Black Hat ASIA Singapore March 28-31. FRIED APPLES: JAILBREAK DIY by Alex Hude, Max Bazaliy, Vlad Putin. ANTI-PLUGIN: DON'T LET YOUR APP PLAY AS AN ANDROID PLUGIN by Cong Zheng, Tongbo Luo, Xin Ouyang, Zhi Xu. REMOTELY COMPROMISING IOS VIA WI-FI AND ESCAPING THE SANDBOX by Marco Grassi. 3G/4G INTRANET SCANNING AND ITS APPLICATION ON THE WORMHOLE VULNERABILITY by Guangdong Bai, Zhang Qing. MOBILE-TELEPHONY THREATS IN ASIA by Lion Gu, Marco Balduzzi, Payas Gupta. MASHABLE: MOBILE APPLICATIONS OF SECRET HANDSHAKES OVER BLUETOOTH LE by Yan Michalevsky.
CanSecWest Vancouver Canada, March 15-17. Qidan He : Pwning Nexus of Every Pixel: Chain of Bugs demystified. Logic Bug Hunting in Chrome on Android by Georgi Hershey & Robert Miller.
Zer0Con Seoul, Korea April 13-14. Ian Beer : Through the mach portal.
OsmoCon (Osmocom Conference) 2017 is the first technical conference for Osmocom users, operators and developers! April 21, Berlin. All about Osmocom!
HITB Amsterdam April 13-14. FEMTOCELL HACKING: FROM ZERO TO ZERO DAY by JeongHoon Shin. CAN'T TOUCH THIS: CLONING ANY ANDROID HCE CONTACTLESS CARD by Slawomir Jasek. EXTRACTING ALL YOUR SECRETS: VULNERABILITIES IN ANDROID PASSWORD MANAGERS by Stephan Huber, Steven Artz, Siegfried Rasthofer. HUNTING FOR VULNERABILITIES IN SIGNAL by Markus Vervier.
Opcde Dubai, UAE April 26-27. Practical attacks against Digital Wallet by Loic Falletta.
I took a way too long break again. So many things happen in the world of mobile security every week. I really wish I had more time for this. I also have a bunch of small things I need to put on this blog but I think they are too specific for the news and will likely get their own posts.
Some news from MWC (I didn't attend):
First the BlackBerry KEYone a new Android-based phone with a physical keyboard. Other then the BB Priv the KEYone's keyboard is fix and doesn't slide. Movable parts are really not a good idea, they break way too fast. In my opinion this device looks super solid and likely will be supported longer than the average flagship phone from other manufacturers (data on this would be awesome).
Nokia released 3 new Android phones the 3 (MTK), 5 (QCOM) and 6 (QCOM). The phones seem to run Android N without any modifications or vendor crap. Very low price (230Euro for the 6). The bottom of their website specifically says: You get an experience that's focused and clutter-free, and we'll make sure you keep getting regular updates, so you'll always stay on top of features and security. that is what you should expect in 2017.
The Android Devices Security Patch Status page is an awesome resource to determine if a specific device from a specific vendor has been patched and when the patch was released. From the page: This list is Prepared to Serve as a Quick reference to identify which Device is being actively maintained by the Vendor.. This is super useful, thanks!
Xiaomi launching own SoC for Android phones-upgradable baseband with fake base station detection capabilities. IMSI catchers r threat now ;) pic.twitter.com/S0hzDBIiQd— Ravishankar Borgaonk (@raviborgaonkar) March 2, 2017
Apple 0day is expensive. https://t.co/F1UEUU0s3r— Collin Mulliner (@collinrm) February 22, 2017
MOSEC mobile security conference in June in Shanghai. This seems to be the 3rd year of the conference. There is no schedule yet.
The story of the day Vault 7: CIA Hacking Tools Revealed. Vault 7: CIA Hacking Tools Revealed : iOS Exploit list. Yes, the CIA uses n-day exploits! The Android exploits.
They talk about Android, Defcon, and backdooring your repo? ;-)
Pic of the month:
ENISA: Smartphone Secure Development Guidelines
Android Security Bulletin - March 2017
Android Security Bulletin - February 2017
Vault 7: CIA Hacking Tools Revealed
Multi-BTS with Osmocom and a single UmTRX
Obfuscation-Resilient Privacy Leak Detection for Mobile Apps Through Differential Analysis Paper and Tool
Booting into fastboot mode Instructions for all Nexus devices
TROOPERS17 GSM Network - How about your own SMPP Service?
MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models paper
Exploiting Android S-Boot: Getting Arbitrary Code Exec in the Samsung Bootloader (1/2)
Android ransomware requires victim to speak unlock code
Hacking Android phone. How deep the rabbit hole goes.
Sunny with a chance of stolen credentials: Malicious weather app found on Google Play 5k installs via Google Play!
iOS keychain items used to persist after app uninstall. As of iOS 10.3 beta 2, deleting app deletes keychain items via @hubert3
SunShine 3.4.27 is out - Bringing unlock support for Droid Turbo on 6.0.x
Cellular re-broadcast over satellite
Identifying Rebroadcast (GSM) also linked in post above
ios-triage - Node.js cli for iOS incident response. Program will extract, process and report (including diffs) on iOS device and app telemetry.
Remote control: Companies blur lines over who owns devices
Shodan.io iOS App
Analysis of iOS.GuiInject Adware Library
Patching and Re-Signing iOS Apps
Lifting the (Hyper) Visor: Bypassing Samsung's Real-Time Kernel Protection
Android ransomware repurposes old dropper techniques
Deobfuscating libMobileGestalt keys
Samsung: Stack buffer overflow in OTP TrustZone trustlet
How easy it would be to hack Trump's phone by my friend Zach aka @quine
iOS 10.2 Yalu Jailbreak Now Supports All 64-bit Devices except iPhone 7 and iPad Air 2
Android bootloader (aboot) parser
Tracking Android Security Update across Devices
SAMSUNG KNOX 1.0 ECRYPTFS KEY GENERATOR WEAK ENCRYPTION
Deep Analysis of Android Rootnik Malware Using Advanced Anti-Debug and Anti-Hook, Part II: Analysis of The Scope of Java
Black market Blackphones get sent a kill message that bricks them
iOS/MacOS kernel memory corruption due to userspace pointer being used as a length
Update on the Fancy Bear Android malware (poprd30.apk)
An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps (paper)
Charger Malware Calls and Raises the Risk on Google Play
Secrets leak in Android apps online service to test APKs
26 security issues in major Android password manager apps
Easy 4G/LTE IMSI Catchers for Non-Programmers (paper)
App-in-the-Middle Attack Bypasses Android for Work Secure Framework
Android FRIDA: Add support for enumerateLoadedClasses() on ART
Android: Inter-process munmap in android.util.MemoryIntArray
Owning a Locked OnePlus 3/3T: Bootloader Vulnerabilities
Binary based obfuscation in a way of CTF kids. We obfuscate your apps, support both iOS/Android.
Android (Huawei) privilege escalation in EMUI keyguard app via loading shellcode in theme pack
The Story of Firefox OS
Recon Brussels Brussels, 27-29 January. Analyzing iOS apps: road from AppStore to security analysis report by Lenar Safin, Yaroslav Alexandrov, Egor Fominykh, Alexander Chernov.
31CON Auckland NZ, 23-24 February. RAVISHANKAR BORGAONKAR (UK): PRIVACY ISSUES IN 4G. PHILIPPE LANGLOIS (FRANCE): something about mobile networks.
Android Security Symposium 2017 Vienna Austria, March. Many interesting talks.
Troopers Heidelberg, Germany. March. Hunting For Vulnerabilities in Signal by Jean-Philippe Aumasson, Markus Vervier. Samsung Pay: Tokenized Numbers, Flaws and Issues by Salvador Mendoza.
TelcoSecDay @ Troopers It's no use crying over spilled 2G,3G,4G - what we need to fix in 5G. Outlook on 5G security from 3GPP perspective. Automated large-scale detection of rogue base stations: A field report. Exploring fraud in telephony networks, an illustration with Over-The-Top Bypass.
Infiltrate Miami, FL. March. Jean-Philippe Aumasson, Markus Vervier: Hunting For Vulnerabilities in Signal. Georgi Geshev, Robert Miller: Logic Bug Hunting in Chrome on Android. Marco Grassi, Liang Chen: Remotely Compromising a Modern iOS Device. Vasilis Tsaousoglou, Patroklos Argyroudis: The Shadow over Android: Heap exploitation assistance for Android's libc allocator. Ralf-Phillip Weinmann: Did I hear a shell popping in your baseband?.
