2011. 3. 11.
1. : Why GMS?
2. Setup
- How to get GMS Apps?
- Application Code Reverse Engineering
- MITM(Man In The Middle) Attack
- Network Protocol Guessing & Testing
- Summary
3. GMS
- GSF(Google Service Framework)
- Google Services
- Service Integration Technology
4. GMS
- Network Traffic
- Battery
- Privacy
5. : What is Android? and then
: Why GMS?
"One of the things you're gonna witness is how Google's cloud services tie together all these different applications and all these different companies that are making devices in all these different segments."
: Why GMS? To the best of our knowledge, this is the killer app.
[Figure: Android platform timeline, 2007-2011. Rows: Android SDK API level (1 through 11), AOSP branch (M, C, D, F), Android NDK revision (1 through 5b), New Technology, Open Handset Alliance (OHA), Mobile Operators (T-Mobile USA, SKT, KT, LGT), Semiconductor Companies (Qualcomm MSM7201a, Qualcomm Snapdragon, Samsung S5PC110; MPCore issue), Handset Manufacturers (G1, G2, G3, N1, Galaxy-S, NS; SEC, LGE/SEC), Add-on API, CTS & Standard Issue. Reference: http://www.google.com/phone/]
? Google GMS
[Diagram: how to get and rebuild GMS apps. Decompile: GMS Apps (.apk) -> Dex2Jar (http://code.google.com/p/dex2jar/) -> JAD -> Java sources; ApkTool (http://code.google.com/p/android-apktool/) recovers the Manifest, XML resources and other resources. Rebuild: Java classes + referenced libs -> Dalvik (.dex); XML and other resources are pre-processed and compiled; Manifest + .dex + resources -> unsigned Android application (.apk, a zip-compressed file) -> jarsigner with a debug key or custom key (keytool) -> zipalign -> adb (pm) install -> am start.]
[Diagram: MITM attack (Man In The Middle). Normal path: device -> TLS/SSL -> mtalk.google.com (Google Connection Server). Intercepted path: device -> fake TLS/SSL -> fake mtalk.google.com -> TLS/SSL -> the real mtalk.google.com (Google Connection Server).]
message LoginRequest {
required string id = 1;
required string domain = 2;
required string user = 3;
required string resource = 4;
required string token = 5;
optional string deviceId = 6;
optional int64 lastRmqId = 7;
repeated Setting settings = 8;
optional int32 compress = 9;
repeated string persistentIds = 10;
optional bool useRmq = 11;
optional bool adaptiveHeartbeat = 12;
optional HeartbeatStat heartbeatStat = 13;
optional bool useRmq2 = 14;
}
Source : http://code.google.com/p/protobuf/
Setup : Summary
[Diagram: MITM attack (Man In The Middle) at Ethernet and at Internet. A custom Android image has /system/etc/hosts pointing mtalk.google.com at the fake server and the fake CA added to /system/etc/security/cacerts.bks. A fake CA server digitally signs a fake certificate for the fake mtalk.google.com, which terminates the device's fake TLS/SSL session and opens its own TLS/SSL session to the real mtalk.google.com (Google Connection Server). The packet log feeds a custom Protocol Buffer deserializer that produces the packet report.]
7th Kandroid Conference - www.kandroid.org
Package : GoogleServicesFramework.apk
Process : com.google.android.gapps (Dalvik VM)
permission-tree : 1
permission : 54
uses-permission : 55
Activity : 39
Service : 8
BroadcastReceiver : 9 (+8)
ContentProvider : 4
android:grantUriPermissions : 1
path-permission : 1
android:permission : 2
android:readPermission : 4
android:writePermission : 4
[Diagram: GSF internal packages and component counts. Utility classes: NetworkConnectivityListener, OperationScheduler. Packages: gdata, http, Cvs, GoogleWebContentHelper, LoggingThreadedSyncAdapter; base, collect, io.protocol; client, data, parser, serializer, subscribedfeeds, GDataException; signature, OAuth....; smack, smackx. Component counts as in the manifest summary: Activity 39, BroadcastReceiver 9 (+8), ContentProvider 4 (+1).]
GSF Externals
GService content providers:
content://com.google.android.gsf.gservices
content://com.google.android.gsf.gservices/prefix
content://com.google.android.gsf.gservices/main
content://com.google.android.gsf.gservices/override
  used by VoiceSearch, GoogleFeedback, GoogleQuickSearchBox, SetupWizard, Talk / Gmail, GoogleBackupTransport, GoogleContactsSyncAdapter, MediaUploader, NetworkLocation / Vending, GoogleCalendarSyncAdapter
Talk content provider:
content://com.google.android.providers.talk/<path>
  used by Talk
Setting content provider:
content://com.google.settings/partner
  used by VoiceSearch / GenieWidget, GoogleQuickSearchBox, GooglePartnerSetup, MapLibrary / Street, MediaUploader, NetworkLocation / Vending
Feeds content provider:
content://subscribedfeeds/feeds
content://subscribedfeeds/deleted_feeds
  used by Gmail, GoogleContactsSyncAdapter, GoogleCalendarSyncAdapter
GSF Externals
A: com.google.android.gsf.action.GET_GLS / B: IGoogleLoginService (NetworkMonitor, SetupWizard)
A: android.intent.action.START_RESTORE / S:B: LoginActivityTask$4
S: ServiceAutoStarter
B: ConnectionAuthErrorDialog
C: IGTalkService.class.getName() / B: IGTalkService (Talk, Vending)
A: com.google.android.c2dm.intent.UNREGISTER / S: .gtalkservice.PushMessagingRegistrar
GSF services: DataMessageManager, CheckinService, EventLogService, SubscribedFeedsSyncAdapterService, GTalkService, PushMessagingRegistrar, SystemUpdateService, SubscribedFeedsIntentService, GoogleLoginService
GSF BroadcastReceiver intent filters (A: action, C: category, D: data)
A: android.accounts.LOGIN_ACCOUNTS_CHANGED
A: ACTION_BATTERY_CHANGED
A: ACTION_DEVICE_STORAGE_LOW
A: ACTION_DEVICE_STORAGE_OK
A: ACTION_BOOT_COMPLETED
A: ACTION_PRE_BOOT_COMPLETED
A: ACTION_DOWNLOAD_COMPLETED
A: ACTION_DOWNLOAD_NOTIFICATION_CLICKED
A: ACTION_SCREEN_OFF
A: ACTION_TIME_SET
A: ACTION_USER_PRESENT
A: android.net.conn.BACKGROUND_DATA_SETTING_CHANGED
A: android.net.conn.CONNECTIVITY_CHANGE
A: android.net.wifi.STATE_CHANGE
A: android.provider.Telephony.SECRET_CODE
A: android.server.checkin.CHECKIN
A: com.android.sync.SYNC_CONN_STATUS_CHANGED
A: com.google.android.GTalkService.NOTIFICATION_DELETED_ACTION
A: com.google.android.c2dm.intent.RECEIVE
A: com.google.android.intent.action.GTALK_HEARTBEAT
A: com.google.android.intent.action.GTALK_RECONNECT
A: com.google.gservices.intent.action.GSERVICES_CHANGED
A: com.google.gservices.intent.action.GSERVICES_OVERRIDE
C: android.server.checkin.CHECKIN
C: com.google.android.gsf.subscribedfeeds
D: android:scheme="android_secret_code" android:host="2432546"
D: android:scheme="android_secret_code" android:host="46"
D: android:scheme="android_secret_code" android:host="7867"
setup_wizard_title
gls_ui_activity___
ClientLogin service names: analytics, apps, gbase, jotspot, blogger, print, cl, codesearch, cp, writely, finance, mail, health, weaver (H9 sandbox), local, lh2, annotateweb, wise, sitemaps, Youtube, ah
Source : http://code.google.com/apis/gdata/faq.html#clientlogin
[Diagram: ClientLogin from the device goes through a mobile proxy and gets no CAPTCHA; relay steps 8 and 9.]
Response Code | Meaning | Handling
200 | OK | -
403 | Authentication Error | Create a new AuthToken with ClientLogin
503 | Service Unavailable | Use multiple AuthTokens; use the cache; stop your request, sleep, retry the request (appropriate sleep time : 10 seconds x 503 error count)
400 | Bad request | Set the request properties with correct values; send request data with base64.urlsafe_b64encode instead of base64.encodestring
Request Blocking | Blocking account, blocking IP address | No response
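The handling rules in the table above, as an added example (not code from the slides): a small Python client wrapper that applies them against a scripted transport. The send/get_token callables, the token strings and the response sequence are constructed here; the 10 seconds x 503-count sleep and the URL-safe base64 body are the slide's rules.

```python
import base64
import time

# Slide rules: 403 -> fresh AuthToken via ClientLogin; 503 -> sleep
# 10 s x (503s seen so far) and retry; 400 -> fix the request, no retry.
BACKOFF_UNIT_SECONDS = 10

def encode_body(raw: bytes) -> bytes:
    """URL-safe base64: no '+', '/' or the newlines encodestring() inserted."""
    return base64.urlsafe_b64encode(raw)

def legacy_body(raw: bytes) -> bytes:
    """What base64.encodestring() (renamed encodebytes) produced, for contrast."""
    return base64.encodebytes(raw)

def body_is_urlsafe(body: bytes) -> bool:
    return not any(bad in body for bad in (b"+", b"/", b"\n"))

def call_with_retries(send, get_token, max_attempts=5, sleep=time.sleep):
    """send(token) -> (status, body); get_token() -> AuthToken from ClientLogin.
    Returns (status, body, attempts_used, total_seconds_slept)."""
    token = get_token()
    n503 = slept = 0
    status, body = None, b""
    for attempt in range(1, max_attempts + 1):
        status, body = send(token)
        if status == 200:
            return status, body, attempt, slept
        if status == 403:
            token = get_token()                   # re-run ClientLogin
        elif status == 503:
            n503 += 1
            wait = BACKOFF_UNIT_SECONDS * n503    # 10 s, 20 s, 30 s, ...
            sleep(wait)
            slept += wait
        elif status == 400:
            raise ValueError("400: fix request properties/body encoding first")
        else:
            raise RuntimeError(f"unexpected status {status}")
    return status, body, max_attempts, slept

def demo():
    """Constructed transport (no network): 503, 503, 403, then 200."""
    responses = iter([(503, b""), (503, b""), (403, b"Error=BadAuth"), (200, b"ok")])
    tokens = iter(["token-A", "token-B"])
    return call_with_retries(lambda tok: next(responses), lambda: next(tokens),
                             sleep=lambda secs: None)
```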
[Diagram: Google Cloud services (cl, cp, mail and the other mobile (Android) based Google services) are reached through GSF; GSF keeps a heartbeat to the Google Mobile Connection Server at mtalk.google.com port 5228.]
Non-Standard Protocol Buffer Header
1. Tag : 13 (1 byte)
2. Length : (1 or 5(?) byte)
Message tags (0-12):
0 : HEARTBEAT_PING
1 : HEARTBEAT_ACK
2 : LOGIN_REQUEST
3 : LOGIN_RESPONSE
4 : CLOSE
5 : MESSAGE_STANZA
6 : PRESENCE_STANZA
7 : IQ_STANZA
8 : DATA_MESSAGE_STANZA
9 : BATCH_PRESENCE_STANZA
10 : STREAM_ERROR_STANZA
11 : HTTP_REQUEST
12 : HTTP_RESPONSE
Sub types (1-13):
1 : ROSTER_QUERY
2 : RMQ_LAST_ID
3 : RMQ_ACK
4 : VCARD
5 : SHARED_STATUS
6 : CHAT_READ
7 : CHAT_CLOSED
8 : CAPABILITIES
9 : OTR_QUERY
10 : IDLE
11 : POST_AUTH_BATCH_QUERY
12 : SELECTIVE_ACK
13 : STREAM_ACK
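Added example, not from the slides, that puts the framing above together with the LoginRequest .proto from the Setup section: encode a LOGIN_REQUEST frame (1-byte tag, varint length, protobuf body) and parse it back. Encoding the length as a protobuf varint is an assumption drawn from the "1 or 5 byte" note; the tag numbers and the LoginRequest field numbers are the slides'.

```python
MESSAGE_TAGS = {0: "HEARTBEAT_PING", 1: "HEARTBEAT_ACK", 2: "LOGIN_REQUEST",
                3: "LOGIN_RESPONSE", 4: "CLOSE", 5: "MESSAGE_STANZA",
                6: "PRESENCE_STANZA", 7: "IQ_STANZA", 8: "DATA_MESSAGE_STANZA",
                9: "BATCH_PRESENCE_STANZA", 10: "STREAM_ERROR_STANZA",
                11: "HTTP_REQUEST", 12: "HTTP_RESPONSE"}
TAG_BY_NAME = {name: tag for tag, name in MESSAGE_TAGS.items()}

def encode_varint(n: int) -> bytes:
    """Base-128 varint: low 7 bits first, high bit set while more bytes follow."""
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)

def decode_varint(buf: bytes, pos: int):
    """Returns (value, next_pos); refuses a length varint longer than 5 bytes."""
    value, shift = 0, 0
    for i in range(5):
        b = buf[pos + i]
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos + i + 1
        shift += 7
    raise ValueError("length varint longer than 5 bytes")

def proto_string(field_no: int, value: str) -> bytes:
    """One proto2 string field: key=(field_no<<3)|2, varint length, UTF-8 data."""
    data = value.encode("utf-8")
    return encode_varint((field_no << 3) | 2) + encode_varint(len(data)) + data

def login_request(id_, domain, user, resource, token) -> bytes:
    """Required string fields 1-5 of the LoginRequest .proto on the slide."""
    return b"".join(proto_string(n, v) for n, v in
                    enumerate((id_, domain, user, resource, token), start=1))

def encode_frame(name: str, payload: bytes) -> bytes:
    """1-byte message tag, varint payload length, then the protobuf payload."""
    return bytes([TAG_BY_NAME[name]]) + encode_varint(len(payload)) + payload

def decode_frame(buf: bytes):
    """Returns (message name, payload, bytes consumed); rejects bad/short frames."""
    if not buf or buf[0] not in MESSAGE_TAGS:
        raise ValueError("unknown message tag")
    length, pos = decode_varint(buf, 1)
    if pos + length > len(buf):
        raise ValueError("truncated frame")
    return MESSAGE_TAGS[buf[0]], buf[pos:pos + length], pos + length
```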
Security problem
Async application installation hacked
Protocol buffer reverse engineering
[Diagram: C2DM signup and message flow. Create a new Gmail account, sign up for C2DM and receive the auth token; publish your application; the app on the device receives a registration ID and sends it to your application server; the server sends the message through C2DM to the app.]
<receiver android:name="GTalkDiagnosticsBroadcastReceiver">
    <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE" />
        <data android:scheme="android_secret_code" android:host="8255" />
    </intent-filter>
</receiver>
Packet types: connection, data, message, talk
Sub Type      | Packet Count | Count(%) | Size(%)
heartbeat     | 22           | 9 %      | 0 %
login         | 27           | 12 %     | 12 %
GSYNC_TICKLE  | 45           | 20 %     | 13 %
INSTALL_ASSET |              | 0 %      | 1 %
chat          |              | 0 %      | 0 %
iq            | 87           | 39 %     | 25 %
presence      | 21           | 9 %      | 46 %
[Chart: Heartbeat Data Traffic Threshold, y axis 50-500, x axis 1-431]
[Chart: Heartbeat Data Traffic Threshold, y axis 50-450, x axis 13-235]
GMS - 5 : Battery
GMS - 5 : Privacy
message CheckinRequest {
  message Build {
    optional bytes fingerprint = 1;
    optional bytes hardware = 2;
    optional bytes brand = 3;
    optional bytes radio = 4;
    optional bytes bootloader = 5;
    optional bytes client_id = 6;
    optional int64 time = 7;
    optional int32 version = 8;
    optional bytes device = 9;
  }
}

message Checkin {
  optional CheckinRequest.Build build = 1;  // Build is nested in CheckinRequest above
  optional int64 check2 = 2;
  repeated Event event = 3;
  repeated Statistic statistics = 4;
  repeated bytes check5 = 5;
  optional bytes networkOperator = 6;
  optional bytes simOperator = 7;
  optional bytes networkInfo = 8;

  message Event {
    required bytes evnet1 = 1;
    optional bytes evnet2 = 2;
    optional int64 evnet3 = 3;
  }

  message Statistic {
    required bytes stat1 = 1;
    optional int32 stat2 = 2;
    optional float stat3 = 3;
  }
}
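Added example, not the presenter's deserializer: a schema-driven proto2 wire-format decoder that lists what a checkin message carries, using the field tables above (names follow the slide, including its evnet1/stat1 placeholders). SAMPLE_CHECKIN is a constructed message, not a real capture; unknown field numbers are kept rather than dropped, so a report shows every field the device sent.

```python
import struct
BUILD = {1: ("fingerprint", "bytes"), 2: ("hardware", "bytes"), 3: ("brand", "bytes"),
         4: ("radio", "bytes"), 5: ("bootloader", "bytes"), 6: ("client_id", "bytes"),
         7: ("time", "varint"), 8: ("version", "varint"), 9: ("device", "bytes")}
EVENT = {1: ("evnet1", "bytes"), 2: ("evnet2", "bytes"), 3: ("evnet3", "varint")}
STATISTIC = {1: ("stat1", "bytes"), 2: ("stat2", "varint"), 3: ("stat3", "float")}
CHECKIN = {1: ("build", BUILD), 2: ("check2", "varint"), 3: ("event", EVENT),
           4: ("statistics", STATISTIC), 5: ("check5", "bytes"),
           6: ("networkOperator", "bytes"), 7: ("simOperator", "bytes"),
           8: ("networkInfo", "bytes")}
REPEATED = {"event", "statistics", "check5"}   # 'repeated' fields in the .proto
def decode_varint(buf: bytes, pos: int):
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
def decode_message(buf: bytes, schema: dict) -> dict:
    """Walk proto2 wire format with a field table (nested tables recurse);
    unknown field numbers are kept as unknown_<n> so nothing is hidden."""
    out, pos = {}, 0
    while pos < len(buf):
        key, pos = decode_varint(buf, pos)
        field_no, wire = key >> 3, key & 7
        if wire == 0:                                   # varint
            raw, pos = decode_varint(buf, pos)
        elif wire in (2, 5):                            # length-delimited / fixed32
            length, pos = decode_varint(buf, pos) if wire == 2 else (4, pos)
            raw, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"unsupported wire type {wire} at field {field_no}")
        name, kind = schema.get(field_no, (f"unknown_{field_no}", "raw"))
        if isinstance(kind, dict):
            raw = decode_message(raw, kind)
        elif kind == "float":
            raw = struct.unpack("<f", raw)[0]
        elif kind == "bytes":
            raw = raw.decode("utf-8", "replace")
        if name in REPEATED:
            out.setdefault(name, []).append(raw)
        else:
            out[name] = raw
    return out
# Constructed sample (not a capture): Build, one Event, one Statistic, operators.
SAMPLE_CHECKIN = (b"\x0a\x0d" b"\x0a\x03" b"x/y" b"\x1a\x04" b"acme" b"\x40\x08"
                  b"\x1a\x06" b"\x0a\x04" b"boot" b"\x22\x0a" b"\x0a\x03" b"cpu"
                  b"\x1d\x00\x00\xc0\x3f" b"\x32\x05" b"45005" b"\x3a\x05" b"45005")
```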
Steve Jobs : What is this?
Bill Gates : Get real, will you? You and I are both like guys that have this rich neighbor... Xerox... that left the door open all the time.
Alan Kay
Q&A
www.kandroid.org