SlideShare uma empresa Scribd logo

The real incident of stealing a droid app+data

Transferir como PPTX, PDF
Akash Mahajan
Akash Mahajan

This is a beginner level talk/lecture about how we managed to steal data, bypass security controls and steal the source code of an Android application which was supposed to be secure. Technically what we managed to do isn't ground breaking, but due to a combination of reasons we were able to radically change the security of the Android app for the better.

Tecnologia
1 de 18
The Real Incident of Stealing a Droid App & Data Akash Mahajan and Ankur Bhargava @ DroidCon Bangalore 2012
What we stole The Android Application Package File All the encrypted files found in the external storage © Akash Mahajan DroidCon Bangalore 2012 2
Not only we successfully the app + data we it on another device which was rooted © Akash Mahajan DroidCon Bangalore 2012 3
Them devs made it more secure? A device ID check was added We reversed the applications added our device ID and compiled it again. Able to execute again, yay! © Akash Mahajan DroidCon Bangalore 2012 4
THE DROID JOB A standard Chinese made Tablet running Android 4.0 (Indian Brand) The application contained encrypted data along with other resources. © Akash Mahajan DroidCon Bangalore 2012 5
We had written permission to steal! © Akash Mahajan DroidCon Bangalore 2012 6
All your data are belong to us All the encrypted data was with us We didn’t have the encryption key But we had the device with the key in internal storage © Akash Mahajan DroidCon Bangalore 2012 7
GONE IN 300 SECONDS Android Backup API using Android Debug Bridge because we had the package name. ADB pull command, YAY! > adb pull <remote> <local> © Akash Mahajan DroidCon Bangalore 2012 8
DISCLAIMER It is not Rocket Science Simple common security testing © Akash Mahajan DroidCon Bangalore 2012 9
The Simple Hack We knew find an exploit to root the device might take some time and skill Application written for the same version of Android will run in all devices © Akash Mahajan DroidCon Bangalore 2012 10
If the device having the application can’t be rooted, let us take the application to the rooted device. © Akash Mahajan DroidCon Bangalore 2012 11
The Simple Hack Once copied to the rooted device we could see what the application was doing using DDMS. Dalvik Debug Monitor Server provides among other things process information about apps running on a device connected in USB debug mode. © Akash Mahajan DroidCon Bangalore 2012 12
The key to everything In this particular case, the encryption key was required to decrypt the data. We didn’t have file permissions to reach the key. We decided not to go after the key. We weren’t being paid enough for that. © Akash Mahajan DroidCon Bangalore 2012 13
The Encryption Conundrum If you give away your device, the only way you can ensure safety of the data is by ensuring that the symmetric encryption key isn’t stolen. At any given point depending on the application the key might be available in memory, temp file/storage or on the chip itself. © Akash Mahajan DroidCon Bangalore 2012 14
The Encryption Conundrum But because the device is with the thieves, they have all the time in the world to find it. If nothing works, they can always break open the device and steal the key from the storage. © Akash Mahajan DroidCon Bangalore 2012 15
FREE CONSULTING /Checklist Disable USB debugging port Disable USB itself Don’t give internet access in the device. Obfuscate the source code. Provide a unique key for each device. © Akash Mahajan DroidCon Bangalore 2012 16
SUCCESS KIDZ Client felt assured about their device security Dev had a more secure solution We get to pretend that we are Android security experts. We are not, just love the challenge. © Akash Mahajan DroidCon Bangalore 2012 17
WANTED DROID CHORS @ankurbhargava87 @makash © Akash Mahajan DroidCon Bangalore 2012 18

Recomendados

From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps WhiteSource
 
DevSecOps: A New Hope for Security in CI/CD
DevSecOps: A New Hope for Security in CI/CDDevSecOps: A New Hope for Security in CI/CD
DevSecOps: A New Hope for Security in CI/CDFranklin Mosley
 
Tackling the Container Iceberg:How to approach security when most of your sof...
Tackling the Container Iceberg:How to approach security when most of your sof...Tackling the Container Iceberg:How to approach security when most of your sof...
Tackling the Container Iceberg:How to approach security when most of your sof...WhiteSource
 
