Conferences
PacSec Nov 1-2, Tokyo, Japan. Grandma's old bag, how outdated libraries spoil Android app security by Marc Schoenefeld. When encryption is not enough: Attacking Wearable - Mobile communication over BLE by Kavya Racharla. The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by Di Shen.
DeepSec Nov 14-17, Vienna, Austria. Normal Permissions In Android: An Audiovisual Deception by Constantinos Patsakis.
Black Hat Europe 2017 Dec 4-7, London, UK. ATTACKING NEXTGEN ROAMING NETWORKS by Daniel Mende, Hendrik Schmidt. ATTACKS AGAINST GSMA'S M2M REMOTE PROVISIONING by Maxime Meyer. BLUEBORNE - A NEW CLASS OF AIRBORNE ATTACKS THAT CAN REMOTELY COMPROMISE ANY LINUX/IOT DEVICE by Ben Seri, Gregory Vishnepolsky. DIFUZZING ANDROID KERNEL DRIVERS by Aravind Machiry, Chris Salls, Jake Corina, Shuang Hao, Yan Shoshitaishvili. HOW SAMSUNG SECURES YOUR WALLET AND HOW TO BREAK IT by HC MA. INSIDE ANDROID'S SAFETYNET ATTESTATION by Collin Mulliner, John Kozyrakis. JAILBREAKING APPLE WATCH by Max Bazaliy. RO(O)TTEN APPLES: VULNERABILITY HEAVEN IN THE IOS SANDBOX by Adam Donenfeld.
Quick conference review: both 44con and ekoparty were great. Ekoparty was especially awesome since I got to check the last continent off my list. Also the size of ekoparty was way beyond what I was expecting. They managed to have a really good conference that is professionally run while still maintaining the vibe of a hacker / underground con <3
Two weeks ago there was a post on Medium about two companies that provide a mobile identification service. That service basically can be used to convert your phone's IP address into real information about the owner of the phone (the contract owner). This is done via APIs that are provided by multiple Mobile Network Operators (such as AT&T). The medium article linked to demo pages of those two service providers (payfone and danal inc) that show not only your phone number but also your operator's name, your name and address.
I played with the two demo sites for a bit (while they were still online - offline now). I'm on Google Fi with a number ported from T-Mobile (pre-paid). Payfone only had my phone number and old carrier (T-Mobile) while Danal inc showed no data at all. I never provided any data to T-Mobile since it is not required for a pre-paid card. Google has all the data but likely does not share it with 3rd parties.
Overall this is a service that I really don't want to exist. I don't want an arbitrary company to be able to identify me while visiting their website from my mobile phone. I hope those companies don't just sell their services to anybody. Read the Medium article again: AT&T consumer choice opt-out doesn't affect this!
iOS 11 the tragedy continues: 11.0 had a bunch of flaws that were annoying. Now 11.0.3 randomly freezes my phone for minutes. Also I have some issues with voice call audio not working sometimes. Highly disappointing!
Pictures of the month:
Saw a throne of phones in Göteborg. pic.twitter.com/wE6M5e2WPa
— Mikko Hypponen (@mikko) October 17, 2017
Today marks the third time one of my iPhones has vibrated itself out of alignment with its wireless charging pad over night. pic.twitter.com/HFchysZ7L9
— Matthew Panzarino (@panzer) October 10, 2017
Have you ever seen two Android Banking Trojans beating each other for victim's credit card information? #Malware cc @malwrhunterteam pic.twitter.com/EY6yQifVqp
— Lukas Stefanko (@LukasStefanko) June 27, 2017
Links
IT TAKES JUST $1,000 TO TRACK SOMEONE'S LOCATION WITH MOBILE ADS
Oppo/Oneplus .ops Firmware decrypter
[WIP] Crappy iOS app analyzer
Magisk v14.3
Down the Rabbit Hole with a BLU Phone Infection
eSIM for Consumer Devices (PDF)
Android Crypto-Ransomware that misuses accessibility services + encrypts data + changes PIN.
iOS jailbreak detection toolkit now available from Trail of Bits
Administering Chromebooks For teams traveling to complex and hostile environments
HackingTeam back for your Androids, now extra insecure!
iOS 11 security updates
Researchers: Uber's iOS App Had Secret Permissions That Allowed It to Copy Your Phone Screen
How To Obtain Real-Time Data from iCloud and Forget About 2FA with Just an Old iTunes Backup. No Passwords Needed
Meet Danny, the Guy Authorities Say Is Selling Encrypted Phones to Organized Crime
Android Reverse Engineering tools Not the Usual Suspects (slides)
Understanding new APK Signature Scheme V2?
