0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/855 Thanks! 1 00:00:15,890 --> 00:00:17,899 Welcome, everybody, to this next talk 2 00:00:17,900 --> 00:00:20,599 inside Android safety net, attestation 3 00:00:20,600 --> 00:00:22,129 attack and defense. 4 00:00:22,130 --> 00:00:23,959 First of all, I would like to see a show 5 00:00:23,960 --> 00:00:25,969 of hands. Who among you has already 6 00:00:25,970 --> 00:00:27,649 developed an Android app? 7 00:00:29,740 --> 00:00:31,449 That's almost everybody I would say 8 00:00:31,450 --> 00:00:33,909 something between 90 and 98 9 00:00:33,910 --> 00:00:36,069 percent of you and who 10 00:00:36,070 --> 00:00:38,079 of you has already used the safety net at 11 00:00:38,080 --> 00:00:40,059 a station API, please, another show of 12 00:00:40,060 --> 00:00:42,579 hands that feels more like five 13 00:00:42,580 --> 00:00:44,889 or six. And who of you has already 14 00:00:44,890 --> 00:00:47,139 heard about this API before coming 15 00:00:47,140 --> 00:00:48,609 here today? 16 00:00:48,610 --> 00:00:49,659 That's more perfect. 17 00:00:49,660 --> 00:00:50,979 That's why you are all here. 18 00:00:50,980 --> 00:00:52,359 I guess. 19 00:00:52,360 --> 00:00:54,609 So gear up for a very informative 20 00:00:54,610 --> 00:00:56,769 talk by Colin Madlener, an expert 21 00:00:56,770 --> 00:00:58,929 in the field of security research, and 22 00:00:58,930 --> 00:01:01,299 he's also the coauthor of the Android 23 00:01:01,300 --> 00:01:02,349 Hackers Handbook. 24 00:01:02,350 --> 00:01:03,759 I'm very excited for his talk. 25 00:01:03,760 --> 00:01:05,769 Please give him a warm round of applause. 26 00:01:17,670 --> 00:01:20,309 Right, and this is basically 27 00:01:20,310 --> 00:01:22,589 just something I did a bunch 28 00:01:22,590 --> 00:01:24,809 of like mobile security and development 29 00:01:24,810 --> 00:01:27,089 some years ago, wrote 30 00:01:27,090 --> 00:01:29,699 a bunch of guides 31 00:01:29,700 --> 00:01:31,979 and helped on this book. 32 00:01:31,980 --> 00:01:33,749 But let's get right to the talk. 33 00:01:33,750 --> 00:01:35,429 So what are the goals for this target? 34 00:01:35,430 --> 00:01:36,629 The main goal for this talk is, of 35 00:01:36,630 --> 00:01:38,939 course, understanding what Android 36 00:01:38,940 --> 00:01:41,039 safety net and especially that gestation 37 00:01:41,040 --> 00:01:43,169 appears and actually how to really 38 00:01:43,170 --> 00:01:45,239 implement and deployed, as 39 00:01:45,240 --> 00:01:46,379 you will see throughout the talk. 40 00:01:46,380 --> 00:01:47,819 It's not like that straightforward, 41 00:01:47,820 --> 00:01:49,109 unfortunately. 42 00:01:49,110 --> 00:01:50,699 And then we just kind of look at that 43 00:01:50,700 --> 00:01:52,919 station API, really what kind of do 44 00:01:52,920 --> 00:01:54,929 for you and what can we do for you? 45 00:01:54,930 --> 00:01:56,549 And I guess what's most like with most 46 00:01:56,550 --> 00:01:59,219 security systems or 47 00:01:59,220 --> 00:02:00,539 or features? 48 00:02:00,540 --> 00:02:01,769 It's very interesting, though. 49 00:02:01,770 --> 00:02:03,269 The part of what it can do is the most 50 00:02:03,270 --> 00:02:04,229 interesting part. 51 00:02:04,230 --> 00:02:05,429 And then we're going to look at some 52 00:02:05,430 --> 00:02:07,499 attacks and bypasses from other 53 00:02:07,500 --> 00:02:09,599 people and some of my own work. 54 00:02:09,600 --> 00:02:11,669 And the second main 55 00:02:11,670 --> 00:02:13,109 goal of this talk is like basically 56 00:02:13,110 --> 00:02:15,299 documenters API because do Google's 57 00:02:15,300 --> 00:02:17,429 documentation is not very good. 58 00:02:17,430 --> 00:02:19,589 And that's like how I thought like, 59 00:02:19,590 --> 00:02:21,269 hey, let's let's talk a little bit about 60 00:02:21,270 --> 00:02:22,439 this. 61 00:02:22,440 --> 00:02:24,839 So, of course, this entire enterprise 62 00:02:24,840 --> 00:02:27,209 system and this entire talk about 63 00:02:27,210 --> 00:02:30,119 app security and back in the day 64 00:02:30,120 --> 00:02:32,039 apps, there's not a lot of apps that not 65 00:02:32,040 --> 00:02:34,199 communicate. But these days, if your app 66 00:02:34,200 --> 00:02:36,359 doesn't communicate, like who cares? 67 00:02:36,360 --> 00:02:38,519 And most it communicates with like an app 68 00:02:38,520 --> 00:02:40,199 specific background. 69 00:02:40,200 --> 00:02:42,139 And if the app and the back and 70 00:02:42,140 --> 00:02:43,859 everything works, the user is happy, 71 00:02:43,860 --> 00:02:45,059 everybody's happy. 72 00:02:45,060 --> 00:02:47,339 And if it doesn't work, 73 00:02:47,340 --> 00:02:49,379 everybody's unhappy and the company will 74 00:02:49,380 --> 00:02:51,629 not make any money and likely 75 00:02:51,630 --> 00:02:54,239 will discontinue their service. 76 00:02:54,240 --> 00:02:56,669 So mobile app security 77 00:02:56,670 --> 00:02:58,349 is really, really interesting because 78 00:02:58,350 --> 00:03:00,569 these days at an app or like a mobile 79 00:03:00,570 --> 00:03:02,099 app, it's really just the gateway to like 80 00:03:02,100 --> 00:03:03,100 the backend service. 81 00:03:04,080 --> 00:03:06,359 And these days there's a lot of like 82 00:03:06,360 --> 00:03:08,459 online service which are basically 83 00:03:08,460 --> 00:03:10,289 mobile only or at least mobile. 84 00:03:10,290 --> 00:03:12,059 First, if you think about something like 85 00:03:12,060 --> 00:03:14,549 Snapchat, they don't even have like 86 00:03:14,550 --> 00:03:15,569 a website or anything. 87 00:03:16,740 --> 00:03:19,139 And if security is also about 88 00:03:19,140 --> 00:03:21,529 basically controlling data, so who 89 00:03:21,530 --> 00:03:23,519 is displaying data and managing data 90 00:03:23,520 --> 00:03:25,679 about the app and making sure somebody 91 00:03:25,680 --> 00:03:27,749 like is not allowed to copy our 92 00:03:27,750 --> 00:03:30,209 data that is like managed by the app 93 00:03:30,210 --> 00:03:32,279 and altogether, basically mobile app 94 00:03:32,280 --> 00:03:34,139 security is really about protecting, like 95 00:03:34,140 --> 00:03:36,209 your servers, your revenue, your brand, 96 00:03:36,210 --> 00:03:38,249 and hopefully really hopefully your 97 00:03:38,250 --> 00:03:39,990 customer or like the consumer. 98 00:03:41,720 --> 00:03:43,429 So if you look at our hacks in general, 99 00:03:43,430 --> 00:03:44,719 what are you looking at? 100 00:03:44,720 --> 00:03:45,949 There's the main part. 101 00:03:45,950 --> 00:03:48,049 It's like always modification basically 102 00:03:48,050 --> 00:03:50,419 on Android would say, like rooting and 103 00:03:50,420 --> 00:03:51,979 rooting is basically just like the break, 104 00:03:51,980 --> 00:03:54,499 the assumptions of the security model 105 00:03:54,500 --> 00:03:56,329 because of your root, like your phone, 106 00:03:56,330 --> 00:03:58,099 you're suddenly able to, like, basically 107 00:03:58,100 --> 00:04:00,289 take content from apps that didn't 108 00:04:00,290 --> 00:04:01,969 want their content to be taken in the 109 00:04:01,970 --> 00:04:02,899 first place. 110 00:04:02,900 --> 00:04:04,369 And you can do this by just like reading 111 00:04:04,370 --> 00:04:06,649 data or like taking screenshots 112 00:04:06,650 --> 00:04:08,359 or like instrumenting the app and pulling 113 00:04:08,360 --> 00:04:09,589 data out of it. 114 00:04:09,590 --> 00:04:11,089 And of course, you can also just modify 115 00:04:11,090 --> 00:04:12,979 the app directly and then you can just 116 00:04:12,980 --> 00:04:14,899 like change whatever the app is doing or 117 00:04:14,900 --> 00:04:16,759 like what the app isn't forcing. 118 00:04:16,760 --> 00:04:18,078 And of course, there's also a network 119 00:04:18,079 --> 00:04:19,129 traffic. 120 00:04:19,130 --> 00:04:20,749 But in this talk, I'm not going to like 121 00:04:20,750 --> 00:04:22,999 look at network traffic at all. 122 00:04:23,000 --> 00:04:24,129 So if you look at looting, 123 00:04:25,160 --> 00:04:27,139 what is looting actually is basically 124 00:04:27,140 --> 00:04:29,029 regaining full control over your device, 125 00:04:29,030 --> 00:04:31,609 because these days any kind of 126 00:04:31,610 --> 00:04:34,069 phone or tablet, basically 127 00:04:34,070 --> 00:04:36,079 you don't have root anymore, like you 128 00:04:36,080 --> 00:04:38,359 don't have full access to everything, 129 00:04:38,360 --> 00:04:40,129 like on your computer. 130 00:04:40,130 --> 00:04:42,529 And with looting, you gain like us access 131 00:04:42,530 --> 00:04:44,929 again. You gain access to resources. 132 00:04:44,930 --> 00:04:46,969 You can read and write any file and 133 00:04:46,970 --> 00:04:49,249 modify parts of the S or like 134 00:04:49,250 --> 00:04:50,809 the software framework. 135 00:04:50,810 --> 00:04:52,399 And all of this routine capabilities 136 00:04:52,400 --> 00:04:54,799 really highly depend on Android versions 137 00:04:54,800 --> 00:04:56,600 and really newer Android versions 138 00:04:57,620 --> 00:04:59,809 of much, much more hardened 139 00:04:59,810 --> 00:05:03,109 due, for example, as the Linux policies. 140 00:05:03,110 --> 00:05:05,589 But I'm not going to jump into that part. 141 00:05:05,590 --> 00:05:07,129 So if you look at security in the old 142 00:05:07,130 --> 00:05:09,289 days, what what do you have? 143 00:05:09,290 --> 00:05:10,719 There were like basic routine checks. 144 00:05:10,720 --> 00:05:12,979 So apps would implement something like, 145 00:05:12,980 --> 00:05:15,529 hey, is the system the system X 146 00:05:15,530 --> 00:05:16,619 as you exist? 147 00:05:16,620 --> 00:05:18,589 If so, there was just checking, hey, did 148 00:05:18,590 --> 00:05:20,329 somebody read the file and reinstall 149 00:05:20,330 --> 00:05:22,489 Asou? And if that was true, they would 150 00:05:22,490 --> 00:05:24,739 just say, like, are you devices likely? 151 00:05:24,740 --> 00:05:26,329 This app is not going to work. 152 00:05:26,330 --> 00:05:28,069 And the same apps, they would just like 153 00:05:28,070 --> 00:05:30,319 check if like a specific package 154 00:05:30,320 --> 00:05:31,320 was present. 155 00:05:31,990 --> 00:05:33,759 Or they will check if, like explosions 156 00:05:33,760 --> 00:05:35,859 installed and 157 00:05:35,860 --> 00:05:38,139 maybe try to detect emulators 158 00:05:38,140 --> 00:05:40,419 by just seeing what device idea 159 00:05:40,420 --> 00:05:42,489 returns and if it returns zero as 160 00:05:42,490 --> 00:05:44,319 often like an emulator. 161 00:05:44,320 --> 00:05:45,820 So that's like really the old days 162 00:05:47,050 --> 00:05:48,279 and the old days. 163 00:05:48,280 --> 00:05:50,439 It was for the developers really, really 164 00:05:50,440 --> 00:05:52,149 easy to implement because it was they 165 00:05:52,150 --> 00:05:53,150 knew there they 166 00:05:54,490 --> 00:05:55,809 they can just like check for certain 167 00:05:55,810 --> 00:05:57,909 files or certain packages and it's 168 00:05:57,910 --> 00:05:59,019 like really easy to implement. 169 00:05:59,020 --> 00:06:01,089 You don't have to be like a 170 00:06:01,090 --> 00:06:02,949 genius. You just have to like check for 171 00:06:02,950 --> 00:06:05,290 this file and then you can very easily 172 00:06:06,310 --> 00:06:08,839 deploy deploy those kind of checks. 173 00:06:08,840 --> 00:06:10,269 But of course, for the attacker, it's 174 00:06:11,280 --> 00:06:13,599 the easy as well, because 175 00:06:13,600 --> 00:06:15,069 they also understand how this works. 176 00:06:15,070 --> 00:06:16,779 So they could just like rename some files 177 00:06:17,860 --> 00:06:19,989 or move files around and then 178 00:06:19,990 --> 00:06:22,540 they can again abuse those applications. 