Overview
Explore a critical security vulnerability discovered in Samsung devices that allows non-privileged applications to access sensitive log data, circumventing Android's READ_LOGS permission restrictions. Learn about the attack methodology, which exploits the /system/bin/dumpstate binary and requires only the RECEIVE_BOOT_COMPLETED permission. Understand how this vulnerability affects Samsung devices from Galaxy S1 to S5 and Note 4, potentially exposing private data from various applications and system processes. Discover the implications for 12 specific Samsung builds where notification content is logged by default, enabling access to sensitive information from popular messaging apps, emails, and system notifications. Examine the technical details of the exploit, including the use of the dumpstate binary, error handling in native code, and the creation of exploit applications. Compare Samsung's notification handling with AOSP (Android Open Source Project) and explore potential threat mitigation strategies. Gain insights into the broader impact on Android platform security and participate in a Q&A session to deepen your understanding of this significant security issue.
Syllabus
Intro
android.permission.READ_LOGS
Why regain READ_LOGS perm
Notifications in the Android Log
Write all the sensitive data to the log
Regaining Android Log Access
Three Different Bricks
dumpstate binary
Error in native code
Dumpstate Files on Samsung Android
data/log directory
dumpstate file snippet
Create exploit application
Samsung vs AOSP Notifications
Notification ManagerServer
Vulnerable Builds
Android Platform Usage
Threat Mitigation
Conclusion
Questions and Discussion
Taught by
Black Hat