Google Play Security Reward Program
SAMSUNG TEEgris
source for suhide
Dieser Mann weiss, wie man in Smartphones einbricht (German)
NEW Rainbow Table added: GSM A5/1 table, 1.52 Terabytes in size. Torrent now available
Alarming number of DNS requests made by iOS devices
Bluetooth Hacking Tools Comparison
Unpatched Bugs Rampant on Mobile Devices in Financial Services Firms
Legitimacy: a Memory Research Platform for iOS
Samsung Android Security Bulletin Oct 2017 (a very long list!)
SELinux in Android Oreo or: How I Learned to Stop Worrying and Love Attributes (slides)
Android Security Bulletin - October 2017 (now calling out individual vendors)
Frida All The Things (slides)
Magisk Module to Allow Location Mocking, Screenshots in Any App, and Disabling System Signature Verification
notes on Hacking BLE - list of resources
Blue Pill for Your Phone (slides)
Bill Gates just switched to an Android phone (Windows Phone is dead!)
NFC - Contactless Cards: Brute Forcing Processing Options
Over The Air - Vol. 2, Pt. 1: Exploiting The Wi-Fi Stack on Apple Devices
XNU kernel 4570.1.46 sources
Linux Kernel Self Protection Project (slides)
CLKSCREW: Exposing the perils of security-oblivious energy management (paper) (pdf)
In a first, Android apps abuse serious 'Dirty Cow' bug to backdoor phones
Label enums for Android JNI to aid in reversing
IDA jni helper
Google Play apps with as many as 2.6m downloads added devices to botnet
Samsung is gonna let you run any Linux distro on a Galaxy
Shim to grab keystore backed data
Android Security Reference (largely private notes of @doriancussen)
Google Play Billing Library 1.0 released
The Stony Path of Android Bug Bounty - Bypassing Certificate Pinning
Hardening the Kernel in Android Oreo
Conferences
Black Hat USA Las Vegas, July 26-27. ALL YOUR SMS & CONTACTS BELONG TO ADUPS & OTHERS by Angelos Stavrou, Azzedine Benameur, Ryan Johnson. NEW ADVENTURES IN SPYING 3G AND 4G USERS: LOCATE, TRACK & MONITOR by Altaf Shaik, Andrew Martin, Jean-Pierre Seifert, Lucca Hirschi, Ravishankar Borgaonkar, Shinjo Park. SS7 ATTACKER HEAVEN TURNS INTO RIOT: HOW TO MAKE NATION-STATE AND INTELLIGENCE ATTACKERS' LIVES MUCH HARDER ON MOBILE NETWORKS by Martin Kacer, Philippe Langlois. FIGHTING TARGETED MALWARE IN THE MOBILE ECOSYSTEM by Andrew Blaich, Megan Ruthven. GHOST TELEPHONIST LINK HIJACK EXPLOITATIONS IN 4G LTE CS FALLBACK by Haoqi Shan, Jun Li, Lin Huang, Qing Yang, Yuwei Zheng. HONEY, I SHRUNK THE ATTACK SURFACE – ADVENTURES IN ANDROID SECURITY HARDENING by Nick Kralevich. DEFEATING SAMSUNG KNOX WITH ZERO PRIVILEGE by Di Shen. BLUE PILL FOR YOUR PHONE by Oleksandr Bazhaniuk, Yuriy Bulygin. CLOAK & DAGGER: FROM TWO PERMISSIONS TO COMPLETE CONTROL OF THE UI FEEDBACK LOOP by Chenxiong Qian, Simon Pak Ho Chung, Wenke Lee, Yanick Fratantonio.
Black Hat and Defcon have a really good number of mobile related talks this year.
Defcon Las Vegas. Jailbreaking Apple Watch by Max Bazaliy. Inside the "Meet Desai" Attack: Defending Distributed Targets from Distributed Attacks by CINCVolFLT (Trey Forgety). macOS/iOS Kernel Debugging and Heap Feng Shui by Min(Spark) Zheng & Xiangyu Liu. Using GPS Spoofing to Control Time by David "Karit" Robinson. Phone System Testing and Other Fun Tricks by "Snide" Owen. Unboxing Android: Everything You Wanted To Know About Android Packers by Avi Bashan & Slava Makkaveev. Ghost in the Droid: Possessing Android Applications with ParaSpectre by chaosdata. Ghost Telephonist' Impersonates You Through LTE CSFB by Yuwei Zheng & Lin Huang. Bypassing Android Password Manager Apps Without Root by Stephan Huber & Siegfried Rasthofer. Man in the NFC by Haoqi Shan & Jian Yuan.
