App World Dynamic Licensing HOWTO

I started releasing commercial applications on BlackBerry App World and yesterday was the first time I used the Dynamic Licensing model.  I devised a quick solution for working with Dynamic Licensing based on Google App Engine and this post shows how this can be achieved and also includes sample source code for other developers in a similar situation.  Dynamic Licensing provides a mechanism for granting activation codes to user who purchase applications.  The system works like this:

As with almost all commercial, downloadable applications, online purchase and activation codes have become the norm.  The end-user pays for the product, downloads it and waits for an activation code to be sent to his email address.  Once he receives the code, he enters it into the app and he can begin using it.  This is straightforward if the developer sells the app on his own store that is hosted on his own server.  If he is to sell it on other stores, however, things become tricky.  Usually, well established stores like MobiHand and others have a mechanism that allows a developer to interface with their storefront for various purposes.  One of these instances is when activation codes are involved.  In cases like these, here is a quick run-down of how the purchase flow works:

1. End-user visits Online Store

2. End-user buys app from the Online Store

3. Online Store contacts the Developer Server (using an HTTP POST request) with end-user specific details

4. Developer Server generates the activation key

5. Developer Server responds to the Online Store POST request with an activation key

6. Online Store then presents this activation key to the End-user

It is the Developer’s responsibility to get his activation server up and running to ensure steps 3-5 are completed.  Sometimes this can be a painful task; especially after you’ve spent a few grueling weeks in developing your latest and greatest application.  Here then are the steps to help simplify the process:

My solution is to setup a free account on Google App Engine to host my activation server routines there.  Why bother you ask?  Here are some advantages that I can see:

1. App Engine is free and can easily be converted to a paid model (reasonably priced) based only on usage of resources

2. App Engine offers Java so its more likely to be familiar to a BlackBerry developer

3. No administrative overhead with setting up a server or maintaining it

4. It’s cool if you like to get into “Cloud Computing”

5. It’s very easy to move off Google App Engine and onto your own server when you’re ready because of the standardized modules

I’m not going to talk you through how to get an account, sign-up, etc.  Google has tons of docs and tutorials on how to do so.  I’ll assume you’ve already got your App Engine and know how to deploy apps on it.  What we’re going to create is a servlet and optionally, some classes to help us persist the incoming information to the app engine database.  If you’re using Eclipse with the Google App Engine plugin, then creating a project is simple.  On Eclipse simply click File->New->Project and then choose Web Application Project under the Google folder.  By default, a new project will be created with a servlet having the “doGet” method.  This method handles only HTTP GET requests.  You also need to create your own “doPost” method.  This is usually because stores including App World will POST the data to your URL.  What I do is just swap the doGet with doPost.

I then write my routines to handle the incoming request.  I usually capture all relevant information, extract some key parameters, use it to generate my activation key and provide a response.  For the sake of simplifying things.  Here is the code for my servlet that captures information from BlackBerry App World, generates the Activation Code and responds with that code:

If you paste the code above into your Eclipse, you will run into some errors.  These are the typical ones and how they can be fixed:

1. The KeyGen Class isn’t available.  This is my own KeyGen routine for generating Activation Keys.  It takes the BlackBerry PIN as an argument and does some magic on it.  You have to write this one yourself.

2. The Hex Class isn’t available.  In my case, I wanted to work with Hex strings and convert them back and forth.  I looked up the source to the Apache Commons Codec project and copied across the source code for the Hex class and all its dependencies into my own project.  You do not need to use it, but if you do, then I advise you to look at the Apache Commons Project.

3. The PMF class is missing.  This class is used if you want to Persist or store data. The PMF class source code is standard and Google App Engine has the sample code for it here.  If you need it, I’ve attached the code later on in this post.

As far as I recall this is what you will need to address.  Now, lets move onto storing the incoming data on the database.  I store each request in a class called an Entry.  Thus, each POST request to my servlet will be checked and if it isn’t tagged as a test, then it will be stored to the database.  The Entry object is marked as persistable and this makes it easy to store in the App Engine datastore.  Here is the code for the Entry object:

Once you get this up and running, you have about the simplest mechanism for working with Dynamic Licensing with not only BlackBerry App World, but other stores as well.  You can, of course, make this as grandiose as you wish; that part is left as an exercise.  I’m just giving you a point to start at.

