Take a Picture of Your App Code – Android MRI Interpreter

Date: August 25, 2023

Time: 14:00

Track: Track 2

Magnetic Resonance Imaging (MRI), a medical imaging technology, allows tomographic imaging of human organs and measurement of blood flow. Using these features, modern doctors can easily detect diseases without having to perform open surgery as in the past.

If it were possible to perform tomography on an app's code through a simple procedure, like taking an MRI picture without invading the app's process, and to trace the flow of data used within the code, it would be an effective way to find vulnerabilities. This paper proposes a new OS (interpreter, runtime, kernel), based on Android 12, that performs MRI functions.

In this new interpreter, a picture of the Dalvik instruction and register values is taken at runtime whenever the Android app uses the target (data or function), and a Control Flow Graph (CFG) is generated that traces the target's execution forward and backward, providing an effective environment for analyzing the app and finding vulnerabilities. Furthermore, I will explain the vulnerabilities discovered in mobile apps using the developed OS.
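The forward and backward tracing described above, sketched as an added example that is not the speaker's tool or its output. The record layout (`Step`), the collapsing of invoke/move-result pairs into one record, and the sample trace are assumptions constructed here; the sketch follows one data value through the registers rather than building a full CFG.

```python
from collections import namedtuple

# Assumed record for one executed Dalvik instruction: position in the trace,
# opcode, register written (or None), registers read, value written (or None).
Step = namedtuple("Step", "idx op dst srcs val")

# Constructed trace (not real tool output). idx equals the list position.
# An invoke and its move-result are collapsed into one record whose srcs
# are the invoke's argument registers.
TRACE = [
    Step(0, "const-string",       "v0", (),           "pin="),
    Step(1, "move-result-object", "v1", (),           "4921"),      # user input
    Step(2, "move-object",        "v2", ("v1",),      "4921"),
    Step(3, "const/4",            "v3", (),           "0"),
    Step(4, "move-result-object", "v4", ("v0", "v2"), "pin=4921"),  # concat
    Step(5, "invoke-static",      None, ("v4",),      None),        # log sink
    Step(6, "const-string",       "v1", (),           "done"),      # v1 reused
    Step(7, "invoke-virtual",     None, ("v1",),      None),
]

def find_seed(trace, target):
    """Index of the first step that writes the target value to a register."""
    return next(s.idx for s in trace if s.val == target)

def forward(trace, seed):
    """Steps after `seed` that read a register still derived from the target."""
    tainted, hits = {trace[seed].dst}, []
    for s in trace[seed + 1:]:
        if tainted & set(s.srcs):
            hits.append(s.idx)
            if s.dst:
                tainted.add(s.dst)      # result is derived from the target
        elif s.dst in tainted:
            tainted.discard(s.dst)      # register overwritten with other data
    return hits

def backward(trace, sink):
    """Steps before `sink` that produced the values `sink` reads."""
    wanted, hits = set(trace[sink].srcs), []
    for s in reversed(trace[:sink]):
        if s.dst in wanted:
            wanted.discard(s.dst)       # found the definition of this register
            wanted.update(s.srcs)       # now look for what fed that definition
            hits.append(s.idx)
    return hits[::-1]

if __name__ == "__main__":
    seed = find_seed(TRACE, "4921")
    print("forward:", forward(TRACE, seed), "backward:", backward(TRACE, 5))
```

Step 7 reads `v1` only after it was overwritten at step 6, so it stays out of the forward result even though `v1` once held the target.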

Three functions were developed based on the Android Open Source Project (AOSP) in order to analyze apps and find their vulnerabilities in the Android 12 environment.

  • Firstly, a new MRI interpreter was developed that can inspect, trace, and print all the Dalvik instructions and register values executed in an Android app. However, in the Android 12 environment, some of the app's Dalvik code is compiled into native code and runs directly without going through the interpreter. Therefore, it is not possible to inspect all the code with the developed MRI interpreter alone.
  • Secondly, to overcome this, we controlled the flow of code in the Android Runtime (ART) so that all code is executed as Dalvik code through the MRI interpreter. The interpreter developed in this way was installed on the device. However, apps that provide sensitive functions apply the Runtime Application Self-Protection (RASP) technique to detect OS tampering, among other things, and to prevent the app from running in a modified OS environment.
  • Thirdly, to bypass this, we developed a new kernel for Android so that all of RASP's detection functions are automatically bypassed. The new kernel adds a privilege escalation backdoor, SEAndroid bypass, and AVB bypass, so that RASP fails to detect OS tampering and security analysts can obtain root privileges for analysis.

Senior Security Researcher

Financial Security Institute (FSI)

SungHyoun Song is a principal security researcher at Financial Security Institute (FSI), in charge of Mobile Security for Financial Industry in Korea. He has ten years of experience in mobile security, reverse engineering, penetration testing and authentication mechanisms. He is currently focusing on Linux kernel exploitation and the Android runtime. He has also participated in several international security conferences such as ITU-T, Black Hat USA/Asia, Ekoparty, NullCon, CanSecWest, SEC-T, PacSec, HITCON, BlackAlps, beVX.