179 00:06:23,990 --> 00:06:26,089 So modern mobile app security really 180 00:06:26,090 --> 00:06:27,709 works by collecting data. 181 00:06:27,710 --> 00:06:29,839 Basically, you have some some piece 182 00:06:29,840 --> 00:06:32,389 of code that just like collects data 183 00:06:32,390 --> 00:06:34,129 and send it to the back end on your back 184 00:06:34,130 --> 00:06:37,189 and will make the decision if a specific 185 00:06:37,190 --> 00:06:39,449 security, like a specific thing happened, 186 00:06:39,450 --> 00:06:41,779 for example, if your device 187 00:06:41,780 --> 00:06:44,119 is routed and the idea behind 188 00:06:44,120 --> 00:06:45,469 us that the attacker cannot just like, 189 00:06:45,470 --> 00:06:47,539 patch out your app like petrol checks on 190 00:06:47,540 --> 00:06:49,819 you, because, um, 191 00:06:49,820 --> 00:06:52,129 yeah. Imagine if you just like to 192 00:06:52,130 --> 00:06:54,379 file access, check to like a 193 00:06:54,380 --> 00:06:56,479 system business, you you can just like 194 00:06:56,480 --> 00:06:58,099 remove that and then the apple just work. 195 00:06:58,100 --> 00:07:00,169 But if you collect really a 196 00:07:00,170 --> 00:07:01,999 lot of data on the device, you really 197 00:07:02,000 --> 00:07:04,609 don't know what is used for what. 198 00:07:04,610 --> 00:07:06,229 And you basically have to fake all the 199 00:07:06,230 --> 00:07:08,299 data. And if you collect a really 200 00:07:08,300 --> 00:07:10,459 a lot of data, you can't really do 201 00:07:10,460 --> 00:07:11,539 that. 202 00:07:11,540 --> 00:07:13,639 Um, that's basically what 203 00:07:13,640 --> 00:07:15,709 all modern apps 204 00:07:15,710 --> 00:07:17,599 that have like a high demand or higher 205 00:07:17,600 --> 00:07:19,879 demand for security do these days. 206 00:07:19,880 --> 00:07:21,949 Um, and also that is what safety 207 00:07:21,950 --> 00:07:24,079 legislation will do for you. 208 00:07:24,080 --> 00:07:26,179 So just go 209 00:07:26,180 --> 00:07:27,709 a little bit back to like Android. 210 00:07:27,710 --> 00:07:29,989 So in the early days, Android 211 00:07:29,990 --> 00:07:31,250 was very I would say. 212 00:07:32,660 --> 00:07:34,789 Very open, but these days, a 213 00:07:34,790 --> 00:07:36,679 lot of openness and the ways they have 214 00:07:36,680 --> 00:07:39,289 like secret about now and 215 00:07:39,290 --> 00:07:41,539 which is basically the trust anchor, 216 00:07:41,540 --> 00:07:43,699 basically, they just like they are 217 00:07:43,700 --> 00:07:45,799 able to tell if you like, 218 00:07:45,800 --> 00:07:48,079 unlock the bootloader and things 219 00:07:48,080 --> 00:07:49,789 like that. And, of course, as meanwhile 220 00:07:49,790 --> 00:07:50,959 as a Linux restrictions. 221 00:07:50,960 --> 00:07:52,549 So they have like much stricter 222 00:07:52,550 --> 00:07:53,550 sandboxes. 223 00:07:54,560 --> 00:07:56,239 And then Google added this platform 224 00:07:56,240 --> 00:07:58,879 security service called safety net. 225 00:07:58,880 --> 00:08:00,079 And safety net is really. 226 00:08:01,260 --> 00:08:03,199 Just a brand name for like security 227 00:08:03,200 --> 00:08:04,969 services on Android, they have a bunch of 228 00:08:04,970 --> 00:08:07,939 different services 229 00:08:07,940 --> 00:08:10,219 from verified apps to check on them to 230 00:08:10,220 --> 00:08:12,709 check for a which is Google's 231 00:08:12,710 --> 00:08:14,389 nicer term for like malware. 232 00:08:14,390 --> 00:08:15,799 And then you have attestation and you 233 00:08:15,800 --> 00:08:17,269 have like a CAPTCHA service. 234 00:08:18,740 --> 00:08:21,039 And safety in general is designed 235 00:08:21,040 --> 00:08:22,929 to run on any Android device that has 236 00:08:22,930 --> 00:08:24,459 Google Play. 237 00:08:24,460 --> 00:08:27,249 So it's like part of Google Play services 238 00:08:27,250 --> 00:08:28,839 and the nice part, it's like independent 239 00:08:28,840 --> 00:08:30,639 from the manufacturer. So this exists on 240 00:08:30,640 --> 00:08:33,459 any on any Android device, 241 00:08:33,460 --> 00:08:36,158 not only unlike the Google devices 242 00:08:36,159 --> 00:08:38,259 and with attestation, you can do 243 00:08:38,260 --> 00:08:40,330 remote device on at the. 244 00:08:43,450 --> 00:08:45,519 So and of course, Google also 245 00:08:45,520 --> 00:08:47,769 heavily uses their own API, 246 00:08:49,870 --> 00:08:51,849 for example, if you ever use Android pay 247 00:08:51,850 --> 00:08:54,399 and saw 248 00:08:54,400 --> 00:08:56,709 this nice pop up, that meant 249 00:08:56,710 --> 00:08:59,139 safety net actually failed to validate 250 00:08:59,140 --> 00:09:01,209 or a test your device or 251 00:09:01,210 --> 00:09:03,489 like your or like, I guess 252 00:09:03,490 --> 00:09:04,529 the Android pay up. 253 00:09:05,870 --> 00:09:08,029 And they said, like, oh, yeah, you 254 00:09:08,030 --> 00:09:09,030 modified something, 255 00:09:10,280 --> 00:09:12,109 and one of the intentions, I think, 256 00:09:12,110 --> 00:09:14,419 behind the attestation part was 257 00:09:14,420 --> 00:09:16,609 they can't really control security 258 00:09:16,610 --> 00:09:19,189 of like other manufacturers devices, 259 00:09:19,190 --> 00:09:20,929 but they wanted to support Apple pay on 260 00:09:20,930 --> 00:09:22,999 them. So what do they what did they 261 00:09:23,000 --> 00:09:24,109 do? 262 00:09:24,110 --> 00:09:25,110 They basically 263 00:09:26,330 --> 00:09:28,409 found a way to like measure, if 264 00:09:28,410 --> 00:09:30,499 you like, your device or the 265 00:09:30,500 --> 00:09:31,159 device. 266 00:09:31,160 --> 00:09:33,439 Apple Android Pay 267 00:09:33,440 --> 00:09:34,499 is running on. 268 00:09:34,500 --> 00:09:35,539 It was modified. 269 00:09:36,830 --> 00:09:39,019 And the nice part is they can really 270 00:09:39,020 --> 00:09:41,189 change safetynet 271 00:09:41,190 --> 00:09:43,249 like the attestation part on the fly, 272 00:09:43,250 --> 00:09:45,319 so you don't have to like wait for like a 273 00:09:45,320 --> 00:09:47,149 system software update. 274 00:09:47,150 --> 00:09:49,339 It's like basically they can push 275 00:09:49,340 --> 00:09:51,409 code to the device at any point to like, 276 00:09:51,410 --> 00:09:53,349 check for. 277 00:09:53,350 --> 00:09:54,389 Yeah. 278 00:09:54,390 --> 00:09:56,509 Modifications and 279 00:09:56,510 --> 00:09:58,759 that they can, like, really fast 280 00:09:58,760 --> 00:10:00,889 react to, say, new 281 00:10:00,890 --> 00:10:03,019 routes or something without like having 282 00:10:03,020 --> 00:10:05,179 any like software updates being 283 00:10:05,180 --> 00:10:06,590 delivered to the devices. 284 00:10:12,070 --> 00:10:14,259 So so what what 285 00:10:14,260 --> 00:10:15,639 is actually the attestation part? 286 00:10:16,720 --> 00:10:18,879 It's really the attestation of the device 287 00:10:18,880 --> 00:10:21,159 and the specific app that called the API, 288 00:10:21,160 --> 00:10:23,229 that's basically all of the things 289 00:10:23,230 --> 00:10:24,879 people use to implement themselves. 290 00:10:26,050 --> 00:10:27,399 And as I said, it's like part of the 291 00:10:27,400 --> 00:10:28,600 Google Play services. 292 00:10:29,740 --> 00:10:31,899 And basically you just call an API and 293 00:10:31,900 --> 00:10:34,239 validated your app and devices like 294 00:10:34,240 --> 00:10:36,309 the idea of the device of the the user 295 00:10:36,310 --> 00:10:38,079 was not modified. 296 00:10:38,080 --> 00:10:40,779 Unfortunately, the documentation, 297 00:10:40,780 --> 00:10:43,029 as I said in the introduction, is not 298 00:10:43,030 --> 00:10:45,309 not super detailed. 299 00:10:45,310 --> 00:10:47,079 And they leave a lot of things to like 300 00:10:47,080 --> 00:10:49,269 your interpretation or just like 301 00:10:49,270 --> 00:10:51,219 you have to basically use it to find out 302 00:10:51,220 --> 00:10:52,220 how this really works. 303 00:10:53,620 --> 00:10:55,059 So over time, it got much better. 304 00:10:55,060 --> 00:10:57,099 But when I started looking at it, which 305 00:10:57,100 --> 00:10:59,289 is why I guess one and a half, two years 306 00:10:59,290 --> 00:11:01,749 ago, some of the documentation 307 00:11:01,750 --> 00:11:03,159 was like really bad. And they add new 308 00:11:03,160 --> 00:11:05,829 features without really documenting them. 309 00:11:05,830 --> 00:11:08,049 They have like a private mailing list 310 00:11:08,050 --> 00:11:09,369 where they announce some stuff. 311 00:11:09,370 --> 00:11:10,370 But yeah. 312 00:11:12,130 --> 00:11:14,259 Yeah, this is, I guess, the only piece of 313 00:11:14,260 --> 00:11:15,639 code, actually, I'm going to show, it's 314 00:11:15,640 --> 00:11:17,049 basically just like how you call it. 315 00:11:17,050 --> 00:11:19,299 So safety net as part 316 00:11:19,300 --> 00:11:21,549 of the Google API client. 317 00:11:21,550 --> 00:11:22,989 And you basically just say, I want the 318 00:11:22,990 --> 00:11:25,149 connection to the safety net API 319 00:11:25,150 --> 00:11:26,440 and then you just like call it. 320 00:11:27,720 --> 00:11:29,819 So how does it how does it actually 321 00:11:29,820 --> 00:11:32,009 work? So here in 322 00:11:32,010 --> 00:11:33,279 the middle of the box in the Middle East, 323 00:11:33,280 --> 00:11:34,709 basically, that's the software that's 324 00:11:34,710 --> 00:11:35,969 running on the phone. 325 00:11:35,970 --> 00:11:37,439 You have the background, the Google Play 326 00:11:37,440 --> 00:11:39,719 background and your applications 327 00:11:39,720 --> 00:11:41,789 background. So if you if your app doesn't 328 00:11:41,790 --> 00:11:43,859 have its own back end, you really can't 329 00:11:43,860 --> 00:11:44,940 use safety net at all. 330 00:11:46,620 --> 00:11:49,289 And you will see in a second why that is 331 00:11:49,290 --> 00:11:51,539 so basic. What happens if your 332 00:11:51,540 --> 00:11:53,069 app, like, talks to you back and for 333 00:11:53,070 --> 00:11:55,019 maybe maybe wants to log in or do like 334 00:11:55,020 --> 00:11:57,119 some very specific 335 00:11:57,120 --> 00:11:58,859 operation and then you're back and will 336 00:11:58,860 --> 00:12:01,349 say, hey, your application, 337 00:12:01,350 --> 00:12:03,449 I need you, I request you 338 00:12:03,450 --> 00:12:05,070 to like a test yourself. 339 00:12:06,840 --> 00:12:08,849 So the back end will basically send a 340 00:12:08,850 --> 00:12:11,009 request to its app, The Apple, and I 341 00:12:11,010 --> 00:12:13,079 call the safety net at the station API. 342 00:12:13,080 --> 00:12:16,449 And in this in this step, we actually see 343 00:12:16,450 --> 00:12:18,839 the the attestation 344 00:12:18,840 --> 00:12:20,939 code on the device will inspect the 345 00:12:20,940 --> 00:12:22,219 device itself. 346 00:12:22,220 --> 00:12:23,999 So the operating system, how was it 347 00:12:24,000 --> 00:12:26,289 routed? And then it also also inspect 348 00:12:26,290 --> 00:12:27,290 the actual application, 349 00:12:28,350 --> 00:12:30,539 some minor detail, like in the 350 00:12:30,540 --> 00:12:33,089 in the call, it should be Anon's to 351 00:12:33,090 --> 00:12:34,429 prevent replays. 352 00:12:34,430 --> 00:12:35,969 It's just like for documentation. 353 00:12:35,970 --> 00:12:38,549 So that's basically 354 00:12:38,550 --> 00:12:40,889 you instead of having you implement 355 00:12:40,890 --> 00:12:43,479 everything yourself, 356 00:12:43,480 --> 00:12:46,289 you can just call this API and 357 00:12:46,290 --> 00:12:47,340 you will have 358 00:12:48,450 --> 00:12:50,609 all all the work done by Google 359 00:12:50,610 --> 00:12:52,980 engineers to do your. 360 00:12:54,400 --> 00:12:56,649 You secure your security configurations 361 00:12:56,650 --> 00:12:58,729 are security attestations. 362 00:12:59,950 --> 00:13:02,129 So what happens after the after 363 00:13:02,130 --> 00:13:03,879 after station has checked you up and the 364 00:13:03,880 --> 00:13:05,830 device will send the data back to Google? 365 00:13:07,200 --> 00:13:09,299 Google will actually analyze it and 366 00:13:09,300 --> 00:13:11,489 then will determine the 367 00:13:11,490 --> 00:13:13,869 state of your device and your app. 368 00:13:13,870 --> 00:13:16,029 And actually forward the response to your 369 00:13:16,030 --> 00:13:18,099 app and in 370 00:13:18,100 --> 00:13:20,289 order to to make sure the app, 371 00:13:20,290 --> 00:13:21,909 because if you modify the app in this 372 00:13:21,910 --> 00:13:24,669 case and if it would not be signed, 373 00:13:24,670 --> 00:13:26,319 you could just like temporalis like this 374 00:13:26,320 --> 00:13:27,289 attestation response. 375 00:13:27,290 --> 00:13:29,379 So this is signed some 376 00:13:29,380 --> 00:13:30,969 on the back end. 377 00:13:30,970 --> 00:13:33,219 You should validate that signature and 378 00:13:33,220 --> 00:13:35,169 then validate the attestation and then 379 00:13:35,170 --> 00:13:36,459 you actually know what you're dealing 380 00:13:36,460 --> 00:13:38,759 with. That's basically what you get back. 381 00:13:38,760 --> 00:13:40,809 It's really, really, really simple. 382 00:13:40,810 --> 00:13:42,939 Just some blobs of basics 383 00:13:42,940 --> 00:13:44,409 for encoding. 384 00:13:44,410 --> 00:13:46,869 So Google has the signature validation 385 00:13:46,870 --> 00:13:49,959 API, which is basically just for 386 00:13:49,960 --> 00:13:51,220 development purposes. 387 00:13:52,450 --> 00:13:54,159 But yeah, that part is actually pretty 388 00:13:54,160 --> 00:13:55,189 well documented. 389 00:13:55,190 --> 00:13:57,369 I guess they do that 390 00:13:57,370 --> 00:13:59,919 a lot like SSL cert validation. 391 00:14:01,150 --> 00:14:03,039 But let's look at the attestation data, 392 00:14:03,040 --> 00:14:05,589 so data station data, that's basically 393 00:14:05,590 --> 00:14:06,759 the main blob you get back. 394 00:14:06,760 --> 00:14:08,679 Everything else is just like a chain on 395 00:14:08,680 --> 00:14:09,939 the signature. 396 00:14:09,940 --> 00:14:10,940 So you see 397 00:14:12,370 --> 00:14:14,469 the CTS profile match and that 398 00:14:14,470 --> 00:14:16,899 refers to that's basically the car, 399 00:14:16,900 --> 00:14:19,509 the car, the car device integrity 400 00:14:19,510 --> 00:14:21,009 measure and CTS 401 00:14:22,240 --> 00:14:23,709 refers to the Google. 402 00:14:25,500 --> 00:14:28,169 Compatible, compatible compatibility 403 00:14:28,170 --> 00:14:29,159 test suite. 404 00:14:29,160 --> 00:14:30,839 So basically, whenever you build an 405 00:14:30,840 --> 00:14:32,639 Android device, you have to run this like 406 00:14:32,640 --> 00:14:34,949 test suite and give Google the results. 407 00:14:34,950 --> 00:14:37,199 And basically, what does a lot of 408 00:14:37,200 --> 00:14:39,269 apparatus basically collect data from 409 00:14:39,270 --> 00:14:42,539 your phone and then it compares it to 410 00:14:42,540 --> 00:14:44,939 the data the manufacturer provided. 411 00:14:44,940 --> 00:14:46,469 And by those they can determine if your 412 00:14:46,470 --> 00:14:48,899 modified contents of like your system 413 00:14:48,900 --> 00:14:50,989 system and then you see like 414 00:14:50,990 --> 00:14:53,549 which which RPK called the API 415 00:14:53,550 --> 00:14:56,039 and then you get a digest of the app 416 00:14:56,040 --> 00:14:56,999 itself. 417 00:14:57,000 --> 00:14:58,289 You get your back. 418 00:14:58,290 --> 00:15:00,389 And then you also have 419 00:15:00,390 --> 00:15:02,459 like timestamps and the basic integrity 420 00:15:02,460 --> 00:15:04,829 as an indicator about 421 00:15:04,830 --> 00:15:05,830 routine. 422 00:15:06,600 --> 00:15:08,849 So this is this nice table that was 423 00:15:08,850 --> 00:15:11,729 actually only, I guess 424 00:15:11,730 --> 00:15:13,619 probably added to like their 425 00:15:13,620 --> 00:15:15,719 documentation maybe like seven 426 00:15:15,720 --> 00:15:17,789 months ago and before it was like, 427 00:15:17,790 --> 00:15:19,379 yeah, there's a true or true and false 428 00:15:19,380 --> 00:15:21,059 field. And yeah. 429 00:15:21,060 --> 00:15:22,379 So basically here you can see 430 00:15:24,060 --> 00:15:26,369 CTS will only be true if your device 431 00:15:26,370 --> 00:15:28,809 is like genuine and like 432 00:15:28,810 --> 00:15:30,659 the city, the CTS data kind of 433 00:15:30,660 --> 00:15:32,459 corresponds to the data that was 434 00:15:32,460 --> 00:15:33,460 collected. 435 00:15:35,270 --> 00:15:37,289 As soon as you unlock the bootloader that 436 00:15:37,290 --> 00:15:39,449 goes to falls and but basic 437 00:15:39,450 --> 00:15:40,799 integrity will still be there. 438 00:15:40,800 --> 00:15:42,539 So if you're just unlucky bootloader 439 00:15:44,340 --> 00:15:45,959 but didn't modify actually the content of 440 00:15:45,960 --> 00:15:48,259 your filesystems, your basic integrity 441 00:15:48,260 --> 00:15:49,299 is true. 442 00:15:49,300 --> 00:15:51,419 And that's basically those two different 443 00:15:53,190 --> 00:15:55,919 indicators will basically help you to 444 00:15:55,920 --> 00:15:58,499 understand the state of the device. 445 00:15:58,500 --> 00:15:59,549 And this is nice table. 446 00:15:59,550 --> 00:16:00,959 You can do some 447 00:16:02,280 --> 00:16:04,190 basically implement like here checks. 448 00:16:05,220 --> 00:16:07,409 So I wrote this like small 449 00:16:07,410 --> 00:16:09,299 like I actually implemented that for like 450 00:16:09,300 --> 00:16:10,559 a bigger company. 451 00:16:10,560 --> 00:16:12,989 But I also built 452 00:16:12,990 --> 00:16:14,549 like a small demo of which I'm going to 453 00:16:14,550 --> 00:16:16,319 show you at the end. 454 00:16:16,320 --> 00:16:18,479 And you see some you 455 00:16:18,480 --> 00:16:19,989 know, it will basically just like run at 456 00:16:19,990 --> 00:16:21,719 the station and it will tell you, like if 457 00:16:21,720 --> 00:16:23,939 your device is routed and what the app 458 00:16:23,940 --> 00:16:26,249 integrity is and you see 459 00:16:26,250 --> 00:16:29,039 the blob of data below 460 00:16:29,040 --> 00:16:30,730 and you see like everything is 461 00:16:31,830 --> 00:16:33,389 Postles, all of the checks. 462 00:16:33,390 --> 00:16:34,799 And you're going to have some some more 463 00:16:34,800 --> 00:16:35,800 fun with this later. 464 00:16:36,690 --> 00:16:39,269 Yeah. The big the big issue with 465 00:16:39,270 --> 00:16:41,519 SafetyNet and attestations apps 466 00:16:41,520 --> 00:16:43,679 like Aromasin or like Arab states, 467 00:16:43,680 --> 00:16:45,659 there's a ton of different errors. 468 00:16:45,660 --> 00:16:47,519 And if you don't know what you're dealing 469 00:16:47,520 --> 00:16:49,259 with, you can basically very easily 470 00:16:49,260 --> 00:16:50,999 bypass the entire system. 471 00:16:53,120 --> 00:16:54,969 If you guys and Implementor don't, don't 472 00:16:54,970 --> 00:16:57,899 or aren't aware of, like, error messages. 473 00:16:57,900 --> 00:17:00,029 So, for example, this is 474 00:17:00,030 --> 00:17:02,789 one of the nice and 475 00:17:02,790 --> 00:17:04,469 basic errors. Basically, if for some 476 00:17:04,470 --> 00:17:07,348 reason the API ran, 477 00:17:07,349 --> 00:17:08,639 the API call actually worked. 478 00:17:08,640 --> 00:17:10,889 But somehow the 479 00:17:10,890 --> 00:17:13,169 the the code inside the API, 480 00:17:13,170 --> 00:17:14,999 like, just like encountered some random 481 00:17:15,000 --> 00:17:16,618 error, you will get this. 482 00:17:16,619 --> 00:17:18,299 And they basically say, oh yeah, we just 483 00:17:18,300 --> 00:17:21,179 like have this like random error message. 484 00:17:21,180 --> 00:17:23,309 And you're then like, yeah, you're going 485 00:17:23,310 --> 00:17:25,469 to find out like what how this actually 486 00:17:25,470 --> 00:17:27,419 looks like because this is not really 487 00:17:27,420 --> 00:17:28,049 documented. 488 00:17:28,050 --> 00:17:29,669 And those are basically just means just 489 00:17:29,670 --> 00:17:31,319 called the API again and try again. 490 00:17:31,320 --> 00:17:32,969 Most of the time it will just like go. 491 00:17:35,190 --> 00:17:37,139 Yeah, this is one of the more interesting 492 00:17:37,140 --> 00:17:39,509 errors. This basically says we can't 493 00:17:39,510 --> 00:17:41,969 really determine which API called 494 00:17:41,970 --> 00:17:44,069 GVK called the API, also 495 00:17:44,070 --> 00:17:46,139 that kind of thing, the devices 496 00:17:46,140 --> 00:17:47,399 generally untrusted. 497 00:17:47,400 --> 00:17:49,769 So they just like removed a bunch of 498 00:17:49,770 --> 00:17:51,839 fields from 499 00:17:51,840 --> 00:17:54,539 this JSON response, which is also 500 00:17:54,540 --> 00:17:56,459 very confusing, if you like implementors 501 00:17:56,460 --> 00:17:58,199 the first time, because you suddenly get 502 00:17:58,200 --> 00:18:00,329 like broken data 503 00:18:00,330 --> 00:18:02,029 blob's back. 504 00:18:02,030 --> 00:18:04,129 And of again, of course, this was 505 00:18:04,130 --> 00:18:06,050 like not not really documented. 506 00:18:07,160 --> 00:18:09,529 So now, you know, like basically 507 00:18:09,530 --> 00:18:11,839 are we have we have this API 508 00:18:11,840 --> 00:18:14,029 and like there may be the adjacent field 509 00:18:14,030 --> 00:18:15,030 looks strange. 510 00:18:16,640 --> 00:18:18,319 So basically now you can go and just like 511 00:18:18,320 --> 00:18:21,409 implement your app and 512 00:18:21,410 --> 00:18:22,879 have the interaction between your and 513 00:18:22,880 --> 00:18:24,719 your back and and you have running the 514 00:18:24,720 --> 00:18:25,720 attestation. 515 00:18:27,760 --> 00:18:29,949 But unfortunately, it's still not that 516 00:18:29,950 --> 00:18:30,950 simple. 517 00:18:31,410 --> 00:18:33,479 So also, all 518 00:18:33,480 --> 00:18:35,459 of the API calls can kind of fail and 519 00:18:35,460 --> 00:18:37,679 they actually will fail in the wild, like 520 00:18:37,680 --> 00:18:39,929 like all of the every every 521 00:18:39,930 --> 00:18:41,999 API you call will actually fail 522 00:18:42,000 --> 00:18:43,249 at some point if you 523 00:18:44,490 --> 00:18:46,649 depending on your user group, if you have 524 00:18:46,650 --> 00:18:48,419 if you're playing at home with one of 525 00:18:48,420 --> 00:18:50,129 your devices, you will never see any of 526 00:18:50,130 --> 00:18:51,479 those errors. 527 00:18:51,480 --> 00:18:52,710 But if you like, Seyran, 528 00:18:54,720 --> 00:18:56,789 if your app runs on like a hundred 529 00:18:56,790 --> 00:18:58,739 thousands or millions of devices, you 530 00:18:58,740 --> 00:19:01,140 will see every every error eventually 531 00:19:02,730 --> 00:19:03,730 when you have 532 00:19:05,220 --> 00:19:07,319 things like of like Google 533 00:19:07,320 --> 00:19:09,389 Play Services doesn't support safety net 534 00:19:09,390 --> 00:19:11,159 yet. So what should you do? 535 00:19:11,160 --> 00:19:12,539 And one part is you can, like, just 536 00:19:12,540 --> 00:19:14,669 update forces to update their 537 00:19:14,670 --> 00:19:15,670 place services. 538 00:19:17,950 --> 00:19:18,950 Or. 539 00:19:20,500 --> 00:19:22,119 And then there is like just like general 540 00:19:22,120 --> 00:19:24,339 error, connection errors, and in those 541 00:19:24,340 --> 00:19:26,529 cases, you just really have to retry. 542 00:19:27,880 --> 00:19:30,069 If you forget to, like, 543 00:19:30,070 --> 00:19:31,689 handle one of those errors, that either 544 00:19:31,690 --> 00:19:33,909 means some 545 00:19:33,910 --> 00:19:36,099 for some client will basically not work 546 00:19:36,100 --> 00:19:38,169 on your network or some client will be 547 00:19:38,170 --> 00:19:39,789 allowed to, like, connect to your service 548 00:19:39,790 --> 00:19:41,049 even if it was tampered with. 549 00:19:42,970 --> 00:19:44,739 And like the lower three cases, that's 550 00:19:44,740 --> 00:19:47,379 like really something you should actually 551 00:19:47,380 --> 00:19:49,899 be able to to see during development 552 00:19:49,900 --> 00:19:51,519 because of your nonsense to sharded. 553 00:19:51,520 --> 00:19:53,169 Well, actually, just like fail even. 554 00:19:53,170 --> 00:19:55,059 Yeah. It was just like directly fail. 555 00:19:56,590 --> 00:19:58,669 Um, yeah, some some more examples 556 00:19:58,670 --> 00:20:01,119 I just like and I just, like, uninstalled 557 00:20:01,120 --> 00:20:03,669 the all place services updates on 558 00:20:03,670 --> 00:20:05,769 this like Nexus seven, which is 559 00:20:05,770 --> 00:20:07,539 like an Android forum, which also doesn't 560 00:20:07,540 --> 00:20:09,189 have secured. And then if you like to 561 00:20:09,190 --> 00:20:11,169 start the application, you'll just like 562 00:20:11,170 --> 00:20:13,029 nothing will work, like because you 563 00:20:13,030 --> 00:20:14,289 really need to update those place 564 00:20:14,290 --> 00:20:15,290 services. 565 00:20:17,530 --> 00:20:19,689 So a lot of a lot 566 00:20:19,690 --> 00:20:21,939 of the API failure things are 567 00:20:21,940 --> 00:20:24,009 basically a temporary failure, so you 568 00:20:24,010 --> 00:20:26,109 basically have to start with retrying 569 00:20:26,110 --> 00:20:28,269 everything, generic 570 00:20:28,270 --> 00:20:29,589 arrows, networking errors. 571 00:20:32,070 --> 00:20:33,809 And in general, you should be like a good 572 00:20:33,810 --> 00:20:35,999 citizen and basically do an exponential 573 00:20:36,000 --> 00:20:38,069 take off after 574 00:20:38,070 --> 00:20:40,539 each failed to try. 575 00:20:40,540 --> 00:20:43,259 Also, you can look into 576 00:20:43,260 --> 00:20:44,519 this adjacent field. 577 00:20:44,520 --> 00:20:46,319 Others chase and blow up on the device 578 00:20:46,320 --> 00:20:48,149 itself and then determine if you do if 579 00:20:48,150 --> 00:20:49,379 you want to do a retrial and you don't 580 00:20:49,380 --> 00:20:50,380 have to do a full 581 00:20:51,480 --> 00:20:52,819 round trip to your back end. 582 00:20:53,940 --> 00:20:55,619 But basically what you really need to do 583 00:20:55,620 --> 00:20:57,539 is report any of the failures to your 584 00:20:57,540 --> 00:20:58,540 back end 585 00:20:59,820 --> 00:21:01,949 and really plan what you're 586 00:21:01,950 --> 00:21:04,199 going to do if, like, some device 587 00:21:04,200 --> 00:21:06,599 keeps just like throwing errors, because 588 00:21:06,600 --> 00:21:08,669 that's and the worst case, a 589 00:21:08,670 --> 00:21:10,859 customer of a user of your app that 590 00:21:10,860 --> 00:21:12,629 can never use the app because if they 591 00:21:12,630 --> 00:21:14,309 have some random error, 592 00:21:15,810 --> 00:21:17,879 so you have to be like, really 593 00:21:17,880 --> 00:21:19,469 we have to really think hard about what 594 00:21:19,470 --> 00:21:20,069 you're going to do. 595 00:21:20,070 --> 00:21:22,079 Unfortunately, this, of course, is an 596 00:21:22,080 --> 00:21:24,239 obsessive behavior because in some cases 597 00:21:24,240 --> 00:21:26,309 like, oh, maybe it's because I let the 598 00:21:26,310 --> 00:21:28,439 person use it like once or twice, 599 00:21:28,440 --> 00:21:30,779 but maybe it's like we never want anybody 600 00:21:30,780 --> 00:21:32,909 who fails us 601 00:21:32,910 --> 00:21:35,009 to ever use our service. 602 00:21:35,010 --> 00:21:37,290 And this is like really more specific 603 00:21:40,170 --> 00:21:41,799 decisions. 604 00:21:41,800 --> 00:21:44,559 So let's look at. 605 00:21:44,560 --> 00:21:46,839 Yeah, so the first and the main 606 00:21:46,840 --> 00:21:48,249 function or one of the two 607 00:21:48,250 --> 00:21:50,469 functionalities like the OS and Device 608 00:21:50,470 --> 00:21:52,209 Integrity Check, and that's basically 609 00:21:52,210 --> 00:21:53,829 just like those two fields which give you 610 00:21:53,830 --> 00:21:54,940 like true or false. 611 00:21:56,080 --> 00:21:57,819 But app integrity works a little bit 612 00:21:57,820 --> 00:21:59,499 different because they actually Google 613 00:21:59,500 --> 00:22:01,299 can actually can't really tell you of 614 00:22:01,300 --> 00:22:03,879 your app. And the app integrity 615 00:22:03,880 --> 00:22:06,309 is is there 616 00:22:06,310 --> 00:22:08,319 and you have those two fields, the app 617 00:22:08,320 --> 00:22:10,869 Digest and the app Digest. 618 00:22:10,870 --> 00:22:12,849 And the Digest is really like the digest 619 00:22:12,850 --> 00:22:15,109 of your the key is 620 00:22:15,110 --> 00:22:16,110 saying to your app. 621 00:22:18,460 --> 00:22:19,449 So in the easy mode. 622 00:22:19,450 --> 00:22:21,669 So if you resign, an application 623 00:22:21,670 --> 00:22:23,859 gets the search digest will be 624 00:22:23,860 --> 00:22:24,969 of course, different. 625 00:22:24,970 --> 00:22:27,129 So if somebody just like uses a 626 00:22:27,130 --> 00:22:28,989 tool on the app, modifies the app, 627 00:22:28,990 --> 00:22:31,209 reinstalled it, the API 628 00:22:31,210 --> 00:22:32,230 digest will be different. 629 00:22:34,160 --> 00:22:36,319 So the most easy check to check for 630 00:22:36,320 --> 00:22:38,479 up integrity is basically just 631 00:22:38,480 --> 00:22:41,749 like compare the RPK strategist 632 00:22:41,750 --> 00:22:43,879 and you kind of say if you have five 633 00:22:43,880 --> 00:22:45,979 different abs and you can 634 00:22:45,980 --> 00:22:48,140 kind of most likely they will all be 635 00:22:49,940 --> 00:22:51,859 signed with the same search. 636 00:22:51,860 --> 00:22:53,959 He basically only have to like hot 637 00:22:53,960 --> 00:22:55,789 just like digestion to your back once. 638 00:22:55,790 --> 00:22:57,079 And you can just like, always compare 639 00:22:57,080 --> 00:22:58,549 that. Um, yeah. 640 00:22:58,550 --> 00:23:00,079 That's like really, if you like, done 641 00:23:00,080 --> 00:23:02,269 this, like, it's basically a very 642 00:23:02,270 --> 00:23:04,489 a very, very simple comparison. 643 00:23:04,490 --> 00:23:06,469 But with that you can always like yap, 644 00:23:06,470 --> 00:23:08,689 yap, it's like not 645 00:23:08,690 --> 00:23:10,939 tampered with, but you can also 646 00:23:10,940 --> 00:23:13,009 go into advanced mode and 647 00:23:13,010 --> 00:23:15,709 basically also compare the APIC 648 00:23:15,710 --> 00:23:16,710 Digest. 649 00:23:18,470 --> 00:23:20,149 But that's, of course, a little bit 650 00:23:20,150 --> 00:23:22,099 different or a little bit more difficult, 651 00:23:22,100 --> 00:23:24,289 because that means 652 00:23:24,290 --> 00:23:26,660 for every single APCO you ever released 653 00:23:27,680 --> 00:23:28,819 to the App Store, 654 00:23:30,440 --> 00:23:32,689 you basically have to record the digest 655 00:23:32,690 --> 00:23:34,759 of the file, because if you didn't do 656 00:23:34,760 --> 00:23:36,829 that, you will just like reject people 657 00:23:36,830 --> 00:23:38,989 and say, like, hey, we don't recognize 658 00:23:38,990 --> 00:23:39,990 this app. 659 00:23:40,730 --> 00:23:42,409 Yeah, you've probably modified your app, 660 00:23:42,410 --> 00:23:44,059 but in reality, maybe you just, like, 661 00:23:44,060 --> 00:23:45,739 forgot to collect the data. 662 00:23:45,740 --> 00:23:47,269 So you have to we have like, very tight 663 00:23:47,270 --> 00:23:49,549 control over your release process, but 664 00:23:49,550 --> 00:23:51,349 you can do cool stuff like revokes the 665 00:23:51,350 --> 00:23:53,479 specific app conversions at this 666 00:23:53,480 --> 00:23:56,149 like very early part of the communication 667 00:23:56,150 --> 00:23:57,799 with your server by just like deleting 668 00:23:57,800 --> 00:24:00,349 that specific digest from your database 669 00:24:00,350 --> 00:24:02,569 and then safetynet will basically block 670 00:24:02,570 --> 00:24:03,619 this app for you. 671 00:24:05,390 --> 00:24:06,390 Yeah. 672 00:24:09,680 --> 00:24:12,169 So, yeah, basically 673 00:24:12,170 --> 00:24:14,209 so to do the implementation and 674 00:24:14,210 --> 00:24:15,210 deployment, 675 00:24:16,550 --> 00:24:18,349 yeah, on the client side, you really have 676 00:24:18,350 --> 00:24:19,609 to check for error conditions. 677 00:24:19,610 --> 00:24:21,739 We try and report failure codes and 678 00:24:21,740 --> 00:24:22,969 the back, and you really have to make 679 00:24:22,970 --> 00:24:24,979 sure to validate the signature and the 680 00:24:24,980 --> 00:24:27,169 other station data check 681 00:24:27,170 --> 00:24:29,959 really all fields, timestamps, Norns, 682 00:24:29,960 --> 00:24:32,149 and really make a decision about 683 00:24:32,150 --> 00:24:34,609 failures and what you want to do. 684 00:24:34,610 --> 00:24:36,769 And especially like things like 685 00:24:36,770 --> 00:24:38,929 do we want to force users to update 686 00:24:38,930 --> 00:24:40,789 the place services and maybe have 687 00:24:40,790 --> 00:24:43,429 something like a white listing mechanism 688 00:24:43,430 --> 00:24:45,529 where you can lightless, maybe specific 689 00:24:45,530 --> 00:24:47,719 kind of devices because you will run 690 00:24:47,720 --> 00:24:49,699 into problems and you probably don't want 691 00:24:49,700 --> 00:24:52,129 to prevent 692 00:24:52,130 --> 00:24:54,019 a like a specific user group from not 693 00:24:54,020 --> 00:24:55,760 using being able to use your service. 694 00:24:58,980 --> 00:25:01,349 So until yeah, so that's basically 695 00:25:01,350 --> 00:25:03,629 the the part about 696 00:25:03,630 --> 00:25:05,729 what does that safety net attestation, 697 00:25:05,730 --> 00:25:07,709 how does it work? What what you should 698 00:25:07,710 --> 00:25:09,509 look out for? And they're trying to 699 00:25:09,510 --> 00:25:10,559 implement and deploy it. 700 00:25:11,700 --> 00:25:14,699 But of course, as 701 00:25:14,700 --> 00:25:16,769 I guess anybody who is interested in 702 00:25:16,770 --> 00:25:19,199 security and if you like, 703 00:25:19,200 --> 00:25:21,329 implement or a new security 704 00:25:21,330 --> 00:25:23,999 system, you really want to know 705 00:25:24,000 --> 00:25:25,799 if you can actually trust the system or 706 00:25:25,800 --> 00:25:27,060 if it's just like does nothing. 707 00:25:28,800 --> 00:25:30,689 So when I when I first looked at it, I 708 00:25:30,690 --> 00:25:32,789 was like, let's see how good 709 00:25:32,790 --> 00:25:34,889 this actually is. And can we do 710 00:25:34,890 --> 00:25:36,089 like bypasses? 711 00:25:36,090 --> 00:25:37,619 And also what are the limitations? 712 00:25:38,700 --> 00:25:41,399 Obvious limitations, I guess, 713 00:25:41,400 --> 00:25:43,709 were Android different 714 00:25:43,710 --> 00:25:45,719 Android versions because on Android 715 00:25:45,720 --> 00:25:48,449 phone, if you really don't have like this 716 00:25:48,450 --> 00:25:50,579 secure good state like 717 00:25:50,580 --> 00:25:51,580 applications, kind of 718 00:25:52,650 --> 00:25:54,989 determine the 719 00:25:54,990 --> 00:25:56,239 state. 720 00:25:56,240 --> 00:25:58,409 So anything that would be based 721 00:25:58,410 --> 00:26:01,319 on unlocking your bootloader 722 00:26:01,320 --> 00:26:03,419 would but basically work because if you 723 00:26:03,420 --> 00:26:05,939 can't detect the bootloader was unlocked, 724 00:26:05,940 --> 00:26:08,159 you can block an unlocked 725 00:26:08,160 --> 00:26:09,359 bootloader. 