Collin R. Mulliner

IT TAKES JUST $1,000 TO TRACK SOMEONE'S LOCATION WITH MOBILE ADS

Black Hat Europe 2017

Quick conference review: both 44con and ekoparty were great. Ekoparty was especially awesome since I got to check the last continent off my list. Also the size of ekoparty was way beyond what I was expecting. They managed to have a really good conference that is professionally run while stilling maintaining the vibe of a hacker / underground con <3

Two weeks ago there was a post on Medium about two companies that provide a mobile identification service. That service basically can be used to convert your phone's IP address into real information about the owner of the phone (the contract owner). This is done via APIs that are provided by multiple Mobile Network Operators (such as AT&T). The medium article linked to demo pages of those two service providers (payfone and danal inc) that show not only your phone number but also your operator's name, your name and address.

I played with the two demo sites for a bit (while they were still online - offline now). I'm on Google Fi with a number proted from T-Mobile (pre-paid). Payfone only had my phonenumber and old carrier (T-Mobile) while Danal inc showed no data at all. I never provided any data to T-Mobile since it is not required for a pre-paid card. Google has all the data but likely does not share it with 3rd parties.

Overall this is a service that I really don't want to exist. I don't want an abritary company to be able to identify me while visiting their website from my mobile phone. I hope those companies don't just sell their services to anybody. Read the Medium article again: AT&T consumer choice opt-out doesn't affect this!

iOS 11 the tragedy continues: 11.0 had a bunch of flaws that were annyoing. Now 11.0.3 randomly frezzes my phone for minutes. Also I have some issues with voice call audio not working sometimes. Highly disaspointing!

Pictures of the month:

Saw a throne of phones in Göteborg. pic.twitter.com/wE6M5e2WPa
— Mikko Hypponen (@mikko) October 17, 2017

Today marks the third time one of my iPhones has vibrated itself out of alignment with its wireless charging pad over night. pic.twitter.com/HFchysZ7L9
— Matthew Panzarino (@panzer) October 10, 2017

Have you ever seen two Android Banking Trojans beating each other for victim's credit card information? #Malware cc @malwrhunterteam pic.twitter.com/EY6yQifVqp
— Lukas Stefanko (@LukasStefanko) June 27, 2017

pic.twitter.com/BBWLB8Zklu
— jellphonic (@jellphonic) September 25, 2017

Links

Oppo/Oneplus .ops Firmware decrypter

[WIP] Crappy iOS app analyzer

Magisk v14.3

Down the Rabbit Hole with a BLU Phone Infection

eSIM for Consumer Devices

Android Crypto-Ransomware that misuses accessibility services + encrypts data + changes PIN.

iOS jailbreak detection toolkit now available from TraiOfBits

Administering Chromebooks For teams traveling to complex and hostile environments

HackingTeam back for your Androids, now extra insecure!

iOS 11 security updates

Researchers: Uber's iOS App Had Secret Permissions That Allowed It to Copy Your Phone Screen

How To Obtain Real-Time Data from iCloud and Forget About 2FA with Just an Old iTunes Backup. No Passwords Needed

Meet Danny, the Guy Authorities Say Is Selling Encrypted Phones to Organized Crime

Android Reverse Engineering tools Not the Usual Suspects

Understanding new APK Signature Scheme V2?

Google Play Security Reward Program

SAMSUNG TEEgris

source for suhide

Dieser Mann weiss, wie man in Smartphones einbricht

NEW Rainbow Table added: GSM A5/1 table, 1.52 Terabytes in size. Torrent now available

Alarming number of DNS requests made by iOS devices

Bluetooth Hacking Tools Comparison

Unpatched Bugs Rampant on Mobile Devices in Financial Services Firms

Legitimacy: a Memory Research Platform for iOS

Samsung Android Security Bulletin Oct 2017

SELinux in Android Oreo or: How I Learned to Stop Worrying and Love Attributes

Android Security Bulletin - October 2017

Frida All The Things

Magisk Module to Allow Location Mocking, Screenshots in Any App, and Disabling System Signature Verification

notes on Hacking BLE - list of resources

Blue Pill for Your Phone

Bill Gates just switched to an Android phone

NFC - Contactless Cards: Brute Forcing Processing Options

Over The Air - Vol. 2, Pt. 1: Exploiting The Wi-Fi Stack on Apple Devices

XNU kernel 4570.1.46 sources

Linux Kernel Self Protection Project

CLKSCREW: Exposing the perils of security-oblivious energy management

(pdf)

In a first, Android apps abuse serious 'Dirty Cow' bug to backdoor phones

Label enums for Android JNI to aid in reversing

IDA jni helper

Google Play apps with as many as 2.6m downloads added devices to botnet

Samsung is gonna let you run any Linux distro on a Galaxy

Shim to grab keystore backed data

Android Security Reference (largely private notes of @doriancussen)

Google Play Billing Library 1.0 released

The Stony Path of Android Bug Bounty - Bypassing Certificate Pinning

Hardening the Kernel in Android Oreo

Biometrics and Smartphones

Mon, 25 Sep 2017 15:15:00 GMT

since I always rant about how I don't like biometrics in smartphones some people have asked me to formulate what I actually would like to see to happen in this area.

My dislike for biometrics is that you cannot change your password anymore because your password is your finger, eye (iris), or face. That means you basically show you password to everybody. A good example of this is here: Politician's fingerprint 'cloned from photos' by hacker.

The second part of the problem is that many biometric systems can be easily bypassed, some face recognition systems even with a picture shown on a smartphone screen.

My main issue is that biometric systems can be bypassed by forcing the owner of the device to unlock it. This can be done without leaving evidence, a funny example of this issue: 7-Year-Old Boy Uses Sleeping Dad's Finger To Unlock iPhone. Also see this interesting case: Court rules against man who was forced to fingerprint-unlock his phone.

The main argument I always hear is that people who wouldn't set a password (or use just a simple PIN) are using biometrics and therefore are more secure now with the help of biometrics. The kid from the previous story wasn't stopped by biometrics it was just as good as not having a password.

What would have stopped the kid from unlocking his dad's phone? A simple timeout! Basically what I want to see is a timeout for your biometrics. Once you entered your password you can unlock your phone using biometrics, after a specific amount of time you have to re-enter your password and cannot unlock the device using biometrics. With a timeout of say 30 minutes to one hour you can prevent simple attacks while still being able to use the convenience of biometrics. Apple recently introduced the SOS mode that will also disable biometric authentication until you enter your password. I wish this was taken one step further and let you set a timeout.

I personally see biometrics on a smartphone as a pure convenience feature and treat it as a weak security feature. I only use it for ApplePay.

I think it is pretty bad to get people used to biometric authentication, Apple may get it right but other companies wont. Normal users can't determine this easily. Also how much did the additional hardware components cost to implement fingerprint authentication or face recognition. FaceID doesn't use a normal camera so there are definitely additional costs that you as the user have to pay for this convenience feature.

Face recognition in consumer products also gets people to accept this as an normal everyday thing and thus helps the argument for face recognition being used in surveillance.

/rant

References:

Chaos Computer Clubs breaks iris recognition system of the Samsung Galaxy S8

Chaos Computer Club breaks Apple TouchID

Mobile Security News Update September 2017

Tue, 19 Sep 2017 15:36:00 GMT

Conferences

ekoparty

Virus Bulletin

Some comments on BlueBorne: I've been involved with Bluetooth security since like forever (not active in the last 10+ years). The early Bluetooth vulnerabilities were mostly logic bugs and issues such as missing authentication. Bluetooth devices could not be set to hidden and would always show up when scanning for devices. Stuff like that. BlueBorne is different as it is a remote exploitable memory corruption vulnerability in Linux, Android, and Windows. This is quite a novelty since we haven't seen a bug that is more ore less the same on two platforms. Even more interesting is that this bug is pre-authentication and gives you kernel privileges (code exec in the kernel).

In theory this set of vulnerabilities can be bad, bad. In practice the issue is much less of an issue. Exploit mitigations and built variances help mitigating the risk. Devices are not always visible therefore the attacker cannot easily find your device and attack it.

Also see: Hackers Could Silently Hack Your Cellphone And Computers Over Bluetooth.

FaceID: I think it is a really horrible idea! Do not put biometric systems in to consumer products ever! I will not buy products with mandatory biometrics so far iOS allows me to turn it off and use a passphrase - thats why I even consider buying iOS devices. I hate this change -- biometrics are bad.

Pics:

Huh, here I was looking to get a phone similar to Walmarts in-store model... And eBay just has their actual in-store model... Perfect! pic.twitter.com/sq4pUtCBe3
— Tim Strazzere (@timstrazz) September 17, 2017

https://t.co/zqdwIa27IR

"Certified devices are also required to ship without pre-installed malware"

A good requirement IMHO. 😛
— sp (@LambdaCube) August 28, 2017

I agree ^^^

Badass! @cmwdotme just demoed his new company's ARM hypervisor -- capable of running iOS instances on virtual iPhone6 hardware #TenSec pic.twitter.com/vb9ld8cjIE
— Ralf (RPW) (@esizkur) August 31, 2017

Android Oreo feature spotlight: Changes to Verified Boot won't allow you to start a downgraded OS https://t.co/9RZqASUyeb pic.twitter.com/Zz6OD4xliv
— Android Police (@AndroidPolice) September 5, 2017

Links

SELinux in Android Oreo or: How I Learned to Stop Worrying and Love Attributes

Kernel Driver mmap Handler Exploitation

BabelView: Evaluating the Impact of Code Injection Attacks in Mobile Webviews

AndroidXRef now with Android O/8

Now the native-shim loader can create VM's for ART based Android devices

Good thread about the Android Key Store API

IDA AArch64 processor extender extension: Adding support for ARMv8.1 opcodes

INJECTING MISSING METHODS AT RUNTIME

Oppo/Oneplus .ops Firmware decrypter

Android Hardware-backed Keystore (docs)

Samsung to Launch Mobile Security Rewards Program, Welcoming Security Research Community

Android 8.0 includes the following security-related changes

WHAT'S NEW IN KNOX 2.9?

ANDROID O AND DEX 38: DALVIK OPCODES FOR DYNAMIC INVOCATION

The public release of shadow v2 jemalloc exploitation tool with support for Android (both ARM32 and ARM64)

Making it safer to get apps on Android O

Dig Deep into FlexiSpy for Android

Tool for leaking and bypassing Android malware detection system

iOS 8.4.1 32 bit jailbreak

Mobile Security News Update August 2017

Tue, 22 Aug 2017 13:37:00 GMT

Conferences

Quick Conference Review

It was good to see everybody in Vegas, even better meeting new people. Especially some folks I wanted to meet for a long time. I had a good time at WOOT, meeting old friends was especially good. Maybe it helped that it was in the CanSecWest hotel. I link a few relevant papers below.
Stefan Esser is running a kickstarter for an iOS Kernel Exploitation Training Course for Development of a freely available online iOS kernel exploitation training course based on iOS 9.3.5 on 32 bit devices. If you are into iOS security you should support Stefan's project!

Ralf is on point as usual:

Exhibit A) Our communities are tribalized: https://t.co/e1uATFviYT (JTAG on iPhone 4S BB + exploitation of baseband vulns from SIM, in 2014)
— Ralf (RPW) (@esizkur) August 19, 2017

Pictures of the month:

Burner kiddies at defcon be like: pic.twitter.com/3QyPTuJwFg
— the grugq (@thegrugq) July 22, 2017

Some Chinese USB adapters have a hidden SIM that will send a text message with GPS coordinates to track an unknowing victim… https://t.co/PK5bpkaBmv
— Dimitri Bouniol (@dimitribouniol) August 9, 2017

中国のUSB充電アダプター型盗聴器が先進的すぎる。
充電器の上のふたを開けると、なんとSIMスロットがある。
SIMカードを挿入した状態で、このSIMカードの電話番号宛にSMSを送ると、コールバックし、これに出ると盗聴できる仕様。
もちろんGPS機能付きである。 pic.twitter.com/aMEF8sBdiL
— 若ちゃん (@wk_tyn) August 8, 2017

😂 accident happens #htc #privacy #security #Android pic.twitter.com/AJRAJRO1xK
— nixCraft (@nixcraft) July 19, 2017

Links

BootStomp: On the Security of Bootloaders in Mobile Devices

Fixes in iOS 10.3.3

Reviewing the Security of ASoC Drivers in Android Kernel

Hacking Cell Phone Embedded Systems

Intercept, modify, repeat and attack Android's Binder transactions using Burp Suite

Seccomp filter in Android O

This source code was obtained by reversing a sample of SLocker. It's not the original source code

Trust Issues: Exploiting TrustZone TEEs

Universal Android SSL Pinning bypass with Frida

USING AN RTL-SDR AS A SIMPLE IMSI CATCHER

BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS

Surveillance: German police ready to hack WhatsApp messages

Google May Have Just Uncovered An Israeli Surveillance Start-Up Spying On Androids

Gas Pump Skimmer Sends Card Data Via Text

Defeating Samsung KNOX with zero privilege

Path of Least Resistance: Cellular Baseband to Application Processor Escalation on Mediatek Devices

Port(al) to the iOS Core

New Adventures in Spying 3G & 4G Users: Locate, Track, Monitor

Ghost Telephonist Link Hijack Exploitations in 4G

OnePlus 2 Lack of SBL1 Validation Broken Secure Boot

iOS 10.3.2 XPC Userland Jailbreak Exploit Tutorial - CVE-2017-7047 by Ian Beer

Samsung: Trustonic t-base TEE does not perform revocation of trustlets

A (hopefully) generic unpacker for packed Android apps

The original elevat0r jailbreak exploit explained

Tinker is a hot-fix solution library for Android, it supports dex, library and resources update without reinstall apk.

Shattered Trust: When Replacement Smartphone Components Attack

Patch iOS Apps, The Easy Way, Without Jailbreak

Android Banking Trojan misuses accessibility services

Get details and download apps from https://play.google.com by emulating an Android (Nexus 5X) device by default.

vTZ: Virtualizing ARM TrustZone

objection - runtime mobile exploration

Xposed for Nougat & abforce Submodule Explained, and Why It's Worth Waiting for rovo89's Full Release

A Linux kernel IPC firewall and logger for Android and Binder

White-Stingray: Evaluating IMSI Catchers Detection Applications

BootStomp: a bootloader vulnerability finder

iOS 11 has a 'cop button' to temporarily disable Touch ID

Simple tool to dynamically discover hidden fastboot OEM commands based on static knowledge

Blue Pill for your Phone

Android Instant Apps: Best practices for managing download size

Decrypt the iOS SEP

How much does your phone know about you?

Identifying and Evading Android Protections

Breaking Mobile App Protection Mechanisms

Isolation of HALs in Android O

ANTIVIRUS FOR ANDROID HAS A LONG, LONG WAY TO GO

PoC CVE-2016-3935

PoC CVE-2016-6738

Fake Snapchat in Google Play Store

Next-generation Dex Compiler Now in Preview

Detecting Android Root Exploits by Learning from Root Providers

Downgrade Attack on TrustZone

Testing Biometric Authentication

shadow v2 public release

Android O security changes

Magisk Documentations

SonicSpy: Over a thousand spyware apps discovered, some in Google Play

SMS touch sends customer information and SMS messages over a cleartext network

ZIMPERIUM blog post that describes how the Zero Packet Inspection (ZPI) approach is trained

Using Hover to Compromise the Confidentiality of User Input on Android

Various Scripts for Mobile Pen-testing with Frida

circuit board (PCB) schematics for 30-pin iPod serial debugging

SS7 Attacker Heaven turns into Riot: How to make Nation-State and Intelligence Attackers' lives much harder on mobile networks

RE-Canary: Detecting Reverse Engineering with Canary Tokens

Sat, 05 Aug 2017 18:36:00 GMT

This blog post is to provide some more details about my idea that was mentioned on Risky Business #463 by Haroon Meer.

What are Canary Tokens (from Thinkst).

The idea: Embed Canary Tokens into binaries (or application data) to help identify reverse engineering of your software.

Every reverse engineer looks for unique information (often just strings) in the target binary to help understand it. The strings are thrown into Google (or other search engines) with the hope to get additional information. The returned information can be extremely helpful to determine what the software is, what other code is linked in, what versions, etc. Everybody who reverse engineers stuff does this! I personally don't reverse engineer for a living so I asked around to confirm that professionals actually do this (I already knew the answer anyway!).

The plan:

Embed unique looking strings into the binary
Stand-up web page that contains the string, log access to that page (alert on access)
Make Google crawl that page (various tools for that)
Ship software

This is pretty straight forward, right? But do you care about somebody who just ran strings on your binary? Likely not! So what's next?

Many applications protect their code and other assets that come with it through different kinds of methods (called obfuscation techniques for this article - even not all of it will be actual obfuscation). The next step for the RE-canaries is to generate canaries and embed them into each obfuscation layer. If someone accesses a more obfuscated canary you know that a certain level of effort was put into reversing your app. This part is really where the creativity of the RE-canary deployment comes into play. This will be highly depended on the specific software, on the protection mechanisms used, the language and framework that app is written in and so on. Mobile apps (I'm a mobile app guy, yeah!) contain API endpoints and URLs and maybe some hardcoded credentials (tokens of course). The URLs have the advantage that you wouldn't need to put up a website. You just make them accessible and add logging and alerting.

The final part of this is automation. You want to automate canary creation and embedding into your built process, so that you can generate unique canaries with each built or major release or whatever fits your software.

In the end it will likely happen that advanced REs are going to use an anonymization service such as TOR when searching for strings or trying out URLs (specifically for URLs!). In this case at least you will know that someone is looking at your stuff and passed a certain skill/time/effort threshold, which I guess in most cases is enough information.

That's it! This idea was inspired heavily by Haroon Meer's Canarytokens a great free service that I use once in awhile!

Comments and feedback is welcome via the usual channels.

Mobile Security News Update July 2017

Thu, 13 Jul 2017 13:19:00 GMT

Conferences

USENIX Workshop on Offensive Technologies (WOOT)

Black Hat and Defcon have a really good number of mobile related talks this year.

It was a busy month and July will be even busier. I'll be at GSMA DSG, Black Hat and Defcon July and Usenix WOOT in mid August

OEM just told Google a bug I submitted isn't a bug. It is a FULL permement secureboot bypass.
— Jon Sawyer (@jcase) July 6, 2017

Picture of month:

Liang Chen is demostrating iOS 11.0 beta 2 jailbreak on iPhone 7. pic.twitter.com/wA7U9AQ32E
— vangelis (@vangelis_at_POC) June 23, 2017

There is a lot happening in the Android boot loader world at the moment. I guess this is what happens when the devices get more and more locked down - people go after the root of trust.

Links:

Emulation and Exploration of BCM WiFi Frame Parsing using LuaQEMU

New attack can now decrypt satellite phone calls in "real time"

Library injection for debuggable Android apps

Attack TrustZone with Rowhammer

All slides from MOSEC 2017

Researchers Build Firewall to Deflect SS7 Attacks

Android Security Bulletin - July 2017

mobile CTF by HackerOne

Secure Mobile Application Development

ANDROID O AND DEX 38: DALVIK OPCODES FOR DYNAMIC INVOCATION

IMSecure - Attacking VoLTE (and other Stuff)

Telecom Signaling Exploitation Framework - SS7, GTP, Diameter & SIP

Thieves caught hours after stealing GPS tracking devices from tech company

How the Osmocom GSM stack is funded

OWASP list of the most important security tools for Android and iOS

For $500, this site promises the power to track a phone and intercept its texts

A recopilatory of useful android tools

Privacy Threats through Ultrasonic Side Channels on Mobile Devices

Subscribers remote geolocation and tracking using 4G VoLTE enabled Android phone

Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations

Dvmap: the first Android malware with code injection

JNI method enumeration in ELF files

root shell on Moto G4 & G5 with a Secure Boot and Device Locking Bypass

Breaking Samsung Galaxy Secure Boot through Downloaded mode

A very minimalist smali emulator that could be used to "decrypt" obfuscated strings

anti vm on android

Back That App Up: Gaining Root on the Lenovo Vibe

PoCs for Android July bulletin: CVE-2017-8260 CVE-2017-0705 CVE-2017-8259

Secure initialization of TEEs: when secure boot falls short

Reverse Engineering Samsung S6 SBOOT - Part II

No permission required for SMS verification in Android O

Mobile Security News Update June 2017

Tue, 06 Jun 2017 15:46:00 GMT

Conferences

This took a long time again. It gets harder and harder do to this since this stuff is not directly what I do on a day to day basis currently.

