ekoparty Sep 27-29, Buenos Aires. Blue Pill for your phone by Oleksandr Bazhaniuk. Unbox Your Phone - Exploring and Breaking Samsung's TrustZone Sandboxes by Daniel Komaromy. Inside Android's SafetyNet Attestation: Attack and Defense by Collin Mulliner. How to cook Cisco: Exploit Development for Cisco IOS by George Nosenko. Bypass Android Hack by Marcelo Romero.Some comments on BlueBorne: I've been involved with Bluetooth security since like forever (not active in the last 10+ years). The early Bluetooth vulnerabilities were mostly logic bugs and issues such as missing authentication. Bluetooth devices could not be set to hidden and would always show up when scanning for devices. Stuff like that. BlueBorne is different as it is a remote exploitable memory corruption vulnerability in Linux, Android, and Windows. This is quite a novelty since we haven't seen a bug that is more ore less the same on two platforms. Even more interesting is that this bug is pre-authentication and gives you kernel privileges (code exec in the kernel).
Virus Bulletin 4-6 Oct, Madrid Span. Last-minute paper: Publishing our malware stats by Jason Woloz (Google) [This is about Android Malware]. Android reverse engineering tools: not the usual suspects by Axelle Apvrille.
In theory this set of vulnerabilities can be bad, bad. In practice the issue is much less of an issue. Exploit mitigations and built variances help mitigating the risk. Devices are not always visible therefore the attacker cannot easily find your device and attack it.
Also see: Hackers Could Silently Hack Your Cellphone And Computers Over Bluetooth.
FaceID: I think it is a really horrible idea! Do not put biometric systems in to consumer products ever! I will not buy products with mandatory biometrics so far iOS allows me to turn it off and use a passphrase - thats why I even consider buying iOS devices. I hate this change -- biometrics are bad.
Huh, here I was looking to get a phone similar to Walmarts in-store model... And eBay just has their actual in-store model... Perfect! pic.twitter.com/sq4pUtCBe3— Tim Strazzere (@timstrazz) September 17, 2017
https://t.co/zqdwIa27IR— sp (@LambdaCube) August 28, 2017
"Certified devices are also required to ship without pre-installed malware"
A good requirement IMHO. 😛
I agree ^^^
SELinux in Android Oreo or: How I Learned to Stop Worrying and Love Attributes (presentation)
Kernel Driver mmap Handler Exploitation (paper)
BabelView: Evaluating the Impact of Code Injection Attacks in Mobile Webviews (paper)
AndroidXRef now with Android O/8
Now the native-shim loader can create VM's for ART based Android devices by rednaga
Good thread about the Android Key Store API
IDA AArch64 processor extender extension: Adding support for ARMv8.1 opcodes
INJECTING MISSING METHODS AT RUNTIME
Oppo/Oneplus .ops Firmware decrypter
Android Hardware-backed Keystore (docs)
Samsung to Launch Mobile Security Rewards Program, Welcoming Security Research Community
Android 8.0 includes the following security-related changes
WHAT'S NEW IN KNOX 2.9?
ANDROID O AND DEX 38: DALVIK OPCODES FOR DYNAMIC INVOCATION
The public release of shadow v2 jemalloc exploitation tool with support for Android (both ARM32 and ARM64)
Making it safer to get apps on Android O
Dig Deep into FlexiSpy for Android
Tool for leaking and bypassing Android malware detection system
iOS 8.4.1 32 bit jailbreak
toorcon san diego Aug 28th - Sep 3rd. Dig Deep into FlexiSpy for Android by Kai Lu(@k3vinlusec).Quick Conference Review
HITB Singapore August 21-25. The Original Elevat0r - History of a Private Jailbreak by Stefan Esser. The Nightmare of Fragmentation: A Case Study of 200+ Vulnerabilities in Android Phones by BAI GUANGDONG and ZHANG QING.
Tencent Security Conference, August 30-31. Pointer Authentication by Robert James Turner. Finding iOS vulnerabilities in an easy way by Tiefel Wang and Hao Xu. Bare-metal program tracing on ARM by Ralf-Philipp Weinmann.
44con 13-15 September London, UK. Inside Android's SafetyNet Attestation: What it can and can't do lessons learned from a large scale deployment by Collin Mulliner.
BalCCon2k17 Novi Sad, Vojvodina, Serbia. September 15-17. Mobile phone surveillance with BladeRF by Nikola Rasovic.
T2 October 26-27 Helsinki, Finland. Breaking Tizen by Amihai Neiderman.
DeepSec Vienna 13-17 November. Normal permissions in Android: An Audiovisual Deception by Constantinos Patsakis. How secure are your VoLTE and VoWiFi calls? by Sreepriya Chalakkal.
