[Android] HushSMS ROOT Edition released

I am aware of so many users wanting all HushSMS features for their devices even if their ROM does not provide the API. Well, the wait is over…if you’re willing to switch to a CM based ROM.

(INFO: If you have access to the ROM signing keys for the ROM you use, you can simply unsign the HushSMS-ROOT.apk and re-sign it with the signing keys from your ROM and everything should be fine. At least in theory, as I have not tried it this way.)

Why only CM?

Short answer: Because the app has to be a system app and the signing keys for CM are public.

Long answer: The sendRawPdu API was removed ages ago, and only some devices, like HTC ones with Sense, still have it available. There is still one class that offers this API method: the SMSDispatcher class. Unfortunately, this class is hidden and internal, which makes it available only to system apps. To become a system app, the app in question has to be signed with the manufacturer's key and needs to be installed in the /system/app path. This key is only available for CM and obviously not for original ROMs such as those from Samsung, LG or HTC.

HushSMS ROOT Edition only supports three types of messages. To be exact these are the ones that are missing in the market version on devices which do not support the above mentioned API method. Why not all message types you ask? Well, HushSMS ROOT Edition needs to use the following in the Manifest to function properly:

android:sharedUserId="android.uid.phone"

and

android:process="com.android.phone"

This is necessary to access the SMSDispatcher. Unfortunately, the com.android.phone UID is not allowed to use the permission android.permission.SEND_SMS, which is needed for the sendData API method, because the IccSmsInterfaceManager class enforces it with enforceCallingPermission instead of enforceCallingOrSelfPermission. Because of this, the permission requested by HushSMS ROOT Edition is ignored. So why the hell am I not reflecting this method from the SMSDispatcher as well? Because it is declared abstract and cannot be reflected.
As you can see above, I really tried my best to make this work as comfortably as possible, but I am limited to what the OS allows me to do with its APIs.
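The difference between the two checks, as a simplified Python model added here (not Android source and not HushSMS code): the "calling" variant only looks at the caller of an IPC that is currently being handled and fails when there is none, which is the situation of code running inside the com.android.phone process. The class and function names and the UID values are assumptions of the model.

```python
import threading
from contextlib import contextmanager

SEND_SMS = "android.permission.SEND_SMS"
PHONE_UID, APP_UID = 1001, 10050            # constructed UIDs for the model
GRANTED = {PHONE_UID: {SEND_SMS}, APP_UID: {SEND_SMS}}
_ipc = threading.local()                    # stands in for Binder's calling identity


class SecurityException(Exception):
    pass


@contextmanager
def incoming_ipc(caller_uid):
    """Model a Binder transaction arriving from another process."""
    _ipc.uid = caller_uid
    try:
        yield
    finally:
        del _ipc.uid


class Context:
    def __init__(self, own_uid):
        self.own_uid = own_uid

    def enforce_calling_permission(self, perm):
        caller = getattr(_ipc, "uid", None)
        # Outside an IPC there is no caller, so this check always fails.
        if caller is None or perm not in GRANTED.get(caller, set()):
            raise SecurityException(perm)

    def enforce_calling_or_self_permission(self, perm):
        # Outside an IPC the process's own UID is checked instead.
        uid = getattr(_ipc, "uid", self.own_uid)
        if perm not in GRANTED.get(uid, set()):
            raise SecurityException(perm)


def send_data(ctx, strict=True):
    """Model of a sendData-style entry point guarded by SEND_SMS."""
    check = (ctx.enforce_calling_permission if strict
             else ctx.enforce_calling_or_self_permission)
    check(SEND_SMS)
    return "sent"


def in_process_result(strict):
    """Call made from code living inside the phone process (no IPC)."""
    try:
        return send_data(Context(PHONE_UID), strict)
    except SecurityException:
        return "SecurityException"
```
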

So how do you install this app on your shiny CM powered device now?

I made a post over at XDA dev which I will c&p here for simplicity's sake.

- Make sure you have installed the official play store version. HushSMS ROOT Edition will not work without the official version installed.
- Download HushSMS-ROOT.apk from here
- Copy it to your PC/MAC
- Connect your phone via USB
- Open a console and change to the dir where you saved the file
- Type “adb root” (without the quotes of course)
- Then type “adb remount”
- Then type “adb push HushSMS-ROOT.apk /system/app/”

After that you should be able to start the app right from your drawer. If you can’t see it just reboot your device.

You will now be able to send the following message types:
- Class 0 (Flash SMS)
- Type 0 (Silent Ping)
- Message Waiting Indicator for Voice Messages activation and deactivation messages

If something goes wrong, feel free to contact me. I’m always willing to help and fix things as soon as I get a chance.

PS: If you can open the app but nothing happens if you try to send a message double check that you have the official play store version of HushSMS installed.

Cheers

[HowTo] Install Metasploit (and other useful stuff) under archlinuxarm on your Android device

A thread on XDA-Devs by user flashdrv [1] caught my attention on this topic. I read through the blog entry by Lance R. Vick [2] mentioned there and looked at the stuff on archlinux.org [3]. This was something that I wanted. So let’s start getting it up:

- On your linux workstation (or bootable cd) download the Archlinuxarm disk image for exynos (= my galaxy note 10.1, or for other cpus see here: http://archlinuxarm.org/platforms) here: http://archlinuxarm.org/os/ArchLinuxARM-odroidx-latest.img.gz

- Other platforms might have a TAR file instead of a full disk image. In this case skip a few steps and head over to lrvick’s guide below.

- Install kpartx (#sudo apt-get install kpartx) and use it as follows:

#kpartx ArchLinuxARM-odroidx-latest.img
loop0p1 : 0 8191 /dev/loop0 1
loop0p2 : 0 106496 /dev/loop0 8192
loop0p3 : 0 6291456 /dev/loop0 114688

#kpartx -a -v ArchLinuxARM-odroidx-latest.img
add map loop0p1 (253:0): 0 8191 linear /dev/loop0 1
add map loop0p2 (253:1): 0 106496 linear /dev/loop0 8192
add map loop0p3 (253:2): 0 6291456 linear /dev/loop0 114688

#mkdir /mnt/archlinuxarm
#mount /dev/mapper/loop0p3 /mnt/archlinuxarm
#cd /mnt/archlinuxarm
#tar czf archlinux.tgz ./*

- copy and extract the resulting tgz to your device (folder /data/local/arch)

#cd /data/local/arch
#tar xzf archlinux.tgz

- now follow the excellent guide at http://lrvick.net/blog/arch_linux_terminals_in_android/

- after everything is up and running, do the following to get Metasploit installed (you have to be in the archlinuxarm chroot already)
- pulling the msf svn will take some hours, so relax and take a nap or do something else

#pacman -S ruby
#pacman -S zlib
#pacman -S uniconvertor
#pacman -S svn
#cd /opt
#svn co https://www.metasploit.com/svn/framework3/trunk/ msf3
#cd msf3/
#./msfconsole

- you’re done if you can see the msfconsole running
- go and install additional packages like
- nmap (#pacman -S nmap)
- kismet (#pacman -S kismet)
- aircrack-ng (#pacman -S aircrack-ng)
- ettercap (#pacman -S ettercap)
- etc. (you can search for packages here: http://archlinuxarm.org/packages)

- If you get a problem that your user cannot access network stuff see [4]

- If you want DB support in Metasploit you can do it as follows:
- Install some needed stuff

#pacman -S postgresql
#pacman -S gcc
#pacman -S make
#gem install pg

- This will allow you to set up the db and use it in Metasploit (google for the setup procedure)

References:
[1] http://forum.xda-developers.com/showthread.php?t=2015812
[2] http://lrvick.net/blog/arch_linux_terminals_in_android/
[3] http://archlinuxarm.org/
[4] https://blog.tuinslak.org/socket-permission-denied

[Android] HushSMS got cracked again. Do I care? No! Should you? Yes! (read why)

Well,
first of all thanks to the crackers (I’m sure you’re reading this some day). You draw some more attention to my App.

So my App got cracked (again) and I simply do not care. Why, you ask? Because I personally don’t mind if you use a manipulated App from an untrusted source that can send out messages and thus costs you money. But why should you care?
To make it short: This App is developed with maximum caution to not cause you any harm or generate costs by accidentally sending thousands of messages that will cost you a lot of money. So if you use the cracked version of HushSMS there is no guarantee that the protection mechanisms are still valid and that you will not lose money through improper code.

Additionally, a general note on using cracked Apps: Android Apps are written in Java. They can be decompiled, manipulated and recompiled easily. Thus you will never know if the cracked App you use contains malicious code or malware, and you will not become aware of it, because malware writers are clever too…

However, if you can’t afford the small fee for buying HushSMS (or any other App) from an official source you should simply continue to use the cracked version and risk losing money, get scammed by malicious code or get assimilated by a Borg collective :-)

[Security Advisory] Samsung leaves its Android Smartphones with WAP-Push Feature Open to Attacks (one sms to rule them all)

Samsung is currently the biggest smartphone vendor in the world. Their Android-based smartphones also have the largest market share among all vendors.

They recently updated multiple devices to Android 4.0.x and more are on the waitlist. Android Smartphones with ICS from Samsung support WAP Push messages to enable the user to receive Logos, Ringtones etc.

The default setting for WAP Push messages is set to always accept which leaves these Smartphones open to attacks.

There are two kinds of WAP Push messages:

Attack 1.) Service Indication Message (SI) will present a message on the device with an embedded URL. The user can open the message and follow the URL by one click.

The sender's number is not displayed by the device. The user is unable to verify who sent this message and whether the contained link can be trusted. This leaves room for social engineering, phishing or, if an exploit exists, a compromise of the whole device. Obviously this kind of SMS also allows malicious people to send anonymous messages to their victims.

Attack 2.) Service Load Message (SL) will allow a provider to push software updates to the device or let logos or ringtones be pushed to the device.

A service load message can be configured in how it should be handled by the target device. Among others, one option is to force the target device to load the defined content from a URL without interacting with the user. Again, the sender's number is not displayed by the device. If such a forced message is received by the device, it will open the default browser and either display the URL defined in the message or download the targeted payload from the URL. This can be any file type, even an APK. In case of an APK, the user gets asked whether to install the file. If sideloading is activated in the device settings the provided file will be installed.
If the browser contains a vulnerability, this kind of message can be used to fully compromise the device.
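For inspecting a captured push message on the defensive side, the WBXML body of an SL message can be decoded to see which URL it carries and whether it asks the client to load the content by itself. The following Python sketch is an added example, not part of the original advisory or of HushSMS; the token values come from the WAP Service Loading specification, the function names are illustrative, the sample bytes are constructed, and only the SL body with an empty string table is handled (not the surrounding SMS and WSP headers).

```python
# WBXML tokens for SL 1.0 documents, taken from the WAP Service Loading spec.
SL_PUBLIC_ID, STR_I, END, SL_TAG = 0x06, 0x03, 0x01, 0x05
ATTR_START = {
    0x05: ("action", "execute-low"), 0x06: ("action", "execute-high"),
    0x07: ("action", "cache"), 0x08: ("href", ""),
    0x09: ("href", "http://"), 0x0A: ("href", "http://www."),
    0x0B: ("href", "https://"), 0x0C: ("href", "https://www."),
}
ATTR_VALUE = {0x85: ".com/", 0x86: ".edu/", 0x87: ".net/", 0x88: ".org/"}


def decode_sl(body: bytes) -> dict:
    """Decode the <sl> element of a WBXML SL body into its attributes."""
    if len(body) < 5 or body[1] != SL_PUBLIC_ID:
        raise ValueError("not a WBXML SL 1.0 document")
    if body[3] != 0:
        raise ValueError("string tables are not handled here")
    if body[4] & 0x3F != SL_TAG or not body[4] & 0x80:
        raise ValueError("expected an <sl> element with attributes")
    attrs, name, i = {"action": "execute-low"}, None, 5   # spec default
    while i < len(body) and body[i] != END:
        tok = body[i]
        i += 1
        if tok in ATTR_START:                 # attribute name (+ value prefix)
            name, prefix = ATTR_START[tok]
            attrs[name] = prefix
        elif tok == STR_I and name:           # inline NUL-terminated string
            end = body.index(0, i)
            attrs[name] += body[i:end].decode("utf-8", "replace")
            i = end + 1
        elif tok in ATTR_VALUE and name:      # well-known value fragment
            attrs[name] += ATTR_VALUE[tok]
        else:
            raise ValueError(f"unexpected token 0x{tok:02x}")
    if i >= len(body) or "href" not in attrs:
        raise ValueError("truncated or href-less SL document")
    return attrs


def triage(body: bytes) -> str:
    """Flag SL documents that ask the client to load content by itself."""
    sl = decode_sl(body)
    level = "ALERT" if sl["action"].startswith("execute") else "info"
    return f"{level} action={sl['action']} href={sl['href']}"


# Constructed samples (example domains), not captured traffic.
SAMPLE_EXEC = (bytes.fromhex("02066a00850a03") + b"example\x00"
               + b"\x85\x03dl/item\x00\x01")
SAMPLE_CACHE = bytes.fromhex("02066a0085070b03") + b"example.org/x\x00\x01"
```
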

Risk Mitigation: Open the SMS App and press Menu -> Settings. Go to “Push message settings” and either disable the service or, if you need it, set “Service loading” to “Prompt” or “Never”. To test if your device is vulnerable you can use HushSMS for Android to send WAP Push SI and WAP Push SL messages.


Screenshot of a received WAP Push SI message.

[APP] Raider – A special use case backup tool ;-)

Just finished the work on the initial release of Raider. Like I wrote in the last post this tool is inspired by p2p-adb from Kyle Osborn, so all creds go to him. This app requires root and adb installed on the device. You can find adb for arm7 here. I successfully tested Raider on my Xoom running Honeycomb 3.2 and on my Galaxy Tab running ICS. As target I used several rooted phones which all could be “backed up”.

This is the initial work I’ve done on this topic. The app is not threaded currently so if something goes wrong…

All backup files go to the device's SD card (internal or external) and the filenames begin with raider-xxx.tar

Enjoy it and leave a comment if you like it (else just go ahead).

Grab it while it is on the play store

[Android] Work in progress: Raider – A phone to phone adb app based on @theKos’s idea

Yesterday Kyle Osborn tweeted a method to use adb on an Android device with USB host to connect to another Android device which has debugging enabled. The scripts he kindly made available (source available at github) look promising and I decided to write an app for exactly the purpose he posted about. I already started development but am currently unable to test as I’m on a business trip and don’t have enough gadgets with me to test (lack of USB-OTG cable and second Android device). Looks like in the future I’ll have to carry more luggage just in case stuff like this comes out again when I’m on the road.
However, expect a first beta to be out in a week when I’m back.

[Android] btCrawler – Bluetooth Diagnostic Tool for Android released today

It’s done, finally. I ported my Bluetooth Scanning Tool btCrawler to Android. Sure, some features from the WinMo version are missing, but as time comes I will add more features to it.

So what is btCrawler and what can I do with it?

On startup a list of currently paired devices is shown. By touching a device entry a popup menu appears which lets you query SDP services or pair/unpair a device. There are three buttons at the top. The left lets you scan for devices around you which are in discoverable mode. After devices have been found, you can again touch an entry and get the popup menu again. The middle button lets you change your device’s discoverable mode and make it visible to others for 300 seconds or make it invisible again. The right button shows you the list of currently paired devices again.

When you press the sdp query option in the popup menu a query for services will be performed for the chosen device and displayed in a popup.

I hope you enjoy this tool.

Cheers

[Android] btPair – Bluetooth Pairing Helper released

Today I released btPair for Android, a helper utility for pairing and unpairing surrounding visible bluetooth devices.

Why?  U ask?

Ever sat in a rental car wanting to quickly pair your phone with the handsfree unit?
Ever bought some new BT equipment and wanted to pair ASAP?

In Android, managing bluetooth sucks. So I wrote this tool to quickly pair and unpair visible surrounding devices. If you start the tool and press scan you will be presented with a list of visible devices and their current pairing state. Just click on a device to quickly pair or unpair with a device. A red or green icon shows the current pairing (I know, in reality it’s called bonding) state.

Enjoy

See a screenshot here.

[Android] HushSMS Full Version available

I just published the first full version release of HushSMS for Android in the Android Marketplace. You can find it here.

For a full description of the program and all message types please visit: http://www.silentservices.de/HushSMS-Android.html

This is my first Android Software, so there might still be some bugs. If you find any please report them to me so I can make the software even better.

I suggest that you first install the free Lite version to check if your device is capable of sending the different message types. After that you can decide to buy the full version or just uninstall the Lite version again. Whatever you think, please rate the app in the market and tell me your thoughts so I can improve it.

Cheers

[Android] HushSMS for Android is on its way

Yesterday I published the demo version of the first release of HushSMS for Android to the market. Unfortunately and even with enough testing there was a bug that prevented the sent and delivered notifications from working properly for some messages.
In this demo there is a character limit of 30 per each message. This demo is to check if it works on your device. A full version will follow soon.

Demo version message types for fully supported devices (mainly all HTC with Sense UI):

- Normal SMS
- Flash SMS (Class0)
- WAP Push SI
- WAP Push SL
- MMSN (MMS Notification)
- MWIVA (Message Waiting Indicator Voice Activation = 1 new voice msg waiting)
- MWIVD (Message Waiting Indicator Voice DeActivation)

Demo version message types for partially supported devices:

- Normal SMS
- WAP Push SI
- WAP Push SL
- MMSN (MMS Notification)

The full version will add the following message types:

- PING (Type0)
- PING2

Check this blog for updates or follow me on twitter.