SlideShare une entreprise Scribd logo

Hacking ingress

Eran Goldstein
Eran Goldstein

Hacking ingress

Technologie
1  sur  24
Télécharger pour lire hors ligne
12 HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING by Eran Goldstein Today we are going to demonstrate a quick reverse engineering and analysis process of an android mobile application called Ingress. Ingress is a near-real time augmented reality massively multiplayer online video game. It was created by Niantic Labs, a startup within Google, for the Android based devices market. The game has a complex science fiction back story which Niantic is revealing in segments. The gameplay consists of establishing “portals” at places of public art, etc., and linking them to create virtual triangular fields over geographic areas. The progress in the game is measured by the number of Mind Units, i.e. people, nominally controlled by each faction (as illustrated on the Intel Map). The necessary links between portals may range from meters to kilometers, or to hundreds of kilometers in operations of considerable logisti-cal complexity. International links and fields are not uncommon, as Ingress has attracted an enthusiastic following in cities worldwide amongst both young and old, to the extent that the gameplay is itself a lifestyle for some, including tattoos. CLARIFICATION This analysis started from the point of view of the frustrated Ingress players which invest their time and effort to play legally the Ingress game. The analy-sis purpose was to explain and demonstrate that while there are Ingress us-ers that play fair and legal there are some who do not. We under do not encourage any misuse or illegal use of the Niantic Project – Ingress game or any other games/platforms. The user ‘Hatulero’ which was used during this analysis was for demonstration purpose only and has been canceled with the end of this analysis. DISCLAIMER We are going to analyze and implement modifications to the Niantic project – ingress application for research purposes only, by using, opening and/or reading this document you agree that your use of the Niantic project – ingress application products and/or this cyber security research documentation, in-cluding any changes you will implement in your own code will be on your own risk only. For more information please refer to Niantic project – ingress terms of use: http://www.ingress.com/terms. What you will learn: • Analyzing and debugging pro-cesses of an android application and examining the code within the .apk package. • Inspecting how important func-tions operates. • Modify and manipulate the way functions work. • How android application commu-nicates with the web services API. • Exploit application design weak-nesses. What you should know: • Extracting, packing and signing processes of an android applica-tion package (.apk). • Mobile reverse engineering pro-cess basics. • Web application analysis tech-niques.
HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING INTRODUCTION Ingress involves near-real time augmented reality by the need to take control over portals by physically move between them which means that the ingress players’ community will have to go around cities, plac-es and sites in attempt to gain more power (XM’s), “hack”, take control or even attack Ingress portals. One of the biggest advantages every Ingress user will probably want to achieve is the ability to move be-tween portals without changing your actual physical location. This analysis document assumes that you are familiar with the process of reverse engineering process of an android mobile application and already know how to extract, sign and pack back the content of an android application package (.apk) The security analysis will include the following sections: • Reverse Engineering – Environment preparation • Ingress Android application – binary code analysis • Ingress web services API – server side analysis • Hacking POC REVERSE ENGINEERING – ENVIRONMENT PREPARATION EXTRACT THE PACKAGE Before we begin we will need to extract/dump the content of the .apk file. You can do that using apktool or any other tool you like. Once you extract the .apk file, you will get something like: Figure 1. Extract the package DOWNLOAD AND INSTALL “FAKEGPS” As a part of the process you will probably want to download and install any fake GPS location app in or-der to be able to generate mock GPS location signals. You can download from “Google Play” any app you want such “Fake GPS”, “MoveMyGPS” or any other app you like: Figure 2. MoveMyGPS www.eForensicsMag.com 13
14 FIREFOX ADD-ONS::HTTPREQUESTER This tool is useful when doing web or REST development, or when you need to make HTTP requests that are not easily done via the browser (PUT/POST/DELETE). This is based on the Alex Milowski’s excellent Poster add-on, with a large focus on keeping a history of transactions, allowing you to go back and review, re-execute, load, and save HTTP requests. HttpRequester can be opened via the Tools menu, or via the Add-on-bar icon. https://addons.mozilla.org/en-us/firefox/addon/httprequester/ Figure 3. HttpRequester plugin tool PORTSWIGGER::BURP SUITE Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art au-tomation, all in order to make your work more effective, fast and fun than before. You can download Burp suite here: http://portswigger.net/burp/downloadfree.html. Figure 4. PortSwigger – Burp Suite web proxy analyzer
HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING INGRESS ANDROID APPLICATION – BINARY CODE ANALYSIS OBJECTIVES • Disable the detection of mock locations in order to use fake GPS location signal. • Merge the fake and real GPS location signals and remove the “Scanner Disabled; Inaccurate Loca-tion;” message. • Remove the protection flag for common actions and allow Hack Portal, Fire XMP, Deploy Resona-tors and more. OBJECTIVE ONE: DISABLE THE DETECTION OF MOCK LOCATION IN ORDER TO USE FAKE GPS LOCATION SIGNAL MOCK LOCATIONS PREVENTION Mock location – developer’s option allows developers to use any fake GPS signal in order to be able to change their GPS signal while developing and debug applications. Once you will open any fake GPS loca-tion app, you will probably be asked to enable this option in the System Setting -> developer options menu. From this point on you basically can set your location to any location you want but the problem is that “Ingress” will not allow you to use the “Allow mock locations” option L. And this is the point where we will start our analysis. Figure 5. Allow mock locations Figure 6. Mock locations disallowed DISABLE THE “ALLOW MOCK LOCATIONS” PREVENTION In attempt to toggle the validation of the “Allow mock locations” developer option checkbox we will need to search for relevant point to start our analysis. As in every reverse engineering process, searching for any of suspicious or problematic string you want to investigate or hack can assist you to find relevant event triggers which can lead to the point you probably looking for and will want to modify. Let’s take a look at the following file: www.eForensicsMag.com 15
16 dump-ingresssmalicomnianticprojectingressNemesisActivity.smali At line 1426 we can observe the “mock_location” string and right after it we can see the function that put integer “0” in a register, check if the “allow mock locations” checkbox is checked (this will return “1”) and then compare the registers values and validate that v0 register value is not equal to zero, and then go to a condition (cond_b) which will block us from using Ingress while the “Allow mock locations” option is enable: if- nez v0, :cond_b And will set a prevention flag by moving register v7 to register v0: move v0, v7 So as you probably guessed, we basically can do a few simple tricks here to manipulate the function that checks for the “Allow mock locations” checkbox status. First, let’s modify the function to check that the checkbox value is equal to zero (instead of not equals to zero), this will cause ingress to allow you to play only if “Allow mock locations” option is enabled. Since we don’t want any further actions to be performed once the condition is true, we will move the pointer from ‘cond_b’ to ‘cond_3’ which originally is the pointer that continue the scanner process with-out interruptions. From: if- nez v0, :cond_b To: if-eqz v0, :cond_3 To make sure the prevention flag will not be set as true (by moving register v7 to register v0), we will comment the line below (Line 1428): From: move v0, v7 To: # move v0, v7 Figure 7. Line 1426::change the term below from if-nez to if-eqz and from cond_b to cond_3 Now we can use “FakeGPS” to set our location dynamically but the “Scanner disabled; Location inac-curate.” Message appears.
HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING Figure 8. Scanner disabled message OBJECTIVE TWO: MERGE THE FAKE AND REAL GPS LOCATION SIGNALS Remove the “Scanner Disabled; Inaccurate Location;” message. Once we “hacked” the “Allow mock locations” developer options to al-low us use fake GPS location (e.g. mock_location), we will cause the scanner state process to change the value of the relevant flag/register to ”1” (register v0 in our case), which will cause the Ingress app to alert the message “Scanner disabled; Location inaccurate.” Let’s take a look at the following file: dump-ingresssmalicomnianticprojectingresscommonscannerk.smali To disable the alert message, we will need to modify the condition at line 996 that check if the value in v0 resister is not equals to zero (‘0’) from if-nez to if-eqz: From: if-nez v0, :cond_4 To: if-eqz v0, :cond_4 Figure 9. Line 996::change the term below from if-nez to if-eqz As we can see the “Scanner disabled; Location inaccurate.” Alert message is disabled but we can’t per-form any relevant actions on the portal (even if it in our range). www.eForensicsMag.com 17
18 Figure 10. Alert message is disabled Figure 11. Actions are unavailable OBJECTIVE THREE: REMOVE THE PROTECTION FLAG FOR COMMON ACTIONS ALLOW HACK PORTAL, FIRE XMP, DEPLOY RESONATORS AND MORE Because the scanner state has been changed from a real GPS location signal into a FakeGPS location signal and the Ingress app detects this as “Inaccurate location” event we can’t perform any relevant ac-tions on the portal (even if it is in our range). Next we will need to modify the condition of the function that checks for the scanner state value. Let’s take a look at the following file: dump-ingresssmalicomnianticprojectingresscommonitemupgradea.smali In line 2095 we can observe the function that check if the value in v0 register is less or equals to zero (‘0’) and if it is the Ingress app will alert the message “Location Inaccurate” when you will press any ac-tion button (example: “Hack”, “Deploy Status”, etc…). Locate the “if-lez v0, :cond_0” (Line 2095) and change the condition from if-lez to if-eqz: From: if- lez v0, :cond_0 To: if-gtz v0, :cond_0
HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING Figure 12. Modifying the function’s operand Congratulations!!! Now we can move to any location we want using FakeGPS or any other Fake GPS location signal application. Let’s start with San Jose – United States: Figure 13. Moving to San Jose – U.S Figure 14. All action options are available www.eForensicsMag.com 19
20 Figure 15. Collecting XM Figure 16. Hacking the portal Now let’s move to Paris: Figure 17. Moving to Paris t All action options are available
HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING Or to Spain: Figure 19. Moving to Spain Figure 20. All action options are available INGRESS WEB SERVICES API – SERVER SIDE ANALYSIS OBJECTIVES • Configuring an Android device with Web-Based proxy. • Intercept, decode and explore common Ingress https requests. • Modify an Ingress https request and communicate with the server. OBJECTIVE ONE: CONFIGURING AN ANDROID DEVICE WITH WEB-BASED PROXY LAUNCH BURP SUITE In order to begin we will need to start burp and configure it to listen to specific port: Figure 21. Configuring Burp Suite to listen on specific address and port By default, when you browse an HTTPS website via Burp, the Proxy generates an SSL certificate for each host, signed by its own Certificate Authority (CA) certificate. This CA certificate is generated the first www.eForensicsMag.com 21
22 time Burp will run and will be stored locally. To use Burp Proxy most effectively with HTTPS websites, you will need to install Burp’s CA certificate as a trusted root in your browser. NOTE If you install a trusted root certificate in your browser, then an attacker who has the private key for that certificate may be able to man-in-the-middle your SSL connections without obvious detection, even when you are not using an intercepting proxy. To protect against this, Burp generates a unique CA certificate for each installation, and the private key for this certificate is stored on your computer, in a user-specific location. If untrusted people can read local data on your computer, you may not wish to install Burp’s CA certificate. INSTALLING THE CERTIFICATE Export Burp CA certificate and save to your local computer using .crt extension (e.g. PortSwiggerCA.crt) • Push the “PortSwiggerCA.crt” certificate to a microSD card on your android device. • Go to: System Setting -> More tab -> Security ->install from device storage. • Follow the on screen instructions, and reboot the device once it says the certificate has been in-stalled. CONFIGURE THE DEVICE Once we have configured Burp we will need to configure our Android device to use burp for external con-nections. To do this: • Go to: Settings -> Connections -> Wi-Fi • Long press on the network connection you want to configure. • Select “Modify network config” from the menu. • Check the “Show advanced options”, click the “Proxy settings” combo box and select “Manual”. • Configure Burp suite machine address and port. If everything works correctly you now should have a trusted certificate installed successfully on an an-droid device! From this point you basically can intercept and explore any Ingress android app – http and https re-quests using burp. And this is the point where we will start our analysis. LAUNCHING INGRESS When launching Ingress on your device and while watching burp history tab, you can observe the data and traffic between your device and the web-services API server. This data includes a few general in-gress application important processes such as authentication, verification, synchronization and more. The data also includes basic functions results such actions and events. In the next objectives we will ex-plore few Ingress android application common requests. OBJECTIVE TWO: INTERCEPT, DECODE AND EXPLORE COMMON INGRESS HTTPS REQUESTS VERIFICATION The first process and requested data we will explore is the verification step. The Ingress app send an HTTPS GET request to the server in attempt to verify the user’s account. In the image below we can ob-serve the verification GET request and navigates to: m-dot-betaspike.appspot.com/handshake.
HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING Figure 22. Verification GET request The request contains few headers includes: Content-Type – the content type of the request is application/json Accept-Encoding – gzip User-Agent – Nemesis (gzip) Cookie – the session cookie of the user X-XsrfToken – the users token Host – m-dot-betaspike.appspot.com In addition, json URL variable contains json data with information about the google user. We can observe that the authentication step will be probably be completed by SSL handshake process. GOOGLE AUTHENTICATION Following the verification step we can observe that the Ingress app send another HTTPS POST request to google in order to authenticate the user’s account. In the image below we can observe the authentica-tion POST request which done during SSL handshake process. The first request navigates to: android. clients.google.com. Figure 23. HTTPS POST request to google www.eForensicsMag.com 23
24 The request contains few headers includes: Authorization – the user’s authentication challenge token. Content-Type – the content type of the request is application/x-www-form-urlencoded User-Agent – AndroidC2DM/1.1 (ja3g JDQ39) X-XsrfToken – the users token Host – android.clients.google.com The request’s data includes few parameters send to the application server: ‘X-GOOG.USER_AID’, ‘app’, ‘sender’, ‘cert’, ‘device’ and ‘device_user_id’ As a result from the last request contains the challenge token we will get the authentication response to-ken in the response HTTPS body. Figure 24. The authentication response token Using the authentication response token, the Ingress app generates the authentication token in order to authorize the user’s device account and the second request navigates to: play.googleapis.com Figure 25. Ingress app generates the authentication token The request contains few headers and the requests body contains data with information about the google user. In the last request of the login process, Ingress app send HTTPS POST request to Ingress application server with the same token.
HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING Figure 26. The last request of the login process REQUEST::GLOBALREGIONMAP The next request in the process of launching Ingress app is the globalRegionMap. In the image below we can observe the globalRegionMap HTTPS GET request which navigates to: m-dot-betaspike.appspot.com Figure 27. The globalRegionMap HTTPS GET request The request contains a few headers includes: Content-Type – the content type of the request is application/json Accept-Encoding – gzip User-Agent – Nemesis (gzip) Cookie – the session cookie of the user X-XsrfToken – the users token Host – m-dot-betaspike.appspot.com www.eForensicsMag.com 25
26 REQUEST::GETINVITEINFO The last request in the process of launching Ingress app is the ‘getInviteInfo’ which will check how many agent’s invitation lefts to the user. In the image below we can observe the ‘getInviteInfo’ POST request which navigates to: m-dot-betaspike.appspot.com/rpc/playerUndecorated/getInviteInfo Figure 28. ’getInviteInfo’ https POST request The request contains few headers includes: Content-Type – the content type of the request is application/json Accept-Encoding – gzip User-Agent – Nemesis (gzip) Cookie – the session cookie of the user X-XsrfToken – the users token Host – m-dot-betaspike.appspot.com In addition, the body contains json data with an empty “params” array. RESPONSE::GETINVITEINFO The ‘getInviteInfo’ response contains https headers sent from the server back to the client and includes a json string with two arrays as well: Figure 29. ‘getInviteInfo’ https response ‘result’ array: General array that contains information about the ‘numAvailableInvites’ remain to the user. ‘gameBasket’ array: General array that contains information about the user’s inventory, game entities and more (‘gameEntities’, ‘inventory’ and ‘deletedEntityGuids’). We will be able to observe this array po-tently in few other common requests.
HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING REQUEST::GETINVENTORY Figure 30. Ingress OPS button In order to synchronize the user’s inventory database the Ingress app sends ‘getInventory’ request to the server. In the image below we can observe the HTTPS POST request which navigates to: m-dot-betaspike.appspot.com/rpc/playerUndecorated/getInventory Figure 31. ‘getInventory’ https POST request The request contains few headers includes: Content-Type – the content type of the request is application/json Accept-Encoding – gzip User-Agent – Nemesis (gzip) Cookie – the session cookie of the user X-XsrfToken – the users token Host – m-dot-betaspike.appspot.com In addition, the body contains json data with “params” array and ‘lastQueryTimeStemp’ parameter. www.eForensicsMag.com 27
28 RESPONSE::GETINVENTORY Figure 32. ’getInventory’ https response The response contains https headers sent from the server back to the client and includes a json string with two arrays as well: Result array: General array that contains the value to update the ‘lastQueryTimeStemp’ parameter that will be used for the next request. gameBasket array: General array that contains information about the user’s inventory, game entities and more (gameEntities, inventory and deletedEntityGuids). This time we can observe the items that the user store in his inventory. We will be able to observe this array potentially in few other common request as well. As a result the user’s inventory will be available to the user. Figure 33. Ingress OPS – Inventory screen
HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING REQUEST:: COLLECTSITEMSFROMPORTAL Figure 34. Portal’s details view screen Behind the scene, when the user click the “HACK portal” button, Ingress app sends ‘collectsItemsFromPor-tal’ request to the server. In the image below we can observe the POST request which navigates to: m-dot-betaspike.appspot.com/rpc/gameplay/collectsItemsFromPortal Figure 35. ‘collectsItemsFromPortal’ https request The request contains few headers includes: Content-Type – the content type of the request is this case is application/json Accept-Encoding – gzip User-Agent – Nemesis (gzip) Cookie – the session cookie of the user X-XsrfToken – the users token Content-Encoding – gzip Host – m-dot-betaspike.appspot.com www.eForensicsMag.com 29
30 In addition, the body contains json gzipped data that we will have to decode. To do that we will use the built-in burp’s decoder tool: • Select the data you want to decode from the request data below • Right-click and select “send to decoder”. Figure 36. ‘collectsItemsFromPortal’ request – send to decoder Now move to the “Decoder” tab in burp, and in the combo box “Decode as…” on the right, select “Gzip”: Figure 37. ‘collectsItemsFromPortal’ request – send to decoder – decode as gzip We can see the result data of the gzip decode process below to the encoded data: Figure 38. ‘collectsItemsFromPortal’ request – send to decoder – decode as gzip – result Now we can see in clear text that the body contains json gzipped data with a ‘clientBasket’ array in a “params” array. The ‘clientBasket’ array include the following parameters: ‘clientBlob’ – the client blob’s data. ‘energyGlobGuids’ – with an empty value. ‘itemGuid’ – the portal ‘itemGuid’ the user want to “hack”. ‘playerLocation’ – the geolocation data of the user in a hexadecimal “altitude, longitude” format.
HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING EXAMPLE REQUEST BODY DATA {“params”:{“clientBasket”:{“clientBlob”:”MEE9cey2ssygjADvD5jeeuS0pqnwAqSrmFapvy4ZwZzUKlBqHF4fnZiCqmO8 aJ51IXG7m8jsomWlecgeAH7mx MLqQJOUDsQ29z/ +kW+/upF7nY3yEUQZseYCfDKHhj95P9c77LslYt5K8tlRjvIr4g0TLKSqJ0G VGgYWy2WU0pZNSCAES2JIJSWaE6Tss43v3G1fQ9cRahmAwEyCqrdpOlFRq4y4v0Y2nIKy3j0GnIlhSMDC4rBkTPan/OJ9AoXzeifv +g9Qi6uR/107UW9IXWMAoN46NXp4wtKrpU19AhiynyBD9uP2csbQWd0YezcomQtW/NsmrBDlJO5YuGIjFDfnjmJ83 +Eqs1zW/P93y 3mvGC +hL2fkWX6SuNpAaKm2yNs4Dh8xsAJcZWJsesX3E +6TbHpbMV7q+eFqInVW9pK6bllorMug9poIfZ6FdkHhGR5PuAqYlhOw R4+94idOMpbC70ZD+kh82X+5y0SdrS7LeQEozYSTp +WXy2b6lQmuIfEtX0eHGBzeC5ZDk5gc8Tp6MM/EbCQGFZ4CFcMLVLguuPue 1ZONmIBN3HUn2sUK1uYxEBXdUSVqHFmN1hVFHQ3FSQsUQojw8veNvvSDjj0YSJrsGcy +kvtfsqy1sEG5+fKyWx0PNMfF75eT75yn ZUIAOD8WFwrflRYRGy9gCHU”},”energyGlobGuids”:[],”itemGuid”:”0ac46f4c69c8b993b1e5784838ff.12”, ”knobSyncTimestamp”:1394236374863,”playerLocation”:”0f40a9b7,d834d4ff”}} RESPONSE::COLLECTSITEMSFROMPORTAL The result of the “HACK portal” action should get the user’s inventory new items. In the image below we can observe that the items data return in a HTTP response message body. Figure 39. ‘collectsItemsFromPortal’ response In our case the “HACK portal” action didn’t return any items but if we explore the HTTP response, we will see that it contains https headers sent from the server back to the client and includes a json string as body, with two arrays as well: ‘result’ array: General array that generally contains the value to update the ‘lastQueryTimeStemp’ pa-rameter that will be used for the next request but in the case of ‘collectsItemsFromPortal’ request re-mains empty. ‘gameBasket’ array: General array that contains information about the user’s inventory, game entities and more (gameEntities, inventory and deletedEntityGuids). This time we can observe the items the us-ers hacked from the portal. We will be able to observe this array potently in few other common request as well. This response also sync the user’s inventory with the new items that were collected. This means that in case the user wants to hack the game and to add more items to his inventory by hacking the HTTP response body, it will be useless, since the fake items are not generated on the application server and do not exist on the application server’s database. But as you probably can guess, by modifying the request data that we send to the server we can fake the user’s geo-location and to hack any remote portal we want. This will bring a full items inventory to the user. Let’s try to see how it works. To modify the request or response data, you can use Burp suite’s repeater module. By clicking on the “Repeater” tab (in Burp Suite). However, In order to get rid from the process of decoding and encoding the request data in your tests, we will discover another simple but useful tool. OBJECTIVE THREE: MODIFY AN INGRESS HTTPS REQUEST AND COMMUNICATE WITH THE SERVER MODIFYING THE REQUEST::COLLECTSITEMSFROMPORTAL DATA To modify the request and to avoid from the process of encoding and decoding the data in every request in our analysis we will use the Firefox Add-ons ‘HttpRequester’. www.eForensicsMag.com 31
32 To read more about the Firefox Add-ons ‘HttpRequester’ refer to the “Reverse Engineering – Environ-ment preparation” section. Let’s modify the collectsItemsFromPortal HTTPS request data, to do this: • Open HttpRequester Add-on via the Tools menu, or via the Add-on-bar icon. • In the URL text input, write the full request path (for example: “m-dot-betaspike.appspot.com/rpc/ gameplay/collectsItemsFromPortal”). • Click on the “Headers” tab and add all the request’s HTTPS Headers by ‘Name’ and ‘Value’ (see the example in the image below). • OPTIONAL: modify the “Cookie” and “X-XsrfToken” values (in order to collect and add the items from the portal to other user J account). Figure 40. Adding the HTTPS headers • Click on the “Content to Send” tab. In the “Content Type:” text input write: “gzip” • Copy the ‘collectsItemsFromPortal’ request body (the one we decoded earlier – Example request body data) and paste it to the “Content” text area in ‘HttpRequester’ (see the example in the image below). • OPTIONAL: modify the “player location” values (remember to convert the longitude and altitude val-ues from hexadecimal to decimal format) • Click “Submit” button. Figure 41. Modifying request body data, setting the “Content-Type” as gzip and click “Submit”
HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING Figure 42. Paste the request body data and click “Submit” button CONGRATULATIONS!!! In the image below we can observe the server response. It is seems that we’ve successfully collected new items from the portal by hacking the portal remotely. Figure 43. Successfully collected new items from the portal Which means that by intercepting and collecting more “HACK portal” actions requests from our device, we will able to hack portals remotely using any device (PC, Smart phone, Tablet, etc…) in the future. CYBERWARRIOR | INGRESS HACKING POC CyberWarrior developed by 0xICF as proof of concept (POC) in order to demonstrate the results of auto-mated vulnerabilities exploitation of the threats and security breaches that were found during the security analysis of Google, Niantic Project – Ingress app. Google, Niantic Project – Ingress game involve near-real time augmented reality by the need to take control over portals (real-locations) by physically moving between them which means Ingress players community will have to go around cities, places and sites in attempt to gain more power (XM’s), “hack”, take control or even attack Ingress portals. www.eForensicsMag.com 33
34 Naturally, Ingress players must be physically near objects on the map to interact with them. The mobile client represents the player as a small arrow in the center of a 40-meter oval which represents the perim-eter within which direct interaction is possible. By simply configure any Ingress player id and token, CyberWarrior allows the Ingress player to play remotely and to perform different actions in the game includes: • Hacking portals • Attack portals • Create portals links • Create control fields • Recharge XM’s • Collect and use portal keys • And more… Figure 44. CyberWarrior – Dashboard view HOW CYBERWARRIOR WORKS? At the beginning of this analysis we discovered how it is possible to manipulate the scanner module of Ingress app to allow mock locations (e.g. fake GPS location signals). By exploiting this weakness, Cy-berWarrior is able to travel between portals and to collect relevant portals data remotely. Figure 45. CyberWarrior – Portals view CyberWarrior uses that data further to perform different actions. In the “Events” view below we can see how CyberWarrior reports about every action performed on behalf of the Ingress player.
HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING Figure 46. CyberWarrior – Events view SUMMARY In this article we discovered a few weakness in the android application binary code and the web services API of Google – Niantic Project, Ingress. As we learned, the Ingress game logic suffers from multiple vul-nerability and weaknesses that allows the attacker (or in our case the cheater) to hack the Ingress game rules easily and conduct automated actions to manipulate and influence other’s experience. It is important to mention that other vulnerabilities that were found during the analysis and related to the Google location services were not reported in this document but may influence other Googles android applications. However, we do not encourage any misuse or illegal use of Google, Niantic Project – Ingress game (even in winter) or any other games. It is important to remember that while a cheater is destroying other Ingress player’s portals, links and fields, he will cause to others to go out from their homes or from any other cushy place in order to fight back. The user ‘Hatulero’ that was used during this analysis is for demonstration purpose only and has been deleted with the end of this analysis. Hope you enjoyed reading this article, see you next time. About the Author Eran Goldstein is a Senior Cyber Security Researcher at Samsung Electronics and the founder of Frogteam|Security, a cyber security vendor company in USA and Israel. He is also the creator and devel-oper of “Total Cyber Security – TCS” product line. Eran Goldstein is a senior cyber security expert and a software developer with over 10 years of experience. He specializes at penetration testing, reverse engineering, code reviews and application vulnerability as-sessments. Eran has a vast experience in leading and tutoring courses in application security, software analysis and se-cure development as EC-Council Instructor (C|EI). For more information about Eran and his company you may go to: http://www.frogteam-security.com www.eForensicsMag.com 35

