Good Technology Authentication Insecure Coupling

2015-09-26T00:00:00
ID PACKETSTORM:133715
Type packetstorm
Reporter Tobias Ospelt
Modified 2015-09-26T00:00:00

Description

                                        
---------------------------------------------------------------- v1 -  
  
modzero Security Advisory: Insecure application-coupling in Good  
Authentication Delegation [MZ-15-03]  
  
---------------------------------------------------------------------  
  
---------------------------------------------------------------------  
  
1. Timeline  
  
---------------------------------------------------------------------  
  
* 2015-08-18: Vulnerability discovered  
* 2015-09-09: Vendor contacted to agree on responsible disclosure  
* 2015-09-25: Public disclosure  
  
---------------------------------------------------------------------  
  
2. Summary  
  
---------------------------------------------------------------------  
  
Vendor: Good Technology, Inc.  
Products known to be affected:  
* The combination of  
  Android Good Dynamics SDK version 1.11.1206,  
  Android Good Access app version 2.3.1.626,  
  Android Good for Enterprise app version 3.0.0.415,  
  Good Control server version 1.10.47.31,  
  Good Proxy server version 1.10.47.2 and  
  Good for Enterprise server version 7.2.2.5c  
* Other products, versions and apps using authentication-delegation  
may be affected as well.  
Severity: Medium/High  
  
The Good Mobile Device Management solution provides two separate  
Android applications: Good for Enterprise [1] (a mobile device  
management application with functionality such as e-mail) and  
Good Access [2] (an application that provides functionality similar  
to a regular browser app for accessing company intranet servers).  
Both apps use the underlying Good Dynamics framework to communicate  
with the Good server located in the customer's company network.  
  
Authentication delegation is a method of provisioning the Good Access  
Android app through the Good for Enterprise Android app. With this  
mechanism, an employee does not need to enter an activation key  
manually to provision Good Access if Good for Enterprise has already  
been provisioned.  
  
Third-party apps can spoof their identity and try to request access  
to company servers and data. Users could be tricked into allowing  
access to company intranet servers to a faked Good Access app. The  
server administrator is not able to prevent or detect the  
unauthorized access.  
  
A CVE has not yet been assigned to this vulnerability.  
  
---------------------------------------------------------------------  
  
3. Details  
  
---------------------------------------------------------------------  
  
As a precondition for this vulnerability, the Good servers have to  
allow access to intranet servers on the company network via the Good  
Access app. It is also necessary to enable authentication delegation  
through Good for Enterprise.  
  
A specially crafted third-party Android app can use an Android  
package name that starts with "com.good.gdgma" (the Good Access  
package name). Subsequently, the app can announce itself as the Good  
Access app to the authentication delegate (Good for Enterprise). The  
user of the Android device has to explicitly grant access to this  
third-party app [3], even though the specially crafted application  
might be indistinguishable from the legitimate app for a user. It is  
possible to activate not just one but several faked apps through the  
authentication delegate (Good for Enterprise) by using different  
package names (e.g. "com.good.gdgma.test1", "com.good.gdgma.test2",  
etc.).  
  
The Good Dynamics server administrator cannot distinguish between a  
malicious third-party app and the legitimate app accessing company  
data, because the Good backend web interface shows the provisioned  
app as Good Access.  
  
As a mitigation, the Good for Enterprise app could protect the intent  
that implements its authentication-delegation API (an Android IPC  
mechanism) with the signature-level permission protection provided  
by the Android operating system (android:protectionLevel="signature").  
Only apps signed with the same private key can hold such a permission.  
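The following is an added example (not code from the advisory, from Good Technology or from modzero) showing, on the delegate side, the difference between the package-name-prefix check the advisory describes and a check that binds the caller to its signing certificate. The class `DelegateCallerCheck`, its method names and the pinned certificate digest are assumptions; the digest is an obvious placeholder because the real signing certificate is not on the page.

```java
// Added example (not code from the advisory, Good Technology or modzero).
// Shows how an authentication delegate can identify a caller of its IPC
// by signing certificate instead of by a self-announced package-name
// prefix. Class and method names are hypothetical.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class DelegateCallerCheck {

    // Package name of the legitimate Good Access app (from the advisory).
    static final String GOOD_ACCESS_PKG = "com.good.gdgma";

    // PLACEHOLDER: SHA-256 of the legitimate app's release signing
    // certificate. The real value is not on the advisory page; a deployment
    // would pin the vendor's actual certificate digest here.
    static final byte[] EXPECTED_CERT_SHA256 = hexToBytes(
            "0000000000000000000000000000000000000000000000000000000000000000");

    // Vulnerable pattern described in the advisory: a self-announced package
    // name is accepted whenever it merely starts with "com.good.gdgma", so
    // "com.good.gdgma.test1" passes as well.
    static boolean weakCheck(String announcedPackageName) {
        return announcedPackageName != null
                && announcedPackageName.startsWith(GOOD_ACCESS_PKG);
    }

    // Hardened check, to be called on the thread handling the incoming IPC:
    // the caller is identified by the UID the kernel attached to the Binder
    // transaction (nothing the caller announces), the package name must
    // match exactly, and the package must be signed by the pinned key.
    static boolean strongCheck(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        String[] callerPkgs = pm.getPackagesForUid(Binder.getCallingUid());
        if (callerPkgs == null) {
            return false;
        }
        for (String pkg : callerPkgs) {
            if (GOOD_ACCESS_PKG.equals(pkg) && isSignedByExpectedKey(pm, pkg)) {
                return true;
            }
        }
        return false;
    }

    // Require exactly one signer and compare its certificate digest in
    // constant time against the pinned value. (GET_SIGNATURES is the
    // pre-API-28 flag; newer platforms offer GET_SIGNING_CERTIFICATES.)
    static boolean isSignedByExpectedKey(PackageManager pm, String pkg) {
        PackageInfo info;
        try {
            info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
        Signature[] sigs = info.signatures;
        if (sigs == null || sigs.length != 1) {
            return false;
        }
        byte[] digest = sha256(sigs[0].toByteArray());
        return MessageDigest.isEqual(digest, EXPECTED_CERT_SHA256);
    }

    static byte[] sha256(byte[] data) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 missing", e);
        }
    }

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

The manifest-level mitigation the advisory names achieves the same effect without application code: declaring a `<permission>` with `android:protectionLevel="signature"` and attaching it via `android:permission` to the exported component that receives the delegation intent lets the platform reject any caller not signed with the same key as the delegate. That suffices when both apps come from the same vendor, as here; the runtime check above additionally covers the case where the two apps are signed with different keys, because it pins a specific certificate rather than requiring key equality with the delegate.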
  
---------------------------------------------------------------------  
  
4. Impact  
  
---------------------------------------------------------------------  
  
After tricking a user into installing a modified application that  
presents itself to the authentication-delegation mechanism as the  
Good Access app, the missing authentication can be exploited to gain  
access to intranet data via the Good servers. Additionally, other  
third-party apps could request permission from the user to access  
company data; the Good server administrator is not able to prevent  
the use of such third-party apps.  
  
---------------------------------------------------------------------  
  
5. Proof of concept exploit  
  
---------------------------------------------------------------------  
  
As a proof of concept, an example app of the Good Dynamics Android  
SDK can be used. modzero used the ApacheHttp example application.  
After loading the example project in the Android Studio IDE, the  
GDApplicationID variable in the included settings.json file has to be  
changed to "com.good.gdgma". Additionally the package name in the  
AndroidManifest.xml file must be changed to a value that starts with  
"com.good.gdgma". The included classes have to be refactored to match  
the new package name. After installing the example application and  
clicking the button to use authentication delegation, Good for  
Enterprise will show the dialog to confirm access to company data  
[3]. If the user enters his Good for Enterprise app password, the  
malicious application is allowed to access intranet servers [4].  
  
An alternative to demonstrate the issue is probably to disassemble  
the Good Access app via apktool [5], add malicious code to the  
application and reassemble the app via apktool.  
  
---------------------------------------------------------------------  
  
6. Workaround  
  
---------------------------------------------------------------------  
  
Users can deactivate authentication delegation and revoke access for  
Good Access. No other workaround is known.  
  
---------------------------------------------------------------------  
  
7. Fix  
  
---------------------------------------------------------------------  
  
It is not known to modzero whether a security fix is available.  
  
---------------------------------------------------------------------  
  
8. References  
  
---------------------------------------------------------------------  
  
[1] https://play.google.com/store/apps/details?id=com.good.android.gfe  
[2] https://play.google.com/store/apps/details?id=com.good.gdgma  
[3] http://www.modzero.ch/advisories/media/good_dynamics_provisioning.png  
[4] http://www.modzero.ch/advisories/media/good_dynamics_usage.png  
[5] https://ibotpeaches.github.io/Apktool/  
  
---------------------------------------------------------------------  
  
9. Credits  
  
---------------------------------------------------------------------  
  
* Tobias Ospelt  
  
---------------------------------------------------------------------  
  
10. About modzero  
  
---------------------------------------------------------------------  
  
The independent Swiss company modzero AG assists clients with  
security analysis in the complex areas of computer technology. The  
focus lies on highly detailed technical analysis of concepts,  
software and hardware components as well as the development of  
individual solutions. Colleagues at modzero AG work exclusively in  
practical, highly technical computer-security areas and can draw on  
decades of experience in various platforms, system concepts, and  
designs.  
  
https://www.modzero.ch  
  
contact@modzero.ch  
  
---------------------------------------------------------------------  
  
11. Disclaimer  
  
---------------------------------------------------------------------  
  
The information in the advisory is believed to be accurate at the  
time of publishing based on currently available information. Use of  
the information constitutes acceptance for use in an AS IS condition.  
There are no warranties with regard to this information. Neither the  
author nor the publisher accepts any liability for any direct,  
indirect, or consequential loss or damage arising from use of, or  
reliance on, this information.  
  