726 00:26:09,360 --> 00:26:11,609 Yeah. And another Android six. 727 00:26:13,080 --> 00:26:15,899 Yeah, of course they can detect 728 00:26:15,900 --> 00:26:18,419 the Bush state and then you can actually 729 00:26:18,420 --> 00:26:20,489 rely on everything that is 730 00:26:20,490 --> 00:26:22,589 based on the secure 731 00:26:22,590 --> 00:26:23,590 boot mode. 732 00:26:24,360 --> 00:26:26,429 But there's of course, already shows you 733 00:26:26,430 --> 00:26:29,849 that all devices 734 00:26:29,850 --> 00:26:31,229 kind of. 735 00:26:31,230 --> 00:26:33,479 Yeah. Are very much harder 736 00:26:33,480 --> 00:26:35,789 to like judge in terms of 737 00:26:35,790 --> 00:26:38,009 the attestations system because of 738 00:26:38,010 --> 00:26:40,409 certain limitations of the actual OS. 739 00:26:40,410 --> 00:26:42,839 So in your in your security policy, 740 00:26:42,840 --> 00:26:45,089 in your background, you basically have to 741 00:26:45,090 --> 00:26:47,159 to know that, hey, 742 00:26:47,160 --> 00:26:49,439 if something like Android four or five 743 00:26:49,440 --> 00:26:51,539 devices, we might not be able to see 744 00:26:51,540 --> 00:26:53,579 certain things if you just use safetynet. 745 00:26:55,170 --> 00:26:56,579 And you have like other things with 746 00:26:56,580 --> 00:26:57,719 Android phones, so you don't have 747 00:26:57,720 --> 00:26:59,279 diversity, that means you can just 748 00:26:59,280 --> 00:27:01,649 rebound and write or change files 749 00:27:01,650 --> 00:27:03,539 and on the system partition. 750 00:27:03,540 --> 00:27:05,819 So like, you can do fun things like. 751 00:27:07,850 --> 00:27:10,279 Change or rename or move like 752 00:27:10,280 --> 00:27:12,439 a system exponential to some other 753 00:27:12,440 --> 00:27:14,569 directory, and then if you just run your 754 00:27:14,570 --> 00:27:16,549 safety net enabled application, you will 755 00:27:16,550 --> 00:27:17,569 totally bypass 756 00:27:19,130 --> 00:27:20,419 or you will actually not you will not 757 00:27:20,420 --> 00:27:21,919 bypass what you will just pass that 758 00:27:21,920 --> 00:27:23,629 station because the system will say, 759 00:27:23,630 --> 00:27:26,449 yeah, fine, nothing was modified. 760 00:27:26,450 --> 00:27:29,059 And and then after 761 00:27:29,060 --> 00:27:31,669 using that, you can basically restore 762 00:27:31,670 --> 00:27:33,440 you to like by copying it back, 763 00:27:34,520 --> 00:27:36,319 you could also and that also is like 764 00:27:36,320 --> 00:27:38,359 another another basically indicator of 765 00:27:38,360 --> 00:27:39,919 what you should do if you only like, 766 00:27:39,920 --> 00:27:42,639 basically run safety net on on 767 00:27:42,640 --> 00:27:44,209 start up, you can do with things like 768 00:27:44,210 --> 00:27:46,429 that. But say if you use it more often, 769 00:27:46,430 --> 00:27:48,459 like at random intervals, just the back 770 00:27:48,460 --> 00:27:50,509 and the conservatives like at random 771 00:27:50,510 --> 00:27:52,489 intervals, just like says hey, can you 772 00:27:52,490 --> 00:27:53,509 rerun this at the station. 773 00:27:53,510 --> 00:27:55,579 For me, those things become a little 774 00:27:55,580 --> 00:27:56,580 bit harder. 775 00:27:57,890 --> 00:28:00,019 Of course, none of this is documented 776 00:28:00,020 --> 00:28:01,020 at all. 777 00:28:02,960 --> 00:28:05,359 So does my 778 00:28:05,360 --> 00:28:07,579 small demo application, again, 779 00:28:07,580 --> 00:28:09,769 looks like this was like a Nexus five 780 00:28:09,770 --> 00:28:11,839 X with Android six and I just 781 00:28:11,840 --> 00:28:13,699 unlock the bootloader and then if you 782 00:28:13,700 --> 00:28:15,649 like, run that station, you'll see 783 00:28:15,650 --> 00:28:17,719 something like this like secu mode that 784 00:28:17,720 --> 00:28:19,579 actually doesn't come from the 785 00:28:19,580 --> 00:28:20,529 attestation API. 786 00:28:20,530 --> 00:28:21,949 They just like read that from the system 787 00:28:21,950 --> 00:28:24,289 properties, but it basically 788 00:28:24,290 --> 00:28:27,709 detects unlock bootloader and 789 00:28:27,710 --> 00:28:30,079 so it will change. 790 00:28:31,190 --> 00:28:32,190 Yeah. 791 00:28:32,770 --> 00:28:34,459 Yeah. The CTS profile in the middle to 792 00:28:34,460 --> 00:28:36,079 false and will also give you like an 793 00:28:36,080 --> 00:28:38,449 advice which like hey, you should relock 794 00:28:38,450 --> 00:28:39,649 your bootloader. 795 00:28:39,650 --> 00:28:41,209 And this advice philos also something 796 00:28:41,210 --> 00:28:43,279 that just like added I think earlier 797 00:28:43,280 --> 00:28:45,499 this year just under just like this, just 798 00:28:45,500 --> 00:28:46,879 added it. And you were like you were 799 00:28:46,880 --> 00:28:48,949 looking, I was looking at the Jasen 800 00:28:48,950 --> 00:28:50,509 fine. I was like, hey, there's a new 801 00:28:50,510 --> 00:28:52,129 field and it's like undocumented. 802 00:28:52,130 --> 00:28:53,449 Nice. 803 00:28:53,450 --> 00:28:54,450 So 804 00:28:56,210 --> 00:28:57,979 Sue, Hide and Majles. 805 00:28:57,980 --> 00:28:58,980 So 806 00:29:00,710 --> 00:29:03,019 obviously, if a system like that 807 00:29:03,020 --> 00:29:05,089 exists, people will try to bypass 808 00:29:05,090 --> 00:29:07,399 it. And one of the first bypasses 809 00:29:07,400 --> 00:29:09,259 for the system for those was as you hide 810 00:29:09,260 --> 00:29:11,509 basically at some, you can call 811 00:29:11,510 --> 00:29:14,209 it a rootkit because it's 812 00:29:14,210 --> 00:29:16,369 really just hiding it, trying to 813 00:29:16,370 --> 00:29:18,499 hide that, 814 00:29:18,500 --> 00:29:20,069 basically that you rooted your device 815 00:29:20,070 --> 00:29:21,070 from safety net. 816 00:29:22,310 --> 00:29:24,589 And that was the 817 00:29:24,590 --> 00:29:26,569 issue, suicide, it was very simple and 818 00:29:26,570 --> 00:29:28,849 Google very easily actually detected 819 00:29:28,850 --> 00:29:30,709 it and you could actually read on forums 820 00:29:30,710 --> 00:29:32,959 like that. People would post all I 821 00:29:32,960 --> 00:29:34,639 can, like, use to hide anymore. 822 00:29:34,640 --> 00:29:36,559 They did not take that in like two weeks 823 00:29:36,560 --> 00:29:38,599 later. It was like, oh, you maybe like 824 00:29:38,600 --> 00:29:40,099 two days later there was like an update 825 00:29:40,100 --> 00:29:42,109 and it worked again. And then it was like 826 00:29:42,110 --> 00:29:43,519 detected again. 827 00:29:43,520 --> 00:29:45,949 And that's really where those like 828 00:29:45,950 --> 00:29:48,169 short iteration 829 00:29:48,170 --> 00:29:50,359 cycle due to like code pushing comes into 830 00:29:50,360 --> 00:29:53,209 play. They Google just like really fast, 831 00:29:53,210 --> 00:29:55,519 react to whatever changes 832 00:29:55,520 --> 00:29:56,419 there. 833 00:29:56,420 --> 00:29:59,089 And then Suhad was discontinued 834 00:29:59,090 --> 00:30:00,529 because the guy basically said like, oh, 835 00:30:00,530 --> 00:30:02,329 I give up like they they can, like, 836 00:30:02,330 --> 00:30:04,999 change their detection so fast and 837 00:30:05,000 --> 00:30:07,879 I want to do something else with my life 838 00:30:07,880 --> 00:30:09,019 then just like updating. 839 00:30:10,550 --> 00:30:11,779 But then there's magic, 840 00:30:13,220 --> 00:30:15,649 which is more 841 00:30:15,650 --> 00:30:17,869 a more modern way of like 842 00:30:17,870 --> 00:30:19,160 basically hiding root. 843 00:30:20,550 --> 00:30:22,709 But metrics is based on unlocking the 844 00:30:22,710 --> 00:30:24,239 bootloader and pitching as a Linux 845 00:30:24,240 --> 00:30:26,159 policies and so on. 846 00:30:26,160 --> 00:30:28,049 Actually, this is, as far as I know, 847 00:30:28,050 --> 00:30:30,329 completely undetectable, undetectable 848 00:30:30,330 --> 00:30:31,330 at the moment. 849 00:30:32,810 --> 00:30:35,029 Due to safety, not actually not running 850 00:30:35,030 --> 00:30:36,349 the full system privileges, 851 00:30:37,550 --> 00:30:39,739 but this 852 00:30:39,740 --> 00:30:41,479 faces right, you really have to like 853 00:30:42,560 --> 00:30:44,749 unlock and modify or like unlock. 854 00:30:44,750 --> 00:30:46,309 It would louder and do like heavy 855 00:30:46,310 --> 00:30:47,310 modifications. 856 00:30:48,690 --> 00:30:50,759 So it's like not probably done by 857 00:30:50,760 --> 00:30:52,829 a lot of users, but 858 00:30:52,830 --> 00:30:55,259 basically all those tools are basically 859 00:30:55,260 --> 00:30:57,479 real, real root to like hide 860 00:30:57,480 --> 00:31:00,299 from security services on Android. 861 00:31:00,300 --> 00:31:02,489 And Google is playing a nice cat 862 00:31:02,490 --> 00:31:03,490 and mouse game. 863 00:31:06,210 --> 00:31:08,279 So, yeah, and 864 00:31:08,280 --> 00:31:10,409 also those to basically just 865 00:31:10,410 --> 00:31:12,329 try to hide system modifications sort of 866 00:31:12,330 --> 00:31:14,989 routine, which is only one aspect of 867 00:31:14,990 --> 00:31:17,129 of safety net or the safety of the rest 868 00:31:17,130 --> 00:31:18,130 API. 869 00:31:19,730 --> 00:31:22,109 Um, so I was more interested 870 00:31:22,110 --> 00:31:23,130 in integrity. 871 00:31:25,030 --> 00:31:27,099 Yeah, because the other the other 872 00:31:27,100 --> 00:31:28,839 two the other two like checks can 873 00:31:28,840 --> 00:31:31,119 obviously be bypassed and really 874 00:31:31,120 --> 00:31:33,159 nobody ever looked at integrity and I was 875 00:31:33,160 --> 00:31:34,399 really wondering why. 876 00:31:34,400 --> 00:31:36,219 And I was like, yeah, that's kind of 877 00:31:36,220 --> 00:31:38,559 interesting for us. 878 00:31:38,560 --> 00:31:40,420 So, look, I was looking into eventuality 879 00:31:41,500 --> 00:31:44,069 and basically the the the the goal behind 880 00:31:44,070 --> 00:31:46,269 integrity is like we needed to really 881 00:31:46,270 --> 00:31:48,489 to detect if somebody 882 00:31:48,490 --> 00:31:49,490 modified 883 00:31:51,550 --> 00:31:52,600 your application 884 00:31:53,800 --> 00:31:56,289 and you do that by looking at the APK 885 00:31:56,290 --> 00:31:57,729 Digest and the sort digest. 886 00:32:00,230 --> 00:32:02,179 Because if he could modify the APJ, you 887 00:32:02,180 --> 00:32:04,279 can do something like remove like 888 00:32:04,280 --> 00:32:06,319 the let's start printing and like modify 889 00:32:06,320 --> 00:32:08,299 traffic and things, things like that. 890 00:32:10,340 --> 00:32:12,529 So and you probably don't want that 891 00:32:12,530 --> 00:32:14,039 to happen. 892 00:32:14,040 --> 00:32:15,779 So that integrity is like very 893 00:32:15,780 --> 00:32:16,780 interesting, 894 00:32:17,880 --> 00:32:18,880 um. 895 00:32:19,450 --> 00:32:21,699 So how does how does everyone 896 00:32:21,700 --> 00:32:23,919 here or how just like the Digest's 897 00:32:23,920 --> 00:32:26,139 actually work or the effect? 898 00:32:26,140 --> 00:32:28,329 Just the interesting part is 899 00:32:28,330 --> 00:32:31,089 they're those two values are calculated 900 00:32:31,090 --> 00:32:33,399 on the on the APK file 901 00:32:33,400 --> 00:32:35,409 that are stored on disk. 902 00:32:35,410 --> 00:32:37,569 But if you know how Android actually 903 00:32:37,570 --> 00:32:39,099 works, you know, like Android doesn't 904 00:32:39,100 --> 00:32:40,179 actually execute. 905 00:32:40,180 --> 00:32:42,609 The app came because APACS 906 00:32:42,610 --> 00:32:43,749 contained X Files 907 00:32:44,920 --> 00:32:47,049 and until Android for the X Files 908 00:32:47,050 --> 00:32:48,519 would be converted to objects like 909 00:32:48,520 --> 00:32:51,129 optimized text file like a bytecode 910 00:32:51,130 --> 00:32:53,199 and Android for four and five 911 00:32:53,200 --> 00:32:55,359 and later would just like compile the 912 00:32:55,360 --> 00:32:57,249 tax code to native code. 913 00:32:58,430 --> 00:32:59,430 And there was 914 00:33:00,830 --> 00:33:03,019 three years ago, there was like some work 915 00:33:03,020 --> 00:33:05,119 done on unpegging old 916 00:33:05,120 --> 00:33:06,120 X Files. 