Building Android Sandcastles in Android's Sandbox presented at BlackHatAbuDhabi 2010

by Nils ,


Summary : The well-known way of breaking out of the Android sandbox is using a recent local Linux kernel exploit for privilege escalation. However, why always pick on Linus in Ring-0 when there is so much more to explore in user mode. Join me in a fascinating journey through Android's sandbox implementation with a lot of IPC endpoints, Services, Content providers, Serialisation, Permissions, Activities and much more, all scattered through multiple processes with different privilege levels. From a single point of entry we will build our majestic sandcastle in Android's sandbox, spanning multiple processes to hopefully obtain the holy grail of Android permissions: android.permission.INSTALL_PACKAGES