Monday, March 03 2014
Saturday, January 25 2014
InfoSecSouthWest April 4-6 Austin Texas. jduck: Android Security Research and Testing at Scale. Thomas Wang: Breaking through the bottleneck: Mobile malware is outbreak spreading like wildfire.
TextSecure: secure and easy to use text (SMS) for Android (and soon iOS)
I'm not really into advertising for stuff here but the recent update of
TextSecure made a gigantic impression on me. The application works well, is uber user friendly, and looks just great.
They further added IM-like functionality (using IP rather than SMS), see here: The New TextSecure: Privacy Beyond SMS. Further there is the possibility to run your own
server for TextSecure IP backend, see here.
I switched to TextSecure for a number of reasons: transparent encrypted SMS, super usable application (I can finally stop using the Hangout app - worst thing so far on my Nexus 5), TextSecure source code is available, and did I mention that the UI looks really great? All in all this is good quality security software that even looks better than the less secure competitors, YES!
WebViews and Security on Android
The security (insecurity) of WebView lately got a lot of attention.
Sunday, January 05 2014
This is an early update for February. Two reasons: first, I have stuff to write
about right now; second, I'm going to be super busy in February.
This year I attended ShmooCon for the first time. I liked it a lot and plan
to go again. I didn't know ShmooCon was running for 10 years already. They
seem to have a good grip on the conference and don't let it explode in size.
CanSecWest one of my favorite cons (maybe my #1). Talks: No Apology Required: Deconstructing Blackberry10 - Zach Lanier, Ben Nei ; Duo Security & Accuvant. Outsmarting Bluetooth Smart - Mike Ryan ; iSEC Partners. The Real Deal of Android Device Security: the Third Party - Collin Mulliner, Jon Oberheide ; Northwestern University, Duo Security.
Troopers (Heidelberg, Germany). There is one mobile talk in the main conference, but in addition they have TelSecDay (invite only) that focuses on telecommunication security. The main conference talk is: Modern smartphone forensics: Apple iOS: from logical and physical acquisition to iCloud backups, document storage and keychain; encrypted BlackBerry backups (BB 10 and Olympia Service)
by Vladimir Katalov.
nullcon (Goa, India) has a mobile talk this year: Modern smartphone forensics: Apple iCloud, encrypted BlackBerry backups, Windows Phone 8 cloud backup - by Vladimir Katalov.
SyScan 2014 looks super awesome this year. Josh "Monk" Thomas : "How to train your Snapdragon: Exploring Power Regulation Frameworks on Android". Dr Thaddeus (The) Grugq : "Click and Dragger: Denial and Deception on Android Smartphones". Alex Plaskett & Nick Walker "Navigating a sea of Pwn? : Windows Phone 8 AppSec".
Black Hat Asia THE INNER WORKINGS OF MOBILE CROSS-PLATFORM TECHNOLOGIES by Simon Roses Femerling.
HITB Amsterdam Shellcodes for ARM: Your Pills Don't Work on Me, x86 by SVETLANA GAIVORONSKI and IVAN PETROV.
RootedCON (Spain) talks: Raul Siles - iOS: Regreso al futuro, Pau Oliva - Bypassing wifi pay-walls with Android. Some talks look like they are mobile talks too :) (my Spanish is kinda bad)
There are a lot of interesting talks in the next month. I'm working on (and finished) some interesting projects that I can hopefully talk about soon.
Our Android book is finalized and thus should be available in April.
The Defcon CFP is already open so make sure you submit your talks early. Also check out Area 41, a fine security conference in Switzerland; the CFP is still open.
This year I'm co-chairing ARES an academic security conference. Please consider submitting your papers.
If you are interested in NFC (Near Field Communication) check out the current draft of the Web NFC API. The standard defines how a "web page" can interact with NFC devices.
Thursday, November 21 2013
awesome. A lot of good talks, many friendly people, and an awesome location.
The recordings of all talks can be found here.
The slides and source for my talk Android DDI are available here: slides and source.
I was super busy so I guess I missed a lot that was going on in the 2nd half of December. I will start posting stuff again later this month.
I'm going to ShmooCon in mid January and to Troopers in March.
Advertisement: If you are a computer science student and are interested in security and want to spend some time in the US, please contact me. I'm always looking for motivated people to do research with.
Friday, October 11 2013
30c3 did not announce the program yet but I know a bunch of people who got their talks accepted. It is going to be a good conference. I will talk about my Dynamic Dalvik Instrumentation framework for Android (more about this soon).
ShmooCon has announced a number of talks. Armor For Your Android Apps by Roman Faynberg, Apple iOS Certificate Tomfoolery by Tim Medin, How Smart Is Bluetooth Smart? by Mike Ryan, Protecting Sensitive Information on iOS Devices by David Schuetz
News and Links
I bet I missed a lot of stuff that happened in the last weeks.
I'm going to be at 30c3 in Hamburg, Germany between Christmas and New Year's.
Friday, August 30 2013
September was a busy month, but the monthly update is back!
HACK.LU Debugging and Reversing the HTC Android Bootloader by Cedric Halbronn and Nicolas Hureau, Grand Theft Android: Phishing with permission by Joany Boutet and Tom Leclerc, Abusing Dalvik Beyond Recognition by Jurriaan Bremer, Playing Hide and Seek with Dalvik executables by Axelle Apvrille. So Hack.Lu has a lot of Android talks this year, but most of the other talks look super interesting too. I would love to go, but can't.
PacSec Tokyo, November 2013. "Android games + free Wi-Fi = Privacy leak": Takayuki Sugiura & Yosuke Hasegawa, NetAgent, @hasegawayosuke; "Defeating the protection mechanism on Android platform": Tim Xia, Baidu; "Mobile Phone Baseband Exploitation in 2013: Hexagon challenges": Dr. Ralf-Philipp Weinmann, Affiliation, @esizkur; "Deeper than ever before: Exploring, Subverting, Breaking and Pivoting with NAND Flash Memory": Josh m0nk Thomas. The PacSec program kicks ass!
Missed conferences: ekoparty 2013, they had a bunch of mobile (mostly Android) talks.
Monday, August 12 2013
DeepSec Cracking And Analyzing Apple iCloud Protocols: iCloud Backups, Find My iPhone, Document Storage: Vladimir Katalov (ElcomSoft Co. Ltd.), Bypassing Security Controls with Mobile Devices: Georgia Weidman (Bulb Security LLC), Using memory, filesystems, and runtime to app pen iOS and Android: Andre Gironda, Mobile Fail: Cracking Open "Secure" Android Containers: Chris John Riley (c22.cc), Building the first Android IDS on Network Level: Jaime Sánche
Hack in the Box - Kuala Lumpur Tales from iOS 6 Exploitation and iOS 7 Security Changes: Stefan Esser, Cracking and Analyzing Apple's iCloud Protocols: Vladimir Katalov, Android DDI: Dynamic Dalvik Instrumentation of Android Applications and Framework: Collin Mulliner
Breakpoint Ruxcon A TALE OF TWO ANDROIDS: Jon Oberheide, ADVANCED IOS KERNEL DEBUGGING FOR EXPLOIT DEVELOPERS: Stefan Esser
BruCON Jake Valletta - CobraDroid, David Perez/Jose Pico - Geolocation of GSM mobile devices, even if they do not want to be found., Stephan Chenette - Building Custom Android Malware for Penetration Testing
Hackers2Hackers Android: Game of Obfuscation: Bremer & Chiossi, At ARMs length yet so far away: Brad Spengler
Android PRNG Stuff:
So I guess everybody knows about the Android PRNG issue. See
Some SecureRandom Thoughts
Google confirms critical Android crypto flaw used in $5,700 Bitcoin heist
OpenSSL PRNG Is Not Really Fork-safe
Upcoming paper at CCS'13: Soo Hyeon Kim (The Attached Institute of ETRI and KOREA University), Daewan Han (The Attached Institute of ETRI), Dong Hoon Lee (KOREA University) Predictability of Android OpenSSL's Pseudo Random Number Generator (those guys also got credited with reporting some issues about Android's OpenSSL PRNG usage). So they know about this for some time since the submission deadline for CCS was early in May. I wonder if the bitcoin heist could have been avoided if they notified the devs of the Android bitcoin wallet apps instead of Google.
SyScan 360 Tales from iOS 6 Exploitation and iOS 7 Security Changes by Stefan Esser; Mr. Big-dumb or Mr. Big-data: How smart is your mobile security intelligent system by Wayne Yan; Android Forensic Analysis Deep Dive by Bradley Schatz; Detecting Advanced Android Malware by Data Flow Analysis Engine by pLL and Zu Hao
I'm going to speak at HITB in Kuala Lumpur in October. My talk will be about Dynamic Dalvik Instrumentation. I will release all my code after the talk.
HITB does not have a program yet.
30c3 in Hamburg Germany (awesome location!)
Black Hat USA slides are available here.
Make sure to check out the first release of POC||GTFO