The 7th International Conference for Internet Technology and Secured Transactions (ICITST-2012) Technical Co-sponsored by IEEE UK/RI

Computer Chapter December 10-12, 2012, London, UK

Sponsors

ICITST-2012 Proceedings
Edited By Charles A. Shoniregun Galyna A. Akmayeva Contents Page Workshops Welcome Speech Sessions Executive Committees Posters Keynote Speakers

Copyright ICITST-2012 Published by Infonomics Society, UK

ISBN 978-1-908320-08-7 IEEE Catalog Number: CFP1281I-CDR

Vulnerability Elimination by Force of New Mobile OS

Comparative Research of Security Techniques on BlackBerry OS (incl. PlayBook)
Yury Chemerkin
Independent Security Researcher Russian State University for the Humanities (RSUH) Moscow, Russia

Abstract - This paper proposes a new security research covers BlackBerry issues relating their own features relied on highest possible way of integration and aggregation with data, service and application that simplifies management. Such way integration shapes developer's outlook as well as malware writer's outlook led to the bypass security methods. Despite of that, BlackBerry is full of holes to the brim if consumer has a flexible IT Policy even because current security techniques implemented in BIS (BlackBerry Internet Service) or BES (BlackBerry Enterprise Server) are indecisive argument to be sure in security and privacy and do not provide enough controls. As opposite to smartphone, the tablets (PlayBook) are quite new, QNX-based and have the most known technologies, such Adobe Air, HTML5, and Android Dalvik-Runtime, are implemented widely. However, they have a poor application environment and a little those feature known on non-QNX BlackBerry device. This makes security more difficult and unstable to reliably use it by end-users. Research shows that additional third party security solutions often ruin security while native environment allows intercepting, blocking, stealing, misleading, substitute data in real-time bypassing security controls that, finally, reveal sensitive information and turn security solutions to the malware agents. Keywords: mobile security, blackberry, blackberry playbook, application pentesting, real-time data manipulation, security issues

by replacing files, changing settings or modifying information shows. The non-malware applications may use such techniques, e.g. firewall hooks API to watch any incoming or outgoing network traffic. The legitimizing effect of commercial malware software led away from user-mode towards the kernel-mode techniques at first glance. However, user-mode rootkits or spyware are still effective to bypass security applications because they have simple APIs calling kernel methods. This research examines and highlights a range of issues referred to the incorrect approach to the security techniques development. It draws security management level of inefficiency outside isolated environment as well as old-attack techniques possibility of application for new BlackBerry device known as Playbook. The research presents pressing issues for fundamental and application BlackBerry security cases, exploitation of native applications built in OS. In additional, third-party security applications are going to be examined for security holes and misunderstanding BlackBerry security concepts. II. USER-MODE ROOTKIT AND SPYWARE There are several kinds of rootkits; they are bootkits, firmware, user-mode, kernel, and hypervisor. User-mode rootkits involve system hooking in the user or application space. User-mode rootkits are very similar to the spyware because most spyware is installed without users' knowledge, by using deceptive tactics, or by deceiving users by bundling itself with desirable software. User-mode rootkits have different ways to intercept and modify behaviour of APIs those include: vendor-supplied extensions or third-party plugins that extend functionality throughout the public interfaces. interception of system messages. exploitation of security vulnerabilities. hooking or patching APIs.

I.

INTRODUCTION

Today the mobile devices provide amount of features to integrate all possible communications following aggregation with data on BlackBerry as well as others. The native and third party applications often connect to the email, maps, IM and social applications. Mobile environment makes itself as very attractive target to the attackers. Personal or financial information compromised very easy because devices are part of day-to-day user activities. A BlackBerry includes inherent virus protection and spyware protection designed to contain and prevent the spread of viruses and spyware to other applications. Security is the cornerstone of the BlackBerry system that allows users to confidently access to the sensitive information [1]. A rootkit is a kind of malware that intercepts API to modify or filter OS messages to keep itself usually hidden. For example, it intercepts requests to the file explorer to keep certain files hidden from display, or reports false file sizes. Rootkits designed to maintain access to the targeted computers, to disable the firewall/antivirus tools (or any else security tools)

