Friday, June 10, 2011

Android diffing tool : skype vulnerability

On 15 April 2011, AndroidPolice published a security vulnerability in Skype for Android (version 1.0.0.831). The vulnerability exposes your name, phone number, chat logs and more to every other application installed on the device.

The bug is very simple: files are created with incorrect permissions. Any other application can therefore read all the information of your Skype account: account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone, email addresses, webpage, bio, instant messages and so on. A few days after the disclosure, Skype released a new version (1.0.0.983) to fix the bug.

This is an interesting real-world case to test our algorithms on: the Skype code base is very large (so we can check for false positives), and it is a nice reverse-engineering exercise.

Comparing the two versions, the tool quickly reports how many methods are:

  • exactly identical : 8038,

  • partially identical : 165,

  • new : 14,

  • deleted : 7.
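To make the four categories concrete, here is an added example (not Androguard's own code, and not the tool's real similarity measure) that classifies methods between two constructed versions of a small app. Methods are first matched on exact instruction content, independently of their name; the remaining ones are paired greedily, closest pair first, by a simple instruction-sequence similarity (difflib, standing in for the tool's real measure) when their distance is below a threshold; whatever is left is new or deleted. The method names, instructions, package and threshold are all made up for the example.

```python
"""Classify methods between two app versions (added example, not Androguard code).
Sample data is constructed: names and Dalvik-like instructions only mimic the Skype case."""
from difflib import SequenceMatcher


def body(text):
    """Turn a constructed smali-like listing into one instruction per element."""
    return [line.strip() for line in text.strip().splitlines()]


OLD = {
    "Lcom/example/Runner; run ()V": body("""
        const-string v1, "skypekit.sock"
        const/4 v2, 0x3
        invoke-virtual {v0, v1, v2}, Landroid/content/Context;->openFileOutput(Ljava/lang/String;I)Ljava/io/FileOutputStream;
        move-result-object v3
        const-string v4, "chmod 777 /data/data/com.example/files"
        invoke-virtual {v5, v4}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
        return-void
    """),
    "Lcom/example/Util; trim (Ljava/lang/String;)Ljava/lang/String;": body("""
        invoke-virtual {p1}, Ljava/lang/String;->trim()Ljava/lang/String;
        move-result-object v0
        return-object v0
    """),
    "Lcom/example/Legacy; banner ()V": body("""
        const-string v0, "legacy banner"
        invoke-static {v0}, Lcom/example/Log;->d(Ljava/lang/String;)V
        return-void
    """),
}

NEW = {
    "Lcom/example/Runner; run ()V": body("""
        const-string v1, "skypekit.sock"
        const/4 v2, 0x0
        invoke-virtual {v0, v1, v2}, Landroid/content/Context;->openFileOutput(Ljava/lang/String;I)Ljava/io/FileOutputStream;
        move-result-object v3
        const-string v4, "chmod 750 /data/data/com.example/files"
        invoke-virtual {v5, v4}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
        iget-object v6, v0, Lcom/example/Runner;->files:[Ljava/io/File;
        invoke-direct {v0, v6}, Lcom/example/Runner;->fixPermissions([Ljava/io/File;)V
        return-void
    """),
    # unchanged method: exactly the same instructions as in the old version
    "Lcom/example/Util; trim (Ljava/lang/String;)Ljava/lang/String;": OLD["Lcom/example/Util; trim (Ljava/lang/String;)Ljava/lang/String;"],
    "Lcom/example/Runner; fixPermissions ([Ljava/io/File;)V": body("""
        array-length v1, p1
        const/4 v2, 0x0
        :loop
        if-ge v2, v1, :done
        aget-object v3, p1, v2
        invoke-direct {p0, v3}, Lcom/example/Runner;->chmodPrivate(Ljava/io/File;)V
        add-int/lit8 v2, v2, 0x1
        goto :loop
        :done
        return-void
    """),
}


def distance(a, b):
    """Instruction-sequence distance: 0.0 = same instructions in the same order."""
    return 1.0 - SequenceMatcher(None, a, b, autojunk=False).ratio()


def diff_versions(old, new, threshold=0.5):
    """Return identical / partial / new / deleted methods, matched by content, not by name."""
    result = {"identical": [], "partial": [], "new": [], "deleted": []}
    by_content = {}                         # exact instruction tuple -> names in NEW
    for name, ins in new.items():
        by_content.setdefault(tuple(ins), []).append(name)
    matched_new, rest_old = set(), []
    for name, ins in old.items():           # step 1: exact matches
        free = [n for n in by_content.get(tuple(ins), []) if n not in matched_new]
        if free:
            result["identical"].append((name, free[0]))
            matched_new.add(free[0])
        else:
            rest_old.append(name)
    rest_new = [n for n in new if n not in matched_new]
    # step 2: greedy pairing of what is left, closest pairs first, up to the threshold
    scored = sorted((distance(old[o], new[n]), o, n) for o in rest_old for n in rest_new)
    used_old, used_new = set(), set()
    for d, o, n in scored:
        if d > threshold:
            break
        if o in used_old or n in used_new:
            continue
        result["partial"].append((o, n, round(d, 4)))
        used_old.add(o)
        used_new.add(n)
    result["deleted"] = [o for o in rest_old if o not in used_old]
    result["new"] = [n for n in rest_new if n not in used_new]
    return result


def summary(result):
    """Counts per category, like the list above."""
    return {k: len(v) for k, v in result.items()}


if __name__ == "__main__":
    print(summary(diff_versions(OLD, NEW)))
```

On this sample the old and new run() are paired at distance 0.375 (the only pair under the threshold), fixPermissions is reported as new and the legacy banner method as deleted. The threshold is what separates "partially identical" from "new plus deleted": set it too low and a method whose constants changed shows up as a deletion and an addition, set it too high and unrelated methods get paired.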


We then go through the 165 partially identical methods, looking for those related to file permissions (through the Java API, or by calling the chmod program directly). Most of them differ only in simple constants, but one method stands out as very close to its counterpart (which has the same name in this case, although the algorithm does not use names) and manipulates files:

  • Lcom/skype/ipc/SkypeKitRunner; run ()V with Lcom/skype/ipc/SkypeKitRunner; run ()V 0.269383959472

This method has four modified basic blocks, three of which are interesting:


In the first one, the mode argument of openFileOutput (its integer second parameter) has been changed from 3 to 0:

  • public abstract FileOutputStream openFileOutput (String name, int mode)

where 3 and 0 are respectively:

  • MODE_WORLD_READABLE | MODE_WORLD_WRITEABLE (1 | 2: all other applications get read and write access to the created file),
  • MODE_PRIVATE (the default mode: the created file can only be accessed by the calling application, or by applications sharing the same user ID).
In the second basic block, the mode passed to chmod (its first argument) has been changed from 777 to 750, i.e. (owner, group, other) from:

  • RWX, RWX, RWX

to:

  • RWX, R-X, ---

And in the last modified basic block, there is a call to a new method that fixes the permissions of every file in the application's data directory:

  • Lcom/skype/ipc/SkypeKitRunner; fixPermissions ([Ljava/io/File;)V

It repairs the permissions of the files left behind by the previous version, setting them to:

  • RWX --- --- (700) for a directory,
  • RW- --- --- (600) for a file.
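As an added example (not from the post and not Skype's code), the following check scans a smali-like listing of a method for the two patterns discussed above: an openFileOutput call whose mode register holds a world-accessible constant, and a chmod command string whose "other" bits are set. It goes slightly beyond the Skype case by also handling the invoke-virtual/range form and by flagging a mode that is not a tracked constant for manual review. The two listings are constructed to mimic the vulnerable and fixed run() methods; the register numbers, the path and the Runtime.exec call are assumptions.

```python
"""Flag world-accessible file modes in a smali-like method listing.
Added example, not from the post or from Skype. The listings below are constructed;
register numbers, paths and the Runtime.exec call are assumptions."""
import re

MODE_WORLD_READABLE = 0x1    # android.content.Context constants
MODE_WORLD_WRITEABLE = 0x2
WORLD = MODE_WORLD_READABLE | MODE_WORLD_WRITEABLE

CONST_RE = re.compile(r"^const(?:/4|/16|/high16)?\s+(v\d+),\s*(-?(?:0x[0-9a-fA-F]+|[0-9]+))$")
OPEN_RE = re.compile(r"^invoke-virtual(/range)?\s+\{([^}]*)\},\s*L[^;]+;->openFileOutput\(Ljava/lang/String;I\)")
CHMOD_RE = re.compile(r'^const-string\s+v\d+,\s*"chmod\s+([0-7]{3,4})\s')

VULNERABLE = [  # constructed: mimics the 1.0.0.831 run() (mode 3, chmod 777)
    'const-string v1, "skypekit.sock"',
    'const/4 v2, 0x3',
    'invoke-virtual {v0, v1, v2}, Landroid/content/Context;->openFileOutput(Ljava/lang/String;I)Ljava/io/FileOutputStream;',
    'move-result-object v3',
    'const-string v4, "chmod 777 /data/data/com.example/files"',
    'invoke-virtual {v5, v4}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;',
    'return-void',
]
FIXED = [  # constructed: mimics the 1.0.0.983 run() (mode 0, chmod 750)
    'const-string v1, "skypekit.sock"',
    'const/4 v2, 0x0',
    'invoke-virtual {v0, v1, v2}, Landroid/content/Context;->openFileOutput(Ljava/lang/String;I)Ljava/io/FileOutputStream;',
    'move-result-object v3',
    'const-string v4, "chmod 750 /data/data/com.example/files"',
    'invoke-virtual {v5, v4}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;',
    'return-void',
]


def describe_mode(mode):
    """Name the openFileOutput mode flags (MODE_APPEND and other bits are ignored)."""
    names = [n for n, bit in (("MODE_WORLD_READABLE", 0x1), ("MODE_WORLD_WRITEABLE", 0x2)) if mode & bit]
    return "|".join(names) or "MODE_PRIVATE"


def symbolic(bits):
    """chmod bits -> 'RWX, R-X, ---' (owner, group, other), as written in the post."""
    def triad(b):
        return "".join(ch if b & m else "-" for ch, m in (("R", 4), ("W", 2), ("X", 1)))
    return ", ".join(triad((bits >> shift) & 0o7) for shift in (6, 3, 0))


def registers(reglist):
    """Expand 'v0, v1, v2' or the range form 'v0 .. v2' into a register list."""
    if ".." in reglist:
        lo, hi = (int(r.strip()[1:]) for r in reglist.split(".."))
        return [f"v{i}" for i in range(lo, hi + 1)]
    return [r.strip() for r in reglist.split(",")]


def audit(instructions):
    """Return (index, message) findings. Linear scan: the last constant loaded into a
    register is assumed to still be there at the call (not flow-sensitive)."""
    consts, findings = {}, []
    for i, ins in enumerate(instructions):
        m = CONST_RE.match(ins)
        if m:
            value = m.group(2)
            consts[m.group(1)] = int(value, 16) if "x" in value.lower() else int(value, 10)
            continue
        m = OPEN_RE.match(ins)
        if m:
            regs = registers(m.group(2))     # {this, name, mode}
            mode = consts.get(regs[2])
            if mode is None:
                findings.append((i, f"openFileOutput mode in {regs[2]} is not a constant, review manually"))
            elif mode & WORLD:
                findings.append((i, f"openFileOutput mode {mode:#x} = {describe_mode(mode)}"))
            continue
        m = CHMOD_RE.match(ins)
        if m and int(m.group(1), 8) & 0o007:  # 'other' bits: that is what every other app's uid gets
            findings.append((i, f"chmod {m.group(1)} ({symbolic(int(m.group(1), 8))}) is world-accessible"))
    return findings


if __name__ == "__main__":
    for label, listing in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(label, audit(listing))
```

The vulnerable listing yields two findings (the mode 0x3 call and the chmod 777 string) and the fixed one none, since 750 leaves the "other" bits clear; each Android application runs under its own uid, so the "other" triad is what any other application falls under. Note that this is a linear scan of one method: constants set in another basic block or passed in through a parameter are reported for manual review rather than resolved.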


Our tool found the essential modifications. If you have ideas to improve the tool, or new interesting samples to test it on, please leave a comment! :)

As usual, the source code of the application is available in the Androguard framework.

See ya !
