Sign in to follow this  
Followers 0
FLdtL9

Android WPA key unrooted

6 posts in this topic

I was wondering since I have a Chromecast for not so long.

The Home application from Google, read the wpa_supplican.conf file and sends the WPA password of your network to your chromecast.
How can this app that runs in the same limited dvm/jvm read this config file while others can't because you need root access? 

/My life off

Now let's extract Home_com.google.android.apps.chromecast.app and decompile the code and search for some strings/hints.

asgasg.png

/com/google/android/apps/chromecast/app/o/m.smali / a.class

package com.google.android.apps.chromecast.app.o;

import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.ConnectivityManager;
import android.net.NetworkInfo;
import android.net.wifi.ScanResult;
import android.net.wifi.WifiConfiguration;
import android.net.wifi.WifiInfo;
import android.net.wifi.WifiManager;
import android.os.Build.VERSION;
import android.provider.Settings.Global;
import android.provider.Settings.Secure;
import android.text.TextUtils;
import com.google.android.apps.chromecast.app.a.b;
import com.google.android.apps.chromecast.app.a.c;
import com.google.android.apps.chromecast.app.util.aa;
import com.google.android.apps.chromecast.app.util.ae;
import com.google.b.b.f.v;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.BitSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

public final class a
{
  static
  {
    new ArrayList(Arrays.asList(new Integer[] { Integer.valueOf(0), Integer.valueOf(2412), Integer.valueOf(2417), Integer.valueOf(2422), Integer.valueOf(2427), Integer.valueOf(2432), Integer.valueOf(2437), Integer.valueOf(2442), Integer.valueOf(2447), Integer.valueOf(2452), Integer.valueOf(2457), Integer.valueOf(2462), Integer.valueOf(2467), Integer.valueOf(2472), Integer.valueOf(2484) }));
  }
  
  public static String a(WifiInfo paramWifiInfo)
  {
    if (paramWifiInfo == null) {
      return "";
    }
    return a(paramWifiInfo.getSSID());
  }
  
  private static String a(String paramString)
  {
    String str;
    if (paramString == null) {
      str = "";
    }
    do
    {
      do
      {
        return str;
        str = paramString;
      } while (!paramString.startsWith("\""));
      str = paramString;
    } while (!paramString.endsWith("\""));
    return paramString.substring(1, paramString.length() - 1);
  }
  
  public static Set a(Context paramContext, String[] paramArrayOfString)
  {
    HashSet localHashSet = new HashSet();
    paramContext = (WifiManager)paramContext.getSystemService("wifi");
    if (paramContext != null) {
      try
      {
        paramContext = paramContext.getScanResults();
        if (paramContext != null)
        {
          paramContext = paramContext.iterator();
          while (paramContext.hasNext())
          {
            ScanResult localScanResult = (ScanResult)paramContext.next();
            String str = a(localScanResult.SSID);
            if ((!TextUtils.isEmpty(str)) && (!a(localScanResult.BSSID, paramArrayOfString))) {
              localHashSet.add(str);
            }
          }
        }
        localHashSet.size();
      }
      catch (RuntimeException paramContext)
      {
        aa.a("NetworkUtil", "Could not get Wi-Fi scan results: %s", new Object[] { paramContext });
        return localHashSet;
      }
    }
    aa.a();
    return localHashSet;
  }
  
  public static boolean a(int paramInt)
  {
    return (paramInt >= 4915) && (paramInt <= 5825);
  }
  
  public static boolean a(Context paramContext)
  {
    paramContext = ((ConnectivityManager)paramContext.getSystemService("connectivity")).getActiveNetworkInfo();
    return (paramContext != null) && (paramContext.isConnected());
  }
  
  public static boolean a(Context paramContext, k paramk)
  {
    if (!paramk.b().k) {}
    do
    {
      do
      {
        return false;
      } while ((!a(paramk, null)) || (!a(paramk.a(), null)) || (!ae.h()));
      paramContext = ((WifiManager)paramContext.getSystemService("wifi")).getConfiguredNetworks();
    } while (paramContext == null);
    paramContext = paramContext.iterator();
    WifiConfiguration localWifiConfiguration;
    do
    {
      if (!paramContext.hasNext()) {
        break;
      }
      localWifiConfiguration = (WifiConfiguration)paramContext.next();
    } while ((TextUtils.isEmpty(localWifiConfiguration.SSID)) || (!TextUtils.equals(localWifiConfiguration.SSID.replaceAll("^\"|\"$", ""), paramk.a())));
    for (boolean bool = true;; bool = false) {
      return bool;
    }
  }
  
