Welcome to XDA

Search to go directly to your device's forum

Register an account

Unlock full posting privileges

Ask a question

No registration required
Post Reply

[MOD][Apr 29] TD Fuzzer - Change device provisioning data for Touchdown

OP agentdr8

29th April 2014, 09:40 PM   |  #1  
agentdr8's Avatar
OP Senior Member
Flag Cowtown, CA
Thanks Meter: 1,138
 
2,271 posts
Join Date:Joined: Mar 2007
Donate to Me
More
TD Fuzzer

This is a simple Xposed module designed to help those that utilize Nitrodesk's Touchdown to connect to their Exchange Activesync systems. Some EAS implementations prohibit certain device types/models from connecting, or if you'd rather present an alternate device when provisioning, this module can help with that. Keep in mind, if your IT staff/Info Security Office discover that you're circumventing their security controls and/or policies, I can't be held accountable if you get reprimanded and/or fired. This module won't circumvent specific policy requirements, such as device or sdcard encryption, strong password requirements, or disabled feature sets (disable IR, disable BT, etc). All it does is replace device-specific information that is collected during device provisioning, and also during each Activesync session (User-Agent header).

A picture is worth a thousand words, or so the saying goes:



The device on the top is my HTC One (m7) running Touchdown 8.4.00082 on KK 4.4.2, and the one beneath it is an actual iPhone 5s. The only discernible difference is the Device ID (which can't easily be changed in TD without breaking stuff).

This module should work on most devices running most ROMs. It only hooks the Touchdown package, and has been tested on TD 8.1.x and 8.4.x against Exchange 2010 SP1 (Activesync v14.1).

Install/Configuration
  • Install Xposed Framework
  • Activate Xposed app_process
  • Install this module and enable in Xposed Installer
  • Open TD Fuzzer settings and configure options
  • Reboot or soft-reset
  • Open Touchdown and provision device (or if already provisioned, go to TD Settings, Connection, ActiveSync button, Refresh ActiveSync Settings)

Source
You can find it on my github

Alternate Install
Also available in the xposed repo
Attached Thumbnails
Click image for larger version

Name:	tdfuzzss.png
Views:	472
Size:	89.3 KB
ID:	2716265  
Attached Files
File Type: apk TDFuzzer_v1.0.apk - [Click for QR Code] (234.2 KB, 20 views)
Last edited by agentdr8; 29th April 2014 at 10:00 PM.
The Following 3 Users Say Thank You to agentdr8 For This Useful Post: [ View ]
29th April 2014, 10:03 PM   |  #2  
agentdr8's Avatar
OP Senior Member
Flag Cowtown, CA
Thanks Meter: 1,138
 
2,271 posts
Join Date:Joined: Mar 2007
Donate to Me
More
@cities516 can you add to your module index?
The Following User Says Thank You to agentdr8 For This Useful Post: [ View ]
2nd May 2014, 05:15 PM   |  #3  
agentdr8's Avatar
OP Senior Member
Flag Cowtown, CA
Thanks Meter: 1,138
 
2,271 posts
Join Date:Joined: Mar 2007
Donate to Me
More
Until I get around to adding some device presets into the module, here are some examples straight out of OWA:

iPhone 4S
Phone friendly name: Black iPhone 4S
Device Model: iPhone4C1
Phone OS: iOS 7.0.4 11B554a
Device Operating System Language: en
User agent: Apple-iPhone4C1/1102.55400001

SAMSUNG SGH-I747 (AT&T GS3)
Phone friendly name: d2uc
Device Model: SAMSUNG-SGH-I747
Phone OS: Android
Device Operating System Language: English
User agent: SAMSUNG-SGH-I747/101.403

SAMSUNG SGH-I317 (AT&T GN2)
Phone friendly name: t0lteatt
Device Model: SAMSUNG-SGH-I317
Phone OS: Android
Device Operating System Language: English
User agent: SAMSUNG-SGH-I317/100.40102
Last edited by agentdr8; 5th May 2014 at 08:38 PM.
The Following User Says Thank You to agentdr8 For This Useful Post: [ View ]
7th November 2014, 07:34 AM   |  #4  
Junior Member
Thanks Meter: 0
 
1 posts
Join Date:Joined: Nov 2014
Thumbs up Great Work!
I've been search for a solution for this for ages and must I say that your xposed module is by far the only and most effective solution. Big congrats and very much obliged, man.

Because without this, although Touchdown can spoof a device name, the OS, protocols during the Activesync provisioning process will still be "Android 4.4.x" and "Touchdown x.x.x". So from the admin's side, it is still able to identify the spoofing by looking at the OWA mobile log.

Three questions:

1. How does it work? Modifying provisioning communication packets between Touchdown and ActiveSync server? I'm asking this because I want to know if future versions of Touchdown can be supported.
2. Will you consider supporting Android 5.0?
3. Will you consider supporting AOSP email apps, (preferably the apks with Exchange Security byPass working for 4.4.4 and 5.0)

Again, many thanks to you for the great work!
7th November 2014, 05:26 PM   |  #5  
agentdr8's Avatar
OP Senior Member
Flag Cowtown, CA
Thanks Meter: 1,138
 
2,271 posts
Join Date:Joined: Mar 2007
Donate to Me
More
Quote:
Originally Posted by XDAAdvocate

1. How does it work? Modifying provisioning communication packets between Touchdown and ActiveSync server? I'm asking this because I want to know if future versions of Touchdown can be supported.

I've replaced the writeDeviceInfo() method, which builds the provisioning XML object (com.nitrodesk.wbxml.WBXMLSerializer object, to be precise). This should be compatible with any version of TD; it's more specific to the Activesync protocol version (14.1 in this case). If MS changes how devices send provisioning data, then it would have to be updated. Also, there's information that's passed to EAS in the User-Agent header, which this module replaces.

Quote:

2. Will you consider supporting Android 5.0?

Sure, once I have a device running Android L and the Xposed Framework.

Quote:

3. Will you consider supporting AOSP email apps, (preferably the apks with Exchange Security byPass working for 4.4.4 and 5.0)

I've run across at least one xposed module out there that bypasses the AOSP email security restrictions for EAS. Since I don't normally run AOSP roms, it's much harder for me to do any sort of debugging/dev work.
Last edited by agentdr8; 7th November 2014 at 05:45 PM.
Today, 11:42 AM   |  #6  
Junior Member
Thanks Meter: 0
 
2 posts
Join Date:Joined: Dec 2010
Quote:
Originally Posted by agentdr8

......
I've run across at least one xposed module out there that bypasses the AOSP email security restrictions for EAS. Since I don't normally run AOSP roms, it's much harder for me to do any sort of debugging/dev work.

Can you tell me where to find the modules to bypass these security restrictions for EAS. There are indeed some modules to bypass the mandatory PIN for example. But no module to bypass and change the device provisioning data.
Today, 01:26 PM   |  #7  
Falcon G's Avatar
Senior Member
Thanks Meter: 884
 
390 posts
Join Date:Joined: May 2014
More
This is what I needed thanks will try and report

The Following User Says Thank You to Falcon G For This Useful Post: [ View ]
Post Reply Subscribe to Thread

Tags
kitkat, touchdown, xposed
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes