mountainfire77 / droidbox

Automatically exported from code.google.com/p/droidbox
0 stars 0 forks source link

Dummy IMEI can be bypassed in Droid 4.1 #60

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. adb shell
2. su
3. service call iphonesubinfo 1

What is the expected output? What do you see instead?
The hard-coded dummy IMEI "357242043237511" should appear.
Instead, a full-zero IMEI is returned.

What version of the product are you using? On what operating system?
DroidBox 4.1, Ubuntu 12.04 x64 and Windows 7 x64

Please provide any additional information below.

The problem is due to an incorrect implementation of dummy IMEI. 
The dummy IMEI is at droidbox4.1.1/patches/framework_base.patch:2147

We note that the dummy IMEI should be implemented in IPhoneSubinfo.java instead 
of TelephonyManager.java.
A malicious application can bypass the TelephonyManager and directly talks to 
the iphonesubinfo service with Binder IPC. Therefore, the dummy IMEI cannot 
cheat a malicious app to believe that it is not in an emulator.
Furthermore, "357242043237511" is not a valid IMEI.

A fix can be found at droidbox23/framework_base.patch:377

We are security researchers from SEFCOM, Arizona State University 
(http://sefcom.asu.edu). We have discussed this issue in our paper "Morpheus: 
Automatically Generating Heuristics to Detect Android Emulators", which will 
appear at the 30th Annual Computer Security Applications Conference 
(http://www.acsac.org/2014). 
Should you have any comments please feel free to let us know.
Please contact Yiming Jing (ymjing@asu.edu) and Dr. Gail-Joon Ahn 
(gahn@asu.edu).

Original issue reported on code.google.com by yji...@asu.edu on 4 Sep 2014 at 11:48

GoogleCodeExporter commented 9 years ago
Please have a look at the attached files. IMEI1.PNG shows the output returned 
by the TelephoneManager and IMEI2.PNG shows the value returned by the Settings 
and ADB. On further analysis I observed that the "357242043237511" has been 
embedded in system.img supplied with Droidbox, where as "000000000000000" was 
modified by me to "123123123123123" in emulator image file supplied with the 
Android SDK. Apparently when an application requests for IMEI "357242043237511" 
is shown. Kindly look into the issue.

Easy Fix: Modify the emulator image with the same IMEI.

Original comment by shiris...@gmail.com on 2 Apr 2015 at 9:30

Attachments: