Exploit the Android Secret Photo Taking Vulnerability
1. Introduction
Nowadays, almost all smartphones integrate cameras. At the same time, the number of apps that use cameras is increasing sharply, and more and more apps declare the camera access permission in order to misbehave.
It was about May 2014 when Szymon Sidor published the secret photo taking vulnerability. With this flaw, apps can take photos without anyone knowing. The idea is simple and effective: just make the preview small enough that it can hardly be seen. The following parts present how to craft a secret photo taking demo and run it on a real device.
2. Pre-study
According to safe.baidu.com, on the Android platform, an app that wants to take photos with a camera must invoke the method “startPreview()”. Once this method is called, a preview is presented to the user. If the preview is removed from the screen or becomes invisible, photos can be taken secretly without anyone knowing.
Figure1: Preview
Figure2: Exploit Code Snippet
As the picture shows, in the code snippet the width and height of the LayoutParams are set to 1, with flags such as not_focusable and not_touchable. A mPreview is then passed to the WindowManager.addView method with this LayoutParams, so that the surface view is placed on the screen and occupies only one pixel. This is almost equal to “invisible”.
This code snippet is quite simple, but it lacks the context of the whole exploitation. In the next part, I’ll add the missing information and build a usable exploit.
3. Exploit Crafting
Let’s begin with the procedure of taking a picture. As figure 3 shows, hiding a preview means hiding the surface view. A straightforward way is written like this:
    wm.addView(surfaceView, layoutParams);
It passes the surface view directly to the WindowManager’s addView method with the crafted layout parameters. But it doesn’t work when run. That may be because a SurfaceView can’t be set to 1x1 pixels directly.
To bypass this restriction, we can create a view group object, such as a layout, and add our surface view to this view group. Finally, pass this view group object to the function WindowManager.addView. And it works!
The exploit contains an activity and a service; see figure 4. The main functionality is implemented in the service. Once this app runs, it takes a photo every several seconds, all day, until you kill the process.
Figure 3: Procedure of taking pictures
Figure 4: A brief figure about the exploit
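For a reviewer triaging decompiled app source, the pattern described in parts 2 and 3 (a layout sized to about one pixel, a call to addView, and a call to startPreview()) can be searched for statically. The following is an added example, not code from the original post or from the PhotoCapturer project; the 4-pixel threshold, the regular expressions and the sample input are assumptions of this example.

```python
import re

MAX_TINY_PX = 4  # assumed threshold: a preview this small is effectively invisible
CTOR = re.compile(r"new\s+(?:[\w.]+\.)?LayoutParams\s*\(\s*(\d+)\s*,\s*(\d+)")
FIELD = re.compile(r"\.(width|height)\s*=\s*(\d+)\s*;")
ADD_VIEW = re.compile(r"\.addView\s*\(")
PREVIEW = re.compile(r"\.startPreview\s*\(")

def _strip_comments(src):
    # Drop comments but keep their newlines so reported line numbers stay correct.
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def _line(src, pos):
    return src.count("\n", 0, pos) + 1

def _tiny(value):
    # 0 is excluded: a width or height of 0 is the ordinary layout-weight idiom.
    return 1 <= int(value) <= MAX_TINY_PX

def scan(java_source):
    """Flag source that sizes a layout to a few pixels, adds a view and starts a preview."""
    src = _strip_comments(java_source)
    tiny = [_line(src, m.start()) for m in CTOR.finditer(src)
            if _tiny(m.group(1)) and _tiny(m.group(2))]
    fields = {}
    for m in FIELD.finditer(src):
        if _tiny(m.group(2)):
            fields.setdefault(m.group(1), _line(src, m.start()))
    if len(fields) == 2:  # both width and height were assigned tiny values
        tiny.extend(fields.values())
    report = {
        "tiny_layout": sorted(tiny),
        "add_view": [_line(src, m.start()) for m in ADD_VIEW.finditer(src)],
        "start_preview": [_line(src, m.start()) for m in PREVIEW.finditer(src)],
    }
    report["suspicious"] = all(report.values())  # any one signal alone is normal
    return report

# Constructed sample, not taken from any real app.
SAMPLE = """\
// background service
params.width = 1;
params.height = 1;
wm.addView(container, params);
camera.startPreview();
"""
if __name__ == "__main__":
    print(scan(SAMPLE))
```

A hit is a reason to read the flagged lines, not a verdict: the check is textual and will miss sizes computed at run time.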
4. Summary
In my opinion, secret photo taking is more like a trick than a vulnerability. Whatever, as long as we can do something interesting with it!
5. References
http://safe.baidu.com/2014-05/android-camera-exploit.html
http://snacksforyourmind.blogspot.com/2014/05/exploring-limits-of-covert-data.html
https://github.com/zeqiii/PhotoCapturer