It was good to see everybody in Vegas, even better meeting new people. Especially some folks I wanted to meet for a long time. I had a good time at WOOT, meeting old friends was especially good. Maybe it helped that it was in the CanSecWest hotel. I link a few relevant papers below.
Stefan Esser is running a kickstarter for an iOS Kernel Exploitation Training Course for Development of a freely available online iOS kernel exploitation training course based on iOS 9.3.5 on 32 bit devices. If you are into iOS security you should support Stefan's project!
Ralf is on point as usual:
Pictures of the month:
Exhibit A) Our communities are tribalized: https://t.co/e1uATFviYT (JTAG on iPhone 4S BB + exploitation of baseband vulns from SIM, in 2014)— Ralf (RPW) (@esizkur) August 19, 2017
Burner kiddies at defcon be like: pic.twitter.com/3QyPTuJwFg— the grugq (@thegrugq) July 22, 2017
Some Chinese USB adapters have a hidden SIM that will send a text message with GPS coordinates to track an unknowing victim… https://t.co/PK5bpkaBmv— Dimitri Bouniol (@dimitribouniol) August 9, 2017
中国のUSB充電アダプター型盗聴器が先進的すぎる。— 若ちゃん (@wk_tyn) August 8, 2017
BootStomp: On the Security of Bootloaders in Mobile Devices (paper)
Fixes in iOS 10.3.3
Reviewing the Security of ASoC Drivers in Android Kernel
Hacking Cell Phone Embedded Systems
Intercept, modify, repeat and attack Android's Binder transactions using Burp Suite
Seccomp filter in Android O
This source code was obtained by reversing a sample of SLocker. It's not the original source code
Trust Issues: Exploiting TrustZone TEEs
Universal Android SSL Pinning bypass with Frida
USING AN RTL-SDR AS A SIMPLE IMSI CATCHER
BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS
Surveillance: German police ready to hack WhatsApp messages
Google May Have Just Uncovered An Israeli Surveillance Start-Up Spying On Androids
Gas Pump Skimmer Sends Card Data Via Text
Defeating Samsung KNOX with zero privilege (slides)
Path of Least Resistance: Cellular Baseband to Application Processor Escalation on Mediatek Devices
Port(al) to the iOS Core
New Adventures in Spying 3G & 4G Users: Locate, Track, Monitor
Ghost Telephonist Link Hijack Exploitations in 4G
OnePlus 2 Lack of SBL1 Validation Broken Secure Boot
iOS 10.3.2 XPC Userland Jailbreak Exploit Tutorial - CVE-2017-7047 by Ian Beer (Video)
Samsung: Trustonic t-base TEE does not perform revocation of trustlets
A (hopefully) generic unpacker for packed Android apps
The original elevat0r jailbreak exploit explained
Tinker is a hot-fix solution library for Android, it supports dex, library and resources update without reinstall apk.
Shattered Trust: When Replacement Smartphone Components Attack (paper)
Patch iOS Apps, The Easy Way, Without Jailbreak
Android Banking Trojan misuses accessibility services
Get details and download apps from https://play.google.com by emulating an Android (Nexus 5X) device by default.
vTZ: Virtualizing ARM TrustZone (paper)
objection - runtime mobile exploration
Xposed for Nougat & abforce Submodule Explained, and Why It's Worth Waiting for rovo89's Full Release
A Linux kernel IPC firewall and logger for Android and Binder
White-Stingray: Evaluating IMSI Catchers Detection Applications (paper)
BootStomp: a bootloader vulnerability finder
iOS 11 has a 'cop button' to temporarily disable Touch ID
Simple tool to dynamically discover hidden fastboot OEM commands based on static knowledge
Blue Pill for your Phone
Android Instant Apps: Best practices for managing download size (who has played with instant apps yet?)
Decrypt the iOS SEP
How much does your phone know about you?
