Passerby A · 2015/08/22 13:34
From: https://www.fireeye.com/blog/threat-research/2015/08/another_popular_andr.html
0x00 Preface
Many popular Android apps leak private data. We found that another popular Google Play app, Camera 360 Ultimate, not only optimizes users’ photos but also inadvertently exposes private data, allowing malicious users to gain unauthorized access to users’ Camera 360 cloud accounts and photos.
This discovery follows FireEye researchers’ earlier finding of SSL vulnerabilities that are widespread in the Camera 360 app and other applications. Those vulnerabilities are exploitable through man-in-the-middle attacks and pose a serious threat to users’ privacy.
Android app developers need to take better security measures to provide a safer mobile experience for their users.
0x01 Overview and Introduction
Camera 360 is a popular photo taking and editing app. It has millions of users worldwide. The app offers a free cloud service for storing photos. To use these cloud features, users create a cloud account that can be accessed at www.cloud.camera360.com.
Cloud access is protected by a username and password. But when the app accesses the cloud, it exposes private data in unencrypted form in places such as the Android system log (LogCat) and network communications. Any app that can read LogCat or capture network traffic can steal this data, and a malicious user on the same WiFi network can steal it by sniffing the wireless traffic.
The leaked data can be used to download all of the user’s photos except those in the private album. The private album uses an additional password to protect important photos; the leak does not affect these private photos, and every photo uploaded from the device is non-private by default.
0x02 Technical details
We analyzed the latest version of Camera 360 (6.2) and the previous versions (6.1.2, 6.1.1 and 6.1) and found the data leaks in all of them.
The leaked data can be used to gain unauthorized access to a user’s photos in any of the following ways:
- Create a new login session with the leaked credentials, obtain the image keys from the server, and use them to download the images.
- Hijack the existing login session with the leaked token and use it to download the images.
- Use leaked image keys to download images directly, with no authentication at all.
In addition, images transferred in network traffic can be extracted from a capture and viewed directly.
Here are all the details.
0x03 Create a Login Session
The Camera 360 app logs in to the server over HTTPS, so the login data cannot easily be read from network traffic. During login, however, the app writes private data to LogCat, which can be read by other apps running on the device at the same time.
Camera 360 logs the user’s e-mail address, the password hash and other related data. Once this data is stolen, it can be used to create a separate login session. In response to a login request, the server returns a token, a user ID and other account information. This token and user ID can be used to obtain the keys of all non-private images on the server, and with those keys every such image can be downloaded.
The following diagram shows the log information generated during our test:
By reverse engineering the app we found its HTTPS login URL. The data from the log messages above can be placed into this HTTPS request to create a login session. Without its parameters, the URL looks like this:
Any app that can read LogCat can obtain this login data and create its own login session. LogCat is readable with the READ_LOGS permission, which any app could request on Android 4.0 and earlier. Since Android 4.1 (Jelly Bean), this permission is no longer granted to third-party apps.
Reversing the app also shows that the password hash is an unsalted double MD5 of the original password. An attacker can recover the original password with a dictionary attack, rainbow tables or brute force, since any string whose double MD5 matches the hash will do. Cracking is not even required: the hash itself can be used directly to create a login session. The stolen e-mail address and password hash are enough to log in to both the Camera 360 app and the cloud website.
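Why an unsalted client-side hash is password-equivalent, as an added Python example (not the app’s or FireEye’s code). The server stand-in, the exact double-MD5 construction (hex digest re-hashed), the account, the e-mail address and the wordlist are all assumptions constructed for the demonstration:

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed stand-in, not Camera 360's code. It models the scheme described
# above: the client submits an unsalted double MD5 of the password and the
# server treats that hash as the credential.


def double_md5(password: str) -> str:
    """Unsalted double MD5. Re-hashing the hex digest (rather than the raw 16
    bytes) is an assumption; either way there is no salt, so the same password
    gives the same hash for every user and every login."""
    first = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5(first.encode("utf-8")).hexdigest()


class MockCloudLogin:
    """Hypothetical login endpoint: stores the client-side hash and compares it
    with whatever hash the client submits, so holding the hash is holding the
    account."""

    def __init__(self) -> None:
        self.accounts = {}  # email -> stored double-MD5 hash
        self.sessions = {}  # token -> email

    def register(self, email: str, password: str) -> None:
        self.accounts[email] = double_md5(password)

    def login(self, email: str, password_hash: str) -> Optional[dict]:
        stored = self.accounts.get(email)
        if stored is None or not hmac.compare_digest(stored, password_hash):
            return None
        token = hashlib.sha256(f"{email}:{len(self.sessions)}".encode()).hexdigest()
        self.sessions[token] = email
        return {"token": token, "userId": str(10000 + len(self.sessions))}


def crack_with_wordlist(target_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack. Cheap because MD5 is fast and unsalted: one
    precomputed table of double_md5(word) serves every account."""
    for candidate in wordlist:
        if double_md5(candidate) == target_hash:
            return candidate
    return None


def replay_leaked_credentials(cloud: MockCloudLogin, leaked_email: str,
                              leaked_hash: str) -> Optional[dict]:
    """Pass-the-hash: open a fresh session from what LogCat exposed, without
    ever learning the plaintext password."""
    return cloud.login(leaked_email, leaked_hash)


def demo():
    cloud = MockCloudLogin()
    cloud.register("alice@example.com", "sunshine1")
    # Constructed LogCat leak: the app logged the e-mail and the password hash.
    leaked_email, leaked_hash = "alice@example.com", double_md5("sunshine1")
    session = replay_leaked_credentials(cloud, leaked_email, leaked_hash)
    recovered = crack_with_wordlist(leaked_hash, ["123456", "password", "sunshine1"])
    return session is not None, recovered


if __name__ == "__main__":
    print(demo())  # (True, 'sunshine1')
```

The two paths in `demo` are the two attacks the text describes: the session is created from the leaked hash alone, and the plaintext falls out of a three-word list because nothing per-user was mixed into the hash.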
0x04 Hijacking the session with leaked tokens
In response to the application login request, the server returns a token, user ID, and other account information. Camera 360 uses this token and user ID in the next request to authenticate itself.
The server response to our test account looks like this:
This token never expires and never changes. It remains valid even after the user logs out, because logout only deletes the session variable on the client, not on the server. Therefore a request using this token succeeds at any time.
Camera 360 leaks these tokens, together with user IDs and other app- and device-related data, to LogCat and to network traffic. Any Android app that can read LogCat, and any network sniffer on the device or on the device’s WiFi network, can steal this data. The leaked data can then be used to send requests to the server as the victim, or to view all the non-private images in the cloud.
0x05 Data leaked to LogCat
Camera 360 leaks data to LogCat during login and during activities related to the cloud account.
Here are two examples of log information:
In the messages above, uid and userId both carry the same user ID, and token, user token and localkey all carry the same token value.
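A scanner that pulls these fields out of LogCat output, as an added example that is not from the original post. The log lines are constructed to resemble the kinds of messages described above; the tag names, field names and values are invented, as is the assumption that tokens and hashes appear as hex strings:

```python
import re
import sys
from typing import Dict, List

# Constructed LogCat sample (not real app output). It imitates the classes of
# data the text says were logged: e-mail, password hash, token, user ID and
# photo keys. Tags, field names and values are invented.
SAMPLE_LOGCAT = """\
D/CloudLogin( 1234): request email=alice@example.com pwdhash=5f4dcc3b5aa765d61d8327deb882cf99
D/CloudLogin( 1234): response {"userId":"10001","token":"a1b2c3d4e5f60718293a4b5c6d7e8f90"}
I/CloudAlbum( 1234): timeline {"uid":"10001","key":"10001_9f8e7d6c5b4a"}
I/CloudAlbum( 1234): timeline {"uid":"10001","key":"10001_1122334455aa"}
D/CameraHw  ( 1234): flash mode auto
"""

# One pattern per secret class. The field names are assumptions matching the
# constructed lines; adapt them to the real tags when scanning a real device.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "password_hash": re.compile(r'(?:pwdhash|passwordHash|pwd)\s*[:=]\s*"?([0-9a-f]{32})\b'),
    "token": re.compile(r'"?(?:token|localkey)"?\s*[:=]\s*"?([0-9a-f]{16,})'),
    "user_id": re.compile(r'"?(?:uid|userId)"?\s*[:=]\s*"?(\d{3,})'),
    "photo_key": re.compile(r'"key"\s*:\s*"(\d+_[0-9a-f]+)"'),
}


def scan_logcat(text: str) -> Dict[str, List[str]]:
    """Return {category: [unique values, first-seen order]} for every secret
    class that occurs in the log text; categories with no hits are omitted."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        for category, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if pattern.groups else match.group(0)
                bucket = findings.setdefault(category, [])
                if value not in bucket:
                    bucket.append(value)
    return findings


if __name__ == "__main__":
    # Usage: adb logcat -d | python scan_logcat.py   (with no piped input the
    # constructed sample is scanned instead).
    source = SAMPLE_LOGCAT if sys.stdin.isatty() else sys.stdin.read()
    for category, values in scan_logcat(source).items():
        print(f"{category}: {', '.join(values)}")
```

On a pre-4.1 device the same patterns would run over `adb logcat -d` output, or over whatever a READ_LOGS app collects; the point of the scan is that every value it returns is something another process on the device could have read.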
0x06 Data leaked to network communication
The app sends the login request over HTTPS, but subsequent requests go over plain HTTP, carrying the authentication token and user ID unencrypted. This data can be read straight out of the network traffic.
One such HTTP request looks like this:
0x07 Using the token and user ID to download photos
The leaked token, user ID and other app-related data can be used in any of the following requests:
These HTTP requests can be used to download photos in two ways, as shown below:
Fetching image keys
Any of the HTTP requests above can be used to fetch the photo keys from the server. The server’s responses to our test requests were as follows:
Response for “http://cloud.camera360.com/v2/page/timeline?….”
Response for “http://cloud.camera360.com/v2/page/getNew?…”
The key can be extracted from the server’s reply, and the corresponding image downloaded with the following HTTP request:
Bypassing the login page of the web cloud
The HTTP requests used to obtain image keys can also be used to bypass the login page of the Camera 360 cloud website (https://cloud.camera360.com/login). Executing any of them logs the user into the web service, because the requests carry the authentication token. Typing one of these URLs into a browser tab goes straight to the home page of the cloud site.
0x08 Downloading photos with leaked photo keys
Camera 360’s cloud album activity fetches the most recent (non-private) photos from the server to show the user the photos stored in the cloud, and it logs the server’s response to LogCat. One such message looks like this:
The keys in these records can be stolen by any app that can read LogCat. Each key consists of the user ID and a unique photo ID. As mentioned above, these keys can be used in the following HTTP request to download images:
This is a permanent link to the photo and never expires. It can be used to download the photo without supplying any credentials or authentication token.
0x09 Retrieving photos from captured traffic
Photos transferred in network traffic are unencrypted, so they can be extracted from a capture and viewed directly.
0x0a Prevention
Cloud and Android app security needs to improve to prevent further data leaks and unauthorized data access. Some suggestions:
- Do not log private data to the Android system log (LogCat) in any product.
- Prevent session hijacking by:
  - Encrypting not just the login exchange but also private data in transit, such as tokens, user IDs, photo keys and photo files
  - Giving every token an expiration timestamp
  - Removing all session variables on the server when a logout request is received, and rejecting tokens issued before that logout
  - Changing the token value on each request, which limits how long a stolen token remains useful
  - Binding tokens to IP addresses, although this may be inconvenient for users with dynamic IP addresses
- A permanent link to a photo should require authentication, or the link should be time-limited.
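What the token and photo-link recommendations look like on the server side, as an added Python example rather than anything Camera 360 implemented. The session store, the per-request rotation, the HMAC-signed link format, the host name and the TTL values are all assumptions made for the demonstration:

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Assumptions for the example: a per-deployment secret, a one-hour session
# lifetime and five-minute photo links. The clock is injectable so expiry can
# be exercised without waiting.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 3600
PHOTO_LINK_TTL_SECONDS = 300


class SessionStore:
    """Server-side session table. Tokens expire, are deleted on logout (on the
    server, not only the client) and are rotated on every authenticated
    request, so a token captured from LogCat or plain HTTP is usable at most
    once, and only until its owner's next request."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Tuple[str, float]] = {}  # token -> (user_id, expires_at)

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user_id, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def authenticate(self, token: str) -> Optional[Tuple[str, str]]:
        """Return (user_id, replacement_token), or None if the token is unknown
        or expired. The presented token is consumed either way, so replaying
        a captured token after its owner has used it fails."""
        entry = self._sessions.pop(token, None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() >= expires_at:
            return None
        replacement = secrets.token_urlsafe(32)
        self._sessions[replacement] = (user_id, expires_at)
        return user_id, replacement

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def _link_signature(user_id: str, photo_key: str, expires_at: int) -> str:
    message = f"{user_id}|{photo_key}|{expires_at}".encode()
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()


def sign_photo_link(user_id: str, photo_key: str, expires_at: int) -> str:
    """Time-limited photo link. The signature covers owner, key and expiry, so
    the link stops working at expiry and cannot be edited to fetch another key.
    The host name is a placeholder."""
    sig = _link_signature(user_id, photo_key, expires_at)
    return (f"https://cloud.example.invalid/photo/{photo_key}"
            f"?uid={user_id}&exp={expires_at}&sig={sig}")


def verify_photo_link(url: str, now: float) -> Optional[str]:
    """Return the photo key if the link is authentic and unexpired, else None."""
    parsed = urlparse(url)
    photo_key = parsed.path.rsplit("/", 1)[-1]
    params = parse_qs(parsed.query)
    try:
        user_id = params["uid"][0]
        expires_at = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return None
    if now >= expires_at:
        return None
    expected = _link_signature(user_id, photo_key, expires_at)
    return photo_key if hmac.compare_digest(expected, sig) else None
```

Rotation on every request is the strongest of the listed options but has a cost the list does not mention: a client that fires concurrent requests with the same token will see all but the first rejected, so in practice the rotation is done per login or per short interval rather than per request. The signed link replaces the permanent key-based URL described in section 0x08 without requiring the client to hold a session at download time.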
0x0b Conclusion
Camera 360 exposes a great deal of unencrypted private data in network traffic and in the Android system log, which endangers users’ privacy.
The FireEye Mobile Threat Prevention platform detects the data leaks and vulnerabilities found in Android apps and helps users make better choices about sharing private data with apps.
0x0c Reference
http://en.wikipedia.org/wiki/Session_hijacking
http://resources.infosecinstitute.com/session-hijacking-cheat-sheet/