Scale DevSecOps with your Continuous Integration Pipeline
Scale DevSecOps with your Continuous Integration PipelineScale DevSecOps with your Continuous Integration Pipeline
Scale DevSecOps with your Continuous Integration PipelineDevOps.com
 
Google Glass - An Intro presentation to conduct code lab events.
Google Glass - An Intro presentation to conduct code lab events.Google Glass - An Intro presentation to conduct code lab events.
Google Glass - An Intro presentation to conduct code lab events.getdinesh
 
Defining DevSecOps
Defining DevSecOpsDefining DevSecOps
Defining DevSecOpsUchit Vyas ☁
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineJames Wickett
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon
 

Recomendados

From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps WhiteSource
 
DevSecOps: A New Hope for Security in CI/CD
DevSecOps: A New Hope for Security in CI/CDDevSecOps: A New Hope for Security in CI/CD
DevSecOps: A New Hope for Security in CI/CDFranklin Mosley
 
Tackling the Container Iceberg:How to approach security when most of your sof...
Tackling the Container Iceberg:How to approach security when most of your sof...Tackling the Container Iceberg:How to approach security when most of your sof...
Tackling the Container Iceberg:How to approach security when most of your sof...WhiteSource
 
Scale DevSecOps with your Continuous Integration Pipeline
Scale DevSecOps with your Continuous Integration PipelineScale DevSecOps with your Continuous Integration Pipeline
Scale DevSecOps with your Continuous Integration PipelineDevOps.com
 
Google Glass - An Intro presentation to conduct code lab events.
Google Glass - An Intro presentation to conduct code lab events.Google Glass - An Intro presentation to conduct code lab events.
Google Glass - An Intro presentation to conduct code lab events.getdinesh
 
Defining DevSecOps
Defining DevSecOpsDefining DevSecOps
Defining DevSecOpsUchit Vyas ☁
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineJames Wickett
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon
 
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthinkspa
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsMichael Man
 
Release Your Inner DevSecOp
Release Your Inner DevSecOpRelease Your Inner DevSecOp
Release Your Inner DevSecOpJames Wickett
 
Empowering Financial Institutions to Use Open Source With Confidence
Empowering Financial Institutions to Use Open Source With ConfidenceEmpowering Financial Institutions to Use Open Source With Confidence
Empowering Financial Institutions to Use Open Source With ConfidenceWhiteSource
 
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...SecureSoftwareDevOn SecureSoftwareDevOn
 
The New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsThe New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsJames Wickett
 
(Isc)² secure johannesburg
(Isc)² secure johannesburg (Isc)² secure johannesburg
(Isc)² secure johannesburg Tunde Ogunkoya
 
Practical DevSecOps Using Security Instrumentation
Practical DevSecOps Using Security InstrumentationPractical DevSecOps Using Security Instrumentation
Practical DevSecOps Using Security InstrumentationVMware Tanzu
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactSBWebinars
 
Meningkatkan SOC dan Reusabillity Kode dengan Duo DI - Sidiq Permana (CIO Nus...
Meningkatkan SOC dan Reusabillity Kode dengan Duo DI - Sidiq Permana (CIO Nus...Meningkatkan SOC dan Reusabillity Kode dengan Duo DI - Sidiq Permana (CIO Nus...
Meningkatkan SOC dan Reusabillity Kode dengan Duo DI - Sidiq Permana (CIO Nus...DicodingEvent
 
10 Myth of DevSecOps
10 Myth of DevSecOps10 Myth of DevSecOps
10 Myth of DevSecOpsDevOps Indonesia
 
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your RiskInnocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your RiskWhiteSource
 
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"Aaron Rinehart
 
NewOps Days 2019: The New Ways of Chaos, Security, and DevOps
NewOps Days 2019: The New Ways of Chaos, Security, and DevOpsNewOps Days 2019: The New Ways of Chaos, Security, and DevOps
NewOps Days 2019: The New Ways of Chaos, Security, and DevOpsJames Wickett
 