USENIX Workshop on Offensive Technologies (WOOT) Vancouver Canada, 14-15 August. Shattered Trust: When Replacement Smartphone Components Attack by Omer Shwartz, Amir Cohen, Asaf Shabtai, and Yossi Oren. White-Stingray: Evaluating IMSI Catchers Detection Applications by Shinjo Park, Altaf Shaik, Ravishankar Borgaonkar, Andrew Martin, Jean-Pierre Seifert. fastboot oem vuln by Roee Hay.
It was a busy month and July will be even busier. I'll be at GSMA DSG, Black Hat and Defcon in July and USENIX WOOT in mid August.
OEM just told Google a bug I submitted isn't a bug. It is a FULL permanent secureboot bypass.
— Jon Sawyer (@jcase) July 6, 2017
Picture of the month:
Liang Chen is demonstrating iOS 11.0 beta 2 jailbreak on iPhone 7. pic.twitter.com/wA7U9AQ32E
— vangelis (@vangelis_at_POC) June 23, 2017
There is a lot happening in the Android boot loader world at the moment. I guess this is what happens when the devices get more and more locked down - people go after the root of trust.
Links:
Emulation and Exploration of BCM WiFi Frame Parsing using LuaQEMU
New attack can now decrypt satellite phone calls in "real time"
Library injection for debuggable Android apps
Attack TrustZone with Rowhammer
All slides from MOSEC 2017
Researchers Build Firewall to Deflect SS7 Attacks
Android Security Bulletin - July 2017
mobile CTF by HackerOne
Secure Mobile Application Development
ANDROID O AND DEX 38: DALVIK OPCODES FOR DYNAMIC INVOCATION
IMSecure - Attacking VoLTE (and other Stuff)
Telecom Signaling Exploitation Framework - SS7, GTP, Diameter & SIP
Thieves caught hours after stealing GPS tracking devices from tech company
How the Osmocom GSM stack is funded
OWASP list of the most important security tools for Android and iOS
For $500, this site promises the power to track a phone and intercept its texts
A compilation of useful Android tools
Privacy Threats through Ultrasonic Side Channels on Mobile Devices (paper)
Subscribers remote geolocation and tracking using 4G VoLTE enabled Android phone (paper)
Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations (paper)
Dvmap: the first Android malware with code injection
JNI method enumeration in ELF files
root shell on Moto G4 & G5 with a Secure Boot and Device Locking Bypass
Breaking Samsung Galaxy Secure Boot through Downloaded mode (paper)
A very minimalist smali emulator that could be used to "decrypt" obfuscated strings
anti vm on android
Back That App Up: Gaining Root on the Lenovo Vibe
PoCs for Android July bulletin: CVE-2017-8260 CVE-2017-0705 CVE-2017-8259
Secure initialization of TEEs: when secure boot falls short
Reverse Engineering Samsung S6 SBOOT - Part II
No permission required for SMS verification in Android O
Conferences
Black Hat USA July 26-27 Las Vegas. 'GHOST TELEPHONIST' LINK HIJACK EXPLOITATIONS IN 4G LTE CS FALLBACK by Haoqi Shan, Jun Li, Lin Huang, Qing Yang, Yuwei Zheng. ALL YOUR SMS & CONTACTS BELONG TO ADUPS & OTHERS by Angelos Stavrou, Azzedine Benameur, Ryan Johnson. BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS by Nitay Artenstein. CLOAK & DAGGER: FROM TWO PERMISSIONS TO COMPLETE CONTROL OF THE UI FEEDBACK LOOP by Chenxiong Qian, Simon Pak Ho Chung, Wenke Lee, Yanick Fratantonio. DEFEATING SAMSUNG KNOX WITH ZERO PRIVILEGE by Di Shen. FIGHTING TARGETED MALWARE IN THE MOBILE ECOSYSTEM by Andrew Blaich, Megan Ruthven. HONEY, I SHRUNK THE ATTACK SURFACE – ADVENTURES IN ANDROID SECURITY HARDENING by Nick Kralevich. NEW ADVENTURES IN SPYING 3G AND 4G USERS: LOCATE, TRACK & MONITOR by Altaf Shaik, Andrew Martin, Jean-Pierre Seifert, Lucca Hirschi, Ravishankar Borgaonkar, Shinjo Park. SONIC GUN TO SMART DEVICES: YOUR DEVICES LOSE CONTROL UNDER ULTRASOUND/SOUND by Aimin Pan, Bo Yang, Shangyuan LI, Wang Kang, Zhengbo Wang. SS7 ATTACKER HEAVEN TURNS INTO RIOT: HOW TO MAKE NATION-STATE AND INTELLIGENCE ATTACKERS' LIVES MUCH HARDER ON MOBILE NETWORKS by Martin Kacer, Philippe Langlois. THE FUTURE OF APPLEPWN - HOW TO SAVE YOUR MONEY by Timur Yunusov.
This took a long time again. It gets harder and harder to do this since this stuff is not directly what I do on a day to day basis currently.
(Black Hat has a very strong mobile security line up this year.)
Defcon July 27-30 Las Vegas. Man in the NFC by Haoqi Shan & Jian Yuan. (speaker selection not final)
MOSEC June, Shanghai added a bunch of talks (all mobile security related, obviously).
Recon June 16-18 Montreal, Canada. FreeCalypso: a fully liberated GSM baseband by Mychaela Falconia. Hacking Cell Phone Embedded Systems by Keegan Ryan.
The Qualcomm Mobile Security summit was excellent again! Fantastic talks and again I met a bunch of people I mostly knew from email and/or twitter or haven't seen in quite some time. This conference still is unparalleled!
I had a minute to play with the BlackBerry KeyOne and it feels like a super solid device. The screen is bigger than I thought it would be and this makes the device almost too big for my taste - but this is hard to say from playing with it for just a minute.
So iOS will finally support NDEF tags.
This talk is really interesting for anybody interested in mobile application security. This is not about mobile app reverse engineering but about app, backend, phone infrastructure interaction.
Detect NFC tags on iOS 11.0! pic.twitter.com/70szXo1yny
— Aaron (@iosaaron) June 5, 2017
Pictures of the month:
Previously top secret #TR16 talk on pwning Uber & Lyft (w/ live demos!) by @vlad_penetrator & @gramx is finally out! https://t.co/cqtAC69p7w
— Kelly Shortridge (@swagitda_) May 31, 2017
Some old PalmOS devices on street in my hood <3 pic.twitter.com/gkePP0Uzd8
— Collin Mulliner (@collinrm) May 28, 2017
A Symbian phone appears #QPSISummit2017 pic.twitter.com/MFHiAEKl4T
— Collin Mulliner (@collinrm) May 18, 2017
So basically set your smartphone's name to %x%x%x%x and test for format string vulns in connected devices . here's a 2011 BMW 330i #Hackers pic.twitter.com/vhLKRnKYud
— Eهاb Huسein (@__Obzy__) May 17, 2017
Links
Papers and Slides from MOBILE SECURITY TECHNOLOGIES (MOST) 2017 an Academic Workshop
Android Security Bulletin - June 2017
LazyDroid - bash script to facilitate some aspects of an Android application assessment
factory and OTA images for Nexus devices
Android: Multiple Android devices do not revoke QSEE trustlets
Brazilian phishers are now asking for victim's IMEI in their fake bank pages, aiming to steal their accounts via mobile access
50+ iOS 11 Features Apple Didn't Announce On Stage [List]
Android Mazar 3.0 targets 41 banking apps
Google Publishes List of 42 Phones Running Latest Android Security Updates 42 is not a lot!
City-Wide IMSI-Catcher Detection
Up to $200,000 for Android exploits!
Mobile subscriber WiFi privacy (WiFi IMSI catcher!!) (paper)
Collection of the most common vulnerabilities found in iOS applications
Android O feature spotlight: Android tells you if an app is displaying a screen overlay
Priorities for Securing the Mobile Ecosystem (slides)
Cloak & Dagger Android Overlay attacks
Cloak & Dagger (slides)
Cloak & Dagger talk(youtube)
Honey, I Shrunk the Attack Surface Adventures in Android Security Hardening (slides)
With great speed comes great leakage - How processor performance is tied to side-channel leakage (slides)
Pwning the Nexus of Every Pixel (slides)
initroot: Bypassing Nexus 6 Secure Boot through Kernel Command-line Injection
Android Encryption Demystified
iPhone 7 and 7 Plus get a stable jailbreak on iOS 10.1.1 with extra_recipe+yaluX
The Shadow over Android (slides)
Apparently Google Play Store can now manage your app signing keys, and 'opt-in is permanent (via Nikolay Elenkov)
Hacking iOS Applications a detailed testing guide (doc)
Android malware that infected 3500 devices/day
iOS/macOS bugs slaughter list by P0's Ian Beer
Hacking the Samsung Galaxy S8 iris scanner
Learning about Bluetooth protocols and reverse-engineering them.
A Simple Tool for Linux Kernel Audits
Google VS Root: Why SafetyNet is now standard for developers
Google Play can now restrict app distribution based on SafetyNet Attestation results, SoC vendor etc (via John Kozyrakis)
US Senate Adopts Signal, HTTPS A Year After Trying To Kill Encryption
Alarming Security Defects in SS7, the Global Cellular Network - and How to Fix Them
iOS Kernel utilities
Dutch Cops Bust Another PGP BlackBerry Company for Alleged Money Laundering
Multiple MediaTek vulnerabilities
Google Working on Fix for Android Permission Weakness
More Android phones than ever are covertly listening for inaudible sounds in ads
The Jiu-Jitsu of Detecting Frida
Thieves drain 2fa-protected bank accounts by abusing SS7 routing protocol
Over 100 CF-Auto-Roots were updated by ChainfireXDA
Android Security Bulletin - May 2017
de-obfuscate Android Ztorg obfuscated strings
Android Applications Reversing 101
A diagram of the Android Activity / Fragment lifecycle
Example of a powerful overlay attack executed by Android banker (video)
Identifying an Android Device - Available Identifiers
Diving Deeper into Android O
How To Put Any Android Smartphone Into Monitor Mode Using Custom Script Without bcmon
Android app analysis and feature extraction library
Introduction to Fridump
Here's How To Track The Smartphone Apps That Are Tracking You
AssetHook: A Redirector for Android Asset Files Using Old Dogs and Modern Tricks
Android Package Inspector - dynamic analysis with api hooks, start unexported activities and more. (Xposed Module)
The Mobile App Pentest cheat sheet was created to provide a concise collection of high value information on specific mobile application penetration testing topics.
TruSpy: Cache Side-Channel Information Leakage from the Secure World on ARM Devices (paper)
Dirty COW and why lying is bad even if you are the Linux kernel
How to build and integrate OpenSSL into your Android NDK project
iOS DeviceCheck. Access per-device, per-developer data that your associated server can use in its business logic.
Changes to Trusted Certificate Authorities in Android Nougat
Conferences
CanSecWest Vancouver, Canada. Don't Trust Your Eye: Apple Graphics Is Compromised! - Liang Chen + Marco Grassi. Having fun with secure messengers and Android Wear - Artem Chaykin. Pwn a Nexus device with a single vulnerability - Guang Gong.
Troopers Heidelberg, Germany. QNX: 99 Problems but a Microkernel ain't one! Georgi Geshev, Alex Plaskett.
Looks like I will go to very few conferences this year.
We finally published our paper on Android application analysis support using intelligent GUI stimulation. The work CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes uses / enhances Andrubis.
Excellent post on Apple vs FBI by Dan Guido: Apple can comply with the FBI court order
Links
BlackBerry powered by Android Security Bulletin - March 2016
Nexus Security Bulletin - March 2016
Attack on Zygote: a new twist in the evolution of mobile threats
How to FBI-proof your iPhone
Reverse Engineering Samsung S6 Modem
Security Analysis of Wearable Fitness Devices (Fitbit)
Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems
GPS hacking (PART 1)
How does Dalvik handle 'this' registers?
Pirated iOS App Store's Client Successfully Evaded Apple iOS Code Review
FileSystem Monitor Tool For iOS and Android
Scammers use mobile POS terminals to scan people's cards via NFC (PayPass, payWave etc.) technology without them knowing
Android: Calling getpidcon for One Way Binder Transactions Returns Wrong Security Context
Network Security Policy configuration for Android apps
[Xposed module] Disable device compatibility check
The ARMv8-A architecture and its ongoing development
Android Secure Coding Free PDF Book
Decoding Syscalls in ARM64
Adafruit Bluefruit LE Sniffer – Bluetooth Low Energy (BLE 4.0)
Conferences:
Black Hat Asia March 29, Singapore. ANDROID COMMERCIAL SPYWARE DISEASE AND MEDICATION by Mustafa Saad. ENTERPRISE APPS: BYPASSING THE IOS GATEKEEPER by Avi Bashan & Ohad Bobrov. HEY YOUR PARCEL LOOKS BAD - FUZZING AND EXPLOITING PARCEL-IZATION VULNERABILITIES IN ANDROID by Qidan He. SU-A-CYDER: HOMEBREWING MALWARE FOR IOS LIKE A B0$$! by Chilik Tamir.
I guess it is still too early in the year for conference programs. ShmooCon just concluded, Infiltrate doesn't have any mobile talks, and SyScan didn't post accepted talks yet. This weekend I attended the first BSidesNYC. The conference was pretty good, some expected and some unexpected good talks. The conference venue was pretty nice and spacious. I will go again.
If you are into NFC research check out: ChameleonMini - A Versatile NFC Card Emulator, a new Kickstarter project. The guys who run it definitely know what they are doing.
Links:
Updated Android malware steals voice two factor authentication
Phone Hackers: Britain's Secret Surveillance Video by vice
Android-based Smart TVs Hit By Backdoor Spread Via Malicious App (not mobile but close enough)
Create an anonymous Signal phone number w/ Android
Covert Communication in Mobile Applications (paper)
Vulnerability in Blackphone Puts Devices at Risk for Takeover
spectrum monitoring system for GSM providers (a tool)
Nexus Security Bulletin - January 2016 has a bunch of critical stuff
(Un)Trusted Execution Environments (slides)
Parsing iOS Frequent Locations
A Forensic Analysis of Tinder (iOS)
How to Bypass Factory Reset Protection on your Nexus 6P, 5X, 5, & 6 (YouTube video)
[CVE-2015-7292] Amazon Fire Phone kernel stack based buffer overflow
Mediatek/Obi nerfed ALL property space security: any user can control any property, even ro ones
CopperheadOS's OpenBSD malloc port uncovered a use-after-free in Android's fancy new over-the-air update sorcery
Added support to crack Android FDE (Samsung DEK) to oclHashcat v2.10! 171kH/s @ 290x, 217.7 kH/s @ 980Ti
DIVA (Damn insecure and vulnerable App) for Android
A pattern based Dalvik deobfuscator which uses limited execution to improve semantic analysis and the slides for it.
Experimental version of QEMU with basic support for ARM TrustZone (security extensions)
How to NOT disable SELinux on Android
Conferences
Black Hat Europe November, Amsterdam NL. ALL YOUR ROOT CHECKS BELONG TO US: THE SAD STATE OF ROOT DETECTION by Azzedine Benameur & Nathan Evans & Yun Shen. ANDROBUGS FRAMEWORK: AN ANDROID APPLICATION SECURITY VULNERABILITY SCANNER by Yu-Cheng Lin. AUTHENTICATOR LEAKAGE THROUGH BACKUP CHANNELS ON ANDROID by Guangdong Bai. FAUX DISK ENCRYPTION: REALITIES OF SECURE STORAGE ON MOBILE DEVICES by Daniel Mayer & Drew Suarez. FUZZING ANDROID: A RECIPE FOR UNCOVERING VULNERABILITIES INSIDE SYSTEM COMPONENTS IN ANDROID by Alexandru Blanda. LTE & IMSI CATCHER MYTHS by Ravishankar Borgaonkar & Altaf Shaik & N. Asokan & Valtteri Niemi & Jean-Pierre Seifert. TRIAGING CRASHES WITH BACKWARD TAINT ANALYSIS FOR ARM ARCHITECTURE by Dongwoo Kim & Sangwho Kim.
Secret Conference October 9th, NYC. Talks by Jon Callas and Dan Ford from Silent Circle / Blackphone.
Ruxcon October 24-25 Melbourne, Aus. TEAM PANGU on DESIGN, IMPLEMENTATION AND BYPASS OF THE CHAIN-OF-TRUST MODEL OF IOS. MARK DOWD on MALWAIRDROP: COMPROMISING IDEVICES VIA AIRDROP. JOSHUA KERNELSMITH SMITH on HIGH-DEF FUZZING: EXPLORING VULNERABILITIES IN HDMI-CEC. BABIL GOLAM SARWAR on HACK NFC ACCESS CARDS & STEAL CREDIT CARD DATA WITH ANDROID FOR FUN &PROFIT. COLBY MOORE on SPREAD SPECTRUM SATCOM HACKING: ATTACKING THE GLOBALSTAR SDS.
ToorCon San Diego October 24-25, San Diego, CA. The Phr3$h Pr1nc3 0f Bellk0r3 on Fuzzing GSM for fun and profit.
SyScan360i October 21-22 Beijing China. Fuzzing Android System Service by Binder Call to Escalate Privilege by Guang Gong.
PacSec November, Tokyo JP. BlueToot / BlueProx - when Bluetooth met NFC by Adam Laurie.