CFPs backdoor story is just bad and will drive users away from a secure messaging app (maybe even the biggest install based of all of them). Zeynep Tufekci wrote an open letter to the Guardian to have them update the story. Moxie also wrote a blog post about these claims. The Guardian should have asked people with the technical expertise for advice before publishing the story.
AT&T 2G network shutdown happened on Dec 31 2016
AndroidXRef is looking for sponsors!
The mobile talks from 33c3 are all totally worth watching (no particular order):
Dissecting modern (3G/4G) cellular modemsPics of the month:
Downgrading iOS: From past to present
Geolocation methods in mobile networks
Shut Up and Take My Money! The Red Pill of N26 Security
Code BROWN in the Air. A systemic update of sensitive information that you sniff from pagers
Samsung Android Security Updates for January
Secure boot and image authentication in mobile tech (white paper)
Practical Android Debugging Via KGDB
We reverse engineered 16k apps, here's what we found (hardcoded secrets mostly) they also have an online tool
Very detailed description of hacking the Kyocera KC-S701(Russian)
LG G3 Arbitrary File Retrieval from Cloud Services
Trojanized Photo App on Google Play Signs Up Users for Premium Services
OnePlus 3/3T Bootloader Vulnerability Allows Changing of SELinux to Permissive Mode in Fastboot
Qualcomm releases whitepaper detailing pointer authentication on ARMv8.3 (whitepaper)
IoT mode fuzzing with OpenBTS
buy a BlackPhone for 120 Euros
Security conferences in 2017
Summary of Critical and Exploitable iOS Vulnerabilities in 2016
Switcher: Android joins the attack-the-router club
Cyanogen's Services Will Be Shutting Down (the commercial part of CyanoGen mode)
V3SPA: An Open Source Tool for Visually Analyzing and Diffing SELinux/SE for Android Security Policies
Project Zero exploit for iOS 10.1.1
OWASP Mobile Security Testing Guide (Work in Progress)
Android Banking Trojan Source Code Leaked Online, Leads to New Variation Right Away
A theme pack got you pwned with system privilege on Huawei's EMUI
Google Rolls Out Instant Apps Feature For Android: Download And Run Apps Without Installing Them
Open source 3GPP LTE library
fastboot oem sha1sum
Automating iOS blackbox security scanning (slides)
Meitu Android App TearDown
Hooking Android System Calls for Pleasure and Benefit
iOS9 iCloud backup retrieval proof of concept
Pixel bootlaoder exploit for reading flash storage
Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes
Wap Push bugs in Samsung Android phones
Virulent Android malware returns, gets >2 million downloads on Google Play
HIJACKING WHATSAPP ACCOUNTS USING WHATSAPP WEB
Security Analysis of the Telegram IM (a Master's Thesis)
Android Security Bulletin - January 2017
Classification of Smartphone Users Using Internet Traffic (paper)
LG posts January security bulletin ahead of Google with Android and LG-specific patches
Analysis of multiple vulnerabilities in AirDroid
Android banking Trojan asks victims to send selfies with ID cards
A Whale of a Tale: HummingBad Returns
iOS Dropbear SSH
33c3 Hamburg, Germany 27-30 December. Downgrading iOS: From past to present by tihmstar. A look into the Mobile Messaging Black Box by Roland Schilling and Frieder Steinmetz. Dissecting modern (3G/4G) cellular modems by LaForge and holger. Geoloation methods in mobile networks by Erik.
Shmoocon Washington D.C. January. A Context-Aware Kernel IPC Firewall for Android - David Wu, Sergey Bratus.
Black Hat ASIA March 2017. FRIED APPLES: JAILBREAK DIY by Alex Hude and Max Bazaliy. MASHABLE: MOBILE APPLICATIONS OF SECRET HANDSHAKES OVER BLUETOOTH LE by Yan Michalevsky. REMOTELY COMPROMISING IOS VIA WI-FI AND ESCAPING THE SANDBOX by Marco Grassi.
I had to skip the November update due to a long overdue vacation. Playing with iOS webviews also did cost some time. Writing this blog becomes more and more time consuming since for some parts I would rather spent time on research than writing about other peoples research. Will see next year if I continue doing this or not. I'm doing this since January 2009 so it has been a few years.
Opcde ConferenceSamsung confirms it will render the US Note 7 useless with next update since the owners don't seem to care to return the phones to Samsung even tho they would get a replacement device. This is kind of hilarious.