DefCamp 2013 - Android hacking techniques
DefCamp 2013 - Android hacking techniquesDefCamp 2013 - Android hacking techniques
DefCamp 2013 - Android hacking techniquesDefCamp
 
Security in the FaaS Lane
Security in the FaaS LaneSecurity in the FaaS Lane
Security in the FaaS LaneJames Wickett
 
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos EngineeringRSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos EngineeringAaron Rinehart
 
AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering Aaron Rinehart
 
DevSecOps Days SF at RSA Conference 2018
DevSecOps Days SF at RSA Conference 2018DevSecOps Days SF at RSA Conference 2018
DevSecOps Days SF at RSA Conference 2018DevSecOps Days
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOpsFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016Rizal Aditya
 
Putting real feeling into Android Apps
Putting real feeling into Android AppsPutting real feeling into Android Apps
Putting real feeling into Android AppsPeter van der Linden
 

Mais conteúdo relacionado

Mais procurados

Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthinkspa
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsMichael Man
 
Release Your Inner DevSecOp
Release Your Inner DevSecOpRelease Your Inner DevSecOp
Release Your Inner DevSecOpJames Wickett
 
Empowering Financial Institutions to Use Open Source With Confidence
Empowering Financial Institutions to Use Open Source With ConfidenceEmpowering Financial Institutions to Use Open Source With Confidence
Empowering Financial Institutions to Use Open Source With ConfidenceWhiteSource
 
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...SecureSoftwareDevOn SecureSoftwareDevOn
 
The New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsThe New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsJames Wickett
 
(Isc)² secure johannesburg
(Isc)² secure johannesburg (Isc)² secure johannesburg
(Isc)² secure johannesburg Tunde Ogunkoya
 
Practical DevSecOps Using Security Instrumentation
Practical DevSecOps Using Security InstrumentationPractical DevSecOps Using Security Instrumentation
Practical DevSecOps Using Security InstrumentationVMware Tanzu
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactSBWebinars
 
Meningkatkan SOC dan Reusabillity Kode dengan Duo DI - Sidiq Permana (CIO Nus...
Meningkatkan SOC dan Reusabillity Kode dengan Duo DI - Sidiq Permana (CIO Nus...Meningkatkan SOC dan Reusabillity Kode dengan Duo DI - Sidiq Permana (CIO Nus...
Meningkatkan SOC dan Reusabillity Kode dengan Duo DI - Sidiq Permana (CIO Nus...DicodingEvent
 
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your RiskInnocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your RiskWhiteSource
 
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"Aaron Rinehart
 
NewOps Days 2019: The New Ways of Chaos, Security, and DevOps
NewOps Days 2019: The New Ways of Chaos, Security, and DevOpsNewOps Days 2019: The New Ways of Chaos, Security, and DevOps
NewOps Days 2019: The New Ways of Chaos, Security, and DevOpsJames Wickett
 
DefCamp 2013 - Android hacking techniques
DefCamp 2013 - Android hacking techniquesDefCamp 2013 - Android hacking techniques
DefCamp 2013 - Android hacking techniquesDefCamp
 
Security in the FaaS Lane
Security in the FaaS LaneSecurity in the FaaS Lane
Security in the FaaS LaneJames Wickett
 
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos EngineeringRSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos EngineeringAaron Rinehart
 
AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering Aaron Rinehart
 
DevSecOps Days SF at RSA Conference 2018
DevSecOps Days SF at RSA Conference 2018DevSecOps Days SF at RSA Conference 2018
DevSecOps Days SF at RSA Conference 2018DevSecOps Days
 

Mais procurados (20)

Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOps
 
Release Your Inner DevSecOp
Release Your Inner DevSecOpRelease Your Inner DevSecOp
Release Your Inner DevSecOp
 
Empowering Financial Institutions to Use Open Source With Confidence
Empowering Financial Institutions to Use Open Source With ConfidenceEmpowering Financial Institutions to Use Open Source With Confidence
Empowering Financial Institutions to Use Open Source With Confidence
 