Recommandé

Meet the potnet - AboutAndroid | Malware Analysis Report
Meet the potnet - AboutAndroid | Malware Analysis ReportMeet the potnet - AboutAndroid | Malware Analysis Report
Meet the potnet - AboutAndroid | Malware Analysis ReportEran Goldstein
 
Reverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsReverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsEran Goldstein
 
Richard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingRichard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingPacSecJP
 
Null 14 may_lesser_known_attacks_by_ninadsarang
Null 14 may_lesser_known_attacks_by_ninadsarangNull 14 may_lesser_known_attacks_by_ninadsarang
Null 14 may_lesser_known_attacks_by_ninadsarangNinad Sarang
 
Mitigating data theft_in_android
Mitigating data theft_in_androidMitigating data theft_in_android
Mitigating data theft_in_androidRashmi Bhandari
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5Jayesh Patel
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationJustin Bui
 

Recommandé

Meet the potnet - AboutAndroid | Malware Analysis Report
Meet the potnet - AboutAndroid | Malware Analysis ReportMeet the potnet - AboutAndroid | Malware Analysis Report
Meet the potnet - AboutAndroid | Malware Analysis ReportEran Goldstein
 
Reverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsReverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsEran Goldstein
 
Richard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingRichard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingPacSecJP
 
Null 14 may_lesser_known_attacks_by_ninadsarang
Null 14 may_lesser_known_attacks_by_ninadsarangNull 14 may_lesser_known_attacks_by_ninadsarang
Null 14 may_lesser_known_attacks_by_ninadsarangNinad Sarang
 
Mitigating data theft_in_android
Mitigating data theft_in_androidMitigating data theft_in_android
Mitigating data theft_in_androidRashmi Bhandari
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5Jayesh Patel
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationJustin Bui
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoorsn|u - The Open Security Community
 
На страже ваших денег и данных
На страже ваших денег и данныхНа страже ваших денег и данных
На страже ваших денег и данныхPositive Hack Days
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
 
Setting up your virtual infrastructure using fi lab cloud
Setting up your virtual infrastructure using fi lab cloudSetting up your virtual infrastructure using fi lab cloud
Setting up your virtual infrastructure using fi lab cloudHenar Muñoz Frutos
 
Fuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 JuneFuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 Junenullowaspmumbai
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияPositive Hack Days
 
Web API Security
Web API SecurityWeb API Security
Web API SecurityStefaan
 
Mobile application security
Mobile application securityMobile application security
Mobile application securityShubhneet Goel
 
Kadecot APIs overview
Kadecot APIs overviewKadecot APIs overview
Kadecot APIs overviewsonycsl
 
vulnerability scanning and reporting tool
vulnerability scanning and reporting toolvulnerability scanning and reporting tool
vulnerability scanning and reporting toolBhagyashri Chalakh
 
Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool nullowaspmumbai
 
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...Zhen Huang
 
Hack.Lu 2010 - Escaping Protected Mode Internet Explorer
Hack.Lu 2010 - Escaping Protected Mode Internet ExplorerHack.Lu 2010 - Escaping Protected Mode Internet Explorer
Hack.Lu 2010 - Escaping Protected Mode Internet ExplorerTom Keetch
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS UniverseStefano Di Paola
 
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionStefano Di Paola
 
Learning by hacking - android application hacking tutorial
Learning by hacking - android application hacking tutorialLearning by hacking - android application hacking tutorial
Learning by hacking - android application hacking tutorialLandice Fu
 
Cyber warfare
Cyber warfareCyber warfare
Cyber warfareVedangiBrahmbhatt
 
Cyber War ( World War 3 )
Cyber War ( World War 3 )Cyber War ( World War 3 )
Cyber War ( World War 3 )Sameer Paradia
 
Sustainable Lifestyles: The Trendsetters
Sustainable Lifestyles: The TrendsettersSustainable Lifestyles: The Trendsetters
Sustainable Lifestyles: The TrendsettersInstitute of Customer Experience
 
Nanotechnology and its impact on modern computer
Nanotechnology and its impact on modern computerNanotechnology and its impact on modern computer
Nanotechnology and its impact on modern computerFarah M. Altufaili
 

Contenu connexe

Tendances

Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
На страже ваших денег и данных
На страже ваших денег и данныхНа страже ваших денег и данных
На страже ваших денег и данныхPositive Hack Days
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
 
Setting up your virtual infrastructure using fi lab cloud
Setting up your virtual infrastructure using fi lab cloudSetting up your virtual infrastructure using fi lab cloud
Setting up your virtual infrastructure using fi lab cloudHenar Muñoz Frutos
 
Fuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 JuneFuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 Junenullowaspmumbai
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияPositive Hack Days
 
Web API Security
Web API SecurityWeb API Security
Web API SecurityStefaan
 
Mobile application security
Mobile application securityMobile application security
Mobile application securityShubhneet Goel
 
Kadecot APIs overview
Kadecot APIs overviewKadecot APIs overview
Kadecot APIs overviewsonycsl
 
vulnerability scanning and reporting tool
vulnerability scanning and reporting toolvulnerability scanning and reporting tool
vulnerability scanning and reporting toolBhagyashri Chalakh
 
Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool nullowaspmumbai
 
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...Zhen Huang
 
Hack.Lu 2010 - Escaping Protected Mode Internet Explorer
Hack.Lu 2010 - Escaping Protected Mode Internet ExplorerHack.Lu 2010 - Escaping Protected Mode Internet Explorer
Hack.Lu 2010 - Escaping Protected Mode Internet ExplorerTom Keetch
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS UniverseStefano Di Paola
 
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionStefano Di Paola
 

Tendances (17)

Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practices
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoors
 
На страже ваших денег и данных
На страже ваших денег и данныхНа страже ваших денег и данных
На страже ваших денег и данных
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
Setting up your virtual infrastructure using fi lab cloud
Setting up your virtual infrastructure using fi lab cloudSetting up your virtual infrastructure using fi lab cloud
Setting up your virtual infrastructure using fi lab cloud
 
Fuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 JuneFuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 June
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполнения
 
Web API Security
Web API SecurityWeb API Security
Web API Security
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
 
Kadecot APIs overview
Kadecot APIs overviewKadecot APIs overview
Kadecot APIs overview
 
vulnerability scanning and reporting tool
vulnerability scanning and reporting toolvulnerability scanning and reporting tool
vulnerability scanning and reporting tool
 
Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool
 
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
 
Hack.Lu 2010 - Escaping Protected Mode Internet Explorer
Hack.Lu 2010 - Escaping Protected Mode Internet ExplorerHack.Lu 2010 - Escaping Protected Mode Internet Explorer
Hack.Lu 2010 - Escaping Protected Mode Internet Explorer
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe
 
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code Execution
 

En vedette

Learning by hacking - android application hacking tutorial
Learning by hacking - android application hacking tutorialLearning by hacking - android application hacking tutorial
Learning by hacking - android application hacking tutorialLandice Fu
 
Cyber War ( World War 3 )
Cyber War ( World War 3 )Cyber War ( World War 3 )
Cyber War ( World War 3 )Sameer Paradia
 
