Wednesday, 13 February 2019

Say OK Google!

Hi Internet,

Summary: The built-in app lock of Trend Micro Dr. Safety for Android can be bypassed locally: say "OK Google", ask for data from a locked app, and then open the recent apps overview (activity pane), whose preview thumbnails show the locked app's content. Trend Micro left the issue unpatched.


After finding a Same Origin Policy bypass in Trend Micro Dr. Safety for Android (Consumer), I kept digging into this application. It also has an app lock feature, which lets users lock individual applications behind a PIN or fingerprint.

This may not be a great bug, because only a local attacker can exploit the issue, but the steps to reproduce it were innovative (personal opinion).

Steps to reproduce:
1. Lock your apps (Google, Gmail, Slack etc.) using the Dr. Safety app lock.
2. Once the applications are locked, say "OK Google". (Assuming the Google app is also locked, Dr. Safety will ask for the PIN or pattern.)
3. Keep talking to the assistant anyway, for example "My emails from Sanjay".
4. In the background "OK Google" replies "This is what I found ...". The data is still not visible, because the Dr. Safety lock prompt from step 2 is covering it.
5. Now open the activity pane (the recent apps overview, which lets you close all running apps) as if to close that window.
6. Bingo! The app preview thumbnail shows a glimpse of the email from "Sanjay" or Mr. XYZ. Below PoC for reference.


I believe that, from a malicious attacker's perspective, the application still fails to prevent exposure of the applications it locks: the recents thumbnails leak their confidential content, which in my opinion is a concern.

I went ahead and spent some time analyzing the APK file, and found that AppLockMain.xml appears to be responsible for this issue.

As a recommendation: when the user opens the activity pane using the hardware/software buttons on the phone, Dr. Safety can detect that it has been sent to the background and draw a screen overlay of its own to mask the other applications shown in the activity pane. One caveat: such an overlay only hides the thumbnails, it does not stop the system from capturing them. The only fix that prevents the capture itself is for the locked app to mark its own windows with FLAG_SECURE (which also blanks its recents preview), and a third-party app lock cannot set that flag on another app's behalf.
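To show what that recommendation looks like in practice, here is an added example (not Trend Micro's code and not from the original post) of a hypothetical app-lock PIN prompt that, when the user presses Home or Recents, puts an opaque overlay over the activity pane and removes it once the prompt is back in front. The package name, the `RecentsMask` helper and `LockActivity` are assumptions for illustration; the overlay requires the SYSTEM_ALERT_WINDOW permission and the user granting "draw over other apps".

```java
// Added example, not the product's code. Assumes the manifest declares
// <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
// and that LockActivity is the PIN prompt shown in front of a locked app.
package com.example.applock; // hypothetical package

import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.graphics.Color;
import android.graphics.PixelFormat;
import android.net.Uri;
import android.os.Build;
import android.os.Bundle;
import android.provider.Settings;
import android.view.Gravity;
import android.view.View;
import android.view.WindowManager;
import android.widget.TextView;

/** Full-screen opaque window drawn above the recent apps overview. */
final class RecentsMask {
    private static View mask;

    /** Overlay permission is only a runtime grant from Android 6 (API 23) on. */
    static boolean canDraw(Context ctx) {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.M || Settings.canDrawOverlays(ctx);
    }

    static void show(Context ctx) {
        if (mask != null || !canDraw(ctx)) return;
        Context app = ctx.getApplicationContext();
        TextView v = new TextView(app);
        v.setBackgroundColor(Color.BLACK);
        v.setTextColor(Color.WHITE);
        v.setGravity(Gravity.CENTER);
        v.setText("Locked by app lock. Tap to unlock.");
        // Tapping the mask brings the PIN prompt back; its onResume() removes the mask,
        // so the user is never stuck behind it after pressing Home.
        v.setOnClickListener(x -> app.startActivity(
                new Intent(app, LockActivity.class).addFlags(Intent.FLAG_ACTIVITY_NEW_TASK)));
        int type = Build.VERSION.SDK_INT >= Build.VERSION_CODES.O
                ? WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY
                : WindowManager.LayoutParams.TYPE_PHONE; // pre-Oreo overlay type
        WindowManager.LayoutParams lp = new WindowManager.LayoutParams(
                WindowManager.LayoutParams.MATCH_PARENT,
                WindowManager.LayoutParams.MATCH_PARENT,
                type,
                WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE
                        | WindowManager.LayoutParams.FLAG_LAYOUT_IN_SCREEN,
                PixelFormat.OPAQUE);
        ((WindowManager) app.getSystemService(Context.WINDOW_SERVICE)).addView(v, lp);
        mask = v;
    }

    static void hide(Context ctx) {
        if (mask == null) return;
        ((WindowManager) ctx.getApplicationContext()
                .getSystemService(Context.WINDOW_SERVICE)).removeView(mask);
        mask = null;
    }
}

/** The app lock's own PIN prompt (layout and PIN check omitted). */
public class LockActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Keep our own PIN screen out of screenshots and recents thumbnails too.
        getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
        if (!RecentsMask.canDraw(this)) {
            // Ask for the overlay permission. On Android 7+ the user can revoke it
            // from the status bar, which is the limitation Trend Micro pointed out.
            startActivity(new Intent(Settings.ACTION_MANAGE_OVERLAY_PERMISSION,
                    Uri.parse("package:" + getPackageName())));
        }
    }

    /** Fires when the user leaves via Home or Recents while the prompt is showing. */
    @Override
    protected void onUserLeaveHint() {
        super.onUserLeaveHint();
        RecentsMask.show(this);
    }

    /** Back in front (Recents dismissed or the mask tapped): drop the mask. */
    @Override
    protected void onResume() {
        super.onResume();
        RecentsMask.hide(this);
    }
}
```

The mask is deliberately a tap-to-unlock prompt rather than a blank screen, so that after pressing Home the user can always get back to the PIN entry. It still depends on the overlay permission being granted, and it hides the thumbnails only while they are on screen; the locked app's FLAG_SECURE remains the only way to stop them being captured at all.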

Alternative app lock:
And guess what? There is an alternative app in the Play Store that also locks the recent apps list (activity pane) in the same fashion I mentioned above: Norton App Lock lets users lock their activity pane too, so the attack scenario above fails against it.

Trend Micro's security team left this issue unpatched and replied:
* Users could easily clear all recent activities.
* On Android 7 and above, users could easily dismiss ‘draw over other apps’ from the status bar, so the page blocking ‘Recent’ would be dismissed. Thus, we could not provide this enhancement efficiently.

I hope you like the read.

Thank you
