vinmittal / SecurityTrainingPub


Android Security Investigations #6

Open vinmittal opened 8 years ago

vinmittal commented 8 years ago

@srgnuclear is looking at Android security anomaly algorithms. The first step is to observe the applications and their behavior. Please select an Android network monitoring tool that keeps an eye on the processes. The first task is to deposit their logs.

@rishabhsixfeet @DDhwanil

Sorry, I forgot who all are keen on Android; please let me know.

harshdattani commented 8 years ago

I would like to work on Android

srgnuclear commented 8 years ago

We can use logcat, provided by Android Studio, to read all logs either in the terminal using adb logcat or directly in Android Studio. We can also then save or filter logs using the various commands provided on developer.android.com.

On Thu, Oct 1, 2015 at 12:33 PM, Harsh Dattani notifications@github.com wrote:

I would like to work on Android


harshdattani commented 8 years ago

@vinmittal @srgnuclear Also, we can use Android Device Monitor from Android Studio; it also helps with monitoring network traffic and the process log. @DDhwanil and I tried Android Device Monitor yesterday.

Docs are here: http://developer.android.com/tools/help/monitor.html

vinmittal commented 8 years ago

Great, please submit some logs; hopefully you have some system and WhatsApp activity as well.

Are most apps using HTTP or HTTPS to talk to their hosted web services?

Please propose a method to remotely sync Android logs with a server.

In the case of mobile we cannot connect to them over the network, so maybe there needs to be an app to push the logs out.

Will Flume work on Android, for example, or do there need to be other ways to push/pull logs securely?

Thanks

Vineet


srgnuclear commented 8 years ago

The attached file consists of log messages with the tag "ActivityManager" at priority "Info" or above, and all log messages with the tag "whatsapp" at priority "Debug" or above. I will get back on the other questions listed in the previous mail.


--------- beginning of crash
--------- beginning of system
I/ActivityManager( 977): Start proc livio.pack.lang.en_US for broadcast livio.pack.lang.en_US/.BasicWidgetXL: pid=29121 uid=10167 gids={50167, 9997, 3003, 1028, 1015} abi=armeabi-v7a
I/ActivityManager( 977): Process com.motorola.context (pid 28991) has died
I/ActivityManager( 977): Start proc com.google.android.talk for broadcast com.google.android.talk/com.google.android.apps.hangouts.realtimechat.RealTimeChatService$AlarmReceiver: pid=29167 uid=10068 gids={50068, 9997, 3003, 1028, 1015, 3002} abi=armeabi-v7a
I/ActivityManager( 977): Process com.android.providers.calendar (pid 28965) has died
I/ActivityManager( 977): Process com.google.android.calendar (pid 29017) has died
I/ActivityManager( 977): START u0 {act=android.intent.action.CALL_PRIVILEGED dat=tel:xxxxxxxxxxx cmp=com.android.server.telecom/.PrivilegedCallActivity (has extras)} from uid 10014 on display 0
I/ActivityManager( 977): START u0 {act=android.intent.action.MAIN flg=0x10840000 cmp=com.android.dialer/com.android.incallui.InCallActivity (has extras)} from uid 10014 on display 0
I/ActivityManager( 977): START u0 {act=android.intent.action.MAIN cat=[android.intent.category.HOME] flg=0x10200000 cmp=com.android.launcher/com.android.launcher2.Launcher} from uid 1000 on display 0
I/ActivityManager( 977): START u0 {act=android.telecom.action.INCOMING_CALL flg=0x10000000 pkg=com.android.server.telecom cmp=com.android.server.telecom/.IncomingCallActivity (has extras)} from uid 1001 on display 0
E/ActivityManager( 977): Invalid thumbnail dimensions: 384x384
I/ActivityManager( 977): Start proc android.process.media for content provider com.android.providers.media/.MediaProvider: pid=29804 uid=10016 gids={50016, 9997, 1028, 1015, 1023, 1024, 2001, 3003, 3007} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.android.deskclock for broadcast com.android.deskclock/com.android.alarmclock.DigitalAppWidgetProvider: pid=29836 uid=10012 gids={50012, 9997, 1028} abi=armeabi-v7a
I/ActivityManager( 977): Process livio.pack.lang.en_US (pid 29121) has died
I/ActivityManager( 977): START u0 {act=android.intent.action.MAIN flg=0x10840000 cmp=com.android.dialer/com.android.incallui.InCallActivity (has extras)} from uid 10014 on display 0
I/ActivityManager( 977): Start proc com.android.mms for broadcast com.android.mms/.transaction.PrivilegedSmsReceiver: pid=29922 uid=10028 gids={50028, 9997, 3003, 1028, 1015} abi=armeabi-v7a
I/ActivityManager( 977): Process android.process.media (pid 29804) has died
I/ActivityManager( 977): Process com.google.android.gms:car (pid 28600) has died
I/ActivityManager( 977): Process com.android.deskclock (pid 29836) has died
I/ActivityManager( 977): START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x1000c000 cmp=com.android.mms/.ui.ConversationList} from uid 10028 on display 0
I/ActivityManager( 977): START u0 {dat=content://mms-sms/conversations/370 flg=0x34000000 cmp=com.android.mms/.ui.ComposeMessageActivity} from uid 10028 on display 0
--------- beginning of main
I/ActivityManager( 977): Start proc com.motorola.context for broadcast com.motorola.context/.receiver.DateChangeBroadcastReceiver: pid=30378 uid=10008 gids={50008, 9997, 3001, 3002, 3003} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.qualcomm.timeservice for broadcast com.qualcomm.timeservice/.TimeServiceBroadcastReceiver: pid=30431 uid=10095 gids={50095, 9997} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.android.deskclock for broadcast com.android.deskclock/.AlarmInitReceiver: pid=30407 uid=10012 gids={50012, 9997, 1028} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.google.android.calendar for broadcast com.google.android.calendar/com.android.calendar.widget.CalendarAppWidgetProvider: pid=30449 uid=10063 gids={50063, 9997, 3003, 1028, 1015} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.android.providers.calendar for content provider com.android.providers.calendar/.CalendarProvider2: pid=30470 uid=10005 gids={50005, 9997, 3003, 1028, 1015} abi=armeabi-v7a
I/ActivityManager( 977): Killing 29167:com.google.android.talk/u0a68 (adj 15): empty #7
I/ActivityManager( 977): Start proc com.socialnmobile.dictapps.notepad.color.note for broadcast com.socialnmobile.dictapps.notepad.color.note/com.socialnmobile.colornote.receiver.TimeChangedReceiver: pid=30545 uid=10116 gids={50116, 9997, 1028, 1015, 3003} abi=armeabi-v7a
I/ActivityManager( 977): Killing 28582:com.android.incallui/u0a14 (adj 15): empty #7
I/ActivityManager( 977): Killing 29922:com.android.mms/u0a28 (adj 15): empty #7
I/ActivityManager( 977): Start proc com.google.android.googlequicksearchbox:search for service com.google.android.googlequicksearchbox/com.google.android.sidekick.main.TrafficIntentService: pid=30603 uid=10041 gids={50041, 9997, 3003, 3001, 1028, 3002, 1015, 1005} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.google.android.partnersetup for content provider com.google.android.partnersetup/.RlzAppProvider: pid=30676 uid=10023 gids={50023, 9997, 3003} abi=armeabi-v7a
I/ActivityManager( 977): Killing 30431:com.qualcomm.timeservice/u0a95 (adj 15): empty #7
I/ActivityManager( 977): Killing 30545:com.socialnmobile.dictapps.notepad.color.note/u0a116 (adj 15): empty #7
I/ActivityManager( 977): START u0 {act=android.telecom.action.INCOMING_CALL flg=0x10000000 pkg=com.android.server.telecom cmp=com.android.server.telecom/.IncomingCallActivity (has extras)} from uid 1001 on display 0
I/ActivityManager( 977): Start proc com.google.android.talk for broadcast com.google.android.talk/com.google.android.apps.hangouts.phone.PhoneStateReceiver: pid=30746 uid=10068 gids={50068, 9997, 3003, 1028, 1015, 3002} abi=armeabi-v7a
I/ActivityManager( 977): Killing 30378:com.motorola.context/u0a8 (adj 15): empty #7
I/ActivityManager( 977): Start proc com.android.incallui for service com.android.dialer/com.android.incallui.InCallServiceImpl: pid=30778 uid=10014 gids={50014, 9997, 3003, 1028, 1015, 1023} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.google.android.gms:car for service com.google.android.gms/.car.InCallServiceImpl: pid=30795 uid=10020 gids={50020, 9997, 3003, 1028, 1015, 3002, 3001, 1005, 1007, 3007, 2001, 3006} abi=armeabi-v7a
I/ActivityManager( 977): Start proc android.process.media for content provider com.android.providers.media/.MediaProvider: pid=30815 uid=10016 gids={50016, 9997, 1028, 1015, 1023, 1024, 2001, 3003, 3007} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.google.android.gms.wearable for service com.google.android.gms/.wearable.service.WearableService: pid=30842 uid=10020 gids={50020, 9997, 3003, 1028, 1015, 3002, 3001, 1005, 1007, 3007, 2001, 3006} abi=armeabi-v7a
I/ActivityManager( 977): START u0 {act=android.intent.action.MAIN flg=0x10840000 cmp=com.android.dialer/com.android.incallui.InCallActivity (has extras)} from uid 10014 on display 0
W/ActivityManager( 977): Activity pause timeout for ActivityRecord{35a0efb8 u0 com.android.dialer/com.android.incallui.InCallActivity t1150}
I/ActivityManager( 977): Displayed com.android.dialer/com.android.incallui.InCallActivity: +990ms (total +2s545ms)
I/ActivityManager( 977): Killing 30449:com.google.android.calendar/u0a63 (adj 15): empty #7
I/ActivityManager( 977): Killing 30470:com.android.providers.calendar/u0a5 (adj 15): empty #7
I/ActivityManager( 977): Start proc com.android.defcontainer for service com.android.defcontainer/.DefaultContainerService: pid=30952 uid=10010 gids={50010, 9997, 1028, 1015, 1023, 2001, 1035} abi=armeabi-v7a
I/ActivityManager( 977): Waited long enough for: ServiceRecord{330e4e6c u0 com.truecaller/.service.CallerIdService}
I/ActivityManager( 977): Killing 30407:com.android.deskclock/u0a12 (adj 15): empty #7
I/ActivityManager( 977): Process com.facebook.katana (pid 23794) has died
W/ActivityManager( 977): Scheduling restart of crashed service com.facebook.katana/com.facebook.push.mqtt.service.MqttPushService in 1000ms
I/ActivityManager( 977): Killing 30676:com.google.android.partnersetup/u0a23 (adj 15): empty #7
I/ActivityManager( 977): Start proc com.facebook.katana for service com.facebook.katana/com.facebook.push.mqtt.service.MqttPushService: pid=31058 uid=10343 gids={50343, 9997, 1028, 1015, 3003} abi=armeabi-v7a
I/ActivityManager( 977): Killing 30603:com.google.android.googlequicksearchbox:search/u0a41 (adj 15): empty #7
I/ActivityManager( 977): Start proc livio.pack.lang.en_US for broadcast livio.pack.lang.en_US/.BasicWidgetXL: pid=31245 uid=10167 gids={50167, 9997, 3003, 1028, 1015} abi=armeabi-v7a
I/ActivityManager( 977): Killing 30815:android.process.media/u0a16 (adj 15): empty #7
I/ActivityManager( 977): Start proc com.google.android.googlequicksearchbox:search for service com.google.android.googlequicksearchbox/com.google.android.sidekick.main.TrafficIntentService: pid=31309 uid=10041 gids={50041, 9997, 3003, 3001, 1028, 3002, 1015, 1005} abi=armeabi-v7a
I/ActivityManager( 977): Process com.google.android.gms.wearable (pid 30842) has died
I/ActivityManager( 977): Process com.qualcomm.atfwd (pid 24168) has died
W/ActivityManager( 977): Scheduling restart of crashed service com.qualcomm.atfwd/.AtFwdService in 1000ms
I/ActivityManager( 977): Start proc com.google.android.partnersetup for content provider com.google.android.partnersetup/.RlzAppProvider: pid=31351 uid=10023 gids={50023, 9997, 3003} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.android.deskclock for broadcast com.android.deskclock/com.android.alarmclock.DigitalAppWidgetProvider: pid=31388 uid=10012 gids={50012, 9997, 1028} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.qualcomm.atfwd for service com.qualcomm.atfwd/.AtFwdService: pid=31412 uid=1000 gids={41000, 9997, 1021, 3004, 3005, 1000, 3009, 1015, 1023, 1010, 1004, 2002, 3006, 1028, 3002, 3001, 3003} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.android.providers.calendar for content provider com.android.providers.calendar/.CalendarProvider2: pid=31429 uid=10005 gids={50005, 9997, 3003, 1028, 1015} abi=armeabi-v7a
I/ActivityManager( 977): Process com.android.defcontainer (pid 30952) has died
I/ActivityManager( 977): Killing 30778:com.android.incallui/u0a14 (adj 15): empty #7
W/ActivityManager( 977): Slow operation: 264289ms so far, now at startProcess: returned from zygote!
W/ActivityManager( 977): Slow operation: 264289ms so far, now at startProcess: done updating battery stats
W/ActivityManager( 977): Slow operation: 264290ms so far, now at startProcess: building log message
I/ActivityManager( 977): Start proc com.motorola.context for broadcast com.motorola.context/.publisher.calendar.CalendarReceiver: pid=31515 uid=10008 gids={50008, 9997, 3001, 3002, 3003} abi=armeabi-v7a
W/ActivityManager( 977): Slow operation: 264290ms so far, now at startProcess: starting to update pids map
W/ActivityManager( 977): Slow operation: 264290ms so far, now at startProcess: done updating pids map
W/ActivityManager( 977): Slow operation: 264290ms so far, now at startProcess: done starting proc!
I/ActivityManager( 977): Killing 30795:com.google.android.gms:car/u0a20 (adj 15): empty #7
I/ActivityManager( 977): Start proc com.google.android.calendar for broadcast com.google.android.calendar/com.android.calendar.alerts.AlertReceiver: pid=31547 uid=10063 gids={50063, 9997, 3003, 1028, 1015} abi=armeabi-v7a
I/ActivityManager( 977): Killing 30746:com.google.android.talk/u0a68 (adj 15): empty #7
I/ActivityManager( 977): Killing 31245:livio.pack.lang.en_US/u0a167 (adj 15): empty #7
I/ActivityManager( 977): Start proc com.google.android.talk for broadcast com.google.android.talk/com.google.android.apps.hangouts.service.NetworkStateReceiver: pid=31737 uid=10068 gids={50068, 9997, 3003, 1028, 1015, 3002} abi=armeabi-v7a
I/ActivityManager( 977): Killing 31351:com.google.android.partnersetup/u0a23 (adj 15): empty #7
I/ActivityManager( 977): Process com.google.android.googlequicksearchbox:search (pid 31309) has died
I/ActivityManager( 977): Process com.android.providers.calendar (pid 31429) has died
I/ActivityManager( 977): START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.android.dialer/.DialtactsActivity bnds=[40,1040][168,1168](has extras)} from uid 10027 on display 0
I/ActivityManager( 977): START u0 {act=android.intent.action.CALL_PRIVILEGED dat=tel:xxxxxxxxxxxxx cmp=com.android.server.telecom/.PrivilegedCallActivity (has extras)} from uid 10014 on display 0
I/ActivityManager( 977): Start proc com.android.incallui for service com.android.dialer/com.android.incallui.InCallServiceImpl: pid=31971 uid=10014 gids={50014, 9997, 3003, 1028, 1015, 1023} abi=armeabi-v7a
I/ActivityManager( 977): Process com.motorola.context (pid 31515) has died
I/ActivityManager( 977): Start proc com.google.android.gms:car for service com.google.android.gms/.car.InCallServiceImpl: pid=31988 uid=10020 gids={50020, 9997, 3003, 1028, 1015, 3002, 3001, 1005, 1007, 3007, 2001, 3006} abi=armeabi-v7a
I/ActivityManager( 977): START u0 {act=android.intent.action.MAIN flg=0x10840000 cmp=com.android.dialer/com.android.incallui.InCallActivity (has extras)} from uid 10014 on display 0
I/ActivityManager( 977): Start proc com.google.android.gms.wearable for service com.google.android.gms/.wearable.service.WearableService: pid=32029 uid=10020 gids={50020, 9997, 3003, 1028, 1015, 3002, 3001, 1005, 1007, 3007, 2001, 3006} abi=armeabi-v7a
I/ActivityManager( 977): Displayed com.android.dialer/com.android.incallui.InCallActivity: +1s190ms (total +1s970ms)
I/ActivityManager( 977): Process com.google.android.calendar (pid 31547) has died
I/ActivityManager( 977): Process com.android.deskclock (pid 31388) has died
W/ActivityManager( 977): Launch timeout has expired, giving up wake lock!
I/ActivityManager( 977): Process com.google.android.music:main (pid 24845) has died
W/ActivityManager( 977): Scheduling restart of crashed service com.google.android.music/.playback.MusicPlaybackService in 1000ms
W/ActivityManager( 977): Scheduling restart of crashed service com.google.android.music/.wear.WearDataTransferConnectionService in 11000ms
I/ActivityManager( 977): Config changes=480 {1.0 405mcc54mnc en_US ldltr sw360dp w598dp h335dp 320dpi nrml land finger -keyb/v/h -nav/h s.157spn1417459055}
I/ActivityManager( 977): Start proc com.google.android.music:main for service com.google.android.music/.playback.MusicPlaybackService: pid=32330 uid=10077 gids={50077, 9997, 3003, 1028, 1015} abi=armeabi-v7a
I/ActivityManager( 977): Process com.facebook.orca (pid 23853) has died
W/ActivityManager( 977): Scheduling restart of crashed service com.facebook.orca/com.facebook.push.mqtt.service.MqttPushService in 1000ms
I/ActivityManager( 977): Config changes=480 {1.0 405mcc54mnc en_US ldltr sw360dp w360dp h567dp 320dpi nrml port finger -keyb/v/h -nav/h s.158spn1417459055}
I/ActivityManager( 977): Start proc com.motorola.android.providers.userpreferredsim for content provider com.motorola.android.providers.userpreferredsim/.UserPreferredSimProvider: pid=32402 uid=10040 gids={50040, 9997, 3003} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.facebook.orca for service com.facebook.orca/com.facebook.push.mqtt.service.MqttPushService: pid=32419 uid=10289 gids={50289, 9997, 3003, 1028, 1015} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.google.android.googlequicksearchbox:search for service com.google.android.googlequicksearchbox/com.google.android.sidekick.main.TrafficIntentService: pid=32631 uid=10041 gids={50041, 9997, 3003, 3001, 1028, 3002, 1015, 1005} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.android.deskclock for broadcast com.android.deskclock/com.android.alarmclock.DigitalAppWidgetProvider: pid=32653 uid=10012 gids={50012, 9997, 1028} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.google.android.partnersetup for content provider com.google.android.partnersetup/.RlzAppProvider: pid=32762 uid=10023 gids={50023, 9997, 3003} abi=armeabi-v7a
I/ActivityManager( 977): Process com.google.android.talk (pid 31737) has died
I/ActivityManager( 977): Process com.android.incallui (pid 31971) has died
I/ActivityManager( 977): Process com.google.android.gms:car (pid 31988) has died
I/ActivityManager( 977): Start proc com.android.providers.calendar for content provider com.android.providers.calendar/.CalendarProvider2: pid=363 uid=10005 gids={50005, 9997, 3003, 1028, 1015} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.motorola.context for broadcast com.motorola.context/.publisher.calendar.CalendarReceiver: pid=518 uid=10008 gids={50008, 9997, 3001, 3002, 3003} abi=armeabi-v7a
I/ActivityManager( 977): Process com.truecaller (pid 24761) has died
W/ActivityManager( 977): Scheduling restart of crashed service com.truecaller/.service.ClipboardService in 1000ms
W/ActivityManager( 977): Scheduling restart of crashed service com.truecaller/.service.CallStateService in 11000ms
I/ActivityManager( 977): Start proc com.google.android.calendar for broadcast com.google.android.calendar/com.android.calendar.alerts.AlertReceiver: pid=542 uid=10063 gids={50063, 9997, 3003, 1028, 1015} abi=armeabi-v7a
I/ActivityManager( 977): Process com.motorola.android.providers.userpreferredsim (pid 32402) has died
I/ActivityManager( 977): Start proc livio.pack.lang.en_US for broadcast livio.pack.lang.en_US/.BasicWidgetXL: pid=571 uid=10167 gids={50167, 9997, 3003, 1028, 1015} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.truecaller for service com.truecaller/.service.ClipboardService: pid=593 uid=10113 gids={50113, 9997, 3003, 1028, 1015, 3002, 3001} abi=armeabi-v7a
I/ActivityManager( 977): Killing 32653:com.android.deskclock/u0a12 (adj 15): empty #7
I/ActivityManager( 977): Killing 32762:com.google.android.partnersetup/u0a23 (adj 15): empty #7
I/ActivityManager( 977): Start proc com.android.deskclock for broadcast com.android.deskclock/com.android.alarmclock.DigitalAppWidgetProvider: pid=691 uid=10012 gids={50012, 9997, 1028} abi=armeabi-v7a
I/ActivityManager( 977): Killing 32631:com.google.android.googlequicksearchbox:search/u0a41 (adj 15): empty #7
I/ActivityManager( 977): Start proc us.spy.camera.spycamera.free.hd for broadcast us.spy.camera.spycamera.free.hd/com.mm1373232063.android.MessageReceiver1373232063: pid=715 uid=10015 gids={50015, 9997, 1028, 1015, 3003} abi=armeabi-v7a
I/ActivityManager( 977): Killing 518:com.motorola.context/u0a8 (adj 15): empty #7
I/ActivityManager( 977): Start proc com.google.android.googlequicksearchbox:search for service com.google.android.googlequicksearchbox/com.google.android.sidekick.main.TrafficIntentService: pid=850 uid=10041 gids={50041, 9997, 3003, 3001, 1028, 3002, 1015, 1005} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.google.android.partnersetup for content provider com.google.android.partnersetup/.RlzAppProvider: pid=972 uid=10023 gids={50023, 9997, 3003} abi=armeabi-v7a
I/ActivityManager( 977): Process com.rhmsoft.fm:service (pid 25035) has died
W/ActivityManager( 977): Scheduling restart of crashed service com.rhmsoft.fm/com.cleanmaster.fm.service.BackgroundService in 1000ms
I/ActivityManager( 977): Killing 363:com.android.providers.calendar/u0a5 (adj 15): empty #7
I/ActivityManager( 977): Start proc com.android.providers.calendar for content provider com.android.providers.calendar/.CalendarProvider2: pid=1021 uid=10005 gids={50005, 9997, 3003, 1028, 1015} abi=armeabi-v7a
I/ActivityManager( 977): Killing 542:com.google.android.calendar/u0a63 (adj 15): empty #7
I/ActivityManager( 977): Start proc com.rhmsoft.fm:service for service com.rhmsoft.fm/com.cleanmaster.fm.service.BackgroundService: pid=1050 uid=10233 gids={50233, 9997, 3003, 1028, 1015} abi=armeabi
I/ActivityManager( 977): Start proc com.motorola.context for broadcast com.motorola.context/.publisher.calendar.CalendarReceiver: pid=1092 uid=10008 gids={50008, 9997, 3001, 3002, 3003} abi=armeabi-v7a
I/ActivityManager( 977): Killing 571:livio.pack.lang.en_US/u0a167 (adj 15): empty #7
I/ActivityManager( 977): Start proc com.google.android.calendar for broadcast com.google.android.calendar/com.android.calendar.alerts.AlertReceiver: pid=1115 uid=10063 gids={50063, 9997, 3003, 1028, 1015} abi=armeabi-v7a
I/ActivityManager( 977): Killing 32029:com.google.android.gms.wearable/u0a20 (adj 15): empty #7
I/ActivityManager( 977): Process us.spy.camera.spycamera.free.hd (pid 715) has died
I/ActivityManager( 977): Start proc com.motorola.genie for broadcast com.motorola.genie/.prefetch.PowerStatusReceiver: pid=1204 uid=10024 gids={50024, 9997, 3003, 1028, 1015} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.google.android.apps.plus for broadcast com.google.android.apps.plus/.service.BatteryReceiver: pid=1250 uid=10085 gids={50085, 9997, 3003, 3002, 1028, 1015} abi=armeabi-v7a
I/ActivityManager( 977): Start proc android.process.media for content provider com.android.providers.media/.MediaProvider: pid=1275 uid=10016 gids={50016, 9997, 1028, 1015, 1023, 1024, 2001, 3003, 3007} abi=armeabi-v7a
I/ActivityManager( 977): Killing 691:com.android.deskclock/u0a12 (adj 15): empty #7
I/ActivityManager( 977): Killing 972:com.google.android.partnersetup/u0a23 (adj 15): empty #7
I/ActivityManager( 977): Start proc com.android.chrome for broadcast com.android.chrome/com.google.android.apps.chrome.precache.PrecacheServiceLauncher: pid=1342 uid=10054 gids={50054, 9997, 3003, 1028, 1015} abi=armeabi-v7a
I/ActivityManager( 977): Killing 850:com.google.android.googlequicksearchbox:search/u0a41 (adj 15): empty #7
I/ActivityManager( 977): Killing 1092:com.motorola.context/u0a8 (adj 15): empty #7
I/ActivityManager( 977): START u0 {act=android.intent.action.MAIN cat=[android.intent.category.HOME] flg=0x10200000 cmp=com.android.launcher/com.android.launcher2.Launcher} from uid 1000 on display 0
I/ActivityManager( 977): Start proc com.android.vending for broadcast com.android.vending/com.google.android.finsky.receivers.PackageMonitorReceiver$RegisteredReceiver: pid=1508 uid=10036 gids={50036, 9997, 3003, 1028, 1015} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.google.android.gms:car for service com.google.android.gms/.car.CarService: pid=1589 uid=10020 gids={50020, 9997, 3003, 1028, 1015, 3002, 3001, 1005, 1007, 3007, 2001, 3006} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.google.android.googlequicksearchbox:search for broadcast com.google.android.googlequicksearchbox/com.google.android.search.core.icingsync.IcingCorporaChangedReceiver: pid=1653 uid=10041 gids={50041, 9997, 3003, 3001, 1028, 3002, 1015, 1005} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.google.android.gms.wearable for service com.google.android.gms/.wearable.service.WearableControlService: pid=1674 uid=10020 gids={50020, 9997, 3003, 1028, 1015, 3002, 3001, 1005, 1007, 3007, 2001, 3006} abi=armeabi-v7a
I/ActivityManager( 977): Process com.limitskyapps.CodingCalendar (pid 25110) has died
W/ActivityManager( 977): Scheduling restart of crashed service com.limitskyapps.CodingCalendar/.MyNewService in 1000ms
I/ActivityManager( 977): Killing 1021:com.android.providers.calendar/u0a5 (adj 15): empty #7
I/ActivityManager( 977): Start proc com.limitskyapps.CodingCalendar for service com.limitskyapps.CodingCalendar/.MyNewService: pid=1729 uid=10108 gids={50108, 9997, 3003} abi=armeabi-v7a
I/ActivityManager( 977): Start proc com.google.android.partnersetup for content provider com.google.android.partnersetup/.RlzAppProvider: pid=1758 uid=10023 gids={50023, 9997, 3003} abi=armeabi-v7a
I/ActivityManager( 977): Process com.google.android.calendar (pid 1115) has died
I/ActivityManager( 977): Process com.motorola.genie (pid 1204) has died
I/ActivityManager( 977): Process com.android.chrome (pid 1342) has died
I/ActivityManager( 977): Process com.google.android.googlequicksearchbox:search (pid 1653) has died
I/ActivityManager( 977): Process com.google.android.apps.plus (pid 1250) has died
I/ActivityManager( 977): START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10000000 cmp=com.whatsapp/.Main bnds=[360,785][520,985](has extras)} from uid 10027 on display 0
I/ActivityManager( 977): START u0 {cmp=com.whatsapp/.HomeActivity} from uid 10104 on display 0
I/ActivityManager( 977): Displayed com.whatsapp/.HomeActivity: +1s86ms (total +1s505ms)
I/ActivityManager( 977): START u0 {flg=0x14000000 cmp=com.whatsapp/.Conversation (has extras)} from uid 10104 on display 0
I/ActivityManager( 977): Displayed com.whatsapp/.Conversation: +1s538ms
I/ActivityManager( 977): START u0 {flg=0x14000000 cmp=com.whatsapp/.Conversation (has extras)} from uid 10104 on display 0
I/ActivityManager( 977): Process com.google.android.gms:car (pid 1589) has died
I/ActivityManager( 977): Displayed com.whatsapp/.Conversation: +620ms
I/ActivityManager( 977): START u0 {flg=0x14000000 cmp=com.whatsapp/.Conversation (has extras)} from uid 10104 on display 0
I/ActivityManager( 977): Displayed com.whatsapp/.Conversation: +325ms
I/ActivityManager( 977): Start proc com.google.android.apps.plus for service com.google.android.apps.plus/com.google.android.apps.moviemaker.service.PluggedInAnalyzerService: pid=2314 uid=10085 gids={50085, 9997, 3003, 3002, 1028, 1015} abi=armeabi-v7a
I/ActivityManager( 977): START u0 {flg=0x14000000 cmp=com.whatsapp/.Conversation (has extras)} from uid 10104 on display 0
I/ActivityManager( 977): Displayed com.whatsapp/.Conversation: +1s524ms
I/ActivityManager( 977): Process com.android.vending (pid 1508) has died
I/ActivityManager( 977): Process com.google.android.partnersetup (pid 1758) has died
I/ActivityManager( 977): START u0 {flg=0x14000000 cmp=com.whatsapp/.Conversation (has extras)} from uid 10104 on display 0
I/ActivityManager( 977): Process com.google.android.gms.wearable (pid 1674) has died
I/ActivityManager( 977): Displayed com.whatsapp/.Conversation: +366ms
I/ActivityManager( 977): START u0 {flg=0x14000000 cmp=com.whatsapp/.Conversation (has extras)} from uid 10104 on display 0
I/ActivityManager( 977): Displayed com.whatsapp/.Conversation: +430ms
I/ActivityManager( 977): START u0 {flg=0x14000000 cmp=com.whatsapp/.Conversation (has extras)} from uid 10104 on display 0
I/ActivityManager( 977): Displayed com.whatsapp/.Conversation: +501ms
I/ActivityManager( 977): Process com.google.android.apps.plus (pid 2314) has died
I/ActivityManager( 977): START u0 {flg=0x14000000 cmp=com.whatsapp/.Conversation (has extras)} from uid 10104 on display 0
I/ActivityManager( 977): Displayed com.whatsapp/.Conversation: +249ms
I/ActivityManager( 977): START u0 {flg=0x14000000 cmp=com.whatsapp/.Conversation (has extras)} from uid 10104 on display 0
I/ActivityManager( 977): Displayed com.whatsapp/.Conversation: +427ms
I/ActivityManager( 977): START u0 {flg=0x14000000 cmp=com.whatsapp/.Conversation (has extras)} from uid 10104 on display 0
I/ActivityManager( 977): Displayed com.whatsapp/.Conversation: +261ms
I/ActivityManager( 977): START u0 {flg=0x14000000 cmp=com.whatsapp/.Conversation (has extras)} from uid 10104 on display 0
I/ActivityManager( 977): Displayed com.whatsapp/.Conversation: +538ms
I/ActivityManager( 977): START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10000000 cmp=com.whatsapp/.Main bnds=[360,785][520,985](has extras)} from uid 10027 on display 0
I/ActivityManager( 977): START u0 {cmp=com.whatsapp/.HomeActivity} from uid 10104 on display 0
I/ActivityManager( 977): Displayed com.whatsapp/.HomeActivity: +375ms (total +490ms)
I/ActivityManager( 977): START u0 {flg=0x14000000 cmp=com.whatsapp/.Conversation (has extras)} from uid 10104 on display 0
I/ActivityManager( 977): Displayed com.whatsapp/.Conversation: +312ms
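As an added example (not code from this thread or from the SecurityTrainingPub repository), the Python below does two things the discussion above leaves implicit: it applies a logcat-style tag:priority filter such as `ActivityManager:I whatsapp:D *:S` (the filter srgnuclear's attachment describes, taken from the developer.android.com logcat documentation), and it parses the ActivityManager messages in the attached log format into a per-package baseline (uid, gids, process starts, deaths, cached-process kills, crashed-service restarts, activity launches) of the kind an anomaly algorithm would compare against. The sample log lines are constructed for the example in the same format as the attachment; the package names, pids and uids in them are made up. The filter semantics (unlisted tags fall back to the `*` rule, and show everything when no `*` rule is given) are my reading of the logcat docs, not something the thread states.

```python
"""Parse `adb logcat` output of the shape attached above, apply a logcat-style
tag:priority filter, and build a per-package process baseline from the
ActivityManager messages. Added example, not code from this thread."""
import re
from collections import defaultdict

# logcat priorities from lowest to highest; S (silent) hides a tag completely.
PRIORITY_ORDER = "VDIWEFS"

# "I/ActivityManager( 977): message" -> priority, tag, pid, message
LINE_RE = re.compile(r"^([VDIWEFS])/([^(]+?)\s*\(\s*(\d+)\):\s*(.*)$")
START_PROC_RE = re.compile(r"Start proc (\S+) for .+?: pid=(\d+) uid=(\d+) gids=\{([^}]*)\}")
DIED_RE = re.compile(r"Process (\S+) \(pid (\d+)\) has died")
KILL_RE = re.compile(r"Killing (\d+):(\S+?)/\S+ \(adj \d+\)")
CRASH_RE = re.compile(r"Scheduling restart of crashed service (\S+) in (\d+)ms")
START_ACT_RE = re.compile(r"START u0 \{(.*)\} from uid (\d+) on display")

# Constructed sample in the format of the attached log; names, pids and uids are invented.
SAMPLE_LOG = """\
--------- beginning of system
I/ActivityManager( 977): Start proc com.example.chat for broadcast com.example.chat/.BootReceiver: pid=29121 uid=10167 gids={50167, 9997, 3003} abi=armeabi-v7a
D/whatsapp(29130): connecting to chat server
I/ActivityManager( 977): START u0 {act=android.intent.action.MAIN cmp=com.example.chat/.HomeActivity} from uid 10027 on display 0
I/ActivityManager( 977): Killing 29121:com.example.chat/u0a167 (adj 15): empty #7
I/ActivityManager( 977): Start proc com.example.chat for service com.example.chat/.SyncService: pid=29400 uid=10999 gids={50999, 9997} abi=armeabi-v7a
I/ActivityManager( 977): Process com.example.widget (pid 24168) has died
W/ActivityManager( 977): Scheduling restart of crashed service com.example.widget/.WidgetService in 1000ms
V/whatsapp(29130): verbose chatter that the D rule drops
D/SomeOtherTag( 1234): silenced by the *:S rule
"""


def parse_line(line):
    """Split one logcat line into its parts; returns None for separator lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    prio, tag, pid, msg = m.groups()
    return {"prio": prio, "tag": tag.strip(), "pid": int(pid), "msg": msg}


def parse_filter_spec(spec):
    """'ActivityManager:I whatsapp:D *:S' -> {'ActivityManager': 'I', 'whatsapp': 'D', '*': 'S'}."""
    rules = {}
    for item in spec.split():
        tag, _, prio = item.partition(":")
        rules[tag] = prio.upper() or "V"  # a bare tag means "everything for this tag"
    return rules


def filter_lines(lines, spec):
    """Keep the lines a logcat filterspec would show: each tag's rule is a minimum
    priority; tags without a rule use '*', and with no '*' rule everything is shown
    (assumed from the logcat docs, not stated in the thread)."""
    rules = parse_filter_spec(spec)
    default = rules.get("*", "V")
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        threshold = rules.get(rec["tag"], default)
        if PRIORITY_ORDER.index(rec["prio"]) >= PRIORITY_ORDER.index(threshold):
            kept.append(line)
    return kept


def _package(name):
    """'com.google.android.gms:car' -> 'com.google.android.gms'; 'com.whatsapp/.Main' -> 'com.whatsapp'."""
    return name.split("/")[0].split(":")[0]


def summarize(lines):
    """Per-package ActivityManager view: uids/gids seen, process starts, deaths,
    cached-process kills, crashed-service restarts and activity launches."""
    summary = defaultdict(lambda: {"uids": set(), "gids": set(), "starts": 0, "deaths": 0,
                                   "kills": 0, "crash_restarts": 0, "activity_starts": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["tag"] != "ActivityManager":
            continue
        msg = rec["msg"]
        if m := START_PROC_RE.search(msg):
            entry = summary[_package(m.group(1))]
            entry["starts"] += 1
            entry["uids"].add(int(m.group(3)))
            entry["gids"].update(int(g) for g in m.group(4).split(",") if g.strip())
        elif m := DIED_RE.search(msg):
            summary[_package(m.group(1))]["deaths"] += 1
        elif m := KILL_RE.search(msg):
            summary[_package(m.group(2))]["kills"] += 1
        elif m := CRASH_RE.search(msg):
            summary[_package(m.group(1))]["crash_restarts"] += 1
        elif (m := START_ACT_RE.search(msg)) and (c := re.search(r"cmp=(\S+)", m.group(1))):
            summary[_package(c.group(1))]["activity_starts"] += 1
    return dict(summary)


def find_anomalies(summary, churn_threshold=5):
    """Flag what a single-user baseline should not show: one package under several
    uids (Android gives each package one uid per user), services the system had to
    restart after a crash, and unusually heavy process churn."""
    findings = []
    for pkg, e in sorted(summary.items()):
        if len(e["uids"]) > 1:
            findings.append((pkg, "ran under multiple uids: %s" % sorted(e["uids"])))
        if e["crash_restarts"]:
            findings.append((pkg, "%d crashed-service restart(s)" % e["crash_restarts"]))
        if e["starts"] >= churn_threshold:
            findings.append((pkg, "high process churn: %d starts" % e["starts"]))
    return findings
```

To use it on a real capture, feed `filter_lines(open("logcat.txt").read().splitlines(), "ActivityManager:I whatsapp:D *:S")` into `summarize` and then `find_anomalies`; the multiple-uid check assumes a single-user device, since secondary users get their own uid range for the same package.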

vinmittal commented 8 years ago

I think what is being sent to the WhatsApp display can be intercepted; let's probe around this area to see the hack.

vinmittal commented 8 years ago

Is there a way to turn on more information about the processes? This is not good enough. For example: ports, memory, protocol, access privileges of each process. All these apps want access to different apps; how do they retrieve that data?

harshdattani commented 8 years ago

@vinmittal Sure, we can expand those logs for more info. Studio logs just provide basic info only.

srgnuclear commented 8 years ago

@Harsh have you found any way to expand the logs, or again to access privileged logs? I was searching around a bit and found that since version 4.1 reading sensitive logs has been made more secure. This paper exploits a vulnerability and reads those logs on all Samsung devices of version 4.4 and before: https://www.blackhat.com/docs/asia-15/materials/asia-15-Johnson-Resurrecting-The-READ-LOGS-Permission-On-Samsung-Devices-wp.pdf . If not, then we may have to try out the implementation of the first hack in the paper.


harshdattani commented 8 years ago

@srgnuclear I have tried Runtime.getRuntime().exec(cmd); to save logs to the SD card, but after 4.1 it is restricted to the app's own process only; before 4.1 we could get the logs of all processes. Will push the code to Git soon.