vfsfitvnm
commented
10 months ago Hi :smile:
The following are January 2022 findings of mine mixed to what I read online - I don't know the details and they might be outdated!
- Loading the second payload into memory (a
mmapsyscall) so that it can be executed: you just can'tmmapa file from an arbitrary path as executable - you must change its security context tou:object_r:apk_data_file:s0first. - Loading the target library (using
dlopen): certain regions of memory are allowed todlopencertain paths only (due to linker namespaces); the second payload has no explicit namespace attached to it, hence it can only load libraries that lives in the app native library folder (and probably from somewhere else). The quickest solution I could think of is simply copying the target library into the app library folder (e.g./data/app/com.example.application/lib/arm64/), so that an anonymous region of memory candlopenit. The fun fact is that any file in the very same directory can also bemmapped as executable, so I also copy the second payload in there to avoid changing its security context.
I don't think it breaks the app integrity as it's a reversible operation - but yes - copying the target library overwrites any existing file with the same name - so make sure there is no clash between file names.
This is probably a workaround rather than a caveat, but I can already imagine it won't be feasible anymore in future Android versions. Moreover, an application could simply check for intruders in its native library directory :smiley_cat:
Hello! Thank you for sharing this cool project.
I'm interested in understanding the following caveat you mention about Android:
Specifically, do you think copying the lib to the native library directory could cause problems in terms for breaking app integrity? Or if not, why exactly is this caveat a caveat? Thanks very much!