Hackers are often viewed as modern-day pirates. That reputation is largely earned by the security hazards they create, but ethical hackers are genuinely helpful in improving security standards. Most of these security experts do this work simply for the benefit of the community. Rafay Baloch is one such ethical hacker.
Baloch, also known as Pakistan’s “Top Ethical Hacking Prodigy”, has been in the headlines recently for exposing two vulnerabilities in Android’s stock (AOSP) browser. These security loopholes allow hackers to steal the mobile user’s session cookie, enabling them to perform a wide variety of malicious actions including identity theft.
The Pakistani AppSec expert, currently an undergraduate student who spends his free time honing his research skills, was also kind enough to take Checkmarx’s questions and provide an in-depth view into how he revealed the aforementioned vulnerabilities in the world’s most popular mobile OS.
What vulnerabilities did Baloch expose in the AOSP browser?
Both vulnerabilities revolve around the Same Origin Policy (SOP), the security backbone of the modern browser. The policy ensures that a script can interact only with webpage content from the same origin as the script, where the origin is determined by comparing parameters such as the protocol scheme (HTTP versus HTTPS), the host name and the port number.
A secure browser must prevent malicious scripts served from a compromised website from accessing legitimate websites and applications. The vulnerable AOSP browser, however, lets an attacker bypass the SOP. Relatively simple malicious script is enough to bypass the SOP and steal the victim’s cookie.
Baloch found the second Android SOP vulnerability shortly afterwards. All stock built-in (AOSP) browsers on Android 4.3 Jelly Bean and earlier suffer from this glaring security flaw.
Video: Android browser vulnerability in a nutshell (courtesy of TWiT).
Baloch Talks Ethical Hacking, Source Code Analysis and Application Security
As mentioned above, Baloch agreed to an exclusive Q&A with Checkmarx to shed some light on his research methodology and to share his views about application security in general.
Checkmarx: How do you conduct your research and how do you “pick your prey”?
Baloch: “My approach depends on the specific type of vulnerability,” he explains.
“The main idea behind security research is to understand the security policies and mechanisms that have been implemented and working out how you can abuse them. Normally, newly introduced features can be a great area of research for both web app and browser-based security research.”
Baloch uses the Chromium Vulnerability Database as his primary reference platform to research the Android related issues that have surfaced in recent months. He highly recommends this portal to his fellow ethical hackers.
Checkmarx: Tell us more about the latest Android vulnerabilities you found recently.
Baloch: “For the latest SOP issues, I tried to play with the features that interact with webpages on different domains. For example, an iframe on sitex.com loads a website from a different domain, let’s assume sitey.com. With a proper SOP mechanism, sitex.com cannot access the properties of sitey.com. The AOSP browser failed miserably.”
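The iframe scenario Baloch describes comes down to one comparison the browser must make before letting a script on one page read another page. The following is an added example, not code from the interview or from the AOSP browser: it implements the scheme/host/port origin check that a correct SOP enforces, and runs it over the sitex.com/sitey.com case plus the port, scheme and subdomain variants (the hostnames are the interview's hypothetical ones).

```javascript
// Added example: the origin comparison a browser must perform before a
// script on one document may touch another. Origin = scheme + host + port;
// default ports are normalised so http://sitex.com and http://sitex.com:80
// compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(urlString) {
  const u = new URL(urlString); // hostname is already lower-cased by the parser
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Models the iframe case: a script running in the page at scriptUrl asks
// for a property of the document at targetUrl. A correct SOP answers
// "allowed" only when both origins match; the buggy AOSP browser did not
// stop the cross-origin read.
function checkFrameAccess(scriptUrl, targetUrl) {
  return {
    script: originOf(scriptUrl),
    target: originOf(targetUrl),
    allowed: sameOrigin(scriptUrl, targetUrl),
  };
}

// Constructed cases (hypothetical hosts from the interview): sitex.com
// embeds sitey.com in an iframe, plus same-origin and near-miss variants.
const CASES = [
  ["http://sitex.com/page.html", "http://sitey.com/secret"],    // other host: blocked
  ["http://sitex.com/page.html", "http://sitex.com:80/other"],  // same origin: allowed
  ["http://sitex.com/page.html", "https://sitex.com/"],         // scheme differs: blocked
  ["http://sitex.com/page.html", "http://sitex.com:8080/"],     // port differs: blocked
  ["http://sitex.com/page.html", "http://login.sitex.com/"],    // subdomain differs: blocked
];

// Returns the allowed/blocked verdict for each constructed case.
function runCases() {
  return CASES.map(([script, target]) => checkFrameAccess(script, target).allowed);
}
```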
The primary security tool Baloch used for this research was none other than Source Code Analysis (SCA), a variant of Static Application Security Testing (SAST). He used SCA to scan the Android (AOSP) browser source, which eventually helped him locate the two glaring SOP bypasses in the popular mobile platform.
Checkmarx: Do you also research vulnerabilities that have already been exposed?
Baloch: “Yes, of course I do. For example, I have checked existing SOP bypasses that have already been exposed in today’s top desktop browsers such as Chrome, Opera and Firefox. I simply play with the POCs and manipulate them. I like testing them on mobile browsers to expose the weaknesses and gain additional insights into the problems.”
Checkmarx: What do you do after verifying the POC?
Baloch: “Once the security issue has been researched and I have verified the POC, the process is simple. I contact the relevant company representatives with my findings and give them around 4 weeks before making the POC public and publishing it on my blog. I always hope that the issues get fixed as soon as possible. But that’s not always the case.”
Checkmarx: Looking ahead, where do you see the next big cybercrime hotspots?
Baloch: “I intend to move towards iOS and try finding some issues with the Safari browser. iCloud and other similar areas are also worth investigating. While iPhones appear to be safer due to the overwhelming global popularity of Android, I am not convinced this is the case, as seen in the recent iCloud leaks. This is something I wish to research soon.”
What can Android users do to stay safe?
Baloch admitted that he is a big fan of the Android mobile platform, as it offers a lot of customization options and is much more flexible than competing platforms. But he sounded concerned about the apparent lack of effort from Google when it comes to closing loopholes and solving the version fragmentation of the open-source mobile platform.
Baloch also reproduced the problem on the Samsung Galaxy S3, HTC Wildfire and Motorola devices. The issue is not manufacturer-specific: every Android phone running the vulnerable software is at risk. In short, all Android 4.3 and earlier versions are affected. Google currently has no interest in fixing these vulnerabilities.
All CISOs and security managers should make sure the following steps are taken in their organizations:
- All BYOD devices should be upgraded to Android 4.4 and above.
- BYOD devices that can’t be upgraded should not have the AOSP browser set as the default option. Workers should be encouraged to use third-party browsers such as Chrome and Firefox.
- Employees should be educated about the risks of Social Engineering.
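Finding the devices the first two steps apply to is easier when the web gateway or intranet logs are checked for the stock browser. The following is an added example, not from the article: it flags request log lines whose User-Agent looks like the stock AOSP browser on Android 4.3 or earlier. The log format and the sample lines are constructed, and the User-Agent heuristic (a "Version/x.y ... Mobile Safari" token with no "Chrome/" token) is an assumption about how the stock browser identifies itself, not a specification.

```javascript
// Added example: flag clients running the stock AOSP browser on Android
// 4.3 or earlier from proxy/intranet access logs, so BYOD devices can be
// upgraded or moved to a third-party browser.
const ANDROID_VERSION = /Android (\d+)\.(\d+)/;

function parseAndroidVersion(ua) {
  const m = ANDROID_VERSION.exec(ua);
  return m ? { major: Number(m[1]), minor: Number(m[2]) } : null;
}

// Assumed heuristic: the stock browser advertises "Version/x.y" and
// "Mobile Safari" but never "Chrome/", which Chrome for Android carries.
function isStockAosp(ua) {
  return /Version\/\d/.test(ua) && /Mobile Safari/.test(ua) && !/Chrome\//.test(ua);
}

// Vulnerable = stock browser AND Android version below 4.4.
function isVulnerableStockBrowser(ua) {
  const v = parseAndroidVersion(ua);
  if (!v || !isStockAosp(ua)) return false;
  return v.major < 4 || (v.major === 4 && v.minor < 4);
}

// Constructed sample log lines (not real traffic): "<ip> <method> <path> <user-agent>".
const SAMPLE_LOG = [
  "10.0.0.5 GET /intranet/ Mozilla/5.0 (Linux; U; Android 4.3; en-us; GT-I9300 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
  "10.0.0.6 GET /intranet/ Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.135 Mobile Safari/537.36",
  "10.0.0.7 GET /intranet/ Mozilla/5.0 (Linux; U; Android 4.3; en-us; GT-I9300 Build/JSS15J) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.117 Mobile Safari/537.36",
  "10.0.0.8 GET /intranet/ Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 5 Build/KRT16M) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
];

// Returns the client IPs whose requests came from a vulnerable stock browser.
function flagVulnerableClients(lines) {
  return lines
    .filter((line) => isVulnerableStockBrowser(line))
    .map((line) => line.split(" ")[0]);
}
```

Only the first sample line is flagged: the Chrome lines are a different browser even on Android 4.3, and the Android 4.4 stock browser is outside the affected range.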
Baloch signed off with some more words of advice for companies and private developers.
“I’m a firm believer in Source Code Analysis (SCA), which raises coding standards and eliminates vulnerabilities during the development process. This should ideally be complemented by Dynamic Application Security Testing (DAST) or Pen Testing. New features and components should always be scanned and tested before their release.”
“I also strongly recommend running Bug Bounty Programs,” Baloch concluded. “Besides the obvious benefit of finding vulnerabilities, this raises security awareness and engages the ethical hacking community.”