Comments on: Breaking into an Android password manager – Practice

By: Gustavo Niemeyer

Gustavo Niemeyer — Thu, 21 Oct 2010 10:33:34 +0000

Emil,

It’s trivial to get data out of the phone, even if the phone is not rooted by the owner. If it was hard to do this, one wouldn’t need to encrypt the data in the first place.

By: Emil

Emil — Thu, 21 Oct 2010 10:07:26 +0000

Gustavo, thanks for a couple of really interesting and enlightening posts. I have a question though: you say that the third step in breaking into this application was to “sign and zipalign the new .apk file”. How did you manage to convince the package manager to install your .apk? Assuming you don’t have access to the original author’s signing keys, the PM should refuse to install your modified application (or at least install it as a new one, in which case breaking into it would serve little purpose as there would be no secret data to find).

I mean, what the application author is trying to prevent is that if someone steals a phone with his application installed and protecting sensitive data, he can’t get access to the data. Even if he could do what you did and manage to have the PM install his hacked version of the app, the data wouldn’t be there to see. I guess he could copy the database from the original app’s storage to the hacked one’s, but that might (I’m unsure about this) only be possible if the phone is rooted, in which case at least some of the blame would have to fall on the phone owner?

By: Nikolaus Rath

Nikolaus Rath — Tue, 14 Sep 2010 22:10:55 +0000

Really good job Gustavo. I am impressed by your patience with gbrors.

By: Rik Hemsley

Rik Hemsley — Mon, 22 Feb 2010 15:00:21 +0000

I’d like to see your analysis of keepassdroid.

By: gbrors

gbrors — Mon, 07 Dec 2009 19:52:01 +0000

By the way I own and have read parts of the books “Practical cryptography” and “Applied Cryptography” by Bruce Schneier. Even with open source solutions you are forced to enter a long and cryptic master key if you want to defeat brute force attacks.I guess that 99.5% of the users would not do it, but use a weak master key that can be broken with brute force attacks. My solution with the “unlock key” was wrong, but right now I see no real solution to the problem, because the Java cryptography API implemented in the Android system helps brute force attacks by throwing an exception when trying to decode with a wrong master key. If it did not, but just gave back some randomly decoded bytes, I could develop a much more clever solution similar to one that was developed by a German research institute: http://www.mobilesitter.de/en/result.htm

By: Gustavo Niemeyer

Gustavo Niemeyer — Mon, 07 Dec 2009 02:08:12 +0000

Thanks David. Unfortunately, given the comments right above, it looks like he didn’t read it yet.

Gunter, you seem to blame Android for a problem that actually lies in the application itself. No matter how hard it is to disassemble an application (and trust me, other platforms aren’t much harder than this), if the application security depends on not having the source code, the application is badly engineered. Using an obfuscator will just serve to prove that its security is not to be trusted.

Following David’s suggestion and reading some papers and articles by people like Bruce Schneier might be enlightening.

By: David Allouche

David Allouche — Sun, 06 Dec 2009 14:02:15 +0000

Nice job Gustavo.

I hope the author of this app will read some Bruce Schneier before making bold security claims the next time.

By: gbrors

gbrors — Sun, 06 Dec 2009 12:59:17 +0000

Thank you for your good work. It shows how easy it is to manipulate and change the Java apps of Android, so it is useless trying to implement a copy protection or registration solution. I’m looking for a good obfuscator, as it might make it more difficult for hackers.
I released version 1.2.0 of gbaSafe where the problem with the weak key is solved.