Network Security

Volume 2014, Issue 11, November 2014, Pages 5-9

Feature
Android scraping: accessing personal data on mobile devices

https://doi.org/10.1016/S1353-4858(14)70111-4

Android devices hold a great deal of personal user data. Accessing that data, particularly if the device has been restored to factory settings, should be relatively difficult. But there are numerous ways to exploit the Android operating system – exploits that can be used to trick these devices into surrendering their secrets.

Android devices hold a great deal of personal user data and so accessing it should be relatively difficult. But there are numerous ways to exploit the Android operating system.

Ken Munro of Pen Test Partners takes us through the steps necessary to uncover the PIN codes and normally inaccessible (and usually very personal) data held on an Android device. While some of these steps require more than average skills, the investment in equipment is very modest.

Section snippets

Cable-based attacks

There are plenty of ‘fixed’ wire-based attack routes to hacking Android, many of which allow the hacker to both gain access and make changes to the security settings of the device. A key tool is Android Debug Bridge (ADB) which is intended primarily for Android developers to debug their application code. It's also used if you want to ‘root’ your device, maybe to install ‘cracked’ apps from dodgy sources or have deeper access to the handset. If you are lucky then you might find ADB enabled.

ADB PIN crack

In many respects, it's far better to crack the PIN rather than to delete it as the hacker will then be able to decrypt the keychain, which might provide access to VPN credentials, wifi pre-shared keys and any other application data protected by the keychain. A four-digit PIN can be cracked by brute force in about 14 hours. The ‘Rubber Ducky’ USB tool can be used, although we've written a rather better version that doesn't require you to stare at the screen for all 14 hours.


Allwinner

The Allwinner chipset allows the device to boot and run an operating system that is installed on an SD card; this is similar to booting your laptop from a CD. You can exploit this just as you might boot a laptop or desktop from a live Linux distribution on CD and use that to wipe or crack the local admin password. With this Allwinner attack, you boot from the SD card and then mount or image the user data on the device. Again, if a PIN is set and the Android version supports encryption and the

SPFlashTool

If you're working with a MediaTek device, then a fairly similar attack exists using SPFlashTool. It's a bit more involved but as effective as the Rockchip/rkflashtool attack.

UART

There's a rather nice attack against, for example, the Nexus 4, 5 and possibly 7 that involves switching the headphone connector into a serial port. Yes, back to the days of RS232! Amazingly, if the device sees a voltage of >2.8V on the headphone socket, it switches it to UART. This allows you to read the hardware state of the device, revealing lots of wonderfully useful information.

However, some devices such as the Samsung Galaxy S2 don't just allow you to read state, they allow you to write

Attacks requiring a screwdriver

If data extraction using a cable won't work, it's time to start disassembling the device. One of the most reliable methods is to look for the JTAG port, present on almost all phones. JTAG is described in IEEE 1149.1. It allows us to talk to the chipset at a really low level. It was intended (among many purposes) for debugging firmware – for example, allowing developers to iterate one-by-one through clock cycles to find exactly where a bug lies. However, depending on the particular interface, it

Wiping data

Faced with this evidence of how easy it is to extract data from an Android handset, many of us will be making a mental note to run a factory reset when we jettison our current devices. However, unlike iOS, which does a pretty thorough wipe when the factory reset is run, Android doesn't always do quite as well. The default factory wipe doesn't do much more than delete the equivalent of the File Allocation Table (FAT) and refresh the OS from a recovery partition.

Given the large user data partition
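A defender's check for the wipe problem described above, added here as an example and not taken from the article: scan a raw user-data partition image for well-known file headers and for blocks that are neither zeroed nor NAND-erased, which is exactly what survives a reset that only drops the allocation table. The image scanned is a constructed in-memory sample, not a dump from a real device.

```python
"""Verify whether a 'factory reset' actually erased user data.

Added example (not from the article). A reset that only removes the
FAT-equivalent leaves file bodies in place, so a scan of the raw
partition for known headers still finds them.
"""
import re

# Magic numbers for formats commonly found on a handset's user-data partition.
SIGNATURES = {
    "jpeg":   b"\xff\xd8\xff",
    "png":    b"\x89PNG\r\n\x1a\n",
    "sqlite": b"SQLite format 3\x00",   # app databases: contacts, SMS, ...
    "zip":    b"PK\x03\x04",            # APKs and backup archives
}

def carve_signatures(image: bytes) -> list[tuple[int, str]]:
    """Return (offset, kind) for every recognised file header in the image."""
    hits = []
    for kind, magic in SIGNATURES.items():
        for m in re.finditer(re.escape(magic), image):
            hits.append((m.start(), kind))
    return sorted(hits)

def residual_fraction(image: bytes, block_size: int = 4096) -> float:
    """Fraction of blocks that are neither all-zero nor all-0xFF (erased NAND)."""
    offsets = range(0, len(image), block_size)
    nonblank = 0
    for off in offsets:
        blk = image[off:off + block_size]
        if blk.count(0) != len(blk) and blk.count(0xff) != len(blk):
            nonblank += 1
    return nonblank / max(1, len(offsets))

def wipe_report(image: bytes) -> dict:
    """Summarise what a forensic scan would still recover from the image."""
    hits = carve_signatures(image)
    frac = residual_fraction(image)
    return {"residual_fraction": frac, "carved": hits,
            "wiped": not hits and frac == 0.0}

def build_sample_image() -> bytes:
    """Constructed image: a 'deleted' JPEG and SQLite DB amid erased blocks."""
    blank = b"\xff" * 4096                       # one erased NAND block
    jpeg = b"\xff\xd8\xff\xe0" + b"photo-bytes" * 10
    db = b"SQLite format 3\x00" + b"contacts" * 20
    return (blank + jpeg.ljust(4096, b"\x00") + blank * 2
            + db.ljust(4096, b"\x00") + blank)

if __name__ == "__main__":
    print(wipe_report(build_sample_image()))
```

On a real device the input would be the raw user-data partition image obtained through the vendor's flashing or debug interface; a truly wiped partition reports no carved headers and a residual fraction of zero.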

Conclusion

It's relatively simple, with about $200 of kit, to scrape memory from an Android device and decrypt it, exposing potentially sensitive information. Mobile Device Management (MDM) products have been touted as the solution, but few can prevent these attacks: most simply enforce existing native encryption policy on the handset. A very small number of MDMs work differently though, creating an encryption container independent of the handset operating system cryptography. Some handset manufacturers

About the author

Ken Munro is partner and founder of Pen Test Partners, a firm of experienced penetration testers. He regularly blogs on everything from honeypots to hacking cars and also writes for various newspapers and industry magazines. A familiar face on the speaker circuit, Munro enjoys courting controversy and speaks widely on computer security, taking great pleasure in highlighting vulnerabilities in software and hardware. He has worked in the field of information security for over 15 years.
