
7th Kandroid Conference

The passion is not speed, but direction!

Google GMS (Google Mobile Services) [2]

2011. 3. 11.

www.kandroid.org (yangjeongsoo at gmail.com)

7th Kandroid Conference

1. Why GMS?
2. Setup
   - How to get GMS Apps?
   - Application Code Reverse Engineering
   - MITM(Man In The Middle) Attack
   - Network Protocol Guessing & Testing
   - Summary
3. GMS
   - GSF(Google Service Framework)
   - Google Services
   - Service Integration Technology
4. GMS
   - Network Traffic
   - Battery
   - Privacy
5. What is Android? and then

Why GMS?

What is the killer app?

"One of the things you're gonna witness is how Google's cloud services tie together all these different applications and all these different companies that are making devices in all these different segments."

7th Kandroid Conference - www.kandroid.org

Why GMS? To the best of our knowledge, this is the killer app.

[Figure: Android ecosystem timeline, 2007 to 2011. Tracks shown: Android SDK API level, AOSP branch (M, C, D, F), Android NDK revision, new technology, Open Handset Alliance (OHA), mobile operators (T-Mobile USA, SKT, KT, LGT), semiconductor companies (Qualcomm MSM7201a, Qualcomm Snapdragon, Samsung S5PC110), handset manufacturers and devices (G1, G2, G3, N1, SEC Galaxy-S, LGE/SEC, NS; see http://www.google.com/phone/). Issues marked along the timeline: Network Traffic Issue, MPCore Issue, Add-on API, CTS & Standard Issue, and finally Google GMS.]


Setup - 1 : How to get Google GMS?

- Partnership with Google Inc. : GMS / Document / Build Configuration
- Deodexing from a real device :
  http://kwangwoo.blogspot.com/2010/08/build-boot-and-system-images-for-nexus.html
- Unyaffs from an unknown source :
  http://www.kandroid.org/board/board.php?board=HTCDream&command=body&no=123
  Add-on site URL : http://www.kandroid.org/android/repository/kandroid_adp_api8r2.xml

Setup - 2 : Application Code Reverse Engineering

Tools:
- JAD (Java decompiler) : http://java.decompiler.free.fr/
- Dex2Jar : http://code.google.com/p/dex2jar/
- ApkTool : http://code.google.com/p/android-apktool/

[Figure: the APK build path and its reverse. Java classes are compiled to Dalvik (.dex) together with referenced libraries; XML resources are compiled and other resources pre-processed; with the manifest they are packed into an unsigned Android application (.apk), signed with jarsigner (keytool; debug key or custom key), zipaligned into the final zip-compressed file, installed with adb (pm) install and started with am start. In reverse, ApkTool unpacks the .apk and its resources, Dex2Jar turns the .dex back into Java classes, and JAD decompiles those into GMS app sources.]

Error? : Java Decompiler


Setup - 3 : MITM(Man In The Middle) Attack

[Figure: normally the device holds a TLS/SSL session directly with the Google Connection Server at mtalk.google.com. In the MITM attack (Man In The Middle) setup, a fake mtalk.google.com terminates the device's session with a fake TLS/SSL endpoint and opens its own TLS/SSL session to the real Google Connection Server, relaying between the two.]

Setup - 3 : MITM(Man In The Middle) Attack

1. Create the private CA key and a self-signed CA certificate:

> openssl genrsa -des3 -out MYCA.key 2040
> openssl req -new -key MYCA.key -x509 -days 1095 -out MYCA.crt

2. Create the server key and a certificate request carrying the target's subject:

> openssl genrsa -des3 -out fake_mtalk_cert.key
> openssl req -new -key fake_mtalk_cert.key -out fake_mtalk_cert.csr
=> subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mtalk.google.com

3. Sign the request with the CA and bundle certificate and key into one PEM file:

> openssl x509 -req -days 365 -in fake_mtalk_cert.csr -CA MYCA.crt -CAkey MYCA.key \
    -CAcreateserial -out fake_mtalk_cert.crt
> cat fake_mtalk_cert.crt fake_mtalk_cert.key > fake_mtalk_cert.pem

Setup - 3 : MITM(Man In The Middle) Attack

4. Gateway TLS/SSL context setup (OpenSSL, legacy API as used in the slide):

#include <stdio.h>
#include <stdlib.h>
#include <openssl/ssl.h>

#define PEM_FILE "fake_mtalk_cert.pem"   /* certificate + key bundle from step 3 */

static SSL_CTX *serv_ctx;   /* device-facing side: the gateway acts as the server */
static SSL_CTX *cli_ctx;    /* Google-facing side: the gateway acts as the client */

void mtalk_gw_serv_ssl_init(void)
{
    SSLeay_add_ssl_algorithms();
    if ((serv_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
        fprintf(stderr, "could not initialize server SSL_CTX structure\n");
        exit(1);
    }
    SSL_CTX_set_quiet_shutdown(serv_ctx, 1);
    SSL_CTX_set_session_cache_mode(serv_ctx, SSL_SESS_CACHE_OFF);
    /* the same PEM file holds both the private key and the certificate */
    if (!SSL_CTX_use_RSAPrivateKey_file(serv_ctx, PEM_FILE, SSL_FILETYPE_PEM)) {
        fprintf(stderr, "could not load RSA private key from [%s]\n", PEM_FILE);
        exit(1);
    }
    if (!SSL_CTX_use_certificate_file(serv_ctx, PEM_FILE, SSL_FILETYPE_PEM)) {
        fprintf(stderr, "could not load certificate from [%s]\n", PEM_FILE);
        exit(1);
    }
}

void mtalk_gw_cli_ssl_init(void)
{
    SSLeay_add_ssl_algorithms();
    if ((cli_ctx = SSL_CTX_new(SSLv3_client_method())) == NULL) {
        fprintf(stderr, "could not initialize client SSL_CTX structure\n");
        exit(1);
    }
    SSL_CTX_set_quiet_shutdown(cli_ctx, 1);
}


Setup - 4 : Network Protocol Guessing & Testing

Example : mtalk.proto file

message LoginRequest {
    required string id = 1;
    required string domain = 2;
    required string user = 3;
    required string resource = 4;
    required string token = 5;
    optional string deviceId = 6;
    optional int64 lastRmqId = 7;
    repeated Setting settings = 8;
    optional int32 compress = 9;
    repeated string persistentIds = 10;
    optional bool useRmq = 11;
    optional bool adaptiveHeartbeat = 12;
    optional HeartbeatStat heartbeatStat = 13;
    optional bool useRmq2 = 14;
}
...

Setup - 4 : Network Protocol Guessing & Testing

Source : http://code.google.com/p/protobuf/

1. Download the Protocol Buffer library.

2. Install Protocol Buffer:

> tar xvfz protobuf-2.3.0.tar.gz
> cd protobuf-2.3.0
> ./configure
> make install
> cd python
> python setup.py install

3. Sample code usage:
- create a sample proto file (e.g. mtalk.proto)
- protoc --python_out=. mtalk.proto (result : mtalk_pb2.py)
- write your testing code

Setup : Summary

[Figure: the complete test setup. A custom Android image with modified /system/etc/hosts and /system/etc/security/cacerts.bks talks TLS/SSL to a fake mtalk.google.com; that host's fake certificate is digitally signed by a fake CA server. MITM attack (Man In The Middle) at Ethernet: the fake endpoint terminates the device's fake TLS/SSL session and writes a packet log, which a custom Protocol Buffer deserializer turns into a packet report. MITM attack at Internet: the same host opens its own TLS/SSL session to the real Google Connection Server, mtalk.google.com.]


GMS - 2 : GSF(Google Service Framework)

Package : GoogleServicesFramework.apk
Process : com.google.android.gapps (includes its own Dalvik VM)

GSF Total Components : 60(+8)
- Activity : 39
- Service : 8
- ContentProvider : 4
  (android:grantUriPermissions : 1, path-permission : 1,
   android:readPermission : 4, android:writePermission : 4)
- BroadcastReceiver : 9(+8)

Permissions:
- permission-tree : 1
- permission : 54
- uses-permission : 55
- android:permission : 2

Intent : bundle of information
- Explicit : call class
- Implicit : IntentFilter : 26(+8), 9 Action, Data, Category

GMS - 2 : GSF(Google Service Framework)

Package layout (Sub Total : 60(+8) components):

com
+ android.common          : NetworkConnectivityListener, OperationScheduler
+ google
  + android
    + common              : gdata, http, Cvs, GoogleWebContentHelper, LoggingThreadedSyncAdapter
    + gsf
      + checkin
      + gservices
      + gtalkservice
      + service
      + login
      + loginservice
      + settings
      + subscribedfeeds
      + talk
      + update
    + gtalkservice
  + common                : base, collect, io.protocol
  + wireless.gdata        : client, data, parser, serializer, subscribedfeeds, GDataException
+ net.oauth               : signature, OAuth....
+ org.jivesoftware        : smack, smackx

GMS - 2 : GSF(Google Service Framework)

GSF : ContentProvider (4), with the GSF externals (other packages) that use each one

1. GService
   content://com.google.android.gsf.gservices
   content://com.google.android.gsf.gservices/prefix
   content://com.google.android.gsf.gservices/main
   content://com.google.android.gsf.gservices/override
   Externals : VoiceSearch, GoogleFeedback, GoogleQuickSearchBox, SetupWizard, Talk / Gmail,
   GoogleBackupTransport, GoogleContactsSyncAdapter, MediaUploader, NetworkLocation / Vending,
   GoogleCalendarSyncAdapter

2. Talk
   content://com.google.android.providers.talk/<path>
   Externals : Talk

3. Setting
   content://com.google.settings/partner
   Externals : VoiceSearch / GenieWidget, GoogleQuickSearchBox, GooglePartnerSetup,
   MapLibrary / Street, MediaUploader, NetworkLocation / Vending

4. Feeds
   content://subscribedfeeds/feeds
   content://subscribedfeeds/deleted_feeds
   Externals : Gmail, GoogleContactsSyncAdapter, GoogleCalendarSyncAdapter

GMS - 2 : GSF(Google Service Framework)

GSF : Service (8)

Services : DataMessageManager, CheckinService, EventLogService, SubscribedFeedsSyncAdapterService,
GTalkService, PushMessagingRegistrar, SystemUpdateService, SubscribedFeedsIntentService,
GoogleLoginService

GSF externals, i.e. how other packages reach these services
(A = action, B = binder interface, S = service/class, C = class name):

1. GoogleLoginService
   A: com.google.android.gsf.action.GET_GLS
   B: IGoogleLoginService
   A: android.intent.action.START_RESTORE, S:B: LoginActivityTask$4
   Used by : NetworkMonitor, SetupWizard

2. GTalkService
   S: ServiceAutoStarter
   B: ConnectionAuthErrorDialog
   C: IGTalkService.class.getName()
   B: IGTalkService
   Used by : Talk, Vending

3. PushMessagingRegistrar
   A: com.google.android.c2dm.intent.UNREGISTER
   S: .gtalkservice.PushMessagingRegistrar

GMS - 2 : GSF(Google Service Framework)

GSF : BroadcastReceiver 9(+8) : registered intent filters (A = action, C = category, D = data)

Actions (A):
android.accounts.LOGIN_ACCOUNTS_CHANGED
ACTION_BATTERY_CHANGED
ACTION_DEVICE_STORAGE_LOW
ACTION_DEVICE_STORAGE_OK
ACTION_BOOT_COMPLETED
ACTION_PRE_BOOT_COMPLETED
ACTION_DOWNLOAD_COMPLETED
ACTION_DOWNLOAD_NOTIFICATION_CLICKED
ACTION_SCREEN_OFF
ACTION_TIME_SET
ACTION_USER_PRESENT
android.net.conn.BACKGROUND_DATA_SETTING_CHANGED
android.net.conn.CONNECTIVITY_CHANGE
android.net.wifi.STATE_CHANGE
android.provider.Telephony.SECRET_CODE
android.server.checkin.CHECKIN
com.android.sync.SYNC_CONN_STATUS_CHANGED
com.google.android.GTalkService.NOTIFICATION_DELETED_ACTION
com.google.android.c2dm.intent.RECEIVE
com.google.android.intent.action.GTALK_HEARTBEAT
com.google.android.intent.action.GTALK_RECONNECT
com.google.gservices.intent.action.GSERVICES_CHANGED
com.google.gservices.intent.action.GSERVICES_OVERRIDE

Categories (C):
android.server.checkin.CHECKIN
com.google.android.gsf.subscribedfeeds

Data (D), secret codes delivered through android.provider.Telephony.SECRET_CODE:
android:scheme="android_secret_code" android:host="2432546"
android:scheme="android_secret_code" android:host="46"
android:scheme="android_secret_code" android:host="7867"


GMS - 3 : Google Services Overview

Google API                                           Service name
Google Analytics Data APIs                           analytics
Google Apps APIs (Domain Information & Management)   apps
Google Base Data API                                 gbase
Google Sites Data API                                jotspot
Blogger Data API                                     blogger
Book Search Data API                                 print
Calendar Data API                                    cl
Google Code Search Data API                          codesearch
Contacts Data API                                    cp
Documents List Data API                              writely
Finance Data API                                     finance
Gmail Atom feed                                      mail
Health Data API                                      health, weaver (H9 sandbox)
Maps Data APIs                                       local
Picasa Web Albums Data API                           lh2
Sidewiki Data API                                    annotateweb
Spreadsheets Data API                                wise
Webmaster Tools API                                  sitemaps
YouTube Data API                                     youtube
Google App Engine                                    ah

Source : http://code.google.com/apis/gdata/faq.html#clientlogin

GMS - 3 : Google Services Architecture

[Figure: Google services architecture diagram. Labels recoverable from the slide: "No CAPTCHA", "Mobile Proxy", "8. relay", "9. relay".]

GMS - 3 : Google Services QoS

Response code : description & solution

200 : OK

403 : Authentication error.
      Create a new AuthToken with ClientLogin.

503 : Service unavailable.
      Use multiple AuthTokens; use a cache; stop your request, sleep, then retry the request.
      Appropriate sleep time : 10 seconds x 503 error count.

400 : Bad request.
      Set the request properties with correct values.
      Send request data with base64.urlsafe_b64encode instead of base64.encodestring.

Request blocking : blocking of the account, blocking of the IP address.

No response : Black Hole Technology.
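The per-code handling in the QoS table, as an added example that is not from the slides: a small client-side policy that renews the AuthToken on 403, backs off on 503 by 10 seconds times the accumulated 503 count, refuses to retry a 400, and encodes the request body with base64.urlsafe_b64encode. The scripted `send` callable, the `refresh_token` stub and the recorded sleeps are constructed stand-ins for a real Google service and for a ClientLogin round-trip; the function and class names are mine.

```python
from __future__ import annotations
import base64
from dataclasses import dataclass, field
from typing import Callable, Iterator

SLEEP_PER_503 = 10  # seconds per accumulated 503 error, as the table recommends


def encode_request_data(raw: bytes) -> bytes:
    """Encode a request body the way the 400 row asks for: URL-safe base64.
    base64.encodestring()/encodebytes() would emit '+', '/' and a trailing
    newline, none of which survive a URL-encoded request intact."""
    return base64.urlsafe_b64encode(raw)


@dataclass
class Session:
    auth_token: str
    refresh_token: Callable[[], str]        # stands in for a ClientLogin round-trip
    sleep: Callable[[float], None]          # injected so tests never actually wait
    errors_503: int = 0                     # accumulated 503 count drives the backoff
    log: list = field(default_factory=list)


def request_with_policy(session: Session, send: Callable[[str, bytes], tuple[int, bytes]],
                        data: bytes, max_attempts: int = 6) -> bytes:
    """send(token, body) -> (status_code, payload). Applies the table's per-code
    handling and returns the payload of the first 200 response."""
    body = encode_request_data(data)
    for _ in range(max_attempts):
        code, payload = send(session.auth_token, body)
        if code == 200:
            session.errors_503 = 0
            return payload
        if code == 403:
            # Authentication error: obtain a fresh AuthToken and retry at once.
            session.log.append("403: new AuthToken via ClientLogin")
            session.auth_token = session.refresh_token()
        elif code == 503:
            # Service unavailable: stop, sleep 10 s x error count, then retry.
            session.errors_503 += 1
            delay = SLEEP_PER_503 * session.errors_503
            session.log.append(f"503: sleep {delay}s")
            session.sleep(delay)
        elif code == 400:
            # Bad request: resending the same bytes cannot help; fix the request first.
            raise ValueError("400 Bad request: check request properties and encoding")
        else:
            raise RuntimeError(f"unhandled status {code}")
    raise RuntimeError("gave up after repeated 503/403 responses")


def scripted_server(codes: list[int]) -> Callable[[str, bytes], tuple[int, bytes]]:
    """Constructed stand-in for the Google service: answers with the given status
    codes in order and, on 200, echoes the token and body it received."""
    it: Iterator[int] = iter(codes)

    def send(token: str, body: bytes) -> tuple[int, bytes]:
        code = next(it)
        return code, (b"ok:" + token.encode() + b":" + body) if code == 200 else b""
    return send


def demo() -> tuple[bytes, list[float], list[str], str]:
    """Run the policy against a 503, 503, 403, 200 script; returns the payload,
    the sleeps that were requested, the log and the token in use at the end."""
    sleeps: list[float] = []
    tokens = iter(["token-2"])
    session = Session(auth_token="token-1", refresh_token=lambda: next(tokens),
                      sleep=sleeps.append)
    payload = request_with_policy(session, scripted_server([503, 503, 403, 200]),
                                  b"\xfb\xff\xbf")
    return payload, sleeps, session.log, session.auth_token


def rejects_bad_request() -> bool:
    """A 400 must not be retried: the policy raises instead of looping."""
    session = Session(auth_token="t", refresh_token=lambda: "t", sleep=lambda s: None)
    try:
        request_with_policy(session, scripted_server([400, 200]), b"x")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

The sample body `b"\xfb\xff\xbf"` is chosen because its standard base64 form is `+/+/`; the URL-safe form `-_-_` is what the 400 row asks for.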

GMS - 4 : Service Integration Architecture

[Figure: Web-based side: the Google Cloud with the Google Account Server (authentication & authorization, www.google.com/accounts/) and Google services cl, cp, mail. Mobile (Android) side: GMS (Google Mobile Services) apps such as market and c2dm, and GSF, which keeps a heartbeat connection to the Google Mobile Connection Server, mtalk.google.com port 5228.]

GMS - 4 : Service Integration Heartbeat

Google Mobile Connection Server : mtalk.google.com, port 5228
TLS/SSL based packet encryption

Non-standard Protocol Buffer header:
1. Tag : 13 values (1 byte)
2. Length : (1 or 5(?) byte)

Gtalk core message types (tag : type):
 0 : HEARTBEAT_PING
 1 : HEARTBEAT_ACK
 2 : LOGIN_REQUEST
 3 : LOGIN_RESPONSE
 4 : CLOSE
 5 : MESSAGE_STANZA
 6 : PRESENCE_STANZA
 7 : IQ_STANZA
 8 : DATA_MESSAGE_STANZA
 9 : BATCH_PRESENCE_STANZA
10 : STREAM_ERROR_STANZA
11 : HTTP_REQUEST
12 : HTTP_RESPONSE

Gtalk extension message types, linked through the non-standard protocol message link (extension tag : type):
 1 : ROSTER_QUERY
 2 : RMQ_LAST_ID
 3 : RMQ_ACK
 4 : VCARD
 5 : SHARED_STATUS
 6 : CHAT_READ
 7 : CHAT_CLOSED
 8 : CAPABILITIES
 9 : OTR_QUERY
10 : IDLE
11 : POST_AUTH_BATCH_QUERY
12 : SELECTIVE_ACK
13 : STREAM_ACK
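The framing described on this slide (a one-byte tag, a length, then a protobuf payload) and the schema-guessing step of Setup - 4 can both be exercised with one small decoder. The following is an added example, not code from the slides or from Google: `parse_frames` splits a byte stream into tagged frames using the core tag table above, treating the length as a protobuf varint (an assumption that matches the 1-or-5-byte range the slide gives), and `scan_fields` walks each payload with no .proto file at all, listing the field numbers and wire types that a guessed schema such as mtalk.proto has to account for. The sample stream is constructed here: its LOGIN_REQUEST carries field 1 (id) and field 7 (lastRmqId) as numbered in the slide's mtalk.proto, and the last frame is deliberately cut short to show how a truncated capture is reported rather than silently dropped.

```python
from __future__ import annotations
from typing import Any

# Core message types from the slide, keyed by the 1-byte tag that leads a frame.
CORE_TYPES = {
    0: "HEARTBEAT_PING", 1: "HEARTBEAT_ACK", 2: "LOGIN_REQUEST", 3: "LOGIN_RESPONSE",
    4: "CLOSE", 5: "MESSAGE_STANZA", 6: "PRESENCE_STANZA", 7: "IQ_STANZA",
    8: "DATA_MESSAGE_STANZA", 9: "BATCH_PRESENCE_STANZA", 10: "STREAM_ERROR_STANZA",
    11: "HTTP_REQUEST", 12: "HTTP_RESPONSE",
}
WIRE_NAMES = {0: "varint", 1: "fixed64", 2: "length-delimited", 5: "fixed32"}


def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a protobuf base-128 varint at pos; return (value, position after it)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def encode_varint(value: int) -> bytes:
    """Inverse of read_varint; used here only to build the constructed sample."""
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def scan_fields(payload: bytes) -> list[tuple[int, str, Any]]:
    """List (field_number, wire_type, value) for a protobuf payload without a
    schema: this is exactly what is visible before a .proto has been guessed."""
    fields, pos = [], 0
    while pos < len(payload):
        key, pos = read_varint(payload, pos)
        number, wtype = key >> 3, key & 0x7
        if wtype == 0:
            value, pos = read_varint(payload, pos)
        elif wtype == 1:
            value, pos = int.from_bytes(payload[pos:pos + 8], "little"), pos + 8
        elif wtype == 2:
            length, pos = read_varint(payload, pos)
            value, pos = payload[pos:pos + length], pos + length
            if len(value) != length:
                raise ValueError(f"field {number}: length-delimited value truncated")
        elif wtype == 5:
            value, pos = int.from_bytes(payload[pos:pos + 4], "little"), pos + 4
        else:
            raise ValueError(f"field {number}: unsupported wire type {wtype}")
        if pos > len(payload):
            raise ValueError(f"field {number}: fixed-width value truncated")
        fields.append((number, WIRE_NAMES[wtype], value))
    return fields


def parse_frames(stream: bytes) -> list[dict[str, Any]]:
    """Split a captured stream into frames: tag byte, varint length, payload.
    A trailing partial frame is returned with truncated=True so that a capture
    which ended mid-message shows up in the packet report."""
    frames: list[dict[str, Any]] = []
    pos = 0
    while pos < len(stream):
        tag = stream[pos]
        name = CORE_TYPES.get(tag, f"UNKNOWN_TAG_{tag}")
        try:
            length, start = read_varint(stream, pos + 1)
        except ValueError:
            frames.append({"tag": tag, "type": name, "truncated": True})
            break
        body = stream[start:start + length]
        if len(body) < length:
            frames.append({"tag": tag, "type": name, "length": length, "truncated": True})
            break
        frames.append({"tag": tag, "type": name, "length": length,
                       "fields": scan_fields(body), "truncated": False})
        pos = start + length
    return frames


def _ld(number: int, data: bytes) -> bytes:      # length-delimited field (wire type 2)
    return encode_varint((number << 3) | 2) + encode_varint(len(data)) + data


def _vi(number: int, value: int) -> bytes:       # varint field (wire type 0)
    return encode_varint(number << 3) + encode_varint(value)


def frame(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + encode_varint(len(payload)) + payload


# Constructed sample capture: LOGIN_REQUEST(id="id-1", lastRmqId=300), HEARTBEAT_PING
# with an empty payload, then a MESSAGE_STANZA cut off after 2 of its 16 bytes.
SAMPLE_STREAM = (frame(2, _ld(1, b"id-1") + _vi(7, 300))
                 + frame(0, b"")
                 + b"\x05\x10\x01\x02")

if __name__ == "__main__":
    for f in parse_frames(SAMPLE_STREAM):
        print(f)
```

Field numbers 1 and 7 come out of `scan_fields` as a length-delimited value and a varint, which is the observation that lets one write `required string id = 1;` and `optional int64 lastRmqId = 7;` into a guessed mtalk.proto.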

GMS - 4 : Service Integration Case Study #1

Android Market client update issues:
- Security problem
- Async application installation hacked
- Protocol buffer reverse engineering

GMS - 4 : Service Integration Case Study #2

[Figure: C2DM signup and message flow. Developer side: create a new Gmail account, C2DM signup, request an auth token for C2DM (ac2dm), receive the auth token, publish your application. Device side: the app registers with the C2DM server, receives a registration ID and sends the registration ID to the application server; the server then sends messages through C2DM to the app (step 9, "send message").]


GMS - 5 : Network Traffic

GTalk diagnostics receiver in GSF, reached through a dialer secret code:

<receiver android:name="GTalkDiagnosticsBroadcastReceiver">
    <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE" />
        <data android:scheme="android_secret_code" android:host="8255" />
    </intent-filter>
</receiver>

Packet counts by type:

Type          Sub type        Count   Count(%)   Size(%)
connection    heartbeat        22      9%         0%
connection    login            27     12%        12%
data message  GSYNC_TICKLE     45     20%        13%
data message  INSTALL_ASSET            0%         1%
talk          chat                     0%         0%
talk          iq               87     39%        25%
talk          presence         21      9%        46%

GMS - 5 : Network Traffic

[Figure: packet size in bytes (after SSL strip) plotted against the packet traffic sequence, 1 to 431. Env : Emulator, new Gmail account, 2 entries in the buddy list. The y-axis runs 50 to 500 bytes and the heartbeat data-traffic threshold is marked.]

GMS - 5 : Network Traffic

[Figure: the same plot for Env : real device, existing Gmail account, many entries in the buddy list; packet traffic sequence 13 to 235, y-axis 50 to 450 bytes, heartbeat data-traffic threshold marked.]

GMS - 5 : Battery

What costs the most?
- Waking up in the background
- Bulk data transfer

Takeaways:
- Use an efficient parser and GZIP
- Use <receiver> and AlarmManager (not a daemon)
- Wait for a better network/battery state for bulk transfers

Source : Google I/O 2009

GMS - 5 : Privacy

message CheckinRequest {
    message Build {
        optional bytes fingerprint = 1;
        optional bytes hardware = 2;
        optional bytes brand = 3;
        optional bytes radio = 4;
        optional bytes bootloader = 5;
        optional bytes client_id = 6;
        optional int64 time = 7;
        optional int32 version = 8;
        optional bytes device = 9;
    }

    optional bytes deviceId = 1;
    optional int64 cr2 = 2;
    optional bytes cr3 = 3;
    required Checkin checkin = 4;
    optional bytes cr5 = 5;
    optional bytes locale = 6;
    optional int64 id = 7;
    optional bytes cr8 = 8;
    optional bytes macaddress = 9;
    optional bytes cr10 = 10;
    repeated bytes accountInfo = 11;
    optional bytes timezone = 12;
    optional int64 cr13 = 13;
    optional int32 cr14 = 14;
    repeated bytes cr15 = 15;
}

message Checkin {
    optional CheckinRequest.Build build = 1;
    optional int64 check2 = 2;
    repeated Event event = 3;
    repeated Statistic statistics = 4;
    repeated bytes check5 = 5;
    optional bytes networkOperator = 6;
    optional bytes simOperator = 7;
    optional bytes networkInfo = 8;

    message Event {
        required bytes event1 = 1;
        optional bytes event2 = 2;
        optional int64 event3 = 3;
    }

    message Statistic {
        required bytes stat1 = 1;
        optional int32 stat2 = 2;
        optional float stat3 = 3;
    }
}
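A privacy review of a reverse-engineered schema like this one starts by listing what each message carries. As an added example, not from the slides, the following parses the proto2 text above (embedded here as the sample input, with `Build` referenced by its qualified name so the schema is valid), rejects unbalanced braces and duplicate field numbers, and then separates the fields whose names identify the device or account from the fields whose meaning is still unresolved (the `crN`, `checkN`, `eventN` and `statN` placeholders). The name lists and helper names are mine.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# The CheckinRequest schema from the slide (proto2), embedded as the sample input.
CHECKIN_PROTO = """
message CheckinRequest {
  message Build { optional bytes fingerprint = 1; optional bytes hardware = 2; optional bytes brand = 3;
                  optional bytes radio = 4; optional bytes bootloader = 5; optional bytes client_id = 6;
                  optional int64 time = 7; optional int32 version = 8; optional bytes device = 9; }
  optional bytes deviceId = 1; optional int64 cr2 = 2; optional bytes cr3 = 3; required Checkin checkin = 4;
  optional bytes cr5 = 5; optional bytes locale = 6; optional int64 id = 7; optional bytes cr8 = 8;
  optional bytes macaddress = 9; optional bytes cr10 = 10; repeated bytes accountInfo = 11;
  optional bytes timezone = 12; optional int64 cr13 = 13; optional int32 cr14 = 14; repeated bytes cr15 = 15;
}
message Checkin {
  optional CheckinRequest.Build build = 1; optional int64 check2 = 2; repeated Event event = 3;
  repeated Statistic statistics = 4; repeated bytes check5 = 5; optional bytes networkOperator = 6;
  optional bytes simOperator = 7; optional bytes networkInfo = 8;
  message Event { required bytes event1 = 1; optional bytes event2 = 2; optional int64 event3 = 3; }
  message Statistic { required bytes stat1 = 1; optional int32 stat2 = 2; optional float stat3 = 3; }
}
"""

TOKEN_RE = re.compile(
    r"message\s+(\w+)\s*\{"                                               # open a message
    r"|(\})"                                                              # close a message
    r"|(required|optional|repeated)\s+([\w.]+)\s+(\w+)\s*=\s*(\d+)\s*;"   # one field
    r"|(\S)")                                                             # anything else: error


@dataclass(frozen=True)
class Field:
    message: str   # dotted path of the enclosing message, e.g. "Checkin.Event"
    label: str
    type: str
    name: str
    number: int


def parse_proto(text: str) -> list[Field]:
    """Minimal proto2 message/field parser: tracks nesting with a stack and
    rejects unbalanced braces and duplicate field numbers within a message."""
    text = re.sub(r"//[^\n]*", "", text)   # strip line comments
    fields, stack, seen = [], [], set()
    for m in TOKEN_RE.finditer(text):
        if m.group(1):
            stack.append(m.group(1))
        elif m.group(2):
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif m.group(3):
            if not stack:
                raise ValueError(f"field {m.group(5)} outside any message")
            path, number = ".".join(stack), int(m.group(6))
            if (path, number) in seen:
                raise ValueError(f"duplicate field number {number} in {path}")
            seen.add((path, number))
            fields.append(Field(path, m.group(3), m.group(4), m.group(5), number))
        else:
            raise ValueError(f"unexpected token {m.group(7)!r} at offset {m.start()}")
    if stack:
        raise ValueError(f"unterminated message {'.'.join(stack)}")
    return fields


# Names that identify the device, the SIM/network or the account (my classification).
IDENTIFYING = {"deviceId", "id", "macaddress", "accountInfo", "simOperator", "networkOperator"}
# Placeholder names the reverse engineering left unresolved.
UNRESOLVED_RE = re.compile(r"^(cr|check|event|stat)\d+$")


def privacy_inventory(fields: list[Field]) -> dict[str, list[str]]:
    return {
        "messages": sorted({f.message for f in fields}),
        "identifying": [f"{f.message}.{f.name}" for f in fields if f.name in IDENTIFYING],
        "unresolved": [f"{f.message}.{f.name}" for f in fields if UNRESOLVED_RE.match(f.name)],
    }


def is_valid_proto(text: str) -> bool:
    try:
        parse_proto(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for key, items in privacy_inventory(parse_proto(CHECKIN_PROTO)).items():
        print(key, items)
```

The "unresolved" list is the review's to-do list: every `crN` or `checkN` field is data the device sends whose meaning nobody has established yet, which is as much a privacy finding as the identifying fields are.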


What is Android? and then.

vs. Pirates Of Silicon Valley, 1999

Steve Jobs : What is this?

Alan Kay

Bill Gates : Get real, will you? You and I are both like guys that have this rich neighbor... Xerox... that left the door open all the time.

7th Kandroid Conference

Q&A

www.kandroid.org
