Smartphone Insecurity
Uploaded by georgia-weidman (category: Technology)
Transcript of Smartphone Insecurity
Smartphone Insecurity
• Georgia Weidman
Agenda
Smartphone Security Basics
Common Attack Vectors and Examples
Mitigation Strategies
Common vulnerabilities in 3rd party apps
Attack strategies against apps
Secure coding practices for developing apps
What is a smartphone?
What’s on your phone
Personal info
Work info
Location info
Account info
Do We Need Privacy? (SMS examples)
“Hi meet me for lunch”
“Meet me for lunch while my wife is out”
“Here is your bank account credentials”
Attacks on Privacy (Infrastructure)
Cell Network
Attacks on Privacy (Infrastructure)
Cell Network
Encryption??
Is GSM traffic encrypted?
SMS PDU: 07914140540510F1040B915117344588F100000121037140044A0AE8329BFD4697D9EC37
Is GSM traffic encrypted?
Sending Number: 1-571-435-4881 Data: hellohello
2G (EDGE)
Bad crypto:
Encryption only between the phone and the base station
Algorithms breakable
No authentication of base stations
Attacks on Privacy (Infrastructure)
Cell Network
Research by: Chris Paget
Breaking 2G Crypto
Break session key to get on the network
A5/2 trivial to break
Karsten Nohl broke A5/1 in 2009 in minutes
Who cares about EDGE anyway?
Still deployed
By default phones will drop back to EDGE
Is anyone on EDGE right now?
Mitigation Strategies
Replace 2G
Option to turn off 2G on phones
Encrypt data on phones before sending
Attacks on Privacy (Platform)
Attackers know how to attack these platforms
Rooting/Jailbreaking
Exploiting kernel/platform flaws
Client side attacks
Gain system level privileges similarly to PC platforms
JailbreakMe 3.0
iPhone jailbreak
Client side flaw in PDF (Mobile Safari)
Kernel exploit
Research by Comex
Rootstrap
Android app loads kernel exploits
Loads code dynamically
Runs native code
Packaged with interesting app
Research by: Jon Oberheide
DroidDream
Android app in the market
Rooted phones via kernel exploits
Stole information
Ran up charges
In the Wild
Payload example: SMS botnet
SMS PDU
SMS PDU: 07914140540510F1040B915117344588F100000121037140044A0AE8329BFD4697D9EC37
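The raw PDU on this slide is the same one shown on the "Is GSM traffic encrypted?" slides, where it decodes to the sending number 1-571-435-4881 and the text "hellohello". The decoder below is an added example, not code from the talk; it assumes a single SMS-DELIVER PDU with a leading SMSC field and no user-data header (the shape a GSM modem hands back in PDU mode), treats the two-digit year as 20xx, and ignores the timezone octet. Everything it recovers is read straight from the bytes: the PDU itself carries no encryption, so whatever the air interface fails to protect is readable by anyone holding the frame.

```python
"""SMS-DELIVER PDU decoder (added example, not code from the slides).

Assumes one un-concatenated SMS-DELIVER PDU with a leading SMSC field and
no user-data header.
"""

# GSM 03.38 default 7-bit alphabet, indexed by septet value 0x00..0x7F.
GSM7_ALPHABET = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmnopqrstuvwxyzäöñüà"
)


def decode_semi_octets(hex_digits: str) -> str:
    """Swap each pair of BCD nibbles and drop the trailing 'F' filler."""
    swapped = "".join(hex_digits[i + 1] + hex_digits[i]
                      for i in range(0, len(hex_digits), 2))
    return swapped.rstrip("F")


def unpack_gsm7(packed: bytes, septet_count: int) -> str:
    """Unpack 7-bit septets stored LSB-first across octets (GSM 03.38)."""
    acc, nbits, septets = 0, 0, []
    for octet in packed:
        acc |= octet << nbits
        nbits += 8
        while nbits >= 7 and len(septets) < septet_count:
            septets.append(acc & 0x7F)
            acc >>= 7
            nbits -= 7
    return "".join(GSM7_ALPHABET[s] for s in septets)


def format_address(digits: str, type_of_address: int) -> str:
    """Prefix '+' when the type-of-number bits (6..4) say 'international'."""
    return ("+" if (type_of_address & 0x70) == 0x10 else "") + digits


def parse_sms_deliver(pdu_hex: str) -> dict:
    pdu_hex = pdu_hex.strip().upper()
    pos = 0

    def take(octets: int) -> str:
        nonlocal pos
        chunk = pdu_hex[pos:pos + 2 * octets]
        if len(chunk) != 2 * octets:
            raise ValueError("truncated PDU")
        pos += 2 * octets
        return chunk

    smsc_len = int(take(1), 16)                     # octets, including TOA
    smsc_field = take(smsc_len)
    smsc = (format_address(decode_semi_octets(smsc_field[2:]), int(smsc_field[:2], 16))
            if smsc_len else "")

    first_octet = int(take(1), 16)
    if (first_octet & 0x03) != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    if first_octet & 0x40:
        raise ValueError("user-data header present; not handled here")

    sender_digits = int(take(1), 16)                # digit count, not octets
    sender_toa = int(take(1), 16)
    sender = format_address(decode_semi_octets(take((sender_digits + 1) // 2)), sender_toa)

    protocol_id = int(take(1), 16)
    data_coding = int(take(1), 16)
    ts = decode_semi_octets(take(6))                # YYMMDDhhmmss, nibble-swapped
    take(1)                                         # timezone octet, ignored here
    timestamp = f"20{ts[0:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:12]}"

    udl = int(take(1), 16)                          # septets for 7-bit, octets otherwise
    user_data = bytes.fromhex(pdu_hex[pos:])

    if (data_coding & 0x0C) == 0x00:                # general group: GSM 7-bit
        text = unpack_gsm7(user_data, udl)
    elif (data_coding & 0x0C) == 0x08:              # general group: UCS-2
        text = user_data[:udl].decode("utf-16-be")
    else:                                           # 8-bit binary: leave as hex
        text = user_data[:udl].hex()

    return {"smsc": smsc, "sender": sender, "timestamp": timestamp,
            "protocol_id": protocol_id, "dcs": data_coding, "text": text}


# The PDU shown on the slides.
SLIDE_PDU = "07914140540510F1040B915117344588F100000121037140044A0AE8329BFD4697D9EC37"

if __name__ == "__main__":
    for key, value in parse_sms_deliver(SLIDE_PDU).items():
        print(f"{key:>12}: {value}")
```

Run against the slide's PDU it returns sender +15714354881 and text "hellohello", matching the decoded slide. The same routine is what a bot in the payload example would run on every incoming message before looking for its key, which is why the defender-side signal is not the message content but an app holding RECEIVE_SMS that consumes messages the user never sees.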
How the Botnet Works
1. Bot Receives a Message
2. Bot Decodes User Data
3. Checks for Bot Key (Swallows Message)
4. Performs Functionality
Demo
Demo of Botnet Payload
Mitigations for Platform Attacks
Updating
Better sandboxing
Vigilance from users
App attacks on privacy
App Stores
iPhone
Expensive
Closed
Identity verified
Android
Cheap
Self Signed
Open
Anonymous
Android Permission Model
Specifically request permissions
Users must accept at install
Send SMS, Receive SMS, GPS location
App attacks on privacy
Is this system working? Are users making good decisions about apps?
Top Android App of All Time
Demo
Demo: App Abusing Permissions
App Attacks Mitigations
Oversight on apps
Analysis of permissions
User awareness
Vulnerabilities in Android Apps
No coding standards for Android apps
Badly coded apps
Data Leak
Permission Leak
Data Leak
Access to sensitive data
Insecure storage
sdcard
World readable
Stored in source code
Return to the Source
Free tools available
Complete source available
Don’t store secrets here
Demo
DEMO: Abusing bad storage practices
Mitigating this risk
Store sensitive data privately
Don’t use the sdcard
Don’t put secrets in source code
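The "Data Leak" and "Return to the Source" slides name three storage mistakes: data on the sdcard, world-readable files in the app's own directory, and secrets baked into source that any free decompiler recovers. The script below is an added example, not code from the talk, for checking a copy of an app's files you already have locally (a pulled data directory plus decompiled sources). The directory tree, file modes and the API_KEY literal it builds are constructed for the demo; the external-storage roots and the regex are assumptions, not a complete list.

```python
"""Audit pulled app files for the storage mistakes the slides describe.

Added example, not from the talk. The sample tree is constructed for the demo.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Assignment to a name containing key/secret/password/token with a quoted
# value of at least 8 characters (assumed heuristic, tune for your code base).
SECRET_ASSIGNMENT = re.compile(
    r'(?i)\b(\w*(?:api_?key|secret|password|passwd|token)\w*)\s*=\s*"([^"]{8,})"')

# On-device paths that live outside the per-app sandbox (assumed list).
EXTERNAL_ROOTS = ("/sdcard", "/mnt/sdcard", "/storage/emulated")


def find_world_readable(root: Path) -> list:
    """Files under root whose 'other' read bit is set: any app can read them."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.stat().st_mode & stat.S_IROTH:
            hits.append(str(path.relative_to(root)))
    return hits


def find_hardcoded_secrets(root: Path, suffixes=(".java", ".kt", ".smali", ".xml")) -> list:
    """(relative path, variable name) for each secret-looking literal in source."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            for match in SECRET_ASSIGNMENT.finditer(path.read_text(errors="ignore")):
                hits.append((str(path.relative_to(root)), match.group(1)))
    return hits


def on_external_storage(device_path: str) -> bool:
    """True when an on-device path is under external storage (no sandbox)."""
    return any(device_path == r or device_path.startswith(r + "/") for r in EXTERNAL_ROOTS)


def build_sample_tree() -> Path:
    """Constructed sample: a private file, a world-readable file, a secret in source."""
    root = Path(tempfile.mkdtemp(prefix="storage-audit-"))
    private = root / "files" / "session.db"
    private.parent.mkdir()
    private.write_text("session data")
    os.chmod(private, 0o600)           # owner only: what the slides recommend
    leaky = root / "files" / "prefs.xml"
    leaky.write_text('<map><string name="user">alice</string></map>')
    os.chmod(leaky, 0o644)             # world readable: any app on the phone reads it
    src = root / "src" / "Config.java"
    src.parent.mkdir()
    src.write_text('public class Config {\n'
                   '    static final String API_KEY = "EXAMPLE-NOT-A-REAL-KEY-1234";\n'
                   '}\n')
    os.chmod(src, 0o600)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    print("world readable:", find_world_readable(sample))
    print("secrets in source:", find_hardcoded_secrets(sample))
    print("on sdcard:", on_external_storage("/sdcard/Android/data/com.example/cache.db"))
```

The three checks map onto the three mitigations on this slide: a file that fails find_world_readable should have been written with private mode, a path that on_external_storage flags should have been under the app's own data directory, and anything find_hardcoded_secrets reports is already in the hands of anyone who downloaded the APK.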
Permission leak through components
Other apps can call public components
That’s a reason Android is awesome
If not used safely, this can be dangerous
Demo
DEMO: Stealing permissions from exposed components
Mitigating This Risk
Require permissions to access components
Use custom permissions
Don’t have dangerous functionality accessible without user interaction
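Whether a component leaks its app's permissions, and whether the fixes on this slide are in place, is mostly a manifest question: is the component exported, does android:permission guard it, and if that is a custom permission, what protectionLevel does it carry. The audit script below is an added example, not from the talk; it covers the "Android Permission Model" and "Permission leak through components" slides together. It uses Python's standard xml.etree and the real manifest attributes (android:exported, android:permission, android:protectionLevel); the sample manifest, package name and component names are constructed for the demo, and the exported default it applies (an intent-filter implies exported when the attribute is absent) is the long-standing manifest rule.

```python
"""Audit an AndroidManifest.xml for exposed components and risky permissions.

Added example, not from the slides. The sample manifest is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Permissions the talk singles out as privacy-relevant (assumed shortlist).
SENSITIVE_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
}


def attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component) -> bool:
    """Explicit android:exported wins; otherwise an <intent-filter> means exported."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def audit_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    requested = {attr(u, "name") for u in root.iter("uses-permission")}
    declared = {attr(p, "name"): attr(p, "protectionLevel") or "normal"
                for p in root.iter("permission")}
    findings = {
        "sensitive_permissions": sorted(requested & SENSITIVE_PERMISSIONS),
        "unprotected_exported": [],     # any app can call these: permission leak
        "weak_custom_permissions": [],  # guarded, but by a permission any app gets
    }
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if not is_exported(comp):
                continue
            guard = attr(comp, "permission")
            label = f"{tag}:{attr(comp, 'name')}"
            if guard is None:
                findings["unprotected_exported"].append(label)
            elif declared.get(guard) == "normal":
                # A 'normal' custom permission is granted to any app that requests it.
                findings["weak_custom_permissions"].append(label)
    return findings


# Constructed sample: one leaky receiver, one correctly guarded service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <permission android:name="com.example.demo.CALL_SENDER"
              android:protectionLevel="signature"/>
  <application>
    <!-- Exported by its intent-filter and unguarded: rides on our SEND_SMS. -->
    <receiver android:name=".SmsSenderReceiver">
      <intent-filter><action android:name="com.example.demo.SEND"/></intent-filter>
    </receiver>
    <!-- Exported, but callers must hold a signature-level custom permission. -->
    <service android:name=".SmsSenderService" android:exported="true"
             android:permission="com.example.demo.CALL_SENDER"/>
    <!-- Internal only. -->
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

The receiver is the case the slide warns about: the app holds SEND_SMS, the receiver is reachable by any other app, so that app effectively gains SEND_SMS without ever asking the user. The service shows the fix: exported, but only to callers that hold a signature-level custom permission, which in practice means apps signed with the same key.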
Contact
Georgia Weidman
Security Consultant, Researcher, Trainer
Website: http://www.georgiaweidman.com
Slides: http://www.slideshare.net/georgiaweidman
Email: [email protected]
Twitter: @georgiaweidman