ZeroNights 25-26 November, Russia. Extracting the painful (Blue)tooth by Matteo Beccaro and Matteo Collura.
HP / ZDI will not run Mobile Pwn2Own at PacSec (in Japan) due to export restrictions. Source: Dragos Ruiu. This is unfortunate.
Personal note: Since September I'm working for Square doing mobile security engineering. This blog will only be temporarily affected by the job switch; as I get settled I will return to more than one post per month.
Links
Motorola Marketed The Moto E 2015 On Promise Of Updates, Is Now Apparently Ending Them After 219 Days
ANDROID PAY: PROXY NO MORE Super interesting post on the insides of Android Pay and Google Wallet
iOS 9 code vulnerability lets hackers steal thousands of dollars worth of in-app purchases
XcodeGhost Source
AndFix is a library that offers hot-fixes for Android apps. Some parts look very very similar to PatchDroid. I have to look closer at this.
Announcing Android Vulnerability Test Suite
PoC code for 32 bit Android OS - ping pong root
Android 5.x Lockscreen Bypass (CVE-2015-3860)
Defeating SSL Pinning in Coin's Android Application
Assessing Android Applications Using Command-Line Fu (slides)
The Latest on Stagefright: CVE-2015-1538 Exploit is Now Available for Testing Purposes
SunShine - The #1 Bootloader Unlock tool For Your HTC or Motorola Smartphone! not new but not too many people know about this
DexHunter General Automatic Unpacking Tool for Android Dex Files
SafetyNet Helper wraps the Google Play Services SafetyNet.API and verifies Safety Net API response with the Android Device Verification API.
SafetyNet: Google's tamper detection interesting insights in the on-device parts of SafetyNet.
Zimperium zLabs is Raising the Volume: New Vulnerability Processing MP3/MP4 Media.
baksmali 2.1
The Nexus 5X And 6P Have Software-Accelerated Encryption, But The Nexus Team Says It's Better Than Hardware Encryption
Android Now Shows Your Device's "Android Security Patch Level" In Marshmallow
The road to efficient Android fuzzing
An IDA Pro based Dex Dumper plugin
Kernel Vulnerabilities in the Samsung S4
Mobile Security Challenge Organized by Alibaba
Ruminations on App CVEs
Spoofing and intercepting SIM commands through STK framework (Android 5.1 and below) (CVE-2015-3843)
DexHook is a small xposed module for hooking BaseDexClassLoader and capturing dynamically loaded jars/dex files without interfering with the normal run of the application.
Android M Begins Locking Down Floating Apps, Requires Users To Grant Special Permission To Draw On Other Apps
Hack Brief: Upgrade to iOS 9 to Avoid a Bluetooth iPhone Attack
Android Security Symposium - all slides online
Unbillable: Exploiting Android In App Purchases by Alfredo Ramirez at Derbycon 2015 I haven't watched this yet.
The problems with JNI obfuscation in the Android Operating System by Rick Ramgattie at Derbycon 2015 Haven't watched this yet.
Finally I have time to write a new blog post again. The last couple of weeks have been super busy for me. I had to finish a project, prepare a talk about it, and give a bunch of talks at various places in July and August.
Conferences
T2 Helsinki, Finland. LTE (in) Security by Ravishankar Borgaonkar & Altaf Shaik.
BalcCon Novi Sad, Vojvodina, Serbia. Private communications with mobile phones in the post-Snowden world, the _open_source_ way by Bojan Smiljanic.
APPSEC USA San Francisco, CA. QARK: Android App Exploit and SCA Tool by Tushar Dalvi and Tony Trummer. SecureMe - Droid' Android Security Application by Vishal Asthana and Abhineet Jayaraj. OWASP Reverse Engineering and Code Modification Prevention Project (Mobile) by Jonathan Carter. ShadowOS: Modifying the Android OS for Mobile Application Testing by Ray Kelly.
GrrCon Grand Rapids, MI. Phones and Privacy for Consumers by Matthew and David
Smartwatches
I recently bought an Apple Watch. The primary reason was fun. Also since I switched to Two-Factor Authentication (2FA) for all my private infrastructure and all my web accounts that support it I thought it would make life easier. I use Duo 2FA for my own stuff and they have a Watch app which is pretty convenient. Before that I owned the first Pebble watch. I liked that a lot even though I had a lot of issues with the Bluetooth connection between the Pebble and my Nexus 5. Sometimes it worked great and sometimes it just didn't work at all. I also got a LG G Watch R (W110) (Android Wear) but I didn't really use it. It was much too big for my wrist. Also the round display was kinda strange. Some of the apps seem to not be designed for it and cut off parts of the information that should be displayed. I also found the interface to be confusing, but this might be due to my very very short trial run of the watch. Between the Pebble and the LG Watch I also had a Toq but the Toq had many issues besides its size so I never really used it. I tried to wear it like once.
