Hi,

we decided to publish this advisory without coordination with the vendor (GOOD Technology) as they were not cooperative (again). There is a blog posting about why we decided to not proceed with Responsible Disclosure this time:

http://www.modzero.ch/modlog/archives/2015/09/24/on_responsible_full_disclosure/index.html

You can find this advisory right here:

http://www.modzero.ch/advisories/MZ-15-03-GOOD-Auth-Delegation.txt

We also published an old advisory from 2013 - you should read the blog post to learn why we didn't publish it back in 2013.

cheers,
ths - https://twitter.com/mod0

---------------------------------------------------------------------
v1 - modzero Security Advisory: Insecure application-coupling in Good Authentication Delegation [MZ-15-03]
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Timeline
---------------------------------------------------------------------

* 2015-08-18: Vulnerability has been discovered
* 2015-09-09: Vendor contact to agree on responsible disclosure
* 2015-09-25: Public Disclosure.

---------------------------------------------------------------------
2. Summary
---------------------------------------------------------------------

Vendor: Good Technology, Inc.

Products known to be affected:

* Combination of
  Android Good Dynamics SDK version 1.11.1206
  Android Good Access app version 2.3.1.626
  Android Good for Enterprise app version 3.0.0.415
  Good Control server version 1.10.47.31
  Good Proxy server version 1.10.47.2
  Good for Enterprise server version 7.2.2.5c
* Other products, versions and apps using authentication delegation may be affected as well.
Severity: Medium/High

The Good Mobile Device Management solution provides two separate Android applications: Good for Enterprise [1] (a mobile device management Android application with functionality such as e-mail) and Good Access [2] (an Android application with functionality similar to a regular browser app, used to access company intranet servers). Both apps use the underlying Good Dynamics framework to communicate with the Good server located in the customer's company network.

Authentication delegation is a method to provision the Good Access Android app by using the Good for Enterprise Android app. Using this mechanism, an employee does not need to manually enter an activation key to provision the Good Access app if Good for Enterprise was already provisioned before.

Third-party apps can spoof their identity and request access to company servers and data. Users could be tricked into granting a faked Good Access app access to company intranet servers. The server administrator is not able to prevent or detect the unauthorized access.

A CVE has not yet been assigned to this vulnerability.

---------------------------------------------------------------------
3. Details
---------------------------------------------------------------------

As a precondition for this vulnerability, the Good servers have to allow access to intranet servers on the company network via the Good Access app. It is also necessary that authentication delegation through Good for Enterprise is enabled.

A specially crafted third-party Android app can use an Android package name that starts with "com.good.gdgma" (the Good Access package name). Subsequently, the app is able to announce itself as the Good Access app to the authentication delegate (Good for Enterprise). The user of the Android device has to explicitly grant access to this third-party app [3], even though the specially crafted application might be indistinguishable from the legitimate app for a user.
It is possible to activate not only one, but several faked apps through the authentication delegate (Good for Enterprise) by using different package names (e.g. "com.good.gdgma.test1", "com.good.gdgma.test2", etc.). The Good Dynamics server administrator cannot distinguish between a malicious third-party app and the legitimate app accessing company data, as the provisioned app in the Good backend web interface shows up as a provisioned Good Access app.

As a mitigation, the Good for Enterprise app could protect its authentication-delegation API intent (Android IPC mechanism) with the signature-level protection provided by the Android operating system (android:protectionLevel="signature"). Only apps signed with the same private key can use such permissions.

---------------------------------------------------------------------
4. Impact
---------------------------------------------------------------------

After tricking a user into installing a modified application that presents itself to the authentication delegation mechanism as the Good Access app, the missing authentication can be exploited to gain access to intranet data via the Good servers. Additionally, other third-party apps could request permission from the user to access company data; the Good server administrator is not able to prevent usage of such third-party apps.

---------------------------------------------------------------------
5. Proof of concept exploit
---------------------------------------------------------------------

As a proof of concept, an example app of the Good Dynamics Android SDK can be used. modzero used the ApacheHttp example application. After loading the example project in the Android Studio IDE, the GDApplicationID variable in the included settings.json file has to be changed to "com.good.gdgma". Additionally, the package name in the AndroidManifest.xml file must be changed to a value that starts with "com.good.gdgma".
The included classes have to be refactored to match the new package name. After installing the example application and clicking the button to use authentication delegation, Good for Enterprise will show the dialog to confirm access to company data [3]. If the user enters his Good for Enterprise app password, the malicious application is allowed to access intranet servers [4].

An alternative way to demonstrate the issue is probably to disassemble the Good Access app via apktool [5], add malicious code to the application and reassemble the app via apktool.

---------------------------------------------------------------------
6. Workaround
---------------------------------------------------------------------

Users can deactivate authentication delegation and revoke access for Good Access. No other workaround is known.

---------------------------------------------------------------------
7. Fix
---------------------------------------------------------------------

It is not known to modzero whether a security fix is available.

---------------------------------------------------------------------
8. References
---------------------------------------------------------------------

[1] https://play.google.com/store/apps/details?id=com.good.android.gfe
[2] https://play.google.com/store/apps/details?id=com.good.gdgma
[3] http://www.modzero.ch/advisories/media/good_dynamics_provisioning.png
[4] http://www.modzero.ch/advisories/media/good_dynamics_usage.png
[5] https://ibotpeaches.github.io/Apktool/

---------------------------------------------------------------------
9. Credits
---------------------------------------------------------------------

* Tobias Ospelt

---------------------------------------------------------------------
10. About modzero
---------------------------------------------------------------------

The independent Swiss company modzero AG assists clients with security analysis in the complex areas of computer technology.
The focus lies on highly detailed technical analysis of concepts, software and hardware components as well as the development of individual solutions. Colleagues at modzero AG work exclusively in practical, highly technical computer-security areas and can draw on decades of experience in various platforms, system concepts, and designs.

https://www.modzero.ch
contact@xxxxxxxxxx

---------------------------------------------------------------------
11. Disclaimer
---------------------------------------------------------------------

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
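The signature-level protection proposed as a mitigation in section 3, shown as an added manifest example that is not code from the advisory or from Good Technology. The package names, permission name, service and action are hypothetical placeholders; the weak form is shown beside the hardened one.

```xml
<!-- Added example, not Good Technology's manifest. All names are hypothetical placeholders. -->

<!-- WEAK: the authentication delegate exports its activation service without any
     permission, so the only thing a caller has to present is a package name that
     looks like the expected one. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.authdelegate">
    <application>
        <service android:name=".DelegationService"
                 android:exported="true">
            <intent-filter>
                <action android:name="com.example.authdelegate.ACTIVATE" />
            </intent-filter>
        </service>
    </application>
</manifest>

<!-- HARDENED: declare a permission with protectionLevel="signature" and require it on
     the exported service. Android grants a signature permission only to apps signed
     with the same certificate as the app that defines it, so a spoofed package name
     alone no longer reaches the delegation API. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.authdelegate">
    <permission android:name="com.example.authdelegate.permission.DELEGATE"
                android:protectionLevel="signature" />
    <application>
        <service android:name=".DelegationService"
                 android:exported="true"
                 android:permission="com.example.authdelegate.permission.DELEGATE">
            <intent-filter>
                <action android:name="com.example.authdelegate.ACTIVATE" />
            </intent-filter>
        </service>
    </application>
</manifest>

<!-- The app being provisioned requests the permission; the request is honoured only
     when it carries the same signing certificate as the delegate. A caller without the
     permission gets a SecurityException when it tries to bind to the service. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.provisionedapp">
    <uses-permission android:name="com.example.authdelegate.permission.DELEGATE" />
</manifest>
```

This ties the delegate and the provisioned app to one signing key; where the two apps are signed with different keys, the delegate would instead have to verify the caller's signing certificate at runtime (e.g. via PackageManager) before honouring the request.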