Identifying and Evading Android Protections
Breaking Mobile App Protection Mechanisms
Isolation of HALs in Android O
ANTIVIRUS FOR ANDROID HAS A LONG, LONG WAY TO GO
Fake Snapchat in Google Play Store
Next-generation Dex Compiler Now in Preview
Detecting Android Root Exploits by Learning from Root Providers (paper)
Downgrade Attack on TrustZone (paper)
Testing Biometric Authentication
shadow v2 public release
Android O security changes
SonicSpy: Over a thousand spyware apps discovered, some in Google Play
SMS touch sends customer information and SMS messages over a cleartext network
ZIMPERIUM blog post that describes how the Zero Packet Inspection (ZPI) approach is trained
Using Hover to Compromise the Confidentiality of User Input on Android (paper)
Various Scripts for Mobile Pen-testing with Frida
circuit board (PCB) schematics for 30-pin iPod serial debugging
SS7 Attacker Heaven turns into Riot: How to make Nation-State and Intelligence Attackers' lives much harder on mobile networks (slides)
Black Hat USA Las Vegas, July 26-27. ALL YOUR SMS & CONTACTS BELONG TO ADUPS & OTHERS by Angelos Stavrou, Azzedine Benameur, Ryan Johnson. NEW ADVENTURES IN SPYING 3G AND 4G USERS: LOCATE, TRACK & MONITOR by Altaf Shaik, Andrew Martin, Jean-Pierre Seifert, Lucca Hirschi, Ravishankar Borgaonkar, Shinjo Park. SS7 ATTACKER HEAVEN TURNS INTO RIOT: HOW TO MAKE NATION-STATE AND INTELLIGENCE ATTACKERS' LIVES MUCH HARDER ON MOBILE NETWORKS by Martin Kacer, Philippe Langlois. FIGHTING TARGETED MALWARE IN THE MOBILE ECOSYSTEM by Andrew Blaich, Megan Ruthven. GHOST TELEPHONIST LINK HIJACK EXPLOITATIONS IN 4G LTE CS FALLBACK by Haoqi Shan, Jun Li, Lin Huang, Qing Yang, Yuwei Zheng. HONEY, I SHRUNK THE ATTACK SURFACE – ADVENTURES IN ANDROID SECURITY HARDENING by Nick Kralevich. DEFEATING SAMSUNG KNOX WITH ZERO PRIVILEGE by Di Shen. BLUE PILL FOR YOUR PHONE by Oleksandr Bazhaniuk, Yuriy Bulygin. CLOAK & DAGGER: FROM TWO PERMISSIONS TO COMPLETE CONTROL OF THE UI FEEDBACK LOOP by Chenxiong Qian, Simon Pak Ho Chung, Wenke Lee, Yanick Fratantonio.Black Hat and Defcon have a really good number of mobile related talks this year.
Defcon Las Vegas. Jailbreaking Apple Watch by Max Bazaliy. Inside the "Meet Desai" Attack: Defending Distributed Targets from Distributed Attacks by CINCVolFLT (Trey Forgety). macOS/iOS Kernel Debugging and Heap Feng Shui by Min(Spark) Zheng & Xiangyu Liu. Using GPS Spoofing to Control Time by David "Karit" Robinson. Phone System Testing and Other Fun Tricks by "Snide" Owen. Unboxing Android: Everything You Wanted To Know About Android Packers by Avi Bashan & Slava Makkaveev. Ghost in the Droid: Possessing Android Applications with ParaSpectre by chaosdata. Ghost Telephonist' Impersonates You Through LTE CSFB by Yuwei Zheng & Lin Huang. Bypassing Android Password Manager Apps Without Root by Stephan Huber & Siegfried Rasthofer. Man in the NFC by Haoqi Shan & Jian Yuan.
USENIX Workshop on Offensive Technologies (WOOT) Vancouver Canada, 14-15 August. Shattered Trust: When Replacement Smartphone Components Attack by Omer Shwartz, Amir Cohen, Asaf Shabtai, and Yossi Oren. White-Stingray: Evaluating IMSI Catchers Detection Applications by Shinjo Park and Altaf Shaik, Ravishankar Borgaonkar, Andrew Marti, Jean-Pierre Seifert. fastboot oem vuln by Roee Hay.
It was a busy month and July will be even busier. I'll be at GSMA DSG, Black Hat and Defcon July and Usenix WOOT in mid August
OEM just told Google a bug I submitted isn't a bug. It is a FULL permement secureboot bypass.— Jon Sawyer (@jcase) July 6, 2017
Picture of month:
Liang Chen is demostrating iOS 11.0 beta 2 jailbreak on iPhone 7. pic.twitter.com/wA7U9AQ32E— vangelis (@vangelis_at_POC) June 23, 2017
There is a lot happening in the Android boot loader world at the moment. I guess this is what happens when the devices get more and more locked down - people go after the root of trust.
