Aerosol Posted March 11, 2015 Report Share Posted March 11, 2015 1 IntroductionThe Dropbox SDK is a library that developers can download and add to their products. This library provideseasy access to Dropbox features, such as downloading and uploading files, via a simple set of APIs.AppBrain provides statistics as to the prevalence of the use of the Dropbox SDK on Android [1]. Accordingto these statistics, 0.31% of all applications use the Dropbox SDK. Of the top 500 apps in the GooglePlay Store, 1.41% use the Dropbox SDK. Interestingly, 1.32% of total app installations and 3.93% of appinstallations of the top 500 apps use the Dropbox SDK, respectively.While it is not a highly prevalent library, some extremely popular Android apps that may hold sensitiveinformation use the Dropbox SDK, including Microsoft Office Mobile with over 10,000,000 downloads1 andAgileBits 1Password with over 100,000 downloads2.The vulnerability that we discovered may affect any Android app that uses the Dropbox SDK versions1.5.4-1.6.1. We examined 41 apps that use the Dropbox SDK for Android, out of which 31 apps (76%) werevulnerable to our attack (i.e. they used version 1.5.4-1.6.1). It’s noteworthy that the rest of the apps werevulnerable to a much simpler attack with the same consequences, but had been fixed by Dropbox with the1.5.4 version of the SDK which they did not care to upgrade to.This paper is organized as follows. Section 2 gives a background on Inter-App Communication (IAC) inAndroid. Section 3 shows how IAC can be exploited in general locally by malware and remotely using drivebytechniques. Section 4 describes how the Dropbox SDK for Android uses OAuth for app authorization. In1https://play.google.com/store/apps/details?id=com.microsoft.office.officehub2https://play.google.com/store/apps/details?id=com.agilebits.onepassword1section 5 we deep-dive into the vulnerability we found within the Dropbox SDK for Android OAuth code.Section 6 presents a real attack, dubbed DroppedIn, that exploits the vulnerability. In section 7, we showthat the threat is real by presenting case studies. We end with section 8 that presents a mitigation for thevulnerability.2 Inter-App Communication (IAC) in AndroidAndroid applications are executed in a sandbox environment. The sandbox ensures data confidentialityand integrity as no application can access sensitive information held by another application without properprivileges. For example, Android’s stock browser application holds sensitive information such as cookies,cache and history which shouldn’t be accessed by third-party apps. The sandbox relies on several techniquesincluding per-package Linux user-id assignment. Thus, resources, such as files, owned by one app cannot beaccessed by default by other apps. While sandboxing is great for security, it may diminish interoperabilityas apps sometimes would like to talk to each other. Going back to the browser example, the browser wouldwant to invoke the Google Play app when a user browsed to the Google Play website. In order to supportthis kind of functionality, Android provides high-level Inter-App Communication (IAC) mechanisms. Thiscommunication is usually done using special messages called Intents, which hold both the payload and thetarget application component. Intents can be sent explicitly, where the target application component isspecified, or implicitly, where the target is left unspecified and is determined by Android according to otherIntent parameters such as its URI scheme, action or category.3 General Exploitation via Inter-App CommunicationThe attack surface is greatly increased if the attacker can directly invoke application components, controllingthe Intent’s payload. This is the case with exported application components. Such components can beattacked locally by malware. Activities, Android application components responsible for UI screens, can alsobe attacked remotely using drive-by exploitation techniques as shown by [2, 3].In the local attack, illustrated by Figure 3.1, malware invokes the exported target application componentwith a malicious Intent (i.e. one that contains malicious data) by simply calling APIs such asContext.startActivity(Intent).In the case of remote drive-by exploitation, illustrated by Figure 3.2, a user is lured into browsing amalicious website. This site serves a web page that causes the browser to invoke the target activity with themalicious Intent.Read more: http://dl.packetstormsecurity.net/1503-exploits/exploiting-dropboxsdk-android.pdf Quote Link to comment Share on other sites More sharing options...