917 00:33:08,120 --> 00:33:10,789 So this looks like problem of 918 00:33:10,790 --> 00:33:13,149 calculating, checksums on 919 00:33:13,150 --> 00:33:15,289 on our Digest's on one on one 920 00:33:15,290 --> 00:33:18,139 file, but executing another Filkin, 921 00:33:18,140 --> 00:33:19,670 I would say obviously we attacked. 922 00:33:20,750 --> 00:33:23,379 So if you like, rehash 923 00:33:23,380 --> 00:33:25,459 the cold running again, so 924 00:33:25,460 --> 00:33:26,809 an Android phone five, you basically have 925 00:33:26,810 --> 00:33:28,819 the data directly and you have other data 926 00:33:28,820 --> 00:33:30,609 you have every year like apexes, 927 00:33:31,670 --> 00:33:33,919 and then you have like 928 00:33:33,920 --> 00:33:36,169 the program, the program data, 929 00:33:36,170 --> 00:33:38,599 and then you have the coat on and 930 00:33:38,600 --> 00:33:39,799 data dalvik cache. 931 00:33:39,800 --> 00:33:42,649 And then you have this like super long 932 00:33:42,650 --> 00:33:44,509 filename, which is basically very like 933 00:33:44,510 --> 00:33:45,799 the optimized since. 934 00:33:47,270 --> 00:33:49,999 An Android six and later, you have 935 00:33:50,000 --> 00:33:51,679 just like your package directory and in 936 00:33:51,680 --> 00:33:53,059 the package directory, you have an app, 937 00:33:53,060 --> 00:33:55,459 okay, and you have the base or 938 00:33:55,460 --> 00:33:56,779 the base or text file. 939 00:33:56,780 --> 00:33:58,099 But in this case, it's actually not an 940 00:33:58,100 --> 00:33:59,479 old text file. It's like an old text 941 00:33:59,480 --> 00:34:01,789 file, but it contains native code. 942 00:34:01,790 --> 00:34:03,589 The interesting part is those files are 943 00:34:03,590 --> 00:34:05,779 all owned by the system and 944 00:34:05,780 --> 00:34:08,089 they can only be read and 945 00:34:08,090 --> 00:34:10,309 written by actually installed 946 00:34:10,310 --> 00:34:12,049 and zygote. 947 00:34:12,050 --> 00:34:13,789 So your own app can actually not read 948 00:34:13,790 --> 00:34:15,229 it's own like binary. 949 00:34:18,880 --> 00:34:21,569 Which makes us very interesting. 950 00:34:21,570 --> 00:34:23,799 Yeah, yeah, because I got 951 00:34:23,800 --> 00:34:25,718 that, like, I just, like, loaded into 952 00:34:25,719 --> 00:34:26,779 memory and and executed. 953 00:34:26,780 --> 00:34:28,689 So you doesn't really need to be able to 954 00:34:28,690 --> 00:34:29,690 read its own code. 955 00:34:30,909 --> 00:34:33,009 So if you go back and look at 956 00:34:33,010 --> 00:34:35,109 generic modification, how 957 00:34:35,110 --> 00:34:36,189 does this actually work? 958 00:34:36,190 --> 00:34:37,869 Normally you would do something like APIC 959 00:34:37,870 --> 00:34:40,178 Tool and use like unpack the file, 960 00:34:40,179 --> 00:34:41,678 modify the Somali code and use 961 00:34:41,679 --> 00:34:43,650 Apicultural to like rebuild the book 962 00:34:44,860 --> 00:34:47,109 and use Joss to like sign 963 00:34:47,110 --> 00:34:48,579 the file. 964 00:34:48,580 --> 00:34:50,408 And then you can just like run the 965 00:34:50,409 --> 00:34:52,419 modified HBK. Of course, in this case the 966 00:34:52,420 --> 00:34:54,549 signature would be broken because 967 00:34:54,550 --> 00:34:57,129 you don't have the authoress like 968 00:34:57,130 --> 00:34:58,130 keys. 969 00:35:00,300 --> 00:35:01,340 On the device 970 00:35:03,290 --> 00:35:05,659 Apricus compiled using to always 971 00:35:05,660 --> 00:35:07,129 kind of say this is the X Files is the 972 00:35:07,130 --> 00:35:09,199 old file, and then you have 973 00:35:09,200 --> 00:35:10,669 the modified APIC. 974 00:35:14,490 --> 00:35:16,649 So what then, what you do with 975 00:35:16,650 --> 00:35:17,650 this X file, 976 00:35:18,990 --> 00:35:20,909 you have you still have to, like patch 977 00:35:20,910 --> 00:35:23,129 the objects, the modified objects file 978 00:35:23,130 --> 00:35:25,199 to be the 979 00:35:25,200 --> 00:35:27,389 objects file contains like a 60 32 980 00:35:27,390 --> 00:35:29,639 of the text file that was generated from 981 00:35:29,640 --> 00:35:31,199 this is not a security check at all. 982 00:35:31,200 --> 00:35:32,399 It's just for the VM. 983 00:35:32,400 --> 00:35:34,619 So the VM can see, though, that maybe 984 00:35:34,620 --> 00:35:37,169 the AP was updated and now the CRC 985 00:35:37,170 --> 00:35:39,809 doesn't match the 986 00:35:39,810 --> 00:35:41,669 text file and just like recompile it, 987 00:35:41,670 --> 00:35:43,889 that's just like a pure let's not run 988 00:35:43,890 --> 00:35:44,879 old code feature. 989 00:35:44,880 --> 00:35:46,499 It's not a security feature. 990 00:35:46,500 --> 00:35:48,419 And in order to Petroskey file, I made a 991 00:35:48,420 --> 00:35:50,959 small tool. It's like really tiny. 992 00:35:50,960 --> 00:35:52,909 And that's also open source where you can 993 00:35:52,910 --> 00:35:55,939 just like patch patches here, see 994 00:35:55,940 --> 00:35:56,989 of the X File. 995 00:35:58,280 --> 00:35:59,799 So what you can do with basically, which 996 00:35:59,800 --> 00:36:01,909 will work on any Android version, 997 00:36:01,910 --> 00:36:02,910 you can just like. 998 00:36:04,310 --> 00:36:06,769 You need to override the optics file 999 00:36:06,770 --> 00:36:08,839 of the specific app, so if your device 1000 00:36:08,840 --> 00:36:11,209 is routed, you can just let go and like 1001 00:36:11,210 --> 00:36:13,249 overwrite that specific file. 1002 00:36:13,250 --> 00:36:15,349 And so either in the Dalvik cache or 1003 00:36:15,350 --> 00:36:16,639 in the app, in the app 1004 00:36:17,990 --> 00:36:18,990 out cache. 1005 00:36:20,120 --> 00:36:21,559 And interests like stop the app and 1006 00:36:21,560 --> 00:36:23,719 restarted and 1007 00:36:23,720 --> 00:36:25,969 you just have this modified app 1008 00:36:25,970 --> 00:36:28,249 and it will actually bypass all of the 1009 00:36:28,250 --> 00:36:30,149 all of the checks because you only modify 1010 00:36:30,150 --> 00:36:32,279 it, only modify the code 1011 00:36:32,280 --> 00:36:34,249 that it's executed, but not the actual 1012 00:36:34,250 --> 00:36:35,250 original APIC. 1013 00:36:36,570 --> 00:36:37,739 And then, of course, you have to like 1014 00:36:37,740 --> 00:36:40,230 unroot because you want to still 1015 00:36:42,210 --> 00:36:43,799 pass like the good general device 1016 00:36:43,800 --> 00:36:44,800 integrity checks. 1017 00:36:46,950 --> 00:36:49,619 So if you go back to 1018 00:36:49,620 --> 00:36:51,179 if you think back about earlier slights, 1019 00:36:51,180 --> 00:36:52,679 I like, oh, on Android phone, you can 1020 00:36:52,680 --> 00:36:54,959 really you can't really detect 1021 00:36:54,960 --> 00:36:56,459 if a bootloader is unlocked. 1022 00:36:56,460 --> 00:36:58,619 That basic means on Android for you can 1023 00:36:58,620 --> 00:37:00,929 trivially trivially bypass app 1024 00:37:00,930 --> 00:37:03,779 integrity checks because, 1025 00:37:03,780 --> 00:37:06,059 yeah, if you have a router that's based 1026 00:37:06,060 --> 00:37:07,679 on an unlocked bootloader, you can just 1027 00:37:07,680 --> 00:37:08,680 do that. 1028 00:37:09,490 --> 00:37:12,069 Yeah, so that is that is bypassed, 1029 00:37:12,070 --> 00:37:14,199 so but I 1030 00:37:14,200 --> 00:37:16,389 was like, yeah, so I 1031 00:37:16,390 --> 00:37:18,339 bet we can also find other ways to do 1032 00:37:18,340 --> 00:37:19,690 this. So 1033 00:37:21,100 --> 00:37:23,349 the main goal for this attack is like 1034 00:37:23,350 --> 00:37:24,759 as before, if you really want to 1035 00:37:24,760 --> 00:37:26,320 overwrite this one or the X File, 1036 00:37:27,730 --> 00:37:30,069 but we know only 1037 00:37:30,070 --> 00:37:32,619 basically two to two 1038 00:37:33,850 --> 00:37:35,409 demons can actually like. 1039 00:37:35,410 --> 00:37:37,509 Right. To two binaries to actually have 1040 00:37:37,510 --> 00:37:39,609 the SLA privileges to write 1041 00:37:39,610 --> 00:37:41,749 to this file or this class of files was 1042 00:37:41,750 --> 00:37:44,169 just installed and they got. 1043 00:37:44,170 --> 00:37:46,329 But who else can write to any file 1044 00:37:46,330 --> 00:37:47,829 on the file system? Of course, the 1045 00:37:47,830 --> 00:37:50,409 kernel, the Linux kernel, because 1046 00:37:50,410 --> 00:37:52,779 access privileged access, 1047 00:37:52,780 --> 00:37:55,029 any anything that's like like 1048 00:37:55,030 --> 00:37:56,829 said Linux on file permissions do not 1049 00:37:56,830 --> 00:37:59,139 exist for the kernel itself. 1050 00:37:59,140 --> 00:38:01,299 And uh, yeah, two years 1051 00:38:01,300 --> 00:38:03,009 ago, one year ago, there was this like 1052 00:38:03,010 --> 00:38:05,259 nice kernel bug, um, 1053 00:38:05,260 --> 00:38:07,569 by the name of the article 1054 00:38:07,570 --> 00:38:10,179 which in for this talk I was like, 1055 00:38:10,180 --> 00:38:12,159 yeah, you basically allowed you to like 1056 00:38:12,160 --> 00:38:14,349 overwrite any file in the file system 1057 00:38:14,350 --> 00:38:15,579 then that you can read. 1058 00:38:17,120 --> 00:38:19,459 So as a shell 1059 00:38:19,460 --> 00:38:21,319 user, you can obviously read all our X 1060 00:38:21,320 --> 00:38:22,320 Files. 1061 00:38:24,020 --> 00:38:26,599 So now we can go and 1062 00:38:26,600 --> 00:38:28,319 basically, since you can read any old 1063 00:38:28,320 --> 00:38:30,409 text file without 1064 00:38:30,410 --> 00:38:32,300 rooting the device, we can actually 1065 00:38:33,470 --> 00:38:36,349 do this attack without rooting a phone. 1066 00:38:36,350 --> 00:38:38,209 So basically the same procedure, the 1067 00:38:38,210 --> 00:38:40,480 actual the file 1068 00:38:41,960 --> 00:38:44,059 modify the text file and patch 1069 00:38:44,060 --> 00:38:45,469 everything. 1070 00:38:45,470 --> 00:38:47,779 Um, but the one the one small 1071 00:38:47,780 --> 00:38:49,909 issue is like dirty, cannot lie, can 1072 00:38:49,910 --> 00:38:52,039 only overwrite files, but 1073 00:38:52,040 --> 00:38:53,809 basically not a pen like or increase the 1074 00:38:53,810 --> 00:38:55,399 size of a file. 1075 00:38:55,400 --> 00:38:57,849 And the one easy trick that I found 1076 00:38:57,850 --> 00:38:59,989 is so normally text to old 1077 00:38:59,990 --> 00:39:02,389 runs was like 1078 00:39:02,390 --> 00:39:04,459 the processor. Specific optimizations, as 1079 00:39:04,460 --> 00:39:06,259 you can see down here, it's just like 1080 00:39:06,260 --> 00:39:08,749 cortex a 53 1081 00:39:08,750 --> 00:39:10,909 and optimizations can usually make 1082 00:39:10,910 --> 00:39:12,829 files much bigger. 1083 00:39:12,830 --> 00:39:14,689 So if you just like if you just like 1084 00:39:14,690 --> 00:39:16,759 compile, if you're just from 1085 00:39:16,760 --> 00:39:18,889 Dexter to odd without optimizations, 1086 00:39:18,890 --> 00:39:20,389 you will actually get a much smaller 1087 00:39:20,390 --> 00:39:22,249 file. So even if you add like a lot of 1088 00:39:22,250 --> 00:39:24,349 code to like the patched app, you 1089 00:39:24,350 --> 00:39:26,269 file will still be smaller and you can 1090 00:39:26,270 --> 00:39:28,609 very nicely overwrite 1091 00:39:28,610 --> 00:39:30,290 the text file using dirty code. 1092 00:39:32,060 --> 00:39:35,269 Um, yeah, I'm actually going to show you 1093 00:39:35,270 --> 00:39:37,219 do a little life demo, because it's 1094 00:39:37,220 --> 00:39:38,690 actually that that simple. 1095 00:39:40,530 --> 00:39:41,750 First, I'm going to show you. 1096 00:39:45,310 --> 00:39:47,619 So let's see 1097 00:39:47,620 --> 00:39:48,620 until. 