Emulation and Exploration of BCM WiFi Frame Parsing using LuaQEMU
New attack can now decrypt satellite phone calls in "real time"
Library injection for debuggable Android apps
Attack TrustZone with Rowhammer
All slides from MOSEC 2017
Researchers Build Firewall to Deflect SS7 Attacks
Android Security Bulletin - July 2017
mobile CTF by HackerOne
Secure Mobile Application Development
ANDROID O AND DEX 38: DALVIK OPCODES FOR DYNAMIC INVOCATION
IMSecure - Attacking VoLTE (and other Stuff)
Telecom Signaling Exploitation Framework - SS7, GTP, Diameter & SIP
Thieves caught hours after stealing GPS tracking devices from tech company
How the Osmocom GSM stack is funded
OWASP list of the most important security tools for Android and iOS
For $500, this site promises the power to track a phone and intercept its texts
A recopilatory of useful android tools
Privacy Threats through Ultrasonic Side Channels on Mobile Devices (paper)
Subscribers remote geolocation and tracking using 4G VoLTE enabled Android phone (paper)
Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations (paper)
Dvmap: the first Android malware with code injection
JNI method enumeration in ELF files
root shell on Moto G4 & G5 with a Secure Boot and Device Locking Bypass
Breaking Samsung Galaxy Secure Boot through Downloaded mode (paper)
A very minimalist smali emulator that could be used to "decrypt" obfuscated strings
anti vm on android
Back That App Up: Gaining Root on the Lenovo Vibe
PoCs for Android July bulletin: CVE-2017-8260 CVE-2017-0705 CVE-2017-8259
Secure initialization of TEEs: when secure boot falls short
Reverse Engineering Samsung S6 SBOOT - Part II
No permission required for SMS verification in Android O
Black Hat USA July 26-27 Las Vegas. 'GHOST TELEPHONIST' LINK HIJACK EXPLOITATIONS IN 4G LTE CS FALLBACK by Haoqi Shan, Jun Li, Lin Huang, Qing Yang, Yuwei Zheng. ALL YOUR SMS & CONTACTS BELONG TO ADUPS & OTHERS by Angelos Stavrou, Azzedine Benameur, Ryan Johnson. BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS by Nitay Artenstein. CLOAK & DAGGER: FROM TWO PERMISSIONS TO COMPLETE CONTROL OF THE UI FEEDBACK LOOP by Chenxiong Qian, Simon Pak Ho Chung, Wenke Lee, Yanick Fratantonio. DEFEATING SAMSUNG KNOX WITH ZERO PRIVILEGE by Di Shen. FIGHTING TARGETED MALWARE IN THE MOBILE ECOSYSTEM by Andrew Blaich, Megan Ruthven. HONEY, I SHRUNK THE ATTACK SURFACE – ADVENTURES IN ANDROID SECURITY HARDENING by Nick Kralevich. NEW ADVENTURES IN SPYING 3G AND 4G USERS: LOCATE, TRACK & MONITOR by Altaf Shaik, Andrew Martin, Jean-Pierre Seifert, Lucca Hirschi, Ravishankar Borgaonkar, Shinjo Park. SONIC GUN TO SMART DEVICES: YOUR DEVICES LOSE CONTROL UNDER ULTRASOUND/SOUND by Aimin Pan, Bo Yang, Shangyuan LI, Wang Kang, Zhengbo Wang. SS7 ATTACKER HEAVEN TURNS INTO RIOT: HOW TO MAKE NATION-STATE AND INTELLIGENCE ATTACKERS' LIVES MUCH HARDER ON MOBILE NETWORKS by Martin Kacer, Philippe Langlois. THE FUTURE OF APPLEPWN - HOW TO SAVE YOUR MONEY by Timur Yunusov.This took a long time again. It gets harder and harder do to this since this stuff is not directly what I do on a day to day basis currently.
(Black Hat has a very strong mobile security line up this year.)
Defcon July 27-30 Las Vegas. Man in the NFC by Haoqi Shan & Jian Yuan. (speaker selection not final)
MOSEC June, Shanghai added a bunch of talks (all mobile security related, obviously).
Recon June 16-18 Montreal, Canada. FreeCalypso: a fully liberated GSM baseband by Mychaela Falconia. Hacking Cell Phone Embedded Systems by Keegan Ryan.
The Qualcomm Mobile Security summit was excellent again! Fantastic talks and again I met a bunch of people I mostly knew from email and/or twitter or haven't seen in quite some time. This conference still is unparalleled!
I had a minute to play with the BlackBerry KeyOne and it feels like a super solid device. The screen is bigger then I thought it would be and this makes the device almost too big for my taste - but this is hard to say from playing with it for just a minute.
So iOS will finally support NDEF tags.
This talk is really interesting for anybody interested in mobile application security. This is not about mobile app reverse engineering but about app, backend, phone infrastructure interaction.