Nanotechnology and its impact on modern computer
Nanotechnology and its impact on modern computerNanotechnology and its impact on modern computer
Nanotechnology and its impact on modern computerFarah M. Altufaili
 
Frugal innovations: A “Necessary” Trend For The Future!
Frugal innovations: A “Necessary” Trend For The Future!Frugal innovations: A “Necessary” Trend For The Future!
Frugal innovations: A “Necessary” Trend For The Future!Institute of Customer Experience
 
Google Driverless Car
Google Driverless CarGoogle Driverless Car
Google Driverless CarRunam Sharma
 

En vedette (10)

Learning by hacking - android application hacking tutorial
Learning by hacking - android application hacking tutorialLearning by hacking - android application hacking tutorial
Learning by hacking - android application hacking tutorial
 
Cyber warfare
Cyber warfareCyber warfare
Cyber warfare
 
Cyber War ( World War 3 )
Cyber War ( World War 3 )Cyber War ( World War 3 )
Cyber War ( World War 3 )
 
Sustainable Lifestyles: The Trendsetters
Sustainable Lifestyles: The TrendsettersSustainable Lifestyles: The Trendsetters
Sustainable Lifestyles: The Trendsetters
 
Nanotechnology and its impact on modern computer
Nanotechnology and its impact on modern computerNanotechnology and its impact on modern computer
Nanotechnology and its impact on modern computer
 
Frugal innovations: A “Necessary” Trend For The Future!
Frugal innovations: A “Necessary” Trend For The Future!Frugal innovations: A “Necessary” Trend For The Future!
Frugal innovations: A “Necessary” Trend For The Future!
 
Google Driverless Car
Google Driverless CarGoogle Driverless Car
Google Driverless Car
 
Cyber Warfare -
Cyber Warfare -Cyber Warfare -
Cyber Warfare -
 
Google driverless cars
Google driverless carsGoogle driverless cars
Google driverless cars
 
3D Printing: Endless Opportunities
3D Printing: Endless Opportunities3D Printing: Endless Opportunities
3D Printing: Endless Opportunities
 

Similaire à Hacking ingress

Create Location Sharing apps using the Ionic framework
Create Location Sharing apps using the Ionic framework Create Location Sharing apps using the Ionic framework
Create Location Sharing apps using the Ionic framework Shelly Megan
 
Mobile Miner Installation
Mobile Miner InstallationMobile Miner Installation
Mobile Miner InstallationkingsBSD
 
(Christian heilman) firefox
(Christian heilman) firefox(Christian heilman) firefox
(Christian heilman) firefoxNAVER D2
 
iPhone App Development
iPhone App Development iPhone App Development
iPhone App Development ManekTech
 
Mobile app development
Mobile app developmentMobile app development
Mobile app developmentManekTech
 
Swift Development
Swift DevelopmentSwift Development
Swift DevelopmentManekTech
 
Andriy Vandakurov about "Frontend. Global domination"
Andriy Vandakurov about "Frontend. Global domination" Andriy Vandakurov about "Frontend. Global domination"
Andriy Vandakurov about "Frontend. Global domination" Pivorak MeetUp
 
Outsmarting smartphones
Outsmarting smartphonesOutsmarting smartphones
Outsmarting smartphonesSensePost
 
How React Native has changed Web and Mobile Application Development, Engineer...
How React Native has changed Web and Mobile Application Development, Engineer...How React Native has changed Web and Mobile Application Development, Engineer...
How React Native has changed Web and Mobile Application Development, Engineer...engineermaste solution
 
Design the implementation of Robotic Simulator: Goalkeeper.
Design the implementation of Robotic Simulator: Goalkeeper.Design the implementation of Robotic Simulator: Goalkeeper.
Design the implementation of Robotic Simulator: Goalkeeper.Ankita Tiwari
 
Mini project final presentation
Mini project final presentationMini project final presentation
Mini project final presentationGianlucaCapozzi1
 
Easy2park - A smarter way to find a parking lot
Easy2park - A smarter way to find a parking lotEasy2park - A smarter way to find a parking lot
Easy2park - A smarter way to find a parking lotDaniele Davoli
 
project report on IoT
project report on IoTproject report on IoT
project report on IoTAnshul Sahu
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeNowSecure
 
Appium understanding document
Appium understanding documentAppium understanding document
Appium understanding documentAkshay Pillay
 

Similaire à Hacking ingress (20)

Azlina5 imagery
Azlina5 imageryAzlina5 imagery
Azlina5 imagery
 
Create Location Sharing apps using the Ionic framework
Create Location Sharing apps using the Ionic framework Create Location Sharing apps using the Ionic framework
Create Location Sharing apps using the Ionic framework
 
Mobile Miner Installation
Mobile Miner InstallationMobile Miner Installation
Mobile Miner Installation
 
(Christian heilman) firefox
(Christian heilman) firefox(Christian heilman) firefox
(Christian heilman) firefox
 
iPhone App Development
iPhone App Development iPhone App Development
iPhone App Development
 
Mobile app development
Mobile app developmentMobile app development
Mobile app development
 
Swift Development
Swift DevelopmentSwift Development
Swift Development
 
Andriy Vandakurov about "Frontend. Global domination"
Andriy Vandakurov about "Frontend. Global domination" Andriy Vandakurov about "Frontend. Global domination"
Andriy Vandakurov about "Frontend. Global domination"
 
Pivorak.javascript.global domination
Pivorak.javascript.global dominationPivorak.javascript.global domination
Pivorak.javascript.global domination
 
Outsmarting smartphones
Outsmarting smartphonesOutsmarting smartphones
Outsmarting smartphones
 
Location Based Services Without the Cocoa
Location Based Services Without the CocoaLocation Based Services Without the Cocoa
Location Based Services Without the Cocoa
 
How React Native has changed Web and Mobile Application Development, Engineer...
How React Native has changed Web and Mobile Application Development, Engineer...How React Native has changed Web and Mobile Application Development, Engineer...
How React Native has changed Web and Mobile Application Development, Engineer...
 
Design the implementation of Robotic Simulator: Goalkeeper.
Design the implementation of Robotic Simulator: Goalkeeper.Design the implementation of Robotic Simulator: Goalkeeper.
Design the implementation of Robotic Simulator: Goalkeeper.
 
Mini project final presentation
Mini project final presentationMini project final presentation
Mini project final presentation
 
Easy2park - A smarter way to find a parking lot
Easy2park - A smarter way to find a parking lotEasy2park - A smarter way to find a parking lot
Easy2park - A smarter way to find a parking lot
 
project report on IoT
project report on IoTproject report on IoT
project report on IoT
 
04 objective-c session 4
04 objective-c session 404 objective-c session 4
04 objective-c session 4
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the Code
 
Appium understanding document
Appium understanding documentAppium understanding document
Appium understanding document
 
Firefox OS Presentation
Firefox OS PresentationFirefox OS Presentation
Firefox OS Presentation
 

Dernier

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 

Dernier (20)