The Qualcomm Mobile Security summit was excellent again! Fantastic talks and again I met a bunch of people I mostly knew from email and/or twitter or haven't seen in quite some time. This conference still is unparalleled!

I had a minute to play with the BlackBerry KeyOne and it feels like a super solid device. The screen is bigger then I thought it would be and this makes the device almost too big for my taste - but this is hard to say from playing with it for just a minute.

So iOS will finally support NDEF tags.

Detect NFC tags on iOS 11.0! pic.twitter.com/70szXo1yny
— Aaron (@iosaaron) June 5, 2017

This talk is really interesting for anybody interested in mobile application security. This is not about mobile app reverse engineering but about app, backend, phone infrastructure interaction.

Previously top secret #TR16 talk on pwning Uber & Lyft (w/ live demos!) by @vlad_penetrator & @gramx is finally out! https://t.co/cqtAC69p7w
— Kelly Shortridge (@swagitda_) May 31, 2017

Pictures of the month:

Some old PalmOS devices on street in my hood <3 pic.twitter.com/gkePP0Uzd8
— Collin Mulliner (@collinrm) May 28, 2017

A Symbian phone appears #QPSISummit2017 pic.twitter.com/MFHiAEKl4T
— Collin Mulliner (@collinrm) May 18, 2017

So basically set your smartphone's name to %x%x%x%x and test for format string vulns in connected devices . here's a 2011 BMW 330i #Hackers pic.twitter.com/vhLKRnKYud
— Eهاb Huسein (@__Obzy__) May 17, 2017

Links

Papers and Slides from MOBILE SECURITY TECHNOLOGIES (MOST) 2017

Android Security Bulletin - June 2017

LazyDroid - bash script to facilitate some aspects of an Android application assessment

factory and OTA images for Nexus devices

Android: Multiple Android devices do not revoke QSEE trustlets

Brazilian phishers are now asking for victim's IMEI in their fake bank pages, aiming to steal their accounts via mobile access

50+ iOS 11 Features Apple Didn't Announce On Stage [List]

Android Mazar 3.0 targets 41 banking apps

Google Publishes List of 42 Phones Running Latest Android Security Updates

City-Wide IMSI-Catcher Detection

Up to $200,000 for Android exploits!

Mobile subscriber WiFi privacy (WiFi IMSI catcher!!)

Collection of the most common vulnerabilities found in iOS applications

Android O feature spotlight: Android tells you if an app is displaying a screen overlay

Priorities for Securing the Mobile Ecosystem

Cloak & Dagger

Cloak & Dagger talk

Honey, I Shrunk the Attack Surface Adventures in Android Security Hardening

With great speed comes great leakage - How processor performance is tied to side-channel leakage

Pwning the Nexus of Every Pixel

initroot: Bypassing Nexus 6 Secure Boot through Kernel Command-line Injection

Android Encryption Demystified

iPhone 7 and 7 Plus get a stable jailbreak on iOS 10.1.1 with extra_recipe+yaluX

The Shadow over Android

Apparently Google Play Store can now manage your app signing keys, and 'opt-in is permanent

Hacking iOS Applications a detailed testing guide

Android malware that infected 3500 devices/day

iOS/macOS bugs slaughter list by P0's Ian Beer

Hacking the Samsung Galaxy S8 Irisscanner

Learning about Bluetooth protocols and reverse-engineering them.

A Simple Tool for Linux Kernel Audits

Google VS Root: Why SafetyNet is now standard for developers

Google Play can now restrict app distribution based on SafetyNet Attestation results, SoC vendor etc

US Senate Adopts Signal, HTTPS A Year After Trying To Kill Encryption

Alarming Security Defects in SS7, the Global Cellular Network - and How to Fix Them

iOS Kernel utilities

Dutch Cops Bust Another PGP BlackBerry Company for Alleged Money Laundering

Multiple MediaTek vulnerabilities

Google Working on Fix for Android Permission Weakness

More Android phones than ever are covertly listening for inaudible sounds in ads

The Jiu-Jitsu of Detecting Frida

Thieves drain 2fa-protected bank accounts by abusing SS7 routing protocol

Over 100 CF-Auto-Roots were updated by ChainfireXDA

Android Security Bulletin - May 2017

de-obfuscate Android Ztorg obfuscated strings

Android Applications Reversing 101

A diagram of the Android Activity / Fragment lifecycle

Example of a powerful overlay attack executed by Android banker

Identifying an Android Device - Available Identifiers

Diving Deeper into Android O

How To Put Any Android Smartphone Into Monitor Mode Using Custom Script Without bcmon

Android app analysis and feature extraction library

Introduction to Fridump

Here's How To Track The Smartphone Apps That Are Tracking You

AssetHook: A Redirector for Android Asset Files Using Old Dogs and Modern Tricks

Android Package Inspector - dynamic analysis with api hooks, start unexported activities and more. (Xposed Module)

The Mobile App Pentest cheat sheet was created to provide concise collection of high value information on specific mobile application penetration testing topics.

TruSpy: Cache Side-Channel Information Leakage from the Secure World on ARM Devices

Dirty COW and why lying is bad even if you are the Linux kernel

How to build and integrate OpenSSL into your Android NDK project

iOS DeviceCheck. Access per-device, per-developer data that your associated server can use in its business logic.

Changes to Trusted Certificate Authorities in Android Nougat

iOS WebView Dialer Fixed

Wed, 10 May 2017 13:28:00 GMT

In November 2016 I wrote a post about the iOS WebView Auto Dialer bug specifically in the iOS Twitter and the iOS LinkedIn apps. Last weekend I finally had the time to retest those apps to see if the bug was fixed. Retests in December and January showed the bug was still present (as far as I remember). Both apps are fixed now!

Playing around with this a bit more I discovered a new security warning on iOS. There now seems to be a detection for the case where a website automatically tries to open a TEL URL. The dialog doesn't always appear but when it does you first have to click allow before being presented with the actual Call/Cancel dialog. Neat!

The conclusion seems to be that the bug was fixed and that they added a new detection and warning dialog. Good!

Mobile Security News Update April 2017

Tue, 25 Apr 2017 16:57:00 GMT

Conferences

The Galaxy S8's facial scanner can, unsurprisingly, be tricked with a photo

MOSEC

Recordings for the first OsmoCon are available here. OsmoCon is, of course, a conference about the OsmoCom projects!

Android O news: will prompt for pin/passcode before enabling developer options, further Android O changes device identifiers and how to access them.

If you are interested in mobile backing Trojans you should follow Lukas Stefanko:

[Research] Lately discovered another Mobile Banking Trojan on #GooglePlay with up to 5,000 installs. #Malware https://t.co/rcgmGr2Kgo pic.twitter.com/wW4lNsoCAn
— Lukas Stefanko (@LukasStefanko) April 19, 2017

Somebody released the source code of FlexiSpy (mobile phone spyware) to the public. The release notes are here: readme.txt. The download is here: FlexiSpyOmni.zip, collection of all data is here: Source code and binaries of FlexiSpy from the Flexidie dump and a writeup of the dump is here: FlexSpy Application Analysis. I bet we will see more details in the coming weeks!

Does Blackberry give out review samples for the KEYone? I would really like one and give it a try (would post full review here of course!).

All Nokia phones ever made.

"With this code quality, I don't think that's a good move" -- @esizkur on Chinese baseband explo{rat,oit}ion #youkillityoueatit pic.twitter.com/nkhuR1KPs2
— Morgan Marquis-Boire (@headhntr) April 6, 2017

Yo Ralf where the slides at?

Links

ss7 assessment tool

ss7 map testing tool

Fried Apples

jtrace - augmented, Android aware strace

Mobile Telephony Threats in Asia

Sunshine update

Security updates in iOS 10.3.1

Pegasus for Android

3G/4G Intranet Scanning

Know your community - Stefan Esser

Protection Profile for Mobile Device Fundamentals

CVE-2017-2416 Remote code execution triggered by malformed GIF in ImageIO framework, affecting most iOS/macOS apps

Easy 4G/LTE IMSI Catchers for Non-Programmers

More Android Anti-Debugging Fun

Analysis of the Facebook.app for iOS [v. 87.0]

Over The Air: Exploiting Broadcom's Wi-Fi Stack (Part 1)

Over The Air: Exploiting Broadcom's Wi-Fi Stack (Part 2)

Slides for the Android Security Symposium 2017

FemotoCell Hacking

iOS Kernel Integrity Protection bypass via Tick (FPU) Tock (IRQ)

DexGuard vs. ProGuard

Bose headphones secretly data-mine users if they have the app installed on their phone!

Cellular Provider Record Retention Periods

AndroidKernelExploitationPlayground

Attack TrustZone with Rowhammer

libmobiledevice 2.0

A surprise encounter with a telco APT

The Shadow over Android Heap exploitation assistance for Android's libc allocator

Vulnerability Exploitation and Mitigation in Android

Stetho: A debug bridge for Android applications

Why Banker Bob (still) Can't Get TLS Right: A Security Analysis of TLS in Leading UK Banking Apps

Calling JNI Functions with Java Object Arguments from the Command Line

Logic Bug Hunting in Chrome on Android

Redex and Android byteCode optimizer

AppMon is an automated framework for monitoring and tampering system API calls of native apps on macOS, iOS and Android

Android Security Bulletin - April 2017

Android Vendor Test Suite (VTS)

Mobile Security Research - 2017 Q1

Forensics Investigation of Android Phone using Andriller

Using Frida on Android without root

Introducing 'gnirehtet', a reverse tethering tool for Android

Man sues Confide: I wouldn't have spent $7/month if I'd known it was flawed

Who owns your runtime?

Mobile Security News Update March 2017 part2

Tue, 28 Mar 2017 15:21:00 GMT

Conferences

Qualcomm Mobile Security Summit 2017

AppSec EU

MOSEC

OffensiveCon is a new security conference in Berlin Germany focused on Offense. No details yet but they chose the right location for sure.

For everybody who didn't make it to the Android Security Symposium, they recorded the talks and the videos are available: here.

Google published a blog post and a detailed report on Android Security in 2016. The report covers everything from patching and update stats to high impact vulnerabilities. People posted a lot of summaries but you should really read it yourself if you work with Android.

Google pulls March security update for Nexus 6, after it breaks SafetyNet and Android Pay. This was pretty interesting, not the fact that they broke SafetyNet but that they broke it for their own devices (Nexus). This happened to some really small manufacturer before and if you have an idea of how SN works on the backend - it is clear what happened.

execute USSD codes in iOS 10.2.xx --bug-Impact: Tapping a tel link in a PDF document could trigger a call without prompting the user #lol
— Ravishankar Borgaonk (@raviborgaonkar) March 27, 2017

Android anti-debugging tricks can be patented? This is stupid in so many ways https://t.co/IjXfg45xoN
— Bernhard Mueller (@muellerberndt) March 25, 2017

Links

Anti Debugging fun Android Art

PageSwitch an exploit toolkit for the Nintendo switch

Ransomware scammers exploited Safari bug to extort porn-viewing iOS users

Increasing Android app security for free

Looking Back at Android Security in 2016 by DuoSecurity

OWASP Mobile - Anti Reversing Checks

Android/Ztorg teardown - It detects the Android SDK emulator, but also emulators from Genymotion, Bluestacks and BuilDroid. It also detects tainted environments. Several of its checks will be difficult to bypass

Owning OnePlus 3/3T with a Malicious Charger

The updated iOS Security Guide now covers iOS 10

iOS 10.3 fixes a large number of Kernel and WebKit bugs

Statistical Deobfuscation for Android

Hacking Android Apps with Frida (part 2)

Nexus 5X Owners Say Device Boot-Looping Kills Phones; Getting Runaround From LG

This American Surveillance Tool Helped Russians Spy On Androids And iPhones

Apple cracking down on developers who use SDKs like Rollout to update apps without App Store approval

Attacking Nexus 9 with Malicious Headphones

GSMA Coordinated Vulnerability Disclosure Program

gdrive-appdata: Tries to fetch the contents of the appdata hidden folder from Google Drive.

Harald Welte about TelcoSecDay 2017 @ Troopers

NDK changes for API level 26

O-MG, the Developer Preview of Android O is here!

Android API Differences Report

Frustrated by robo callers & an AT&T subscriber? Get the AT&T call protect app

Samsung commits to monthly security updates for unlocked US smartphones

Android phone market stats

20 bestselling mobile phones of all time

Android Kernel CVE PoCs

Mobile Malware Masquerades as POS Management App

Judge an Android malware scanner by rednaga.io (@timstrazz and @caleb_fenton)

The Art Of Bootloader Unlocking: Exploiting Samsung S-Boot

Having fun with Secure Messengers and Android Wear

Pwning the NExus of Every Pixel

Injecting Metasploit Payloads into Android Applications

Receive FREE SMS online

TrustZone An Attackers Perspective

Reverse Engineering Samsung S6 SBOOT - Part I

Letter to the FCC on SS7 Security by Ron Wyden

FCC: Legacy Systems Risk Reductions

Mobile Security News Update March 2017

Tue, 07 Mar 2017 19:59:00 GMT

Conferences

Black Hat ASIA

OsmoCon (Osmocom Conference) 2017 is the first technical conference for Osmocom users, operators and developers!

Zer0Con

HITB Amsterdam

Opcde

I took a way too long break again. So many things happen in the world of mobile security every week. I really wish I had more time for this. I also have a bunch of small things I need to put on this blog but I think they are too specific for the news and will likely get their own posts.

Some news from MWC (I didn't attend):

KEYone

You get an experience that's focused and clutter-free, and we'll make sure you keep getting regular updates, so you'll always stay on top of features and security.

The Android Devices Security Patch Status page is an awesome resource to determine if a specific device from a specific vendor has been patched and when the patch was released. From the page: This list is Prepared to Serve as a Quick reference to identify which Device is being actively maintained by the Vendor.. This is super useful, thanks!

Xiaomi launching own SoC for Android phones-upgradable baseband with fake base station detection capabilities. IMSI catchers r threat now ;) pic.twitter.com/S0hzDBIiQd
— Ravishankar Borgaonk (@raviborgaonkar) March 2, 2017

Apple 0day is expensive. https://t.co/F1UEUU0s3r
— Collin Mulliner (@collinrm) February 22, 2017

Ode to a dead 0-day - #Android #DirtyCOW explicated in iambic meter (from an #Andevcon 5-min flash talk back in Dec 16 :-) pic.twitter.com/IQ1RKmuW4f
— Jonathan Levin (@Morpheus______) March 5, 2017

MOSEC mobile security conference in June in Shanghai. This seems to be the 3rd year of the conference. There is no schedule yet.

The story of the day Vault 7: CIA Hacking Tools Revealed. Vault 7: CIA Hacking Tools Revealed : iOS Exploit list. Yes, the CIA uses n-day exploits! The Android exploits.

They talk about Android, Defcon, and backdooring your repo? ;-)

CIA Memes Pt 2 #Vault7 pic.twitter.com/5RH4EvNMXO
— Brendan Dolan-Gavitt (@moyix) March 7, 2017

Pic of the month:

Links

ENISA: Smartphone Secure Development Guidelines

Android Security Bulletin - March 2017

Android Security Bulletin - February 2017

Vault 7: CIA Hacking Tools Revealed

Multi-BTS with Osmocom and a single UmTRX

Obfuscation-Resilient Privacy Leak Detection for Mobile Apps Through Differential Analysis

Booting into fastboot mode

TROOPERS17 GSM Network - How about your own SMPP Service?

MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models

Exploiting Android S-Boot: Getting Arbitrary Code Exec in the Samsung Bootloader (1/2)

Android ransomware requires victim to speak unlock code

Hacking Android phone. How deep the rabbit hole goes.

Sunny with a chance of stolen credentials: Malicious weather app found on Google Play

iOS keychain items used to persist after app uninstall. As of iOS 10.3 beta 2, deleting app deletes keychain items

SunShine 3.4.27 is out - Bringing unlock support for Droid Turbo on 6.0.x

Cellular re-broadcast over satellite

Identifying Rebroadcast (GSM)

ios-triage - Node.js cli for iOS incident response. Program will extract, process and report (including diffs) on iOS device and app telemetry.

Remote control: Companies blur lines over who owns devices

Shodan.io iOS App

Analysis of iOS.GuiInject Adware Library

Patching and Re-Signing iOS Apps

Lifting the (Hyper) Visor: Bypassing Samsung's Real-Time Kernel Protection

Android ransomware repurposes old dropper techniques

Deobfuscating libMobileGestalt keys

Samsung: Stack buffer overflow in OTP TrustZone trustlet

How easy it would be to hack Trump's phone

iOS 10.2 Yalu Jailbreak Now Supports All 64-bit Devices except iPhone 7 and iPad Air 2

Android bootloader (aboot) parser

Tracking Android Security Update across Devices

SAMSUNG KNOX 1.0 ECRYPTFS KEY GENERATOR WEAK ENCRYPTION

Deep Analysis of Android Rootnik Malware Using Advanced Anti-Debug and Anti-Hook, Part II: Analysis of The Scope of Java

Black market Blackphones get sent a kill message that bricks them

iOS/MacOS kernel memory corruption due to userspace pointer being used as a length

Update on the Fancy Bear Android malware (poprd30.apk)

An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps

Charger Malware Calls and Raises the Risk on Google Play

Secrets leak in Android apps

26 security issues in major Android password manager apps

Easy 4G/LTE IMSI Catchers for Non-Programmers

App-in-the-Middle Attack Bypasses Android for Work Secure Framework

Android FRIDA: Add support for enumerateLoadedClasses() on ART

Android: Inter-process munmap in android.util.MemoryIntArray

Owning a Locked OnePlus 3/3T: Bootloader Vulnerabilities

Binary based obfuscation in a way of CTF kids. We obfuscate your apps, support both iOS/Android.

Android (Huawei) privilege escalation in EMUI keyguard app via loading shellcode in theme pack

The Story of Firefox OS

ENISA Smartphone Development Guidelines

Sun, 19 Feb 2017 16:39:00 GMT

The European Union Agency for Network and Information Security (ENISA) asked Ioannis Stais, Vincenzo Iozzo, and myself to update their guidelines for secure smartphone app development. The result is not much of an update but an entire rewrite of the guidelines. It was a fun project to do and I think all parties involved in the project are proud of the final result.

The Smartphone Development Guidelines website provides a brief overview of the effort. The actual document can be downloaded here Smartphone_development_Guidelines.pdf

I would like to thank everybody again who helped on the project the project coordinators at ENISA and everybody who reviewed the document and provided feedback!

Mobile Security News Update January 2017

Tue, 24 Jan 2017 19:17:00 GMT

Conferences

Recon Brussels

31CON

Android Security Symposium 2017

TelcoSecDay @ Troopers

CFPs

Dissecting modern (3G/4G) cellular modems

You Shot The Sheriff

I'm not a fan or a user of WhatsApp but this backdoor story is just bad and will drive users away from a secure messaging app (maybe even the biggest install based of all of them). Zeynep Tufekci wrote an open letter to the Guardian to have them update the story. Moxie also wrote a blog post about these claims. The Guardian should have asked people with the technical expertise for advice before publishing the story.

