Below are some simple instructions to help you along the way. I’m using a Mac, so you may need to use slightly different commands if you’re using Linux.

Step 1: Download the Android SDK onto the box

You’ll want to grab the latest SDK from Google’s Android SDK page. As of this post, the latest version for Mac is android-sdk_r16-macosx.zip. I used this command to download this on my Mac:

$ curl -C - -O http://dl.google.com/android/android-sdk_r16-macosx.zip

Step 2: Unzip the SDK

I decided to put the SDK in my /Applications directory. You can put it wherever you want, but if you want to follow my lead you can use the following commands to get it into the /Applications dir:

$ mv android-sdk_r16-macosx.zip /Applications
$ cd /Applications
$ unzip android-sdk_r16-macosx.zip

Step 3: Determine what API levels, tools, and documentation you want to install

You now have a base SDK installed, but you still need to download the corresponding Android APIs for whichever Android version you’re developing for. In order to know what you need to install, you’ll want to list the available APIs, tools, and docs. We can use the android tool to do this and the –no-ui flag to alert the tool that we’re on the command line. Here is how to get a list of what’s available:

$ cd /Applications/android-sdk-macosx
$ tools/android list sdk --no-ui
Refresh Sources:
  Fetching https://dl-ssl.google.com/android/repository/addons_list-1.xml
  Validate XML
  Parse XML

  ...snip...

Packages available for installation or update: 61
   1- Documentation for Android SDK, API 15, revision 1
   2- SDK Platform Android 4.0.3, API 15, revision 2
   3- SDK Platform Android 4.0, API 14, revision 3
   4- SDK Platform Android 3.2, API 13, revision 1
   5- SDK Platform Android 3.1, API 12, revision 3
   6- SDK Platform Android 3.0, API 11, revision 2
   7- SDK Platform Android 2.3.3, API 10, revision 2
   8- SDK Platform Android 2.2, API 8, revision 3
   9- SDK Platform Android 2.1, API 7, revision 3
  10- SDK Platform Android 1.6, API 4, revision 3
  11- SDK Platform Android 1.5, API 3, revision 4

  ...snip...

  56- Android Support package, revision 6
  57- Google Admob Ads Sdk package, revision 4
  58- Google Analytics Sdk package, revision 2
  59- Google Market Billing package, revision 1
  60- Google Market Licensing package, revision 1
  61- Google Webdriver package, revision 2

Step 4: Install your packages

Ok, so you have a list of the APIs and tools. See which ones you want to install and find their corresponding number. If you want to install API 15 and the Android Support package, you’ll want number 2 and 56. We can use the android tool again and the –filter flag to alert it that we only want to install package 2 and 56:

$ tools/android update sdk --filter 2,56 --no-ui

You’re done!

Happy hacking Android devs!

[2010-05-04 01:53:46 - HelloAndroid] ------------------------------
[2010-05-04 01:53:46 - HelloAndroid] Android Launch!
[2010-05-04 01:53:46 - HelloAndroid] adb is running normally.
[2010-05-04 01:53:46 - HelloAndroid] Performing com.example.helloandroid.HelloAndroid activity launch
[2010-05-04 01:53:46 - HelloAndroid] Automatic Target Mode: launching new emulator with compatible AVD 'myAVD'
[2010-05-04 01:53:46 - HelloAndroid] Launching a new emulator with Virtual Device 'myAVD'
[2010-05-04 01:53:58 - HelloAndroid] New emulator found: emulator-5554
[2010-05-04 01:53:58 - HelloAndroid] Waiting for HOME ('android.process.acore') to be launched...
[2010-05-04 01:53:59 - Emulator] 2010-05-04 01:53:59.501 emulator[10398:903] Warning once: This application, or a library it uses, is using NSQuickDrawView, which has been deprecated. Apps should cease use of QuickDraw and move to Quartz.
[2010-05-04 01:54:23 - HelloAndroid] emulator-5554 disconnected! Cancelling 'com.example.helloandroid.HelloAndroid activity launch'!