Browser based iOS 9.3.x jailbreak (64bit only) it has been a while.
Chinese company installed secret backdoor on hundreds of thousands of phones
Here is the BLU R1 blind system command execution via Adups from July of this year - anyone think they care? pic.twitter.com/veUMGD8zSy— Tim Strazzere (@timstrazz) November 22, 2016
Recently the topic of SMS 2FA came up again. While I agree that SMS is not the most secure version of 2FA it is far far better then not providing any 2FA mechanism for your service.
Seems like the right ordering, but when deployment is 98% < 2% < .5% < .01% complaining about SMS security is pretty silly. https://t.co/5ex3naa5a5— Alex Stamos (@alexstamos) December 1, 2016
Oxygen 9.0.3 allows to brute force a passcode for any Windows Phone 8 device from its physical dump!
Android system_server Code Loading Bypass
"Root" via dirtyc0w privilege escalation exploit (automation script) / Android (32 bit) Raw
Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems (paper)
JTAGing Mobile Phones (from August)
The limitations of Android N Encryption
The fight against Ghost Push continues
BitUnmap: Attacking Android Ashmem
Saving Data: Reducing the size of App Updates by 65% (looks interesting)
More Than 1 Million Google Accounts Breached by Gooligan
Telstra is switching off their GSM network
Qualcomm has a Bug Bounty now
Nintendo has a Bug Bounty now
Secure Rom extraction on iPhone 6s
Android Security Bulletin - December 2016
HackingTeam back for your Androids, now extra insecure!
SunShine 3.4.18 has been released. Bring Support for Android 7.x.x and latest HTC 10 updates
A detailed security assessment on Android Full Disk Encryption (paper)
BitUnmap: Attacking Android Ashmem
Fuzzing Android OMX (slides)
Anonymous web-based SMS
Mobile Network Codes (MNC) for the international identification plan for public networks and subscriptions (According to Recommendation ITU-T E.212 (09/2016))
Call me maybe: Exploiting iOS WebViews to force automatic FaceTime calls
Android Banking Malware Masquerading as Email App Targets German Banks
Second Chinese Firm in a Week Found Hiding Backdoor in Firmware of Android Devices
Powerful backdoor/rootkit found preinstalled on 3 million Android phones
RAGENTEK ANDROID OTA UPDATE MECHANISM VULNERABLE TO MITM ATTACK
New Reliable Android Kernel Root Exploitation Techniques (slides)
Analysis of iOS.GuiInject Adware Library
Android Security Bulletin - November 2016
HelDroid: Dissect Android Apps Looking for Ransomware Functionalities
Rooting Every Android From Extension To Exploitation by Di Shen (slides)
Mobile Espionage in the Wild Pegasus and Nation-State Level Attacks (slides)
The Android Security Center
Technical Analysis of the Pegasus Exploits on iOS (paper)
Just a place to dump the cdma data I collected while at Defcon 2016
CRiOS: Toward Large-Scale iOS Application Analysis (paper)
Exploring LTE security and protocol exploits with open source software and low-cost software radio by Roger Jover (slides)
Your smartphone is a civil rights issue (TED talk)
Receive SMS Online
Android wear MiTM
*droid: Assessment and Evaluation of Android Application Analysis Tools (paper)
Using Google Fi on an iPhone
iOS WebView auto dialer bug
TL;DR: Google Fi on an iPhone is iMessage plus Google Wifi calling with awesome international coverage.
Google Project Fi is super interesting as it provides an actual low cost alternative to other carriers especially if you travel. The free data-only SIM is also a nice add-on.
Project Fi is exclusively targeting users of Google Nexus Android devices and you actually need one of the supported phones to activate the SIM which can be ordered on the Fi website.
I currently use an iPhone SE (mainly due to the device's tech specs and form-factor - I can't stand phablets!) so I was curious if I can just buy a Google Fi SIM and use it in an iPhone or any other phone actually. Of course I'm not the first person to think about this, but the only decent article on this topic is this one. Sadly most articles that are returned for a search on iPhone Google Fi are just totally useless. Even this article is not good.
I decided to just order Google Fi and a data-only SIM and give it a try. I used a Nexus 5x that I have access to for activating the SIM card. The activation process is really simple. Basically you need to put the SIM card into a compatible phone and install the Google Fi app. Done.
The activated SIM card can be put into any other phone, I tried an iPhone 5c and it just works. You automatically get the APN settings (the mobile data settings) pushed to your phone. Cellular data immediately works! Voice calls work too.