I started releasing commercial applications on BlackBerry App World and yesterday was the first time I used the Dynamic Licensing model.  I devised a solution based on Google App Engine and this post shows how this can be achieved and also includes sample source code for other developers in a similar situation.  Dynamic Licensing provides a mechanism for granting activation codes to user who purchase applications.  The system works like this:

App World Flow

As with almost all commercial, downloadable applications, online purchase and activation codes have become the norm.  The end-user pays for the product, downloads it and waits for an activation code to be sent to his email address.  Once he receives the code, he enters it into the app and he can begin using it.  This is straightforward if the developer sells the app on his own store that is hosted on his own server.  If he is to sell it on other stores, however, things become tricky.  Usually, well established stores like MobiHand and others have a mechanism that allows a developer to interface with their storefront for various purposes.  One of these instances is when activation codes are involved.  In cases like these, here is a quick run-down of how the purchase flow works:

1. End-user visits Online Store
2. End-user buys app from the Online Store
3. Online Store contacts the Developer Server (using an HTTP POST request) with end-user specific details
4. Developer Server generates the activation key
5. Developer Server responds to the Online Store POST request with an activation key
6. Online Store then presents this activation key to the End-user

It is the Developer’s responsibility to get his activation server up and running to ensure steps 3-5 are completed.  Sometimes this can be a painful task; especially after you’ve spent a few grueling weeks in developing your latest and greatest application.  My solution is to setup a free account on Google App Engine to host my activation server routines there.  Why bother you ask?  Here are some advantages that I can see:

1. App Engine is free and can easily be converted to a paid model (reasonably priced) based only on usage of resources
2. App Engine offers Java so its more likely to be familiar to a BlackBerry developer
3. No administrative overhead with setting up a server or maintaining it
4. It’s cool if you like to get into “Cloud Computing”
5. It’s very easy to move off Google App Engine and onto your own server when you’re ready because of the standardized modules

I’m not going to talk you through how to get an account, sign-up, etc.  Google has tons of docs and tutorials on how to do so.  I’ll assume you’ve already got your App Engine and know how to deploy apps on it.  What we’re going to create is a servlet and optionally, some classes to help us persist the incoming information to the app engine database.  If you’re using Eclipse with the Google App Engine plugin, then creating a project is simple.  On Eclipse simply click File->New->Project and then choose Web Application Project under the Google folder.  By default, a new project will be created with a servlet having the “doGet” method.  This method handles only HTTP GET requests.  You also need to create your own “doPost” method.  This is usually because stores including App World will POST the data to your URL.  What I do is just swap the doGet with doPost.

I then write my routines to handle the incoming request.  I usually capture all relevant information, extract some key parameters, use it to generate my activation key and provide a response.  For the sake of simplifying things.  Here is the code for my servlet that captures information from BlackBerry App World, generates the Activation Code and responds with that code:

package net.zenconsult.keyserver;

import java.io.IOException;

import javax.jdo.PersistenceManager;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import net.zenconsult.codec.binary.Hex;


@SuppressWarnings("serial")
public class KeyServerServlet extends HttpServlet {
	public void doPost(HttpServletRequest req, HttpServletResponse resp)
			throws IOException {
		// The RIM POST Format:
		// PIN=12341234&email=customeremail@email.com&product=product&version=1.2&transactionid=123&test=false

		String PIN = req.getParameter("PIN");
		String email = req.getParameter("email");
		String product = req.getParameter("product");
		String version = req.getParameter("version");
		String transactionId = req.getParameter("transactionid");
		String test = req.getParameter("test");
		String verify = req.getParameter("verify");

		//Init vlaues
		if(email == null)
		{
			email = "";
		}
		if(product == null)
		{
			product = "";
		}
		if(version == null)
		{
			version = "";
		}
		if(transactionId == null)
		{
			transactionId = "";
		}
		if(test == null)
		{
			test = "true";
		}

		// I realize using String.matches is taboo, but I did it anyway.  Feel free to change it
		// Since you can also pass your own parameters, I am passing the "verify" parameter; security by obscurity, I know,
		// but when using App Engine, your Servlet is publicly accessible, so...