Detect NFC tags on iOS 11.0! pic.twitter.com/70szXo1yny— Aaron (@iosaaron) June 5, 2017
Some old PalmOS devices on street in my hood <3 pic.twitter.com/gkePP0Uzd8— Collin Mulliner (@collinrm) May 28, 2017
Papers and Slides from MOBILE SECURITY TECHNOLOGIES (MOST) 2017 an Academic Workshop
Android Security Bulletin - June 2017
LazyDroid - bash script to facilitate some aspects of an Android application assessment
factory and OTA images for Nexus devices
Android: Multiple Android devices do not revoke QSEE trustlets
Brazilian phishers are now asking for victim's IMEI in their fake bank pages, aiming to steal their accounts via mobile access
50+ iOS 11 Features Apple Didn't Announce On Stage [List]
Android Mazar 3.0 targets 41 banking apps
Google Publishes List of 42 Phones Running Latest Android Security Updates 42 is not a lot!
City-Wide IMSI-Catcher Detection
Up to $200,000 for Android exploits!
Mobile subscriber WiFi privacy (WiFi IMSI catcher!!) (paper)
Collection of the most common vulnerabilities found in iOS applications
Android O feature spotlight: Android tells you if an app is displaying a screen overlay
Priorities for Securing the Mobile Ecosystem (slides)
Cloak & Dagger Android Overlay attacks
Cloak & Dagger (slides)
Cloak & Dagger talk(youtube)
Honey, I Shrunk the Attack Surface Adventures in Android Security Hardening (slides)
With great speed comes great leakage - How processor performance is tied to side-channel leakage (slides)
Pwning the Nexus of Every Pixel (slides)
initroot: Bypassing Nexus 6 Secure Boot through Kernel Command-line Injection
Android Encryption Demystified
iPhone 7 and 7 Plus get a stable jailbreak on iOS 10.1.1 with extra_recipe+yaluX
The Shadow over Android (slides)
Apparently Google Play Store can now manage your app signing keys, and 'opt-in is permanent (via Nikolay Elenkov)
Hacking iOS Applications a detailed testing guide (doc)
Android malware that infected 3500 devices/day
iOS/macOS bugs slaughter list by P0's Ian Beer
Hacking the Samsung Galaxy S8 Irisscanner
Learning about Bluetooth protocols and reverse-engineering them.
A Simple Tool for Linux Kernel Audits
Google VS Root: Why SafetyNet is now standard for developers
Google Play can now restrict app distribution based on SafetyNet Attestation results, SoC vendor etc (via John Kozyrakis)
US Senate Adopts Signal, HTTPS A Year After Trying To Kill Encryption
Alarming Security Defects in SS7, the Global Cellular Network - and How to Fix Them
iOS Kernel utilities
Dutch Cops Bust Another PGP BlackBerry Company for Alleged Money Laundering
Multiple MediaTek vulnerabilities
Google Working on Fix for Android Permission Weakness
More Android phones than ever are covertly listening for inaudible sounds in ads
The Jiu-Jitsu of Detecting Frida
Thieves drain 2fa-protected bank accounts by abusing SS7 routing protocol
Over 100 CF-Auto-Roots were updated by ChainfireXDA
Android Security Bulletin - May 2017
de-obfuscate Android Ztorg obfuscated strings
Android Applications Reversing 101
A diagram of the Android Activity / Fragment lifecycle
Example of a powerful overlay attack executed by Android banker (video)
Identifying an Android Device - Available Identifiers
Diving Deeper into Android O
How To Put Any Android Smartphone Into Monitor Mode Using Custom Script Without bcmon
Android app analysis and feature extraction library
Introduction to Fridump
Here's How To Track The Smartphone Apps That Are Tracking You
AssetHook: A Redirector for Android Asset Files Using Old Dogs and Modern Tricks
Android Package Inspector - dynamic analysis with api hooks, start unexported activities and more. (Xposed Module)
The Mobile App Pentest cheat sheet was created to provide concise collection of high value information on specific mobile application penetration testing topics.
TruSpy: Cache Side-Channel Information Leakage from the Secure World on ARM Devices (paper)
Dirty COW and why lying is bad even if you are the Linux kernel
How to build and integrate OpenSSL into your Android NDK project
iOS DeviceCheck. Access per-device, per-developer data that your associated server can use in its business logic.
Changes to Trusted Certificate Authorities in Android Nougat
Black Hat USA July 22-27 Las Vegas. BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS by Nitay Artenstein. (Program not complete)
SyScan360 May 30-31 Seattle. Exploit iOS 9.x Userland with LLDB JIT by Wei Wang. The wounded android WIFI driver New attack surface in cfg80211 by Hao Chen.
MOSEC June, Shanghai. Revisiting the Kernel Security Enhancements in iOS 10 AND Pwning Apple Watch. (Program still not complete)
Recordings for the first OsmoCon are available here. OsmoCon is, of course, a conference about the OsmoCom projects!
Android O news: will prompt for pin/passcode before enabling developer options, further Android O changes device identifiers and how to access them.