Wifi calling also works, although it (obviously) only works via the Hangout app but it does work. I put my phone into airplane mode and called the number from another phone and yea it rings.
The only service that is a bit unsatisfying is SMS (text messaging). The default option for Google Fi is to send and receive SMS via Google Hangout. Google Hangout exists for iOS and if you login with your Google Account that is associated with your Google Fi service you just install Hangouts and everything just works! If you actually want to use the iOS Messages app you can deactivate SMS via Hangout in the Hangout app on your phone. This will allow you to send and receive SMS via Messages. The only issue here is that incoming SMS messages get some Google specific data attached, as shown below. This is a little annoying but is only on incoming messages (you don't look like an idiot when sending messages to other people). Most of my contacts are on iMessage anyway these days so this is a non issue. Also I'm ok with using Hangouts for SMS since yea iMessage and other messaging apps.
The switch to change between native SMS and Hangout SMS the switch above it does the same for voice calls (to enable Wifi calling).
The broken* incoming SMS, the ~Dgr... is added by Google Fi, this does not show up in Hangouts. Other people have reported that this just went away after short time.
Things that don't work? switching between T-Mobile, Sprint, and US Cellular since this is done via the Google Fi app on Android devices (I actually don't have any idea about this yet).
Altogether Google Fi looks pretty cool and works with an iPhone (besides the hick-up with SMS). iMessage works (it is just an Internet service after all). Wifi calling via Hangouts is nice.
If you are a hardcore iOS/Mac user Google Fi is too much Google for you. I'm a Linux user with an iPhone so Google Fi makes a lot of sense. Desktop calls and SMS via Hangouts is a nice thing to have in addition to iMessage.
Google Fi on an oooold phone (Android 4.0). Hangouts seem to work fine too.
*The data is a BASE64 encoded blob, no obvious data after looking at a bunch of them of an hour or less.
PacSec October, Tokyo. Demystifying the Secure Enclave Processor by Mathew Solnik. Finding Vulnerabilities in Firefox for iOS by Muneaki Nishimura.
ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM) October, Vienna Austria. All talks are related to mobile security.
O'Reilly Security Conference October, NYC. Securing 85% of the world's smartphones by Adrian Ludwig. How Plantronics honed its headsets to create secure wearables by Erik Perotti.
SyScan360 November, Shanghai. Browser Bug Hunting and Mobile by Francisco Alonso and Jaime Penalba. Demystifying the Secure Enclave Processor by Mathew Solnik. Running Code in the TrustZone Land by Edgar Barbosa. Analysis of iOS 9.3.3 Jailbreak & Security Enhancements of iOS 10 by Team Pangu. Security Vulnerabilities on Online Payment: Summary and Detection by Zhang Qing and Bai Guangdong.
KiwiCon November Wellington, NZ. Let's do the Timewarp Again by Karit.
I'm going to be at the O'Reilly Security Conference on Monday the 31st (maybe also the other days). I super excited to speak at KiwiCon this year!
I'm interested in Google's Project Fi does anybody have insights into using it with non Android phones? I've found several posts on this topic but nothing convincing yet. Posts also seem conflicting.