		if((PIN.matches("\\p{XDigit}{8}")) && (verify != null) && (verify.equalsIgnoreCase("bbappworld")) )
		{
			// This is my own Key Generation Routine
			KeyGen kg = new KeyGen(PIN);
			String hexString = new String(Hex.encodeHex(kg.genKey()));

			String Key = hexString.toUpperCase();
			if(test.equals("false"))
			{
				PersistenceManager pm = PMF.get().getPersistenceManager();
				Entry entry = new Entry(email, product, version, transactionId);
				pm.makePersistent(entry);
				pm.close();
			}
			resp.setContentType("text/plain");
			resp.getWriter().println("key="+Key);
		}


	}
}

If you paste the code above into your Eclipse, you will run into some errors.  These are the typical ones and how they can be fixed:

1. The KeyGen Class isn’t available.  This is my own KeyGen routine for generating Activation Keys.  It takes the BlackBerry PIN as an argument and does some magic on it.  You have to write this one yourself.
2. The Hex Class isn’t available.  In my case, I wanted to work with Hex strings and convert them back and forth.  I looked up the source to the Apache Commons Codec project and copied across the source code for the Hex class and all its dependencies into my own project.  You do not need to use it, but if you do, then I advise you to look at the Apache Commons Project.
3. The PMF class is missing.  This class is used if you want to Persist or store data. The PMF class source code is standard and Google App Engine has the sample code for it here.  If you need it, I’ve attached the code later on in this post.

As far as I recall this is what you will need to address.  Now, lets move onto storing the incoming data on the database.  I store each request in a class called an Entry.  Thus, each POST request to my servlet will be checked and if it isn’t tagged as a test, then it will be stored to the database.  The Entry object is marked as persistable and this makes it easy to store in the App Engine datastore.  Here is the code for the Entry object:

package net.zenconsult.keyserver;

import java.util.Date;

import javax.jdo.annotations.IdGeneratorStrategy;
import javax.jdo.annotations.IdentityType;
import javax.jdo.annotations.PersistenceCapable;
import javax.jdo.annotations.Persistent;
import javax.jdo.annotations.PrimaryKey;

import com.google.appengine.api.datastore.Key;



@PersistenceCapable(identityType = IdentityType.APPLICATION)
public class Entry
{
	@PrimaryKey
    @Persistent(valueStrategy = IdGeneratorStrategy.IDENTITY)
    private Key key;

	@Persistent
	private String email;

	@Persistent
	private String product;

	@Persistent
	private String version;

	@Persistent
	private String transactionId;

	@Persistent
	private Date creationDate;

	public Entry(String email, String product, String version, String transactionId)
	{
		setEmail(email);
		setProduct(product);
		setVersion(version);
		setTransactionId(transactionId);
		setCreationDate(new Date());
	}

	/**
	 * @param key the key to set
	 */
	public void setKey(Key key) {
		this.key = key;
	}

	/**
	 * @return the key
	 */
	public Key getKey() {
		return key;
	}

	/**
	 * @param email the email to set
	 */
	public void setEmail(String email) {
		this.email = email;
	}

	/**
	 * @return the email
	 */
	public String getEmail() {
		return email;
	}

	/**
	 * @param product the product to set
	 */
	public void setProduct(String product) {
		this.product = product;
	}

	/**
	 * @return the product
	 */
	public String getProduct() {
		return product;
	}

	/**
	 * @param version the version to set
	 */
	public void setVersion(String version) {
		this.version = version;
	}

	/**
	 * @return the version
	 */
	public String getVersion() {
		return version;
	}

	/**
	 * @param transactionId the transactionId to set
	 */
	public void setTransactionId(String transactionId) {
		this.transactionId = transactionId;
	}

	/**
	 * @return the transactionId
	 */
	public String getTransactionId() {
		return transactionId;
	}

	/**
	 * @param creationDate the creationDate to set
	 */
	public void setCreationDate(Date creationDate) {
		this.creationDate = creationDate;
	}

	/**
	 * @return the creationDate
	 */
	public Date getCreationDate() {
		return creationDate;
	}


}

Once you get this up and running, you have about the simplest mechanism for working with Dynamic Licensing with not only BlackBerry App World, but other stores as well.  You can, of course, make this as grandiose as you wish; that part is left as an exercise.  I’m just giving you a point to start at.

