"Breaking Chains: Hacking Android Key Attestation" (PDF, 34 pages), shared by a member of 三个皮匠报告.
Breaking Chains: Hacking Android Key Attestation
Alex Gonzalez
#BHUSA BlackHatEvents

Introduction
- Alex Gonzalez, Senior Red Team Engineer
- linkedin/in/alex-gonzalez-63b01426b
- dubfr33/dubfree
- dubfr33

Agenda
- Background
- Android Key Attestation
- Bot Fraud/Abuse Use Case
- Common PKI Issues
- Certificate Extension PKI Issue
- Root Cause Analysis
- Closing Remarks

Background
- Targeting a service with a bot fraud/abuse problem
  - Bot service providers operating in various cloud service providers
  - Automating API calls to beat out legitimate users
- Implemented app and key attestation
  - Means to attest that traffic originates from a physical device
  - Initial disruption, but it led to a shift in bot TTPs
  - Introduction of the 0-day market
- FraudSec campaign objectives
  - Emulate a bot service provider

Android Key Attestation
- App Attestation != Key Attestation
- App Attestation (SafetyNet/Play Integrity)
  - Establishes a mobile app's integrity
  - Signed/official App Store version
  - Rooted device/bootloader checks
  - Hooking/swizzling checks
  - Calls a Google API to retrieve a verdict (JWT)
- Key Attestation
  - Verifies that a key is stored in secure hardware
  - Ensures keys can't be extracted from the device (Android Keystore)
  - Calls an Android OS API to retrieve the verdict (PKI/X.509 certificates)

Android Keystore
- Two types of secure storage
  - Trusted Execution Environment (TEE)
    - Utilizes ARM TrustZone
    - Virtualizes the processor to create a secure environment
    - Separate OS, kernel driver, and userspace lib for IPC
  - Secure Element (SE)
    - Hardware Security Module (HSM)
    - Separate chip, typically connected via a serial interface
- Two main security protections
  - Prevents key extraction: cryptographic material never leaves secure hardware
  - Key use authorizations: keys are scoped to the app and to specific use cases
- Trusty TEE OS Diagram
- TEEGRIS OS D
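The slides describe key attestation as an Android OS API that returns an X.509 certificate chain rather than a JWT. Below is an added server-side example (not code from the talk or from Android) of the minimum a backend should do with that chain: verify each link's signature, pin the root, and pull the attestationChallenge and attestationSecurityLevel out of the leaf's KeyDescription extension. It assumes leaf-first ordering as returned by `KeyStore.getCertificateChain`, a `trustedRootKey` loaded elsewhere from Google's published attestation root, and the documented KeyDescription field order.

```java
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;

public final class KeyAttestationVerifier {
    // OID of the Android key attestation (KeyDescription) extension.
    static final String KEY_DESCRIPTION_OID = "1.3.6.1.4.1.11129.2.1.17";

    // Walk the chain leaf -> root; every cert must be signed by the next one,
    // and the last cert must carry the pinned root key (hypothetical trustedRootKey).
    static boolean verifyChain(List<X509Certificate> chain, PublicKey trustedRootKey) throws Exception {
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            cert.checkValidity();
            PublicKey issuerKey = (i + 1 < chain.size()) ? chain.get(i + 1).getPublicKey() : trustedRootKey;
            cert.verify(issuerKey); // throws on a bad signature
        }
        byte[] rootKey = chain.get(chain.size() - 1).getPublicKey().getEncoded();
        return Arrays.equals(rootKey, trustedRootKey.getEncoded());
    }

    // Minimal DER cursor: only what is needed to read the leading KeyDescription fields.
    static final class Der {
        final byte[] buf; int pos;
        Der(byte[] b) { buf = b; pos = 0; }
        byte[] next(int expectedTag) {
            int tag = buf[pos++] & 0xff;
            if (tag != expectedTag) throw new IllegalArgumentException("unexpected DER tag " + tag);
            int len = buf[pos++] & 0xff;
            if ((len & 0x80) != 0) { int n = len & 0x7f; len = 0; while (n-- > 0) len = (len << 8) | (buf[pos++] & 0xff); }
            byte[] v = Arrays.copyOfRange(buf, pos, pos + len); pos += len; return v;
        }
    }
    static int toInt(byte[] v) { int r = 0; for (byte b : v) r = (r << 8) | (b & 0xff); return r; }

    // Checks that the challenge the server issued is echoed in the leaf and returns the
    // attestationSecurityLevel: 0 = Software, 1 = TrustedEnvironment (TEE), 2 = StrongBox (SE).
    static int checkKeyDescription(X509Certificate leaf, byte[] expectedChallenge) {
        byte[] ext = leaf.getExtensionValue(KEY_DESCRIPTION_OID);
        if (ext == null) throw new IllegalStateException("leaf has no key attestation extension");
        byte[] keyDesc = new Der(ext).next(0x04);            // extension value is wrapped in an OCTET STRING
        Der fields = new Der(new Der(keyDesc).next(0x30));   // KeyDescription SEQUENCE contents
        fields.next(0x02);                                   // attestationVersion INTEGER
        int attestationSecurityLevel = toInt(fields.next(0x0a)); // SecurityLevel ENUMERATED
        fields.next(0x02);                                   // keymasterVersion INTEGER
        fields.next(0x0a);                                   // keymasterSecurityLevel ENUMERATED
        byte[] challenge = fields.next(0x04);                // attestationChallenge OCTET STRING
        if (!Arrays.equals(challenge, expectedChallenge)) throw new SecurityException("attestation challenge mismatch");
        return attestationSecurityLevel;
    }
}
```

A backend would reject anything below level 1 for a hardware-backed claim; revocation of intermediates and the softwareEnforced/teeEnforced authorization lists, which the talk's PKI discussion goes on to cover, are deliberately left out here.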