
Tuesday, April 22 2014

Mobile Security News Update April 2014

    Infiltrate has Joshua J. Drake: Researching Android Device Security with the Help of a Droid Army

    IEEE Security and Privacy (academic) has a number of papers: Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating; The Peril of Fragmentation: Security Hazards in Android Device Driver Customizations; From Zygote to Morula: Fortifying Weakened ASLR on Android

    ReCon has The Making of the Kosher Phone by Assaf Nativ (CFP not complete yet)

    Hack in the Box Amsterdam has Shellcodes for ARM: Your Pills Don't Work on Me, x86; Exploring and Exploiting iOS Web Browsers; State of the ART: Exploring the New Android KitKat Runtime; On Her Majesty's Secret Service: GRX and a Spy Agency (HITB folks, fix your website; finding talks and speakers is sooo hard I almost do not bother to do it - worst conference website I know!!)

    ASIA CCS (academic) has a number of papers: Timothy Vidas, Nicolas Christin: Evading Android Runtime Analysis via Sandbox Detection; Collin Mulliner, William Robertson, Engin Kirda: VirtualSwindle: An Automated Attack Against In-App Billing on Android; Min Zheng, Mingshen Sun, John C.S. Lui: DroidRay: A Security Evaluation System for Customized Android Firmwares; Wenbo Yang, Juanru Li, Yuanyuan Zhang, Yong Li, Junliang Shu, Dawu Gu: APKLancet: Tumor Payload Diagnosis and Purification for Android Applications

Heartbleed and Mobile
    Heartbleed and Android [1]: I couldn't find any detailed discussion of Android itself or Android apps being vulnerable to the Heartbleed attack. Sure, some apps are linked against vulnerable versions of OpenSSL, but I couldn't find any attack description. If you know anything specific, please email me!

    Check out reverseheartbleed.com, a Heartbleed testing service for client software (e.g., web browsers).

    SMS bulk operators vulnerable to Heartbleed, leak 2FA tokens; see heise.de (in German).

Personal notes
    I'll be speaking at Duo Tech Talks in Ann Arbor, MI (this will be an IoT-related talk).

    I'm on a panel about Internet of Things security at The Security of Things Forum in Cambridge, MA.

    Mid to end of May I'll spend some time in the Bay Area for IEEE S&P, with plenty of time afterward to hang out.

    I'm also planning to go to ToorCamp, who else is going?