If you are interested in mobile backing Trojans you should follow Lukas Stefanko:
Somebody released the source code of FlexiSpy (mobile phone spyware) to the public. The release notes are here: readme.txt. The download is here: FlexiSpyOmni.zip, collection of all data is here: Source code and binaries of FlexiSpy from the Flexidie dump and a writeup of the dump is here: FlexSpy Application Analysis. I bet we will see more details in the coming weeks!
Does Blackberry give out review samples for the KEYone? I would really like one and give it a try (would post full review here of course!).
All Nokia phones ever made.
ss7 assessment tool
ss7 map testing tool
Fried Apples (slides)
The Galaxy S8's facial scanner can, unsurprisingly, be tricked with a photo (Biometrics are convenience not security)
jtrace - augmented, Android aware strace
Mobile Telephony Threats in Asia (slides)
Security updates in iOS 10.3.1 a lot of webkit and kernel bugs
Pegasus for Android (paper)
3G/4G Intranet Scanning (slides)
Know your community - Stefan Esser
Protection Profile for Mobile Device Fundamentals
CVE-2017-2416 Remote code execution triggered by malformed GIF in ImageIO framework, affecting most iOS/macOS apps (blog post)
Easy 4G/LTE IMSI Catchers for Non-Programmers (paper)
More Android Anti-Debugging Fun
Analysis of the Facebook.app for iOS [v. 87.0] (blog post)
Over The Air: Exploiting Broadcom's Wi-Fi Stack (Part 1)
Over The Air: Exploiting Broadcom's Wi-Fi Stack (Part 2)
Slides for the Android Security Symposium 2017
FemotoCell Hacking (slides)
iOS Kernel Integrity Protection bypass via Tick (FPU) Tock (IRQ)
DexGuard vs. ProGuard (WARNING: post is by a app protection company)
Bose headphones secretly data-mine users if they have the app installed on their phone!
Cellular Provider Record Retention Periods
Attack TrustZone with Rowhammer (slides)
A surprise encounter with a telco APT (slides)
The Shadow over Android Heap exploitation assistance for Android's libc allocator (slides)
Vulnerability Exploitation and Mitigation in Android (slides by Google)
Stetho: A debug bridge for Android applications
Why Banker Bob (still) Can't Get TLS Right: A Security Analysis of TLS in Leading UK Banking Apps (blog post + paper)
Calling JNI Functions with Java Object Arguments from the Command Line (blog post)
Logic Bug Hunting in Chrome on Android (slides)
Redex and Android byteCode optimizer
AppMon is an automated framework for monitoring and tampering system API calls of native apps on macOS, iOS and Android
Android Security Bulletin - April 2017
Android Vendor Test Suite (VTS)
Mobile Security Research - 2017 Q1
Forensics Investigation of Android Phone using Andriller
Using Frida on Android without root
Introducing 'gnirehtet', a reverse tethering tool for Android
Man sues Confide: I wouldn't have spent $7/month if I'd known it was flawed
Who owns your runtime?
Qualcomm Mobile Security Summit 2017 San Diego, May. All talks are on mobile security - super strong lineup!
AppSec EU May 11-12, Belfast. How to steal mobile wallet? - Mobile contactless payments apps attack and defense. Fixing Mobile AppSec: The OWASP Mobile Project.
MOSEC June Shanghai. Pwning Apple Watch. (program not complete yet!)
OffensiveCon is a new security conference in Berlin Germany focused on Offense. No details yet but they chose the right location for sure.
For everybody who didn't make it to the Android Security Symposium, they recorded the talks and the videos are available: here.
Google published a blog post and a detailed report on Android Security in 2016. The report covers everything from patching and update stats to high impact vulnerabilities. People posted a lot of summaries but you should really read it yourself if you work with Android.
Google pulls March security update for Nexus 6, after it breaks SafetyNet and Android Pay. This was pretty interesting, not the fact that they broke SafetyNet but that they broke it for their own devices (Nexus). This happened to some really small manufacturer before and if you have an idea of how SN works on the backend - it is clear what happened.
