Tuesday, November 20, 2012

Security? In My Phone?

After a few days of having my Android MLP Hacker App in the wild, I received quite a few reports of it working successfully, while I received several more of it not working at all. After looking through the comments, the common problem was that the app was unable to open the game's save file, and all of the effected users had devices running Android 4.1 or 4.2 (at the time of writing, 4.2 is the most current version of Android).

With that information in hand, I quick Google search unveiled what was happening. As security researcher Zach Lanier points out, it is a common security pitful in Android apps to save files with world-writable permissions since the default umask in Android is 000. This is precisely the pitfall the MLP game fell in to, and is the vulnerability my app was exploiting since world-writable permissions enabled it to rewrite the game's save file.

However, in the above post, Lanier cites a message from Nick Kralevich on the Android security team informing him that Android 4.1 changes the default umask 077. Thus on such devices the game's save file is no longer world-writable (or even readable); hence why there were people unable to use my app.


At the end of the day, this is a good thing for security (for example, you don't really want every application you run to exploit this and discover all the contacts you've added to your MLP game, do you?), even if it does make it more difficult to run my app.

The manage this problem, I've updated the app (link in the original blog post has been updated) to use root permissions to reset the save game file to world-writable permissions (only in the event that the save file is not already writable, so those running Android 4.0 and earlier should be unaffected). This does, however, of course require a rooted device.


Those with an un-rooted device running Android 4.1 or newer will unfortunately not be able to use the native app. However, it is still possible to hack your save file by manually pulling it off the device with ADB, modifying it, and pushing it back again with ADB. Detailed instructions to come.

6 comments:

  1. Is that even posible with an unrooted phone on 4.1? I mean I tried remount,rw and chmod in every possible way on that folder/file the best reply I got that I didnt have any permission to change it to R/W.

    ReplyDelete
  2. I have a non-rooted galaxy nexus running 4.2 and I tried your ADB/perl script instructions and couldn't get it to work (bad permissions). Is there a different procedure for ADB pull/push per this security update stuff?

    ReplyDelete
    Replies
    1. The same security seems to prevent using "adb pull". I've found that "adb backup" followed by use of the Android Backup Extractor will work, though. http://sourceforge.net/projects/adbextractor/

      I'm looking to move my save from my Nexus 7 on 4.2 to my new Nook HD+ on what appears to be ICS (neither rooted), but have only just started. I'll comment back here in a few days with what I find.

      Delete
  3. Hello , please go to http://www.magicios.org/topic/3180-gameloft/ and contact Mila432 .

    ReplyDelete
  4. Dude, that is some serious knowledge you have. Did you major in programming in college or learn all this own your own? I would love to learn this stuff, but schools are so expensive now.

    Chris

    ReplyDelete