AT&T 2G network shutdown happened on Dec 31 2016

AndroidXRef is looking for sponsors!

The mobile talks from 33c3 are all totally worth watching (no particular order):

Intercoms Hacking

Downgrading iOS: From past to present

Pegasus Internals

Geolocation methods in mobile networks

Shut Up and Take My Money! The Red Pill of N26 Security

Code BROWN in the Air. A systemic update of sensitive information that you sniff from pagers

Pics of the month:

So, um… I guess the person who wrote @Medium's overly-florid app store release notes was part of the layoffs pic.twitter.com/YEbcuC5FVn
— Rod Begbie (@RodBegbie) January 14, 2017

@PatrickMcCanna again pic.twitter.com/UG4Fh1fYHM
— Jon Sawyer (@jcase) January 24, 2017

Best question so far about my 1992 Nokia 101: "How can it be older than the web, if it has a separate button for the #hashtag?" pic.twitter.com/Sa9drZwtPe
— Mikko Hypponen ଙ (@mikko) January 23, 2017

Links

Samsung Android Security Updates for January

Secure boot and image authentication in mobile tech

Practical Android Debugging Via KGDB

We reverse engineered 16k apps, here's what we found

Very detailed description of hacking the Kyocera KC-S701(Russian)

LG G3 Arbitrary File Retrieval from Cloud Services

Trojanized Photo App on Google Play Signs Up Users for Premium Services

OnePlus 3/3T Bootloader Vulnerability Allows Changing of SELinux to Permissive Mode in Fastboot

Qualcomm releases whitepaper detailing pointer authentication on ARMv8.3

IoT mode fuzzing with OpenBTS

buy a BlackPhone for 120 Euros

Security conferences in 2017

Summary of Critical and Exploitable iOS Vulnerabilities in 2016

Switcher: Android joins the attack-the-router club

Cyanogen's Services Will Be Shutting Down

V3SPA: An Open Source Tool for Visually Analyzing and Diffing SELinux/SE for Android Security Policies

Project Zero exploit for iOS 10.1.1

OWASP Mobile Security Testing Guide

Android Banking Trojan Source Code Leaked Online, Leads to New Variation Right Away

A theme pack got you pwned with system privilege on Huawei's EMUI

Google Rolls Out Instant Apps Feature For Android: Download And Run Apps Without Installing Them

Open source 3GPP LTE library

fastboot oem sha1sum

Automating iOS blackbox security scanning

Meitu Android App TearDown

Hooking Android System Calls for Pleasure and Benefit

iOS9 iCloud backup retrieval proof of concept

Pixel bootlaoder exploit for reading flash storage

Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes

Wap Push bugs in Samsung Android phones

Virulent Android malware returns, gets >2 million downloads on Google Play

HIJACKING WHATSAPP ACCOUNTS USING WHATSAPP WEB

Security Analysis of the Telegram IM

Android Security Bulletin - January 2017

Classification of Smartphone Users Using Internet Traffic

LG posts January security bulletin ahead of Google with Android and LG-specific patches

Analysis of multiple vulnerabilities in AirDroid

Android banking Trojan asks victims to send selfies with ID cards

A Whale of a Tale: HummingBad Returns

iOS Dropbear SSH

Mobile Security News Update December 2016

Tue, 13 Dec 2016 03:48:00 GMT

Conferences

33c3

Shmoocon

Black Hat ASIA

I had to skip the November update due to a long overdue vacation. Playing with iOS webviews also did cost some time. Writing this blog becomes more and more time consuming since for some parts I would rather spent time on research than writing about other peoples research. Will see next year if I continue doing this or not. I'm doing this since January 2009 so it has been a few years.

New Conference:

Opcde

Samsung confirms it will render the US Note 7 useless with next update since the owners don't seem to care to return the phones to Samsung even tho they would get a replacement device. This is kind of hilarious.

The scariest costume of all this Halloween is the Galaxy Note 7 recall https://t.co/g29SfWG9bO pic.twitter.com/Zc9Fe6s42X
— The Verge (@verge) October 19, 2016

Browser based iOS 9.3.x jailbreak (64bit only) it has been a while.

Chinese company installed secret backdoor on hundreds of thousands of phones

Here is the BLU R1 blind system command execution via Adups from July of this year - anyone think they care? pic.twitter.com/veUMGD8zSy
— Tim Strazzere (@timstrazz) November 22, 2016

Recently the topic of SMS 2FA came up again. While I agree that SMS is not the most secure version of 2FA it is far far better then not providing any 2FA mechanism for your service.

Seems like the right ordering, but when deployment is 98% < 2% < .5% < .01% complaining about SMS security is pretty silly. https://t.co/5ex3naa5a5
— Alex Stamos (@alexstamos) December 1, 2016

Links

Oxygen 9.0.3 allows to brute force a passcode for any Windows Phone 8 device from its physical dump!

Android system_server Code Loading Bypass

"Root" via dirtyc0w privilege escalation exploit (automation script) / Android (32 bit) Raw

Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems

JTAGing Mobile Phones

The limitations of Android N Encryption

The fight against Ghost Push continues

BitUnmap: Attacking Android Ashmem

Saving Data: Reducing the size of App Updates by 65%

More Than 1 Million Google Accounts Breached by Gooligan

Telstra is switching off their GSM network

Qualcomm has a Bug Bounty now

Nintendo has a Bug Bounty now

Secure Rom extraction on iPhone 6s

Android Security Bulletin - December 2016

HackingTeam back for your Androids, now extra insecure!

SunShine 3.4.18 has been released. Bring Support for Android 7.x.x and latest HTC 10 updates

A detailed security assessment on Android Full Disk Encryption

BitUnmap: Attacking Android Ashmem

Fuzzing Android OMX

Anonymous web-based SMS

Mobile Network Codes (MNC) for the international identification plan for public networks and subscriptions (According to Recommendation ITU-T E.212 (09/2016))

Call me maybe: Exploiting iOS WebViews to force automatic FaceTime calls

Android Banking Malware Masquerading as Email App Targets German Banks

Second Chinese Firm in a Week Found Hiding Backdoor in Firmware of Android Devices

Powerful backdoor/rootkit found preinstalled on 3 million Android phones

RAGENTEK ANDROID OTA UPDATE MECHANISM VULNERABLE TO MITM ATTACK

New Reliable Android Kernel Root Exploitation Techniques

Analysis of iOS.GuiInject Adware Library

Android Security Bulletin - November 2016

HelDroid: Dissect Android Apps Looking for Ransomware Functionalities

Rooting Every Android From Extension To Exploitation by Di Shen

Mobile Espionage in the Wild Pegasus and Nation-State Level Attacks

The Android Security Center

Technical Analysis of the Pegasus Exploits on iOS

Just a place to dump the cdma data I collected while at Defcon 2016

CRiOS: Toward Large-Scale iOS Application Analysis

Exploring LTE security and protocol exploits with open source software and low-cost software radio by Roger Jover

Your smartphone is a civil rights issue

Receive SMS Online

Drammer APK

Android wear MiTM

*droid: Assessment and Evaluation of Android Application Analysis Tools

Using Google Fi on an iPhone

iOS WebView auto dialer bug

Kiwicon X

Sat, 10 Dec 2016 23:35:00 GMT

I finally made it to Kiwicon this year (special thanks to vt for dragging us out!). I even managed to get a talk in (con bucket list--) making the trip even sweeter.

The conference was absolutely awesome. Well organized, friendly people (staff and attendees!), and a perfect venue. The conference had about 2500 attendees which seemed like a good fit for the venue. I liked the overall program, the intermissions and speaker introductions were absolutely fantastic. In my opinion Kiwicon is at the sweet spot on the issues of size and target audience. It is big enough to be attract different kinds of folks and it is small enough to find people and hangout. I also really love single track conferences!

Sadly it was announced that this was the last Kiwicon, I'm happy to have made it to the last one! Thanks!

Below a few photos and videos from Kiwicon, the official Kiwicon photos are here.

KiwiCon intro #kiwicon #latergram

A video posted by Collin (@collin_rm) on Dec 10, 2016 at 3:31pm PST

KiwiConX

A video posted by Collin (@collin_rm) on Nov 16, 2016 at 11:54am PST

At #KiwiConX with @collinrm pic.twitter.com/2ye9l7GMLw
— Martin Herfurt (@mherfurt) November 16, 2016

KiwiCon sheep

A photo posted by Collin (@collin_rm) on Nov 16, 2016 at 6:45pm PST

IR Fire detector #kiwicon

A video posted by Collin (@collin_rm) on Nov 17, 2016 at 3:22pm PST

KiwiCon beer

A photo posted by Collin (@collin_rm) on Nov 16, 2016 at 3:23pm PST

Subtle @kiwicon and I love you all for it pic.twitter.com/FBPZwQL4nU
— /wade (@vashta_nerdrada) November 22, 2016

Ohai KiwiCon pic.twitter.com/lZT7ldKw18
— Collin Mulliner (@collinrm) November 16, 2016

iOS WebView auto dialer bug

Tue, 08 Nov 2016 01:26:00 GMT

TL;DR: iOS WebViews can be used to automatically call an attacker controlled phone number. The attack can block the phone's UI for a short amount of time and therefore prevent the victim from canceling the call. The bug is an application bug that likely is due to bad OS/framework defaults. One major issue with this vulnerability is that it is really easy to exploit. App developers have to fix their code as soon as possible. The Twitter and LinkedIn iOS apps are vulnerable (other apps might be vulnerable too). Demo videos here: Twitter and LinkedIn (embedded videos are below on this page).

About a week ago (on a Friday) I read an news post [1,2] about a guy who got arrested for accidentally DoSing 911 by creating a web page that automatically dialed 911 when visited it from an iPhone. This was most likely due to a bug with the handling of TEL URI [4,5]. I immediately thought about a bug I reported to Apple in late October 2008 [3]. I couldn't believe this bug has resurfaced so I investigated. The article said something about posting links on Twitter.

If you think automatically dialing a phone number after clicking a link in an app is not a big issue think again. DoSing 911 is pretty terrible but there are other examples such as expensive 900 numbers where the attacker can actually make money. A stalker can make his victim dial his phone number so he gets his victim's number. Altogether things you don't want to happen. Anyway ... I went and looked at the iOS Twitter app. I got a very simple auto phone dialer working in a very short time. I was happy and also devastated that it was that easy. I first thought I reproduced the exact bug but later after re-reading the articles [1,2] more carefully I determined that it is likely a different bug or at least a different trigger. The article reported heavy use of JavaScript and pop-ups being shown and such. My original trigger was one line of HTML (a meta-refresh tag that points to a TEL URL) due to this I decided to report the bug to Twitter via their Bug Bounty program on HackerOne. I never reported to a bug bounty program before so I was happy to gain some experience (I normally report via security@), but it is 2016 and companies pay for bugs so here we go. Twitter acknowledged that it looks like a problem within a few days.

On Nov. 6th I updated the bug report to Twitter to add the UI blocking issue (continue reading) and uploaded a video. Today Twitter simply closes the bug as a duplicate without any comment. While this might be a simple duplicate they should have an interest in playing nice and being thankful to those who report bugs they find in their spare time. Because of this action I decided to post the full details of the issue today.
During the weekend I took some time to further investigate the issue. I determined that this might be a general issue with iOS apps the use WebViews to display content. I tested a few popular apps I had installed. Vulnerable apps need a way for users to post web links that will be opened in a WebView inside the app itself. Apps that open links in mobile Safari or Chrome would not be vulnerable (I tested this). One app I tested fairly early was the LinkedIn app since LinkedIn basically is social media for the business context. People can send messages and post updates. Updates usually are text and link. I posted a link and clicked it and yes it dialed my other phone (demo video below).

I wanted to submit the bug to LinkedIn and found that they have a bug bounty program. Unfortunately it was a private bounty and you would only be added if you previously submitted bugs. I tried to get around it but it didn't work. After some thinking I decided to not report it to LinkedIn privately but openly (parallel to this blog post). It is 2016 after all and if they don't want to add me to their program that is their choice. In general I will likely not report bugs outside of a bug bounty program if a private bug bounty program exists.

Another weekend comes I have some time and started playing with the bug again. Actually I started looking at my PoC from 2008 while trying to figure out if I report the bug to LinkedIn or not. After playing around for a bit I more or less get my old PoC working with the Twitter and LinkedIn apps. WOW!

Taking one step backwards. The original bug I reported to Twitter was triggering a phone call by visiting a website that redirect to a TEL URL. One could do this with various techniques such as: http-meta refresh, iframe, setting document.location, window.location, or an HTTP redirect (Location header). This would simply dial a number. The victim would see the dialer and the target number on the screen and of course could just cancel the call by pressing the big red button. Just causing the call is already bad since an unobservant person will be baffled (why is my phone dialing some number).

The beauty of my 2008 bug was that I could block the phone's UI for a few seconds and therefore prevent the user from canceling the call. I managed to abuse exactly the same trick to block the UI that I used in 2008. The trick is to cause the OS to open a second application while the phone is dialing the given number. Opening applications is pretty straight forward, you open a URL that causes the OS to spawn another application. This can be anything from the messages app (via the SMS: URL) or iTunes (via the itms-apps: URL). You can pretty much get any application to launch that has a URI binding. In 2008 I used a SMS URL with a really really long phone number to block the UI thread. My best guess on how this works is that the IPC subsystem actually has difficulties to move several kilobytes of URL data through the various layers into the app and the target app might also not be super happy about really large URLs. I ended-up with the code below. The code uses the combination of meta-refresh tag and window.location to execute the attack. The codes delays setting the window.location by 1.3 seconds to guarantee that the dialer is executed first. The delay cannot be too long otherwise the WebView will not execute the URL handler for launching the messages app. Basically you have to get the timing just right.

The PoC to trigger this bug.

Below two video demonstrations of this attack. You can clearly see that the UI is not responsive for a short amount of time. The time is long enough to make somebody pickup on the other side (especially service hot lines automatically pickup).

Normal good app behavior:
Apps should normally check the URL schema before executing it and show the user a pop-up dialog before executing an app on the device. Some examples are shown below:

Mobile Safari asking before calling the Apple Support number. This is how good apps should behave!

Dropbox showing a warning but not showing the target number. Ok but could be better.

The Yelp app normally behaves like Safari but if you hit it with an HTTP redirect it does not show the target number. I just included this for the fun of it.

App developers should review their use of WebViews to determine if they are vulnerable to this attack. Vulnerable apps need to be fixed. Service providers like Twitter and LinkedIn can inspect links posted to their sites for containing malicious code and prevent those links from being posted to their service.

Apple should change the default behavior of WebViews to exclude execution of TEL URIs and make it an explicit feature to avoid this kind of issues in the future. I reported this issue to Apple.

References:

Bug Bounty Hunter Launches Accidental DDoS Attack on 911 Systems via iOS Bug

iPhone hack that threatened emergency 911 system lands teen in jail

iPhone Safari phone-auto-dial vulnerability (original date: Nov. 2008)

RFC2806 URLs for Telephone Calls

RFC3966 The tel URI for Telephone Numbers

Mobile Security News Update October 2016

Tue, 18 Oct 2016 12:49:00 GMT

Conferences

ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM)

O'Reilly Security Conference

Android Banking Trojan Tricks Victims into Submitting Selfie Holding their ID Card

KiwiCon

I'm going to be at the O'Reilly Security Conference on Monday the 31st (maybe also the other days). I super excited to speak at KiwiCon this year!

I'm interested in Google's Project Fi does anybody have insights into using it with non Android phones? I've found several posts on this topic but nothing convincing yet. Posts also seem conflicting.

Best of mobile security in pictures:

source ThreatPost

I've seen this warning a lot in the last couple of weeks while traveling:
This is the real reason for the Galaxy Note 7 recall

While searching for the link to the recall:

Links

Kwetza: Infecting Android Applications

Pork Explosion Unleashed - Manufacturer Backdoor in the Foxconn Android bootloader

Decap of a SIM card

Android Qualcomm GPS/GNSS Man-In-The-Middle

KNOXout - Bypassing Samsung KNOX

Android CVE PoCs for the October bulletin

Osmocom 3G circuit switched voice support with IuCS and Iuh

Multiple Backdoors found in D-Link DWR-932 B LTE Router

BlackBerry axes smartphone business

How to keep your Android phone safe from prying eyes

Xiny Android trojan evolves to root phones and infect system processes

IMSI Catcher Report Calls for Transparency, Proportionality, and Minimization Policies

The Messenger Shoots Back: Network Operator Based IMSI Catcher Detection

How to wipe your phone (or tablet) for resale

attack against compromised Apple accounts to perform SMS spamming

Android Premium SMS Warning Message Manipulation

Nexus Support Lifecycle

Google has less control over Pixel devices than people claimed. HTC still signs the bootchain.

Talk is Cheap, Show Me the Code - How we rooted 10 million phones with one exploit

The new Android system permissions model analysis and early warning (in Chinese)

Android full-disk encryption: a security assessment

Android cryptfs.bt for 101editor

iOS9 iCloud backup retrieval proof of concept

Mobile Security News Update September 2016

Tue, 20 Sep 2016 13:47:00 GMT

Conferences

Black Hat EU

Android Premium SMS Warning Message Manipulation

The most interesting read this week was The bumpy road towards iPhone 5c NAND mirroring a paper by Sergei Skorobogatov. In this paper he shows how to implement a NAND mirroring attack against an iPhone 5C. The basic idea behind this attack is erase the PIN failure counter between each set of tries to avoid the artificial brute force delay and to avoid data deletion after N failed PINs. The paper goes into great detail on various problems he encountered while implementing the attack. I highly recommend reading this paper. The picture below is taken from this paper.

Google's Project Zero now has an Android "Prize" for achieving RCE on a Nexus device with only knowing it's email address or phone number. Apparently you can't use a BTS (via @jduck) for this attack. Overall this looks interesting, I wonder if anybody is going to claim the money soon. Announcement: Project Zero Prize.

Links

iCloud, iHack, iSpam

tool to inspect, dump, modify, search and inject libraries into Android processes.

How My Rogue Android App Could Monitor & Brute-force Your App's Sensitive Metadata

APK Signature Scheme v2

Just One Photo Can Silently Hack Millions Of Androids

Parse the Qualcomm DIAG format and convert 2G, 3G and 4G radio messages to Osmocom GSMTAP for analysis in wireshark and other utilities.

PEGASUS iOS Kernel Vulnerability Explained

Undocumented Patched Vulnerability in Nexus 5X Allowed for Memory Dumping via USB

VB2016 preview: Mobile Applications: a Backdoor into Internet of Things?

Hiding root with suhide

Xiaomi Can Silently Install Any App On Your Android Phone Using A Backdoor

Reverse Engineering Xiaomi's Analytics app

A Case of Misplaced Trust: How a Third-Party App Store Abuses Apple's Developer Enterprise Program to Serve Adware

File-Based Encryption in Android 7

Linux Security Summit Videos

Harvesting Inconsistent Security Configurations in Custom Android ROMs via Differential Analysis

suhide v0.51 released

Introducing BLESuite and BLE-Replay: Python Tools for Rapid Assessment of Bluetooth Low Energy Peripherals

Samsung Android Security Updates - September

A Survey on Android ELF Malware

Keeping Android safe: Security enhancements in Nougat

Nexus Device Downloads

Mobile Security News Update August 2016

Tue, 30 Aug 2016 13:30:00 GMT

Conferences

Black Hat EU

DerbyCon

AppSec USA

Apple now has a bug bounty program. Details were presented at Black Hat in Ivan Krstic's talk BEHIND THE SCENES OF IOS SECURITY. Also see Starting this fall, Apple will pay up to $200,000 for iOS and iCloud bugs (via Ars).

Motorola confirms that it will not commit to monthly security patches. This is pretty bad since I actually liked their Pure Edition devices (devices that basically are just AOSP).

Protecting Android with more Linux kernel defenses. They added some features from Grsecurity. This makes me happy.

Google's Android has gotten so out of control that $55 billion Salesforce had to take drastic measures, basically Salesforce in the close future will only support specific Samsung Galaxy and Nexus devices. This is an interesting way to deal with the very diverse Android ecosystem.

Pegasus Spyware / Trident for iOS was based on 3 vulnerabilities unsurprisingly a WebKit memory corruption, a Kernel info leak, and a kernel memory corruption. The spyware was capable of accessing text messages, iMessages, calls, emails, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, Facetime, Calendar, Line, Mail.Ru, WeChat, Surespot, Tango, Telegram, and others. (Source: Lookout Technical Report).

Oversec.io seems to implement our idea of mobile OTR on top of any messenger app. Oversec still looks very beta and I haven't tried it out. If anybody has tried it I would like to hear about it.

Pictures of the month:
(source: @raviborgaonkari)

(source: @marcwrogers)

Links

Technical Analysis of Pegasus Spyware

Chainfire suhide tries to hide your Android root access

Android: protecting the kernel

Wie das BKA Telegram-Accounts von Terrorverdaechtigen knackt

Hackers accessed Telegram messaging accounts in Iran - researchers

Stumping the Mobile Chipset (Qualrooter)

Analysis of multiple vulnerabilities in different open source BTS products

gpapi (node lib for talking to Play Store)

Demystifying the Secure Enclave Processor

CopperheadOS ART no longer attempts to use executable code from /data/dalvik-cache, only boot.art

The slide and exploit of: A Way of Breaking Chrome's Sandbox in Android

Adaptive Kernel Live Patching: An Open Collaborative Effort to Ameliorate Android N-day Root Exploits

iOS 10 - Kernel Heap Revisited

Hacking Soft Tokens (Android)

Understanding Dalvik Static Fields part 2 of 2

Attacking BaseStations

GODLESS Mobile Malware Uses Multiple Exploits to Root Devices (android)

Android Binder Firewall

ARM is bought by SoftBank

iREVERSE ENGINEERING AND EXPLOITING SAMSUNG'S SHANNON BASEBAND

LTE security, protocol exploits and location tracking experimentation with low-cost software radio

BtleJuice: The Bluetooth Smart MitM Framework

CuckooDroid: Automated Android Malware Analysis

Stagefright: An Android Exploitation Case Study

Tracking the Trackers: The most advanced rogue systems exploiting the SS7 Network today

SS7 Security : Putting the pieces together

ARMv8 Shellcodes from A to Z

Mobile Security News Update July 2016

Tue, 12 Jul 2016 23:21:00 GMT

Conferences

SummerCon

Breaking Band reverse engineering and exploiting the shannon baseband

Another month has passed and I'm super late again on this blog post.

HushCon EAST badges were super awesome (picture below) did some hacking on them with Trammell Hudson: Hushcon 2016 pagers.

The wait is over, here is the final blog post including source code on Qualcomm's TrustZone: Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption Source extractKeyMaster

The Android Security Bulletin July 2016 fixes a really large number of bugs, including a Remote code execution vulnerability in Bluetooth and Remote code execution vulnerability in OpenSSL & BoringSSL. It is really good to see stuff being fixed and talked about in the open.

Summary on Pokemon GO's permission to your Google Account by the guys from Trail of Bits.

Funny picture of the month:

Links

Vodafone Global Infrastructure Map

VIDEO: Forcing A Targeted LTE Cellphone Into An Eavesdropping Network

Android changes for NDK developers

Need Android APK samples? `wget -r http://dlapk.etcandroid.com/apk/ ` and wait a few hours... Or until two people do it and server melts...

Android Anti-Hooking Techniques in Java

Tools for analyzing hexagon code

Hacking Team / Crisis Android samples

HARDWARE-ASSISTED ROOTKITS & INSTRUMENTATION: ARM Edition

GODLESS Mobile Malware Uses Multiple Exploits to Root Devices

Silent OS 3.0 adds cellular IDS for weak nw encryption.

Most mobile apps dedicate at least 10% of their traffic to online tracking

Strongdb is a gdb plugin that is written in Python, to help with debugging Android Native program.The main code uses gdb Python API

Accessing local variables in ProGuarded Android apps

GOOGLE'S ANDROID REWARDS PROGRAM PAYS OUT HALF MILLION IN FIRST YEAR

This is an all-in-one Java deobfuscator which will deobfuscate code obfuscated by most obfuscators available on the market.

Listening through a Vibration Motor

Fingerprint Unlock Security: iOS vs. Google Android (Part I)

Fingerprint Unlock Security: iOS vs. Google Android (Part II)

A cross-platform protocol library to communicate with iOS devices.

Android Anti-Emulator, originally presented at HitCon 2013: "Dex Education 201: Anti-Emulation"

An Online Analysis System for Packed Android Malware

Android Trojan "Hellfire" modified system binaries, boot image, init.rc, SE policy rules, dm_verify, etc.

recover deleted information from sqlite files.

TrustZone Kernel Privilege Escalation (CVE-2016-2431)

A dynamic binary instrumentation kit targeting on Android(Lollipop) 5.0 and above.

(In-) Security of Security Applications

Hacking smartphones via voice commands hidden in YouTube videos

Bugs in BMWs ConnectedDrive (exploitable via SMS)

Remote Code Execution in Xiaomi MIUI Analytics

Breaking Into the KeyStore: A Practical Forgery Attack Against Android KeyStore

A Way of Breaking Chrome's Sandbox in Android

Changes to Trusted Certificate Authorities in Android Nougat

Introducing OpenCellular: An open source wireless access platform

Android Kernel CVE POCs CVE-2016-3797

Android Kernel CVE POCs CVE-2016-3794

Proof of concept XOR canary support for LLVM

Advanced Android Root : How To Bypass PXN

PoC for CVE-2016-2434

From HummingBad to Worse NEW DETAILS AND AN IN-DEPTH ANALYSIS OF THE HUMMINGBAD ANDROID MALWARE CAMPAIGN

This Android Hacking Group is making $500,000 per day

open source 3gpp lte implementation

Lawsuit reveals Silent Circle's Blackphone business is a complete and utter mess

DIFFDroid :Dynamic Analysis for Android

Inside SafetyNet - part 2

Mobile Security News Update June 2016

Mon, 06 Jun 2016 17:51:00 GMT

Conferences

goatattack send pictures of goats to your friends

Shakacon

Defcon still doesn't have the agenda or accepted talks up.

The Qualcomm Mobile Security Summit was super awesome once again. Good talks, interesting hallway conversations and always good to see friends.

SektionEins (Stefan Esser) release a jailbreak and anomaly detection app for iOS and eventually got band from the AppStore by Apple. The speculation is that Apple wants to hide the fact that certain sandbox and security features don't work as advertised and thus his App got band. The app likely wasn't band just because it can detect a jailbreak since like every app does exactly this, including apps like WhatsApp. There are also several process list viewers for iOS.

I finally could checkout a Blackberry PRIV. The actual hardware looks pretty sweet. I got a quick demo of the security and privacy features added by RIM, specially DTEK. I really liked the device security/privacy status overview, every phone should have that.

Qualcomm KeyMaster keys etracted from TrustZone waiting for the writeup. The previous blog posts where super good already, but this one should be really interesting.

Links

Android Banking Trojan SpyLocker Targets More Banks in Europe

How to lock the samsung download mode using an undocumented feature of aboot

Android-Security-Reference

Script to enumerate JNI methods in ELF files.

Sixty Percent of Enterprise Android Phones Affected by Critical QSEE Vulnerability

A study on obfuscation techniques for Android malware

Android dex file extractor, anti-bangbang (Bangcle)

Fridump: Dumping memory from iOS, Android and other applications using Frida

Android: How to run your script/binary from adb in the application sandbox

CopperheadOS online store now available

Android Spyware Targets Security Job Seekers in Saudi Arabia

Sirin Labs shows off $14K, super private Solarin smartphone, on sale June 1

KeenTeam/KeenLab Blog

MopEye: Monitoring Per-app Network Performance with Zero Measurement Traffic

How to not break LTE crypto

Secure Containers in Android: the Samsung KNOX Case Study

AOSP: recovery: Add support to brick a device.

Security in cellular-radio access networks

Mobile Security News Update May 2016

Fri, 06 May 2016 02:15:00 GMT

Conferences

This was a long break, I was covered in work and had other things to do. But I'm not giving up this blog. Sadly I missed a bunch of conferences earlier this year. Especially CanSecWest and Troopers/TelSecDay. TelSecDay looked really awesome this year! Sad to have missed it.

Work with me and other awesome people at Square we are looking for a bunch of different mobile security related people. Android and iOS!

For those who are interested in TrustZone or TrustZone implementations check out: War of the Worlds - Hijacking the Linux Kernel from QSEE This blog has a lot of awesome research on TrustZone and Qualcomm's implementation.

60 Minutes: shows how easily your phone can be hacked. As I said earlier on Twitter, this is as good as it gets on TV. All of the people on the show are pros (know all of them personally!). Of course if you are an expert yourself you will complain about anything shown on TV ;-)

Dilbert gets it:

Related to the iPhone will be bricked if the clock is set back too far.

Links

AppMon, GreaseMonkey for Android and iOS

Mobile Security Bullshit Bingo

CVE-2015-1805 root tool, Android Sony

Hacking Samsung Galaxy via Modem interface exposed via USB

Overly restrictive SELinux filesystem permissions in Android N

Android IOMX getConfig/getParameter Information Disclosure

Metaphor - Stagefright with ASLR bypass

Brussels police were forced to use WhatsApp during attacks

eMMC backdoor leading to bootloader unlock on Samsung Galaxy Devices

Android rooting bug opens Nexus phones to "permanent device compromise"

You can install a GSM network with a single command now - $sudo apt-get install gsm-network

Android Installer Hijacking Vulnerability Could Expose Android Users to Malware

How to Build Your Own Rogue GSM BTS for Fun and Profit (using a BladeF)

Multiple vulnerabilities found in Quanta LTE routers (backdoor, backdoor accounts, RCE, weak WPS ...)

Nexus Security Bulletin-April 2016

Android Security Bulletin-May 2016

Dalvik Virtual Execution with SmaliVM

Releasing the Fairphone 2 Open Operating System

Calling all Mobile Researchers!

Analysis of CVE-2016-2414 - Out-of-Bound Write Denial of Service Vulnerability in Android Minikin Library

[CVE-2016-2443] Qualcomm MSM debug fs kernel arbitrary write (Nexus 5, Nexus 7 2013 and maybe other models)

Android is moving to enforcing storage verification at runtime (via @copperheadsec)

Modem interface exposed via USB (samsung)

Hey your parcel looks bad - Fuzzing and Exploiting parcel-ization vulnerabilities in Android

iovyroot - (temp) root tool

Linux Kernel Exploitation on Android

ss7MAPer - A SS7 pen testing toolkit

Beating Expectations: Android Security Patching for PRIV

Pwn a Nexus device with a single vulnerability

Exploring the Physical Address Space on iOS

Mobile Security News Update March 2016

Tue, 08 Mar 2016 21:43:00 GMT

Conferences

BlackBerry powered by Android Security Bulletin - March 2016

Looks like I will go to very few conferences this year.

We finally published our paper on Android application analysis support using intelligent GUI stimulation. The work CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes uses / enhances Andrubis.

Excellent post on Apple vs FBI by Dan Guido: Apple can comply with the FBI court order

Links

Nexus Security Bulletin - March 2016

Attack on Zygote: a new twist in the evolution of mobile threats

How to FBI-proof your iPhone

Reverse Engineering Samsung S6 Modem

Security Analysis of Wearable Fitness Devices (Fitbit)

Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems

GPS hacking (PART 1)

How does Dalvik handle 'this' registers?

Pirated iOS App Store's Client Successfully Evaded Apple iOS Code Review

FileSystem Monitor Tool For iOS and Android

Scammers use mobile POS terminals to scan people cards via NFC (paypass,paywave etc) technology without them knowing

Android: Calling getpidcon for One Way Binder Transactions Returns Wrong Security Context

Network Security Policy configuration for Android apps

[Xposed module] Disable device compatibility check

The ARMv8-A architecture and its ongoing development

Android Secure Coding

Decoding Syscalls in ARM64

Adafruit Bluefruit LE Sniffer – Bluetooth Low Energy (BLE 4.0)

Mobile Security News Update February 2016

Tue, 09 Feb 2016 17:46:00 GMT

Conferences:

New Dexguard String decoder for JEB 1.5. Tested on GFE 3.1.3. This release auto parse decoder function.

Mobile Pwn0rama the SyScan version of mobile pwn2own. Very cool!

CopperheadOS beta released for Nexus 5, 9, and 5X. I need to buy a new phone to try this out. For those who don't know about CopperheadOS, it is a hardened Android. I was waiting for something like this for a long time. Not as a user more like somebody should really do this. Anyway, looks pretty cool.

Last weekend I published a write-up on CVE-2016-0728 vs Android. The TL;DR is that this vulnerability was totally over hyped for Android. There is no practical impact for the Android platform.

Links:

Android privilege escalation to mediaserver from zero permissions

On SMS logins: an example from Telegram in Iran

URL filtering in kernel land: what could possibly go wrong?

NexMon enables the monitor mode of the bcm4339 Wi-Fi chip on the Nexus 5.

diff of the wifi driver source that nicely shows the bug

Samsung has DBI tool for Android based on Capstone

Android Wifi kernel RC details

FlashFire updated to v0.26 - brings Marshmallow support. Can flash your monthly Nexus OTA and keep root

A Pattern for Remote Code Execution using Arbitrary File Writes and MultiDex Applications

PoC code for android RCE with multidex and ZIP files

Set of scripts to automate AOSP compatible vendor blobs generation from factory images

A few notes on usefully exploiting libstagefright on Android 5.x

LTE security and protocol exploits

Dextra for #OAT/#ART/#DEX reversing: now with better disasm,bug fixes.

check the BootUnlocker source for oneplus for details

RCE in Open Mobile API

Deoptimize odex from oat.

Android sensord Local Root Exploit

Android ADB Debug Server Remote Payload Execution

HummingBad: A Persistent Mobile Chain Attack

ARTDroid: Simple and easy to use library to intercept virtual-method calls under the Android ART runtime.

CVE-2016-0728 vs Android

Sat, 06 Feb 2016 19:09:00 GMT

CVE-2016-0728 has made some headlines in the security world since it is a relatively easy to exploit Linux local privilege escalation vulnerability. Perception Point (the company who found the vulnerability) claimed that approximately 66% of all Android devices are vulnerable to this issue, if this is true that would have quite some impact on Android users. Perception Point did not evaluate if the vulnerability is actually present and exploitable on the Android platform. A lot of people, including myself, were very curious about the impact of this bug on Android. Here is a write-up of my investigation of the impact of CVE-2016-0728 on the Android world. TL;DR impact almost none! (please continue reading).

When I first heard about this vulnerability I modified the PoC and tried to validate the presence of the vulnerability using various Android devices. I could not find any device that contained the vulnerability. I had access to several Nexus devices and number of Samsung devices. After failing blindly I started investigating the details. I also asked friends who do a lot of Android work to see if they had tried and/or made it work. Nobody was able to find a device that was actual vulnerable. I only found one person who claimed to gotten the exploit working on LG device. According to his post it takes more than 6 hours to trigger the vulnerability and only one out of three tries he got it working. This alone gives you a good indication on the impact on this vulnerability. The battery of most phones will run out in less than 6 hours due to running an application that constantly hits the kernel.

Here a technical rundown of why this vulnerability is not an issue for the vast majority of Android devices.

Mitigating Factors

Kernel Version

The vulnerability supposingly was introduced with Kernel version 3.8 and later. A lot of Android 5.0 devices run a 3.4 Kernel.

Kernel Configuration

CONFIG_KEYS:
The code containing the vulnerability is part of the key retention service of the Linux kernel. The service is only present if the kernel was built with CONFIG_KEYS enabled. Looking at the default AOSP kernel config you can see that CONFIG_KEYS is not enabled. Android devices that are based on the AOSP kernel config do not contain the vulnerable code, as a result they are not affected by this vulnerability. Further, not all versions of the key retention service contained the vulnerable code, this again reduces the number of affected devices. When looking at the overall device population the presence of the key retention service provides an upper bound for the number of affected devices.

We can also use the Android Census to identify which devices and firmware versions use kernels with CONFIG_KEYS enabled. If CONFIG_KEYS is enabled, the /proc/keys directory will be present. Based on this data, only 125 out of the 480 unique Android installations examined have /proc/keys and therefore, CONFIG_KEYS enabled in their kernels.

KALLSYMS:
A portable and automated exploit (based on the PoC) would require access to /proc/kallsyms to acquire memory addresses of kernel code. Recent Android versions zero out the actual memory addresses when kallsyms is read by a non uid=0 process.

SELinux

Android 4.4 (KitKat) and later include SELinux, but Android 5.0 (Lollipop) notably requires SELinux to be in enforcing mode instead of permissive as was the case in Android 4.4. SELinux on Android reduces the attack surface of the Linux kernel by restricting the use of a number of kernel services to trusted applications. In this case, the SELinux policy in the Android Open Source Project (AOSP) and on Nexus devices restricts access to kernel keyring objects from the untrusted_app domain and this prevents apps from the Play Store or other sources from triggering or exploiting the vulnerability. For example, when an app tries to execute the keyctl system call to create or access a keyring object, the system call is denied and an SELinux kernel error is logged to the system log:

[ 3683.432511] type=1400 audit(1453676165.345:15): avc: denied 
{ search } for pid=7848 comm="PoCtest" 
scontext=u:r:untrusted_app:s0:c512,c768 
tcontext=u:r:untrusted_app:s0:c512,c768 tclass=key permissive=0

The public PoC exploit uses SysV IPC (msgget) to allocate the memory chunk that is passed to the vulnerable code. The SELinux policy on Android 5.0 and upwards blocks SysV IPC and thus blocks the method of obtaining a usable memory chunk that is used by the PoC exploit. Below is the output of SELinux blocking the call to msgget taken from the Linux kernel ring buffer on a Android 5.0 device. I tested the this on a Nexus 5x running Android 6 and on a Nexus 7 running Android 5.0running the PoC from an adb shell, system log output below:

<4>[59201.392059] type=1400 audit(1453400116.210:13): avc: 
denied { create } for pid=21470 comm="PoCtest" 
scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=msgq

The PoC can be adapted to use a different method for allocating memory rather than SysV IPC msgget, but historically Android malware only uses of-the-shelf exploits, if they use any vulnerability at all.

The Android device ecosystem, however, is much more varied and diverse than the stock AOSP tree and Nexus devices that follow it very closely. In particular, SEAndroid policies in the wild often add more types, domains, type transitions, and rules to the AOSP SELinux policies. Using the Android Census we find 160 sepolicies have key rules from untrusted_app.

Results

There are several limiting factors that make this vulnerability a non issue for Android:

SELinux policies from Android 5.0 and later block access to the vulnerable kernel code
Kernel versions used by various Android devices are either too old or don't use CONFIG_KEYS
The exploit requires 30 minutes to run on a 3.0 Ghz Intel i7 and according to XDA developers it took several tries and a runtime of 6 hours to get this working on an Android device

The conclusion I draw is that this vulnerability will not pose a serious risk to the Android ecosystem due to the mitigating factors described above. Maybe individual devices do contain the vulnerability but the worst case scenario is that the owner of the device will use the bug to root his own device. Given he is very patient and can live without using his device for 6 hours or more. One thing that is certain is that the percentage given by Perception Point is absolutely not true and should not haven been repeated by everyone who reported on this.