The crash report was identifying the problem as a segfault:

Process:         emulator [10472]
Path:            /Applications/android-sdk-mac_86/tools/emulator
Identifier:      emulator
Version:         ??? (???)
Code Type:       X86 (Native)
Parent Process:  eclipse [10468]

Date/Time:       2010-05-04 02:25:41.153 -0500
OS Version:      Mac OS X 10.6.3 (10D573)
Report Version:  6

Interval Since Last Report:          2558914 sec
Crashes Since Last Report:           4
Per-App Crashes Since Last Report:   2
Anonymous UUID:                      C5F178C1-5290-4CA9-AD6E-E9C4F5582754

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000001fd2f000
Crashed Thread:  3

The explanation

As best I could tell a snapshot of my AVD was saved while the previous version of HelloAndroid was running. And so when I went to run the new version of HelloAndroid (after making some code changes) the new package was copied over and then the emulator was restored. At this point it was in a corrupt state where the old version was still in memory but the new version existed in local storage. This may or may not be exactly what was happening, but it appeared to be what was causing the app to crash.

The fix

For me, I simply turned snapshots off on my AVD. To do that in Eclipse you can just follow this menu/button options:
Window -> AVD Manager -> [select your avd] -> Click Edit -> Uncheck “Enabled” next to Snapshots

If this doesn’t work you can also delete the AVD and create a new one with the same settings but with snapshots disabled.

If you’re still running into trouble, check out this thread over at StackOverflow. It didn’t solve my problems, but your mileage may vary.

Happy Android Coding!

E/AndroidRuntime(673): java.lang.RuntimeException: Unable to start activity
ComponentInfo{com.example.helloandroid/com.example.helloandroid.HelloAndroidActivity}: android.os.NetworkOnMainThreadException

From Google’s documentation:

The exception that is thrown when an application attempts to perform a networking operation on its main thread.

This is only thrown for applications targeting the Honeycomb SDK or higher. Applications targeting earlier SDK versions are allowed to do networking on their main event loop threads, but it’s heavily discouraged.

The fix

The problem here is simply that you need to make your web service calls (or what-have-you) on a separate thread. So, quite simply, you’ll need to look into how to do threading with Android. Unfortunately this can be a bit of a pain because you need to make your service calls on a separate thread, but you need to update the UI on the main thread. Normally this would require passing data between the threads, which involves handlers or other complexities. Luckily the Android platform provides the Async Task to handle this, which alleviates some of this complexity and may help you avoid some clutter in your code.

Useful documentation to migrate your network calls to threads (or Android’s Async Task)

Painless Threading (from the Android Developer docs)
Async Task (from the Android Developer docs)
Android Threads, Handlers and AsyncTask – Tutorial
Designing for Responsiveness (from the Android Developer docs)

Good luck!

About a week ago, TechCrunch discussed a panorama application for Android. The application is called 360 and it was created by Vineet Devaiah‘s company TeliportMe. It’s received praise from some other reputable sources as well and has even managed to attract about 30,000 users; but as will become more apparent over time I love to dig into the security of these sorts of apps. Unfortunately for TeliportMe, their web security is not up to snuff.

Warning

I will warn you one more time! DANGER! DANGER! DANGER! Proceed with reading this article and/or partaking in any action on TeliportMe’s 360 website or mobile application with extreme caution and at your own risk. I highly recommend that you DO NOT visit TeliportMe’s 360 website or PhotoTour.in directly. By the time you read this someone else may have already used this information to exploit the site and/or its visitors. YOU HAVE BEEN WARNED!

The 360 Exploits

There are various ways you can go about exploiting this application. I’ll discuss a few of the information disclosures, how to modify any photo’s name, and a few ways to use XSS.

Information Disclosures

360 as well as PhotoTour.in both use a REST API to pass data around internally via XML. This is an excellent way to build a reusable system and makes it very easy to build new applications as your company grows (great job devs!). Where they went wrong is in securing this system, because guess what!? That’s right! IT’S PUBLIC! Below are some cool links you can use to query their API.