Techniques shown in [2-11] to steal the password, screen information, chats messages, etc. are possible on user-mode level that has an ability to the wide spreading, easy distribution, misleading and finally developing more easy. All trends in the security field place the most popular solutions is to operate as always under attack. Well-established products will provide the

Copyright 2012 ICITST-2012 Technical Co-Sponsored by IEEE UK/RI Computer Chapter

483

end user protect. Meanwhile vendors start to develop security measures as do it hackers continue to develop new rootkit/exploits. It means user-mode will always be relevant to the investigation. III. FILE SYSTEM ISSUES GUI simplification often led to the problems that behind registered extensions of file types. In this case, users limited to the common types like media (audio, photo, video, camera) and documents (MS Office, Open Office, PDF, plaintext or similar) instead of full file explorer. It keeps from unwanted execution of malware but provides a backdoor to store any kind of payload information without ciphering or hiding. On another hand, a full file explorer does often not permit accessing to the unassociated object in plaintext even, e.g. .csv while any application has unlimited access to such files. For example, as instant messaging is a well-established means of fast and effective communication, especially BlackBerry Messenger, it should be protected. However, OS stores a chat history in plain text in .csv file; neither it BlackBerry Messenger, or others (Google, Yahoo, Windows Live, AIM/AOL) while there is only protection is not to save history. Moreover, it simplifies a search to the malware by tag like camera, video, documents. These problems form user habits to divide on right files (media and documents) or a junk that is others at first and user forgetfulness about junk files at second. On PlayBook each application has access to its own working directory (app, data, logs, tmp, etc) in the file system, and might access to the shared folder (sandbox) because of the access to the files and folders governed by UNIX-style groups and permissions (Table I). It means applications cannot create new directories in the working directory; they can only access the folders listed below. Despite of UNIX-style access to the folders there is ability to recreate folder structure partially and have read-only access to almost all files [11]. By the way, BlackBerry smartphone does not need such permission type. The cornerstone problem of PlayBook is protection application data known as sandbox instead of user data protection. All user files stored in several shared folders as shared/documents are accessible widely; thereto user cannot restrict to the application use it. It may good for extract clipboard data or forensics case only. Moreover, RIM suggest several types application like enterprise or personal but announce that malware is subtype of personal application that means but a huge fail for user privacy. A file access is available from the PC changes too. Early OS and device software were oriented to the secure and encryption while modern version grant full access without asking. The old device software has only one way to explorer device throughout internal file explorer even storage has encryption option turn off. Now plugged device (incl. PlayBook) will appear as an external storage as users have just entered devices password that led to the cross-platform malware by self-copying from PC. Issue is in application ability to be installed from internal/external storage or attachment that works for smartphone only. Way to install is placing a .jar/.jad file as a description and .cod file as main executable together, but .jar plus .cod is preferable.
TABLE I. PLAYBOOK SHARED FOLDERS STRUCTURE

Folder app data temp logs shared shared/bookmarks shared/books shared/clipboard shared/documents shared/downloads shared/misc shared/music shared/photos shared/videos shared/voice

What data contains The installed applications files. The application's private data. The application's temporary working files. System for an application logs (stderr and stdout) Subfolders grouped by type. Web browser bookmarks that can be shared among applications. eBook files that can be shared among applications. Data copied or cut from another application (txt, html, uri format). Documents that can be shared among applications. Web browser downloads. Miscellaneous data that can be shared among applications. Music files that can be shared among applications. Photos that can be shared among applications. Videos that can be shared among applications. Audio recordings that can be shared among applications.

Access type read-only read & write read & write read & write no access read & write read & write read & write read & write read & write read & write read & write read & write read & write read & write

IV.

APPLICATION MANAGEMENT ISSUES

BlackBerry application must to be signed to not to bother with access notification to resources. Sometimes it is enough to be only signed by RIM keys to stay silent. An application provided with install and remove feature by OS and needs application ID to perform such action. OS grants access to the running application and information such as name, version, ID, etc. that means there is no problem to delete another application by accessing to the active application list even. Although, it remove only main executable module, while others modules need to be found and manually delete by the same API. In addition, development SDK tools helps to remove and upload any executable module without notification. It might work for PlayBook SDK tools if development mode is on only. The PlayBook was improved on security and those live methods like application deletion API do not work, because of an interface to manage with application does not exist. The users interactions only with BlackBerry AppWorld or gesture delete application on home screen operates, while smartphone gives capability to dump or replace installed modules via read, write APIs neither it is own or foreign application. Outwardly, user will not decide there must be a catch in it because application should govern with own modules and will grant such type of permission. The PlayBook solution mentioned above has another problem, as it would be difficult to remove distributed malware modules or classify them even. V. CLIPBOARD ISSUES A clipboard is still unsolved security issue that does not protect any data stored in plaintext if user copy password or another sensitive information from the wallet because methods like getClipboard() on BlackBerry [6], or getData() on

Copyright 2012 ICITST-2012 Technical Co-Sponsored by IEEE UK/RI Computer Chapter

484

PlayBook [11] reveal all stored data. However, two native applications (Password Keeper and BlackBerry Wallet) developed by RIM has some kind of protection. The clipboard access is restricted (API interface returns null) while those applications are active only and do not go into minimize or exit state. It means end-point object (application or webform) has not any protection. Let clipboard is insecure then user needs to look a password to type it that may seem more secure. It is breakable too because can easily be screencaptured. Malware catches active application, compares ID or name and screenshots application screen finally. Talking about tablet, the PlayBook does not have a clipboard protection on one hand (it allows to read a clipboard or manage clipboard file stored in shared folder), but have no API interface to manage with screenshots on another hand. VI. PHOTOSCREEN ISSUES Screen logger is great solution for malware because BlackBerry permits a key-logger on the simulator only not real device. Despite of IT policy on BIS device or BES, it often featured by only two states: permit or restrict screen capture to specific application or at whole. It is afunctional because user cannot know when application with that feature takes a screen capture. As mentioned above it easy possible to define active application among running to steal typed data. First, the masking of password takes with delay when virtual keyboard is active; in other words, this delay cracks by screen capture delay that equals 300 milliseconds or less. By the way, it discharges the battery by couple of days. Improved techniques [2] based noising input field led to locking/wiping device or grabbing an unmasked password. Second, a virtual keyboard has a scaled preview of pressed keys that uncovers protection technique known as masking of password field by asterisks. Also, there is no restriction to the certain applications like password wallets, device settings (device password, device encryption), or when user is typing a certificate password to decipher email message. This method can improved in extracting difference within XOR function applied to the active screen and similar screen from native screen themes that results the typed data only because it eliminates noise and brings clear typed or drawn text, e.g. from chat window or email message. Anyway, an OCR engine may crack them. As opposite to the BlackBerry smartphone, it is impossible to grab the screen on the PlayBook except files stored in camera folder made by user and accessible to anyone as it is a part of shared folder. A quite interesting fact that fake notification helps too and gives a simple way to manipulate user to press hardware keys associated with screen capturing. VII. DEVICE PASSWORD ISSUES BlackBerry devices come with password protection and attempt limit (not more than ten and not less three) which exceeding let to wipe to the factory defaults. As external storage is not part of factory configuration, all stored data will keep on smartphone not tablet that does not have external storage. The recovery the BlackBerry device password is possible with Elcomsoft products if the user-selectable Device Password security option is enabled to encrypt media card data by password only. Second technique works like screen capture whether user type password to unlock his own device or setup/change it. The last case manages with GUI vulnerability

