
Protecting BlackBerry PlayBook applications from unauthorized copying

In this article I will show that, at the moment, there is practically no such protection at all. That is, if you are developing an application, you should understand that almost all of your know-how can be disclosed without any special tricks. I will demonstrate this with an example: I will take my own application and try to get its source.

Let me be clear up front. I am not a hacker or a security professional. I am a mathematician by education and a self-taught programmer, so my language may seem amateurish to some. My goal is to point out the vulnerability and make people think about it. How useful this information is to you, you can judge for yourself.

So, some time ago I came across an article which said that you can install bar¹ files directly on the device, bypassing the store. This is not news in itself; bar files can be installed in much simpler ways. What puzzled me was not the clumsy Java application but the fact that it came with 20+ bar files, including the Angry Birds game, which had not been released for the PlayBook. I wondered where they could have come from.
Since I had not yet heard of root access to the device, and all file managers have limited access, I concluded that the bar files had been intercepted in transit, and decided to check my guess.

I look up sniffers on Wikipedia and take the first one mentioned, the free Wireshark.
It installed without problems; everything is intuitive, you just open the desired network adapter. I launch the PlayBook and set a filter in the sniffer on the PlayBook's IP. I see several entries, but the sniffer does not react to browsing web pages on the device. As Wikipedia teaches us, this is because I have a switch, not a hub.

OK, I install 3proxy. I specify logging to the console, the internal interface (the desktop's IP), the external interface (all, 0.0.0.0), and port 3128.
To do this, run the proxy with the command:
proxy -l -i192.168.1.34 -e0.0.0.0 -p3128
I could have created a configuration file, but this is faster.

I specify this proxy (192.168.1.34) in the PlayBook's connection settings, connect, and see that log entries have started appearing. In the sniffer I change the filter to the IP on which the proxy is listening and restrict it to the HTTP protocol only.
The filter looks like this:
ip.addr == 192.168.1.34 && http

On the PlayBook I open App World and look for my PlayIrc application. It is an IRC client with a proper Russian keyboard and encoding support. I install the demo version and stop the capture in the sniffer.

In the sniffer I see:
GET http://appworld.blackberry.com/ClientAPI/file/
followed by a certain file number. Right-click the record, choose Follow TCP Stream, click Save As in the window that appears, and save it under the name PlayIrc_cracked.bar.

You can first make sure that this really is a zip archive by changing the extension to .zip and opening it with an archiver. Inside I see two folders:
air - contains the SWF application and resources
META-INF - contains the manifests, digital signature information and so on.
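To make the last two steps repeatable, here is an added example in Python (not code from the original post or from RIM) that does what Follow TCP Stream / Save As and the archiver check do by hand: it splits a captured HTTP response into headers and body using Content-Length, so that later keep-alive traffic is not glued onto the archive, verifies the body is a zip, lists the top-level folders and manifest fields, and decodes the header of every SWF inside. The HTTP response and the archive contents are constructed inline; the manifest field names, the Content-Type and the SWF payload are assumptions, not values observed from App World.

```python
import io
import zipfile


def build_sample_stream() -> bytes:
    """Constructed stand-in for the server->client half of the TCP stream that
    Wireshark shows after the GET to /ClientAPI/file/<id>. The body is a small
    zip with the two folders seen in the real .bar (air/ and META-INF/); the
    manifest field names, Content-Type and SWF payload are assumptions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            "Archive-Manifest-Version: 1.1\n"
            "Package-Name: PlayIrc\n"
            "Entry-Point-Type: Flash\n",
        )
        # Fake SWF: signature "FWS" (uncompressed), version 10, little-endian
        # uint32 total length (64), then zero padding. No real tags inside.
        swf = b"FWS" + bytes([10]) + (64).to_bytes(4, "little")
        swf += b"\x00" * (64 - len(swf))
        zf.writestr("air/PlayIrc.swf", swf)
        zf.writestr("air/icon.png", b"\x89PNG\r\n\x1a\n")
    body = buf.getvalue()
    headers = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    ).encode("ascii")
    return headers + body


def extract_http_body(stream: bytes) -> bytes:
    """Return the response body from a captured HTTP response, honouring
    Content-Length so that anything captured after the file (keep-alive
    traffic, a later response) is not appended to the archive."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of HTTP headers not found in stream")
    status, *lines = head.decode("latin-1").split("\r\n")
    if not status.startswith("HTTP/1.") or status.split(" ")[1] != "200":
        raise ValueError(f"unexpected status line: {status!r}")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        length = int(headers["content-length"])
        if len(rest) < length:
            raise ValueError("stream truncated: body shorter than Content-Length")
        return rest[:length]
    return rest  # no length header: assume the capture ends with the body


def parse_swf_header(data: bytes) -> dict:
    """Decode the 8-byte SWF header: 3-byte signature (FWS = uncompressed,
    CWS = zlib, ZWS = LZMA), 1-byte version, uint32 LE uncompressed length."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS", b"ZWS"):
        raise ValueError("not an SWF file")
    return {
        "signature": data[:3].decode("ascii"),
        "version": data[3],
        "length": int.from_bytes(data[4:8], "little"),
    }


def inspect_bar(data: bytes) -> dict:
    """Verify the saved .bar is a zip and summarise what an attacker gets:
    top-level folders, manifest fields and the header of every SWF inside."""
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError("not a zip archive (bad magic); the capture is probably wrong")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest = {}
        if "META-INF/MANIFEST.MF" in names:
            for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8").splitlines():
                key, sep, value = line.partition(": ")
                if sep:
                    manifest[key] = value
        swfs = {n: parse_swf_header(zf.read(n)) for n in names if n.lower().endswith(".swf")}
    return {
        "top_level": sorted({n.split("/", 1)[0] for n in names}),
        "manifest": manifest,
        "swf": swfs,
    }


if __name__ == "__main__":
    bar = extract_http_body(build_sample_stream())
    print(inspect_bar(bar))
```

On a real capture you would replace build_sample_stream() with the bytes of the server-to-client direction that Wireshark saves from Follow TCP Stream; the Content-Length check is what keeps the saved .bar from ending in stray bytes, and a bad zip magic is the quickest sign that you saved the wrong direction or the wrong stream.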

I deploy the bar file to the simulator and to the PlayBook. In both places it installs and runs without problems.

What can an attacker do next?

Option 1. The dumb hacker, that is, a hacker who is not a programmer. He can set up his own site and post the intercepted bar files together with the installer. There was a paid program; now it is free. To be fair, it should be noted that the bar file possibly contains information about who the file was intended for. Since I downloaded it, the check on the device succeeded. In the simulator this check, if it exists, is most likely disabled. For the purity of the experiment it would be good to try installing the bar file on another PlayBook, but I do not have that option. So maybe the dumb-hacker option is not so simple. However, this does not affect the next option.
Option 2. The hacker-programmer. All the same, but first take an SWF decompiler, get the full source, disable the demo restrictions, or simply steal the code. There was a demo; now it is the full version.

Let's see how complicated the second way is. I google "SWF decompiler", install the trial version of Sothink SWF Decompiler, and open the PlayIrc SWF. It complains that it cannot find the flash.filesystem.File class; never mind. I see the whole class structure, all the packages and resources. Since I gave classes and packages clear names and made sure the code was easy to modify and debug, I easily (not because I am the author and know where to look, but genuinely easily) find the class that shows the advertising banner. Finding the limit on the number of open channels is somewhat harder, but it is also done without problems. The modified source can be re-signed under your own name, the logos replaced, and the result put back up for sale or given away to the public as a bar file.

All this is very depressing.
I suppose RIM should somehow protect the data transfer.
Until that happens, I see no other way but to obfuscate the code.

You can, of course, add a permanent online check and send dynamically changing keys, but it would not be very difficult for me to parse the relevant code fragment and remove the check.

Footnotes:
  1. Bar files. Bar files for the BlackBerry PlayBook are the same as jar files for Java, that is, just zip archives containing compiled classes, resources and manifests; in general, everything needed to run the application.


This is my first post on Habr; I hope I have not broken any rules and that my information is not too trivial.

Update.
Summing up.

Hacking has always existed and always will. Like most things in life, hacking begins the moment it becomes profitable, that is, when in terms of time and money it is cheaper to hack than to buy or to use an alternative.

This article does not claim to show new methods or technologies of hacking. On the contrary, everything stated in it is known to any advanced user and has been discussed many times.
Nor does this article aim to cover all methods of illegally copying information; it shows that one very simple method exists.

The point of the article is precisely that RIM has created conditions under which the "cost" of hacking is extremely low, and this should be taken into account during development. The situation could be changed by encrypting the communication between the device and the store.

Source: https://habr.com/ru/post/124080/

