Android lets external accessories (hardware) interact with Android-powered devices over USB. There are two main ways for an app to communicate with such hardware: ADB and AOA. Both have security issues, whether you use them incorrectly or not.
The traditional way to enable communication between external hardware and an Android device is ADB (Android Debug Bridge). ADB is a tool that lets a host communicate with an Android device, and it can also carry traffic between external hardware and an app on the device. For example, the app creates a TCP server, and the external hardware acts as a client that connects to the server through ADB port forwarding (adb forward tcp:HOST_PORT tcp:DEVICE_PORT), so the connection arrives on the device's loopback interface.
Because that TCP server is an ordinary listening socket, every app on the same device can connect to it if it knows the port. Worse, if the server binds to "0.0.0.0", the port is reachable on every network interface, so anyone who can reach the device (over Wi-Fi, or from the Internet if the device is routable) and knows the port can connect. The server should therefore bind to localhost (127.0.0.1), which is all that ADB forwarding needs. Binding to localhost keeps remote hosts out but not other apps on the same device, so the server must also authenticate each TCP connection. Otherwise, attackers can:
- Exhaust the server: if it accepts only a limited number of connections, an attacker can open connections until that limit is reached, and the legitimate hardware can no longer connect.
- Impersonate the external hardware from a malicious app, sending bogus data to the server or reading privacy-sensitive information from it.
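The server described above, hardened along those lines, as an added example that is not code from the original post: bind to loopback only, refuse a 0.0.0.0 bind outright, challenge every client with an HMAC over a fresh nonce before reading any payload, cap the number of concurrent clients so one rogue app cannot exhaust the server, and time out idle clients. Python stands in for the java.net.ServerSocket an Android app would open; the shared secret, the challenge-response framing and the client cap are assumptions made for this demo.

```python
"""Hardened loopback TCP service for an ADB-forwarded accessory link.

Added example, not code from the original post. The external hardware reaches
the server through `adb forward tcp:<host port> tcp:<device port>`, which
delivers the connection on the device's loopback interface, so the server
never needs to listen on 0.0.0.0. Secret, framing and cap are assumptions.
"""
import hashlib
import hmac
import os
import socket
import threading

LOOPBACK = "127.0.0.1"
SHARED_SECRET = b"example-accessory-secret"  # assumption: provisioned out of band
MAX_CLIENTS = 4                              # cap so one rogue app cannot exhaust us


def is_safe_bind_address(addr: str) -> bool:
    """Only loopback is acceptable; 0.0.0.0 exposes the port on every interface."""
    return addr in ("127.0.0.1", "::1")


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    """HMAC-SHA256 over a fresh challenge proves possession of the secret."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def verify_response(secret: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(compute_response(secret, challenge), response)


def recv_exact(conn: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise OSError("peer closed before sending %d bytes" % n)
        buf += chunk
    return buf


class AccessoryServer:
    """Loopback-only server: challenge every client, bound concurrent clients."""

    def __init__(self, secret: bytes, bind_addr: str = LOOPBACK,
                 max_clients: int = MAX_CLIENTS):
        if not is_safe_bind_address(bind_addr):
            raise ValueError("refusing to bind to non-loopback address " + bind_addr)
        self.secret = secret
        self.slots = threading.BoundedSemaphore(max_clients)
        self.rejected = 0                    # clients that failed authentication
        self._lock = threading.Lock()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((bind_addr, 0))       # port 0: the OS picks a free port
        self.sock.listen(max_clients)
        self.port = self.sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> None:
        try:
            self.sock.shutdown(socket.SHUT_RDWR)  # unblocks accept() so _serve exits
        except OSError:
            pass
        self.sock.close()

    def _serve(self) -> None:
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return
            if not self.slots.acquire(blocking=False):
                conn.close()                 # at capacity: drop, do not queue
                continue
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn: socket.socket) -> None:
        try:
            conn.settimeout(2.0)             # an idle client cannot hold a slot forever
            challenge = os.urandom(16)
            conn.sendall(challenge)
            if not verify_response(self.secret, challenge, recv_exact(conn, 32)):
                with self._lock:
                    self.rejected += 1
                return                       # close without reading any payload
            conn.sendall(b"OK:" + conn.recv(1024))
        except OSError:
            pass
        finally:
            conn.close()
            self.slots.release()


def connect_as_accessory(port: int, secret: bytes, message: bytes):
    """Client side (the hardware): answer the challenge, then send one message.
    Returns the server reply, or None if the server refused us."""
    try:
        with socket.create_connection((LOOPBACK, port), timeout=2.0) as s:
            s.sendall(compute_response(secret, recv_exact(s, 16)))
            s.sendall(message)
            reply = s.recv(1024)
            return reply or None
    except OSError:
        return None


if __name__ == "__main__":
    server = AccessoryServer(SHARED_SECRET)
    server.start()
    print(connect_as_accessory(server.port, SHARED_SECRET, b"hello"))    # b'OK:hello'
    print(connect_as_accessory(server.port, b"wrong-secret", b"hello"))  # None
    server.stop()
```

The challenge is sent before any application data is read, so a client that cannot answer it never gets to push bogus data or pull anything out; the same secret must of course be known to the hardware and not to other apps, which is why loopback binding alone is not enough.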
AOA (Android Open Accessory) is a built-in platform library that lets external USB hardware interact with an Android device in accessory mode; it has been part of the platform since Android 3.1 (available to 2.3.4 through an add-on library), with AOA 2.0 arriving in Android 4.1. The app needs the Android USB accessory permission, and once that app holds the accessory, other apps cannot connect to it. That made AOA look more secure to me.
However, a bug in the Android platform made an attack possible: an app sends an android.hardware.usb.action.USB_ACCESSORY_DETACHED broadcast to tear down the existing AOA connection.
You might object that this is a protected broadcast, which user-level apps cannot send. Unfortunately, we found that Android had by mistake not added it to core/res/AndroidManifest.xml (the file that defines the protected broadcasts), so any app could send it. Instead, that file contained two identical lines for android.hardware.usb.action.USB_ACCESSORY_ATTACHED; presumably the second was meant to be USB_ACCESSORY_DETACHED. This appears to be a copy-and-paste bug that had existed since Android 2.3.4 and was still present in 5.1.1. We reported it (ANDROID-24188595) and it has now been fixed (see the log); devices that have not received the fix remain affected.
The attacks against AOA are more serious than those against the ADB setup:
- Any AOA connection can be torn down by any app on the device.
- Once the victim app has released the accessory, an attacker's app can impersonate it and connect to the hardware.
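A small audit of the protected-broadcast list that would have caught the manifest bug above, as an added example that is neither code from the original post nor from AOSP. It counts every protected-broadcast entry in a core/res/AndroidManifest.xml, reports duplicates (the copy-and-paste symptom) and any required action that is missing, and generalises the check slightly: for every protected *_ATTACHED action it also expects the matching *_DETACHED action to be protected. SAMPLE_MANIFEST is a constructed fragment that mirrors the state described above (ATTACHED listed twice, DETACHED absent), not a copy of the real file.

```python
"""Audit the protected-broadcast list of an AOSP core/res/AndroidManifest.xml.

Added example, not code from the original post or from AOSP. SAMPLE_MANIFEST
is a constructed fragment mirroring the reported bug, not the real file.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"

USB_ACCESSORY_ACTIONS = [
    "android.hardware.usb.action.USB_ACCESSORY_ATTACHED",
    "android.hardware.usb.action.USB_ACCESSORY_DETACHED",
]

# Constructed sample: ACCESSORY_ATTACHED listed twice, ACCESSORY_DETACHED absent.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="android">
    <protected-broadcast android:name="android.hardware.usb.action.USB_DEVICE_ATTACHED" />
    <protected-broadcast android:name="android.hardware.usb.action.USB_DEVICE_DETACHED" />
    <protected-broadcast android:name="android.hardware.usb.action.USB_ACCESSORY_ATTACHED" />
    <protected-broadcast android:name="android.hardware.usb.action.USB_ACCESSORY_ATTACHED" />
</manifest>
"""


def protected_broadcasts(manifest_xml: str) -> Counter:
    """Count every android:name declared by a <protected-broadcast> element."""
    root = ET.fromstring(manifest_xml)
    names = (el.get("{%s}name" % ANDROID_NS) for el in root.iter("protected-broadcast"))
    return Counter(n for n in names if n)


def find_duplicates(counts: Counter) -> List[str]:
    """Actions listed more than once: harmless at runtime, but a copy-paste smell."""
    return sorted(name for name, c in counts.items() if c > 1)


def find_unprotected(counts: Counter, required: List[str]) -> List[str]:
    """Required actions that any app could send because they are not protected."""
    return [a for a in required if a not in counts]


def find_missing_counterparts(counts: Counter) -> List[str]:
    """A protected *_ATTACHED action whose *_DETACHED twin is unprotected."""
    missing = []
    for name in sorted(counts):
        if name.endswith("_ATTACHED"):
            twin = name[: -len("_ATTACHED")] + "_DETACHED"
            if twin not in counts:
                missing.append(twin)
    return missing


def audit(manifest_xml: str, required: List[str] = USB_ACCESSORY_ACTIONS) -> Dict:
    counts = protected_broadcasts(manifest_xml)
    report = {
        "duplicates": find_duplicates(counts),
        "unprotected": find_unprotected(counts, required),
        "missing_counterparts": find_missing_counterparts(counts),
    }
    report["ok"] = not any(report.values())
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_MANIFEST).items():
        print(key, value)
```

Run against the sample, the audit flags USB_ACCESSORY_ATTACHED as duplicated and USB_ACCESSORY_DETACHED as unprotected; once the duplicate line is changed to DETACHED the report comes back clean. Pointing protected_broadcasts at the manifest of a given AOSP branch is a quick way to confirm whether a build carries the fix.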