The real incident of stealing android app data

•Transferir como PPTX, PDF•

0 gostou•416 visualizações

This is a beginner level talk/lecture about how we managed to steal data, bypass security controls and steal the source code of an Android application which was supposed to be secure. Technically what we managed to do isn't ground breaking, but due to a combination of reasons we were able to radically change the security of the Android app for the better.

Tecnologia

The Real Incident of
Stealing
a Droid App & Data

Akash Mahajan and Ankur Bhargava @ DroidCon Bangalore 2012

What we stole

The Android Application Package File

All the encrypted files found in the
external storage

© Akash Mahajan DroidCon Bangalore 2012 2

Not only we successfully
the app + data we
it on another
device which was rooted

© Akash Mahajan DroidCon Bangalore 2012 3

Them devs made it more secure?

A device ID check was added

We reversed the applications added our
device ID and compiled it again.

Able to execute again, yay!

© Akash Mahajan DroidCon Bangalore 2012 4

We had written
permission to
steal!

© Akash Mahajan DroidCon Bangalore 2012 6

All your data are belong to us

All the encrypted data was with us

We didn’t have the encryption key

But we had the device with the key in
internal storage

© Akash Mahajan DroidCon Bangalore 2012 7

GONE IN 300 SECONDS

Android Backup API using Android Debug
Bridge because we had the package name.

ADB pull command, YAY!

> adb pull <remote> <local>

© Akash Mahajan DroidCon Bangalore 2012 8

DISCLAIMER

It is not Rocket
Science

Simple common
security testing
© Akash Mahajan DroidCon Bangalore 2012 9

The Simple Hack

We knew find an exploit to root the device
might take some time and skill

Application written for the same version of
Android will run in all devices

© Akash Mahajan DroidCon Bangalore 2012 10

If the device having the
application can’t be
rooted, let us take the
application to the rooted
device.
© Akash Mahajan DroidCon Bangalore 2012 11

The Simple Hack

Once copied to the rooted device we could see
what the application was doing using DDMS.

Dalvik Debug Monitor Server provides among
other things process information about apps
running on a device connected in USB debug
mode.

© Akash Mahajan DroidCon Bangalore 2012 12

The key to everything
In this particular case, the encryption key was
required to decrypt the data.

We didn’t have file permissions to reach the key.

We decided not to go after the key. We weren’t
being paid enough for that.

© Akash Mahajan DroidCon Bangalore 2012 13

The Encryption Conundrum

If you give away your device, the only way you
can ensure safety of the data is by ensuring that
the symmetric encryption key isn’t stolen.

At any given point depending on the application
the key might be available in memory, temp
file/storage or on the chip itself.

© Akash Mahajan DroidCon Bangalore 2012 14

The Encryption Conundrum

But because the device is with the thieves, they
have all the time in the world to find it.

If nothing works, they can always break open
the device and steal the key from the storage.

© Akash Mahajan DroidCon Bangalore 2012 15

FREE CONSULTING /Checklist

Disable USB debugging port

Disable USB itself

Don’t give internet access in the device.

Obfuscate the source code.

Provide a unique key for each device.
© Akash Mahajan DroidCon Bangalore 2012 16

SUCCESS KIDZ

Client felt assured about their device security

Dev had a more secure solution

We get to pretend that we are Android security
experts. We are not, just love the challenge.

© Akash Mahajan DroidCon Bangalore 2012 17

WANTED
DROID CHORS

@ankurbhargava87 @makash

© Akash Mahajan DroidCon Bangalore 2012 18

Mais conteúdo relacionado

Mais procurados

Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...

Consulthinkspa

DevSecOps The Evolution of DevOps

Michael Man

DevSecOps brings security to the DevOps party and it is completely changing the security playbook. This talk will cover 10 practices and patterns we have implemented that bring DevSecOps value to everyone involved. This talk will be loaded with examples that will be usable for developers, security and operations teams and you can take home next week to put into practice. Shannon Lietz, Intuit James WIckett, Signal Sciences RSA Conference 2019

Release Your Inner DevSecOp

James Wickett

The days when financial institutions relied solemnly on proprietary code are over. Today, even the largest financial services firms have realized the benefits of using open source technology to build powerful, innovative applications at a reduced time-to-market. However, the financial services industry faces strict regulatory requirements that present it with a unique set of challenges, especially when it comes to open source usage (both consumption and contribution). FINOS is a non-profit organization whose purpose is to accelerate collaboration and innovation in financial services through the adoption of open source software, standards and best practices. Together with WhiteSource, they are able to provide a safe environment for developers to use open source components freely and fearlessly. Join FINOS and WhiteSource as they discuss: The challenges of open source usage The state of open source vulnerabilities management How FINOS uses WhiteSource to ensure the security and IP compliance of FINOS-produced open source software

Empowering Financial Institutions to Use Open Source With Confidence

WhiteSource

Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...

SecureSoftwareDevOn SecureSoftwareDevOn

The New Security Playbook: DevSecOps

James Wickett

This talk focussed on the challenges facing the DevOps community from the “developers culture perspective” and the consequences of the perceived disinterest in inculcating a complete 360 degrees’ risk mitigation framework in DevOps practices. The talk touched on the legal +Security+Operational Risk of using Open Source in their SDLC, the need for internal customized Open Source policy and a two-step approach to resolve these risks

(Isc)² secure johannesburg

Tunde Ogunkoya

Practical DevSecOps Using Security Instrumentation

VMware Tanzu

Digital Transformation and DevSecOps are the buzzwords du jour. Increasingly, organizations embrace the notion that if you implement DevOps, you must transform security as well. Failing to do so would either leave you insecure or make your security controls negate the speed you aimed to achieve in the first place. So doing DevSecOps is good... but what does it actually mean? This talk unravels what it looks like with practical, good (and bad) examples of companies who are: Securing DevOps technologies - by either adapting or building new solutions that address the new security concerns Securing DevOps methodologies - changing when and how security controls interact with the application and the development process Adapting to a DevOps philosophy of shared ownership for security In the end, you'll have the tools you need to plan your interpretation of DevSecOps, choose the practices and tooling you need to support it, and ensure that Security leadership is playing an important role in making it a real thing in your organization.

Maturing DevSecOps: From Easy to High Impact

SBWebinars

Clean code, dambaan semua developer. Tapi nyatanya, kode kita kerap memiliki keterkaitan yang sangat erat. Pusing kan. Bingung mau mecahin dan cara implementasi Separation of Concern? Apa selama ini kamu copy paste sana-sini yang penting bisa jalan aplikasinya? Solusinya ada Dependency Inversion dan Dependency Injection. Dua prinsip penting ini sama singkatannya tapi beda arti dan implementasinya. Jika disatukan, masalah-masalah di atas, tuntas! Implementasi Separation of Concerns dan Reusability (penggunaan ulang komponen) pun meningkat. Kualitas aplikasi dari segi struktur kode yang dibangun pun, demikian. Mari belajar implementasi keduanya dengan mudah. No pusing. No ribet. Langsung bisa kamu aplikasikan di kodemu. Poin-poin yang akan dibahas mencakup : Pengenalan dan implementasi Dependency Inversion Pengenalan dan Implementasi Dependency Injection dengan cara: 1. Manual; 2. Dagger; 3. Koin.

Meningkatkan SOC dan Reusabillity Kode dengan Duo DI - Sidiq Permana (CIO Nus...

DicodingEvent

10 Myth of DevSecOps

DevOps Indonesia

Have you considered what truly separates accidental vulnerabilities in open source from intentionally malicious releases? Although often grouped together as "vulnerabilities", malicious open source components are very different, right from their very creation through to the way you mitigate and remediate them as an end user. The past 12 months saw a record-breaking time for detection of malicious components in the world's most popular package registries. Join Rhys Arkins, Director of Product at WhiteSource, as he will discuss: The key differences between accidental vulnerabilities and malicious releases, How to manage the risk for each type of vulnerability, Lessons learned from the most interesting malicious packages spotted during 2019.

Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk

WhiteSource

This session will cover the foundations DevSecOps and the application of Chaos Engineering for Cyber Security. We will cover how the craft has evolved by sharing some lessons learned driving digital transformation at the largest healthcare company in the world, UnitedHealth Group. During the session we will talk about DevSecOps, Rugged DevOps, Open Source, and how we pioneered the application of Chaos Engineering to Cyber Security. We will cover how DevSecOps and Security Chaos Engineering allows for teams to proactively experiment on recurring failure patterns in order to derive new information about underlying problems that were previously unknown. The use of Chaos Engineering techniques in DevSecOps pipelines, allows incident response and engineering teams to derive new information about the state of security within the system that was previously unknown. As far as we know Chaos Engineering is one of the only proactive mechanisms for detecting systemic availability and security failures before they manifest into outages, incidents, and breaches. In other words, Security focused Chaos Engineering allows teams to proactively, safely discover system weakness before they disrupt business outcomes.

VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"

Aaron Rinehart

DevOps and the subsequent move bring security in under the umbrella of DevSecOps has created a new an ethos for security. This is good, however moving security and devops closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does= chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.

NewOps Days 2019: The New Ways of Chaos, Security, and DevOps

James Wickett

DefCamp 2013 - Android hacking techniques

DefCamp

Security in the FaaS Lane

James Wickett

Navigating the Unknowable: Resilience through Security Chaos Engineering When applied to Cyber Security, Chaos Engineering is advancing our ability to reveal objective information about the effectiveness of operational security measures proactively through empirical experimentation. In this session we will introduce the core concepts behind this new technique and how you can get started in building and applying it.

RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering

Aaron Rinehart

In this session Aaron will uncover the importance of using Chaos Engineering in developing a learning culture in a DevSecOps world. Aaron will walk us through how to get started with Chaos Engineering for security and how it can be practically applied to enhance system performance, resilience and security. Security focused Chaos Engineering allows engineering teams to derive new information about the state of security within their distributed systems that was previously unknown. This new technique of instrumentation attempts to proactively inject security turbulent conditions or faults into our systems to determine the conditions by which our security will fail so that we can fix it before it causes customer pain. During this session we will cover some key concepts in Safety & Resilience Engineering and how new techniques such as Chaos Engineering are making a difference in improving our ability to learn from incidents proactively before they become destructive.

AllTheTalks Security Chaos Engineering

Aaron Rinehart

DevSecOps Days SF at RSA Conference 2018

DevSecOps Days

Benefits of DevSecOps

Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS

Mais procurados (20)

Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...

DevSecOps The Evolution of DevOps

Release Your Inner DevSecOp

Empowering Financial Institutions to Use Open Source With Confidence

Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...

The New Security Playbook: DevSecOps

(Isc)² secure johannesburg

Practical DevSecOps Using Security Instrumentation

Maturing DevSecOps: From Easy to High Impact

Meningkatkan SOC dan Reusabillity Kode dengan Duo DI - Sidiq Permana (CIO Nus...

10 Myth of DevSecOps

Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk

VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"

NewOps Days 2019: The New Ways of Chaos, Security, and DevOps

DefCamp 2013 - Android hacking techniques

Security in the FaaS Lane

RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering

AllTheTalks Security Chaos Engineering

DevSecOps Days SF at RSA Conference 2018

Benefits of DevSecOps

Semelhante a The real incident of stealing android app data

Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016

Rizal Aditya

Putting real feeling into Android Apps

Peter van der Linden

Android security and penetration testing | DIVA | Yogesh Ojha

Yogesh Ojha

Getting started with Android pentesting

Minali Arora

Securing Android Applications

Infosys

Getting started with android

Vandana Verma

Android_Studio_Structure.docx

KNANTHINIMCA

Building Custom Android Malware BruCON 2013

Stephan Chenette

MobSecCon 2015 - Dynamic Analysis of Android Apps

Ron Munitz

From Reversing to Exploitation

Satria Ady Pradana

Securing User Data with SQLCipher

CommonsWare

YuryMakedonov_TesTrek2013_AndroidTesting_12u_slides

Yury M

Droidcon it-2014-marco-grassi-viaforensics

viaForensics

Secure Android Apps- nVisium Security

Jack Mannino

Android installation & configuration, and create HelloWorld Project

Rakesh Jha

TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...

tdc-globalcode

Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...

Márcio Rosa

From Reversing to Exploitation: Android Application Security in Essence

Satria Ady Pradana

Android tio manual

iamkimberlybruno

Android tio manual

iamkimberlybruno

Semelhante a The real incident of stealing android app data (20)

Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016

Putting real feeling into Android Apps

Android security and penetration testing | DIVA | Yogesh Ojha

Getting started with Android pentesting

Securing Android Applications

Getting started with android

Android_Studio_Structure.docx

Building Custom Android Malware BruCON 2013

MobSecCon 2015 - Dynamic Analysis of Android Apps

From Reversing to Exploitation

Securing User Data with SQLCipher

YuryMakedonov_TesTrek2013_AndroidTesting_12u_slides

Droidcon it-2014-marco-grassi-viaforensics

Secure Android Apps- nVisium Security

Android installation & configuration, and create HelloWorld Project

TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...

Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...

From Reversing to Exploitation: Android Application Security in Essence

Android tio manual

Último

Slack Application Development 101 Slides

praypatel2

BooK Now Call us at +918448380779 to hire a gorgeous and seductive call girl for sex. Take a Delhi Escort Service. The help of our escort agency is mostly meant for men who want sexual Indian Escorts In Delhi NCR. It should be noted that any impersonator will get 100 attention from our Young Girls Escorts in Delhi. They will assume the position of reliable allies. VIP Call Girl With Original Photos Book Tonight +918448380779 Our Cheap Price 1 Hour not available 2 Hours 5000 Full Night 8000 TAG: Call Girls in Delhi, Noida, Gurgaon, Ghaziabad, Connaught Place, Greater Kailash Delhi, Lajpat Nagar Delhi, Mayur Vihar Delhi, Chanakyapuri Delhi, New Friends Colony Delhi, Majnu Ka Tilla, Karol Bagh, Malviya Nagar, Saket, Khan Market, Noida Sector 18, Noida Sector 76, Noida Sector 51, Gurgaon Mg Road, Iffco Chowk Gurgaon, Rajiv Chowk Gurgaon All Delhi Ncr Free Home Deliver

08448380779 Call Girls In Friends Colony Women Seeking Men

Delhi Call girls

Presentation on how to chat with PDF using ChatGPT code interpreter

naman860154

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

What is a good lead in your organisation? Which leads are priority? What happens to leads? When sales and marketing give different answers to these questions, or perhaps aren't sure of the answers at all, frustrations build and opportunities are left on the table. Join us for an illuminating session with Cian McLoughlin, HubSpot Principal Customer Success Manager, as we look at that crucial piece of the customer journey in which leads are transferred from marketing to sales.

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

HampshireHUG

In an era where artificial intelligence (AI) stands at the forefront of business innovation, Information Architecture (IA) is at the core of functionality. See “There’s No AI Without IA” – (from 2016 but even more relevant today) Understanding and leveraging how Information Architecture (IA) supports AI synergies between knowledge engineering and prompt engineering is critical for senior leaders looking to successfully deploy AI for internal and externally facing knowledge processes. This webinar be a high-level overview of the methodologies that can elevate AI-driven knowledge processes supporting both employees and customers. Core Insights Include: Strategic Knowledge Engineering: Delve into how structuring AI's knowledge base is required to prevent hallucinations, enable contextual retrieval of accurate information. This will include discussion of gold standard libraries of use cases support testing various LLMs and structures and configurations of knowledge base. Precision in Prompt Engineering: Learn the art of crafting prompts that direct AI to deliver targeted, relevant responses, thereby optimizing customer experiences and business outcomes. Unified Approach for Enhanced AI Performance: Explore the intersection of knowledge and prompt engineering to develop AI systems that are not only more responsive but also aligned with overarching business strategies. Guiding Principles for Implementation: Equip yourself with best practices, ethical guidelines, and strategic considerations for embedding these technologies into your business ecosystem effectively. This webinar is designed to empower business and technology leaders with the knowledge to harness the full potential of AI, ensuring their organizations not only keep pace with digital transformation but lead the charge. Join us to map a roadmap to fully leverage Information Architecture (IA) and AI chart a course towards a future where AI is a key pillar of strategic innovation and business success.

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx

Earley Information Science

Explore 'The Codex of Business: Writing Software for Real-World Solutions,' a compelling SlideShare presentation that delves into digital transformation in healthcare. Discover through a detailed case study how Agile methodologies empower healthcare providers to develop, iterate, and refine digital solutions that address real-world challenges. Learn how strategic planning, user feedback, and continuous improvement drive success in deploying technologies that enhance patient care and operational efficiency. Ideal for healthcare professionals, IT specialists, and digital transformation advocates seeking actionable insights and practical examples of technology making a real difference.

The Codex of Business Writing Software for Real-World Solutions 2.pptx

Malak Abu Hammad

08448380779 Call Girls In Greater Kailash - I Women Seeking Men

Delhi Call girls

Finology Group – Insurtech Innovation Award 2024

The Digital Insurer

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Tata AIG General Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

Histor y of HAM Radio presentation slide

vu2urc

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

Microsoft's Threat Matrix for Kubernetes helps organizations understand the attack surface a Kubernetes deployment introduces to their environments. This ensures that adequate detections and mitigations are in place. By covering over 40 different attacker techniques, defenders can learn about Kubernetes-specific mitigations and controls to deploy to their environments. In this session, we will explore the MS-TA9013 Host Path Mount technique, which is commonly used by attackers to perform privilege escalation in a Kubernetes cluster. Attendees will learn how attackers and defenders can: * Escape the container's host volume mount to gain persistence on an underlying node * Move laterally from the underlying node into the customer's cloud environment * Analyze Kubernetes audit logs to detect pods deployed with a hostPath mount * Deploy an admission controller that prevents new pods from using a hostPath mount

Breaking the Kubernetes Kill Chain: Host Path Mount

Puma Security, LLC

Real Time Object Detection Using Open CV

Khem

The real incident of stealing android app data

1. The Real Incident of Stealing a Droid App & Data Akash Mahajan and Ankur Bhargava @ DroidCon Bangalore 2012

2. What we stole The Android Application Package File All the encrypted files found in the external storage © Akash Mahajan DroidCon Bangalore 2012 2

3. Not only we successfully the app + data we it on another device which was rooted © Akash Mahajan DroidCon Bangalore 2012 3

4. Them devs made it more secure? A device ID check was added We reversed the applications added our device ID and compiled it again. Able to execute again, yay! © Akash Mahajan DroidCon Bangalore 2012 4

5. THE DROID JOB A standard Chinese made Tablet running Android 4.0 (Indian Brand) The application contained encrypted data along with other resources. © Akash Mahajan DroidCon Bangalore 2012 5

7. All your data are belong to us All the encrypted data was with us We didn’t have the encryption key But we had the device with the key in internal storage © Akash Mahajan DroidCon Bangalore 2012 7

8. GONE IN 300 SECONDS Android Backup API using Android Debug Bridge because we had the package name. ADB pull command, YAY! > adb pull <remote> <local> © Akash Mahajan DroidCon Bangalore 2012 8

10. The Simple Hack We knew find an exploit to root the device might take some time and skill Application written for the same version of Android will run in all devices © Akash Mahajan DroidCon Bangalore 2012 10

11. If the device having the application can’t be rooted, let us take the application to the rooted device. © Akash Mahajan DroidCon Bangalore 2012 11

12. The Simple Hack Once copied to the rooted device we could see what the application was doing using DDMS. Dalvik Debug Monitor Server provides among other things process information about apps running on a device connected in USB debug mode. © Akash Mahajan DroidCon Bangalore 2012 12

13. The key to everything In this particular case, the encryption key was required to decrypt the data. We didn’t have file permissions to reach the key. We decided not to go after the key. We weren’t being paid enough for that. © Akash Mahajan DroidCon Bangalore 2012 13

14. The Encryption Conundrum If you give away your device, the only way you can ensure safety of the data is by ensuring that the symmetric encryption key isn’t stolen. At any given point depending on the application the key might be available in memory, temp file/storage or on the chip itself. © Akash Mahajan DroidCon Bangalore 2012 14

15. The Encryption Conundrum But because the device is with the thieves, they have all the time in the world to find it. If nothing works, they can always break open the device and steal the key from the storage. © Akash Mahajan DroidCon Bangalore 2012 15

16. FREE CONSULTING /Checklist Disable USB debugging port Disable USB itself Don’t give internet access in the device. Obfuscate the source code. Provide a unique key for each device. © Akash Mahajan DroidCon Bangalore 2012 16

17. SUCCESS KIDZ Client felt assured about their device security Dev had a more secure solution We get to pretend that we are Android security experts. We are not, just love the challenge. © Akash Mahajan DroidCon Bangalore 2012 17

The real incident of stealing android app data

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a The real incident of stealing android app data

Semelhante a The real incident of stealing android app data (20)

Último

Último (20)

The real incident of stealing android app data