  public static boolean a(k paramk, c paramc)
  {
    if (!paramk.b().k) {}
    do
    {
      return false;
      if ((paramk.b() != m.c) && (paramk.b() != m.d)) {
        break;
      }
    } while (paramc == null);
    paramk = new com.google.android.apps.chromecast.app.a.a(v.s).a(paramc);
    b.a().a(paramk.a(4));
    return false;
    return true;
  }
  
  public static boolean a(String paramString, c paramc)
  {
    if (TextUtils.isEmpty(paramString)) {}
    do
    {
      return false;
      if ((ae.a(paramString)) || (ae.i())) {
        break;
      }
    } while (paramc == null);
    paramString = new com.google.android.apps.chromecast.app.a.a(v.s).a(paramc);
    b.a().a(paramString.a(3));
    return false;
    return true;
  }
  
  public static boolean a(String paramString1, String paramString2)
  {
    if ((paramString1 == null) || (paramString2 == null)) {
      return false;
    }
    return a(paramString1).equals(a(paramString2));
  }
  
  private static boolean a(String paramString, String[] paramArrayOfString)
  {
    if (paramArrayOfString == null) {}
    for (;;)
    {
      return false;
      int j = paramArrayOfString.length;
      int i = 0;
      while (i < j)
      {
        String str = paramArrayOfString[i];
        if (paramString.toUpperCase().startsWith(str.toUpperCase())) {
          return true;
        }
        i += 1;
      }
    }
  }
  
  public static boolean b(Context paramContext)
  {
    paramContext = ((ConnectivityManager)paramContext.getSystemService("connectivity")).getNetworkInfo(1);
    return (paramContext != null) && (paramContext.isConnected());
  }
  
  public static k c(Context paramContext)
  {
    if (!b(paramContext)) {}
    WifiInfo localWifiInfo;
    do
    {
      return null;
      paramContext = (WifiManager)paramContext.getSystemService("wifi");
      localWifiInfo = paramContext.getConnectionInfo();
    } while (localWifiInfo == null);
    paramContext = paramContext.getConfiguredNetworks();
    Object localObject;
    if (paramContext != null)
    {
      localObject = paramContext.iterator();
      do
      {
        if (!((Iterator)localObject).hasNext()) {
          break;
        }
        paramContext = (WifiConfiguration)((Iterator)localObject).next();
      } while (paramContext.networkId != localWifiInfo.getNetworkId());
    }
    for (;;)
    {
      localObject = new k();
      ((k)localObject).a(a(localWifiInfo));
      if (paramContext != null) {
        ((k)localObject).d(paramContext.BSSID);
      }
      if (paramContext != null) {
        if (paramContext.allowedKeyManagement.get(1)) {
          paramContext = m.h;
        }
      }
      for (;;)
      {
        ((k)localObject).a(paramContext);
        return (k)localObject;
        if ((paramContext.allowedKeyManagement.get(2)) || (paramContext.allowedKeyManagement.get(3)))
        {
          paramContext = m.i;
        }
        else if (paramContext.wepKeys[0] != null)
        {
          paramContext = m.c;
        }
        else
        {
          paramContext = m.b;
          continue;
          paramContext = m.a;
        }
      }
      paramContext = null;
    }
  }
  
  public static void d(Context paramContext)
  {
    paramContext = (WifiManager)paramContext.getSystemService("wifi");
    if (paramContext != null) {
      paramContext.startScan();
    }
  }
  
  public static String e(Context paramContext)
  {
    paramContext = ((WifiManager)paramContext.getSystemService("wifi")).getConnectionInfo();
    if (paramContext == null) {
      return "";
    }
    return a(paramContext);
  }
  
  public static boolean f(Context paramContext)
  {
    paramContext = paramContext.getContentResolver();
    int i;
    if (Build.VERSION.SDK_INT >= 17)
    {
      i = Settings.Global.getInt(paramContext, "wifi_watchdog_poor_network_test_enabled", -1);
      if (i == -1) {
        break label48;
      }
      if (i != 1) {
        break label46;
      }
    }
    label46:
    label48:
    while (Build.VERSION.SDK_INT < 17)
    {
      return true;
      i = Settings.Secure.getInt(paramContext, "wifi_watchdog_poor_network_test_enabled", -1);
      break;
      return false;
    }
    try
    {
      paramContext = Class.forName("android.net.wifi.WifiWatchdogStateMachine").getField("DEFAULT_POOR_NETWORK_AVOIDANCE_ENABLED");
      if (!paramContext.isAccessible()) {
        paramContext.setAccessible(true);
      }
      boolean bool = paramContext.getBoolean(null);
      return bool;
    }
    catch (IllegalAccessException paramContext)
    {
      return false;
    }
    catch (NoSuchFieldException paramContext)
    {
      return false;
    }
    catch (ClassNotFoundException paramContext)
    {
      return false;
    }
    catch (IllegalArgumentException paramContext) {}
    return false;
  }
  
  public static Intent g(Context paramContext)
  {
    Intent localIntent = new Intent("android.settings.WIFI_IP_SETTINGS");
    if (paramContext.getPackageManager().resolveActivity(localIntent, 65536) != null) {}
    for (int i = 1; i != 0; i = 0) {
      return localIntent;
    }
    return null;
  }
}

Hmm..

Share this post


Link to post
Share on other sites

App must  have different permissions or is executed differently?

Share this post


Link to post
Share on other sites
10 hours ago, Protocol said:

App must  have different permissions or is executed differently?

Not sure, but none of the applications in the Google Play Store are able to read the wpa_supplicant.conf file, I tried it with a terminal emulator as well. No results (access denied).
While on a rooted device, you can read it without problems, it's a plain text file. I thought It would be handy to read it some time when you lost a password.

Here are the Home application permissions :

Quote

    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.MANAGE_ACCOUNTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
    <uses-permission android:name="com.google.android.apps.chromecast.app.permission.C2D_MESSAGE"/>
    <uses-permission android:name="com.google.android.providers.gsf.permission.READ_GSERVICES"/>

 

Share this post


Link to post
Share on other sites

Have you also checked what chmod permissions /chown/user groups the app belongs to / as this might shed a little more light on the problem, I don't own a chromecast so I am just suggesting ideas.

Is there a debug app you can run against the app to see where it read/write from?

Share this post


Link to post
Share on other sites

Posted (edited)

3 hours ago, Protocol said:

Have you also checked what chmod permissions /chown/user groups the app belongs to / as this might shed a little more light on the problem, I don't own a chromecast so I am just suggesting ideas.

Is there a debug app you can run against the app to see where it read/write from?

I can't debug it,as soon as I rebuild the decompiled smali code, with apktool after adding android:debuggable="true" it won't install on my phone. Parsing error so rebuilding the xml file fails, and editing with a hex editor did the same. Can't do really much besides that I guess :(

Edited by FLdtL9

Share this post


Link to post
Share on other sites

Posted (edited)

I found out by reverse engineering another android application that adding the debuggable attribute to true, the applcation can indeed be debugged in a live device in user mode, but it's useless imho. I first had to build my own debuggable app and then deflate the pkz and cp the right hex bytes and added these to another xml manifest file, because apktool_2.0.x.x was broken on newer builds. Now in the new apktool_2.2.2 that I've tried yesterday it nicely works and manifest is ok.

But I still didn't reach my goal yet.. Next vector was trying not to patch the dalvik executable in such way to be able to do what I wanted but to downgrade all secure SSL connections. Eventually it worked and did a man in the middle attack. Strangely enough I can't get the application to do what I want it to do. I debugged the application with AS IDE and it again was a pain in the arsh to find out the application really got feeded with my altered network reponse.. Problem is I can't find anything related in the source code, function names are all messed up hence there's no obfucator used of some kind. The src is just so big that it uses classes2.dex lol. If this worked I would have tried to mess with xposed framework, because I know the function name, but I haven't found the code that belongs to it (So I don't know what to alter..). Will try to give JEB a shot maybe I will be able to find what I am looking for..

Perhaps my expectations are a bit too high for a application that has a big financial budget in development and security.. Ah well, it was worth the time anyway.

 

Edited by FLdtL9

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0