The theory behind BlackBerry phone taps

The new version of FlexiSpy (which I dissected and posted about) promises to allow a user to spy on a target when he is on a call.  They call it Call Interception.  The site says: “Call Interception is the ability to listen in to an active phone call on the target device. You specify the numbers you are interested in and when any calls to or from these numbers occur on the target, FlexiSPY PRO-X will send a secret SMS to your mobile. If you now call the target mobile, you will be added to the call.”

Knowing the APIs of the BlackBerry, I can confirm that this will work only if and when a target has conference calling enabled.  The theory is simple again.  The application hooks the “callConnected” method on the PhoneListener class.  Then when it detects a specific number that has been specified, it sends an SMS to a pre-defined number.  Once that same pre-defined number calls in during an active call, the phone automatically answers and adds the user into a three-way conference.  So its dependent on the target and his phone plan.  Thus this feature is not a guaranteed one.  One thing I plan to try out is to see if the target will actually hear the call-waiting tone before the third call is connected.  Here’s a graphic that explains how it works:

Bob calls Alice on her bugged phone

Alice's phone sends an SMS to Charlie

Charlie calls Alice's phone & is added to the conversation

In the scene above, Bob is a friend who calls Alice.  Alice has had her phone bugged by Charlie.  Charlie wants to listen into conversations between Bob and Alice.  For this to work, Alice needs to have the ability to make conference calls.  This is typically a value-added service from the mobile network operator.  Thus this attack is dependent on Alice having subscribed to such services.

Like all the other things, I’ve written about, I need to conduct some more research on it.  I’ve been busy these days with the day job and my research is taking a back seat.  Sad really.  Maybe its time to look for a job that pays me to do this stuff??  If you want the tool that lets you test out how you can remotely listen in on ambient noise and conversations, look here.

The Anatomy Of A Spyware Application – Part 1

In keeping with the spirit of raising awareness, I’m pleased to present an in-depth look at the commercial spyware application known as FlexiSpy.  Looking at its creation date, the FlexiSpy domain started its online life in July of 2008 April of 2006, more than a three years ago [thanks Spyphoneguy for pointing that out].  The site sells several products meant for mobile phones, most of them can be classified as surveillance tools.  Their product suite, once purchased, will need to be installed on a “target’s” phone.  This target is a person on whom surveillance is conducted.  Functionality includes remotely reading emails, SMS messages, call logs and of course remote listening.  Depending on the product, this will set a buyer back about $200 – $300.

Once a buyer parts with his $300, he will receive a user manual that provides information on how the application can be installed on a target’s phone.  I examined the version for the BlackBerry.  When going through the user manual, one of the first things that jumped out at me was this: explicit instructions to set the Default Permissions of the BlackBerry handheld to Allow All. This means that not just FlexiSpy, but every single application the target installs on his phone after this can gain full control (within the scope of the programming interface or API) over his handheld.  Obviously user protection is not a high priority in this case.

At this point, I haven’t installed the app yet.  I begin to do so.  By using the phone’s built-in browser, I am asked to visit the site http://djp.cc.  I need to enter my activation key here and then I am presented with a download dialog.  This download dialog is simply a JAD file.  The contents of which are listed below:

Manifest-Version: 1.0
MIDlet-Version: 3.02.04
MIDlet-Jar-Size: 232073
RIM-COD-URL-2: net_rim_app_console_pro-2.cod
MicroEdition-Configuration: CLDC-1.1
MIDlet-Jar-URL: net_rim_app_console_pro.jar
RIM-COD-Module-Dependencies: net_rim_cldc,net_rim_bbapi_mailv2,net_rim_os,net_rim_bbapi_phone,
net_rim_locationapi
RIM-COD-SHA1-2: 49 d9 a2 9c 2e 55 c2 fc da b4 2d 96 01 67 ef 7a 89 26 25 ac
RIM-COD-URL-1: net_rim_app_console_pro-1.cod
RIM-COD-SHA1-1: ab 26 1a 63 7c e9 e4 83 bc 04 2b 69 22 c7 54 5b 73 02 13 ce
RIM-COD-Size-2: 31304
RIM-COD-Size-1: 87268
RIM-COD-Module-Name: net_rim_app_console_pro
MIDlet-Name: net_rim_app_console_pro
RIM-COD-Size: 78756
RIM-COD-Creation-Time: 1246442605
RIM-COD-URL: net_rim_app_console_pro.cod
RIM-Library-Flags: 3
RIM-COD-SHA1: c9 33 b8 05 92 d8 08 e0 03 a6 21 e3 56 e7 70 0a f8 42 63 b5
MicroEdition-Profile: MIDP-2.0
MIDlet-Vendor: <unknown>

This tells a BlackBerry where to go to get the actual binary or COD file.  In this case its http://djp.cc/net_rim_app_console_pro.cod and http://djp.cc/net_rim_app_console_pro-1.cod.  Generally, if a COD file exceeds size limitations or consists of several pre-compile external libraries, there will be a need to download more than 1 file.  This is interesting because the first thing I did after installing it is look for it in my Applications screen.  It turns out that FlexiSpy is never hidden on your BlackBerry.  It remains in plain sight, but with an obscure name that looks very similar to a RIM native library.  The application is also tagged as a library.

How FlexiSpy looks when installed

FlexiSpy is installed as a library

So there it is, if you want to look for the latest version of FlexiSpy on your BlackBerries, go to Options->Advanced Options->Applications and look for “net_rim_app_console_pro“.  One thing very interesting is that if something is marked as a Library, in theory at least, you should be able to access some of the classes and methods within.  Curious, I did a “strings” on each of the COD files.  True enough, there was a list of package names, classes and methods visible – at least their names.  Since I’ve given out the URL, I’ll leave this exercise up to the reader.  I will explore possibilities of how this can be done and if indeed other applications can make use of FlexiSpy’s libraries.

Behavior

FlexiSpy requires activation before it can begin to spy on a target.  To do this, a user has to dial the number *#900900900 and then a hidden screen is activated.  On this screen, a user is prompted to enter the activation code.  Never one to leave home without my Wireshark, I sniffed the traffic that went through during the activation process.  Here is the information that went across the wire:

POST /t4l-mcli/cmd/productactivate?mode=0&ver=0302&pid=FSP_BB_V4.2&actcode=[Activation Code]
&hash=[IMEI]&phmodel=8300(4.5.0.44) HTTP/1.1

This request is made to a server with second level domain “aabackup.info” It resolves to the same IP Address as the host djp.cc listed above.  As you can see, the phone’s IMEI is being sent back to FlexiSpy HQ.  Also visible is the Activation Code.  What is returned is a hash value which I didn’t look into very closely yet.  Presumably the phone calculates a similar algorithm and waits for a matching hash.  Once the correct hash is received the app is activated.

From this point out, its a case of configuring the application to intercept SMS messages, email messages, call logs, etc.  The application has a command channel through SMS.  Thus, you have a list of about 8 commands which do the following:

• Start Capture – Begin capturing events like email, sms, location, etc
• Stop Capture – Stop an already started capture
• Send Immediate – Send all collected events to the central logging host
• Send Diagnostics – Send diagnostic info
• Start SIM Monitor – Watch for any attempt at changing the SIM
• Stop SIM Monitor – Stop
• Start Mic Monitor – Wait for calls from a trigger number
• Stop Mic Monitor – Stop

The funny thing is that the command channel SMS messages cannot be deleted, so the manual advises a user to select short phrases like “Good morning” or some such to begin capturing information.  The phrases should be chosen so as not to arouse the target’s suspicion.

Detection

FlexiSpy relies very heavily on Listeners.  Even to bring up its secret screen, it adds a PhoneListener to wait for a specific number to be dialed.  This ensures that no running applications exist on the phone.  It uses these built-in features of the BlackBerry to remain cloaked.  It sits in plain sight in your applications directory and FlexiSpy can choose to constantly change its name whenever they release a new version.  I am incorporating the detection of both FlexiSpy and Mobile-Spy in my Kisses app.  I have a few ideas on how I can write a one time detector for FlexiSpy and Mobile-Spy.  The theories are on the drawing board at the moment.  I have to find a way to bring it into the code.

I expect to do a much more detailed write up on both FlexiSpy and Mobile-Spy and a much needed paper on what BlackBerry users can do to protect themselves.

Acknowledgments

Special thanks go out to Spyphoneguy for all his help!