execute USSD codes in iOS 10.2.xx --bug-Impact: Tapping a tel link in a PDF document could trigger a call without prompting the user #lol— Ravishankar Borgaonk (@raviborgaonkar) March 27, 2017
Android anti-debugging tricks can be patented? This is stupid in so many ways https://t.co/IjXfg45xoN— Bernhard Mueller (@muellerberndt) March 25, 2017
Anti Debugging fun Android Art
PageSwitch an exploit toolkit for the Nintendo switch
Ransomware scammers exploited Safari bug to extort porn-viewing iOS users
Increasing Android app security for freei (slides)
Looking Back at Android Security in 2016 by DuoSecurity
OWASP Mobile - Anti Reversing Checks
Android/Ztorg teardown - It detects the Android SDK emulator, but also emulators from Genymotion, Bluestacks and BuilDroid. It also detects tainted environments. Several of its checks will be difficult to bypass
Owning OnePlus 3/3T with a Malicious Charger
The updated iOS Security Guide now covers iOS 10
iOS 10.3 fixes a large number of Kernel and WebKit bugs
Statistical Deobfuscation for Android (I suppose this is for Dex code only)
Hacking Android Apps with Frida (part 2)
Nexus 5X Owners Say Device Boot-Looping Kills Phones; Getting Runaround From LG
This American Surveillance Tool Helped Russians Spy On Androids And iPhones
Apple cracking down on developers who use SDKs like Rollout to update apps without App Store approval (Apple going after hot-patching frameworks)
Attacking Nexus 9 with Malicious Headphones
GSMA Coordinated Vulnerability Disclosure Program
gdrive-appdata: Tries to fetch the contents of the appdata hidden folder from Google Drive.
Harald Welte about TelcoSecDay 2017 @ Troopers
NDK changes for API level 26
O-MG, the Developer Preview of Android O is here!
Android API Differences Report
Frustrated by robo callers & an AT&T subscriber? Get the AT&T call protect app
Samsung commits to monthly security updates for unlocked US smartphones
Android phone market stats
20 bestselling mobile phones of all time
Android Kernel CVE PoCs
Mobile Malware Masquerades as POS Management App
Judge an Android malware scanner by rednaga.io (@timstrazz and @caleb_fenton)
The Art Of Bootloader Unlocking: Exploiting Samsung S-Boot (video from nullcon talk)
Having fun with Secure Messengers and Android Weari (slides CansecWest 2017)
Pwning the NExus of Every Pixel (slides CanSecWest 2017)
Injecting Metasploit Payloads into Android Applications
Receive FREE SMS online (number in various countries)
TrustZone An Attackers Perspective (slides)
Reverse Engineering Samsung S6 SBOOT - Part I
Letter to the FCC on SS7 Security by Ron Wyden
FCC: Legacy Systems Risk Reductions (it's about ss7)
Black Hat ASIA Singapore March 28-31. FRIED APPLES: JAILBREAK DIY by Alex Hude, Max Bazaliy, Vlad Putin. ANTI-PLUGIN: DON'T LET YOUR APP PLAY AS AN ANDROID PLUGIN by Cong Zheng, Tongbo Luo, Xin Ouyang, Zhi Xu. REMOTELY COMPROMISING IOS VIA WI-FI AND ESCAPING THE SANDBOX by Marco Grassi. 3G/4G INTRANET SCANNING AND ITS APPLICATION ON THE WORMHOLE VULNERABILITY by Guangdong Bai, Zhang Qing. MOBILE-TELEPHONY THREATS IN ASIA by Lion Gu, Marco Balduzzi, Payas Gupta. MASHABLE: MOBILE APPLICATIONS OF SECRET HANDSHAKES OVER BLUETOOTH LE by Yan Michalevsky.
CanSecWest Vancouver Canada, March 15-17. Qidan He : Pwning Nexus of Every Pixel: Chain of Bugs demystified. Logic Bug Hunting in Chrome on Android by Georgi Hershey & Robert Miller.
Zer0Con Seoul, Korea April 13-14. Ian Beer : Through the mach portal.
OsmoCon (Osmocom Conference) 2017 is the first technical conference for Osmocom users, operators and developers! April 21, Berlin. All about Osmocom!
HITB Amsterdam April 13-14. FEMTOCELL HACKING: FROM ZERO TO ZERO DAY by JeongHoon Shin. CAN'T TOUCH THIS: CLONING ANY ANDROID HCE CONTACTLESS CARD by Slawomir Jasek. EXTRACTING ALL YOUR SECRETS: VULNERABILITIES IN ANDROID PASSWORD MANAGERS by Stephan Huber, Steven Artz, Siegfried Rasthofer. HUNTING FOR VULNERABILITIES IN SIGNAL by Markus Vervier.
Opcde Dubai, UAE April 26-27. Practical attacks against Digital Wallet by Loic Falletta.
I took a way too long break again. So many things happen in the world of mobile security every week. I really wish I had more time for this. I also have a bunch of small things I need to put on this blog but I think they are too specific for the news and will likely get their own posts.
Some news from MWC (I didn't attend):
First the BlackBerry KEYone a new Android-based phone with a physical keyboard. Other then the BB Priv the KEYone's keyboard is fix and doesn't slide. Movable parts are really not a good idea, they break way too fast. In my opinion this device looks super solid and likely will be supported longer than the average flagship phone from other manufacturers (data on this would be awesome).
