http://www.80vul.com/android/data-clone.txt update
thx jonn Horn([email protected]) hitest 2013/3/18 IEhrepus <[email protected]> > “I'm pretty sure that this is wrong. Apps on the SD card are encrypted. The > > crypto is flawed, but not so flawed that this kind of attack would > be possible. Also, apps on the device even need an exploit just to be > able to read the encrypted data.” > > yes,"apps install on SDcard" is wrong :( apps install on sdcard ,but the > data on /data/data/xxx , like "Already have super privileges" > > thank u :), i will change it . > > hitest > > > 2013/3/18 Jann Horn <[email protected]> > >> On Sun, Mar 17, 2013 at 06:09:09PM +0800, IEhrepus wrote: >> > "Data-Clone" -- a new way to attack android apps >> > >> > Author: [email protected] [Email:5up3rh3i#gmail.com] >> > Release Date: 2013/03/16 >> > References: http://www.80vul.com/android/data-clone.txt >> > Chinese Version: >> > http://blog.knownsec.com/2013/03/attack-your-android-apps-by-webview/ >> > >> > --[ I - Introduction >> > >> > This is a new way to attack android apps t,and i call it "Data-Clone >> > Attack". it can bypass password authentication ,when user login the >> > app and set "remember password"(some apps is define). >> [...] >> > --[ III - How to exploit >> > >> > "How to get the contents of data" is key to the completion of the >> > attack. some like this: >> > >> > 1. Already have super privileges >> > >> > under the root shell like the demo,u can bypass password >> > authentication used "Data-Clone Attack". >> > >> > 2. apps install on SDcard >> > >> > the others have read permissions to obtain the app's data. >> >> I'm pretty sure that this is wrong. Apps on the SD card are encrypted. The >> crypto is flawed, but not so flawed that this kind of attack would >> be possible. Also, apps on the device even need an exploit just to be >> able to read the encrypted data. >> >> >> > 3. Cross-site scripting on android >> > >> > app + webview + xss(or webkit xcs vul) = "Data-Clone" >> > >> > On older version of android , android app's xss or webkit xcs vul can >> > read the loacl file's contents : >> > http://www.80vul.com/android/android-0days.txt >> > >> > So the app's webview have the file read permissions to the app's data. >> > when a app user visit a URL link,the data will Be cloned。 >> > >> > --[ IV - Disclosure Timeline >> > >> > 2012/03/ - Found this >> > 2012/12/10 - Report it to [email protected] >> > >> > ......For a long time has passed...... >> > >> > 2013/03/16 - [email protected] do not have any response >> > (maybe,because Google was not andriod's biological mother) >> > 2013/03/16 -Public Disclosure >> >> Or maybe because it's not exactly interesting that you can read an app's >> data if you can execute code in its context? >> > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