Kiss your BlackBerry spyware goodbye

I have released the latest version of Kisses.  I promised everyone in my Hack In The Box presentation that I would release newer versions of the toolkit Bugs & Kisses.  Today, I hopefully deliver on that promise.  As far as I’m aware, this tool is the first of its kind to be offered to BlackBerry users that is free.  In short, the tool detects hidden programs installed on your handheld.  If any are found, it allows you to reveal them so that you can remove them more easily.  If you recall the Etisalat fiasco, their spyware tool would hide itself and make it very difficult for an average user to remove from his BlackBerry [whitepaper here].  With Kisses, you will be able to reveal such programs very easily.  Additionally, Kisses also shows you any hidden processes on your handheld.  It also allows you to drill down further into each program and reveal information about its vendor, download date/time, size and process id.

Before I released the tool, I had a lot of people asking me if it will detect the FlexiSpy program.  While I didn’t want to spend close to $200 just to find out if it does, I am very certain that Kisses can detect it.  How do I know? Because Kisses will probe 2 areas of your handheld:  1) All running processes belonging to all applications on your handheld 2) All installed applications regardless of whether they are hidden or not.  This gives you an idea of exactly what is running on your handheld at any one time.  By letting you drill down further, you can discover more details of each application module.  With these capabilities, you’re bound to find not only FlexiSpy, but other bits of spyware  or suspicious applications as well (provided an undiscovered variant exists).

This is a project I’m very keen in and will be actively pursuing its upkeep.  I have a whole list of enhancements and features to add to it.  You can check the website for updates.  Alternatively subscribing to this blog, following me on twitter or LinkedIn will also keep you updated.

BlackBerry OS 5.0.0 knows what you install

I took a look at the new BlackBerry version 5.0.0 Operating System API.  RIM is offering the simulator and development kit as a Beta release and I think the OS has already been leaked online.  One excellent feature that RIM have added is the CodeModuleListener.  This interface allows a developer to design an application that knows when applications or modules are installed, deleted or scheduled for deletion on the handheld.  Its got three methods:

1. moduleDeletionsPending()
2. modulesAdded()
3. modulesDeleted()

Once implemented correctly, you can look at it like a security guard that sits in front of a room, guarding the door.  Nothing is allowed into or out of the room without the guard knowing.  Once the guard knows somethings coming in, he can call up central that tells him what to do next: block the entry, for example.

I plan on implementing this interface in my Kisses application; most likely in a later release as most of my code is ready to go and I’m only testing things out right now.  Once completed, Kisses will not only be able to detect hidden processes and programs, but it will also be able to warn you when something is either being installed or removed from your handheld (that is, only if you have 5.0.0).  You can jury rig a similar set of functionality, but you’d have to write a lot of code for it and even then, it won’t be as real-time as using CodeModuleListener so I’m not going in that direction.

The trick is, that it can be a double-edged sword, though.  If an application can use this feature for good, then an application might be able to use this feature for evil purposes as well.  It requires a bit more research and I’ll share the results here.

Remote Listening for the BlackBerry

I first blogged about PhoneSnoop, a component of Bugs, a few days ago.  PhoneSnoop demonstrates how a BlackBerry can be used to spy on its owner.  It cannot listen into phone conversations or conduct phone taps on BlackBerry handhelds at the moment.  It is, however, possible to add a feature that makes phone taps work.  I have written more on how to tap phone calls here.  FlexiSpy is offering this service in its new version.  Incidentally, I took apart FlexiSpy and wrote a brief post on it.  While the BlackBerry remains one of the more secure devices out there, user awareness and education is paramount to remaining completely safe from spyware.  I tweaked the application since my first post now allowing anyone to download, install and try it.  PhoneSnoop now has the ability for a user to customize the ‘trigger number’; rather than me having to give out customized versions.

Download PhoneSnoop and take a look at the User Guide

PhoneSnoop – Turn a BlackBerry into a portable bug

I’m back at work after attending Hack in the Box security conference.  It was an excellent conference and I managed to catch up with a few friends and industry professionals.  The Malaysian conference is still by far bigger than the one held in Dubai.  This year saw roughly 600 people.  I also heard that the HITB crew is adding a new location to the list of venues – Amsterdam.  Now that will most likely be an awesome con.

