Update write-up

README.md

@@ -1,5 +1,14 @@
 # Kakaotalk Analysis
 
+- [Setup](#setup)
+  - [SSH](#ssh)
+  - [Setup Burp Suite](#configure-emulator-to-work-with-burp-suite)
+  - [Setup Frida](#setup-frida-to-disable-certificate-pinning)
+  - [Kakaotalk Login](#kakaotalk-account-setup)
+  - [Tools to try](#tools-to-play-with)
+- [Misc Commands](#misc-commands)
+- [Resources](#resources)
+
 ## Setup
 
 Prepare your `~/.bashrc` or `~/.zshrc`:
@@ -122,7 +131,7 @@ peterplan
 fMcz2Jtr
 ```
 - In the KakaoTalk app, login with your email address:
-  - When prompted add your phone number
+  - When prompted add your phone number. You'll receive a SMS with a pin number.
   - **Optional**: you may have to send a SMS including a base64 string (e.g., `KakaoTalk HgAAABIwAGgAQGQAAAAAAjEABwAAADE1Mjc2MAAA`) to a KakaoTalk phone number (you won't receive any SMS response back). After that, you need to tap/click the `Check verification` button in the app and the registration process should be completed.
 
 <img width="318" alt="image" src="https://user-images.githubusercontent.com/14765446/233626988-8bf6be98-c855-4f29-99cb-77d2d44dcb60.png">
@@ -164,16 +173,9 @@ adb shell dumpsys package | grep -Eo $(printf "^[[:space:]]+[0-9a-f]+[[:space:]]
 adb shell am start -a android.settings.SETTINGS
 ```
 
-## Possible E2E Attack Vectors
-
-- Register an attacker's device to the victim's KakaoTalk account
-- MITM the protocol on the wire
-- Operator-side MITM (e.g., by changing public keys)
-- Tamper with the ciphertext on the wire -> code injection
-- Send a chat message to a victim to retrieve the E2E encryption key -> code injection
-- Install a malcious app on the victim's device to retrieve the E2E key via IPC
-
 ## Resources
 
+Third-party Kakaotalk clients:
+
 - https://github.com/KiwiTalk/KiwiTalk
 - https://github.com/jhleekr/kakao.py

RECON.md

@@ -9,6 +9,13 @@
 - [Open-Source Libs](#open-source-libs)
 - [Crypto](#crypto)
   - [E2E](#e2e)
+- [Possible Vectors](#possible-attack-vectors)
+  - [Registration and Login](#registration-and-login)
+  - [Cloud](#cloud)
+  - [LOCO Protocol Attackss](#loco-protocol-attacks)
+  - [Message Parsing](#message-parsing-zero-click)
+  - [Malicious App](#malicious-third-party-app)
+  - [Operator-side Attacks](#operator-side-attacks)
 
 ## General infos
 
@@ -101,6 +108,7 @@ Java interfaces with interesting Rest APIs (interface names generated by `jadx`)
 
 **TO-DO**: Add GET and POST requests. Use `sqlmap -r` to *fuzz* the Rest APIs.
 
+Interesting classes:
 ```
 com.kakao.p129i.appserver.AppApi
 com.kakao.talk.net.retrofit.BackupRestoreService
@@ -312,3 +320,58 @@ Version: 3
 ### E2E
 
 Main implementation in package `com.kakao.talk.secret` and the `LocoCipherHelper ` class.
+
+## Possible Attack Vectors
+
+### Registration and Login
+
+- Register an attacker's device to the victim's KakaoTalk account
+    - Get victims account credentials (e.g., via a data dump on breached.vc)
+    - Brute-force 4-digit pin
+- During registration a pincode is sent via SMS (intercept with SS7 access)
+- Register an attacker's device via flaws in the LOCO protocol (`CHECKIN` and `LOGINLIST` commands)
+- Check out insecure REST API endpoints
+- QR Code login (`xm.a` and `vm.q` Java classes)
+	- `/talk/account/qrCodeLogin/info.json?id=eyJwcm90b2NvbCI6InYxIiwiY2hhbGxlbmdlIjoiNlB6MFMzdkRQMmlFUTZoRXh5YW5mWGtOelNHU0RRIn0=`
+	- `{"protocol":"v1","challenge":"6Pz0S3vDP2iEQ6hExyanfXkNzSGSDQ"}`
+		- `m.w.R1` method computes a MAC of the challenge
+		- The OAuth Refresh Token seems to be the MAC key
+			- How to obtain them? How are they generated? How long do they live?
+			- `ym.a` class builds the POST request
+	- API endpoints in interface `e31.j`
+
+### Cloud
+
+- Cloud back-up (weak password)
+  - Secret Chat messages won’t be stored
+- Tamper with plaintext asset downloads via HTTP (parser attacks on the client possible?)
+
+### LOCO Protocol Attacks
+
+- Spoof victim (`CHECKIN` packet)
+  - Spoof victim’s device ID (**TODO**: How is it generated?)
+- Spoof KakaoTalk server
+  - Send the attacker’s public key to the victim (maybe there’s a LOCO command for updating RSA public keys on the client?)
+  - MITM traffic
+- Tamper messages (CFB malleability —> [Efail](https://jaads.de/Bachelorthesis/Bachelorthesis_Jan_Arends.pdf))
+  - [Owncloud CFB malleability bug](https://blog.hboeck.de/archives/880-Pwncloud-bad-crypto-in-the-Owncloud-encryption-module.html)
+  - Use the `LOGINLIST` command with `chatDatas`, `attachment` or `code` JSON fields to run code on the client app?
+- Replay messages
+- Drop messages (maybe there's a way to fallback to unencrypted comms?)
+- Sniff plaintext LOCO packets (`CHECKIN` packet)
+
+### Message Parsing ("Zero Click")
+
+- Send a chat message to a victim to retrieve the E2E encryption key -> code injection
+  - URL rendering
+  - Calendar invite rendering
+  - Emojis
+
+### Malicious third-party app
+
+- Install a malcious app on the victim's device to retrieve the E2E key via IPC
+- Send malicious intents (code injection)
+
+### Operator-side Attacks
+
+- Operator-side MITM (e.g., by changing public keys)