Acknowledgments:

This blog post is based on discussions I had with various people, most notably Dino Dai Zovi and Janek Klawe. Vlad Tsyrklevich deserves massive credit for his Android Census database, a super valuable source for this kind of research.
Links:

ANALYSIS AND EXPLOITATION OF A LINUX KERNEL VULNERABILITY (CVE-2016-0728)

Adrian Ludwig's (head of Android security) statement about this vulnerability

XDA Developers post on this topic

PoC exploit tailored for Android (source + makefile)

AOSP Kernel Config

Android Census

Mobile Security News Update January 2016

Mon, 18 Jan 2016 15:43:00 GMT

Conferences:

Updated Android malware steals voice two factor authentication

I guess it is still too early in the year for conference programs. ShmooCon just concluded, Infiltrate doesn't have any mobile talks, and SyScan didn't post accepted talks yet. This weekend I attended the first BSidesNYC. The conference was pretty good, some expected and some unexpected good talks. The conference venue was pretty nice and spacious. I will go again.

If you are into NFC research checkout: ChameleonMini - A Versatile NFC Card Emulator a new kickstarter project. The guys who run it definitely know what they are doing.

Links:

Phone Hackers: Britain's Secret Surveillance

Android-based Smart TVs Hit By Backdoor Spread Via Malicious App

Create an anonymous Signal phone number w/ Android

Covert Communication in Mobile Applications

Vulnerability in Blackphone Puts Devices at Risk for Takeover

spectrum monitoring system for GSM providers

Nexus Security Bulletin - January 2016

(Un)Trusted Execution Environments

Parsing iOS Frequent Locations

A Forensic Analysis of Tinder (iOS)

How to Bypass Factory Reset Protection on your Nexus 6P, 5X, 5, & 6

[CVE-2015-7292] Amazon Fire Phone kernel stack based buffer overflow

Mediatek/Obi nerfed ALL property space security any user can control any property, even ro ones

CopperheadOS's OpenBSD malloc port uncovered a use-after-free in Android's fancy new over-the-air update sorcery

Added support to crack Android FDE (Samsung DEK) to oclHashcat v2.10! 171kH/s @ 290x, 217.7 kH/s @ 980Ti

DIVA (Damn insecure and vulnerable App) for Android

A pattern based Dalvik deobfuscator which uses limited execution to improve semantic analysis

slides

Experimental version of QEMU with basic support for ARM TrustZone (security extensions)

How to NOT disable SELinux on Android

Mobile Security News Update December 2015

Thu, 24 Dec 2015 11:35:00 GMT

I've gotten a little lazy with this blog but I promise I will post more often in 2016.

Conferences

As I said before, I'm neither attending 32c3 nor Shmoocon. I'll be attending BSides NYC tho.

Google suspended Android-vts the only up to date Android device vulnerability scanner. No idea if Google would allow it back after fixing the issues. On the other side I rather have a tool that can find a large number vulnerabilities rather than having a crippled version in the Play Store.

Jobs

Palo Alto Networks - Mobile Malware Research Engineer

Square

Links

Grab'n Run, a simple and effective Java Library for Android projects to secure dynamic code loading.

Exploring Android's SELinux Kernel Policy

(In)secure iOS Mobile Banking Apps - 2015 Edition

Samsung patched the Pwn2Own baseband bug within 1 month

Android-classyshark for looking at Android APKs/decompiling

This tool is used to extract dex files from oat file.

Android Data Residue Vulnerability

New Android 'enjarify' Decompile Tool

Droid Turbo Bootloader Unlock on now with SunShine 3.2 Beta

Windows Phone Internals

Huawei is disclosing 'Security Advisory' for baseband bugs

Google can remotely bypass the passcode of at least 74% of Android devices if ordered

Hacking Team - how they infected your Android device by 0days

Unblocking Stolen Mobile Devices Using SS7-MAP Vulnerabilities: Exploiting the Relationship between IMEI and IMSI for EIR Access

POC for CVE-2015-6620, AMessage unmarshal arbitrary write

iOS Trojan 'TinyV' Attacks Jailbroken Devices

Attacking Bound Services on Android

BytecodeViewer - A Java Reverse Engineering Suite. GUI Java And APK Decompiler, Editor, Debugger And More

Using "system" privileges by abusing mobile remote support tools

List of Android apps to detect fake mobile towers

Defeating iOS Jailbreak detection for Mobile Application Testing

Abusing Android ClipData

50 smartphone users in Singapore hit by malware targeting mobile banking customers

BareDroid allows for bare-metal analysis on Android devices.

Apparently if install an accessibility service, FDE password is reset to default on Android 5.x+.

Capstone Engine on Android

Mobile Security News Update November 2015

Thu, 19 Nov 2015 01:56:00 GMT

Conferences

upcoming: 32C3 (December), ShmooCon (January)
CFPs

SyScan 360

$10 Android Phone Walmart has a $10 Android phone. It is an LG device with Android 4.4 specs. I agree with Patrick McCanna on Smartphones @ featurephone prices will be a significant milestone towards monetizing mobile hacking. These prices really mean everybody is going to have a smartphone. Like everybody. I ordered two of those to play with.

Mobile pwn2own: two interesting results. (1) baseband of a Samsung S6 Edge, the payload was able to redirect incoming calls. This was done by my buddies Nico Golde and Daniel Komaromy. Here a picture of their setup. Story by various sites: 1, 2 (German), 3. (2) drive by APK install on Nexus 6 without user interaction by Guang Gong. tweets: 1 2 (with picture).

LTE Security: pretty interesting talk and paper about LTE design and implementation vulnerabilities. slides white paper. Blogpost by the same people: Practical attacks against 4G (LTE) access network protocols. One thing I didn't notice is how cheap LTE research is already. Their setup is just over $1000, which seems rather cheap for LTE.

Jobs

Square

the GSMA is looking for a Cyber Security Director

Links

FakeDebuggerd.D, AFAIK the first Android Trojan infecting system binaries just like traditional virus

Qualcomm LTE base station

Samsung Mobile Security Blog

32c3 again has a GSM network

Remote Code Execution as System User on Android 5 Samsung Devices abusing WifiCredService (Hotspot 2.0)

Hey @sprint @sprintcare, what's up with sprint installing MDM profile on a new iPhone 6s at the store?

A vulnerability known as Wormhole affects the Baidu Moplus SDK and potentially exposes more than 100 Million users to cyber attacks.

VTS for Android

Hack The Galaxy: Hunting Bugs in the Samsung Galaxy S6 Edge

The Zerodium 1 Million $ iOS 0day bounty was claimed on Nov. 2

ZipFury: Yet another Zip arbitrary file write with system privileges (Samsung Android)

SafetyNet doesn't detect a device as rooted if using the new system-less SuperSU

Characterizing SEAndroid Policies in the Wild

SEAL: SEAndroid Analytics Library for live device analysis

Long Term Exploitation - LTE security

Nexus 6P has two levels of bootloader unlocking

Xposed now for Android 6.0

Copperhead CTO: Nexus Phones Already More Secure Than BlackBerry Priv

AndroBugs Framework is an efficient Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications. No need to install on Windows.

android app capable of "self-compilation, mutation and viral spreading" (paper)

code

When providing a native mobile app ruins the security of your existing web solution

Why Does My Android Phone Have eFuses And Why Should I Care About Them?

AFL on Android

As Of Android 6.0, OEMs Will Be Required To Provide Secure Factory Reset On Their Devices (If They Haven't Already)

Nexus Security Bulletin November 2015

Remote attestation for TEEs and Verified Boot will be possible on Android N

the Ubuntu phone as security issues

ARMageddon: Last-Level Cache Attacks on Mobile Devices

GOOGLE AOSP EMAIL APP HTML INJECTION

The Terminator to Android Hardening Services

Android developer hotlinks an image on some guy's server, DDoS's it. He has no idea who to contact.

ARMv8 has unprivileged cache flush instructions.

Mount Android phones on Linux with adb. No root required.

BlackBerry's PaX / grsecurity configuration

MalwAirDrop: Compromising iDevices via AirDrop

Android now has Signal too

don't jailbreak your iPhone (or else forensics)

... encrypted com app security scorecard ...

Mobile Security News Update October 2015 part II

Fri, 23 Oct 2015 03:19:00 GMT

Conferences

ekoparty

Hackito Ergo Sum

The RIM BlackBerry PRIV looks like a real interesting device. The PRIV seems to focus on security. The website claims a hardend linux kernel, and indeed they seem to run a grsec kernel as you can see in this picture (lower left corner) posted on the Crackberry forum. Some comments about this in this series of tweets.

There is a new security news outlet with focus on the consumer angle it is called The Parallax. It is super new and does not have many articles yet. But I think the consumer focus could be interesting.

Job Section (just because I know about a bunch of stuff)

Intern at Siemens with focus on Mobile Security

Button Inc

Square

Links

Pangu iOS 9 jailbreak

Cryptfs Password Manager with Android 6 support

Android banking Trojan delivers customized phishing pages straight from the cloud

OpenKeychain Audit

The AuditDroid Project is a fully functional and self-contained environment for learning about Android security

Android Vulnerability Test Suite - now detects CVE-2015-6602

Attackers with brief physical access can enable WiFi MITM on Android 6.0

A "shim" for loading native jni files for Android active debugging

Androguard: A simple step by step guide

Interesting Twitter thread about HTC and Security updates for Android including the HTC USA President

Same Sh*t Different Android Browser

Nexus 5X and Nexus 6P review: The true flagships of the Android ecosystem

A Look at Marshmallow Root & Verity Complications

SELinux in Android Lollipop and Marshmallow

Current State of Android Privilege Escalation

AOSP 4.4.4 ROM for grouper (Nexus7) with DexHunter automatic unpacker built in

Android Xposed Module to bypass SSL certificate validation (Certificate Pinning).

Using Android's tamper detection securely in your app

An Xposed and adbi based module which is capable of hooking both Java and Native methods targeting Android OS.

microG GmsCore is a FLOSS (Free/Libre Open Source Software) framework to allow applications designed for Google Play Services to run on systems, where Play Services is not available.

Nexus Security Bulletin—October 2015

The Nexus 5X And 6P Have Software-Accelerated Encryption, But The Nexus Team Says It's Better Than Hardware Encryption

Reverse Shell Over SMS (Exploiting CVE-2015-5897)

Nexus 6P has a hardware fuse that blows irreversibly when bootloader unlocked.

BoringSSL runs Android M and other stuff...

YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs

Mobile Security News Update October 2015

Sun, 04 Oct 2015 21:38:00 GMT

Conferences

HP / ZDI will not run Mobile Pwn2Own at PacSec (in Japan) due to export restrictions. Source Dragos Ruiu. This is unfortunate.

Personal note: Since September I'm working for Square doing mobile security engineering. This blog will only be temporarily affected by the job switch as I get settled I will return to more then one post per month.

Links

Motorola Marketed The Moto E 2015 On Promise Of Updates, Is Now Apparently Ending Them After 219 Days

ANDROID PAY: PROXY NO MORE

iOS 9 code vulnerability lets hackers steal thousands of dollars worth of in-app purchases

XcodeGhost Source

AndFix is a library that offer hot-fix for Android App.

Announcing Android Vulnerability Test Suite

PoC code for 32 bit Android OS - ping pong root

Android 5.x Lockscreen Bypass (CVE-2015-3860)

Defeating SSL Pinning in Coin's Android Application

Assessing Android Applications Using Command-Line Fu (slides)

The Latest on Stagefright: CVE-2015-1538 Exploit is Now Available for Testing Purposes

SunShine - The #1 Bootloader Unlock tool For Your HTC or Motorola Smartphone!

DexHunter

SafetyNet Helper wraps the Google Play Services SafetyNet.API and verifies Safety Net API response with the Android Device Verification API.

SafetyNet: Google's tamper detection

Zimperium zLabs is Raising the Volume: New Vulnerability Processing MP3/MP4 Media.

baksmali 2.1

The Nexus 5X And 6P Have Software-Accelerated Encryption, But The Nexus Team Says It's Better Than Hardware Encryption

Android Now Shows Your Device's "Android Security Patch Level" In Marshmallow

The road to efficient Android fuzzing

An IDA Pro based Dex Dumper plugin

Kernel Vulnerabilities in the Samsung S4

Mobile Security Challenge Organized by Alibaba

Ruminations on App CVEs

Spoofing and intercepting SIM commands through STK framework (Android 5.1 and below) (CVE-2015-3843)

DexHook

Android M Begins Locking Down Floating Apps, Requires Users To Grant Special Permission To Draw On Other Apps

Hack Brief: Upgrade to iOS 9 to Avoid a Bluetooth iPhone Attack

Android Security Symposium - all slides online

Unbillable: Exploiting Android In App Purchases by Alfredo Ramirez at Derbycon 2015

The problems with JNI obfuscation in the Android Operating System by Rick Ramgattie at Derbycon 2015

Mobile Security News Update September 2015

Tue, 01 Sep 2015 16:46:00 GMT

Conferences

CFPs

Unfortunately I had to cancel my talk at Android Security Symposium in Vienna due to a scheduling conflict. It is a real bummer but I can't do anything about it. The replacement talk is done by my friend and research buddy Matthias he is doing a talk on one of our previous mitigation projects.

The iOS KeyRaider malware looks rather interesting. It combines a lot of different functionality. Such as steeling AppStore credentials and a ransomware module. This malware again only targets jailbroken iOS devices, users specifically had to download apps from third-party Cydia repositories. So this is not a general threat but a threat to people who jailbreak their device. If you jailbreak you likely have a very specific need and you hopefully know what you are doing. If not, just don't jailbreak your device (no matter what OS is runs).

I just found this recently published paper titled: Header Enrichment or ISP Enrichment? Emerging Privacy Threats in Mobile Networks. The paper studies HTTP header modifications and injection that is done by mobile network operators. The paper more or less is a direct follow up to my paper on the same subject titled: Privacy Leaks in Mobile Phone Internet Access. Their paper looks at what happens to smart phones that actually use HTTP (my work was mostly focused on phones that used the WAP technology - even though WAP was translated to HTTP to access regular web pages). Anyway their paper provides a good insight in what is happening. If you run a website that get a lot of mobile traffic you should look if you see some of the HTTP headers that are injected by the mobile carriers.

Links

QARK - Quick Android Review Kit

PoCForCVE-2015-1528

Android Cross-Reference covers every single Android release (all 133) ever made

Android linux kernel privilege escalation (CVE-2014-4323)

Effectively bypassing kptr_restrict on Android

Offensive and Defensive Android Reverse Engineering by Tim, Jon, and Caleb

Remote Code Execution in Dolphin Browser for Android

Changes made to AOSP from m-preview-1 to m-preview-2

Tim Strazzere: So I'm guessing @YotaPhone never expected to send updates? Since the OTA keys are the compromised, test-keys

Very interesting blog post from the T-Mobile USA CEO. He basically says their are going after people who modify their phones to get free tethering.

World Writable Code Is Bad, MMMMKAY

Ask Us Almost Anything about Android Security, Privacy or Malware with beaups, Tim "diff" Strazzere, Joshua "jduck" Drake, and Jon "jcase" Sawyer

Android 6.0 with Runtime Permissions

android_run_root_shell

Video of jduck's Black Hat talk: Stagefright: Scary Code in the Heart of Android

A rather short updates this time. Until next time!

Mobile Security News Update August 2015

Tue, 18 Aug 2015 18:16:00 GMT

Finally I have time to write a new blog post again. The last couple of weeks have been super busy for me. I had to finish a project, prepare a talk about it, and give a bunch of talks at various places in July and August.

Conferences

Smartwatches

fun

Stagefright

Who would have known?

NPR

complete

fixed

here

wikipedia page for Stagefright_(bug)

StageFright, Telegram Stage-Left & WhatsApp Stage-Right

Links

disarm - Quick & (very) dirty command line instruction lookup for ARM64

JEB Plugin for decrypt DexGuard encrypted Strings.

Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)

Fuzzing utility which enables sending arbitrary SCMs to TrustZone

Full TrustZone exploit for MSM8974

Android Security Toolkit

First public Android Security Bulletin

Locker: an Android ransomware full of surprises

Remote Exploitation of an Unaltered Passenger Vehicle

D-Bus

Exploring Qualcomm's TrustZone implementation

HTC "zerodays" from our Defcon workshop

Qualcomm LPE vuln from our #defcon workshop

Black Hat slides are online now

New acquisition method based on firmware update protocols for Android smartphones

Boxify: Full-fledged App Sandboxing for Stock Android

Android Market Downloaders

ONE CLASS TO RULE THEM ALL 0-DAY DESERIALIZATION VULNERABILITIES IN ANDROID

Universal Android rooting

Faux Disk Encryption - Realities of Secure Storage on Mobile Devices

Koodous

Windows Phone PIN cracking

Hardening Android's Bionic libc

How to use old GSM protocols/encodings to know if a user is Online on the GSM Network AKA PingSMS 2.0

imgtool

Android M: A Security Research Perspective (Part 1)

SnooperStopper: Automatically prompts you to change FDE password if lockscreen PIN/password is changed (needs root)

HackingTeam's Android Exploit < nice review by Tencent Sec Response Center.

PGP on Android using GPG applet on Yubikey, via NFC. Useful to PGP while mobile without storing priv key on dev.

Android Vulnerability that Can Lead to Exposure of Device Memory Content

dexposed

Xposed for lollipop (5.0) now allows hooking native methods, also arm64 and x86

A Program Analysis Toolkit for Android

Could it be true that Android 5.1.1_r5 enables both dm-verity *and* HW accelerated FDE? Great success if so.

Password storage in Android M

lecture: Advanced interconnect attacks Chasing GRX and SS7 vulns

Hacking Team took a bunch of my Stuff :-(

Tue, 21 Jul 2015 19:28:00 GMT

Everybody heard that Hacking Team got hacked 1, 2, 3, 4 While I think this is pretty great since they are kinda known to be scumbags since they sell to repressive governments I found out about not so great things around this hack. Actually I didn't find out myself put was pointed to it by other people on Twitter (1) , via email, and personal (thanks Michael Weissbacher!).

Basically I was told that Hacking Team used a bunch of my Android tools to build their monitoring software for Android.

What got me really upset is this email:


I was analysing recent leak of hacking team from italy, and saw you supply the core android audiocapture for hijack voice calls on android. Have you updated it to new devices like lollypop?

This person thinks that I wrote the Android voice call interception for Hacking Team. This is obviously not the case! Hacking Team took my ADBI framework and tools to build their software around it. The software this specific email is talking about is hackedteam/core-android-audiocapture (the link goes to the hackedteam GitHub repository). You can see that they kept even the original filenames (e.g. libt.c) that was part of my original ADBI release.

The reason why someone might think I wrote those tools for Hacking Team are pretty obvious once you take a look at the leaked code. Take, for example, the libt.c file from the HackedTeam repository. Hacking Team left all the copyright information (my name, website, and email address) in those files.

In addition to my ADBI framework Hacking Team also used my SMS fuzzer injector that I wrote in 2009 while working on the SMS fuzzing project together with Charlie Miller. Their Android fuzzer also made use of my ADBI framework.

Conclusions:

I did not write any of those tools for Hacking Team.

prevent

Below some links to the Hackedteam GitHub repository and the link to my ADBI repository. You can clearly see that it is based on my software.

Links:

github.com/crmulliner/adbi

hackedteam/core-android-audiocapture

hackedteam/fuzzer-android/tree/master/sms_fuzzer_injectors/Lg

github.com/hackedteam

Comments welcome via email to: collin AT mulliner.org

Mobile Security News Update June 2015 (part 2)

Tue, 23 Jun 2015 20:47:00 GMT

Conferences

Untether TaiG Jailbreak Tool for iOS 8.3

Breakpoint

All other conferences still have their CFPs open and didn't post any talks yet. The BreakPoint schedule is also not final yet.