I promised everyone at the conference that I’d have a working application that can spy on the audio of other users who own a BlackBerry.  I am ready to deliver on that promise today.  This post is a prelude to the release of the tool.  I’ve so far not packaged it with Bugs.  Its a separate program that I named PhoneSnoop.  Please note that PhoneSnoop is not an application that does Phone Taps or give you the ability to listen into phone calls.  It can be done, however, and you can read more on that how to tap calls here.  I’d like to have some volunteer beta testers  to see how well the application works You can now download PhoneSnoop directly from here by using your BlackBerry (be sure to read the guide and also make sure to set your input language to English US for the app to work correctly).  You will be able to configure your own phone number.  If you’re interested, please mail me on zen.chopstick@gmail.com For the chickens out there, here’s a video of the app in action (I’ve not got audio on it, but it has closed captioning so make sure you turn it on).  I’m working on a video that shows the app on a real handheld with commentary, but for now, make do with this :p

PhoneSnoop – BlackBerry Bugging Application

Here’s how it works:

You install and run PhoneSnoop on a victims’ BlackBerry.  PhoneSnoop sets up a PhoneListener and waits for an incoming call from a specific number.  Once it detects a call from that specific number, it automatically answers the victims’ phone and puts the phone into SpeakerPhone mode.  This way, the attacker that called can now hear whats going on at the victims end.  Pretty simple right?  In the video above, I have setup PhoneSnoop to listen in for calls originating from +12120031337.  I first make a call from +12120031336 to show that there’s no effect.  Then, I show what happens when a call is made from the expected number.  The demo is on the BlackBerry simulator for now, but I’m working on bringing you a video that demonstrates the application on a real BlackBerry Bold.

Installation Instructions:

1. Grab your friend’s BlackBerry
2. Download PhoneSnoop from the URL I mail you
3. Once installed, go to Options->Advanced Options->Applications->PhoneSnoop->Edit Permissions and change the “Input Simulation/Event Injection” to “Allow”
4. Run PhoneSnoop

Checking the bugging capabilities:

1. Call the victims phone number
2. Listen

I will need to give you a customized version of PhoneSnoop hence there’s no download.  If you’re interested in trying it, mail me at zen.chopstick@gmail.com.  Include your phone number so that I can code it into the application.  I’m not doing a general release at the moment because of the implications of this tool.  I’m mainly looking for feedback so that I can refine the tool and write a paper on it. The tool is now available for general release.  Anyone can download it.  Go here to read more.

BlackBerry QRCodes – A look inside

So I was curious about what the new BlackBerry Messenger 5.0 QRCodes actually contained.  More than that, I was curious to find out if someone can inject weird characters and make the handhled do weird things.  So the first thing I did was get a hold of my own QRCode.  Then I grabbed a copy of the QRCode Library from SourceForge.  I then ran it on my own QRCode to see what was inside.  Here’s what I found:

So the output of my QRCode is

bbm:20fe2f6059cc5086Sheran Gunasekera

Okay, breaking it down, the first 4 characters, “bbm:” indicate the protocol (BlackBerry Messenger).  The next 8 characters is my PIN.  Still trying to figure out what the remaining 8 characters are, and then lastly, my name.

Then I thought I’d create my own QRCode and try to see what I can make the handheld.  I visited Kaywa and generated my own QRCodes and had the BlackBerry Messenger read it in.  Here are my results:

Changing the PIN:

I changed the PIN to various numbers, letters and characters.  The BBM only read a QRCode where the PIN was a Hex number.  It would then immediately send a Invite to the specific PIN number that I had entered.

Changing the remaining 8 Hex characters:

When I changed the 8 characters adjacent to the PIN, the invitation would go out normally.  I tried with non Hex characters and it still went through.  When I changed the characters to ones like “¡™£¢∞§¶•” made using the Alt key and numbers on my Mac, nothing happened; meaning the QRCode was not read by the BBM.

Changing the name:

I changed my name and nothing really happened.  When I did the special characters like the ones from above, the QRCode was not read.  I’m still wondering if this is as a result of the Kawaya QRCode generator or because the BBM is explicitly told to ignore these characters.

I tried to generate a long name by filling the name field with all A’s.  The BBM read the code without much of an issue.  I think as per QRCode standards, the amount of data you can store in one is limited anyway.  The official QRCode site lists the Maximum amount of data you can store on a QRCode (Binary/Byte) is 2953 characters.  I set out to find a generator that can build me a QRCode of that size.  I downloaded the trial version of the Java Barcode generator from BarCodeLib.com.  Using their tool to generate a QRCode, the maximum size I was successfully able to read was 106 characters.  Granted I only tried a small percentage of the features available to me, but for this post, I’ll go with this amount.  I will continue to test and post results whenever I feel like it.  For now that’s as good as it gets.

So in summary: The BBM QRCode reader has a specific format for invites.  It is not possible to alter these values to a certain extent.  It is not possible to inject data long enough to cause any overflows.  It is also not possible to inject unexpected characters.  On a sort of related note, the new BBM 5.0 sucks.  Its file transfer for photos is the worst thing RIM have ever done.  Since I upgraded, I have not been able to successfully send my contacts a photo from my BB.

@ HITB in KL

I’m at HackInTheBox in KL at the moment.  Delivered my presentation early on today.  The tools I spoke about, Bugs and Kisses, are available in the Resources section.  I’ll do a more detailed write up sometime in the future.

How I tell my clients that XSS is bad

The mixed bag of reactions to XSS or Cross Site Scripting vulnerabilities is interesting to watch.  As a security professional, I’ve audited banking applications based on web technologies and have in all cases come away with at least one XSS vulnerability.  When presented to the client and to the vendor, I get some interesting reactions.

“You can’t compromise an application using XSS”

Before I open up this can of worms, I can tell you that both vendor and client have told me this.  I then try to explain to them how things are generally interwoven and connected to each other and how you CAN own an application through XSS if done in a correct manner.

With XSS, you usually end up owning the USER of the application and thus can build up on your attack.

“You cannot alter any data using XSS”

With a reflected XSS attack, yes, you cannot change any stored data on an application.  You can, however, change the User Interface significantly.  You can swap out an entire page using a reflected XSS attack to make a user think he is on another screen of the application.  Like the login page for example or injecting an iframe.  The only catch is that you have crafted this login page using HTML and JavaScript and have presented it to him as if it were part of the legitimate site.  The login form sends his password to a server you control, but nothing is altered on the application database to begin with.

In the above examples and all cases of XSS, one thing is common.  The scope of this vulnerability is confined to that of the application user.  You do not use XSS to attack the application directly.  You use it to attack the user and indirectly attack the application.  So an XSS is more comparable to a pseudo social-engineering attack where you are tricking the user into revealing his credentials (enter his password on a crafted password screen or stealing his cookie).

The easiest way I find to present an XSS vulnerability, even before I put it in a report, is to call all the project stakeholders into a room and demo it to them.  I tell them that I have some findings to share with them and would like a few minutes to show them a live demo.  I then load up the application page that they are all familiar with.  Open up my email client to a received message[1], click on the XSS laden link[2] and show them a perfectly legitimate login screen of their application.  I log in using credentials I was given and then continue to access one of the application’s functions as normal.

After a few seconds, I stop and tell them that I was just a victim of an XSS attack.  Then I move into the technical details.  I find this approach to be quite effective[3].  It raises awareness in a way that the client can relate to.  What they perceive to be a legitimate session turns out to be an attacker controlled phishing attack of sorts.

[1] I create this message and send it to myself to simulate a company employee receiving an email from another person.

[2] I sometimes obfuscate the link, but usually I use HTML mail to show them an underlined “Click Here” phrase when the actual link is a stager.  I send an include (hex encoded <script src> tag) to a remote JavaScript file that contains the code to render the fake login page.

[3] My setup includes a remote site under my control where I host the malicious, custom written JavaScript files.  I have a backend script to pick up the posted information and send me a neat little email containing the cookie (if any), username and password and some other relevant data.  If one of the executives has a connected laptop, I will invite him to try it himself.  In the early days, I would send the link out to all the application users first by spoofing an internal email.  Then, I’d compile a list of the users affected and share the information with the executives in the meeting.

I’ve had more positive responses using this approach than trying to put it in the report only to have several opinions thrown back from the client and the vendor that show a lack of knowledge on the subject.

XSS attacks are very common and can be used to great effect.  I am not alone when I say that XSS is very badly misunderstood and the threat that it poses is often ignored.  I think a hands-on approach of this nature, even though it takes more time and effort, is worthwhile in spreading the word.  Sometimes, you just have to spend the effort to demo your vulnerabilities to put things into context.  Your clients will appreciate it and remember it more than just reading a report.