Android and mobile security (for developers)


Slide 1. Android and mobile security (for developers). Igor Falcomatà, CTO, Enforcer. -Italy Day2012, Rome, 23 November 2012. Copyright The Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The Foundation

Slide 2. Professional activity: vulnerability analysis and penetration testing (~13 years), security consulting, training. Other: sikurezza.org, (F Er bz)lug. Free advertising >


Slide 4. Architectures: ARM (MIPS, x86, ..). Kernel: Linux kernel 2.6.x (Android 1, 2 and 3.x), Linux kernel 3.0.x (Android 4.x). Standard components and drivers: FS, processes, permissions; standard vulnerabilities ;). Custom components: binder, ashmem, pmem, logger, wakelocks, OOM, alarm timers, paranoid network security, gpio, ..; Android and vendor custom hw drivers: new vulnerabilities to be discovered ;)

Slide 5. Sandbox (OS level): sandboxing with Linux uid/gid + kernel patches (protected APIs); 1 process = 1 application = 1 VM (+ OS components); protected APIs for hardware access (camera, GPS, bluetooth, telephony, SMS/MMS, network connections); root = root (full access). Libraries: bionic libc (!= GNU libc, !POSIX); udev, WebKit, OpenGL, SQLite, crypto, .. (& bugs). Dalvik VM (!= JVM): Java code -> dex bytecode; custom Java libraries; can launch native code (syscalls, ioctls, ..) -> kernel.

Slide 6. Same content as slide 5, with the quote overlaid: "Like all security features, the Application Sandbox is not unbreakable. However, to break out of the Application Sandbox in a properly configured device, one must compromise the security of the Linux kernel."

Slides 7-8. Diagram: 3G user; 3rd party; Mr. MobileMalicious.

Slide 9. (3rd party, Mr. MobileMalicious, 3G user.) Vectors: chat, links on social networks, MiTM / DNS spoofing / .. Exploit: malicious site -> app (pwned) -> kernel (pwned) -> r00t!!

Slide 10. (3rd party, Mr. MobileMalicious, 3G user.) Classic client-side attack: exploit app/lib (WebKit, ..), arbitrary code exec -> kernel (syscalls, ioctls, ..). A no-win situation; but that is not our concern here...: root -> complete control, access to every app's data.

Slides 11-12. Diagram: 3rd party; Mr. MobileMalicious; 3G user.

Slide 13. (3rd party, Mr. MobileMalicious, 3G user.) root -> complete control: personal data (mail, documents, contacts, calendar, ..); interception (audio, video, messaging, network, ..); geolocation (photos, social networks, ..); credentials (sites, mail, VPN, ..); cloud storage.

Slide 14. Diagram: Mr. MobileMalicious.

Slide 15. Bring Your 0wned Device. Mr. MobileMalicious: OOB covert channel (UMTS/GPRS/SMS/..).

Slides 16-18. Image slides; slide 18 introduces Mr. WifiMiTM.

Slide 19. Mr. WifiMiTM: no HTTPS (ouch); MiTM; hotspots; rogue APs.

Slides 20-21. Diagram: Mr. WifiMiTM.

Slide 22. Mr. WifiMiTM, MiTM (browser): no SSL? traffic mangling. SSL? the user continues past the warning? game over.

Slide 23. Mr. WifiMiTM, MiTM (app): no SSL? traffic mangling. SSL? the app verifies the certificate? OK! the app does not verify the certificate? game over.
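The two branches of slide 23, as an added example that is not part of the talk's slides. The first method shows the anti-pattern that makes an app fail the "does the app verify the certificate?" test: a trust manager whose checks are empty plus a hostname verifier that accepts every host, so a rogue AP that terminates TLS with any certificate is accepted silently. The other two methods show the hardened form as described in the Android platform's own HTTPS guidance: the platform default validation left untouched, and a variant that builds a trust manager from the CA the app ships with, which pins connections to that CA. The class name, method names and the `ca.pem` resource name are illustrative assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Illustrative class (assumed name); not code from the talk.
public final class TlsExamples {

    // ANTI-PATTERN (slide 23, "the app does not verify the certificate"):
    // every server chain and every hostname is accepted, so a hotspot or
    // rogue AP presenting its own certificate produces no error at all.
    // Kept here so the defect is recognisable during code review.
    public static HttpsURLConnection insecureConnection(URL url)
            throws IOException, GeneralSecurityException {
        TrustManager[] trustEverything = new TrustManager[] {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustEverything, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true); // any host passes
        return conn;
    }

    // HARDENED (slide 23, "the app verifies the certificate? OK!"):
    // no custom trust manager and no custom hostname verifier, so the
    // platform validates the chain against the system trust store and
    // checks that the certificate matches url.getHost().
    public static HttpsURLConnection defaultConnection(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    // HARDENED + PINNED: trust only the CA bundled with the app (e.g. a
    // PEM resource, assumed here to be named ca.pem). A chain issued by
    // any other CA, including a public one used by a MiTM box, fails
    // checkServerTrusted. Hostname verification stays at the platform default.
    public static HttpsURLConnection pinnedConnection(URL url, InputStream caPem)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(caPem);

        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);               // empty in-memory store
        keyStore.setCertificateEntry("pinned-ca", ca);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);                      // trust anchors = only our CA

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLSocketFactory factory = ctx.getSocketFactory();

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(factory);
        return conn;
    }
}
```

Each method returns a connection that has not yet been opened; the caller issues the request as usual. When reviewing an app for the slide 23 failure, the markers to look for are an `X509TrustManager` whose `checkServerTrusted` body is empty or only logs, and a `HostnameVerifier` that returns `true` unconditionally; the pinned variant fails closed on a MiTM certificate and is the form a developer should reach for when the backend uses a private CA.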

Slide 24. Mr. WifiMiTM: game over = traffic mangling; sniffing (credentials, data); reverse engineering of traffic/protocols (business logic, API/URL analysis, rogue/fake app); HTML-like client-side attacks (injection of JS & co., client-side injection).

Slides 25-26. https://threatpost.com/en_us/blogs/research-shows-serious-problems-android-app-ssl-implementations ... in 2012?!?!

Slide 27. download .apk (install app). (Mr. MobileMalicious, 3G user.)

Slide 28. Mr. MobileMalicious, .apk: download (market, install, adb pull); extraction (dex2jar, apk-extractor, ..); analysis (resources, manifest, ..); decompilation (jd-gui, ypjd, ..).

Slides 29-31. Diagram: Mr. MobileMalicious; 3G user.

Slide 32. Mr. MobileMalicious, .apk analysis: business logic; broken/no auth; broken/no session management; credentials/certificates; private URLs/APIs. HTTP/JSON/XMLRPC/WS/..: SQL injection; path traversal; broken/no auth/session management. Custom/other protocols: reverse engineering, see above.

Slides 33-35. Diagram: Mr. MobileMalicious; 3G user.

Slide 36. https://www.owasp.org/index.php/_mobile_security_project#tab=top_ten_mobile_risks

Slides 37-39. bonus track :)

Slide 40. Diffusion and jeopardization (AUGH!); sources (AOSP), docs, SDK, NDK, emulator, ...; .apk: decompilation, reversing, debugging; OS updates, alternative apps and markets; application permissions delegated to the users; Linux kernel, ~Linux userspace and libraries (and bugs); exploit mitigation techniques (fail) (< 2.3, < 4.0.3); OOB covert channel (UMTS/GPRS, SMS, ..); little-explored territory: custom OS/libs, hw drivers.

Slide 41. Personal data (mail, documents, contacts, calendar, ..); interception (audio, video, messaging, network, ..); geolocation (photos, social networks, ..); credentials (sites, mail, VPN, ..); cloud storage; HTML-like client-side attacks; "EvilApp wants to eat your soul.. Install? YES!!!"; BY0D (Bring Your 0wned Device); banking OTP ($$); NFC ($$).

Slide 42. Private URLs and web services; business logic exposed (client-side); -> device -> credentials -> back-end; -> device -> storage -> back-end; hard-coded credentials and certificates (.apk); no/lazy input validation; no/broken authentication & session management; the good ole web security vulns.

Slide 43. Android and mobile security (for developers). Igor Falcomatà, CTO, Enforcer. -Italy Day2012, Rome, 23 November 2012. Questions? Copyright The Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The Foundation. Webography, see:

Android e mobile security

Android e mobile security Android e mobile security relatore: Igor Falcomatà client side, server side, privacy do android malware writers dream of electric sheep? Linux Day 2012 Firenze free advertising > Android e mobile security:

More information

0wn1ng the Enterprise 2.0

0wn1ng the Enterprise 2.0 0wn1ng the Enterprise 2.0 relatore: Igor Falcomatà nuove tipologie di attacco alle reti aziendali nell'epoca dei social network e del web 2.0 Broadband Business Forum 25 nov 09 - Roma free advertising

More information

The Hacker's Corner. Privacy e sicurezza.. ..per giornalisti in rete. Igor Falcomatà koba@sikurezza.org

The Hacker's Corner. Privacy e sicurezza.. ..per giornalisti in rete. Igor Falcomatà koba@sikurezza.org The Hacker's Corner International Journalism Festival Perugia 2 maggio 2014 Privacy e sicurezza....per giornalisti in rete Igor Falcomatà koba@sikurezza.org Sempre più spesso emerge come i giornalisti

More information

Overview. The Android operating system is like a cake consisting of various layers.

Overview. The Android operating system is like a cake consisting of various layers. The Android Stack Overview The Android operating system is like a cake consisting of various layers. Each layer has its own characteristics and purpose but the layers are not always cleanly separated and

More information

Android Architecture. Alexandra Harrison & Jake Saxton

Android Architecture. Alexandra Harrison & Jake Saxton Android Architecture Alexandra Harrison & Jake Saxton Overview History of Android Architecture Five Layers Linux Kernel Android Runtime Libraries Application Framework Applications Summary History 2003

More information

Pentesting Android Apps. Sneha Rajguru (@Sneharajguru)

Pentesting Android Apps. Sneha Rajguru (@Sneharajguru) Pentesting Android Apps Sneha Rajguru (@Sneharajguru) About Me Penetration Tester Web, Mobile and Infrastructure applications, Secure coding ( part time do secure code analysis), CTF challenge writer (at

More information

Overview of CS 282 & Android

Overview of CS 282 & Android Overview of CS 282 & Android Douglas C. Schmidt d.schmidt@vanderbilt.edu www.dre.vanderbilt.edu/~schmidt Institute for Software Integrated Systems Vanderbilt University Nashville, Tennessee, USA CS 282

More information

Android Programming and Security

Android Programming and Security Android Programming and Security Dependable and Secure Systems Andrea Saracino andrea.saracino@iet.unipi.it Outlook (1) The Android Open Source Project Philosophy Players Outlook (2) Part I: Android System

More information

CompTIA Mobile App Security+ Certification Exam (Android Edition) Live exam ADR-001 Beta Exam AD1-001

CompTIA Mobile App Security+ Certification Exam (Android Edition) Live exam ADR-001 Beta Exam AD1-001 CompTIA Mobile App Security+ Certification Exam (Android Edition) Live exam ADR-001 Beta Exam AD1-001 INTRODUCTION This exam will certify that the successful candidate has the knowledge and skills required

More information

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus Mobile Application Hacking for Android and iphone 4-Day Hands-On Course Syllabus Android and iphone Mobile Application Hacking 4-Day Hands-On Course Course description This course will focus on the techniques

More information

Programming the Android Platform. Logistics

Programming the Android Platform. Logistics Programming the Android Platform CMSC498G Logistics Professor Adam Porter 4125 AVW aporter@cs.umd.edu Course meets W 3:00 3:50 in CSI 3118 1 Goals Learn more about Mobile devices Mobile device programming

More information

An Introduction to Android. Huang Xuguang Database Lab. Inha University 2009.11.2 Email: xuguanghuang@yahoo.cn

An Introduction to Android. Huang Xuguang Database Lab. Inha University 2009.11.2 Email: xuguanghuang@yahoo.cn An Introduction to Android Huang Xuguang Database Lab. Inha University 2009.11.2 Email: xuguanghuang@yahoo.cn Outline Background What is Android? Development for Android Background Internet users and Mobile

More information

Android Mobile Application Hacking Penetration Testing. 3-Day Hands-On Course. Course Syllabus

Android Mobile Application Hacking Penetration Testing. 3-Day Hands-On Course. Course Syllabus Android Mobile Application Hacking Penetration Testing 3-Day Hands-On Course Course Syllabus Android mobile application hacking 3-day hands on course Course description This course will focus on the techniques

More information

An Introduction to Android

An Introduction to Android An Introduction to Android Michalis Katsarakis M.Sc. Student katsarakis@csd.uoc.gr Tutorial: hy439 & hy539 16 October 2012 http://www.csd.uoc.gr/~hy439/ Outline Background What is Android Android as a

More information

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK John T Lounsbury Vice President Professional Services, Asia Pacific INTEGRALIS Session ID: MBS-W01 Session Classification: Advanced

More information

Running Android Applications on BlackBerry 10 developer.blackberry.com/android

Running Android Applications on BlackBerry 10 developer.blackberry.com/android Running Android Applications on BlackBerry 10 developer.blackberry.com/android James Dreher Application Development Consultant BlackBerry Developer Relations Overview BB Runtime for Android Apps Upcoming

More information

Hacking your Droid ADITYA GUPTA

Hacking your Droid ADITYA GUPTA Hacking your Droid ADITYA GUPTA adityagupta1991 [at] gmail [dot] com facebook[dot]com/aditya1391 Twitter : @adi1391 INTRODUCTION After the recent developments in the smart phones, they are no longer used

More information

ANDROID OPERATING SYSTEM

ANDROID OPERATING SYSTEM ANDROID OPERATING SYSTEM Himanshi Grover,Devesh Agrawal IT Department, Dronacharya College Of Engg Gurgaon,Haryana,India Abstract - Android has become need rather than luxury these days. The computing

More information

Introduction to Android

Introduction to Android Introduction to Android Poll How many have an Android phone? How many have downloaded & installed the Android SDK? How many have developed an Android application? How many have deployed an Android application

More information

Advanced ANDROID & ios Hands-on Exploitation

Advanced ANDROID & ios Hands-on Exploitation Advanced ANDROID & ios Hands-on Exploitation By Attify Trainers Aditya Gupta Prerequisite The participants are expected to have a basic knowledge of Mobile Operating Systems. Knowledge of programming languages

More information

A Look at a Modern Mobile Security Model:

A Look at a Modern Mobile Security Model: A Look at a Modern Mobile Security Model: Google's Android Platform Jon Oberheide University of Michigan March 18, 2009 Introduction Jon Oberheide Security researcher and PhD candidate Advisor: Farnam

More information

Software development. Development requirements. Java. Android SDK. Eclipse IDE (optional)

Software development. Development requirements. Java. Android SDK. Eclipse IDE (optional) Android Programming Software development Development requirements Java Android SDK Eclipse IDE (optional) Software development IDE and Tools Android SDK Class Library Developer Tools dx Dalvik Cross-Assembler

More information

Reversing Android Malware

Reversing Android Malware Reversing Android Malware The Honeynet Project 10 th Annual Workshop ESIEA PARIS.FR 2011-03-21 MAHMUD AB RAHMAN (MyCERT, CyberSecurity Malaysia) Copyright 2011 CyberSecurity Malaysia MYSELF Mahmud Ab Rahman

More information

ITG Software Engineering

ITG Software Engineering Basic Android Development Course ID: Page 1 Last Updated 12/15/2014 Basic Android Development ITG Software Engineering Course Overview: This 5 day course gives students the fundamental basics of Android

More information

Example of Standard API

Example of Standard API 16 Example of Standard API System Call Implementation Typically, a number associated with each system call System call interface maintains a table indexed according to these numbers The system call interface

More information

Basic Trends of Modern Software Development

Basic Trends of Modern Software Development DITF LDI Lietišķo datorsistēmu programmatūras profesora grupa e-business Solutions Basic Trends of Modern Software Development Mobile Development Trends Need an App... 3 4 Popular Devices in Latvia

More information

QUIRE: : Lightweight Provenance for Smart Phone Operating Systems

QUIRE: : Lightweight Provenance for Smart Phone Operating Systems QUIRE: : Lightweight Provenance for Smart Phone Operating Systems Dan S. Wallach Rice University Joint work with Mike Dietz, Yuliy Pisetsky, Shashi Shekhar, and Anhei Shu Android's security is awesome

More information

Lecture 17: Mobile Computing Platforms: Android. Mythili Vutukuru CS 653 Spring 2014 March 24, Monday

Lecture 17: Mobile Computing Platforms: Android. Mythili Vutukuru CS 653 Spring 2014 March 24, Monday Lecture 17: Mobile Computing Platforms: Android Mythili Vutukuru CS 653 Spring 2014 March 24, Monday Mobile applications vs. traditional applications Traditional model of computing: an OS (Linux / Windows),

More information

Pentesting Mobile Applications

Pentesting Mobile Applications WEB 应 用 安 全 和 数 据 库 安 全 的 领 航 者! 安 恒 信 息 技 术 有 限 公 司 Pentesting Mobile Applications www.dbappsecurity.com.cn Who am I l Frank Fan: CTO of DBAPPSecurity Graduated from California State University as a Computer

More information

An Introduction to Android Application Development. Serdar Akın, Haluk Tüfekçi

An Introduction to Android Application Development. Serdar Akın, Haluk Tüfekçi An Introduction to Android Application Serdar Akın, Haluk Tüfekçi ARDIC ARGE http://www.ardictech.com April 2011 Environment Programming Languages Java (Officially supported) C (Android NDK Needed) C++

More information

AppUse - Android Pentest Platform Unified

AppUse - Android Pentest Platform Unified AppUse - Android Pentest Platform Unified Standalone Environment AppUse is designed to be a weaponized environment for Android application penetration testing. It is a unique, free, and rich platform aimed

More information

OWASP NZ Day 2011 Testing Mobile Applications

OWASP NZ Day 2011 Testing Mobile Applications OWASP NZ Day 2011 Testing Mobile Applications Presenter: Nick von Dadelszen Date: 7 th July 2011 Company: Lateral Security (IT) Services Limited Company overview Company Lateral Security (IT) Services

More information

Android Basics. Xin Yang 2016-05-06

Android Basics. Xin Yang 2016-05-06 Android Basics Xin Yang 2016-05-06 1 Outline of Lectures Lecture 1 (45mins) Android Basics Programming environment Components of an Android app Activity, lifecycle, intent Android anatomy Lecture 2 (45mins)

More information

Smartphone Security 20-00-0615-pr. Sven Bugiel

Smartphone Security 20-00-0615-pr. Sven Bugiel Smartphone Security 20-00-0615-pr Sven Bugiel Organizational: Teams 2-3 Students per team Register your team by email to me Names, Student IDs, and email addresses of all team members Preferred and backup

More information

Introduction to Android

Introduction to Android Introduction to Android 26 October 2015 Lecture 1 26 October 2015 SE 435: Development in the Android Environment 1 Topics for Today What is Android? Terminology and Technical Terms Ownership, Distribution,

More information

The OWASP Foundation http://www.owasp.org

The OWASP Foundation http://www.owasp.org Android reverse engineering: understanding third-party applications OWASP EU Tour 2013 June 5, 2013. Bucharest (Romania) Vicente Aguilera Díaz OWASP Spain Chapter Leader Co-founder of Internet Security

More information

Deep Inside Android. OpenExpo 2008 - Zurich September 25 th, 2008. Gilles Printemps - Senior Architect. Copyright 2007 Esmertec AG.

Deep Inside Android. OpenExpo 2008 - Zurich September 25 th, 2008. Gilles Printemps - Senior Architect. Copyright 2007 Esmertec AG. Deep Inside Android OpenExpo 2008 - Zurich September 25 th, 2008 Copyright 2007 Esmertec AG Jan 2007 Gilles Printemps - Senior Architect Agenda What is Android? The Android platform Anatomy of an Android

More information

Corso: Supporting and Troubleshooting Windows 10 Codice PCSNET: MW10-3 Cod. Vendor: 10982 Durata: 5

Corso: Supporting and Troubleshooting Windows 10 Codice PCSNET: MW10-3 Cod. Vendor: 10982 Durata: 5 Corso: Supporting and Troubleshooting Windows 10 Codice PCSNET: MW10-3 Cod. Vendor: 10982 Durata: 5 Obiettivi Al termine del corso i partecipanti saranno in grado di: Descrivere i processi coinvolti nella

More information

Source code security testing

Source code security testing Source code security testing Simone Riccetti EMEA PSS Security Services All information represents IBM's current intent, is subject to change or withdrawal without notice, and represents only IBM ISS goals

More information

Penetration Testing for iphone Applications Part 1

Penetration Testing for iphone Applications Part 1 Penetration Testing for iphone Applications Part 1 This article focuses specifically on the techniques and tools that will help security professionals understand penetration testing methods for iphone

More information

Android. Lecture 1. Learning Android Marko Gargenta. Tuesday, February 26, 13

Android. Lecture 1. Learning Android Marko Gargenta. Tuesday, February 26, 13 Android Lecture 1 Learning Android Marko Gargenta Final Project Jan/Feb: ARM March: Android Apr: Final project Complexity Sense the world Analysis Service delivery Hands-on A fun project built-up through

More information

Mobile Devices - An Introduction to the Android Operating Environment. Design, Architecture, and Performance Implications

Mobile Devices - An Introduction to the Android Operating Environment. Design, Architecture, and Performance Implications Mobile Devices - An Introduction to the Android Operating Environment Design, Architecture, and Performance Implications Dominique A. Heger DHTechnologies (DHT) dheger@dhtusa.com 1.0 Introduction With

More information

The Android Platform

The Android Platform The Android Platform F. Mallet Frederic.Mallet@unice.fr Université Nice Sophia Antipolis A software stack for mobile devices The Android Platform OS kernel, system libraries, application frameworks & key

More information

imaginea white paper

imaginea white paper white paper Building Mobile Android Applications Even though Android was created for handsets, there is a great opportunity for developing other innovative devices on the Android platform with significant

More information

Android Security. Device Management and Security. by Stephan Linzner & Benjamin Reimold

Android Security. Device Management and Security. by Stephan Linzner & Benjamin Reimold Android Security Device Management and Security by Stephan Linzner & Benjamin Reimold Introducing Stephan Linzner Benjamin Reimold Consultant, Software Engineer Mobile Developer Founder of Stuttgart GTUG

More information

Getting started with Android and App Engine

Getting started with Android and App Engine Getting started with Android and App Engine About us Tim Roes Software Developer (Mobile/Web Solutions) at inovex GmbH www.timroes.de www.timroes.de/+ About us Daniel Bälz Student/Android Developer at

More information

Creating and Using Databases for Android Applications

Creating and Using Databases for Android Applications Creating and Using Databases for Android Applications Sunguk Lee * 1 Research Institute of Industrial Science and Technology Pohang, Korea sunguk@rist.re.kr *Correspondent Author: Sunguk Lee* (sunguk@rist.re.kr)

More information

Malware Analysis for Android Operating

Malware Analysis for Android Operating Malware Analysis for Android Operating Kriti Sharma, Trushank Dand, Tae Oh and William Stackpole Abstract The number of mobile devices has dramatically increased in the last decade. As the mobile devices

More information

A Look through the Android Stack

A Look through the Android Stack A Look through the Android Stack A Look through the Android Stack Free Electrons Maxime Ripard Free Electrons Embedded Linux Developers c Copyright 2004-2012, Free Electrons. Creative Commons BY-SA 3.0

More information

ANDROID SECURITY ATTACKS AND DEFENSES ABHISHEK DUBEY I ANMOL MISRA. ( r öc) CRC Press VV J Taylor & Francis Group ^ "^ Boca Raton London New York

ANDROID SECURITY ATTACKS AND DEFENSES ABHISHEK DUBEY I ANMOL MISRA. ( r öc) CRC Press VV J Taylor & Francis Group ^ ^ Boca Raton London New York ANDROID SECURITY ATTACKS AND DEFENSES ABHISHEK DUBEY I ANMOL MISRA ( r öc) CRC Press VV J Taylor & Francis Group ^ "^ Boca Raton London New York CRC Press is an imprint of the Taylor & Francis Croup, an

More information

ANDROID BASED MOBILE APPLICATION DEVELOPMENT and its SECURITY

ANDROID BASED MOBILE APPLICATION DEVELOPMENT and its SECURITY ANDROID BASED MOBILE APPLICATION DEVELOPMENT and its SECURITY Suhas Holla #1, Mahima M Katti #2 # Department of Information Science & Engg, R V College of Engineering Bangalore, India Abstract In the advancing

More information

The Case for SE Android. Stephen Smalley sds@tycho.nsa.gov Trust Mechanisms (R2X) National Security Agency

The Case for SE Android. Stephen Smalley sds@tycho.nsa.gov Trust Mechanisms (R2X) National Security Agency The Case for SE Android Stephen Smalley sds@tycho.nsa.gov Trust Mechanisms (R2X) National Security Agency 1 Android: What is it? Linux-based software stack for mobile devices. Very divergent from typical

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

Mobile Vulnerability Assessment: There's an App for That!

Mobile Vulnerability Assessment: There's an App for That! Mobile Vulnerability Assessment: There's an App for That! SEPTEMBER 12 14, 2012 GRAND HYATT, SAN FRANCISCO Truth, Lies and Decisions Moving Forward in an Insecure World Jon Oberheide CTO, Duo Security

More information

Blackbox Android. Breaking Enterprise Class Applications and Secure Containers. Marc Blanchou Mathew Solnik 10/13/2011. https://www.isecpartners.

Blackbox Android. Breaking Enterprise Class Applications and Secure Containers. Marc Blanchou Mathew Solnik 10/13/2011. https://www.isecpartners. Blackbox Android Breaking Enterprise Class Applications and Secure Containers Marc Blanchou Mathew Solnik 10/13/2011 https://www.isecpartners.com Agenda Background Enterprise Class Applications Threats

More information

Analysis of advanced issues in mobile security in android operating system

Analysis of advanced issues in mobile security in android operating system Available online atwww.scholarsresearchlibrary.com Archives of Applied Science Research, 2015, 7 (2):34-38 (http://scholarsresearchlibrary.com/archive.html) ISSN 0975-508X CODEN (USA) AASRC9 Analysis of

More information

CompTIA Mobile App Security+ Certification Exam (ios Edition) Live exam IOS-001 Beta Exam IO1-001

CompTIA Mobile App Security+ Certification Exam (ios Edition) Live exam IOS-001 Beta Exam IO1-001 CompTIA Mobile App Security+ Certification Exam (ios Edition) Live exam IOS-001 Beta Exam IO1-001 INTRODUCTION This exam will certify that the successful candidate has the knowledge and skills required

More information

Graduate presentation for CSCI 5448. By Janakiram Vantipalli ( Janakiram.vantipalli@colorado.edu )

Graduate presentation for CSCI 5448. By Janakiram Vantipalli ( Janakiram.vantipalli@colorado.edu ) Graduate presentation for CSCI 5448 By Janakiram Vantipalli ( Janakiram.vantipalli@colorado.edu ) Content What is Android?? Versions and statistics Android Architecture Application Components Inter Application

More information

Android Application Development. Daniel Switkin Senior Software Engineer, Google Inc.

Android Application Development. Daniel Switkin Senior Software Engineer, Google Inc. Android Application Development Daniel Switkin Senior Software Engineer, Google Inc. Goal Get you an idea of how to start developing Android applications Introduce major Android application concepts Walk

More information

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved Building a Mobile App Security Risk Management Program Your Presenters Who Are We? Chris Salerno, Consultant, Security Risk Advisors Lead consultant for mobile, network, web application penetration testing

More information

Università Degli Studi di Parma. Distributed Systems Group. Android Development. Lecture 1 Android SDK & Development Environment. Marco Picone - 2012

Università Degli Studi di Parma. Distributed Systems Group. Android Development. Lecture 1 Android SDK & Development Environment. Marco Picone - 2012 Android Development Lecture 1 Android SDK & Development Environment Università Degli Studi di Parma Lecture Summary - 2 The Android Platform Android Environment Setup SDK Eclipse & ADT SDK Manager Android

More information

Android for Java Developers OSCON 2010. Marko Gargenta Marakana

Android for Java Developers OSCON 2010. Marko Gargenta Marakana Android for Java Developers OSCON 2010 Marko Gargenta Marakana About Marko Gargenta Developed Android Bootcamp for Marakana. Trained over 1,000 developers on Android. Clients include Qualcomm, Sony-Ericsson,

More information

CERTIFIGATE. Front Door Access to Pwning hundreds of Millions of Androids. Avi Bashan. Ohad Bobrov

CERTIFIGATE. Front Door Access to Pwning hundreds of Millions of Androids. Avi Bashan. Ohad Bobrov CERTIFIGATE Front Door Access to Pwning hundreds of Millions of Androids Avi Bashan Ohad Bobrov 1 AG EN DA Mobile Threats and Research Motivation Mobile Remote Support Tool Overview Pwning Mobile Remote

More information

Introduction to Android

Introduction to Android Introduction to Android Ref: Wei-Meng Lee, BEGINNING ANDROID 4 APPLICATION DEVELOPMENT, Ch1, John Wiley & Sons, 2012 1. What is Android Android is a mobile operating system that is based on a modified

More information

Performance Analysis of Android Platform

Performance Analysis of Android Platform Performance Analysis of Android Platform Jawad Manzoor EMDC 21-Nov-2010 Table of Contents 1. Introduction... 3 2. Android Architecture... 3 3. Dalvik Virtual Machine... 4 3.1 Architecture of Dalvik VM...

More information

Android Malware for Pen-testing. IOAsis San Fransicso 2014

Android Malware for Pen-testing. IOAsis San Fransicso 2014 Android Malware for Pen-testing IOAsis San Fransicso 2014 Dr. Who? Robert Erbes Senior Security Consultant (not a doctor) Target Audience The Malicious Defender i.e., Someone who believes that the best

More information

Introduction to Android Android Architecture Software Development Purpose of the project Location Based Service (LBS) Android. Location class Google

Introduction to Android Android Architecture Software Development Purpose of the project Location Based Service (LBS) Android. Location class Google By: Mikias M. Seid Introduction to Android Android Architecture Software Development Purpose of the project Location Based Service (LBS) Android. Location class Google API and Map View Demo Future of the

More information

PROFILEDROID: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS XUETAO WEI LORENZO GOMEZ UNIVERSITY OF CALIFORNIA, RIVERSIDE PROFESSOR IULIAN NEAMTIU

PROFILEDROID: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS XUETAO WEI LORENZO GOMEZ UNIVERSITY OF CALIFORNIA, RIVERSIDE PROFESSOR IULIAN NEAMTIU PROFILEDROID: MULTI-LAYER PROFILING OF ANDROID APPLICATIONS XUETAO WEI LORENZO GOMEZ PROFESSOR IULIAN NEAMTIU PROFESSOR MICHALIS FALOUTSOS UNIVERSITY OF CALIFORNIA, RIVERSIDE WE DEPEND ON SMARTPHONES MORE

More information

Технологии Java. Android: Введение. Кузнецов Андрей Николаевич. Санкт-Петербургский Государственный Политехнический Университет

Технологии Java. Android: Введение. Кузнецов Андрей Николаевич. Санкт-Петербургский Государственный Политехнический Университет Технологии Java Android: Введение Санкт-Петербургский Государственный Политехнический Университет Кузнецов Андрей Николаевич 1 2 Архитектура ОС Android See http://www.android-app-market.com/android-architecture.html

More information

Introduction to Android: Hello, Android! 26 Mar 2010 CMPT166 Dr. Sean Ho Trinity Western University

Introduction to Android: Hello, Android! 26 Mar 2010 CMPT166 Dr. Sean Ho Trinity Western University Introduction to Android: Hello, Android! 26 Mar 2010 CMPT166 Dr. Sean Ho Trinity Western University Android OS Open-source mobile OS (mostly Apache licence) Developed by Google + Open Handset Alliance

More information

Developers. Saturday, June 30, 2012

Security and Privacy in Android Apps. Jon Larimer - Security Engineer, Android Team. Kenny Root - Software Engineer, Android Team. Another privacy breach in the news... At least it wasn't your

DEVELOPING MOBILE APPLICATIONS USING ANDROID

ISSN 2229-5518 DEVELOPING MOBILE APPLICATIONS USING ANDROID M.VARUN KUMAR, S.THIRUMALINI, S.RAJESH KUMAR, N.VANISRI, PULIDINDI VENUGOPAL School of Information Technology & VITBS VIT University, Vellore-632014

Android (Basic + Advance) Application Development

You will learn how to create custom widgets, create animations, work with camera, use sensors, create and use advanced content providers and much more.

Lecture Embedded System Security A. R. Sadeghi, @TU Darmstadt, 2011 2012 Introduction Mobile Security

Smartphones and their applications have become an integral part of information society Security and privacy protection technology is an enabler for innovative business models Recent research on mobile

ANDROID. Programming basics

Overview Mobile Hardware History Android evolution Android smartphone overview Hardware components at high level Operative system Android App development Why Android Apps? History

WebView addJavascriptInterface Remote Code Execution 23/09/2013

MWR InfoSecurity Advisory WebView addJavascriptInterface Remote Code Execution 23/09/2013 Package Name: Google Android Webkit WebView. Date: 23/09/2013. Affected Versions: All Android applications built with

ANDROID INTRODUCTION TO ANDROID

JAVA FUNDAMENTALS FOR ANDROID Introduction History Java Virtual Machine (JVM) JDK (Java Development Kit) JRE (Java Runtime Environment) Classes & Packages Java Basics Data Types Variables, Keywords,

Android Development. Marc Mc Loughlin

Android Developer Website: http://developer.android.com/ Dev Guide Reference Resources Video / Blog Setting up the SDK http://developer.android.com/sdk/

Defending Behind The Device Mobile Application Risks

Tyler Shields Product Manager and Strategist Veracode, Inc Session ID: MBS-301 Session Classification: Advanced Agenda The What The Problem Mobile Ecosystem

IAIK. Motivation 2. Advanced Computer Networks 2015/2016. Johannes Feichtner johannes.feichtner@iaik.tugraz.at IAIK

What you have heard last time Mobile devices: Short history, features Technical evolution, major OS,

Cross-Platform Evaluation of Mobile App Hardening. Benjamin Adolphi

Master's Thesis Master of Science in Information Security 30 ECTS Department of Computer Science and Media Technology Gjøvik University

WEB CONTENT MANAGEMENT SYSTEM

February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in

SYLLABUS MOBILE APPLICATION SECURITY AND PENETRATION TESTING. MASPT at a glance: v1.0 (28/01/2014) 10 highly practical modules

Must-have skills in any penetration tester's arsenal. MASPT at a glance: 10 highly practical modules 4 hours of video material 1200+ interactive slides 20 Applications to practice with Leads to eMAPT certification

Module Title: Software Development A: Mobile Application Development

Module Code: SDA SDA prerequisites: CT1, HS1, MS001, CA Award of BSc. In Information Technology The Bachelor of Science in Information

Advance Android Application Development (8W-A3D)

Apps to be Developed/Build: Basic Calculator App Multi-page Login App Custom Drop-down Menu Search App (in App Search) Employee Database App Audio Player

Android Application Development

3TECHSOFT INNOVATION*INTELLIGENCE*INFORMATION Effective from: JUNE 2013 Noida Office: A-385, Noida (UP)- 201301 Contact us: Email: hr@3techsoft.com Website: www.3techsoft.com

BlackBerry Enterprise Service 10. Secure Work Space for iOS and Android Version: 10.1.1. Security Note

Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise

Building an Android client. Rohit Nayak Talentica Software

Agenda iPhone and the Mobile App Explosion How mobile apps differ Android philosophy Development Platform Core Android Concepts App Demo App Dissection

Android Operating System:

Android Operating System: An in-depth introduction CS423 Project Mohammad Alian, Shuomeng Guang, Bo Teng Outline 1. What is Android 2. History 3. Android architecture 4. Android vs Linux 5. Process Management

Programming with Android: System Architecture. Dipartimento di Scienze dell'Informazione Università di Bologna

Luca Bedogni Marco Di Felice Dipartimento di Scienze dell'Informazione Università di Bologna Outline Android Architecture: An Overview Android Dalvik Java

OMX, Android, GStreamer How do I decide what to use? 15 July 2011

When to use which framework? Android (easiest) Customer wants a full featured media player with minimal trouble and no prior knowledge

Adobe Systems Incorporated

Adobe Connect 9.2 Hosted Solution June 20th 2014 Table of Contents Engagement Overview... 3 About Connect 9.2...

Project X Mass interception of encrypted connections

What? SSL/TLS interception TOR interception ...a thorny path Common Issues Public Key Pinning avoids rogue CA to sign certs Common Issues Google and

Reminders. Lab opens from today. Many students want to use the extra I/O pins on

Lab opens from today Wednesday 4:00-5:30pm, Friday 1:00-2:30pm Location: MK228 Each student checks out one sensor mote for your Lab 1 The TA will be there to help your lab work Many students

Development. SriSeshaa Technologies. Table of Contents

SriSeshaa Technologies Development Table of Contents SriSeshaa Android Development... 2 Introduction to Android... 3 SriSeshaa Capabilities... 3 SriSeshaa Android Case Studies... 5 Privacy Guard... 5 Backup

Android Geek Night. Application framework

Agenda 1. Presentation 1. Trifork 2. JAOO 2010 2. Google Android headlines 3. Introduction to an Android application 4. New project using ADT 5. Main building blocks

Mobile Operating Systems. Week I

Overview Introduction Mobile Operating System Structure Mobile Operating System Platforms Java ME Platform Palm OS Symbian OS Linux OS Windows Mobile OS BlackBerry OS iPhone

Introduction to Oracle Mobile Application Framework Raghu Srinivasan, Director Development Mobile and Cloud Development Tools Oracle

Safe Harbor Statement The following is intended to outline our general

SAMSUNG SMARTTV: HOW-TO TO CREATING INSECURE DEVICE IN TODAY'S WORLD. Sergey Belov

Sergey Belov # whoami Penetration tester @ Digital Security Bug hunter Speaker Agenda SmartTV - what is it? Current state of research (in the world) Samsung Smart TV - series 2008-2014 Emulator vs real