Dropbox (and other Python Apps) Reverse-Engineered

From: Dave Brockman 

===============================================================
From: Benjamin Stewart
------------------------------------------------------
Interesting read, thanks for posting!

Question for the security programmer folks: Are there code obfuscation techniques, for Python or other languages, that actually work against such a determined attacker, or is this DropBox client pretty close to "state of the art?" You can't really just say "don't use Python," because C et al. can be decompiled, too.

===============================================================
From: Stephen Haywood
------------------------------------------------------
Everything can be decompiled, reverse engineered, or otherwise deobfuscated. Security through obscurity NEVER works.

--
Stephen Haywood
Owner, ASG Consulting
CISSP, GSEC, OSCP
423.305.3700
stephen@averagesecurityguy.info

On Aug 28, 2013, at 8:49 AM, Benjamin Stewart wrote:
> https://www.usenix.org/system/files/conference/woot13/woot13-kholia.pdf

===============================================================
From: Dave Brockman
------------------------------------------------------
Short answer is no. Given enough time, determination and a debugger, at the very least, whatever assembly code your obfuscated code produces can be captured. If it's software, it can be decompiled....

Regards,

dtb
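
What "it can be decompiled" looks like for a Python app, as an added example that is not part of the thread and not Dropbox's code: a constructed vendor module whose API key is XOR-folded so the plaintext never appears as a literal (an invented stand-in for whatever obfuscation a vendor might use), compiled and marshalled the way the body of a `.pyc` is, then attacked two ways. The static pass walks every nested code object's `co_consts` and pulls out the folded blob; the dynamic pass simply executes the unmarshalled module and asks its own decoder for the plaintext, because the decoder is just more bytecode. The secret, the fold key and the module text are constructed sample input.

```python
import dis
import io
import marshal
import types

# Constructed stand-in for a vendor module shipped only as .pyc. The
# "obfuscation" (XOR-folding the key so the plaintext is not a literal)
# is invented for this example; it is not Dropbox's scheme.
SECRET = "sk_live_demo_secret"          # constructed sample secret
FOLD_KEY = 0x2A
FOLDED = bytes(FOLD_KEY ^ b for b in SECRET.encode())

VENDOR_SOURCE = f'''
_K = {FOLDED!r}

def api_key():
    return bytes({FOLD_KEY:#x} ^ b for b in _K).decode()
'''


def build_pyc_body(src: str) -> bytes:
    """Compile to a code object and marshal it: this is exactly the payload
    that follows the 16-byte header of a CPython 3.7+ .pyc file."""
    return marshal.dumps(compile(src, "<vendor_module>", "exec"))


def walk_code(code: types.CodeType):
    """Yield `code` and every code object nested in its constants
    (functions, comprehensions, lambdas)."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)


def extract_constants(pyc_body: bytes) -> list:
    """Static pass: unmarshal and collect every str/bytes constant.
    Finds the folded blob even though the plaintext never appears."""
    found = []
    for co in walk_code(marshal.loads(pyc_body)):
        found.extend(c for c in co.co_consts if isinstance(c, (str, bytes)))
    return found


def disassemble(pyc_body: bytes) -> str:
    """Listing of the whole module, nested code objects included, the way
    a reverse engineer reads what the 'obfuscation' actually does."""
    buf = io.StringIO()
    dis.dis(marshal.loads(pyc_body), file=buf)
    return buf.getvalue()


def recover_secret(pyc_body: bytes) -> str:
    """Dynamic pass: the decoder is just more bytecode, so run the module in
    a scratch namespace and let it hand over the plaintext itself."""
    ns = {}
    exec(marshal.loads(pyc_body), ns)  # untrusted code: only do this in a sandbox
    return ns["api_key"]()


if __name__ == "__main__":
    body = build_pyc_body(VENDOR_SOURCE)
    print("string/bytes constants:", extract_constants(body))
    print("recovered:", recover_secret(body))
    print(disassemble(body))
```

Against a real `.pyc` the only extra step is skipping the file header before `marshal.loads`; the rest is identical. The point for the thread's question is the last function: any scheme the client can undo on its own is undone by running the client, so folding, packing or renaming changes the effort, never the outcome.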

===============================================================
From: Ed King
------------------------------------------------------
If it's hardware, it can be sawzall'd.

===============================================================
From: Benjamin Stewart
------------------------------------------------------
That was my suspicion. So then, when you go on the defensive, what do you do? How do you build a system that, even when you can see clearly into it, provides reasonable security?

===============================================================
From: Mike Harrison
------------------------------------------------------
It does raise the bar, and the interest of people who can hack it.

===============================================================
From: Stephen Haywood
------------------------------------------------------
You have to think through the system from beginning to end and determine the threats to the system and the attack surface of the system. Then you have to implement compensating controls in the system to mitigate (not remove) those threats. The most cost effective method is to reduce the attack surface but sometimes you can't do that.

Typically, you need someone with experience breaking and building security, to help you think through this stuff. If you have a system in mind, I would be glad to sit down over supper and help you think about the threats, attack surfaces, and compensating controls.

--
Stephen Haywood
Owner, ASG Consulting
CISSP, GSEC, OSCP
423.305.3700
stephen@averagesecurityguy.info

On Aug 28, 2013, at 9:33 AM, Benjamin Stewart wrote:

===============================================================
From: Benjamin Stewart
------------------------------------------------------
Sadly, I don't have any projects that interesting going at the moment, but I will keep your offer in mind! Maybe we can talk about it when you do your pentesting class.

When I do write security-related code, though, I always feel a tension between having to somehow keep secrets secret, and feeling like there's an attacker looking over my shoulder at my code, already breaking my secrets as I write it. I'm sure I'm terrible at it, but I do my best. Seeing this, and similar things I've seen, it seems that many people do almost as badly as I do or worse. That's terrifying! (Well, Dropbox was way more obfuscated than anything I've done, but still!)

===============================================================
From: Christopher Rimondi
------------------------------------------------------
Important to keep in mind that it largely depends on how you define "decompile". If you mean going binary ---> what the developer actually wrote, then no, you can't decompile everything. However, if you want to go from binary --> assembly language instructions then that is definitely a possibility. Case in point is Android Dalvik files which can easily be disassembled versus iOS Mach-O binaries which are incredibly difficult to even get the low-level assembly language code from. Can it be done? Of course. Does that level of obfuscation help from a security standpoint? I think it does demonstrably. Android apps are routinely trojaned and back doored by bad guys and put back into the marketplace. iOS apps are almost never modified and put back. Part of that is due to app signing, but the level of effort required is ridiculous for commercial malware writers. It also helps with the theft of intellectual property since grabbing source on Android is trivial.

===============================================================
From: wes
------------------------------------------------------
A smarter plan is to remove the need for secrets. Use strong encryption and authentication, which are essentially provided for you already in the shape of libraries. Leave the workings in the open. All that remains is for your users' keys to be compromised, and the attacker can then gain access to that user's data only.

This is the power of open source: with many eyes on the system, the weaknesses will be brought to light quite rapidly.

-wes

===============================================================
From: Benjamin Stewart
------------------------------------------------------
I agree. In fact, that's my strategy. The problem I've run into in the past, however, is essentially the same as Dropbox's biggest problem above. That is, being able to do something automatically for the user without making them enter a password every single time. As soon as you cache a password (or token), you have a secret. You can't encrypt it securely, either, because the code must necessarily have the key at that point, and your attacker can see the code and the key. I suppose the proper answer is simply never to do that, but people (users, not me!) want programs to remember them.
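
The trade-off in the two messages above (wes: let a compromised client reach that user's data only; Benjamin: a cached credential is a secret the client cannot hide), as an added example that is not from the thread and not Dropbox's design. Instead of caching the password, the client caches a random per-device token issued after one real login; the server keeps only its SHA-256 digest, expires it, and lets the user revoke one device without touching the others. The class and function names (`DeviceTokenStore`, `ClientCache`, `scenario`) are invented, the user name and device id are constructed sample input, and the password check itself is assumed to have happened elsewhere. The caveat the scenario makes explicit: an attacker who copies the cache file copies the device id along with the token, so device binding alone does not stop that case; what the design buys is that no password is on disk, a server-side leak yields nothing replayable, and the theft is contained to one account and reversible.

```python
import hashlib
import secrets
import time
from typing import Optional


class DeviceTokenStore:
    """Server side: long-lived 'remember me' tokens, one per (user, device).

    Only SHA-256(token) is stored, so reading the server database does not
    yield replayable tokens; the raw token exists only in the client's cache.
    Hypothetical class written for this example."""

    def __init__(self):
        self._by_hash = {}  # sha256(token) -> record

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, device: str, ttl_s: int = 30 * 86400,
              now: Optional[float] = None) -> str:
        """Called once after a real password login; returns the raw token
        the client is allowed to cache. 256 bits of entropy, never reused."""
        token = secrets.token_urlsafe(32)
        self._by_hash[self._digest(token)] = {
            "user": user, "device": device,
            "expires": (now if now is not None else time.time()) + ttl_s,
            "revoked": False,
        }
        return token

    def authenticate(self, token: str, device: str,
                     now: Optional[float] = None) -> Optional[str]:
        """Returns the user on success, None otherwise. Lookup is by digest
        of a high-entropy token, so no stored secret is compared byte-by-byte."""
        rec = self._by_hash.get(self._digest(token))
        now = now if now is not None else time.time()
        if rec is None or rec["revoked"] or now >= rec["expires"]:
            return None
        if rec["device"] != device:  # token presented under another device id
            return None
        return rec["user"]

    def revoke_device(self, user: str, device: str) -> int:
        """The user (or an admin) cuts off one device; other devices keep working."""
        n = 0
        for rec in self._by_hash.values():
            if rec["user"] == user and rec["device"] == device and not rec["revoked"]:
                rec["revoked"] = True
                n += 1
        return n


class ClientCache:
    """Client side: what the app writes to disk instead of a password.
    Whoever reads this file gets this one device's access to this one
    account, and nothing that works anywhere else. Hypothetical class."""

    def __init__(self, device: str):
        self.device = device
        self.token = None

    def login_with_password(self, server: DeviceTokenStore, user: str,
                            password_ok: bool) -> bool:
        # The password check is assumed to have happened out of scope here.
        if not password_ok:
            return False
        self.token = server.issue(user, self.device)
        return True

    def call_api(self, server: DeviceTokenStore) -> Optional[str]:
        return server.authenticate(self.token, self.device) if self.token else None


def scenario() -> dict:
    """Login, cached use, theft of the cache file, revocation, re-login."""
    server = DeviceTokenStore()
    laptop = ClientCache(device="laptop-7f3a")  # constructed device id
    laptop.login_with_password(server, "ben", password_ok=True)

    # Attacker copies the cache file: token *and* device id travel together,
    # so the copy works until the user notices...
    stolen = ClientCache(device=laptop.device)
    stolen.token = laptop.token
    before = stolen.call_api(server)

    # ...and dies the moment that device's token is revoked, while the
    # password was never on disk to be reused against anything else.
    server.revoke_device("ben", laptop.device)
    after = stolen.call_api(server)
    relogin = laptop.login_with_password(server, "ben", password_ok=True) and laptop.call_api(server)
    return {"stolen_before_revoke": before, "stolen_after_revoke": after, "relogin": relogin}
```

Run `scenario()` to see the three states (`"ben"`, `None`, `"ben"`). The secret Benjamin worries about is still there, but it is now a single-purpose, expiring, revocable token rather than the user's password, which is the most a client that the attacker can read end to end can offer.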

===============================================================
From: wes
------------------------------------------------------
That's all client-side. Let the user take the risk if he so chooses. It's only his data that's exposed.

I think the bigger deal is that Dropbox doesn't want any third-party software interfacing with their hosted service. That's what they're really trying to protect. The last thing they want is for someone to release a way to use Dropbox service for something actually useful ;)

-wes

===============================================================
From: DaWorm
------------------------------------------------------
We've been dealing with this as well where I work with a mobile app. Making it totally secure is difficult, if not impossible. The thing is, even with a user entered password, all is not well. If the attacker can get you to update to a compromised app, then the altered code can easily copy the password entered and send it off to the attacker for use later.

Jeff

===============================================================
From: Mike Harrison
------------------------------------------------------
Regarding the keys. I'm tempted to add AGP to my Android phone so I can decrypt email from the 5 or so people I can use GPG'd email with from my phone. But my quandary is putting my private keys on the phone, which I really don't trust to keep them private on, or creating a different keyset for my phone, but then I'd have multiple keys for other people to decide which I might be using to read their email, or encrypt with both.. or.. or.. So I'm just using one machine right now for GPG.. and I'm not so sure I trust it much, but I trust it more than I trust my phone.

===============================================================
From: Christopher Rimondi
------------------------------------------------------
"This is the power of open source: with many eyes on the system, the weaknesses will be brought to light quite rapidly."

In theory that statement is great. Theoretically the more eyes on the code will find bugs faster. In practice I don't think so. I have heard of some pretty old bugs in popular open source libraries. Finding security bugs in software is a lot of work. I bet if a company was developing a commercial application where security counted that relied on open source libraries they would never rest on the assumption that the "many eyes looked at the code" so it must be secure. They pay someone to review the code every time.

===============================================================
From: wes
------------------------------------------------------
If big company A pays someone to review the open source code, let's say they find bugs and commit the changes upstream, then company B pays someone to review the code later, they now have 2 independent reviews of the same code (whether more fixes are supplied or not), rather than the 1 you would get from rolling your own.

-wes

===============================================================
From: Dave Brockman
------------------------------------------------------
At some point you have to make a decision. Convenience or Security. You can't have both, I offer the past three decades of computing history as my proof.

Regards,

dtb

===============================================================
From: Dan Lyke
------------------------------------------------------
On Wed, 28 Aug 2013 08:49:32 -0400 Benjamin Stewart wrote:

I have worked with one hardware vendor who bragged about the steps they took to prevent people from "sanding" off the chip carrier and reading the PROM contents with a scanning electron microscope. Whether or not this was actually effective, this discussion was useful when talking about security with the client.

It's all a matter of weighing the costs of the attack vector against the value of the protected information. You'll find most often that obfuscation and data hiding mechanisms are usually used in situations where the vendor is trying to create economic friction to extract more value from the customer.

Seems apt here...

Dan

===============================================================
From: Dave Brockman
------------------------------------------------------
Based on the SSH vulnerabilities caused by OpenSSL libraries used in Cisco code in the last 12-18 months, I'd take that bet....

Regards,

dtb

===============================================================
From: Dave Brockman
------------------------------------------------------
1) I think you severely underestimate commercial malware authors.

2) I think iOS vs Android has more to do with marketshare than anything else. If Apple gained a whole lot of marketshare in the global market, you'd see just as much crud for the iPhone... As of Q2 this year, iPhone had < 14%, Android had > 79%. Same reason 98% of all crud used to be written for Windows, 80+% marketshare. That's easy math, even for the total script kiddie....

Regards,

dtb

===============================================================
From: Benjamin Stewart
------------------------------------------------------
I'm not sure I completely buy point #2 there, Dave. Windows has had enough market share to be status quo since at least the 90s (forever ago to a script kiddie!). However, Android has enjoyed a clear market share advantage for about a year according to the source I found below. Did the script kiddies read the trends better than Apple? I'm not saying everything (anything) Apple is un-hackable, but people do tend to go for low-hanging fruit, as long as there's some return.

Interesting side-note: From looking at the chart, I'd say Android's recent gain has been at the expense of Symbian, not iOS!

Mobile market share source: http://gs.statcounter.com/#mobile

===============================================================
From: Mike Harrison
------------------------------------------------------
Hmm, hadn't thought of using the scanning electron microscope. I do have some gadgets with the important chips epoxied in a bed of copper mesh that supposedly fries the EEPROM. Or at least, that is what they say.

===============================================================
From: Dave Brockman
------------------------------------------------------
iPhone has never come close to having the majority of marketshare, let alone nearly 80% of it. Let's see, write something to attack those Apple devices, because they have ~10% of the desktops and ~20% of the mobiles.... you know what, why bother. I'd probably have to target some rich ass in the US to find someone to use it on.....

Not to say they haven't raised the bar, and are not the lowest hanging fruit. I still assert if iPhone had 80% marketshare, the amount of malware written for it would be much greater as well, and all the "security" Apple has baked in wouldn't stop the commercial authors for more than a few days at a time.

Or in other words, Apple cannot lose what it has never possessed! (additional marketshare to lose) :)

Regards,

dtb

===============================================================
From: Mike Harrison
------------------------------------------------------
Dave: Sigh, I had this discussion recently with a very talented young WOMAN. She makes very good money with a behemoth as a senior programmer doing normal biz-process stuff. She was arguing, half seriously, that she could make a lot more money faster, doing evil, than good. Her goal is to be financially secure by 35 and travel as much as she wants (she likes it). Or she can be a cubicle monkey in Atlanta for about 100k per year... work on her slumlord portfolio...

And yeah, I wonder where I would be if I had taken some job offers many years ago..

===============================================================
From: Christopher Rimondi
------------------------------------------------------
Dave, are you really saying that malware writers don't target iOS because they are not financially incentivized enough? Two big problems with the statistics you threw out.

#1 They only include smart phones. If you want to get an accurate picture of OS market share for iOS and Android you need to include tablets. A good way to do that is looking at browser stats. If you look at browser stats, or even if you look at total mobile devices sold (smartphone + tablet), you get a totally different picture.

#2 Even if those stats you quoted were relevant, "Android" is not monolithic. The number of versions of Android running now is incredible. Further compounding the issue is that every vendor version of Android is different per device. When doing exploit development, nuances in the OS matter. A lot. Malware authors would get a lot more mileage out of writing a single exploit for iOS than dealing with a fragmented Android market.

The real three reasons why there is 1000x more malware for Android than iOS:

1. Effective code signing and app screening on iOS and a joke of a process on Android. Well over 50% of Android malware is just submitted to the app store. No exploit necessary, just social engineering.

2. iOS has pretty good DEP. Not perfect but much better than any other commercial OS. To my knowledge in the last few years there was only one DEP bypass in iOS and that was via the JS JIT compiler. Apple fixed the bug fairly quickly. In Android, code executing from data memory segments is practically a feature.

3. iOS does a fairly good job on pushing code updates because it depends on Apple and not on the carrier. Android depends on the carrier, which is why 2.2 still has such a huge market share.

Personally, I think high end Android devices are far better from a usability perspective and I would carry one if it weren't for the pathetic job they did with security.

===============================================================
From: Dan Lyke
------------------------------------------------------
On Thu, 29 Aug 2013 13:01:38 +0000 (UTC) Mike Harrison wrote:

Yep. I have no way to verify much of this stuff, but determined attackers will attack determinedly.

To the Android vs iOS reverse engineering portion of this thread: The big differences of each as a virus target as I see it:

1. I can install apps from third party sources (ie; Amazon Marketplace) on my Android. To install anything not from the app store on my iOS devices I have to either hand around UDIDs to people who've paid Apple for the time-limited ability to write to that, or I have to pay Apple $100/year to compile my own code for the device.

2. Apple's qualification process is stricter.

3. Partially due to #1, and partially due to stronger control over devices, Apple has a much less complex ecosystem to police. So cleaning up the mess is easier.

The problem with open systems is that they require lots of eyeballs and people understanding the processes. Most people don't. I'm not sure the openness scales.

(I used to be an iOS user, we have one iOS device left, headed towards Android)

Dan