Best of mobile security in pictures:
I've seen this warning a lot in the last couple of weeks while traveling:
This is the real reason for the Galaxy Note 7 recall
While searching for the link to the recall:
Android Banking Trojan Tricks Victims into Submitting Selfie Holding their ID Card
Kwetza: Infecting Android Applications
Pork Explosion Unleashed - Manufacturer Backdoor in the Foxconn Android bootloader
Decap of a SIM card (video)
Android Qualcomm GPS/GNSS Man-In-The-Middle (bug that is fixed now)
KNOXout - Bypassing Samsung KNOX (paper)
Android CVE PoCs for the October bulletin
Osmocom 3G circuit switched voice support with IuCS and Iuh
Multiple Backdoors found in D-Link DWR-932 B LTE Router (hardcoded admin:admin and root:1234)
BlackBerry axes smartphone business
How to keep your Android phone safe from prying eyes
Xiny Android trojan evolves to root phones and infect system processes
IMSI Catcher Report Calls for Transparency, Proportionality, and Minimization Policies
The Messenger Shoots Back: Network Operator Based IMSI Catcher Detection (paper)
How to wipe your phone (or tablet) for resale
attack against compromised Apple accounts to perform SMS spamming
Android Premium SMS Warning Message Manipulation (small android bug, now fixed)
Nexus Support Lifecycle
Google has less control over Pixel devices than people claimed. HTC still signs the bootchain. (via @jcase)
Talk is Cheap, Show Me the Code - How we rooted 10 million phones with one exploit (slides)
The new Android system permissions model analysis and early warning (in Chinese)
Android full-disk encryption: a security assessment (paper)
Android cryptfs.bt for 101editor
iOS9 iCloud backup retrieval proof of concept
Black Hat EU November, London UK. ARMAGEDDON: HOW YOUR SMARTPHONE CPU BREAKS SOFTWARE-LEVEL SECURITY AND PRIVACY Speaker: Clementine Maurice, Moritz Lipp. DETACH ME NOT - DOS ATTACKS AGAINST 4G CELLULAR USERS WORLDWIDE FROM YOUR DESK Speaker: Bhanu Kotte, Dr. Silke Holtmanns, Siddharth Rao. MOBILE ESPIONAGE IN THE WILD: PEGASUS AND NATION-STATE LEVEL ATTACKS Speaker: Max Bazaliy, Seth Hardy. POCKET-SIZED BADNESS: WHY RANSOMWARE COMES AS A PLOT TWIST IN THE CAT-MOUSE GAME Speaker: Federico Maggi, Stefano Zanero. ROOTING EVERY ANDROID: FROM EXTENSION TO EXPLOITATION Speaker: Di Shen, Jiahong (James) Fang. SIGNING INTO ONE BILLION MOBILE APP ACCOUNTS EFFORTLESSLY WITH OAUTH2.0 Speaker: Ronghai Yang, Wing Cheong Lau. STUMPING THE MOBILE CHIPSET Speaker: Adam Donenfeld. WIFI-BASED IMSI CATCHER Speaker: Piers O'Hanlon, Ravishankar Borgaonkar.The most interesting read this week was The bumpy road towards iPhone 5c NAND mirroring a paper by Sergei Skorobogatov. In this paper he shows how to implement a NAND mirroring attack against an iPhone 5C. The basic idea behind this attack is erase the PIN failure counter between each set of tries to avoid the artificial brute force delay and to avoid data deletion after N failed PINs. The paper goes into great detail on various problems he encountered while implementing the attack. I highly recommend reading this paper. The picture below is taken from this paper.
PacSec Tokyo Japan, October. Demystifying the Secure Enclave Processor by Mathew Solnik.
Google's Project Zero now has an Android "Prize" for achieving RCE on a Nexus device with only knowing it's email address or phone number. Apparently you can't use a BTS (via @jduck) for this attack. Overall this looks interesting, I wonder if anybody is going to claim the money soon. Announcement: Project Zero Prize.
iCloud, iHack, iSpam
Android Premium SMS Warning Message Manipulation
tool to inspect, dump, modify, search and inject libraries into Android processes.
How My Rogue Android App Could Monitor & Brute-force Your App's Sensitive Metadata
APK Signature Scheme v2
Just One Photo Can Silently Hack Millions Of Androids (@TimStrazz)
Parse the Qualcomm DIAG format and convert 2G, 3G and 4G radio messages to Osmocom GSMTAP for analysis in wireshark and other utilities.
PEGASUS iOS Kernel Vulnerability Explained by Stefan Esser
Undocumented Patched Vulnerability in Nexus 5X Allowed for Memory Dumping via USB
VB2016 preview: Mobile Applications: a Backdoor into Internet of Things?
Hiding root with suhide
Xiaomi Can Silently Install Any App On Your Android Phone Using A Backdoor
Reverse Engineering Xiaomi's Analytics app
A Case of Misplaced Trust: How a Third-Party App Store Abuses Apple's Developer Enterprise Program to Serve Adware
File-Based Encryption in Android 7
Linux Security Summit Videos a lot is Android relevant
Harvesting Inconsistent Security Configurations in Custom Android ROMs via Differential Analysis (paper)
suhide v0.51 released
Introducing BLESuite and BLE-Replay: Python Tools for Rapid Assessment of Bluetooth Low Energy Peripherals
Samsung Android Security Updates - September
A Survey on Android ELF Malware
Keeping Android safe: Security enhancements in Nougat
Nexus Device Downloads via jduck @ droidsec
Black Hat EU November: ARMAGEDDON: HOW YOUR SMARTPHONE CPU BREAKS SOFTWARE-LEVEL SECURITY AND PRIVACY by Clementine Maurice and Moritz Lipp. DETACH ME NOT - DOS ATTACKS AGAINST 4G CELLULAR USERS WORLDWIDE FROM YOUR DESK by Bhanu Kotte, Siddharth Rao and Silke Dr Holtmanns. POCKET-SIZED BADNESS: WHY RANSOMWARE COMES AS A PLOT TWIST IN THE CAT-MOUSE GAME by Federico Maggi and Stefano Zanero. STUMPING THE MOBILE CHIPSET by Adam Donenfeld.
DerbyCon September: Beyond The ?Cript: Practical iOS Reverse Engineering by Michael Allen. AWSh*t. Pay-as-you-go Mobile Penetration Testing by Nathan Clark. Breaking Android Apps for Fun and Profit by Bill Sempf.
AppSec USA November: QARK: Android App Exploit and SCA Tool by Tushar Dalvi and Tony Trummer. SecureMe - Droid: Android Security Application by Vishal Asthana and Abhineet Jayaraj. OWASP Reverse Engineering and Code Modification Prevention Project (Mobile) by Dave Bott and Jonathan Carter. ShadowOS: Modifying the Android OS for Mobile Application Testing by Ray Kelly.
Apple now has a bug bounty program. Details were presented at Black Hat in Ivan Krstic's talk BEHIND THE SCENES OF IOS SECURITY. Also see Starting this fall, Apple will pay up to $200,000 for iOS and iCloud bugs (via Ars).
Motorola confirms that it will not commit to monthly security patches. This is pretty bad since I actually liked their Pure Edition devices (devices that basically are just AOSP).
Protecting Android with more Linux kernel defenses. They added some features from Grsecurity. This makes me happy.
Google's Android has gotten so out of control that $55 billion Salesforce had to take drastic measures, basically Salesforce in the close future will only support specific Samsung Galaxy and Nexus devices. This is an interesting way to deal with the very diverse Android ecosystem.
Pegasus Spyware / Trident for iOS was based on 3 vulnerabilities unsurprisingly a WebKit memory corruption, a Kernel info leak, and a kernel memory corruption. The spyware was capable of accessing text messages, iMessages, calls, emails, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, Facetime, Calendar, Line, Mail.Ru, WeChat, Surespot, Tango, Telegram, and others. (Source: Lookout Technical Report).
Oversec.io seems to implement our idea of mobile OTR on top of any messenger app. Oversec still looks very beta and I haven't tried it out. If anybody has tried it I would like to hear about it.
Pictures of the month:
Technical Analysis of Pegasus Spyware (pdf)
Chainfire suhide tries to hide your Android root access
Android: protecting the kernel (slides)
Wie das BKA Telegram-Accounts von Terrorverdaechtigen knackt (German)
Hackers accessed Telegram messaging accounts in Iran - researchers (same as a above but in English)
Stumping the Mobile Chipset (Qualrooter) (slides)
Analysis of multiple vulnerabilities in different open source BTS products
gpapi (node lib for talking to Play Store)
Demystifying the Secure Enclave Processor (paper)
CopperheadOS ART no longer attempts to use executable code from /data/dalvik-cache, only boot.art
The slide and exploit of: A Way of Breaking Chrome's Sandbox in Android
Adaptive Kernel Live Patching: An Open Collaborative Effort to Ameliorate Android N-day Root Exploits (slides)
iOS 10 - Kernel Heap Revisited (slides)
Hacking Soft Tokens (Android) (slides)
Understanding Dalvik Static Fields part 2 of 2
Attacking BaseStations (slides)
GODLESS Mobile Malware Uses Multiple Exploits to Root Devices (android)
Android Binder Firewall (slides / paper / source)
ARM is bought by SoftBank
iREVERSE ENGINEERING AND EXPLOITING SAMSUNG'S SHANNON BASEBAND (tools)
LTE security, protocol exploits and location tracking experimentation with low-cost software radio (paper)
BtleJuice: The Bluetooth Smart MitM Framework (slides)
CuckooDroid: Automated Android Malware Analysis
Stagefright: An Android Exploitation Case Study (slides from usenix WOOT)
Tracking the Trackers: The most advanced rogue systems exploiting the SS7 Network today
SS7 Security : Putting the pieces together
ARMv8 Shellcodes from A to Z (paper)