1098 00:39:50,050 --> 00:39:52,260 Just have to wait a little bit until the. 1099 00:39:53,300 --> 00:39:55,639 The camera just to the right. 1100 00:39:55,640 --> 00:39:56,640 There you go. 1101 00:39:59,430 --> 00:40:01,290 So this is like the stemmer up the road. 1102 00:40:05,610 --> 00:40:07,919 Yep, and we pass all 1103 00:40:07,920 --> 00:40:09,589 of the checks. 1104 00:40:09,590 --> 00:40:11,659 And so basically, if unrooted 1105 00:40:11,660 --> 00:40:13,939 device, unmodified 1106 00:40:13,940 --> 00:40:15,380 app looks good. 1107 00:40:21,920 --> 00:40:23,519 So. 1108 00:40:23,520 --> 00:40:24,520 This is readable. 1109 00:40:31,270 --> 00:40:33,339 I think that's OK, that's fine. 1110 00:40:33,340 --> 00:40:35,529 Um, so there's this like 1111 00:40:35,530 --> 00:40:37,479 this is the AP, so if you just like, 1112 00:40:37,480 --> 00:40:39,149 unpack this APIC quickly. 1113 00:40:53,980 --> 00:40:55,719 And then we just kind of modified some 1114 00:40:55,720 --> 00:40:56,720 code, 1115 00:40:57,880 --> 00:40:59,859 so this is just like some small code, 1116 00:40:59,860 --> 00:41:01,449 which I'm going to just like in to this 1117 00:41:01,450 --> 00:41:02,450 application. 1118 00:41:10,200 --> 00:41:11,759 That's all we need. 1119 00:41:11,760 --> 00:41:12,760 So. 1120 00:41:13,800 --> 00:41:14,969 And it can just. 1121 00:41:16,780 --> 00:41:18,789 Now, we just like rebuild was basically 1122 00:41:18,790 --> 00:41:21,249 use a tool again and like those sign 1123 00:41:22,990 --> 00:41:25,299 use like the sign with like the default 1124 00:41:25,300 --> 00:41:27,519 key to like just have 1125 00:41:27,520 --> 00:41:28,520 a self signed a. 1126 00:41:33,900 --> 00:41:36,389 Oh, I guess. 1127 00:41:36,390 --> 00:41:38,159 I guess I didn't set the path for that. 1128 00:41:54,290 --> 00:41:55,460 Where is that? 1129 00:41:58,770 --> 00:42:00,050 Who knows where that filer's. 1130 00:42:02,820 --> 00:42:03,820 Sen. Bill Tool's. 1131 00:42:25,630 --> 00:42:27,849 Yeah, no, I have followed the path for 1132 00:42:27,850 --> 00:42:28,850 Sinar. 1133 00:42:29,650 --> 00:42:31,940 The combined arguments for Justyna, um. 1134 00:42:34,530 --> 00:42:35,530 Yeah, that. 1135 00:42:36,930 --> 00:42:37,930 I guess I should have. 1136 00:43:01,360 --> 00:43:02,360 Where is that? 1137 00:43:05,810 --> 00:43:07,909 Um, oh, yeah, yeah, 1138 00:43:07,910 --> 00:43:10,159 it's I heard JDK swear that's exactly 1139 00:43:10,160 --> 00:43:12,710 where it is, whereas my JDK. 1140 00:43:16,520 --> 00:43:17,530 Definitely not here. 1141 00:43:25,840 --> 00:43:27,400 Where is the JDK? 1142 00:43:48,690 --> 00:43:49,690 There we go. 1143 00:43:55,430 --> 00:43:56,430 Placers. 1144 00:43:59,550 --> 00:44:00,899 Should be more of those, yeah. 1145 00:44:08,600 --> 00:44:09,880 I was pretty sure. 1146 00:44:16,240 --> 00:44:17,240 There you go. 1147 00:44:43,190 --> 00:44:45,169 OK, so let's do this again. 1148 00:44:46,350 --> 00:44:47,350 Yeah. 1149 00:44:50,370 --> 00:44:52,310 So now we redesigned the app, 1150 00:44:53,400 --> 00:44:55,469 um, so what what 1151 00:44:55,470 --> 00:44:56,459 else do we need to do? 1152 00:44:56,460 --> 00:44:59,349 So we have or we signed up. 1153 00:44:59,350 --> 00:45:00,350 Um. 1154 00:45:01,090 --> 00:45:03,219 So we want to compile this 1155 00:45:03,220 --> 00:45:04,220 app on the device 1156 00:45:05,770 --> 00:45:06,770 with. 1157 00:45:09,180 --> 00:45:11,669 Basically pushing 1158 00:45:11,670 --> 00:45:13,739 the then the new OPK 1159 00:45:14,850 --> 00:45:16,859 and getting the modified comp. 1160 00:45:16,860 --> 00:45:17,860 Audax, 1161 00:45:18,930 --> 00:45:20,369 now we want the original. 1162 00:45:23,030 --> 00:45:25,219 We the original base file, because 1163 00:45:25,220 --> 00:45:27,110 we need to extract the original secrecy 1164 00:45:28,130 --> 00:45:29,149 and all we can do. 1165 00:45:31,900 --> 00:45:34,209 And so on, this 1166 00:45:34,210 --> 00:45:36,789 is the this is the original one, 1167 00:45:36,790 --> 00:45:38,739 and this one is the one we want to 1168 00:45:38,740 --> 00:45:40,599 change. So what what are you going to do 1169 00:45:40,600 --> 00:45:42,559 here is. 1170 00:45:42,560 --> 00:45:44,809 I want to change this one. 1171 00:45:44,810 --> 00:45:45,810 To this one. 1172 00:45:47,420 --> 00:45:49,040 And if we run it on this. 1173 00:46:24,100 --> 00:46:26,020 Alzira, serious news here, see oh. 1174 00:46:29,670 --> 00:46:32,399 You know, it's always nice if you forget 1175 00:46:32,400 --> 00:46:34,139 the command line of your own 1176 00:46:34,140 --> 00:46:35,140 applications. 1177 00:46:38,150 --> 00:46:40,339 And now we modify, you 1178 00:46:40,340 --> 00:46:42,559 know, it's modified, so this is like 1179 00:46:42,560 --> 00:46:43,560 patched. 1180 00:46:44,530 --> 00:46:46,599 And for the attack, basically push this 1181 00:46:46,600 --> 00:46:48,789 modified app, the modified audio 1182 00:46:48,790 --> 00:46:51,059 file to the to the device and then run 1183 00:46:51,060 --> 00:46:53,019 that one vertical. 1184 00:46:53,020 --> 00:46:55,149 It's another nice point of failure in the 1185 00:46:55,150 --> 00:46:56,150 demo. 1186 00:47:12,100 --> 00:47:13,179 And it didn't work. 1187 00:47:15,960 --> 00:47:16,960 You can try 1188 00:47:18,150 --> 00:47:19,150 try again. 1189 00:47:20,880 --> 00:47:23,029 I have a few more minutes, you 1190 00:47:23,030 --> 00:47:24,799 know, life that I like, life to mostly 1191 00:47:24,800 --> 00:47:26,629 just like turn to. 1192 00:47:26,630 --> 00:47:28,819 Sometimes it's like do not work 1193 00:47:28,820 --> 00:47:29,919 on the first try. 1194 00:47:35,390 --> 00:47:36,390 So good. 1195 00:48:14,450 --> 00:48:16,339 So he's going to reinstall the original 1196 00:48:16,340 --> 00:48:17,340 APIC. 1197 00:48:19,550 --> 00:48:21,139 Since you already have all the modified 1198 00:48:21,140 --> 00:48:23,209 files, you can just skip 1199 00:48:23,210 --> 00:48:24,210 everything else. 1200 00:48:40,080 --> 00:48:41,690 So let's try it one more time. 1201 00:48:49,530 --> 00:48:51,599 And it worked, so let's go to the 1202 00:48:51,600 --> 00:48:52,600 camera. 1203 00:48:55,940 --> 00:48:57,800 Let's wait until the white. 1204 00:49:10,380 --> 00:49:12,329 And now you see the snow is probably 1205 00:49:12,330 --> 00:49:14,459 added and you will see 1206 00:49:14,460 --> 00:49:16,499 all those checks passing and. 1207 00:49:27,060 --> 00:49:29,399 So, yeah, and basically 1208 00:49:29,400 --> 00:49:31,649 unrooted device, but complete, 1209 00:49:31,650 --> 00:49:33,719 basically compromised 1210 00:49:33,720 --> 00:49:35,489 from the integrity level. 1211 00:49:37,470 --> 00:49:39,569 So what is the actual impact of 1212 00:49:39,570 --> 00:49:40,570 this attack? 1213 00:49:41,920 --> 00:49:43,739 Yeah, it's of course, limited to Android 1214 00:49:43,740 --> 00:49:45,359 device that's still vulnerable to a dirty 1215 00:49:45,360 --> 00:49:47,420 car. There's probably like a lot of them. 1216 00:49:48,720 --> 00:49:50,819 The nice part is that basically the 1217 00:49:50,820 --> 00:49:53,129 owner of the device has to, like, perform 1218 00:49:53,130 --> 00:49:55,409 this attack himself because 1219 00:49:55,410 --> 00:49:56,099 ABSs. 1220 00:49:56,100 --> 00:49:57,749 So, like, if you get a malicious app that 1221 00:49:57,750 --> 00:49:59,279 runs on your device, it could not 1222 00:49:59,280 --> 00:50:01,439 modifying other app because apps cannot 1223 00:50:01,440 --> 00:50:03,749 open old X files. 1224 00:50:03,750 --> 00:50:05,009 So that's good. 1225 00:50:05,010 --> 00:50:06,719 Of course, the attack goes way beyond 1226 00:50:06,720 --> 00:50:08,469 safetynet attestations. 1227 00:50:08,470 --> 00:50:11,519 So any any device that 1228 00:50:11,520 --> 00:50:13,889 any any check you do on like 1229 00:50:13,890 --> 00:50:15,959 like old X Files 1230 00:50:15,960 --> 00:50:17,699 or something will be vulnerable to this 1231 00:50:17,700 --> 00:50:18,809 attack. 1232 00:50:18,810 --> 00:50:20,729 The nice part is Android seven devices 1233 00:50:20,730 --> 00:50:23,849 will not be vulnerable because 1234 00:50:23,850 --> 00:50:26,099 Google changed basically the policy 1235 00:50:26,100 --> 00:50:27,389 for this test. 1236 00:50:27,390 --> 00:50:28,619 So they will actually check if your 1237 00:50:28,620 --> 00:50:30,719 criminal has still 1238 00:50:30,720 --> 00:50:32,489 has this background and you will not get 1239 00:50:32,490 --> 00:50:35,609 Google certification, 407 devices, 1240 00:50:35,610 --> 00:50:38,339 the generic Ettakatol, Google, like many 1241 00:50:38,340 --> 00:50:40,559 by I guess now it's like probably 1242 00:50:40,560 --> 00:50:42,279 two years ago. 1243 00:50:42,280 --> 00:50:44,409 So they know it, but it's like, 1244 00:50:44,410 --> 00:50:46,749 I guess, hard to fix Copperhead or assets 1245 00:50:46,750 --> 00:50:48,939 like hard Android clone, they 1246 00:50:48,940 --> 00:50:51,369 actually buy it not by accident, by 1247 00:50:51,370 --> 00:50:53,589 design, mitigate any kind of these 1248 00:50:53,590 --> 00:50:55,479 attacks, but just recompiling every app 1249 00:50:55,480 --> 00:50:56,739 on every start. 1250 00:50:56,740 --> 00:50:59,229 So that would kill like modified 1251 00:50:59,230 --> 00:51:00,699 or X Files. 1252 00:51:00,700 --> 00:51:03,579 So I made some observations over time. 1253 00:51:03,580 --> 00:51:06,099 So basic integrity was like 1254 00:51:06,100 --> 00:51:09,249 June, July 2016, 1255 00:51:09,250 --> 00:51:10,749 suddenly, like found this. 1256 00:51:10,750 --> 00:51:12,519 And I was like, hey, does anybody know? 1257 00:51:12,520 --> 00:51:14,769 Because this is not really documented. 1258 00:51:14,770 --> 00:51:17,209 And then again and I guess maybe 1259 00:51:17,210 --> 00:51:20,439 this year the editor's advice field 1260 00:51:20,440 --> 00:51:21,639 that will tell you about like you 1261 00:51:21,640 --> 00:51:23,409 bootloader or like please refresh your 1262 00:51:23,410 --> 00:51:25,149 daylight's because we determined your 1263 00:51:25,150 --> 00:51:26,349 device was like tampered. 1264 00:51:27,490 --> 00:51:29,859 So that was like kind of interesting. 1265 00:51:29,860 --> 00:51:31,359 Now there's also like a mailing list 1266 00:51:31,360 --> 00:51:32,829 where you can, like, subscribe and they 1267 00:51:32,830 --> 00:51:34,359 will tell you, I guess, about new 1268 00:51:34,360 --> 00:51:36,519 features. But the website will 1269 00:51:36,520 --> 00:51:38,319 not be updated like in a timely way at 1270 00:51:38,320 --> 00:51:39,279 all. 1271 00:51:39,280 --> 00:51:41,419 Also, the 1272 00:51:41,420 --> 00:51:42,770 little bit more interesting parts, 1273 00:51:44,050 --> 00:51:46,389 since attestation 1274 00:51:46,390 --> 00:51:48,519 is based on CTS data and 1275 00:51:48,520 --> 00:51:51,039 CTS is run by manufacturers before 1276 00:51:51,040 --> 00:51:53,139 they release 1277 00:51:53,140 --> 00:51:55,599 an update or a patch or a phone. 1278 00:51:55,600 --> 00:51:57,699 So if this data is false or not up 1279 00:51:57,700 --> 00:51:59,949 to date, of course, the CTS 1280 00:51:59,950 --> 00:52:01,689 test will fail. I will tell you, like, 1281 00:52:01,690 --> 00:52:03,219 hey, your device has been modified 1282 00:52:04,570 --> 00:52:06,819 and actually found that unlike some 1283 00:52:06,820 --> 00:52:08,799 Yotel phone where like, I guess they 1284 00:52:08,800 --> 00:52:11,409 rolled out a security patch and 1285 00:52:11,410 --> 00:52:13,089 did not submit to test data. 1286 00:52:13,090 --> 00:52:15,279 So on all of those devices, actually 1287 00:52:15,280 --> 00:52:17,529 all of this will just fail just because 1288 00:52:17,530 --> 00:52:19,959 Google didn't have the up to date data 1289 00:52:19,960 --> 00:52:22,479 and actually Google did it themselves 1290 00:52:22,480 --> 00:52:25,269 here in March this year, 1291 00:52:25,270 --> 00:52:27,439 Google had to like pull a security update 1292 00:52:27,440 --> 00:52:29,529 for the Nexus seven because it 1293 00:52:29,530 --> 00:52:31,809 like broke their safety net 1294 00:52:31,810 --> 00:52:34,059 and thereby also Android pay 1295 00:52:34,060 --> 00:52:35,079 Pardinas. Probably 1296 00:52:36,530 --> 00:52:37,509 that the last part. 1297 00:52:37,510 --> 00:52:39,369 I don't like how that happened, but 1298 00:52:39,370 --> 00:52:41,469 basically, if it's safety net at the 1299 00:52:41,470 --> 00:52:43,569 station has an outage and 1300 00:52:43,570 --> 00:52:45,579 you can't react to like this outage, you 1301 00:52:45,580 --> 00:52:47,469 will have an outage, too, as like an app 1302 00:52:47,470 --> 00:52:48,699 developer. 1303 00:52:48,700 --> 00:52:50,529 And you probably do not want that. 1304 00:52:52,190 --> 00:52:53,239 The fun part about 1305 00:52:55,160 --> 00:52:57,379 safety in general, Google really 1306 00:52:57,380 --> 00:52:59,029 improves it like all the time, if you 1307 00:52:59,030 --> 00:53:01,249 like, follow forums, rooting forums 1308 00:53:01,250 --> 00:53:03,319 and so on very closely, you 1309 00:53:03,320 --> 00:53:05,859 will see this cat and mouse game. 1310 00:53:05,860 --> 00:53:07,929 Um, and 1311 00:53:07,930 --> 00:53:09,459 it's mostly for Google, I guess, mostly 1312 00:53:09,460 --> 00:53:10,899 about protecting Android pay. 1313 00:53:12,960 --> 00:53:15,659 You know, and yeah, 1314 00:53:15,660 --> 00:53:18,299 but the other the big, the big, 1315 00:53:18,300 --> 00:53:20,729 I guess the big benefit of of safety net 1316 00:53:20,730 --> 00:53:22,889 on the other station part is that 1317 00:53:22,890 --> 00:53:24,839 really do you have a bunch of people at 1318 00:53:24,840 --> 00:53:26,579 Google who constantly, like, work on 1319 00:53:26,580 --> 00:53:28,529 improving basically the results for a 1320 00:53:28,530 --> 00:53:30,299 safety net? So if you use that to secure 1321 00:53:30,300 --> 00:53:32,219 your own app, you get like a lot of 1322 00:53:32,220 --> 00:53:34,289 security for free where you 1323 00:53:34,290 --> 00:53:36,329 otherwise would have to, like, employ a 1324 00:53:36,330 --> 00:53:38,219 bunch of people or by like a third party 1325 00:53:38,220 --> 00:53:40,229 product that does like app and device 1326 00:53:40,230 --> 00:53:43,209 integrity checks for your service. 1327 00:53:43,210 --> 00:53:45,839 The nice part is attestations is free, 1328 00:53:45,840 --> 00:53:47,549 but of course it can go down and have 1329 00:53:47,550 --> 00:53:50,429 outages. You basically don't get an SLA. 1330 00:53:50,430 --> 00:53:52,319 There's raid limits which you should 1331 00:53:52,320 --> 00:53:53,550 never be able to reach. 1332 00:53:54,600 --> 00:53:56,279 Yeah, and it's free. It's like if you 1333 00:53:56,280 --> 00:53:58,369 compare it to like third party service 1334 00:53:58,370 --> 00:54:00,929 that are not free, this 1335 00:54:00,930 --> 00:54:03,029 should be interesting on the 1336 00:54:03,030 --> 00:54:04,469 side, not about malware. 1337 00:54:04,470 --> 00:54:06,539 So there's a lot of Android malware that 1338 00:54:06,540 --> 00:54:08,819 basically is repackaged Android apps. 1339 00:54:08,820 --> 00:54:10,979 So basically people just like add, 1340 00:54:10,980 --> 00:54:13,139 they're like whatever they want to do to 1341 00:54:13,140 --> 00:54:14,039 like Angry Birds. 1342 00:54:14,040 --> 00:54:15,149 And then you have like download that 1343 00:54:15,150 --> 00:54:17,429 modified Angry Birds, if that 1344 00:54:17,430 --> 00:54:19,409 if that game or like that would actually 1345 00:54:19,410 --> 00:54:21,599 run safety net and they 1346 00:54:21,600 --> 00:54:23,939 would basically have to. 1347 00:54:23,940 --> 00:54:25,829 Yeah. Basically that repackaging wouldn't 1348 00:54:25,830 --> 00:54:27,809 work because the apple just like say, 1349 00:54:27,810 --> 00:54:29,579 hey, I was modified and I don't work. 1350 00:54:29,580 --> 00:54:31,649 So they have to like either cut out a lot 1351 00:54:31,650 --> 00:54:33,839 of functionality of that specific app 1352 00:54:33,840 --> 00:54:35,639 and they probably won't do that because 1353 00:54:35,640 --> 00:54:37,289 then we'll just like go after some other 1354 00:54:37,290 --> 00:54:38,789 app so you can basically use us to 1355 00:54:38,790 --> 00:54:41,009 basically prevent your product from 1356 00:54:41,010 --> 00:54:44,429 being targeted by app repackaging malware 1357 00:54:44,430 --> 00:54:46,649 in a as like a site, as 1358 00:54:46,650 --> 00:54:47,650 a site, 1359 00:54:48,780 --> 00:54:50,669 as a side effect. 1360 00:54:50,670 --> 00:54:53,009 So summary and conclusions, basically, 1361 00:54:53,010 --> 00:54:55,349 it's like one of the essential platform 1362 00:54:55,350 --> 00:54:57,599 security services and if you like, 1363 00:54:57,600 --> 00:54:59,729 see serious about like any kind of 1364 00:54:59,730 --> 00:55:01,589 security on Android, you should really, 1365 00:55:01,590 --> 00:55:03,179 really use it. 1366 00:55:03,180 --> 00:55:05,489 As I showed you, there's like some 1367 00:55:05,490 --> 00:55:07,379 like downsides or some things you have to 1368 00:55:07,380 --> 00:55:09,119 be aware of, but you have to be aware of 1369 00:55:09,120 --> 00:55:11,219 those anyway. If you use if you roll your 1370 00:55:11,220 --> 00:55:13,529 own or like by a third party service 1371 00:55:13,530 --> 00:55:15,539 and the majority of apps will just like 1372 00:55:15,540 --> 00:55:17,729 benefit from this and 1373 00:55:17,730 --> 00:55:19,259 it really will really get better over 1374 00:55:19,260 --> 00:55:19,829 time. 1375 00:55:19,830 --> 00:55:22,109 And you kind of really see Google doing 1376 00:55:22,110 --> 00:55:23,669 improvements to that. 1377 00:55:23,670 --> 00:55:24,959 And that's it. 1378 00:55:24,960 --> 00:55:27,089 Slides are online, tools are online on 1379 00:55:27,090 --> 00:55:28,769 my GitHub page. Or like if you go to a 1380 00:55:28,770 --> 00:55:31,109 molenaar android, you'll find 1381 00:55:31,110 --> 00:55:33,419 everything related to this talk 1382 00:55:33,420 --> 00:55:35,159 some more references to read up. 1383 00:55:35,160 --> 00:55:36,259 That's it. 1384 00:55:36,260 --> 00:55:37,259 Thank you very much. 1385 00:55:37,260 --> 00:55:38,699 And I guess we have two minutes for 1386 00:55:38,700 --> 00:55:39,700 questions. 1387 00:55:50,200 --> 00:55:52,429 So first of all, I would like to say 1388 00:55:52,430 --> 00:55:53,430 one of 1389 00:55:54,810 --> 00:55:56,919 other people 1390 00:55:56,920 --> 00:55:59,109 need in order to comply. 1391 00:55:59,110 --> 00:56:01,179 That's another thing. That's why we 1392 00:56:01,180 --> 00:56:02,180 do the Q&A. 1393 00:56:07,830 --> 00:56:10,109 Yes, what a safety net, 1394 00:56:10,110 --> 00:56:12,689 not wrong with full permissions 1395 00:56:12,690 --> 00:56:14,899 because it runs inside 1396 00:56:14,900 --> 00:56:16,979 the Google Play services 1397 00:56:16,980 --> 00:56:20,089 like the, um, basically the, um, 1398 00:56:20,090 --> 00:56:22,439 the play app, like the Android 1399 00:56:22,440 --> 00:56:25,499 like play service 1400 00:56:25,500 --> 00:56:27,719 app. And that only runs like 1401 00:56:27,720 --> 00:56:29,039 ass like system service. 1402 00:56:29,040 --> 00:56:31,379 And so it doesn't run with full services 1403 00:56:31,380 --> 00:56:34,019 because, um, 1404 00:56:34,020 --> 00:56:35,849 because of that it just like runs on like 1405 00:56:35,850 --> 00:56:38,189 a slightly privileged like app. 1406 00:56:38,190 --> 00:56:39,569 And I think that's by design. 1407 00:56:39,570 --> 00:56:41,939 Also think about other manufacturers 1408 00:56:41,940 --> 00:56:44,309 like maybe Samsung or HTC. 1409 00:56:44,310 --> 00:56:46,469 They maybe like other companies, probably 1410 00:56:46,470 --> 00:56:48,569 like do not want to have a super 1411 00:56:48,570 --> 00:56:50,699 high privilege Google process on 1412 00:56:50,700 --> 00:56:53,189 their phones. It's just by design, like 1413 00:56:53,190 --> 00:56:54,989 that's the only thing I can think of. 1414 00:56:54,990 --> 00:56:56,100 Um, yeah. 1415 00:56:57,350 --> 00:56:59,119 Thank you. Next question from microphone 1416 00:56:59,120 --> 00:57:00,120 number two, please. 1417 00:57:02,670 --> 00:57:03,629 Hello? 1418 00:57:03,630 --> 00:57:04,539 Can you hear me? 1419 00:57:04,540 --> 00:57:06,659 Yeah, um, thank you for 1420 00:57:06,660 --> 00:57:09,499 your talk. First of all, uh, 1421 00:57:09,500 --> 00:57:11,879 it looks like surfing the Net runs 1422 00:57:11,880 --> 00:57:12,880 like, uh. 1423 00:57:13,740 --> 00:57:16,079 Under a system user, 1424 00:57:16,080 --> 00:57:18,090 right? Yeah, and 1425 00:57:19,230 --> 00:57:21,569 it has way more privileges to check 1426 00:57:21,570 --> 00:57:23,969 for filesystem when an ordinary 1427 00:57:23,970 --> 00:57:26,309 application. Yes, I do think 1428 00:57:26,310 --> 00:57:28,709 it is still worth to do enough 1429 00:57:28,710 --> 00:57:31,029 checks for things like the technical 1430 00:57:31,030 --> 00:57:32,579 MicroTech devices. 1431 00:57:32,580 --> 00:57:35,069 So I think it really depends 1432 00:57:35,070 --> 00:57:36,089 on your risk model. 1433 00:57:36,090 --> 00:57:38,669 Like if if you if you're very concerned 1434 00:57:38,670 --> 00:57:40,829 about modified apps or modified 1435 00:57:40,830 --> 00:57:42,509 devices, of course it makes sense to add 1436 00:57:42,510 --> 00:57:44,909 your own checks in addition. 1437 00:57:44,910 --> 00:57:47,039 But I think if you like starting to 1438 00:57:47,040 --> 00:57:49,229 develop like a new app, you should first 1439 00:57:49,230 --> 00:57:51,469 implement safety net at 1440 00:57:51,470 --> 00:57:53,099 a station and get all of this right. 1441 00:57:53,100 --> 00:57:54,659 And then you can, like, start investing 1442 00:57:54,660 --> 00:57:56,909 money to to build your own, because 1443 00:57:57,930 --> 00:57:59,909 if you start rolling your own, you 1444 00:57:59,910 --> 00:58:01,289 basically you have to have a team that 1445 00:58:01,290 --> 00:58:02,909 constantly, like, keeps up to date with 1446 00:58:02,910 --> 00:58:04,739 Android versions, because if something 1447 00:58:04,740 --> 00:58:06,359 changes from your app and your own 1448 00:58:06,360 --> 00:58:08,249 detection has false positives, you have 1449 00:58:08,250 --> 00:58:10,409 like just like disable your app 1450 00:58:10,410 --> 00:58:12,479 for, like, a lot of people. 1451 00:58:12,480 --> 00:58:14,639 So, um, yeah, it's 1452 00:58:14,640 --> 00:58:16,439 like, uh, depending on what you want to 1453 00:58:16,440 --> 00:58:18,749 do and like how much you want to spend on 1454 00:58:18,750 --> 00:58:19,769 on on. Yeah. 1455 00:58:19,770 --> 00:58:20,770 On that. 1456 00:58:21,390 --> 00:58:22,469 Thank you very much. 1457 00:58:22,470 --> 00:58:24,569 Unfortunately time is up by now. 1458 00:58:24,570 --> 00:58:26,579 So whoever else has questions, please 1459 00:58:26,580 --> 00:58:28,769 find Colin after the talk. 1460 00:58:28,770 --> 00:58:30,899 I know you probably all know 1461 00:58:30,900 --> 00:58:32,339 that it's pretty nerve racking when 1462 00:58:32,340 --> 00:58:34,379 you're on stage and your demo or whatever 1463 00:58:34,380 --> 00:58:36,269 you were planning in your presentation 1464 00:58:36,270 --> 00:58:37,589 doesn't work as planned. 1465 00:58:37,590 --> 00:58:39,209 So I hope that you are going to show a 1466 00:58:39,210 --> 00:58:41,489 lot of empathy and give Colin another 1467 00:58:41,490 --> 00:58:42,659 big round of applause. 1468 00:58:42,660 --> 00:58:43,660 Thank you very much.