“I'm pretty sure that this is wrong. Apps on the SD card are encrypted. The crypto is flawed, but not so flawed that this kind of attack would be possible. Also, apps on the device even need an exploit just to be able to read the encrypted data.”
yes,"apps install on SDcard" is wrong :( apps install on sdcard ,but the data on /data/data/xxx , like "Already have super privileges" thank u :), i will change it . hitest 2013/3/18 Jann Horn <jannh...@googlemail.com> > On Sun, Mar 17, 2013 at 06:09:09PM +0800, IEhrepus wrote: > > "Data-Clone" -- a new way to attack android apps > > > > Author: super...@www.knownsec.com [Email:5up3rh3i#gmail.com] > > Release Date: 2013/03/16 > > References: http://www.80vul.com/android/data-clone.txt > > Chinese Version: > > http://blog.knownsec.com/2013/03/attack-your-android-apps-by-webview/ > > > > --[ I - Introduction > > > > This is a new way to attack android apps t,and i call it "Data-Clone > > Attack". it can bypass password authentication ,when user login the > > app and set "remember password"(some apps is define). > [...] > > --[ III - How to exploit > > > > "How to get the contents of data" is key to the completion of the > > attack. some like this: > > > > 1. Already have super privileges > > > > under the root shell like the demo,u can bypass password > > authentication used "Data-Clone Attack". > > > > 2. apps install on SDcard > > > > the others have read permissions to obtain the app's data. > > I'm pretty sure that this is wrong. Apps on the SD card are encrypted. The > crypto is flawed, but not so flawed that this kind of attack would > be possible. Also, apps on the device even need an exploit just to be > able to read the encrypted data. > > > > 3. Cross-site scripting on android > > > > app + webview + xss(or webkit xcs vul) = "Data-Clone" > > > > On older version of android , android app's xss or webkit xcs vul can > > read the loacl file's contents : > > http://www.80vul.com/android/android-0days.txt > > > > So the app's webview have the file read permissions to the app's data. > > when a app user visit a URL link,the data will Be cloned。 > > > > --[ IV - Disclosure Timeline > > > > 2012/03/ - Found this > > 2012/12/10 - Report it to secur...@android.com > > > > ......For a long time has passed...... > > > > 2013/03/16 - secur...@android.com do not have any response > > (maybe,because Google was not andriod's biological mother) > > 2013/03/16 -Public Disclosure > > Or maybe because it's not exactly interesting that you can read an app's > data if you can execute code in its context? >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
