Android app with ½½Ê¬¤Ê »ÙÇۡʤ¹¤ë¡Ë¡¿ÅýÀ©¤¹¤ë over your Google account

Some time ago after I had defended my diploma ÏÀÂê¡¿ÏÀʸ on OAuth °ÂÁ´ my groupmate asked me: "Hey, have you looked into Android OAuth?", and I felt ¤ï¤º¤«¤Ë lost since I realized there is yet another OAuth ¼Â»Ü, and I didn't know how it ºîÉÊ.

Lately I ÀßΩ¤¹¤ë some time to ²ò·è¤¹¤ë this problem. The »Å»ö seemed challenging at the beginning since Android OAuth is a part of Google Play, which is ¤Î¶á¤¯¤Ëd source: this was the first time I had to µÕž¤¹¤ë-engineer to see how the open ´ð½à ºîÉÊ (¤¹¤Ê¤ï¤Á OAuth). Instead of explaining the whole design myself in this Îá¾õ up, I recommend to read sbktech's blog where he has recently published his ½½Ê¬¤Ê, descriptive, and Ê¿°×¤Ê to read explanation of Android OAuth ÆâÉô¤Îs. I would just Äɲ乤ë a few ¸ø¼°Ê¸½ñ¡¤Ç§¤á¤ës about my own findings to the ¸ºß¤¹¤ëing sbktech's ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë:

TL;DR: I was able to find two vulnerabilities in Google Play system apk which µö¤¹d me to bypass the Android »ÈÍÑ¡¿Å¬ÍÑ µö²Ä model: an Ǥ̿¤¹¤ë¡¿Æ³Æþ¤¹¤ëd app asking no µö²Äs could get ½½Ê¬¤Ê Àܶá to the ÁõÃÖ owner's Google account (it is ½½Ê¬¤Ê for a new app Ǥ̿¤¹¤ë¡¿Æ³Æþ¤¹¤ë or Chrome sync Àܶá).

As a first step to understand the weak parts of the OAuth logic I binded to the com.google.android.gms/.auth.GetToken service manually and made, perhaps, a classic mistake with "NetworkOnMainThreadException", which thankfully brought me the "getToken() -> ... -> ÌÖ¾õÁÈ¿¥ request" callstack in a logcat to Ä´ºº¤¹¤ë:

W/GLSUser (  602): GoogleAccountDataService.getToken()
I/GoogleHttpClient(  602): Íî¤Á¤ëing »Ù±ç¤¹¤ë to old SSLCertificateSocketFactory
I/GoogleHttpClient(  602): Using GMS GoogleHttpClient
W/GLSActivity(  602): [GetToken] - getToken exception!
W/GLSActivity(  602): android.os.NetworkOnMainThreadException
W/GLSActivity(  602): at android.os.StrictMode$AndroidBlockGuardPolicy.onNetwork(StrictMode.java:1145)
W/GLSActivity(  602): at libcore.io.BlockGuardOs.connect(BlockGuardOs.java:84)
W/GLSActivity(  602): at libcore.io.IoBridge.connectErrno(IoBridge.java:144)
W/GLSActivity(  602): at libcore.io.IoBridge.connect(IoBridge.java:112)
W/GLSActivity(  602): at java.ÂáÊ᤹¤ë.PlainSocketImpl.connect(PlainSocketImpl.java:192)
W/GLSActivity(  602): at java.ÂáÊ᤹¤ë.PlainSocketImpl.connect(PlainSocketImpl.java:459)
W/GLSActivity(  602): at java.ÂáÊ᤹¤ë.Socket.connect(Socket.java:843)
W/GLSActivity(  602): at com.android.okhttp.ÆâÉô¤Î.ÃÅ¡¦¹ËÎΡ¦¸øÌó.connectSocket(ÃÅ¡¦¹ËÎΡ¦¸øÌó.java:131)
W/GLSActivity(  602): at com.android.okhttp.´Ø·¸.connect(´Ø·¸.java:101)
W/GLSActivity(  602): at com.android.okhttp.ÆâÉô¤Î.http.HttpEngine.connect(HttpEngine.java:294)
W/GLSActivity(  602): at com.android.okhttp.ÆâÉô¤Î.http.HttpEngine.sendSocketRequest(HttpEngine.java:255)
W/GLSActivity(  602): at com.android.okhttp.ÆâÉô¤Î.http.HttpEngine.sendRequest(HttpEngine.java:206)
W/GLSActivity(  602): at com.android.okhttp.ÆâÉô¤Î.http.HttpURLConnectionImpl.¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ë(HttpURLConnectionImpl.java:345)
W/GLSActivity(  602): at com.android.okhttp.ÆâÉô¤Î.http.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:89)
W/GLSActivity(  602): at com.android.okhttp.ÆâÉô¤Î.http.HttpURLConnectionImpl.getOutputStream(HttpURLConnectionImpl.java:197)
W/GLSActivity(  602): at com.android.okhttp.ÆâÉô¤Î.http.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:254)
W/GLSActivity(  602): at gaz.a(SourceFile:823)
W/GLSActivity(  602): at gaz.c(SourceFile:692)
W/GLSActivity(  602): at gaz.¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ë(SourceFile:601)
W/GLSActivity(  602): at xt.¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ë(SourceFile:365)
W/GLSActivity(  602): at xt.¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ë(SourceFile:447)
W/GLSActivity(  602): at avc.a(SourceFile:258)
W/GLSActivity(  602): at avd.a(SourceFile:575)
W/GLSActivity(  602): at avd.a(SourceFile:649)
W/GLSActivity(  602): at avd.a(SourceFile:812)
W/GLSActivity(  602): at avi.a(SourceFile:282)
W/GLSActivity(  602): at avh.a(SourceFile:163)
W/GLSActivity(  602): at axm.a(SourceFile:133)
W/GLSActivity(  602): at axf.a(SourceFile:337)
W/GLSActivity(  602): at axf.a(SourceFile:132)
W/GLSActivity(  602): at arx.a(SourceFile:92)
W/GLSActivity(  602): at arh.a(SourceFile:107)
W/GLSActivity(  602): at wj.onTransact(SourceFile:63)
W/GLSActivity(  602): at android.os.Binder.execTransact(Binder.java:404)
W/GLSActivity(  602): at dalvik.system.NativeStart.run(Native Method)
W/System.err( 1093): android.os.NetworkOnMainThreadException
W/System.err( 1093): at android.os.¾®Êñ.readException(¾®Êñ.java:1475)
W/System.err( 1093): at android.os.¾®Êñ.readException(¾®Êñ.java:1419)
W/System.err( 1093): at com.google.android.gms.auth.¸«ËÜ.helloauth.GetNameInForeground$myConnection.onServiceConnected(GetNameInForeground.java:100)
W/System.err( 1093): at android.app.LoadedApk$ServiceDispatcher.doConnected(LoadedApk.java:1110)
W/System.err( 1093): at android.app.LoadedApk$ServiceDispatcher$RunConnection.run(LoadedApk.java:1127)
W/System.err( 1093): at android.os.Handler.handleCallback(Handler.java:733)
W/System.err( 1093): at android.os.Handler.dispatchMessage(Handler.java:95)
W/System.err( 1093): at android.os.Looper.ÃèÊÖ¤êÈô¹Ô(Looper.java:136)
W/System.err( 1093): at android.app.ActivityThread.main(ActivityThread.java:5017)
D/ConnectivityService(  389): handleInetConditionHoldEnd: ÂáÊ᤹¤ë=0, ¾ò·ï=0, published ¾ò·ï=0
W/System.err( 1093): at java.lang.È¿±Ç¤¹¤ë.Method.invokeNative(Native Method)
W/System.err( 1093): at java.lang.È¿±Ç¤¹¤ë.Method.invoke(Method.java:515)
W/System.err( 1093): at com.android.ÆâÉô¤Î.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:779)
W/System.err( 1093): at com.android.ÆâÉô¤Î.os.ZygoteInit.main(ZygoteInit.java:595)
W/System.err( 1093): at dalvik.system.NativeStart.main(Native Method)

I ²óÉü¤¹¤ëd the logic of those three-letter classes from arh to gaz (that's the Google Play part) and felt an extreme sympathy to the avd class because of the two ¤Ë°ú¤­Â³¤¤¤Æ ¿äÏÀ¤¹¤ë¡¿Íýͳs:

1. URL parameter Ãí¼Í

The below µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö of the avd class parsed the getToken Bundle extras argument and ÁÞÆþ¤¹¤ëd all _opt_XXX parameters from it inside the HTTP request as XXX, ÌÀÇò¤Ë µö¤¹ing to »Ï¤á¤ë¡¤·è¤á¤ë has_permission=1 without any »ÈÍÑ¼Ô Æ±°Õ:

  public final ̾Êí¡Ê¤ËºÜ¤»¤ë¡Ë¡¿É½¡Ê¤Ë¤¢¤²¤ë¡Ë a(String paramString1, String paramString2, int paramInt, String paramString3, boolean paramBoolean1, Bundle paramBundle, boolean paramBoolean2, String paramString4, boolean paramBoolean3, boolean paramBoolean4, CaptchaSolution paramCaptchaSolution, PACLConfig paramPACLConfig, FACLConfig paramFACLConfig, String paramString5)
    if (str8.startsWith("_opt_"))
    {
      localaux1.a(str8.replaceFirst("_opt_", ""), paramBundle.getString(str8));
      ...

2. ËâË¡ ÈÏ°Ïs "SID" and "LSID"

The GooglePlay also ´î¤ó¤Ç ǧ¤á¤ëd me a couple of undocumented ÈÏ°Ïs, ¸½¼Â¤Ë giving me »Ù±ç¤¹¤ë those SID and LSID ³«²ñ¡¿³«Äî¡¿²ñ´ü cookies in ¡Êµ¿¤¤¤ò¡ËÀ²¤é¤¹:

  public final TokenResponse a(TokenResponse paramTokenResponse, ÃÏ¿Þ¡¿·×²è¤¹¤ë paramMap, int paramInt, String paramString1, boolean paramBoolean1, boolean paramBoolean2, String paramString2, PACLConfig paramPACLConfig, FACLConfig paramFACLConfig)
    {
    ...
      if (("SID".equals(paramString1)) || ("LSID".equals(paramString1)))
      {
         str1 = (String)paramMap.get(paramString1);
         ...

Additionally, I made a few more steps on my way to the PoC:

• I impersonated the gms app by setting _opt_app=com.google.android.gms
• I bypassed the ½ð̾ Ω¾Ú by copy-pasting the ½ð̾s and setting them through _opt_client_sig=<sig> (sorry, no crypto ·ç´Ùs here)
• I collected ½ð̾s for all ¸«²ò¡¿ËÝÌõ¡¿ÈÇs of gms (two in total: 58e1c4133f7441ec3d2c270270a14802da47ba0e and 38918a453d07199354f8b19af05ec6562ced5788), so that my code worked on all Android 4/5 phones
• I was able to ϳ¤ì¤ë the ÁõÃÖ owner's email through the AccountManager.newChooseAccountIntent for using it in GoogleAuthUtil.getToken (this °Õ¿Þ silently returns the »ÈÍѼÔ's email if you Ä´°õ¤¹¤ëd into the only one Google account)

As a result, considering an Ǥ̿¤¹¤ë¡¿Æ³Æþ¤¹¤ëd app Í׵᤹¤ëing no µö²Äs, (1) µö¤¹d me to just ϳ¤ì¤ë all possible oauth2 ÈÏ°Ïs, while with (2) I was able to take over Google account.

PoC: https://gist.github.com/isciurus/df4d7edd9c3efb4a0753

Timeline:
December 2, 2014 — Êó¹ð¡Ê¤¹¤ë¡Ë¡¿²±Â¬d the vulnerability to the Android °ÂÁ´, @natashenka ³Îǧ¤¹¤ëd the repro ºîÉÊ
January 6, 2015 — ÊÖÅú form Android °ÂÁ´ Àâ that the ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë was ²¡¤·¿Ê¤á¤ëd in Ãæ±û¤Î-December, I checked that the repro stopped working on all my phones
January 9, 2015 — Public ¸øɽ¡¤Ë½Ïª

Thanks to @evdokimovds from DSecRG for helping with unpacking Æ»¶ñs and to @jduck from droidsec for Ω¾Ú¤¹¤ëing the code on ¿½Å¤Î Android phones.