Nokia released 3 new Android phones the 3 (MTK), 5 (QCOM) and 6 (QCOM). The phones seem to run Android N without any modifications or vendor crap. Very low price (230Euro for the 6). The bottom of their website specifically says: You get an experience that's focused and clutter-free, and we'll make sure you keep getting regular updates, so you'll always stay on top of features and security. that is what you should expect in 2017.
The Android Devices Security Patch Status page is an awesome resource to determine if a specific device from a specific vendor has been patched and when the patch was released. From the page: This list is Prepared to Serve as a Quick reference to identify which Device is being actively maintained by the Vendor.. This is super useful, thanks!
Xiaomi launching own SoC for Android phones-upgradable baseband with fake base station detection capabilities. IMSI catchers r threat now ;) pic.twitter.com/S0hzDBIiQd— Ravishankar Borgaonk (@raviborgaonkar) March 2, 2017
Apple 0day is expensive. https://t.co/F1UEUU0s3r— Collin Mulliner (@collinrm) February 22, 2017
MOSEC mobile security conference in June in Shanghai. This seems to be the 3rd year of the conference. There is no schedule yet.
The story of the day Vault 7: CIA Hacking Tools Revealed. Vault 7: CIA Hacking Tools Revealed : iOS Exploit list. Yes, the CIA uses n-day exploits! The Android exploits.
They talk about Android, Defcon, and backdooring your repo? ;-)
Pic of the month:
ENISA: Smartphone Secure Development Guidelines
Android Security Bulletin - March 2017
Android Security Bulletin - February 2017
Vault 7: CIA Hacking Tools Revealed
Multi-BTS with Osmocom and a single UmTRX
Obfuscation-Resilient Privacy Leak Detection for Mobile Apps Through Differential Analysis Paper and Tool
Booting into fastboot mode Instructions for all Nexus devices
TROOPERS17 GSM Network - How about your own SMPP Service?
MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models paper
Exploiting Android S-Boot: Getting Arbitrary Code Exec in the Samsung Bootloader (1/2)
Android ransomware requires victim to speak unlock code
Hacking Android phone. How deep the rabbit hole goes.
Sunny with a chance of stolen credentials: Malicious weather app found on Google Play 5k installs via Google Play!
iOS keychain items used to persist after app uninstall. As of iOS 10.3 beta 2, deleting app deletes keychain items via @hubert3
SunShine 3.4.27 is out - Bringing unlock support for Droid Turbo on 6.0.x
Cellular re-broadcast over satellite
Identifying Rebroadcast (GSM) also linked in post above
ios-triage - Node.js cli for iOS incident response. Program will extract, process and report (including diffs) on iOS device and app telemetry.
Remote control: Companies blur lines over who owns devices
Shodan.io iOS App
Analysis of iOS.GuiInject Adware Library
Patching and Re-Signing iOS Apps
Lifting the (Hyper) Visor: Bypassing Samsung's Real-Time Kernel Protection
Android ransomware repurposes old dropper techniques
Deobfuscating libMobileGestalt keys
Samsung: Stack buffer overflow in OTP TrustZone trustlet
How easy it would be to hack Trump's phone by my friend Zach aka @quine
iOS 10.2 Yalu Jailbreak Now Supports All 64-bit Devices except iPhone 7 and iPad Air 2
Android bootloader (aboot) parser
Tracking Android Security Update across Devices
SAMSUNG KNOX 1.0 ECRYPTFS KEY GENERATOR WEAK ENCRYPTION
Deep Analysis of Android Rootnik Malware Using Advanced Anti-Debug and Anti-Hook, Part II: Analysis of The Scope of Java
Black market Blackphones get sent a kill message that bricks them
iOS/MacOS kernel memory corruption due to userspace pointer being used as a length
Update on the Fancy Bear Android malware (poprd30.apk)
An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps (paper)
Charger Malware Calls and Raises the Risk on Google Play
Secrets leak in Android apps online service to test APKs
26 security issues in major Android password manager apps
Easy 4G/LTE IMSI Catchers for Non-Programmers (paper)
App-in-the-Middle Attack Bypasses Android for Work Secure Framework
Android FRIDA: Add support for enumerateLoadedClasses() on ART
Android: Inter-process munmap in android.util.MemoryIntArray
Owning a Locked OnePlus 3/3T: Bootloader Vulnerabilities
Binary based obfuscation in a way of CTF kids. We obfuscate your apps, support both iOS/Android.
Android (Huawei) privilege escalation in EMUI keyguard app via loading shellcode in theme pack
The Story of Firefox OS