Jump to content
Aerosol

Dropbox SDK For Android Remote Exploitation

By Aerosol, in Exploituri

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted 

1 Introduction
The Dropbox SDK is a library that developers can download and add to their products. This library provides
easy access to Dropbox features, such as downloading and uploading files, via a simple set of APIs.
AppBrain provides statistics as to the prevalence of the use of the Dropbox SDK on Android [1]. According
to these statistics, 0.31% of all applications use the Dropbox SDK. Of the top 500 apps in the Google
Play Store, 1.41% use the Dropbox SDK. Interestingly, 1.32% of total app installations and 3.93% of app
installations of the top 500 apps use the Dropbox SDK, respectively.
While it is not a highly prevalent library, some extremely popular Android apps that may hold sensitive
information use the Dropbox SDK, including Microsoft Office Mobile with over 10,000,000 downloads1 and
AgileBits 1Password with over 100,000 downloads2
.
The vulnerability that we discovered may affect any Android app that uses the Dropbox SDK versions
1.5.4-1.6.1. We examined 41 apps that use the Dropbox SDK for Android, out of which 31 apps (76%) were
vulnerable to our attack (i.e. they used version 1.5.4-1.6.1). It’s noteworthy that the rest of the apps were
vulnerable to a much simpler attack with the same consequences, but had been fixed by Dropbox with the
1.5.4 version of the SDK which they did not care to upgrade to.
This paper is organized as follows. Section 2 gives a background on Inter-App Communication (IAC) in
Android. Section 3 shows how IAC can be exploited in general locally by malware and remotely using driveby
techniques. Section 4 describes how the Dropbox SDK for Android uses OAuth for app authorization. In
1https://play.google.com/store/apps/details?id=com.microsoft.office.officehub
2https://play.google.com/store/apps/details?id=com.agilebits.onepassword
1section 5 we deep-dive into the vulnerability we found within the Dropbox SDK for Android OAuth code.
Section 6 presents a real attack, dubbed DroppedIn, that exploits the vulnerability. In section 7, we show
that the threat is real by presenting case studies. We end with section 8 that presents a mitigation for the
vulnerability.
2 Inter-App Communication (IAC) in Android
Android applications are executed in a sandbox environment. The sandbox ensures data confidentiality
and integrity as no application can access sensitive information held by another application without proper
privileges. For example, Android’s stock browser application holds sensitive information such as cookies,
cache and history which shouldn’t be accessed by third-party apps. The sandbox relies on several techniques
including per-package Linux user-id assignment. Thus, resources, such as files, owned by one app cannot be
accessed by default by other apps. While sandboxing is great for security, it may diminish interoperability
as apps sometimes would like to talk to each other. Going back to the browser example, the browser would
want to invoke the Google Play app when a user browsed to the Google Play website. In order to support
this kind of functionality, Android provides high-level Inter-App Communication (IAC) mechanisms. This
communication is usually done using special messages called Intents, which hold both the payload and the
target application component. Intents can be sent explicitly, where the target application component is
specified, or implicitly, where the target is left unspecified and is determined by Android according to other
Intent parameters such as its URI scheme, action or category.
3 General Exploitation via Inter-App Communication
The attack surface is greatly increased if the attacker can directly invoke application components, controlling
the Intent’s payload. This is the case with exported application components. Such components can be
attacked locally by malware. Activities, Android application components responsible for UI screens, can also
be attacked remotely using drive-by exploitation techniques as shown by [2, 3].
In the local attack, illustrated by Figure 3.1, malware invokes the exported target application component
with a malicious Intent (i.e. one that contains malicious data) by simply calling APIs such as
Context.startActivity(Intent).
In the case of remote drive-by exploitation, illustrated by Figure 3.2, a user is lured into browsing a
malicious website. This site serves a web page that causes the browser to invoke the target activity with the
malicious Intent.

Read more: http://dl.packetstormsecurity.net/1503-exploits/exploiting-dropboxsdk-android.pdf

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...