Goddess's phone gets compromised - what should we pay more attention to in mobile security?
Created - Posted time: Dec 30, 2016 10:01 AM
Where the story starts
As the internet has developed, the mobile internet has become a new-generation carrier that is widely used in our work and daily lives, yet its security is seldom discussed and still seems a little mysterious.
On the one hand, the number of rooted and custom-ROM devices keeps growing, and some app platforms do not require apps to be packed (hardened) at all, so security concerns about mobile terminals are becoming increasingly serious: attackers can crack an app within days or even hours and read or tamper with its data. On the other hand, the resource files (images, audio, video) that the app author spent a lot of money on end up extracted and reused in unauthorized scenarios. Terminal security is therefore gradually finding its way onto the agenda.
Security cases (reprinted from droidsec, with some edits)
An IT guy had a secret crush on a beautiful girl in the same department. One day, the mobile phone of his “goddess” was running poorly and she asked the IT guy to help clean up the phone. The boy happily agreed, promising to get it done within two minutes. He ran back to his computer and had the phone connected. The “goddess” blankly stared at the boy typing in several lines of code and tapping on the phone several times, and the phone was indeed fixed in less than two minutes. After the “goddess” left with thanks, the IT guy gave a cunning smile.
That's right - he had successfully hijacked the girl's account without ever needing to ask her for it. Of course, this is not the end of the story. One night before falling asleep he read his "goddess's" private messages, and his heart suddenly broke.
What happened? What is the murky secret behind this? Continue with this article to learn the details.
0x1 Background of the loophole
Google introduced a system backup feature in Android 2.2 Froyo (2010) that lets users back up the APK installers and data of system and third-party applications so they can be restored after the device is flashed or data is lost. Third-party developers control whether their application's data may be backed up or restored with the android:allowBackup attribute in the application's AndroidManifest.xml, which defaults to true.
When this attribute is true, the application's data can be backed up and restored with the adb tool even on a phone that is not rooted. That also means an attacker with brief physical access can enable USB debugging and copy out the data of any app affected by the allowBackup vulnerability, leading to privacy leakage or even financial loss.
View the client Manifest configuration using the decompiling tool JEB:
In the case above, the AndroidManifest.xml of the Android client (latest version) did not set android:allowBackup="false", so the client data on the girl's phone could be backed up to a computer through adb within a short time and then restored onto the IT guy's phone. That is how he was able to read the private messages in the girl's account.
The exploitable scenarios go well beyond this, of course. Just think: what would happen if a group-buying app had such a vulnerability? (I will never say no to first dibs on the available coupons, just kidding.) Contacts, social networking and financial apps are also prone to such attacks. (Having read this, would you still let an IT guy clean up your phone?)
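As an added example (not part of the original post or the reprinted droidsec case), the following Python script performs the manifest check a reviewer would run on a decompiled client: it reads the android:allowBackup attribute from the application element and reports the two conditions that leave data exposed to adb backup on an unrooted device, the attribute being absent (platform default true) and the attribute being set to true explicitly. The manifests are constructed samples; the package name com.example.chat and the element layout are assumptions, not taken from any real app.

```python
# Added example: audit an AndroidManifest.xml for the android:allowBackup
# setting. Not code from the original post; the sample manifests below are
# constructed for illustration.
from typing import Tuple
import xml.etree.ElementTree as ET

# The namespace that the "android:" prefix resolves to in every manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALLOW_BACKUP = f"{{{ANDROID_NS}}}allowBackup"


def effective_allow_backup(manifest_xml: str) -> Tuple[bool, bool]:
    """Return (allow_backup, explicitly_set) for a manifest.

    The attribute lives on <application>. When it is absent the platform
    default of true applies, which is the configuration that let the
    client data in the story be copied off the phone with adb.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    raw = app.get(ALLOW_BACKUP)
    if raw is None:
        return True, False          # not set: defaults to true
    return raw.strip().lower() == "true", True


def audit_manifest(manifest_xml: str) -> str:
    """Classify the manifest the way a security review would report it."""
    allow, explicit = effective_allow_backup(manifest_xml)
    if not allow:
        return 'ok: android:allowBackup="false" is set'
    if explicit:
        return 'finding: android:allowBackup="true" is set explicitly'
    return "finding: android:allowBackup is absent and defaults to true"


# Constructed sample manifests (hypothetical package com.example.chat).
MANIFEST_DEFAULT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
    <application android:label="Chat">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""

# Same app with the attribute written out explicitly, weak and fixed.
MANIFEST_TRUE = MANIFEST_DEFAULT.replace(
    '<application android:label="Chat">',
    '<application android:label="Chat" android:allowBackup="true">')

MANIFEST_FIXED = MANIFEST_DEFAULT.replace(
    '<application android:label="Chat">',
    '<application android:label="Chat" android:allowBackup="false">')

if __name__ == "__main__":
    for name, xml in [("default", MANIFEST_DEFAULT),
                      ("true", MANIFEST_TRUE),
                      ("fixed", MANIFEST_FIXED)]:
        print(f"{name:8s} {audit_manifest(xml)}")
```

The post describes the platform as it stood in 2016. From Android 12 (API level 31) onward, adb backup excludes app data for apps that target that API level, but an explicit android:allowBackup="false" remains the setting a reviewer should look for, since older devices and lower target levels still behave as the post describes.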
0x3 Follow-up of follow-up
What other topics do you want to talk about on the terminal and security?
1st Reply - Posted time: Dec 30, 2016 15:10
Many people think it is safe to reduce the user information and app permissions on the phone, and in particular never to root it.
But the built-in apps, especially those auto-start apps in the current Android phones, are so annoying - and we can only remove them by rooting the phone.
My phone is rooted for sure, and I will change or reset the system once every several months to eliminate the risk of information leakage.
2nd Reply - Posted time: Jan 3, 2017 11:01 AM
The current network security issue cannot be neglected, especially the rampant information leakage on mobile devices. So to safeguard our personal information, we should first safeguard our phones. Do not tap on unknown links, and do not connect to insecure public Wi-Fi networks. Most important of all, disable all the privacy-related permissions of the phone apps.
3rd Reply - Posted time: Jan 4, 2017 14:59
I would like to share my practices.
Comments welcomed. After you unmount the storage card and SIM card, first reset the phone to the factory settings. Then connect the phone to the computer and write useless data into the phone until the phone storage is full (make sure it is fully written). Then restore the factory settings once again. In this way, your information won’t be restored.
4th Reply - Posted time: Jan 5, 2017 10:32 AM
Today the network has become increasingly advanced. Cloud terminals, network terminals and various other terminals keep emerging, while mobile terminals are the closest to our lives. Android devices tend to lag and slow down after a period of use because of their own characteristics, and need to be repaired or cleaned. This poses a great danger for those who know little about smart devices. So programmers are racking their brains to reinforce the security mechanisms, but relying on programmers alone is just papering over the cracks. If everybody improves their own security awareness regarding smart devices and stays alert to such risks, the chances of information leakage will be greatly reduced. Why not let some great guys share their insights about smart devices?
5th Reply - Posted time: Jan 6, 2017 10:37 AM
But all in all, the phone's permissions and security are often in conflict.
If you grant permissions, the chance of privacy information leakage will rise; but if you don't grant permissions, it is often not convenient.
6th Reply - Posted time: Jan 9, 2017 9:49 AM
Currently the main solution is personal security awareness. I'd like to point out the common hidden dangers. Many iPhone users haven't realized the importance of the Apple ID. Some even keep using the seller's ID after purchasing the phone. They do not change the password for a long time, or the password is simple. As a result, the phone is exploited by hackers and eventually remotely locked. Such cases are countless, especially in China. Password verification on wireless terminals will gradually be replaced by biometric recognition. The traditional character-string encryption/decryption methods harbor loopholes. Biometric recognition features uniqueness and non-repeatability, greatly enhancing the encryption security. Now face recognition and fingerprint recognition are among the best implementations. What's important is to have a uniform mechanism for managing and verifying various accounts. Everybody should adopt one set of verification methods for all websites and applications. The biometric information should be used as the private key, and the ID information as the public key. During login, the information should be matched for verification.
In addition, I personally think Android systems are not as insecure as others complain. A rooted Android system is a double-edged sword; if you can use it well, it is very advantageous. I have never used any anti-virus software on my personal computers since I first started using computers. I even disable the built-in anti-virus tools in Win10. But still, no security issues have occurred. As long as we possess high security awareness, protect our privacy well and manage our own account systems, the security issues will decrease, unless a database breach happens on the website, in which case we users cannot be spared.