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
 
The New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsThe New Security Playbook: DevSecOps
The New Security Playbook: DevSecOps
 
(Isc)² secure johannesburg
(Isc)² secure johannesburg (Isc)² secure johannesburg
(Isc)² secure johannesburg
 
Practical DevSecOps Using Security Instrumentation
Practical DevSecOps Using Security InstrumentationPractical DevSecOps Using Security Instrumentation
Practical DevSecOps Using Security Instrumentation
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
 
Meningkatkan SOC dan Reusabillity Kode dengan Duo DI - Sidiq Permana (CIO Nus...
Meningkatkan SOC dan Reusabillity Kode dengan Duo DI - Sidiq Permana (CIO Nus...Meningkatkan SOC dan Reusabillity Kode dengan Duo DI - Sidiq Permana (CIO Nus...
Meningkatkan SOC dan Reusabillity Kode dengan Duo DI - Sidiq Permana (CIO Nus...
 
10 Myth of DevSecOps
10 Myth of DevSecOps10 Myth of DevSecOps
10 Myth of DevSecOps
 
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your RiskInnocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
 
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
 
NewOps Days 2019: The New Ways of Chaos, Security, and DevOps
NewOps Days 2019: The New Ways of Chaos, Security, and DevOpsNewOps Days 2019: The New Ways of Chaos, Security, and DevOps
NewOps Days 2019: The New Ways of Chaos, Security, and DevOps
 
DefCamp 2013 - Android hacking techniques
DefCamp 2013 - Android hacking techniquesDefCamp 2013 - Android hacking techniques
DefCamp 2013 - Android hacking techniques
 
Security in the FaaS Lane
Security in the FaaS LaneSecurity in the FaaS Lane
Security in the FaaS Lane
 
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos EngineeringRSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering
 
AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering AllTheTalks Security Chaos Engineering
AllTheTalks Security Chaos Engineering
 
DevSecOps Days SF at RSA Conference 2018
DevSecOps Days SF at RSA Conference 2018DevSecOps Days SF at RSA Conference 2018
DevSecOps Days SF at RSA Conference 2018
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
 

Semelhante a The real incident of stealing a droid app+data

Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016Rizal Aditya
 
Putting real feeling into Android Apps
Putting real feeling into Android AppsPutting real feeling into Android Apps
Putting real feeling into Android AppsPeter van der Linden
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
Securing Android Applications
Securing Android ApplicationsSecuring Android Applications
Securing Android ApplicationsInfosys
 
Getting started with android
Getting started with androidGetting started with android
Getting started with androidVandana Verma
 
Android_Studio_Structure.docx
Android_Studio_Structure.docxAndroid_Studio_Structure.docx
Android_Studio_Structure.docxKNANTHINIMCA
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsRon Munitz
 
From Reversing to Exploitation
From Reversing to ExploitationFrom Reversing to Exploitation
From Reversing to ExploitationSatria Ady Pradana
 
Securing User Data with SQLCipher
Securing User Data with SQLCipherSecuring User Data with SQLCipher
Securing User Data with SQLCipherCommonsWare
 
YuryMakedonov_TesTrek2013_AndroidTesting_12u_slides
YuryMakedonov_TesTrek2013_AndroidTesting_12u_slidesYuryMakedonov_TesTrek2013_AndroidTesting_12u_slides
YuryMakedonov_TesTrek2013_AndroidTesting_12u_slidesYury M
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsviaForensics
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium SecurityJack Mannino
 
Android installation & configuration, and create HelloWorld Project
Android installation & configuration, and create HelloWorld ProjectAndroid installation & configuration, and create HelloWorld Project
Android installation & configuration, and create HelloWorld ProjectRakesh Jha
 
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...tdc-globalcode
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Márcio Rosa
 
From Reversing to Exploitation: Android Application Security in Essence
From Reversing to Exploitation: Android Application Security in EssenceFrom Reversing to Exploitation: Android Application Security in Essence
From Reversing to Exploitation: Android Application Security in EssenceSatria Ady Pradana
 