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 

Hacking ingress

  • 1. 12 HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING by Eran Goldstein Today we are going to demonstrate a quick reverse engineering and analysis process of an android mobile application called Ingress. Ingress is a near-real time augmented reality massively multiplayer online video game. It was created by Niantic Labs, a startup within Google, for the Android based devices market. The game has a complex science fiction back story which Niantic is revealing in segments. The gameplay consists of establishing “portals” at places of public art, etc., and linking them to create virtual triangular fields over geographic areas. The progress in the game is measured by the number of Mind Units, i.e. people, nominally controlled by each faction (as illustrated on the Intel Map). The necessary links between portals may range from meters to kilometers, or to hundreds of kilometers in operations of considerable logisti-cal complexity. International links and fields are not uncommon, as Ingress has attracted an enthusiastic following in cities worldwide amongst both young and old, to the extent that the gameplay is itself a lifestyle for some, including tattoos. CLARIFICATION This analysis started from the point of view of the frustrated Ingress players which invest their time and effort to play legally the Ingress game. The analy-sis purpose was to explain and demonstrate that while there are Ingress us-ers that play fair and legal there are some who do not. We under do not encourage any misuse or illegal use of the Niantic Project – Ingress game or any other games/platforms. The user ‘Hatulero’ which was used during this analysis was for demonstration purpose only and has been canceled with the end of this analysis. DISCLAIMER We are going to analyze and implement modifications to the Niantic project – ingress application for research purposes only, by using, opening and/or reading this document you agree that your use of the Niantic project – ingress application products and/or this cyber security research documentation, in-cluding any changes you will implement in your own code will be on your own risk only. For more information please refer to Niantic project – ingress terms of use: http://www.ingress.com/terms. What you will learn: • Analyzing and debugging pro-cesses of an android application and examining the code within the .apk package. • Inspecting how important func-tions operates. • Modify and manipulate the way functions work. • How android application commu-nicates with the web services API. • Exploit application design weak-nesses. What you should know: • Extracting, packing and signing processes of an android applica-tion package (.apk). • Mobile reverse engineering pro-cess basics. • Web application analysis tech-niques.
  • 2. HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING INTRODUCTION Ingress involves near-real time augmented reality by the need to take control over portals by physically move between them which means that the ingress players’ community will have to go around cities, plac-es and sites in attempt to gain more power (XM’s), “hack”, take control or even attack Ingress portals. One of the biggest advantages every Ingress user will probably want to achieve is the ability to move be-tween portals without changing your actual physical location. This analysis document assumes that you are familiar with the process of reverse engineering process of an android mobile application and already know how to extract, sign and pack back the content of an android application package (.apk) The security analysis will include the following sections: • Reverse Engineering – Environment preparation • Ingress Android application – binary code analysis • Ingress web services API – server side analysis • Hacking POC REVERSE ENGINEERING – ENVIRONMENT PREPARATION EXTRACT THE PACKAGE Before we begin we will need to extract/dump the content of the .apk file. You can do that using apktool or any other tool you like. Once you extract the .apk file, you will get something like: Figure 1. Extract the package DOWNLOAD AND INSTALL “FAKEGPS” As a part of the process you will probably want to download and install any fake GPS location app in or-der to be able to generate mock GPS location signals. You can download from “Google Play” any app you want such “Fake GPS”, “MoveMyGPS” or any other app you like: Figure 2. MoveMyGPS www.eForensicsMag.com 13
  • 3. 14 FIREFOX ADD-ONS::HTTPREQUESTER This tool is useful when doing web or REST development, or when you need to make HTTP requests that are not easily done via the browser (PUT/POST/DELETE). This is based on the Alex Milowski’s excellent Poster add-on, with a large focus on keeping a history of transactions, allowing you to go back and review, re-execute, load, and save HTTP requests. HttpRequester can be opened via the Tools menu, or via the Add-on-bar icon. https://addons.mozilla.org/en-us/firefox/addon/httprequester/ Figure 3. HttpRequester plugin tool PORTSWIGGER::BURP SUITE Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art au-tomation, all in order to make your work more effective, fast and fun than before. You can download Burp suite here: http://portswigger.net/burp/downloadfree.html. Figure 4. PortSwigger – Burp Suite web proxy analyzer
  • 4. HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING INGRESS ANDROID APPLICATION – BINARY CODE ANALYSIS OBJECTIVES • Disable the detection of mock locations in order to use fake GPS location signal. • Merge the fake and real GPS location signals and remove the “Scanner Disabled; Inaccurate Loca-tion;” message. • Remove the protection flag for common actions and allow Hack Portal, Fire XMP, Deploy Resona-tors and more. OBJECTIVE ONE: DISABLE THE DETECTION OF MOCK LOCATION IN ORDER TO USE FAKE GPS LOCATION SIGNAL MOCK LOCATIONS PREVENTION Mock location – developer’s option allows developers to use any fake GPS signal in order to be able to change their GPS signal while developing and debug applications. Once you will open any fake GPS loca-tion app, you will probably be asked to enable this option in the System Setting -> developer options menu. From this point on you basically can set your location to any location you want but the problem is that “Ingress” will not allow you to use the “Allow mock locations” option L. And this is the point where we will start our analysis. Figure 5. Allow mock locations Figure 6. Mock locations disallowed DISABLE THE “ALLOW MOCK LOCATIONS” PREVENTION In attempt to toggle the validation of the “Allow mock locations” developer option checkbox we will need to search for relevant point to start our analysis. As in every reverse engineering process, searching for any of suspicious or problematic string you want to investigate or hack can assist you to find relevant event triggers which can lead to the point you probably looking for and will want to modify. Let’s take a look at the following file: www.eForensicsMag.com 15
  • 5. 16 dump-ingresssmalicomnianticprojectingressNemesisActivity.smali At line 1426 we can observe the “mock_location” string and right after it we can see the function that put integer “0” in a register, check if the “allow mock locations” checkbox is checked (this will return “1”) and then compare the registers values and validate that v0 register value is not equal to zero, and then go to a condition (cond_b) which will block us from using Ingress while the “Allow mock locations” option is enable: if- nez v0, :cond_b And will set a prevention flag by moving register v7 to register v0: move v0, v7 So as you probably guessed, we basically can do a few simple tricks here to manipulate the function that checks for the “Allow mock locations” checkbox status. First, let’s modify the function to check that the checkbox value is equal to zero (instead of not equals to zero), this will cause ingress to allow you to play only if “Allow mock locations” option is enabled. Since we don’t want any further actions to be performed once the condition is true, we will move the pointer from ‘cond_b’ to ‘cond_3’ which originally is the pointer that continue the scanner process with-out interruptions. From: if- nez v0, :cond_b To: if-eqz v0, :cond_3 To make sure the prevention flag will not be set as true (by moving register v7 to register v0), we will comment the line below (Line 1428): From: move v0, v7 To: # move v0, v7 Figure 7. Line 1426::change the term below from if-nez to if-eqz and from cond_b to cond_3 Now we can use “FakeGPS” to set our location dynamically but the “Scanner disabled; Location inac-curate.” Message appears.
  • 6. HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING Figure 8. Scanner disabled message OBJECTIVE TWO: MERGE THE FAKE AND REAL GPS LOCATION SIGNALS Remove the “Scanner Disabled; Inaccurate Location;” message. Once we “hacked” the “Allow mock locations” developer options to al-low us use fake GPS location (e.g. mock_location), we will cause the scanner state process to change the value of the relevant flag/register to ”1” (register v0 in our case), which will cause the Ingress app to alert the message “Scanner disabled; Location inaccurate.” Let’s take a look at the following file: dump-ingresssmalicomnianticprojectingresscommonscannerk.smali To disable the alert message, we will need to modify the condition at line 996 that check if the value in v0 resister is not equals to zero (‘0’) from if-nez to if-eqz: From: if-nez v0, :cond_4 To: if-eqz v0, :cond_4 Figure 9. Line 996::change the term below from if-nez to if-eqz As we can see the “Scanner disabled; Location inaccurate.” Alert message is disabled but we can’t per-form any relevant actions on the portal (even if it in our range). www.eForensicsMag.com 17
  • 7. 18 Figure 10. Alert message is disabled Figure 11. Actions are unavailable OBJECTIVE THREE: REMOVE THE PROTECTION FLAG FOR COMMON ACTIONS ALLOW HACK PORTAL, FIRE XMP, DEPLOY RESONATORS AND MORE Because the scanner state has been changed from a real GPS location signal into a FakeGPS location signal and the Ingress app detects this as “Inaccurate location” event we can’t perform any relevant ac-tions on the portal (even if it is in our range). Next we will need to modify the condition of the function that checks for the scanner state value. Let’s take a look at the following file: dump-ingresssmalicomnianticprojectingresscommonitemupgradea.smali In line 2095 we can observe the function that check if the value in v0 register is less or equals to zero (‘0’) and if it is the Ingress app will alert the message “Location Inaccurate” when you will press any ac-tion button (example: “Hack”, “Deploy Status”, etc…). Locate the “if-lez v0, :cond_0” (Line 2095) and change the condition from if-lez to if-eqz: From: if- lez v0, :cond_0 To: if-gtz v0, :cond_0
