Hp Fortify Mobile Application Security
  • Smartphones as pocket PCs that extend the desktop experience. The desktop has migrated to the smartphone: everyday desktop activities such as browsing, searching and consuming entertainment are now done on smartphones. Almost 70% use applications to extend their phone’s functionality.
  • Smartphones have become the go-to computing device for both productivity and entertainment alike. Smartphones have become a combination of a Rolodex, PDA, camera, photo album, wallet, game controller, pager, camcorder, television, barcode scanner, GPS device, PC, FM radio, MP3 player, newspaper, book, calculator … in addition to your communication device.
  • It wasn’t long ago that being on the cutting edge of business meant having a website where customers could purchase your products, but that quickly changed. Soon, it wasn’t enough just to have an eCommerce presence: you had to offer an interactive and engaging customer experience (see Web 2.0). Now the standard has shifted once again: in order to truly compete in the modern economy, your business needs to have a mobile storefront on smartphones and tablets. Without this mobile presence, you’ll lose business to competitors who have one.
  • Step one for addressing quality is focusing on application fundamentals. For every IT project, every new application rollout, application change or upgrade, you and your customer need to answer some basic questions: Will the application work in production? Will it scale and perform well under load? And will it be secure? To mitigate business risk, the answer to all three questions has to be “Yes.” HP quality, performance and security testing solutions make it easy to manage the quality management process from start to finish by providing the right tools to verify functionality from the end-user perspective, optimize performance by testing and diagnosing issues under emulated production loads, and validate security.
  • Mobile applications rely on all of these elements. We have a server, a client device, a full-time internet connection, a custom operating system, as well as a local database. These elements comprise a mobile system. Some of them are similar to the challenges of the past and some of them present new challenges unique to mobile.
  • The client-server model is nothing new. Mobile apps are an extension of RIA applications; in general we are dealing with highly customized UIs for input of data. The general attack surface of this model is the same as always: the server. The server is likely a legacy web application that surfaced new APIs or used existing APIs to serve the new client. There is nothing fundamentally different about this.
  • I’ll talk about the first 4 vulnerabilities: 3 communications-related vulns and insecure storage. Katrina will discuss insecure network communication, SQL injection, and overprivileged apps.
  • Let’s take the IMDb app as an example. This app has a feature where the user can get the showtimes for movies in the area. To do this, the app has a component, Showtime Search, that sends information and requests to the component Results UI, which then updates the user’s screen. The display will either update with the latest showtimes or report that there are no shows available.
  • This is an example of what the user might see when the message is sent. The user sees a list of the movie showtimes in the area.
  • The problem is that the IMDb app is sending an implicit Intent to be resolved by the system, which means it can potentially be seen by any application. All a malicious app needs to do is declare that it can handle the same action as the Intent, and it may receive the Intent. In the case of the IMDb app, the attacker can find out that the user is 1) using the IMDb app and 2) looking for showtimes. If the Intent contains any additional data, the attacker can also steal that. Sidenote: another example is a bus application that gives the user information on where the bus is and when it will arrive. In that app, an attacker can eavesdrop on the bus request and determine the user’s location. This is a clear privacy violation.
  • This attack exploits a vulnerability on the receiving side. The problem is that the developer is publicly exposing the receiving component: to be able to receive the implicit Intent, the receiver component is also made public to all applications. This means that any application can send messages to the component, either explicitly or implicitly, and thus it is vulnerable to an intent spoofing attack. In the IMDb example, a malicious app could inject an Intent into the Results UI by sending an implicit or explicit Intent. If the malicious application sends the NoLocationError action, the receiver would report that no showtimes were found.
  • Instead of seeing a display like the one on the left (the showtimes of movies in the area), the user would see no information (on the right), resulting in a denial of service. Bus app: going back to the bus application, an attacker can inject fake bus information into a vulnerable bus component, potentially making the user wait for a bus that never arrives.
  • Like the typical unauthorized intent receipt problem: malicious receipt could leak sensitive data, but sticky broadcasts are special in two ways. They can be sent to all receivers -> can’t be limited by permissions -> accessible to any receiver, including malicious receivers. They persist, and are expected to persist, but can be removed by a malicious app.
  • 3. Even if the new owner (or old owner) does a factory reset, it does not wipe the SD card.
  • Using Wireshark, we sniffed HTTP packets coming from the phone. We can see text and location in this example. BAD.
  • Especially alarming because in a regular web app you can set a preference to use HTTPS, but in a mobile app you can’t.
  • Warning: SQLite methods vulnerable to full SQL injection include delete, execSQL, rawQuery, update, updateWithOnConflict.
  • They may request a permission that sounds relevant to what they are doing. (When registering for an “android.net.wifi.STATE_CHANGE” Intent, they may unnecessarily request the ACCESS_WIFI_STATE permission. Will have an example later.) They may leave a permission in for testing and forget to delete it (or change the design to no longer require that permission and forget to delete it). They may confuse using a protected service with invoking another application to use that service (example later). Due to lack of specificity in Android documentation, some turn to message boards or code snippets. Unfortunately, we have seen some of these incorrectly assert that a permission is required. In a class with getters and setters, it may be that only the setters need permissions. However, we have seen developers add the permission when only using the getters.
  • An application sends an Intent to the Camera application asking it to take a picture. A developer may mistakenly add the “android.permission.CAMERA” permission. It is the Camera application that needs this permission, not the calling application. In this example, App1 is sending an Intent to ask the Camera app to take a picture. It is the Camera application that needs the permission, not App1.

Hp Fortify Mobile Application Security: Presentation Transcript

  • HP Fortify Mobile Application Security. Name, Title, Enterprise Security. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  • The motivation
  • Rise of the mobile machines (chart: global shipments in MM, 2005 to 2013E, of desktop PCs, notebook PCs, smartphones and tablets; Q4 inflection point: smartphones + tablets > PCs. Source: Morgan Stanley Research)
  • The smartphones as pocket PCs (chart: smartphone activities within past week, excluding calls: browsed the internet 81%, used a search engine 77%, used an app 68%, watched videos 48%. Source: The Mobile Movement Study, Google, April 2011)
  • The Swiss army knife of computing: Rolodex, game console, camera, television, calculator, laptop, email, book, internet, GPS
  • The evolution of the modern enterprise: 1990s webpage era, 2000s ecommerce era, 2010s mobile era
  • Mobile represents a huge business opportunity (chart: “Please select the most important benefit that your organization ultimately expects to gain from current or future mobile solutions deployments (whether or not you are currently receiving those benefits)”. Responses, 0 to 30%: improve/enhance worker productivity; increased sales/revenue; improve field service response time; improve competitive advantage/market share; provide ease of information access; improve customer service; decreased costs; offer employees more flexibility; enhance portability within the office or work environment; eliminate paperwork; speed the sales process; provide perception of an advanced company to… N = 600. Source: IDC’s mobile enterprise software survey, 2011)
  • But security is a huge concern (chart: “Which of the following technologies have resulted in an increase in IT security management spending at your organization within past 12 months?” Mobility, virtualization, social networking, VoIP, unified communications, green IT; 0% to 70%. Source: IDC Security as a Service Survey, n = 47, IDC Web Conference, 12 April 2012)
  • A treasure trove of private information. Your smartphone knows you better than you know yourself … and cyber attackers are after your personal records: PINs & passwords, contacts, call history, messages, social networking, visited web sites, mobile banking, personal videos, family photos, documents
  • Threats at all points
      • Client: insecure storage of credentials during installation or execution of the application; improper use of configuration files; use of insecure development libraries
      • Network: insecure data transfer; insecure transmission of data across the network
      • Server: authentication; session management; cross-site scripting; SQL injection; command injection
  • Types of mobile threats
      • Malware: spyware, viruses, trojans, and worms
      • Data Loss and Theft: data lost due to misplaced or stolen mobile devices
      • Direct Attacks: short message service (SMS) and browser exploits
      • Communication Interception: eavesdropping on communications, including emails, texts, voice calls, etc., originating from or being sent to a mobile device
      • Exploitation and Misconduct: the inappropriate use of a mobile device for personal amusement or monetary gain
  • The solution
  • What is mobile? Devices, Connection, Servers
  • Same old client server model: Client (browser), Network, Server
  • Mobile application concerns
      • Does it work? Does the application function as the business intends? Are all features there and working?
      • Does it perform? Will the application perform for all users? Does it meet SLAs in production?
      • Is it secure? Is the application securely coded? Has the application been assessed for known threats?
  • What you need to be concerned about: know where you are using credentials; know what sensitive data is in play; track these through the device, network, and backend server; test all those components
  • HP Fortify mobile application security. End to end mobile security: from the device, to the network, to the backend server.
      • Features: Secure the entire mobile stack, from the mobile device to the server to the communications between the two. Pinpoint with line of code precision the root cause of potential mobile vulnerabilities for any application developed for Apple iOS and Google Android. Complete static language support for Objective C (any Apple mobile device, such as the iPhone or the iPad) and Java, the programming language of Android.
      • Benefits: Ensure your Android and Apple iOS mobile devices are always safe and secure. Protect Android and iOS applications from advanced attacks by removing security vulnerabilities at the source, from software on the mobile device or backend server. Increase development productivity by enabling security to be built into mobile applications, rather than added on after it is deployed into production. Spend valuable development resources and time innovating, instead of firefighting, troubleshooting, and fixing vulnerabilities.
      • Why it matters: The mobile market is huge; global mobile data traffic will increase 26-fold between 2010 and 2015, and over 50% of all Americans currently have a mobile phone (Arc Worldwide). Mobile applications are in their infancy in terms of security awareness. Mobile payments will reach $240 Billion this year; fraud becomes a concern if mobile security is not addressed. In Q4 2011, iOS has 43% of the mobile market share, second to Android at 47% (NPD).
  • Mobile product support. Comprehensive mobile support: four mobile platforms and operating systems; mobile assessment services for the device, network and server; mobile security research group to stay abreast of the latest mobile security threats
  • Mobile assessments (type, what’s included, why use)
      • Full (Hybrid Assessment): Server – All, Auto/Manual/Source; Client – All, Auto/Manual/Source; Network – All, Auto/Manual. Why use: initial releases and annual/periodic/compliance assessments.
      • Mini Hybrid (1 Day Assessment): Client – filesystem analysis, no source code analysis, no malware analysis; Network – basic traffic analysis, no data obfuscation analysis; Server – basic automated scan, no source code review, no logic testing, no advanced injection. Why use: minor releases; supplemental to previous full assessment.
      • Malware Assessment: malware-only assessment – check for malicious code on the client side as well as for suspicious network traffic, e.g. data transmitting to unknown hosts. Why use: internal commercial applications developed by third parties outside corporate control, e.g. Pandora, WSJ.
  • Process integration: integrating security into your established SDLC process. Security Foundations – Mobile Applications. Phases: Plan, Architecture & Design, Requirements, Build, Test, Production. Activities: Mobile Security Training (CBT for Developers), Application Specific Threat Modeling and Analysis, Mobile Secure Coding Standards, Mobile Application Security Assessment (Static, Dynamic, Server, Network, Client), Secure Mobile Development Standards, Threat Modeling, Mobile Firewall, Mobile Application Security Process Wiki, Mobile Risk Dictionary, Design Static Analysis, Mobile Security Policies.
  • Summary: mobile application security
      • 1. Comprehensive mobile application security solutions that proactively identify and eliminate risk in any mobile application, built for any platform or operating system: Apple iOS, Google Android, Microsoft Windows Phone and RIM Blackberry
      • 2. To ensure that all mobile applications are trustworthy, in compliance with any security mandates and safe for consumers and enterprises to use
      • 3. Securing the whole mobile technology stack: from the user and device to the network communications to the backend servers
      • 4. Available on-premise or on-demand, and with professional services
  • 7 Ways to Hang Yourself with Android
  • Google Android Vulnerabilities: 1 Intent hijacking; 2 Intent spoofing; 3 Sticky broadcast tampering; 4 Insecure storage; 5 Insecure network communication; 6 SQL injection; 7 Promiscuous privileges
  • Intent hijacking. Description: malicious app intercepts an intent bound for another app, which can compromise data or alter behavior. Cause: implicit intents (do not require strong permissions to receive). Fix: explicit intents and require special receiver permissions.
  • Intent hijacking, IMDb App: Showtime Search sends an Implicit Intent, Action: willUpdateShowtimes, to Results UI (handles actions: willUpdateShowtimes, showtimesNoLocationError).
  • Intent hijacking, IMDb App with an Eavesdropping App: Showtime Search sends an Implicit Intent, Action: willUpdateShowtimes; Results UI handles actions willUpdateShowtimes, showtimesNoLocationError; the Eavesdropping App’s Malicious Receiver also handles actions willUpdateShowtimes, showtimesNoLocationError.
  • Intent spoofing. Description: malicious app spoofs a legitimate intent, which can inject data or alter behavior. Cause: public components (necessary to receive implicit intents). Fix: use explicit intents and receiver permissions; only perform sensitive operations in private components.
  • Intent spoofing, IMDb App: the Spoofing App sends Action: showtimesNoLocationError to Results UI; Showtime Search sends to Results UI (handles actions: willUpdateShowtimes, showtimesNoLocationError).
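The Showtime Search to Results UI message from the IMDb walkthrough (speaker notes and slides 24 to 29), written out as an added example that is not the deck’s own code: the implicit broadcast the talk describes, then the explicit, permission-protected version. The package com.example.imdb, the class names and the permission com.example.imdb.permission.SHOWTIMES are assumptions.

```java
// Added example (not from the HP Fortify deck). Package, class names and the
// permission name are assumptions; the action strings are the slides' own.
package com.example.imdb;

import android.app.Activity;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;

public class ShowtimeSearchActivity extends Activity {
    static final String ACTION_UPDATE = "willUpdateShowtimes";
    static final String ACTION_NO_LOCATION = "showtimesNoLocationError";
    static final String PERM_SHOWTIMES = "com.example.imdb.permission.SHOWTIMES";

    // VULNERABLE (slides 25-27): an implicit broadcast is resolved by action
    // alone. Any installed app whose receiver filters on willUpdateShowtimes is a
    // candidate recipient and gets the extras too (intent hijacking).
    void publishShowtimesInsecure(String showtimes) {
        Intent i = new Intent(ACTION_UPDATE);
        i.putExtra("showtimes", showtimes);
        sendBroadcast(i);
    }

    // HARDENED (slide 24): name the receiving component so delivery is explicit,
    // and require the receiver to hold a signature-level permission that only
    // apps signed with our release key can obtain.
    void publishShowtimesSecure(String showtimes) {
        Intent i = new Intent(ACTION_UPDATE);
        i.setClass(this, ResultsUiReceiver.class);
        i.putExtra("showtimes", showtimes);
        sendBroadcast(i, PERM_SHOWTIMES);
    }

    /*
     * AndroidManifest.xml for the receiving side (slide 28). Putting the
     * permission on the <receiver> means a *sender* must hold it, which closes
     * the spoofing path: a third-party app cannot inject showtimesNoLocationError.
     * android:exported="false" keeps the component private to this package, so
     * the sensitive update only ever runs on our own Intents.
     *
     *   <permission android:name="com.example.imdb.permission.SHOWTIMES"
     *               android:protectionLevel="signature" />
     *   <uses-permission android:name="com.example.imdb.permission.SHOWTIMES" />
     *
     *   <receiver android:name=".ShowtimeSearchActivity$ResultsUiReceiver"
     *             android:exported="false"
     *             android:permission="com.example.imdb.permission.SHOWTIMES">
     *       <intent-filter>
     *           <action android:name="willUpdateShowtimes" />
     *           <action android:name="showtimesNoLocationError" />
     *       </intent-filter>
     *   </receiver>
     */
    public static class ResultsUiReceiver extends BroadcastReceiver {
        /** Text the Results UI displays for a delivered Intent. */
        static String describe(Intent intent) {
            if (ACTION_UPDATE.equals(intent.getAction())) {
                return intent.getStringExtra("showtimes");
            }
            // showtimesNoLocationError: with the manifest above this branch can
            // only be reached by our own package, not by a spoofing app.
            return "No shows available";
        }

        volatile String lastMessage;

        @Override
        public void onReceive(Context ctx, Intent intent) {
            lastMessage = describe(intent);
        }
    }
}
```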
  • Sticky broadcast tampering. Description: persistent intents used by legitimate apps can be accessed and removed by malicious apps. Cause: BROADCAST_STICKY allows full access to any sticky broadcasts. Fix: use explicit, non-sticky broadcasts protected by receiver permissions.
  • Sticky broadcast tampering, diagram: sticky broadcasts (intents) SB1, SB2, SB3 persist in the system; the Malicious App requests the BROADCAST_STICKY permission and can reach SB2 (?); the Victim App Receiver expects SB2.
  • Insecure storage. Description: local storage is accessible to attackers, which can compromise sensitive data. Cause: local files are world-readable and persist. Fix: SQLite or internal storage for private data; encrypt the data (keep keys off the SD card).
  • Insecure storage, Kindle app: saves e-books (.mbp and .prc) in a folder on the SD card. Depending on DRM, accessible to other apps; saves covers of books (privacy violation); folder is retained after uninstall of the app.
  • Insecure network communication. Description: data sent over unencrypted channels can be intercepted by attackers sniffing the network. Cause: non-HTTPS WebView connections. Fix: ensure sensitive data is only sent over encrypted channels.
  • Insecure network communication, Twitter: tweets are sent in the clear. https://freedom-to-tinker.com/blog/dwallach/things-overheard-wifi-my-android-smartphone
  • Insecure network communication, Facebook: despite the ‘fully encrypted’ option on the Web, the mobile app sends in the clear.
  • SQL injection. Description: allows malicious users to alter or view (query string injection) database records. Cause: untrusted data used to construct a SQL query or clause. Fix: parameterized queries.
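The storage choices behind slides 33 and 34 and the speaker note about factory resets not wiping the SD card, as an added example that is not the deck’s own code: the SD-card write pattern the Kindle slide describes, the internal-storage alternative, and encryption for data that must live on the card with the key kept in internal storage. The class name SecureNotes, the file names and the AES-CBC settings are assumptions.

```java
// Added example (not from the HP Fortify deck). Class and file names and the
// cipher settings are assumptions; the points it illustrates are the slides'.
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class SecureNotes {
    private static final String KEY_FILE = "notes.key";   // internal storage only

    // VULNERABLE (the Kindle pattern on slide 34): the SD card has no per-app
    // permissions, so the file is readable by every app that can read the card,
    // it survives uninstall, and a factory reset does not wipe it.
    static File writeToSdCardInsecure(String name, byte[] data) throws IOException {
        File dir = new File(Environment.getExternalStorageDirectory(), "notes");
        dir.mkdirs();
        File f = new File(dir, name);
        FileOutputStream out = new FileOutputStream(f);
        try { out.write(data); } finally { out.close(); }
        return f;
    }

    // HARDENED (slide 33, "internal storage for private data"): MODE_PRIVATE puts
    // the file under the app's own data directory, readable only by the app's
    // uid, and the platform deletes it when the app is uninstalled.
    static void writeInternal(Context ctx, String name, byte[] data) throws IOException {
        FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE);
        try { out.write(data); } finally { out.close(); }
    }

    // Data that has to go on the SD card is encrypted first; the key stays in
    // internal storage ("keep keys off the SD"). Output is IV || ciphertext.
    // CBC gives confidentiality only: add an HMAC over the output, or use
    // AES/GCM where the platform provides it, if tampering must be detected.
    static byte[] encryptForSdCard(Context ctx, byte[] plaintext)
            throws IOException, GeneralSecurityException {
        SecretKey key = loadOrCreateKey(ctx);
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);               // fresh IV per file
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // The key file is created once with MODE_PRIVATE and never copied to the card.
    private static SecretKey loadOrCreateKey(Context ctx)
            throws IOException, GeneralSecurityException {
        File keyFile = new File(ctx.getFilesDir(), KEY_FILE);
        if (keyFile.exists()) {
            byte[] raw = new byte[16];
            FileInputStream in = ctx.openFileInput(KEY_FILE);
            try {
                if (in.read(raw) != raw.length) throw new IOException("short key file");
            } finally { in.close(); }
            return new SecretKeySpec(raw, "AES");
        }
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        writeInternal(ctx, KEY_FILE, key.getEncoded());
        return key;
    }
}
```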
  • SQL injection, vulnerable query (every input is concatenated into the SQL text):
        c = invoicesDB.query(
                "invoices", columns,
                "productCategory = '" + productCategory + "' and customerID = " + customerID,
                null, null, null,
                sortColumn,
                null);
  • SQL injection, expected inputs and resulting query:
        productCategory = Fax Machines
        customerID = 12345678
        sortColumn = price
        select * from invoices where productCategory = 'Fax Machines' and customerID = 12345678 order by price
  • SQL injection, malicious inputs and resulting query:
        productCategory = Fax Machines or productCategory = "
        customerID = 12345678
        sortColumn = " order by 'price
        select * from invoices where productCategory = Fax Machines or productCategory = " ' and customerID = ' 12345678 order by ' " order by price
  • SQL injection, fixed with a parameterized query (values are bound through selectionArgs; the ORDER BY column is an identifier and cannot be bound with ?, so it must be checked against an allow-list of column names before use):
        c = invoicesDB.query(
                "invoices", columns,
                "productCategory = ? and customerID = ?",
                new String[] {productCategory, customerID},
                null, null,
                sortColumn,   // validated against an allow-list, never taken raw from input
                null);
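The invoices lookup from slides 39 to 42 written out on android.database.sqlite.SQLiteDatabase, as an added example that is not the deck’s own code; it also covers the methods the speaker notes list (delete, execSQL, rawQuery, update, updateWithOnConflict), which carry the same hazard whenever they are handed a concatenated clause. The table and column names are the slides’; the allow-list of sort columns and the class name InvoiceQueries are assumptions.

```java
// Added example (not from the HP Fortify deck). Table/column names are the
// slides' own; the allow-list and class name are assumptions.
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class InvoiceQueries {
    private static final String[] COLUMNS = {"id", "productCategory", "customerID", "price"};

    // ORDER BY takes an identifier, not a value, so it cannot be bound with '?'.
    // The only safe way to let the caller choose it is a fixed set of names.
    private static final Set<String> SORT_COLUMNS =
            new HashSet<String>(Arrays.asList("price", "customerID", "productCategory"));

    // VULNERABLE (slide 39): all three inputs land in the SQL text. A quote and an
    // OR in productCategory rewrites the WHERE clause (slide 41), and sortColumn
    // is spliced unquoted into ORDER BY. rawQuery, execSQL, delete, update and
    // updateWithOnConflict are just as exposed when given a built-up string.
    static Cursor findInvoicesInsecure(SQLiteDatabase db, String productCategory,
                                       String customerID, String sortColumn) {
        return db.query("invoices", COLUMNS,
                "productCategory = '" + productCategory + "' and customerID = " + customerID,
                null, null, null, sortColumn, null);
    }

    // HARDENED (slide 42): values travel as selectionArgs, which SQLite binds as
    // literals, so quotes in productCategory are data rather than syntax. The
    // numeric id is typed, and the sort column is rejected unless allow-listed.
    static Cursor findInvoices(SQLiteDatabase db, String productCategory,
                               long customerID, String sortColumn) {
        if (!SORT_COLUMNS.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortColumn);
        }
        return db.query("invoices", COLUMNS,
                "productCategory = ? and customerID = ?",
                new String[] {productCategory, Long.toString(customerID)},
                null, null, sortColumn, null);
    }

    // The same rule for the write-side methods the notes warn about: a WHERE
    // clause with placeholders plus whereArgs, never string concatenation.
    static int deleteInvoice(SQLiteDatabase db, long invoiceId, long customerID) {
        return db.delete("invoices", "id = ? and customerID = ?",
                new String[] {Long.toString(invoiceId), Long.toString(customerID)});
    }
}
```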
  • Promiscuous privileges. Description: requesting unneeded permissions permits privilege escalation attacks and desensitizes users. Cause: deputies, artifacts from testing, confusion (inaccurate/incomplete resources). Fix: identify unnecessary permissions.
  • Promiscuous privileges, diagram: the User App (does NOT need the CAMERA permission) wants a picture and sends an Implicit Intent, Action: IMAGE_CAPTURE; the Camera App (needs the CAMERA permission) handles Action: IMAGE_CAPTURE and takes the picture.
  • Promiscuous privileges, third hit on Google search: not true for android.net.wifi.STATE_CHANGE. http://stackoverflow.com/questions/2676044/broadcast-intent-when-network-state-has-changend
  • Empirical Results: DEFCON ‘11 (vulnerability type, % of apps with > 1)
      • 1. Intent Hijacking: 50%
      • 2. Intent Spoofing: 40%
      • 3. Sticky Broadcast Tampering: 6%
      • 4. Insecure Storage: 28%
      • 5. Insecure Communication: N/A
      • 6. SQL Injection: 17%
      • 7. Promiscuous Privileges: 31%
  • Thank You