I wanted to point to something that apparently not many people know about: Pangu jailbreak installs unlicensed code on millions of devices. Pangu has their own statement about this. The Wikipedia page about Pangu Team states that they didn't have to sign an NDA for the training and therefore can use the vulnerability. Stefan's point is not about the vulnerability but about his code. All in all I can't verify all claims but I would say I know Stefan well enough to say that he would not make this up simple because he doesn't need to. He is very well known anyway so this is not a publicity issue for him. I 100% agree with Stefan's point of view about denying people from speaking at conferences if they are known to take credit or sell code they don't own or have a license for. I encourage everybody to read up on this and to read statements made by BOTH sides. Please share your opinion with people who run conferences.

Android now has a bug bounty program, or as the call it Android Security Rewards Program. Pretty cool, I wonder if they get more submissions because of this.

Apple tries to kill plain-text connections "If you're developing a new app, you should use HTTPS exclusively.". This feature is called App Transport Security (ATS) and in the current iOS 9 version it can still be disabled. See: Configuring App Transport Security Exceptions in iOS 9 and OSX 10.11.

Android has had a similar feature for some time. Android M introduces a new Manifest option to declare if an app uses clear text traffic or not. Deepening on this option the framework can deny clear text traffic from the app. A decent writeup on this topic is here: Android M and the war on clear text traffic.

Links

Hacking and Securing iOS Applications in Chinese

Remotely Abusing Android - Ryan Welton (slides)

dexstrings Extracting the strings from the .dex files with meaning.

A Pattern for Remote Code Execution using Arbitrary File Writes and MultiDex Applications

Digging for Android Kernel Bugs (slides)

Man in the (Android) Middleware (slides)

byeselinux: Android kernel module to bypass SELinux at boot. Made for XZDualRecovery (Xperia) and Lollipop firmwares.

Complex Method of Obfuscation Found in Dropper RealShell

The dextra utility began its life as an alternative to the AOSP's dexdump and dx ...

ARM Trusted Firmware - version 1.1

Reversing DexGuard's String Encryption

Integrating PaX into Android

Yet Another Mediatek Backdoor (by @jcase)

How to Root 10 Million Phones with One Exploit by Keen Team (slides)

Understanding Android's Application Update Cycles

Firefox OS on Android Devices

Android Activity Security

Fitness Tracker: Hack In Progress (slides)

Fuzzing Objects d’ART — Hack In The Box 2015 Amsterdam

Mobile Security News Update June 2015

Mon, 08 Jun 2015 22:55:00 GMT

Conferences

Enjarify is a tool for translating Dalvik bytecode to equivalent Java bytecode. This allows Java analysis tools to analyze Android applications.

This year Black Hat US really has a large number of mobile related talks!

There is not too much to talk about otherwise. I still have to read all the stuff about Android M, some stuff is covered in the links section below. Make sure to checkout some of the HITB Amsterdam 2015 slides. Some good stuff in there for us mobile sec people.

I was really amazed how much publicity the iOS messaging crash got. Yes, it was easy to trigger. But yes, this kind of stuff happened before.

Links

iOS 8.3 Mail.app inject kit

Keystore redesign in Android M

010Editor script for extracting multiple dex files from anything - works for (system)

Android 'M' Permissions and Legacy Applications

CVE-2015-2231 CVE-2015-2232

Android key blob decryptor

How to recognize your app is being uninstalled (Android)

PaX/Grsecurity patch for Nexus7, which the original version is 3.4 kernel based with a bunch of backport features and fixes.

A Large-Scale Study of Mobile Web App Security

(Mobile Pwn2Own) Google Android Bluetooth Forced Pairing Vulnerability

HITB Amsterdam 2015 slides

A Simple Text Can Crash Messages on Any iPhone It's Sent To

Security Analysis of Android Factory Resets

Xamarin for Android <5.1 DLL Hijack Vulnerability

Mobile Security News Update May 2015 part 2

Mon, 18 May 2015 17:46:00 GMT

Conferences

Android Security Symposium

Some of the upcoming conferences I covered in earlier month (e.g. HITB Amsterdam).

CFPs

Breakpoint

SEC-T

44con

iPhone: I bought an iPhone 5c (as a tryout device) like two weeks ago. I used to have a iPhone 3G back in 2009. I'm pretty happy with it, usability is great and the radio/antenna seems way better then the one in the Nexus 5. One thing I noticed is that most major apps are much better on the iPhone. There are exceptions like Dropbox. The Dropbox client is missing features compared with the android version. I'm missing the text editor! Also inter-app communication is really a weakness of iOS and a strength of Android. Other annoying stuff: I can't set Chrome to be the default browser. I can't have Signal as the default SMS app. One of the most annoying things are notifications. Many apps don't support privacy friendly notifications on the lock screen. I want to see if there are new emails in an account but I don't want the sender, subject, or content to be shown. The same is true with a lot of apps. It is either no notification or notification with content. Not happy with this! But I'm a big fan of handover.

I total I'm still happy with my tryout iPhone 5c. Let's see how long.

Mobile Killswitch: The mobile killswitch now has it's first possibility for abuse: So this killswitch tech in mobile phones now, kinda scary, especially when I can lock you out from your phone from an app w/ no root by @jcase.

Links

Security Conference Calendar

SyScan 2015

System -> root backdoor in ZTE devices

The state of ASLR on Android

Hardware-accelerated disk encryption in Android 5.1

student project

Android anti-root detection Proof of Concept

Ping Pong Root for S6

bypassing ZTE zMax Write protection

Darshak

Times 'a Ticking... to Forensicate the Apple Watch!

Tricking Android Smart Lock with Bluetooth

An NFC PGP SmartCard For Android

Simple framework to extract "actionable" data from Android malware (C&Cs, phone numbers etc.)

How to Get a BaseStation

iOS release dates

The definitive guide to Phreak Boxes

Open source Android Forensics app and framework

Our Android Malware Summary for the Year 2014

Mobile Security News Update May 2015

Wed, 06 May 2015 05:01:00 GMT

This is actually a delayed April update!

Conferences

CircleCityCon

ShakaCon

PhDays

In the last weeks I went to RSA Conference to hangout with a few people. I met the good guys from NowSecure and Zimperium as well as the fellows of DuoSecurity.

The week after I attended Qualcomm Mobile Security Summit 2015. Again this was a super interesting mobile security focused event, most likely the best one of the year. Good talks and good people. There is no general posting of slides but some presenters published their slide deck. Tim and jcase posted their slides here: Android APP Protection. It was good to meet some guys from @K33nTeam. Their presentation was pretty good too.

If you are interested in learning about Android security take Jduck's and Zach's training at DerbyCon. They know what they are talking about.

This picture is sadly very true. I really dislike the trend going towards big smartphones or phablets.

Nexus 5 issue after a long and painful struggle including factory resetting my Nexus 5 and downgrading it to Android 5.0.1 I gave up and determined that it must be a hardware fault. Most likely the power button. I also found out (via @mweissbacher) that the warranty of our Nexus 5 devices ran out in January :-(

I determined that the only decent device to buy right now is a Moto X in the Pure Edition. The pure edition is basically AOSP like shipped with the Nexus devices. So if you are looking for a normal sized smartphone that runs stock Android this might be a device for you. Motorola even states on their site that the pure edition receives more regular updates then carrier branded devices. Most likely also more frequent updates then devices that run a heavily modified Android version (shipped by most other manufacturers).

News and Links

Repository to train/learn memory corruption on the ARM platform

HOW TO CRACK MIFARE CLASSIC CARDS

hack

https://www.rsaconference.com/writable/presentations/file_upload/br-w01-but-it_s-an-app-play-store-download-research-exposes-mobile-app-flaws.pdf

Android drive-by download

ADB backup on Android version 4.0.4 allows for file overwrite via modified tar headers.

ApkDetecter

New Root Method for LG Devices

Generic Android Deobfuscator

Android vmlinux loader

Android wpa_supplicant WLAN Direct remote buffer overflow

HOW I FORCED AN ANDROID VULNERABILITY INTO BYPASSING MDM RESTRICTIONS + DIY MALWARE ANALYSIS

DEX Parser (Python)

The nightmare behind the cross platform mobile apps dream

Developer Chainfire Publishes Preview Release Of FlashFire, A 'Spiritual Successor' To Mobile ODIN

Instrumenting Android Applications with Frida

Amazon Fire Phone Source Code Notice

SunShine 3.1 is out, HTC m9 s-off support, as well as experimental simunlock for HTC GSM devices (no CDMA, no m9)

DuoSecurity supports the Apple Watch for their push authentication app on iOS

Mobile Security News Update March 2015

Tue, 31 Mar 2015 22:53:00 GMT

Back from CanSec! Here the mobile update for March (barely made it!).

Conferences

RSA Conference

Black Hat Mobile Security Summit

CFPs

PHDays

BeaCon 2015

Usenix WOOT'15

Android 5.1 / Nexus 5 issues: I recently updated to Android 5.1 (so did my friend Michael). Now we both have massive stability issues with our phones. Michael actually doesn't have stability issues his phone refuses to boot up. It boots until the first colored dots appear and then reboots again. The reason for this bootloop are unknown. Some people say this is due to issues with the phones power button. Michael indeed had some power button issues before the bootloop happened. My phone just started to randomly reboot. The issue seems known (search for Android 5.1 random reboot and you will find many reports).

Official Chinese translation of The Android Hacker's Handbook available on April 10th.

Dimple is a small NFC sticker with four or two buttons for Android devices. You are the one who chooses the button functionality. It makes doing everyday tasks quicker and saves your precious time. <-- from their website. This is basically a set of actual buttons (as in hardware) that you can stick on your Android. The buttons likely just activate a RFID tag that is picked up by your phone that then will perform some action. Very simple technology. Should be farely easy to hack (without physically pressing the button). Let's see, maybe I will order a sample just for fun. I have a pending Android NFC blog post anyway (but not time).

Links

Paper: a time line of mobile botnets

Android Installer Hijacking Vulnerability Could Expose Android Users to Malware

Android NFC malware (MIFARE)

NFC Ultralight Toolkit

CoreTelephony: Impact: A remote attacker can cause a device to unexpectedly restart Description: A null pointer dereference issue existed in CoreTelephony's handling of Class 0 SMS messages. This issue was addressed through improved message validation.

Redheads should have emoji, too!

CVE-2014-7911

CVE-2014-4322

Amazon Gift Card Malware Spreading via SMS

Droidsec/wiki

Fuzzing Android's media framework

tools

WRANGLING DALVIK: MEMORY MANAGEMENT IN ANDROID (PART 1 OF 2)

HideAndroidEmulator

(Mobile Pwn2Own) Google Android DHCP Parsing Remote Code Execution Vulnerability

Creating Better User Experiences on Google Play

Android for Work: Demystified

Android Browser Kitkat Content Spoofing Vulnerability

PENTAGON PERSONNEL NOW TALKING ON 'NSA-PROOF' SMARTPHONES

the NSA didn't stop the purchase since they already know how to p0wn those pones

The nightmare behind the cross platform mobile apps dream

Hiding Behind ART

DABiD The Powerful Interactive Android Debugger For Android Malware Analysis

Mobile Security News Update February 2015 part 2

Fri, 27 Feb 2015 18:13:00 GMT

Conferences

CFPs

My good friend Nick has started a campaign to support Android users in risk and will provide free iPhones to them

Nice captures of what happens with the cellular service when the President is around: 1 2.

Inside a StingRay. Matt Blaze would take your spare StingRay base unit.

The Gemalto hack by GSHQ/NSA makes a lot of sense and is pretty interesting. Stories by Wired and The Register.

Links

How Safe is Your Child's Tablet: A review of the nine most popular models

Jduck's Android cluster toolkit

Daniel's iOS pentesting and research toolkit

PowerSpy: Location Tracking using Mobile Device Power Analysis

Mobile Internet traffic hijacking via GTP and GRX

Vulnerabilities of GPRS

Python Protocol Simulator for SIM related protocols

RIM helps Google to fix Android security

Postdoctoral position in Mobile Malware Analysis

Is your phone spying on you?

An Exploration of ARM TrustZone

Apktool 2.0.0

Disassembling MobiCore Trustlets

Qualcomm TrustZone Integer Signedness bug

Mobile Security News Update February 2015

Wed, 11 Feb 2015 02:05:00 GMT

Conferences

TelcoSecDay @ Troopers

Hack in the Box Amsterdam

TelcoSecDay @ Troopers looks pretty awesome. Too bad that I can't go because of the 100% overlap with CanSec. Sadly this seems to be a new trend that a number of top conferences overlap or are so close to each other that it is impossible to attend both.

Somebody is selling fake versions of the Android Hacker's Handbook on Amazon. Indicators are missing pictures or the white book backside (original one is black).

We recently presented BabelCrypt at Financial Crypto. I would love to see a usable implementation of this. Unfortunately I don't have the time to make this happen. I would pay money for this app.

Links

Google Play Store X-Frame-Options (XFO) Gaps Enable Android Remote Code Execution (RCE)

Beemer, Open Thyself! - Security vulnerabilities in BMW's ConnectedDrive

Google Android and iOS apps now in scope for vulnerability rewards from Google

OpenBTS and Metasploit integration

Blackphone p0wnd

AndroidCensus

Adrian Ludwig's response on WebView vulns

Native Android Runtime Emulation

Can you imagine Internet service provider hijack customers' traffic to replace APKs they're downloading? Well in CN everything is possible.

giefroot: A tool to root your device using CVE-2014-7911 (by Keen Team) and CVE-2014-4322

CVE-2014-7911 - A Deep Dive Analysis of Android System Service Vulnerability and Exploitationa

Mobile Security News Update January 2015

Tue, 20 Jan 2015 17:14:00 GMT

Conferences

SyScan

Collection of Android Security Resources

This year's SyScan unfortunatelly is the last one. Very sad to see this conference go away. SyScan was the first industry conference I spoke at!

There is a new mobile specific venu Black Hat Mobile Security Summit taking place in London in June.

The problem with unpatched bugs in Android continues: Google No Longer Provides Patches for WebView Jelly Bean and Prior. This is really one of the major issues of Android security in my opinion. In 2013 I was working on a system that helps to address this issue. Details can be found here: 1 2.

Links

Android Drawer

Android app with full control over your Google account

CodeInspect says Hello World: A new Reverse-Engineering Tool for Android and Java Bytecode

fotabinder mediatek exploit for MTK devices (Made for the Hummer phone, hence the offensive app name)

HeadsUp for WhatsApp

Mobile Security News Update New Year's 2015 Edition

Fri, 02 Jan 2015 15:02:00 GMT

Conferences

Verizon's New, Encrypted Calling App Plays Nice With the NSA

31c3 Review

The Chaos Communication Congress was super fun again (no big surprise!). It was really good to see everybody again at the end of the year. As the congress is getting bigger and bigger every year it is hard to see people more once and I even missed a bunch of you guys! The talks were pretty good this year and I saw quite a few of them. Here a short overview of the mobile related talks that I actually saw live at the conference. Recordings are available: here Slides of most talks are linked in the schedule: here.

The SS7 talks were super interesting. I actually only saw 2 of the 3 talks on SS7 but I'll watch the third one once I get home. The summary of all the talks is: once you get access to SS7 you can easily track phones as often shown on TV shows. Commercial products exist to do this via SS7 (but depending on the manufacturer you cannot use it against every country). SS7-based tracking can be implemented in various ways as Karsten Nohl showed. Very interesting is the fact that IMSI Catchers can benefit from SS7 access as it can be used to access to encryption keys. This basically allows building 3G IMSI catchers. Karsten Nohl showed this live on stage (he intercepted a SMS). SS7 access can be used to steal SMS messages by redirecting the delivery path in the HLR. All in all you can conclude that organizations with SS7 access can do a lot of interesting/bad things. Luckily all the German operators already block many of the security critical SS7 messages from entering their network. SRLabs also released and Android application that analyzes the debug messages from Qualcomm-based phones to determine if your phone is in an unfriendly cellular environment. The tool is called SnoopSnitch.

Slides: 1 2

I also really enjoyed the talk from Sylvain Munaut about GMR-based Sat-Phones (specifically the technology used by Thuraya). He presented the progress of the Osmocom project's implementation of an open GMR stack. One interesting detail was that you can break the GMR crypto within 500msec using a known plain text attack against the control traffic.

Slides: 1

The talk about pagers based on the Iridium satellite network was similar interesting. The presenters build an SDR-based Iridium receiver and sniffed some paging traffic as the satellite beam covers a large region they were able to receive quite a lot of interesting messages. Yes, the traffic is not encrypted! Their code is available here.

Slides: 1

The guys from @scadasl totally rocked the 31c3 as they also gave a lighting talk on their 4G modem research. No slides unfortunately.

The talk Ich sehe, also bin ich ... Du about biometrics vs. cameras by Starbug also looked into smartphone screen reflections in your eye. He showed that you can partially determine what your screen shows and what area you touched with your finger.

The guys from the 31c3 GSM network where playing with the Alert system while I was visiting them in their NOC. One of the results is this:

Presidential Alert!! (All newer phones have this feature and you cannot turn it off) #osmocom #31c3 pic.twitter.com/dFJu19F5he
— tobias engel (@2b_as) December 29, 2014

Links

Cuckoo Sandbox for Android

Security Analysis of commonly used Android Browsers

Mobile Security News Update December 2014

Wed, 10 Dec 2014 16:59:00 GMT

Conferences

Kiwicon

31C3

Smartphones (Android) with pre-loaded malware

31C3 has an impressive number of good mobile security related talks, in addition to a lot of other good looking security talks. This will be good!

We recently finished a research project on end-to-end encryption for mobile messaging apps. The idea was to have a universal "plugin" that encrypts messages before they are handed over to the messaging app. This way you can use any messaging app with the add-on of end-to-end encryption (providing the other end has the same tool installed too). The result was BabelCrypt: The Universal Encryption Layer for Mobile Messaging Applications a joint project with my co-researchers and interns at NEU SecLab. The paper is going to be published in January 2015. A pre-print is available here: BabelCrypt.

News / Links

Word on the street is that all the cool kids are getting pagers again!

Mobile Security News Update November 2014

Sun, 23 Nov 2014 23:44:00 GMT

I'm still waiting for the 31C3 program to be released, but since I was reviewing the security submissions I can tell you that there will be a bunch of good mobile security related talks this year. As usual I will be in Hamburg to attend CCC.

So far there are no upcoming conferences that have released their program yet.

I've recently updated to Android 5.0. Overall I think it turned out quite nice. The changes related to notifications suck really badly. Apparently you cannot turn off audio and vibration but still get the visual notification (LED). I really liked the old way to set notifications: ring/vibrate/off. The extended battery time everybody is talking about I don't recognize (Nexus 5). The more tight integration with googles services sucks too. Why does it need to show my google account logo on the top right of my status bar? This is useful for what?

Links and Stories:

Android Device Inventory

Owning a computer via 4G modem an SMS

RED ALERT: Dangerous Exploit Poses Major Threat To All Android Users

Android IMSI Catcher Detector

Lollipop stops Chromium bugs from endangering Android

Android bugs:

broadAnyWhere

CVE-2014-7911: Android <5.0 Privilege Escalation using ObjectInputStream

Samsung Galaxy KNOX Android Browser RCE

Abusing Samsung KNOX to remotely install a malicious application: story of a half patched vulnerability

Mobile Security News Update October 2014

Thu, 23 Oct 2014 20:04:00 GMT

Time files, I've been super busy the last two month and will be busy until mid/end of November. I just relaized that I haven't posted anything in September at all.

Conferences

Hack.Lu

Hiding Android Applications in Images

There is again a new talk on SMS and MMS fuzzing. I really wonder what is going to be different from all the previous work?

Links

Why Samsung Knox isn't really a Fort Knox

Disable all Trusted CA CERTs on Android 4.x and later (requires root)

Android Vulnerabilities

About the Android Lollipop kill switch

Reverse engineering of a commercial spyware for ios and android

Mobile Security News Update August 2014

Sat, 30 Aug 2014 20:01:00 GMT

The Vegas week was as great as it can be as anybody knows who has this ongoing love hate relationship with the yearly pilgrimage.