  • 8. HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING Figure 12. Modifying the function’s operand Congratulations!!! Now we can move to any location we want using FakeGPS or any other Fake GPS location signal application. Let’s start with San Jose – United States: Figure 13. Moving to San Jose – U.S Figure 14. All action options are available www.eForensicsMag.com 19
  • 9. 20 Figure 15. Collecting XM Figure 16. Hacking the portal Now let’s move to Paris: Figure 17. Moving to Paris t All action options are available
  • 10. HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING Or to Spain: Figure 19. Moving to Spain Figure 20. All action options are available INGRESS WEB SERVICES API – SERVER SIDE ANALYSIS OBJECTIVES • Configuring an Android device with Web-Based proxy. • Intercept, decode and explore common Ingress https requests. • Modify an Ingress https request and communicate with the server. OBJECTIVE ONE: CONFIGURING AN ANDROID DEVICE WITH WEB-BASED PROXY LAUNCH BURP SUITE In order to begin we will need to start burp and configure it to listen to specific port: Figure 21. Configuring Burp Suite to listen on specific address and port By default, when you browse an HTTPS website via Burp, the Proxy generates an SSL certificate for each host, signed by its own Certificate Authority (CA) certificate. This CA certificate is generated the first www.eForensicsMag.com 21
  • 11. 22 time Burp will run and will be stored locally. To use Burp Proxy most effectively with HTTPS websites, you will need to install Burp’s CA certificate as a trusted root in your browser. NOTE If you install a trusted root certificate in your browser, then an attacker who has the private key for that certificate may be able to man-in-the-middle your SSL connections without obvious detection, even when you are not using an intercepting proxy. To protect against this, Burp generates a unique CA certificate for each installation, and the private key for this certificate is stored on your computer, in a user-specific location. If untrusted people can read local data on your computer, you may not wish to install Burp’s CA certificate. INSTALLING THE CERTIFICATE Export Burp CA certificate and save to your local computer using .crt extension (e.g. PortSwiggerCA.crt) • Push the “PortSwiggerCA.crt” certificate to a microSD card on your android device. • Go to: System Setting -> More tab -> Security ->install from device storage. • Follow the on screen instructions, and reboot the device once it says the certificate has been in-stalled. CONFIGURE THE DEVICE Once we have configured Burp we will need to configure our Android device to use burp for external con-nections. To do this: • Go to: Settings -> Connections -> Wi-Fi • Long press on the network connection you want to configure. • Select “Modify network config” from the menu. • Check the “Show advanced options”, click the “Proxy settings” combo box and select “Manual”. • Configure Burp suite machine address and port. If everything works correctly you now should have a trusted certificate installed successfully on an an-droid device! From this point you basically can intercept and explore any Ingress android app – http and https re-quests using burp. And this is the point where we will start our analysis. LAUNCHING INGRESS When launching Ingress on your device and while watching burp history tab, you can observe the data and traffic between your device and the web-services API server. This data includes a few general in-gress application important processes such as authentication, verification, synchronization and more. The data also includes basic functions results such actions and events. In the next objectives we will ex-plore few Ingress android application common requests. OBJECTIVE TWO: INTERCEPT, DECODE AND EXPLORE COMMON INGRESS HTTPS REQUESTS VERIFICATION The first process and requested data we will explore is the verification step. The Ingress app send an HTTPS GET request to the server in attempt to verify the user’s account. In the image below we can ob-serve the verification GET request and navigates to: m-dot-betaspike.appspot.com/handshake.
  • 12. HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING Figure 22. Verification GET request The request contains few headers includes: Content-Type – the content type of the request is application/json Accept-Encoding – gzip User-Agent – Nemesis (gzip) Cookie – the session cookie of the user X-XsrfToken – the users token Host – m-dot-betaspike.appspot.com In addition, json URL variable contains json data with information about the google user. We can observe that the authentication step will be probably be completed by SSL handshake process. GOOGLE AUTHENTICATION Following the verification step we can observe that the Ingress app send another HTTPS POST request to google in order to authenticate the user’s account. In the image below we can observe the authentica-tion POST request which done during SSL handshake process. The first request navigates to: android. clients.google.com. Figure 23. HTTPS POST request to google www.eForensicsMag.com 23
  • 13. 24 The request contains few headers includes: Authorization – the user’s authentication challenge token. Content-Type – the content type of the request is application/x-www-form-urlencoded User-Agent – AndroidC2DM/1.1 (ja3g JDQ39) X-XsrfToken – the users token Host – android.clients.google.com The request’s data includes few parameters send to the application server: ‘X-GOOG.USER_AID’, ‘app’, ‘sender’, ‘cert’, ‘device’ and ‘device_user_id’ As a result from the last request contains the challenge token we will get the authentication response to-ken in the response HTTPS body. Figure 24. The authentication response token Using the authentication response token, the Ingress app generates the authentication token in order to authorize the user’s device account and the second request navigates to: play.googleapis.com Figure 25. Ingress app generates the authentication token The request contains few headers and the requests body contains data with information about the google user. In the last request of the login process, Ingress app send HTTPS POST request to Ingress application server with the same token.
  • 14. HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING Figure 26. The last request of the login process REQUEST::GLOBALREGIONMAP The next request in the process of launching Ingress app is the globalRegionMap. In the image below we can observe the globalRegionMap HTTPS GET request which navigates to: m-dot-betaspike.appspot.com Figure 27. The globalRegionMap HTTPS GET request The request contains a few headers includes: Content-Type – the content type of the request is application/json Accept-Encoding – gzip User-Agent – Nemesis (gzip) Cookie – the session cookie of the user X-XsrfToken – the users token Host – m-dot-betaspike.appspot.com www.eForensicsMag.com 25
  • 15. 26 REQUEST::GETINVITEINFO The last request in the process of launching Ingress app is the ‘getInviteInfo’ which will check how many agent’s invitation lefts to the user. In the image below we can observe the ‘getInviteInfo’ POST request which navigates to: m-dot-betaspike.appspot.com/rpc/playerUndecorated/getInviteInfo Figure 28. ’getInviteInfo’ https POST request The request contains few headers includes: Content-Type – the content type of the request is application/json Accept-Encoding – gzip User-Agent – Nemesis (gzip) Cookie – the session cookie of the user X-XsrfToken – the users token Host – m-dot-betaspike.appspot.com In addition, the body contains json data with an empty “params” array. RESPONSE::GETINVITEINFO The ‘getInviteInfo’ response contains https headers sent from the server back to the client and includes a json string with two arrays as well: Figure 29. ‘getInviteInfo’ https response ‘result’ array: General array that contains information about the ‘numAvailableInvites’ remain to the user. ‘gameBasket’ array: General array that contains information about the user’s inventory, game entities and more (‘gameEntities’, ‘inventory’ and ‘deletedEntityGuids’). We will be able to observe this array po-tently in few other common requests.
  • 16. HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING REQUEST::GETINVENTORY Figure 30. Ingress OPS button In order to synchronize the user’s inventory database the Ingress app sends ‘getInventory’ request to the server. In the image below we can observe the HTTPS POST request which navigates to: m-dot-betaspike.appspot.com/rpc/playerUndecorated/getInventory Figure 31. ‘getInventory’ https POST request The request contains few headers includes: Content-Type – the content type of the request is application/json Accept-Encoding – gzip User-Agent – Nemesis (gzip) Cookie – the session cookie of the user X-XsrfToken – the users token Host – m-dot-betaspike.appspot.com In addition, the body contains json data with “params” array and ‘lastQueryTimeStemp’ parameter. www.eForensicsMag.com 27
  • 17. 28 RESPONSE::GETINVENTORY Figure 32. ’getInventory’ https response The response contains https headers sent from the server back to the client and includes a json string with two arrays as well: Result array: General array that contains the value to update the ‘lastQueryTimeStemp’ parameter that will be used for the next request. gameBasket array: General array that contains information about the user’s inventory, game entities and more (gameEntities, inventory and deletedEntityGuids). This time we can observe the items that the user store in his inventory. We will be able to observe this array potentially in few other common request as well. As a result the user’s inventory will be available to the user. Figure 33. Ingress OPS – Inventory screen