allows to extract as plain text all data from GUI object (even password fields masked by asterisks). Third technique, malware may create a fake window during USB synchronization intercepting OTA events through the API as well as block or pause it not to let the device software shows Password Window on desktop (smartphone case) [11]. There is another issue refers to the device software installed on Windows covers password stealing during USB synchronization. It works because of security issues of Windows API (PostMessage/SendMessage) on one hand, and key-logging per specific application on another [4]. Moreover, it works not only to grab device password but backup password too by filtering active window/screen, tray application and characters typing into text fields. Finally, it works very well on smartphone and tablet. VIII. MESSAGES ISSUES Each mobile device OS provides API to intercept receiving and sending event to third party applications but RIM makes good progress and delegates API to create, read and delete messages without any control except permission looks like grant a message access to this application. It means malware can easy reassemble any message instead of original (replace the older), creates a fake message, adds any allowable attachment even executable files, as well mark message unread, set error of delivering status, etc. Also, an application written for BlackBerry can catch the event when user press send, open, forward and others buttons in native email application. PIN, BBM and Email message types affected by that API [5], [7], [8], and [9]. By-turn, a SMS message affected by intercepting outgoing message with blocking or replacing address number or body without notification if sent message will be deleted my application else user sees a text transmission refused by application <localized name of application>. It performs as a useful firewall if it is only trust application else it ruins all possible security solutions. Moreover, device that receives Facebook or Twitter notification and allowed to manage them via SMS brings one more security hole [3]. The PlayBook does not have similar API; it has only an invoke interface shows native application moving it on the top of screen stack. In addition, BlackBerry Bridge technology is not affected too by the same reason (suitable API is absent). IX. GUI EXPLOITATION Previous issues related to the fundamental BlackBerry problems, solution for those looks like "turn on/off feature". BlackBerry has powerful integration capabilities that exploitable too. Each application written for BlackBerry can integrate itself in options or menu (directly into the global menu or indirectly into sub-menus like "Send via"). BlackBerry manages with API allows GUI object manipulation neither it is own application or foreign; native application that external/foreign regarding to the application calling API is exploitable more than third party. Developers may redraw screens, catch opening specific native screen like open/forward/reply email message, grab extractable data from them and replace it, change checkbox states, adds GUI objects and more. The last case (adding GUI object) does not provide way to shuffle buttons or replace with another by design,

Copyright 2012 ICITST-2012 Technical Co-Sponsored by IEEE UK/RI Computer Chapter

485

because GUI constructs through source code like "this.addChild()" that fills a line entirely and place a second object next line. It is good idea than specifying exactly size, height, and width or x-y-z orientation if screen orientation has changed and should be redrawn or to exclude "come down objects" cases. Native applications are applications like email, calendar, Blackberry Messenger and others are developed by RIM like GTalk or Facebook. It is not a simulation as an input injects of hardware buttons that is available for all application screen even third party that requires allowed API additionally. Sometimes it is possible to recreate screen design completely to deceive with fake window/screen or clickjacking. It difficult to define what data is not extractable on native applications because application will get all text data plus all object properties by API; if object is so-called manager it will be expanded because all objects, e.g. text fields, pack into managers if there is one even. Text fields differ by type from basic edit fields to the password fields with masking or custom for cases when strongly recommend to type only certain data like custom set of characters. Windows is known has weakly protection for text field with password char # properties thus it is possible to steal data from such fields despite an interface, that copies data from edit box, returns nothing. As opposite to Windows, BlackBerry does not protect such field that application-proven for preinstalled and others RIM applications on OS v4-7. The field stores the password as plain text but draws it as a series of asterisks that can be replaced easily for applications or options that especially important for section Password Device and Device Encryption. X. THIRD PARTY EXPLOITATION Many third party applications try to improve BlackBerry security offer the same features sometimes, like SMS filtering. One of them is KMS (Kaspersky Mobile Security) featured by GPS find, device lock, device wipe and call/SMS filters. Device wipe feature manages with personal information and custom folders only and does not reformat external storage. This application similar to the BlackBerry Protect while accessible through SMS not WEB but protected by ciphering. It means SMS-command will be decrypted and KMS performs actions only then. In other words, any right SMS that sent to the victim will perform action on victim device except only one case user should enable this option. GUI examines reveal possible of weak encryption due SMS message size and typed password counts four digits out sixteen at minimum. Previous version 8 uses the same password typed by user to access application to create a command SMS. Current version 9 offers to type another password but users usually do not used to operate like that. There was found no inaccuracy of cryptoengine implementation but encryption takes place by GOST R 34.11-94 (that's quite obvious if company is in Russian) without salt, with test values, and hash size is truncated in two, for example, a password contains digits 1234 will hash into 8a19de2e756035a3ece48cd01260b89e instead of full value 8a19de2e756035a3ece48cd01260b89ec36a510d9e18066e64ff c4d379c6e457, that eventually simplifies exploitation. Further examination shows outgoing SMS can be dropped, replaced with body or recipient. It may result spoof, bot-net creation or misusing resources like a Frankenstein [12]. As it is a thirdparty application, it is difficult to manage with GUI to extract

user password when it is being typed but screen capture works. However, that is not what it needs because the numeric set is less than set contains characters, numbers, and special marks. McAfee Mobile Security looks like more secure and can wipe device entirely than KMS but, as wrote in section about application management, any application easily accesses to the installed executable (.cod) modules to read, write, dump or delete. Therefore, both McAfee Mobile Security and KMS do not prevent it as opposed to the BlackBerry Protect. Moreover, both of them works successfully under BlackBerry simulator that provides behavior analyze (traffic, GUI, communication) but it is not a part of this research. XI. PERMISSIONS Most of attack vectors showed Table II manages with privileged API permissions allowing an access not only to own application features but third party towards to that application as well as OS entirely. Those interactions can be filtered and restricted in some flexible way; instead, calling interfaces have to be switched between turn on and turn off states. Permissions divide into several wide groups while a BlackBerry has over a hundred APIs that results to the disputable choice grant access without knowledge what actions like read, delete, dump, intercept or spoof will perform. For example, cross application access leads to the foreign GUIs intercept, while applications management breaks into foreign executable modules to dump, remove or lock that. BlackBerry Tablet permissions were reduced greatly and have decreased efficiency to protect spyware despite of a sandbox that protects applications data more than user data sharing them widely. A PC case manages with no permission for Windows OS; intercepts GUI object stored a typing password or provides access to the device with additional software like SDK/NDK or commercial software.
TABLE II. Ty pe Attack Replacing .cod denial of service Removing .cod DoSing event listeners GUI intercept Noising input fields Clipboard intercept information disclosure Screen capture Noising fields + Screen capture GUI intercept (stealing sensitive data) Dumping .cod Chats S h ATTACK VECTORS AND RESULTS Permission Smart phone + Tablet PC (incl. tools) +

+ (except event permission) + + -(directly) / + (via files) + + + + -

+ + + + + + + + +

+ + (via files) -

+ + (via files) + + + +

Copyright 2012 ICITST-2012 Technical Co-Sponsored by IEEE UK/RI Computer Chapter

486

Ty pe

Attack Media + metadata Docs DB/other SMS Messages MMS Email PIN2PIN BBM GUI intercept Fake window/ clickjacking

Permission (smartphone) / + (tablet)

Smart phone + + + rarely

Tablet + + + often -

PC (incl. tools) shared folders only

MITM (interception / spoofing)

+ + + + + + +

+ + + + + + +

+ +

neither network connection or local. Despite of that, it fails with security too. A newer BlackBerry Server named as BlackBerry Mobile Fusion manages with BlackBerry PlayBook, old BES and other mobile devices faced with problem leveraging of permissions groups in twice to keep similar permission right among all mobile devices that a huge fail. As opposite to that, AWS (Amazon Web Services) provide a restriction by each API call if it is directory listing even. That is a quite useful solution but does not solve what data accessed and for. It seems OS vendors are unable to implement logging system to show user what actions were actually used, what data for, when action was and else. This kind of solution fill the gaps not only with analyze malware but also helps to forensics handle an investigation to be sure no one application harm data or ruins management with forensics tools. REFERENCES
Y. Chemerkin, A Security System That Changed The World, Hakin9 Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682 Warszawa, vol. 6 2 Issue 02/2011 (38) ISSN 1733-7186, pp. 10-13, February 2011 [2] Y. Chemerkin, Is Data Secure on the Password Protected Blackberry Device?, Hakin9 Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682 Warszawa, vol. 6 2 Issue 02/2011 (38) ISSN 1733-7186, pp. 22-29, February 2011 [3] Y. Chemerkin, The Backroom Message Thats Stolen Your Deal, Hakin9 Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682 Warszawa, vol. 6 4 Issue 04/2011 (40) ISSN 1733-7186, pp. 22-27, April 2011 [4] Y. Chemerkin, Why is password protection a Fallacy Point of View, Hakin9 Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682 Warszawa, vol. 1 1 Issue 01/2011 (01) ISSN 1733-7186, pp. 36-53, June 2011 [5] Y. Chemerkin, Does your BlackBerry smartphone have ears?, Hakin9 Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682 Warszawa, vol. 6 7 Issue 07/2011 (43) ISSN 1733-7186, pp. 26-40, July 2011 [6] Y. Chemerkin, To get round to the heart of fortress, Hakin9 Extra Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682 Warszawa, vol. 1 3 Issue 03/2011 (03) ISSN 1733-7186, pp. 2037, August 2011 [7] Y. Chemerkin, When Developer's API Simplify User-Mode Rootkits Developing, Hakin9 Mobile Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682 Warszawa, vol. 2 2 Issue 02/2012 (3) ISSN 1733-7186, pp. 1621, February 2012 [8] Y. Chemerkin Insecurity of blackberry solutions: Vulnerability on the edge of the technologies, vol. 6, pp. 20-21, December 2011 [Annual InfoSecurity Russia Conf., 2011] [9] Y. Chemerkin, When Developers API Simplify User-Mode Rootkits Development Part II, Hakin9 OnDemand Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682 Warszawa, vol. 1 4 Issue 04/2012 (4) ISSN 1733-7186, pp. 5681, July 2012 [10] Y. Chemerkin, Comparison of Android and BlackBerry Forensic Techniques, Hakin9 Extra Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682 Warszawa, vol. 11 4 Issue 04/2012 (11) ISSN 1733-7186, pp. 2836, April 2012 [11] Y. Chemerkin, BlackBerry Playbook New Challenges Hakin9 EBook Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682 Warszawa, vol. 1 3 Issue 03/2012 (3) ISSN 1733-7186, pp. 134, September 2012 [12] V. Mohan, K. Hamlen, Frankenstein: Stitching Malware from Benign Binaries, 6th USENIX Workshop on Offensive Technologies (WOOT) August 2012 [Annual WOOT Conf., 2012] [1]

XII. CONCLUSION Mobile vendor vision about user privacy has no deal with real privacy completely favors mobile application to upload user personal data without his knowledge. Once user downloads an application, he decides if grant access relies on poor explains what permissions will be utilized by application, These permissions have never been being similar with applications actions; whats more it is out of touch with data that will be accessed. Issue when only few people look them before installing it faces with security but it should not be taken because this application never says what is actually will use for. It difficult to understand why GPS tracker wants access to the email function and impossible to be sure whether no one email will be touched that does not belong to the application operations results. Moreover, there are enough sensitive objects that a malware could access without any permissions, just be signed by vendors keys. Sometimes metadata embedded in files easy reveal GEO data or date by involving shared file access only. When applications are downloading, no one has a time to discuss with developer why they want to access one or another permission. Forensics techniques is no more provide with information through the logs, because OS vendors let developers store in application logs only debug information. Only ten percent API calls have strong privileges on BlackBerry, especially if it is BES BlackBerry device. The rest provides cross-application interception that usually need to manage own modules but as it mentioned above no one of OS divide calling functions to the friend of foe. It does not need modify system files or else to block internet connection; sometimes it is just effective to build a silent extension for native browser that filters desirable URLs, send POST/GET requests to steal data or receive bot-net commands. Any mobile OS boasts about of a sandbox like about user data privacy but protect only application data in reality while user data keep wide opened. RIM had a great security featured BES that allows to manipulate with mask to filter any potential unsafe connections

Copyright 2012 ICITST-2012 Technical Co-Sponsored by IEEE UK/RI Computer Chapter

487