The Blackphone kinda got rooted, ars on Blackphone root I had to laugh so hard when I saw Jon running around in his new t-shirt.

The SecurityCookies project was a lot of fun. I think people really liked it, likely Guillaume and I had the most fun. We will likely do this again at some point.

The iPhone is finally getting NFC iPhone 6 will reportedly feature NFC and Apple's own mobile payments platform. This should be a lot of fun cause everybody will scramble to actually build and deploy NFC now. I'm not really worried about NFC-payment insecurity but about all the other fun stuff that will be possible. Maybe I have to buy an iPhone 6 and continue my NFC work.

If I actually do get an iPhone I should also get the FLIR ONE an thermal camera case for iPhones. There are various articles about what you could do with this and I think this could be super interesting to play with.

My friend Ravi released darshak an Android app that notifies you if your phone receives silent SMS that are used for tracking your phone. It further displays current network security settings. This can be an indicator about your phone being connected to an IMSI-catcher. So far you need to have a Samsung Galaxy S3 to use this tool, but the S3 is fairly popular. I would like to see vendors providing information about phone network security parameters to the user.

Conferences

44con

SEC-T

BruCON

Links

Smartphone Kill Switch == magic smoke

Black Hat USA 2014 slides

Black Hat USA 2014 talk recordings

Smartphone 20 years ago

Linux Malware

your phone owns you

Google bans Disconnect from Play Store

August so far was my busiest month of the year, so I guess I missed a lot of what was going on.

Mobile Security News Update July 2014

Wed, 30 Jul 2014 18:43:00 GMT

Not much to say about conferences in this post since in early August everybody will be in Las Vegas. I'll post an update after the show is over.

The one thing I over read was the round tables that are going down at Black Hat. Specifically: EMBEDDED DEVICES ROUNDTABLE: EMBEDDING THE MODERN WORLD, WHERE DO WE GO FROM HERE? hosted by Don Bailey & Zach Lanier, MOBILE SECURITY ROUNDTABLE: WHAT DOES MOBILE SECURITY LOOK LIKE TODAY? WHAT WILL IT LOOK LIKE TOMORROW? hosted by Vincenzo Iozzo & Peiter Zatko and RESPONSIBLE DISCLOSURE ROUNDTABLE: YOU MAD BRO? hosted by Trey Ford look interesting.

There was a lot of fuzz about iOS backdoors. I didn't have time to go into all details but the basic facts seem to be that iOS has capabilities to exfiltrate data to paired computers. The danger seems to lie in that fact that you can steal/copy the paring from a computer. The initial slide deck from Jonathan Zdziarski are available here. There was a huge follow up discussion on twitter. Roundup from the Jonathan: 1 counter side from Violet Blue: 2 also see Dino Dai Zovi's post: 3

Links

RIM buys SecuSmart

Signal / RedPhone / TextSecure

Obfuscating Android Applications using O-LLVM and the NDK

HushSMS for Android

Blackphone firmware image

Mobile Security News Update June 2014

Tue, 24 Jun 2014 17:02:00 GMT

Conferences

SyScan 360

Mediatek-based phone reset after receiving a text message containing a =

So people are still building SMS and MMS fuzzers in 2014. I'm really interested to see what new techniques the ZDI guys came up with.

Links

Cabir (first mobile phone virus) turns 10 years this month

Towelroot

HTC Bootloader Unlock / S-OFF

Overview of Android's ART

Mobile Security News Update May 2014

Thu, 29 May 2014 18:27:00 GMT

Conferences

I'm really happy to see two talks accepted at Black Hat that investigate Mobile Device Management (MDM) systems and app wrapping security solutions. This should be quite interesting since this is more or less the state of the art when it comes to third-party mobile security applications.

Links

Linux & Android Debugging native debugging techniques

Blind Return Oriented Programming

I've been super busy in the last weeks mostly work and travel and more traveling coming up in a few days. Summer will be pretty awesome again. My talk on GUI security was accepted at Black Hat so did the talks of many of my friends. This should be a pretty epic year. Also I'm finally making it out to ToorCamp. More updates after I return from ASIA CCS.

Mobile Security News Update April 2014

Tue, 22 Apr 2014 19:38:00 GMT

Conferences

IEEE Security and Privacy

ReCon

Hack in the Box Amsterdam

HITB folks fix your website, finding talks and speakers is sooo hard I almost do not bother to do it - worst conference website I know!!

ASIA CCS

Heartbleed and Mobile

Checkout reverseheartbleed.com a heartbleed testing service for clients software (e.g., web browsers).

SMS bulk operators vulnerable to heartbleed, leak 2FA tokens see heise.de (in German)

Links

Samsung S5 fingerprint reader hacked

An Exploration of ARM TrustZone Technology

Personal notes

Duo Tech Talks

The Security of Things Forum

TOR Bleed

Thu, 17 Apr 2014 12:29:00 GMT

Update 2:

I scanned Tor starting Friday April 11th and ended Sunday April 13th. I stopped cause I got enough evidence on leaked plain text. I wasn't sure what to do with the data so I was sitting on it for a couple of days but than decided to just blog about it.

Update:

black list vulnerable nodes

Tuesday April 7th I started my own investigations of the Heartbleed issue. In this blog post I want to talk about one of the things I've been looking into that is the effect heartbleed has on TOR. TOR heavily uses SSL to encrypt traffic between the various TOR nodes. TOR was obviously vulnerable as reported by the TOR project.

For my investigation I pulled a list of about 5000 TOR nodes using dan.me.uk. Using one of the many proof-of-concept exploits I scanned the TOR nodes to determine if they are vulnerable. I found 1045 of the 5000 nodes to be vulnerable to the heartbleed bug, that is about 20%.

I briefly checked the leaked memory to determine if plain text is leaked that is related to TOR user traffic. Yes, TOR exitnodes that are vulnerable to heartbleed leak plain text user traffic. You can find anything ranging from hostnames, downloaded web content, to session IDs, etc.

The majority of the vulnerable TOR nodes are located in Germany, Russia, France, Netherlands, United Kingdom, and Japan. The TOR network has more than 5000 nodes so this is not a complete picture but it provides a good overview of the possible number of vulnerable exitnodes.

The heartbleed bug basically allows any one to obtain traffic coming in and out of TOR exitnodes (given that the actual connection that is run over TOR is not encrypted itself). Of course a malicious party could run a TOR exitnode and inspect all the traffic that passes thru it, but this requires running a TOR node in the first place. Using the heartbleed bug anyone can query vulnerable exitnodes to obtain TOR exit traffic.

There are a number of possible solutions for this problem. 1) update vulnerable TOR nodes (hopefully in progress), 2) create a blacklist of vulnerable TOR nodes and avoid them, 3) stop using TOR until all nodes are updated.

Further Steps:

Scan all TOR exitnodes to create a black list of vulnerable nodes so users can avoid them.

Notes:

One interesting thing I found is the large number of requests that seem to be originating from malware due to the domain names looking like the output of a DGA.

Links:

Heartbleed

Heartbleed disclosure timeline: who knew what and when

Android Hardening Tools

Wed, 26 Mar 2014 16:00:00 GMT

A few weeks ago I upgraded from a Galaxy Nexus to a Nexus 5. I therefore took the chance and investigated lightweight and practical device hardening tools. I didn't have anything specific in mind I just wanted to improve my overall situation. Here is what I came up with.

Basics:

Network:

App Security:

Rooting:

What's the security implication of having an unlocked boot loader?

All together I'm pretty happy with this limited set of security applications. If you think I'm missing something important please let me know.

Mobile Security News Update March 2014

Mon, 03 Mar 2014 19:04:00 GMT

Conferences

CFPs

TextSecure: secure and easy to use text (SMS) for Android (and soon iOS)

TextSecure

The New TextSecure: Privacy Beyond SMS

server

here

WebViews and Security on Android

WebView

A View to A Kill: WebView Exploitation

Dave Hartley's

very detailed blog post

WebView addJavaScriptInterface Saga

Links

TrustyCon

Apple's SSL/TLS Bug

DroidRay: A security evaluation system for customized android firmwares

Android OEMs exposing touchscreen input

Android platform fragmentation fragmentation inside HTC, ETOOMANYBROADCASTS

Mobile Security News Update for February 2014

Sat, 25 Jan 2014 21:19:00 GMT

This is an early update for February. Two reasons, I have stuff to write about right now, second I'm going to be super busy in February.

This year I attended ShmooCon for the first time. I liked it a lot and plan to go again. I didn't know ShmooCon was running for 10 years already. They seem to have a good grip on the conference and don't let it explode in size.

Conferences

Links

Oldboot: the first bootkit on Android

Android/ARM Elf Infector Proof Of Concept

[GERMANY ONLY]Get as many Big Macs as you like for free thanks to JB

The Google Play Store App Has A Hidden Debug Menu, And Here's How Rooted Users Can Access It

Python implementation of passcode hashing algorithm used on the Samsung Galaxy S4 GT-I9505 4.2.2

Android vulnerability allows data to be stolen from VPN connections

Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications

Android Emulator Detection by Observing Low-level Caching Behavior

There are a lot of interesting talks in the next month. I'm working on (and finished) some interesting projects that I can hopefully talk about soon.

Our Android book is finalized and thus should be available in April.

The Defcon CFP is already open so make sure you submit your talks early. Also checkout Area 41 a fine security conference in Switzerland, the CFP is still open.

This year I'm co-chairing ARES an academic security conference. Please consider submitting your papers.

If you are interested in NFC (Near Field Communication) check out the current draft of the Web NFC API. The standard defines how a "web page" can interact with NFC devices.

Mobile Security News Update January 2014

Sun, 05 Jan 2014 18:21:00 GMT

30C3 was awesome. A lot of good talks, many friendly people, and an awesome location. The recordings of all talks can be found here.

The slides and source for my talk Android DDI are available here: slides and source.

I was super busy so I guess I missed a lot that was going on in the 2nd half of December. I will start posting stuff again later this month.

I'm going to ShmooCon in mid January and to Troopers in March.

Advertisement: If you are a computer science student and are interested in security and want to spent some time in the US, please contact me. I'm always looking for motivated people to do research with.

Mobile Security News Update November 2013

Thu, 21 Nov 2013 18:57:00 GMT

Conferences

30c3

Bugs in Mobile Ad Libraries

News and Links

LastPass Android container PIN and auto-wipe security feature bypass (CVE-2013-5113/5114)

I bet I missed a lot of stuff that happened in the last weeks.

I'm going to be at 30c3 in Hamburg, Germany between Christmas an New Years.

Mobile Security News Update October 2013

Fri, 11 Oct 2013 16:06:00 GMT

September was a busy month, but the monthly update is back!

Conferences

HACK.LU

Nokia announces it's killing support for Symbian, MeeGo apps two years early

Missed conferences: ekopart 2013 they had a bunch of mobile (mostly Android) talks.

Links

Android malware threat is vastly exaggerated

Mobile Security News Update September 2013

Fri, 30 Aug 2013 16:25:00 GMT

Conferences:

Hack in the Box - Kuala Lumpur

BreackPoint Ruxcon

BruCON

Hackers2Hackers

Links:

A very rudimentary Android DEX file parser

An In-Depth Introduction to the Android Permission Model

darm - Efficient ARMv7 Disassembler

Android PRNG Stuff:

Some SecureRandom Thoughts

Google confirms critical Android crypto flaw used in $5,700 Bitcoin heist

OpenSSL PRNG Is Not Really Fork-safe

Predictability of Android OpenSSL's Pseudo Random Number Generator

Mobile Security News Update August 2013

Mon, 12 Aug 2013 21:14:00 GMT

Conferences:

SyScan 360

I'm going to speak at HITB in Kuala Lumpur in October. My talk will be about Dynamic Dalvik Instrumentation. I will release all my code after the talk.

CfP

30c3

Black Hat USA slides are available here.

News

Android secure random numbers are not random enough

Android malware via ad network

BlackBerry explores a sale of the company

Hacking Transcend WiFi SD Cards

This recycling bin is following you

Make sure to check out the first release of POC||GTFO

ReKey

Tue, 16 Jul 2013 10:18:00 GMT

today we finally release ReKey our hotpatching service for fixing Android's Master Key bug. We have a press release here.

ReKey was joint work of: Collin Mulliner, Jon Oberheide, William Robertson, and Engin Kirda.

more soon!

Mobile Security News Update June 2013 part 2

Tue, 25 Jun 2013 19:59:00 GMT

Conferences

CfP

Here my REcon review. I must say REcon became my favorite conference together with CanSecWest. There were to bunch of really cool talks. I always enjoy REcon talks out side of my main work area. One such talk was about old video game cabinet security: Just keep trying ! Unorthodox ways to hack an old-school hardware. I didn't find the link to the slides anymore. But pretty much 90% of the talks were good. REcon also had mobile talks. jduck's talk on Reversing and Auditing Android's Proprietary Bits was pretty good. I especially liked Wardriving from your pocket: Reversing the Broadcom chipset with Wireshark the talk was about reversing the Broadcom Wifi firmware to enable monitor mode. Their website is here: bcmon.blogspot.com. Super interesting as well was Hiding @ Depth Exploring & Subverting NAND Flash memory and Reversing HLR, HSS and SPR: rooting the heart of the Network and Mobile cores from Huawei to Ericsson. Altogether if you missed REcon you missed out!

Links

XDA-Developers

Slides on: Android Reversing and Defense

I actually decided to go to Defcon after all.

Mobile Security News Update June 2013

Wed, 12 Jun 2013 18:29:00 GMT

Conferences

Stuff

HushSMS ROOT Edition released

Waterboard: Advanced Forensic Logical Acquisition for iOS Devices

Runtime inspection for iOS apps

Exploiting Samsung Galaxy S4 Secure Boot

Android OEM applications insecurity and backdoors without permission

Is Blackberry Dead: intro to BB10 security

Anti Taint Droid

Countering SMS/mTAN Trojans

Wed, 08 May 2013 18:58:00 GMT

Together with my former colleagues Ravi, Patrick, Jean-Pierre from TU Berlin / SecT I have been working on an enhancement for mobile phones in order to protect SMS messages especially mTANs against trojans.

We investigated several ways to improve mTAN security and finally came to the conclusion that we just need to change the SMS routing on the mobile phone itself.

Basically we remove SMS messages that contain mTANs from the normal delivery queue and only deliver them to a special application. This way no other program (including trojans) can access the SMS message.

We implemented and tested our idea on Android. The paper SMS-based One-Time Passwords: Attacks and Defense will be presented at DIMVA 2013 in July in Berlin, Germany.

A demo video of the prototype is shown below:

Mobile Security News Update May 2013

Tue, 07 May 2013 17:11:00 GMT

Conferences

Some interesting upcoming talks! I guess everybody else an their moms are waiting to hear back from the Black Hat USA CfP.

SyScan'13 review

SyScan was a totally awesome event. Really good talks and lots of them. My favorite talk was: Bochspwn: Exploiting Kernel Race Conditions Found via Memory Access Patterns by Mateusz Jurczyk and Gynvael Coldwind.

News

ACLU Files FTC Complaint Over Android Smartphone Security

Links

Changing the IMEI, Provider, Model, and Phone Number in the Android emulator

Securing Two-factor Authentication for Smartphones in a Usable Way by Adding a Connected Token

Android Apps: What are they doing with your precious Internet?

Mobile Security News Update April 2013

Thu, 11 Apr 2013 21:50:00 GMT

Conferences:

HackCon

Call for Papers:

The 14th International Workshop on Information Security Applications (WISA2013)

News:

Unlocking the Motorola Bootloader

I have been super busy with work so I might missed a few things here and there. Right now I'm waiting to here back from SummerCon and Black Hat USA about talks I submitted. I'm still thinking about submitting to ReCON ;)

Mobile Security News Update March 2013 part 2

Thu, 14 Mar 2013 21:40:00 GMT

CanSecWest was pretty good this year. My favorite talks were (no order): Desktop Insecurity - Ilja van Sprundel & Shane "K2" Macaulay, Smart TV Security - SeungJin Lee, Godel's Gourd - Fuzzing for Logic Issues - Mike "dd" Eddington, and Reflecting on Reflection - Exploiting Reflection Vulnerabilities in Managed Languages - James Forshaw. I can't wait to get the slides.

Call for Papers:

Workshop on Offensive Technologies (WOOT)

SummerCon

BeaCon

I totally missed Black Hat Europe, it had some interesting talks: The M2M Risk Assessment Guide, A Cyber Fast Track Project - Don A. Bailey, Practical Attacks Against MDM Solutions - Daniel Brodie + Michael Shaulov, Off Grid Communications With Android- Meshing The Mobile World - Josh Thomas + Jeff Robble, Next Generation Mobile Rootkits - Thomas Roth.

An interesting looking paper from TROOPERS13 UI Redressing Attacks on Android Devices (apparently it was released at Black Hat Abu Dhabi last year).

News

Andy Rubin steps down as head of Android

A few android security issues

Under the Hood: Dalvik patch for Facebook for Android

Fun find by my former co-worker Matthias: Lost connection to Battery ... WTF!?!

Mobile Security Update March 2013

Mon, 04 Mar 2013 16:14:00 GMT

Review RSA

Mobile Security Battle Royale

Big Brother's Greek Tragedy State-Deployed Malware & Trojans

SC Magazine

Android certainly does support remote updates. But the problem really is that manufacturers and mobile carriers stop supporting devices after 12-18 month.

Conferences

Hack in the Box Amsterdam

New Conferences

NSC - NoSuchCon

News

HTC Settles Privacy Case Over Flaws in Phones

The Federal Trade Commission charged HTC with customizing the software on its Android- and Windows-based phones in ways that let third-party applications install software that could steal personal information, surreptitiously send text messages or enable the device's microphone to record the user's phone calls.

Personal note:

Android Hacker's Handbook

Mobile Security News Update February 2013

Thu, 31 Jan 2013 16:46:00 GMT

Conferences:

News:

The end of the line for Symbian

Android botnet abuses people's phones for SMS spam

Personal notes: I'm going to be in San Francisco during RSA, ping me if you want to chat. I'm also going to be at CanSecWest, just attending this year. Further I'm going to SyScan. I also plan to be around SourceBoston but unfortunately not attending (ticket prices vs. university etc, I'm not complaining).

Mobile Security News Update January 2013

Fri, 04 Jan 2013 14:45:00 GMT

Conferences:

Shmoocon 2013

All other upcoming conferences (SyScan, CanSecWest, SourceBoston, Infiltrate) haven't posted any talks yet.

My 29c3 conference review. The new location CCH in Hamburg is really nice. There is a lot of space and the space was used very well. Due to the space the conference was much more relaxed. This also counted for the talks. Most of the time everybody had a place to sit. One small downside of this years conference the schedule, sometimes three tech talks were running in parallel in different rooms. But all together I don't think anybody could complain about 29c3. For me personally one of the best congresses I ever attended. The recordings of the talks can be downloaded from here.

Happy New Year.

Mobile Security News Update December 2012

Wed, 12 Dec 2012 15:39:00 GMT

Conferences:

29c3

News:

Top Mobile Vulnerabilities And Exploits Of 2012

top list

Hacking Windows 8 Games

Random stuff:

Shipped-Roms.com

Android SMS Spoofer

Android DBI v0.2 (BreakPoint version)

Fri, 30 Nov 2012 21:32:00 GMT

I finally managed to release v0.2 of my Android DBI framework. The version I announced at BreakPoint and RuxCon.

New in this version: actually working Thumb support, nfc card emulation code for fuzzing.

Slides
collin_android_dbi_v02.zip

Happy hacking! Feedback is welcome!

Mobile Security News Update November 2012

Wed, 21 Nov 2012 22:23:00 GMT

The last weeks were pretty crazy for me in terms of work, but stuff got done so I have some new stuff to show next year.

Last month I've travelled to Melbourne Australia to speak at BreakPoint and RuxCon. This was my first time travelling to Australia and I must say it was good fun. BreakPoint was a good conference with some good talks and many interesting people. RuxCon was great fun too, good talks, nice friendly people. The trip was just too short.

Conferences

Black Hat Abu Dhabi

BayThreat

Nico's

Other upcoming conferences are: ShmooCon in February, CanSecWest in March, Infiltrate in April, and Source Boston also in April.

As I said, crazy weeks behind me. So I didn't see much of what happened in the mobile security space.

DIMVA 2013

Mon, 29 Oct 2012 14:46:00 GMT

I'm the Publicity Chair for the upcoming 10th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2013), thus I'm taking the liberty to announce the opening of our Call for Papers here. The conference is in July 2013 in Berlin, Germany. A good chance to travel to Berlin next summer.

DIMVA 2013 main site.
DIMVA 2013 CFP

Mobile Security News Update September 2012 part 2

Tue, 25 Sep 2012 15:18:00 GMT

First I want to talk about Ravi's awesome findings on USSD and TEL URIs (RFC 2806). Ravi was working on USSD security in general and found that on Android phones you can inject USSD codes into the phone dialer via the TEL URI handler without user interaction. Meaning you don't have to press the call button (aka the green button) to activate the USSD code. Using this he showed howto brick SIM cards and howto wipe Samsung made Android phones. The beauty about TEL URIs is that it is super easy to have them activated on a mobile phone. In 2010 I did a talk on this at CanSecWest (Random tales from a mobile phone hacker skip to the end of the talk for the TEL/SMS URI stuff). The basic technique used for this kind of attack are iframes but very well can be any other kind of URI activation method (redirects, img tag, etc.).

A video of Ravi's demo from Ekoparty is here Demo Dirty use of USSD Codes in Cellular Network en Ekoparty 2012.

Further infos:

RFC2806

iPhone/iOS auto dialer bug

This is a super fun bug class also a little bit sad that stuff like this works at all.

Second, more cool NFC/RFID mobile hacking from the good guys at Intrepidus. They investigated RFID based transit passed and wrote an Android application that can reset the pass. While the actual basic idea is not new I really like the phone as the attack tool since you always carry it around with you. Some guy could stand one the corner next to the subway entry and sell you the service of resetting your transit pass. Check out their writeup: UltraReset - Bypassing NFC access control with your smartphone

On the topic of NFC and security. The guy(s) behind RadioWarCN released an Android toolkit for messing with RFID/NFC tags. Check it out here: Radiowar Release NFC-WAR Preview. I didn't had the time to try it myself.

Conferences:

ToorCon

hwsec.net

That is it for now. I'm super busy working one a new Android security project. This will kick ass.

Mobile Security News Update September 2012

Mon, 10 Sep 2012 18:58:00 GMT

Conferences:

Links:

State of Mobile Security 2012

HushSMS got cracked again. Do I care? No! Should you? Yes! (read why)

Multiple Samsung (Android) Application Vulnerabilities

Mobile Security News Update August 2012 part

Mon, 20 Aug 2012 19:49:00 GMT

More conferences!

T2 does not seem to have any mobile stuff this year.

More upcoming CFPs should include ToorCon in San Diego but sadly it overlaps with BreakPoint. I would really like to go to ToorCon once.

It looks like I will come to NYC in November to give a talk at an event at NY-Poly. It is also likely that I will come to SF early in December.

News:

SMSZombie Malware Infecting Android Devices, Stealing Money

By now I arrived in Boston and started working at my new job at Northeastern University. So far I haven't done much in the city. I'm still looking for an apartment so if you have good pointers shoot me an email.

Mobile Security News Update August 2012

Tue, 07 Aug 2012 15:13:00 GMT

This really is the first update since May, wow I have been really busy.

Conferences:

Toorcamp

Nordic Security Conference

BruCON

BreakPoint

Source Seattle

Open CFPs: 29c3 this year in Hamburg not Berlin, a real bummer. hashdays in Lucerne, Switzerland.

General News:

supports

Black Berry

SecT

Personal news: I will move to Boston, MA in August to work as a Postdoctoral researcher at Northeastern University. I will continue doing mostly mobile security related work. Please ping me if you are doing similar work and are in the area. It seems like I know a bunch of people but don't actually know where they live.

I hope from now one to continue my biweekly mobile security news update.

Android DBI Framework Source!

Tue, 19 Jun 2012 10:04:00 GMT

I just uploaded my Android Dynamic Binary Instrumentation (DBI) framework. As I wrote before the framework is very simple. It supports hooking function entry points only. The source includes the shared library (.so) injector and the hooking/patching functionality. I also included one simple example instrument to sniff the UART communication between com.android.nfc and the NFC chip on a Galaxy Nexus.

I plan to further enhance this toolset and welcome everybody to submit patches. If there is a lot of interest I will move the source to a public archive like github.

The first release is available here: collin_android_dbi_v01.zip

To use this tool you need a Linux ARM gcc compiler such as included in the Android NDK.

Binary Instrumentation on Android

Mon, 11 Jun 2012 16:32:00 GMT

Last weekend I attended SummerCon in Brooklyn NYC and presented my take at doing binary instrumentation on Android. My way of doing instrumentation is very simple compared with other instrumentation frameworks but so far nobody build and released anything for Android / ARM so I had to build my own. Have said that I will for sure release my framework I just need a few days to do this! Please feel free to bug me about this!

So why did I start with binary instrumentation? Well I wanted to continue my NFC security research on Android. Since NFC involves extra hardware it also includes a bunch of native code and thus I started instrumenting that. The result so far was that I build an instrument that acts as an emulation layer inside com.android.nfc. This emulation layer allows me to inject payloads of RFID tags into the nfc process as if they where read from an actually tag. This is of course build for fuzzing ;-) I haven't done any real fuzzing using this so far because I just finished the tool before SummerCon. A demo video that shows tag read emulation can be seen here: nfcemuvideo.mp4

More updates on both subjects will follow soon!

SummerCon was totally awesome, many thanks to the organizers! The conference was small enough to speak to all presenters and to many of the attendees. I met like half of the US people I follow on twitter for the first time in person. How awesome is this!

Mobile Security News Update May 2012 part 2

Wed, 23 May 2012 09:58:00 GMT

Conferences:

Off-Path TCP Sequence Number Inference Attack

Papers:

Security week in Europe, we have: HITB in Amsterdam, Confidence in Krakow, BerlinSides in Berlin lets hope all the people who fly out for HITB and Confidence make it over to Berlin for the weekend.

Mobile Security News Update May 2012

Wed, 09 May 2012 10:45:00 GMT

Conferences:

Hack in The Box Amsterdam

SummerCon

Recon

Nordic Security Conference

So I will be going to SummerCon this year after all! I'm staying in NYC for a few days even after SummerCon. Ping me if you want to meet.

Other news:

20 years of SMS

Links:

R&D Into JTAG Process in Relation to Blackberry 8130

Some fun:

Free Apps Stealing your personal info

A tazer that looks like a cellphone

EOF

Mobile Security News Update April 2012

Thu, 12 Apr 2012 08:04:00 GMT

It has been a while but I was travelling a lot for work and fun so I really didn't have time.

Conferences:

Hackito Ergo Sum

SyScan Singapore

Upcoming in June without program yet: SummerCon in NYC (sadly I can't make it), Recon in Montreal (which I try to make).

On the academic front please consider submitting to WOOT one of my favorite workshops!

Mobile Security News Update February 2012 update

Fri, 10 Feb 2012 14:08:00 GMT

More conferences, and a lot of mobile stuff :-)

Source Boston

Black Hat Europe

Mobile Security News Update February 2012

Thu, 09 Feb 2012 14:38:00 GMT

Conferences:

SyScan Singapore

Database for Android Malware

Links:

Google Wallet PIN security cracked in seconds

Android.Bmaster: A Million-Dollar Mobile Botnet

An analysis of the GMR-1 and GMR-2 standards for satellite telephony. Really interesting work.

In other news. I'm done with my work in Berlin and looking to move to the US for a postdoc in the near future (location is not yet decided).

Mobile Security News Update January 2012 part 2

Mon, 16 Jan 2012 10:37:00 GMT

Conferences:

Shmoocon

Links: Infographics: Mobile Security Android vs. iOS

The video recordings from 28c3 are online. Check out Harald's talk Cellular protocol stacks for Internet, Luca's and Karsten's talk Defending mobile phones, Sylvain's talk Introducing Osmo-GMR.

Mobile Security News Update January 2012

Mon, 02 Jan 2012 20:41:00 GMT

so 2011 is history, it was a fun year for us mobile people. Many things happened many things got hacked - just great.

In the last few days I have been reading some of those security predictions for 2012 (this year!). Most of them 1 2 3 4 5 are kinda boring since these are things that are already happening. Never the less these will very likely become reality.

In the mobile area these seem to be:

Android as the target for mobile malware attacks. This is already happening as Android became the major smartphone platform last year.

Mobile Markets such as the AppStore and Android Market as a key issue problem solver in the mobile field.

More Monetization as mobile malware evolves we will see more monetization of it. This is especially interesting for everything that involves spending money using a smartphone. Not only SMS, but advertisement, in-App payment, the phone as a credit card, etc..

Happy mobile security research 2012 to everybody!

Mobile Security News Update December 2011 part 2

Tue, 20 Dec 2011 10:39:00 GMT

There was an awesome SMS bug in Windows Phone 7. This is exactly the bug class I have been looking into in the last two years. Too bad that I didn't have the time to look into Windows Phone 7.

Corrections to a news article about my research. NFC mobile threats on the horizon: What happens when we wave our wallets to pay? The article says ...malicious code could be 'injected' into the device.... I want to say that I never claimed I can do code injection through NFC. They probably misunderstood me when I said that this could be possible in the future.

It is really great to see how NFC security research is taking of this year. If I remember back to early 2008 when I did my research everybody was kinda laughing.

In other news mobile (in)security is further on the rise. So we all never loose our jobs!

Mobile Security News Update December 2011

Thu, 01 Dec 2011 10:49:00 GMT

Android root exploit for 2.3.5 and older by the Jons levitator.c

I don't get this whole Carrier IQ thing 1 2.

The people from the Intrepidus Group seem to really get into RFID and NFC. They just posted an article about using a USRP for NFC. Hopefully they release their code after they are done with their research.

In other news: I wont attend the CCC / 28c3 this year due to multiple reasons. I will stick around for the other events outside the congress. So ping we if you want to chat and/or have beers.

Mobile Security News Update November 2011

Fri, 18 Nov 2011 13:24:00 GMT

Security Mobile and RFID by Nick von Dadelszen at KiwiCon. Interesting talk on RFID attacks using the Nexus S. This does not cover NFC but is a good read. Unfortunately not many details in the slides.

Axelle Apvrille did some nice work on how to utilize OpenBTS for mobile malware analysis. Both, paper and slides, make a nice read.

Ruxcon is already on, I found one possibly interesting talk Mobile and Contactless Payment Security by Peter Fillmore. But since the con is not done yet slides are not available at the time.

SyScan Taipei has a bunch of mobile stuff. Charlie Miller on iOS code signing. Stefan Esser on iOS kernel exploitation. I'm waiting for slides as the con is just over today.

New Academic Workshop MoST on Mobile Security Technologies at IEEE S&P in May 2012.

Mobile Security News Update August 2011

Sat, 20 Aug 2011 10:58:00 GMT

I'm finally back from my two weeks in the US of A where I attended Black Hat and Defcon (19) in Vegas. This was very exhausting as always, no surprise there. But I must say the talk quality was not that high and again too many parallel tracks at Black Hat. As I see it now I will probably skip Black Hat and Defcon in the near future. After Vegas I travelled to USENIX Security in San Francisco to finally present our paper on SMS insecurity on feature phones. USENIX was quite okay - but I didn't get to enjoy it in full due to the one week of Las Vegas before :-/ To compensate for the stressful travel I attended the last two days of the CCCamp outside of Berlin. Also I only attended the lasts days the CCCamp rocked! Still one of the best events ever!

News:

So Palm is finally dead now that HP killed their WebOS devices. Although I've read something about HP wanting to continue with developing WebOS as a platform but this is kinda useless if they don't intend to sell devices running WebOS. Sad sad thing. Conferences:

Hack.lu

Hack in the Box Malaysia

hashdays

Thats this for now. I guess I missed a bunch of things during the last three weeks (two weeks of travel and one week of recovery!). If something major had happened in the mobile sec world I guess I would have heard about it ;-)

Mobile Security News Update July 2011 part 2

Mon, 18 Jul 2011 08:03:00 GMT

Not much to tell in this update since I was kinda busy with non work stuff ;-)

Conferences:

Chaos Communication Camp

Exploring Android Malware

BruCon

Links:

L4Android

L4OpenBSD

Mobile Security News Update July 2011

Mon, 11 Jul 2011 09:38:00 GMT

ZIMTO (Zeus in the Mobile) hits Android. This was long overdue since Android now more or less is the strongest smartphone platform. See Axelle Apvrille blog post on Zimto for Android.

Android malware is really a rising trend (no secret there) but the malware gets more and more interesting. Mark Balanz discovered a malware that acts as an SMS relay. Such malware has interesting possibilities to say the least.

JailBreakMe 3.0 was released a couple of days ago, again a nice user-level jailbreak for all iOS devices ;-) There is a nice article from the people of the intrepidus group on how the jailbreak works. Reversing Jailbreakme.com 4.3.3.

Conferences are all covered as far as I know.

Mobile Security News Update June 2011 part 2

Mon, 20 Jun 2011 07:40:00 GMT

Not too much happened or I just missed it because I'm way to busy these days. I'll just update my mobile conference monitor.

Conference:

Mobile Security News Update June 2011

Wed, 08 Jun 2011 12:43:00 GMT

There seems to be a massive rise in Android malware. Mostly modified versions of legit applications. Again one piece of malware [1] contains a root exploit - the one already used by DroidDream. Many of the new trojans will try sending SMS messages to premium numbers. Other SMS trojans are just funny [2] as they send jokes to every entry in the phonebook.

Conferences:

BlackHat USA

Brucon

NinjaCon / BSides vienna

ToorCon Seattle

An OpenBTS GSM replication jail for mobile malware by Axelle Apvrille Fortinet

Every since Google announced Google wallet I'm getting hammered with requests regarding NFC security. Funny part about that I just was getting back working on NFC security because of the Nexus S. First bug reports already filed ;-). Due to the new rising interest in NFC and NFC security I'll decided to give a NFC security talk at NinjaCon / BSides Vienna on June 18th.

Mobile Security News Update May 2011

Tue, 10 May 2011 10:10:00 GMT

So Foursquare has started to use NFC: Foursquare NFC checkin. This sounds like fun :-) I guess you can't seriously do harm but pranks sound possible.

Moxie is really cracking out cool Android stuff lately. He just released WhisperMonitor a personal firewall for Android.

Slides for the Android Attacks talk from Infiltrate. Really really good and complete talk on Android security.

Academic papers:

Usenix Security 2011

Conferences:

Android malware is on the rise by Timothy Armstrong and Denis Maslennikov

That is it for May I guess. Since I'll be either traveling or writing papers ;)

Mobile Security News Update April 2011 (part 2)

Tue, 26 Apr 2011 13:40:00 GMT

A nice blog post by Frank Rieger on the iPhone location logging: Was the iPhone location logging put in by quiet law-enforcement / intelligence agency request?

The talk A Million Little Tracking Devices by Don Bailey is really worth reading if you are in to GSM and GSM equipped hardware.

Whisper Systems (Moxie) released their Android FDE image for the Nexus One. Try it out and go full disk crypto on your Android phone. Whispercore.

News:

Skype for Android Leaks your Private Data

Conferences:

Recon

In other news. I'll be in SF for Oakland 2011. I'll be there a few days before the conference so ping me if you want to meet up.

Mobile Security News Update April 2011

Thu, 14 Apr 2011 07:39:00 GMT

Conferences:

SyScan Singapore

Hack in The Box Amsterdam

SourceBosten

The mTAN trojan problem finally spread over to Europe and Germany. This version is called SpyEye and comes as a developer signed Symbian application.

Nico and myself finally released our Tech Report on SMS filtering recommendations. It's available here: Countering SMS Attacks: Filter Recommendations. Feedback is welcome.

I guess I missed a bunch of stuff but right now I'm kinda busy with work ;-)

Mobile Security News Update March 2011 part 2

Thu, 17 Mar 2011 17:20:00 GMT

The BlackBerry pwnage seems to cause some trouble as RIM seems to not tell the truth (1 2) in their advisory. Lets see what happens here.

Finally the first Android mod with encrypted storage was released by Whisper Systems. This is really really cool. Now they just need to support more Android devices besides the Nexus S. But moxie told me they are adding support for more soon :-)

For those of you interested in NFC there are two interesting papers from this years NFC Conference 1) Security Vulnerabilities of the NDEF Signature Record Type 2) Practical Attacks on NFC Enabled Cell Phones.

Mobile Security News Update March 2011 (part 1 continued)

Wed, 02 Mar 2011 11:08:00 GMT

March looks busy for mobile security people ;-)

Android Malware becomes serious: The Mother Of All Android Malware Has Arrived: Stolen Apps Released To The Market That Root Your Phone, Steal Your Data, And Open Backdoor. This malware contains a root exploit. Yea, after you install the APK it roots your device.

Interesting papers (from ACM Hotmobile 2011)

MockDroid: trading privacy for application functionality on smart phones

Mobile Token-Based Authentication on a Budget

Mobile Security News Update March 2011

Tue, 01 Mar 2011 09:04:00 GMT

Very brief update, but I'm quite busy at the moment.

News:

Android Trojan found in alternative app markets

ZeuS in the Mobile is back

Conferences:

LEET'11

Why Mobile-to-Mobile Wireless Malware Won't Cause a Storm

Andbot: Towards Advanced Mobile Botnets

Mobile Security News Update February 2011 part 2

Mon, 21 Feb 2011 09:43:00 GMT

As I wrote in my last blog entry last week I attended the Mobile World Congress in Barcelona. Over all it was quite interesting, meeting old friends and people so far I knew only through email.

I also had a nice chat with Elinor Mills from CNET about Visa's NFC payment stuff at the Visa booth at MWC. Her article is here: Mobile phone e-wallets get closer to reality

In two weeks Nico and I am going to speak at CanSecWest about our feature phone SMS research. I'm really looking forward to Vancouver again.

Conferences:

New Age Attacks Against Apple's iOS (and Countermeasures)

iPhone and iPad Hacking

Project Ubertooth: Building a Better Bluetooth Adapter

SMS-o-Death

Here a collection of some ShmooCon 2011 video recordings.

Mobile Security News Update February 2011

Wed, 02 Feb 2011 11:23:00 GMT

Some comments on smartphone botnet C&C over SMS from Shmoocon 2011: this is basically a redo of my iBots paper. The only difference is the implementation for Android in place of our iPhone implementation.

Also from ShmooCon: Attacking 3G and 4G mobile telecommunications networks looks quite interesting.

Sadly I didn't find the slides for the other interesting talks, especially for TEAM JOCH and the mTan talk. Also what about the video streams from ShmooCon, were they recorded?

Interesting story: Would-Be Suicide Bomber Killed by Unexpected SMS From Mobile Carrier if this is true...

Mobile Security News Update January 2011 Part 2

Mon, 24 Jan 2011 11:08:00 GMT

Funny story on stealing SIM cards from traffic lights, Schneier has a few nice pointers on the story: here.

Don't Sacrifice Security on Mobile Devices by Chris Palmer (@ EFF) makes a nice read. Spontaneous idea: what about something like hardened android?

A story on mobile phone forensics.

A Android trojan with botnet-like features?

Conferences: