Your entire SDcard in my webhost ~ Proof Of Concept

Note: I do not care if you want to share or translate the document, but please, quote me ;) . Thanks!

Brief

I have developed an application for Android which steals the file list of the victim's SD card.

I do not use any kind of special trick. That is the real problem.

What does the exploit need?

It only needs “Internet” permission, so it is very easy to use in malicious apps (and persuade the user to get into the trap).

How it works…

By DEFAULT, any app can read the files on the SD card, so you only have to read them and send them over the Internet. For this PoC I have deployed a web service on a webhost that I manage.

Download it here: Proof of Concept - Stealing SD-Card with an Android application (pname:poc.SDCard)

Why am I doing it?

Because I care about your security. I want you to experience HOW EASY it is. And then…

1) Think twice about what kind of information you have on your SD card.

2) Think twice about which apps you allow 🙂 90% of apps use the “Internet” permission.

Where is the real problem?

The problem is that the Google developers have said: “Do not store sensitive information on your SD card! Only shared data!” … but the application developers (like Dropbox, WhatsApp, your camera, …) do not care a bit and they save your files there.

First, the application developers SHOULD care about you. And second, you should care about YOURSELF. If they do not care about you, do not use them.

Can you show us the source-code?

Main function: (yeah… too easy)


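// DATA is a field of the app (not shown here) that collects one path per line.
private void getFiles(File F) {
 File[] children = F.listFiles();
 if (children == null) { // listFiles() returns null if F is not a directory or cannot be read
  return;
 }
 for (File t : children) {
  DATA.add(t.getAbsolutePath()+"\n");
  // Recurse only into directories that can be read
  if (t.canRead() && t.isDirectory()) {
   getFiles(t);
  }
 }
}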

Are you storing my data with this App??

Calm down. I am only sending your file list (it is a slow app… I know… I did not use threads) to my webhost. I do not want your data (I could have sent it too :P). I promise you that I am going to remove all the uploaded files from the webhost… BUT… you can delete them too. Just click the button that appears in the app.

Argg!! It goes really slow…

Yes, I know. It gets the list of files, puts it in a string, sends it to the webhost, and then shows you the screen…

I promise it works… so start deleting all your data from the SD card right now 😉.

Special Note: Do you use CyanogenMod or another custom ROM? They save by default a backup of your data as *.img files. Do you know that they contain ALL THE DATA OF YOUR ACCOUNTS? It is overLOL!… (this image was taken when I was coding the app…)

cyanogen-mod backups in *.img files
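
Added example (not part of the original post or of the PoC app): a small Python audit you can run on a computer against a mounted SD card, or a copy of it, to see which sensitive-looking files every app with the “Internet” permission could read and upload. The pattern list and the sample directory layout are constructed for illustration.

```python
import fnmatch
import os
import tempfile

# Assumed, illustrative patterns; extend them for the apps you actually use.
SENSITIVE_PATTERNS = {
    "recovery backup image": ["*.img"],
    "database": ["*.db", "*.sqlite", "*.sqlite3"],
    "key or credential": ["*.pem", "*.key", "*.p12", "*.kdbx", "*.ovpn"],
    "personal media": ["*.jpg", "*.jpeg", "*.png", "*.mp4", "*.3gp"],
}

def classify(name):
    """Return the first category whose pattern matches the file name, else None."""
    lowered = name.lower()
    for category, patterns in SENSITIVE_PATTERNS.items():
        if any(fnmatch.fnmatchcase(lowered, p) for p in patterns):
            return category
    return None

def audit_sdcard(root):
    """Group sensitive-looking files under root by category; all are app-readable."""
    findings, skipped = {}, []
    # Record directories that cannot be listed instead of aborting the walk.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: skipped.append(e.filename)):
        for name in files:
            category = classify(name)
            if category:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.setdefault(category, []).append(rel.replace(os.sep, "/"))
    for paths in findings.values():
        paths.sort()
    return findings, skipped

def build_sample_card(root):
    """Constructed sample layout so the example runs offline."""
    for rel in ["clockworkmod/backup/sample/data.img", "DCIM/Camera/IMG_0001.jpg",
                "WhatsApp/Databases/msgstore.db", "Music/song.mp3"]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as card:
        build_sample_card(card)
        found, skipped = audit_sdcard(card)
        for category, paths in found.items():
            print(f"{category}: {paths}")
```

Point audit_sdcard() at the real mount point of your card instead of the sample directory, then move or delete whatever it reports.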

Conclusion

Any application that you have installed could do it. I hope you have learned something from this. Use a sniffer to find out what the fuck your apps are sending… (yeah… they could send the data over an SSL channel).

Greets!

And if you have any questions, contact me, of course!!

Note: If you see any spelling mistakes, please tell me. I would appreciate it ;) . Thanks!

5 thoughts on “Your entire SDcard in my webhost ~ Proof Of Concept”

  1. Hi Sergio, great article. Just one thing: what saves the data in a .img is neither CM nor the other custom ROMs, but a utility offered to users so they can back up their phones, called Nandroid. It is distributed with the “custom recoveries”, such as Amon_RA, ClockWorkMod,… It does not come with the ROMs. The ROMs do not make backups automatically either, as far as I know (I think Rom Manager Premium does allow it, but that is a separate app).

    1. Totally true, Adlx. I explained myself badly; I meant to point at exactly what you say. In my case, I did it by using the “ROM Manager” tool, which incorporates ClockworkMod and Nandroid, and in one of the steps of installing a new firmware it asks whether you want to make a backup. The prudent thing is, as soon as that backup is made, to move it to the computer or another “more secure” device. Thanks for the clarification!!

  2. AlfredoMP says:

    Hi Sergio, very interesting article. I was wondering whether there is a ready-made sniffer for Android and whether it is reliable; do you know of any?

    1. Hi Alfredo! Thanks. Hmm… it would be interesting if you could be a bit more specific. I suppose by “sniffer” you mean Wi-Fi connections. ((NOTE: if it is over Bluetooth, 3G, GSM, … head to taddong.com xD)). Well… it depends a lot on the environment. Whether there is an SSL connection, whether it is properly certified, whether you can access the same network, whether… whether… whether… 🙂. A bit more detail would be good. Even so… the best answer is “do it yourself”, hehe. I would not know what simple thing to recommend… like Firesheep x’D. Be more specific and I will try to advise you better on how I would do it… 🙂