Recent Photo Stream

This is the recent photo stream. You can also use a few variables to limit your query. Nothing special here outside of maybe the addresses and geographical coordinates. Most of this is available via the website anyway.

http://360.vtcreator.com/api/stream/

http://360.vtcreator.com/api/stream/index?count=10&type=upload

User Data

This is how to obtain information about a user. Luckily this doesn’t contain any really sensitive information, but it does make it easy to tell who is signed up on the site, how many people are signed up, and you can potentially grab some users’ email and Facebook info. Below is the link to one of the CEO’s accounts. You can of course change the 5 to any number you want to try other accounts.

http://360.vtcreator.com/api/users/5

Photo Data

You can also obtain photo data. Nothing special here really outside of more geographical info and vote info. Looks like they were considering implementing a dislike feature.

http://360.vtcreator.com/api/environments/3117

More Fun

There are lots of other fun things you can do like getting the photo comments or posting new comments. I won’t go into all the details, but below is a link to get photo comments.

http://360.vtcreator.com/api/threads/phototour_environment_2515

Editing Any Photo’s Info

From the website

The good thing about this exploit is it’s not public; you do have to be logged into the site. The bad part is when I say edit any photo I literally mean ANY photo on ANYONE’S account. Of course the photo then becomes associated with your account, but obviously a malicious user could just use a proxy if he wanted to protect his identity and then go around modifying user photos. Below is a link to edit one of Vineet’s photos, but of course you can change the photo id from 3117 to anything you want.

http://360.vtcreator.com/profile/editphoto/id/3117

Using Your Own Form

If you want to get really crafty you can build an HTML form yourself and just post data to http://360.vtcreator.com/profile/upload. Then you can edit a few more details like the photo location. I won’t go into those details here.

Liking (Voting for) Any Photo As Any User

This is another exploit that will allow you to impersonate any user and vote for any photo. By impersonating different users you can spam votes for one photo to get it to the top of the “Top Rated” list on the 360 website. This one requires making an HTTP POST request, so you could copy and paste the below into a file called 360_voter.html and then use it to submit false votes. You can change 3117 to any photo ID and 5 to any user ID to vote for that photo as that user.

<html>
<body>
<form method="post" action="http://360.vtcreator.com/api/environments/3117/votes/">
<input name="user_id" type="text" value="5" /><br />
<input name="environment_id" type="text" value="3117" /><br />
<input type="hidden" name="value" value="1" /><br />
<input type="submit" name="submit" value="Vote" class="submit-button"/>
</form>
</body>
</html>

Cross Site Scripting (XSS)

Photo Names

And of course, the ever prevalent XSS exploits. There are a couple on the 360 site and even more on PhotoTour.in, but I’ll only discuss the 360 site in this post. The first is that when editing any user’s photos you can inject JavaScript into the Photo name.

Photo Comments

Secondly, when viewing photos you can add comments which can also contain injected JavaScript. You could use this to target specific users by injecting JavaScript into all of their photos; something that steals their cookie would do nicely, unlike the harmless alert below.

Hijacking the Homepage

With this information you could easily hijack the homepage to redirect users somewhere else.

• Upload a photo
• Rename the photo to add JavaScript that redirects users to another website
• Spam votes using the vote exploit to get the photo to the top of the list of “Top Rated” photos which is displayed as the homepage

Of course the site you redirect to could easily be a drive-by install site that installs malware on the users’ PCs or pretty much anything you wanted. Scary!

Things to Ponder

SQL Injection

With all the things I see on this site it certainly appears that one could do more devious deeds. I wouldn’t be surprised to see some SQL injection, but I didn’t attempt to exploit it myself.

Account Deletion

360 uses HTTP POSTs to delete things. Generally you just POST something like method=delete&user_id=1&access_token=123abc to one of the API URLs. I suspect a crafty user could bypass this simple access_token check. Below is an example URL; that URL would delete the photo if it were a POST request instead of a GET and if it had a valid access_token and user_id:

http://360.vtcreator.com/api/environments/3117?method=delete&user_id=1&access_token=123abc

Lessons Learned

• New websites can easily become playgrounds for malicious users
• Where there’s one exploit, there’s another
• Multiple exploits can allow a crafty attacker to perform even worse attacks (like hijacking your homepage)

The features available for iPhone match those available for Android devices and include the group messaging Huddle capability. For a closer look at what the mobile app can do, take a look at the video below.