  • 18. HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING REQUEST:: COLLECTSITEMSFROMPORTAL Figure 34. Portal’s details view screen Behind the scene, when the user click the “HACK portal” button, Ingress app sends ‘collectsItemsFromPor-tal’ request to the server. In the image below we can observe the POST request which navigates to: m-dot-betaspike.appspot.com/rpc/gameplay/collectsItemsFromPortal Figure 35. ‘collectsItemsFromPortal’ https request The request contains few headers includes: Content-Type – the content type of the request is this case is application/json Accept-Encoding – gzip User-Agent – Nemesis (gzip) Cookie – the session cookie of the user X-XsrfToken – the users token Content-Encoding – gzip Host – m-dot-betaspike.appspot.com www.eForensicsMag.com 29
  • 19. 30 In addition, the body contains json gzipped data that we will have to decode. To do that we will use the built-in burp’s decoder tool: • Select the data you want to decode from the request data below • Right-click and select “send to decoder”. Figure 36. ‘collectsItemsFromPortal’ request – send to decoder Now move to the “Decoder” tab in burp, and in the combo box “Decode as…” on the right, select “Gzip”: Figure 37. ‘collectsItemsFromPortal’ request – send to decoder – decode as gzip We can see the result data of the gzip decode process below to the encoded data: Figure 38. ‘collectsItemsFromPortal’ request – send to decoder – decode as gzip – result Now we can see in clear text that the body contains json gzipped data with a ‘clientBasket’ array in a “params” array. The ‘clientBasket’ array include the following parameters: ‘clientBlob’ – the client blob’s data. ‘energyGlobGuids’ – with an empty value. ‘itemGuid’ – the portal ‘itemGuid’ the user want to “hack”. ‘playerLocation’ – the geolocation data of the user in a hexadecimal “altitude, longitude” format.
  • 20. HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING EXAMPLE REQUEST BODY DATA {“params”:{“clientBasket”:{“clientBlob”:”MEE9cey2ssygjADvD5jeeuS0pqnwAqSrmFapvy4ZwZzUKlBqHF4fnZiCqmO8 aJ51IXG7m8jsomWlecgeAH7mx MLqQJOUDsQ29z/ +kW+/upF7nY3yEUQZseYCfDKHhj95P9c77LslYt5K8tlRjvIr4g0TLKSqJ0G VGgYWy2WU0pZNSCAES2JIJSWaE6Tss43v3G1fQ9cRahmAwEyCqrdpOlFRq4y4v0Y2nIKy3j0GnIlhSMDC4rBkTPan/OJ9AoXzeifv +g9Qi6uR/107UW9IXWMAoN46NXp4wtKrpU19AhiynyBD9uP2csbQWd0YezcomQtW/NsmrBDlJO5YuGIjFDfnjmJ83 +Eqs1zW/P93y 3mvGC +hL2fkWX6SuNpAaKm2yNs4Dh8xsAJcZWJsesX3E +6TbHpbMV7q+eFqInVW9pK6bllorMug9poIfZ6FdkHhGR5PuAqYlhOw R4+94idOMpbC70ZD+kh82X+5y0SdrS7LeQEozYSTp +WXy2b6lQmuIfEtX0eHGBzeC5ZDk5gc8Tp6MM/EbCQGFZ4CFcMLVLguuPue 1ZONmIBN3HUn2sUK1uYxEBXdUSVqHFmN1hVFHQ3FSQsUQojw8veNvvSDjj0YSJrsGcy +kvtfsqy1sEG5+fKyWx0PNMfF75eT75yn ZUIAOD8WFwrflRYRGy9gCHU”},”energyGlobGuids”:[],”itemGuid”:”0ac46f4c69c8b993b1e5784838ff.12”, ”knobSyncTimestamp”:1394236374863,”playerLocation”:”0f40a9b7,d834d4ff”}} RESPONSE::COLLECTSITEMSFROMPORTAL The result of the “HACK portal” action should get the user’s inventory new items. In the image below we can observe that the items data return in a HTTP response message body. Figure 39. ‘collectsItemsFromPortal’ response In our case the “HACK portal” action didn’t return any items but if we explore the HTTP response, we will see that it contains https headers sent from the server back to the client and includes a json string as body, with two arrays as well: ‘result’ array: General array that generally contains the value to update the ‘lastQueryTimeStemp’ pa-rameter that will be used for the next request but in the case of ‘collectsItemsFromPortal’ request re-mains empty. ‘gameBasket’ array: General array that contains information about the user’s inventory, game entities and more (gameEntities, inventory and deletedEntityGuids). This time we can observe the items the us-ers hacked from the portal. We will be able to observe this array potently in few other common request as well. This response also sync the user’s inventory with the new items that were collected. This means that in case the user wants to hack the game and to add more items to his inventory by hacking the HTTP response body, it will be useless, since the fake items are not generated on the application server and do not exist on the application server’s database. But as you probably can guess, by modifying the request data that we send to the server we can fake the user’s geo-location and to hack any remote portal we want. This will bring a full items inventory to the user. Let’s try to see how it works. To modify the request or response data, you can use Burp suite’s repeater module. By clicking on the “Repeater” tab (in Burp Suite). However, In order to get rid from the process of decoding and encoding the request data in your tests, we will discover another simple but useful tool. OBJECTIVE THREE: MODIFY AN INGRESS HTTPS REQUEST AND COMMUNICATE WITH THE SERVER MODIFYING THE REQUEST::COLLECTSITEMSFROMPORTAL DATA To modify the request and to avoid from the process of encoding and decoding the data in every request in our analysis we will use the Firefox Add-ons ‘HttpRequester’. www.eForensicsMag.com 31
  • 21. 32 To read more about the Firefox Add-ons ‘HttpRequester’ refer to the “Reverse Engineering – Environ-ment preparation” section. Let’s modify the collectsItemsFromPortal HTTPS request data, to do this: • Open HttpRequester Add-on via the Tools menu, or via the Add-on-bar icon. • In the URL text input, write the full request path (for example: “m-dot-betaspike.appspot.com/rpc/ gameplay/collectsItemsFromPortal”). • Click on the “Headers” tab and add all the request’s HTTPS Headers by ‘Name’ and ‘Value’ (see the example in the image below). • OPTIONAL: modify the “Cookie” and “X-XsrfToken” values (in order to collect and add the items from the portal to other user J account). Figure 40. Adding the HTTPS headers • Click on the “Content to Send” tab. In the “Content Type:” text input write: “gzip” • Copy the ‘collectsItemsFromPortal’ request body (the one we decoded earlier – Example request body data) and paste it to the “Content” text area in ‘HttpRequester’ (see the example in the image below). • OPTIONAL: modify the “player location” values (remember to convert the longitude and altitude val-ues from hexadecimal to decimal format) • Click “Submit” button. Figure 41. Modifying request body data, setting the “Content-Type” as gzip and click “Submit”
  • 22. HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING Figure 42. Paste the request body data and click “Submit” button CONGRATULATIONS!!! In the image below we can observe the server response. It is seems that we’ve successfully collected new items from the portal by hacking the portal remotely. Figure 43. Successfully collected new items from the portal Which means that by intercepting and collecting more “HACK portal” actions requests from our device, we will able to hack portals remotely using any device (PC, Smart phone, Tablet, etc…) in the future. CYBERWARRIOR | INGRESS HACKING POC CyberWarrior developed by 0xICF as proof of concept (POC) in order to demonstrate the results of auto-mated vulnerabilities exploitation of the threats and security breaches that were found during the security analysis of Google, Niantic Project – Ingress app. Google, Niantic Project – Ingress game involve near-real time augmented reality by the need to take control over portals (real-locations) by physically moving between them which means Ingress players community will have to go around cities, places and sites in attempt to gain more power (XM’s), “hack”, take control or even attack Ingress portals. www.eForensicsMag.com 33
  • 23. 34 Naturally, Ingress players must be physically near objects on the map to interact with them. The mobile client represents the player as a small arrow in the center of a 40-meter oval which represents the perim-eter within which direct interaction is possible. By simply configure any Ingress player id and token, CyberWarrior allows the Ingress player to play remotely and to perform different actions in the game includes: • Hacking portals • Attack portals • Create portals links • Create control fields • Recharge XM’s • Collect and use portal keys • And more… Figure 44. CyberWarrior – Dashboard view HOW CYBERWARRIOR WORKS? At the beginning of this analysis we discovered how it is possible to manipulate the scanner module of Ingress app to allow mock locations (e.g. fake GPS location signals). By exploiting this weakness, Cy-berWarrior is able to travel between portals and to collect relevant portals data remotely. Figure 45. CyberWarrior – Portals view CyberWarrior uses that data further to perform different actions. In the “Events” view below we can see how CyberWarrior reports about every action performed on behalf of the Ingress player.
  • 24. HACKING INGRESS – ANDROID APPLICATION REVERSE ENGINEERING Figure 46. CyberWarrior – Events view SUMMARY In this article we discovered a few weakness in the android application binary code and the web services API of Google – Niantic Project, Ingress. As we learned, the Ingress game logic suffers from multiple vul-nerability and weaknesses that allows the attacker (or in our case the cheater) to hack the Ingress game rules easily and conduct automated actions to manipulate and influence other’s experience. It is important to mention that other vulnerabilities that were found during the analysis and related to the Google location services were not reported in this document but may influence other Googles android applications. However, we do not encourage any misuse or illegal use of Google, Niantic Project – Ingress game (even in winter) or any other games. It is important to remember that while a cheater is destroying other Ingress player’s portals, links and fields, he will cause to others to go out from their homes or from any other cushy place in order to fight back. The user ‘Hatulero’ that was used during this analysis is for demonstration purpose only and has been deleted with the end of this analysis. Hope you enjoyed reading this article, see you next time. About the Author Eran Goldstein is a Senior Cyber Security Researcher at Samsung Electronics and the founder of Frogteam|Security, a cyber security vendor company in USA and Israel. He is also the creator and devel-oper of “Total Cyber Security – TCS” product line. Eran Goldstein is a senior cyber security expert and a software developer with over 10 years of experience. He specializes at penetration testing, reverse engineering, code reviews and application vulnerability as-sessments. Eran has a vast experience in leading and tutoring courses in application security, software analysis and se-cure development as EC-Council Instructor (C|EI). For more information about Eran and his company you may go to: http://www.frogteam-security.com www.eForensicsMag.com 35