Anyway the only reason I write about smartwatches is because I really like the Duo 2FA watch app. This makes 2FA much much easier and user friendly. I know I'm not the first to write about smartwatches or wearables in the security context but the user friendliness could really make a difference. Also a watch is harder to lose than a token (if you still use one of those).
Stagefright
I guess I don't have to say much about the Stagefright series of Android security vulnerabilities. The vulnerabilities are present in Android's media format handling library (named stagefright). Several factors make these bugs interesting. First, every Android version after 2.2 was vulnerable (at the time of discovery); that was around 95% of all devices. Second, the bug can be remotely triggered via MMS. Yes MMS once again provides the ultimate attack vector against smartphones. Who would have known? ;-)
The bug was patched relatively fast by Google since Joshua provided patches. Google started shipping OTA updates for their Nexus devices relatively fast. Still most Android devices will not get patched or will receive their patches super late (and thus users will not be protected in a timely fashion). The reason for this is mostly the mobile ecosystem which is largely not suited for fast patch deployment. I provided some comments about this issue on NPR in late July.
While patches/updates were rolled out Jordan from Exodus found that the patches are not complete and contain more vulnerabilities in the exact code that was fixed in the update. His blog post describing the issue is here.
The only way to protect yourself is to update your device to a firmware version that does not contain the vulnerability. If you are one of the many people who own phones that did not yet receive an update your only chance is to disable MMS auto-download. This will not kill the bug since you can still be attacked using other vectors (e.g. download and play a .mp4 file) but disabling MMS auto-download will at least remove the automatic remote exploitation problem. A step by step way to disable MMS auto-download for various MMS clients is provided by Lookout here.
Stagefright links:
Demo video is: here.
Joshua's Black Hat slides are: here
Android detector app is: here
There is even a wikipedia page for Stagefright_(bug)
Links
StageFright, Telegram Stage-Left & WhatsApp Stage-Right
disarm - Quick & (very) dirty command line instruction lookup for ARM64
JEB plugin to decrypt DexGuard-encrypted strings.
Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)
Fuzzing utility which enables sending arbitrary SCMs to TrustZone
Full TrustZone exploit for MSM8974
Android Security Toolkit
First public Android Security Bulletin
Locker: an Android ransomware full of surprises
Remote Exploitation of an Unaltered Passenger Vehicle (white paper) I link this because the cars were sitting on cellular networks with OPEN ports that allowed to issue D-Bus commands to activate the wipers or change volume on the radio. CRAZINESS
Exploring Qualcomm's TrustZone implementation
HTC "zerodays" from our Defcon workshop
Qualcomm LPE vuln from our #defcon workshop
Black Hat slides are online now
New acquisition method based on firmware update protocols for Android smartphones
Boxify: Full-fledged App Sandboxing for Stock Android
Android Market Downloaders
ONE CLASS TO RULE THEM ALL 0-DAY DESERIALIZATION VULNERABILITIES IN ANDROID (paper)
Universal Android rooting (slides Black Hat USA 2015)
Faux Disk Encryption - Realities of Secure Storage on Mobile Devices slides (Black Hat 2015)
Koodous collaborative platform for Android malware analysts
Windows Phone PIN cracking
Hardening Android's Bionic libc
How to use old GSM protocols/encodings to know if a user is Online on the GSM Network AKA PingSMS 2.0
imgtool quick tool to unpack Android images
Android M: A Security Research Perspective (Part 1)
SnooperStopper: Automatically prompts you to change FDE password if lockscreen PIN/password is changed (needs root) Android App
HackingTeam's Android Exploit < nice review by Tencent Sec Response Center.
PGP on Android using GPG applet on Yubikey, via NFC. Useful to PGP while mobile without storing priv key on dev.
Android Vulnerability that Can Lead to Exposure of Device Memory Content
dexposed enables 'god' mode for a single Android application (fork of Xposed)
Xposed for lollipop (5.0) now allows hooking native methods, also arm64 and x86
A Program Analysis Toolkit for Android
Could it be true that Android 5.1.1_r5 enables both dm-verity *and* HW accelerated FDE? Great success if so.
Password storage in Android M
lecture: Advanced interconnect attacks Chasing GRX and SS7 vulns