Semelhante a The real incident of stealing a droid app+data (20)

Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
 
Putting real feeling into Android Apps
Putting real feeling into Android AppsPutting real feeling into Android Apps
Putting real feeling into Android Apps
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
 
Securing Android Applications
Securing Android ApplicationsSecuring Android Applications
Securing Android Applications
 
Getting started with android
Getting started with androidGetting started with android
Getting started with android
 
Android_Studio_Structure.docx
Android_Studio_Structure.docxAndroid_Studio_Structure.docx
Android_Studio_Structure.docx
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android Apps
 
From Reversing to Exploitation
From Reversing to ExploitationFrom Reversing to Exploitation
From Reversing to Exploitation
 
Securing User Data with SQLCipher
Securing User Data with SQLCipherSecuring User Data with SQLCipher
Securing User Data with SQLCipher
 
YuryMakedonov_TesTrek2013_AndroidTesting_12u_slides
YuryMakedonov_TesTrek2013_AndroidTesting_12u_slidesYuryMakedonov_TesTrek2013_AndroidTesting_12u_slides
YuryMakedonov_TesTrek2013_AndroidTesting_12u_slides
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium Security
 
Android installation & configuration, and create HelloWorld Project
Android installation & configuration, and create HelloWorld ProjectAndroid installation & configuration, and create HelloWorld Project
Android installation & configuration, and create HelloWorld Project
 
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
 
From Reversing to Exploitation: Android Application Security in Essence
From Reversing to Exploitation: Android Application Security in EssenceFrom Reversing to Exploitation: Android Application Security in Essence
From Reversing to Exploitation: Android Application Security in Essence
 
Android tio manual
Android tio manualAndroid tio manual
Android tio manual
 
Android tio manual
Android tio manualAndroid tio manual
Android tio manual
 

Mais de Akash Mahajan

On Writing Well - A talk given at WinjaBlogs Session
On Writing Well - A talk given at WinjaBlogs SessionOn Writing Well - A talk given at WinjaBlogs Session
On Writing Well - A talk given at WinjaBlogs SessionAkash Mahajan
 
App sec in the time of docker containers
App sec in the time of docker containersApp sec in the time of docker containers
App sec in the time of docker containersAkash Mahajan
 
Venom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoVenom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoAkash Mahajan
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Akash Mahajan
 
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-thereINCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-thereAkash Mahajan
 
Believe It Or Not SSL Attacks
Believe It Or Not SSL AttacksBelieve It Or Not SSL Attacks
Believe It Or Not SSL AttacksAkash Mahajan
 
I haz your mouse clicks and key strokes
I haz your mouse clicks and key strokesI haz your mouse clicks and key strokes
I haz your mouse clicks and key strokesAkash Mahajan
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingAkash Mahajan
 
Secure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash MahajanSecure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash MahajanAkash Mahajan
 
Secure passwords-theory-and-practice
Secure passwords-theory-and-practiceSecure passwords-theory-and-practice
Secure passwords-theory-and-practiceAkash Mahajan
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanAkash Mahajan
 
Web application security
Web application securityWeb application security
Web application securityAkash Mahajan
 
Web application security
Web application securityWeb application security
Web application securityAkash Mahajan
 
Web application security
Web application securityWeb application security
Web application securityAkash Mahajan
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In PhpAkash Mahajan
 

Mais de Akash Mahajan (17)

On Writing Well - A talk given at WinjaBlogs Session
On Writing Well - A talk given at WinjaBlogs SessionOn Writing Well - A talk given at WinjaBlogs Session
On Writing Well - A talk given at WinjaBlogs Session
 
App sec in the time of docker containers
App sec in the time of docker containersApp sec in the time of docker containers
App sec in the time of docker containers
 
Venom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoVenom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demo
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-thereINCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
 
Believe It Or Not SSL Attacks
Believe It Or Not SSL AttacksBelieve It Or Not SSL Attacks
Believe It Or Not SSL Attacks
 
I haz your mouse clicks and key strokes
I haz your mouse clicks and key strokesI haz your mouse clicks and key strokes
I haz your mouse clicks and key strokes
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
 
Secure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash MahajanSecure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash Mahajan
 
Php security
Php securityPhp security
Php security
 
Secure passwords-theory-and-practice
Secure passwords-theory-and-practiceSecure passwords-theory-and-practice
Secure passwords-theory-and-practice
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajan
 
Web application security
Web application securityWeb application security
Web application security
 
Web application security
Web application securityWeb application security
Web application security
 
Web application security
Web application securityWeb application security
Web application security
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In Php
 
Startups Security
Startups SecurityStartups Security
Startups Security
 

Último

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 

Último (20)

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 

The real incident of stealing a droid app+data

  • 1. The Real Incident of Stealing a Droid App & Data Akash Mahajan and Ankur Bhargava @ DroidCon Bangalore 2012
  • 2. What we stole The Android Application Package File All the encrypted files found in the external storage © Akash Mahajan DroidCon Bangalore 2012 2
  • 3. Not only we successfully the app + data we it on another device which was rooted © Akash Mahajan DroidCon Bangalore 2012 3
  • 4. Them devs made it more secure? A device ID check was added We reversed the applications added our device ID and compiled it again. Able to execute again, yay! © Akash Mahajan DroidCon Bangalore 2012 4
  • 5. THE DROID JOB A standard Chinese made Tablet running Android 4.0 (Indian Brand) The application contained encrypted data along with other resources. © Akash Mahajan DroidCon Bangalore 2012 5
  • 6. We had written permission to steal! © Akash Mahajan DroidCon Bangalore 2012 6
  • 7. All your data are belong to us All the encrypted data was with us We didn’t have the encryption key But we had the device with the key in internal storage © Akash Mahajan DroidCon Bangalore 2012 7
  • 8. GONE IN 300 SECONDS Android Backup API using Android Debug Bridge because we had the package name. ADB pull command, YAY! > adb pull <remote> <local> © Akash Mahajan DroidCon Bangalore 2012 8
  • 9. DISCLAIMER It is not Rocket Science Simple common security testing © Akash Mahajan DroidCon Bangalore 2012 9
  • 10. The Simple Hack We knew find an exploit to root the device might take some time and skill Application written for the same version of Android will run in all devices © Akash Mahajan DroidCon Bangalore 2012 10
  • 11. If the device having the application can’t be rooted, let us take the application to the rooted device. © Akash Mahajan DroidCon Bangalore 2012 11
  • 12. The Simple Hack Once copied to the rooted device we could see what the application was doing using DDMS. Dalvik Debug Monitor Server provides among other things process information about apps running on a device connected in USB debug mode. © Akash Mahajan DroidCon Bangalore 2012 12
  • 13. The key to everything In this particular case, the encryption key was required to decrypt the data. We didn’t have file permissions to reach the key. We decided not to go after the key. We weren’t being paid enough for that. © Akash Mahajan DroidCon Bangalore 2012 13
  • 14. The Encryption Conundrum If you give away your device, the only way you can ensure safety of the data is by ensuring that the symmetric encryption key isn’t stolen. At any given point depending on the application the key might be available in memory, temp file/storage or on the chip itself. © Akash Mahajan DroidCon Bangalore 2012 14
  • 15. The Encryption Conundrum But because the device is with the thieves, they have all the time in the world to find it. If nothing works, they can always break open the device and steal the key from the storage. © Akash Mahajan DroidCon Bangalore 2012 15
  • 16. FREE CONSULTING /Checklist Disable USB debugging port Disable USB itself Don’t give internet access in the device. Obfuscate the source code. Provide a unique key for each device. © Akash Mahajan DroidCon Bangalore 2012 16
  • 17. SUCCESS KIDZ Client felt assured about their device security Dev had a more secure solution We get to pretend that we are Android security experts. We are not, just love the challenge. © Akash Mahajan DroidCon Bangalore 2012 17
  • 18. WANTED DROID CHORS @ankurbhargava87 @makash © Akash Mahajan DroidCon Bangalore 2012 18