The real incident of stealing android app data

•Download as PPTX, PDF•

0 likes•416 views

This is a beginner level talk/lecture about how we managed to steal data, bypass security controls and steal the source code of an Android application which was supposed to be secure. Technically what we managed to do isn't ground breaking, but due to a combination of reasons we were able to radically change the security of the Android app for the better.

Technology

The Real Incident of
Stealing
a Droid App & Data

Akash Mahajan and Ankur Bhargava @ DroidCon Bangalore 2012

What we stole

The Android Application Package File

All the encrypted files found in the
external storage

© Akash Mahajan DroidCon Bangalore 2012 2

Not only we successfully
the app + data we
it on another
device which was rooted

© Akash Mahajan DroidCon Bangalore 2012 3

Them devs made it more secure?

A device ID check was added

We reversed the applications added our
device ID and compiled it again.

Able to execute again, yay!

© Akash Mahajan DroidCon Bangalore 2012 4

We had written
permission to
steal!

© Akash Mahajan DroidCon Bangalore 2012 6

All your data are belong to us

All the encrypted data was with us

We didn’t have the encryption key

But we had the device with the key in
internal storage

© Akash Mahajan DroidCon Bangalore 2012 7

GONE IN 300 SECONDS

Android Backup API using Android Debug
Bridge because we had the package name.

ADB pull command, YAY!

> adb pull <remote> <local>

© Akash Mahajan DroidCon Bangalore 2012 8

DISCLAIMER

It is not Rocket
Science

Simple common
security testing
© Akash Mahajan DroidCon Bangalore 2012 9

The Simple Hack

We knew find an exploit to root the device
might take some time and skill

Application written for the same version of
Android will run in all devices

© Akash Mahajan DroidCon Bangalore 2012 10

If the device having the
application can’t be
rooted, let us take the
application to the rooted
device.
© Akash Mahajan DroidCon Bangalore 2012 11

The Simple Hack

Once copied to the rooted device we could see
what the application was doing using DDMS.

Dalvik Debug Monitor Server provides among
other things process information about apps
running on a device connected in USB debug
mode.

© Akash Mahajan DroidCon Bangalore 2012 12

The key to everything
In this particular case, the encryption key was
required to decrypt the data.

We didn’t have file permissions to reach the key.

We decided not to go after the key. We weren’t
being paid enough for that.

© Akash Mahajan DroidCon Bangalore 2012 13

The Encryption Conundrum

If you give away your device, the only way you
can ensure safety of the data is by ensuring that
the symmetric encryption key isn’t stolen.

At any given point depending on the application
the key might be available in memory, temp
file/storage or on the chip itself.

© Akash Mahajan DroidCon Bangalore 2012 14

The Encryption Conundrum

But because the device is with the thieves, they
have all the time in the world to find it.

If nothing works, they can always break open
the device and steal the key from the storage.

© Akash Mahajan DroidCon Bangalore 2012 15

FREE CONSULTING /Checklist

Disable USB debugging port

Disable USB itself

Don’t give internet access in the device.

Obfuscate the source code.

Provide a unique key for each device.
© Akash Mahajan DroidCon Bangalore 2012 16

SUCCESS KIDZ

Client felt assured about their device security

Dev had a more secure solution

We get to pretend that we are Android security
experts. We are not, just love the challenge.

© Akash Mahajan DroidCon Bangalore 2012 17

WANTED
DROID CHORS

@ankurbhargava87 @makash

© Akash Mahajan DroidCon Bangalore 2012 18

Your organization has already embraced the DevOps methodology? That’s a great start. But what about security? It’s a fact - many organizations fear that adding security to their DevOps practices will severely slow down their development processes. But this doesn’t need to be the case. Tune in to hear Jeff Martin, Senior Director of Product at WhiteSource and Anders Wallgren, VP of Technology Strategy at Cloudbees, as they discuss: - Why traditional DevOps has shifted, and what this will mean - Who should own security in the age of DevOps - Which tools and strategies are needed to implement continuous security throughout the DevOps pipeline

DevSecOps: A New Hope for Security in CI/CD

Franklin Mosley

Organizations today are utilizing DevOps to accelerate the software development and deployment pace with the goal of releasing better quality software more reliably. But as more high profile data breaches occur they help to awaken interest in how to integrate security into this practice without inhibiting the DevOps agility. Let's face it, attacks on web applications have become a menace, and the volume of data breaches caused by them is rapidly rising each year. Rogue actors are taking advantage of the weaknesses in our software and processes. How do we strike back against this? Enter a new hope: DevSecOps! DevSecOps is the solution that is talked about, but not always understood. In this talk, we discuss: * What is DevSecOps * Changing the security mindset * The Do's and Don'ts for success

Tackling the Container Iceberg:How to approach security when most of your sof...

WhiteSource

Container images are based on many direct and indirect open source dependencies, which most developers are not aware of. What are the security implications of only seeing the tip of the iceberg? What are the challenges one faces when relying so heavily on open source? And how can teams overcome these? Join Codefresh and WhiteSource, as they embark on a journey to tackle: The container iceberg - learn what are your blind spots The main security challenges when using open source in containerized applications The role of automation in open source security in containers A live demo showing how WhiteSource & Codefresh can allow you to automate open source security in containers throughout the DevOps pipeline

Scale DevSecOps with your Continuous Integration Pipeline

DevOps.com

Hear from AppSec and Development leaders on how they apply the principles of DevOps to deliver secure products and services to customers. Learn how you can scale your DevSecOps initiatives to reduce time-to-deployment and lower costs as you deliver secure software. During this webinar, you will learn about the latest tools and techniques that will enable your development teams to embed security scanning into your IDE as you are coding, returning most scans in seconds – all while integrating into your CI pipeline. Our speaker will provide: An overview of Veracode Greenlight and its integrations with developer tools; A summary of recent Greenlight use cases and successes; Examples of how Greenlight integrates into your CI pipeline

Google Glass - An Intro presentation to conduct code lab events.

getdinesh

This document provides an overview of Google Glass and how to develop applications for it. It discusses what Glass is, what its capabilities are like integrated display, camera, and battery. It then explains the application model and user experience, covering gestures and the timeline card. The document dives into developing applications using the Mirror API and Glass Development Kit (GDK), including required tools, testing environments, code snippets, and steps to create a sample compass app. It addresses implementing voice commands and handling gestures within a GDK application.

Defining DevSecOps

Uchit Vyas ☁

Today everybody wants to deploy the app and infrastructure faster without any disputes. An Even, Agile framework can help to deploy faster in real-time. But Continuous Innovation may conflict with stability and security. Without security at every stage, DevOps merely introduces vulnerabilities into application quickly. To resolve such conflict, the gap in recursive feedback loops need to be eliminated. Mostly, teams are not effectively working in a collaboration and interacting with each other smoothly. This results in gaps and produce problems with code development and quality, meaning slower delivery plans and serious vulnerabilities that create security risk at most. Fortunately, these shortcomings can be addressed very well, as developers/testers are set to launch off into the DevSecOps world or via adopting rugged DevOps model.

DevSecOps Singapore 2017 - Security in the Delivery Pipeline

James Wickett

DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape

DevSecCon

Cameron Townshend from Sonatype discusses securing software supply chains and the need for DevSecOps. He notes that 52% of Fortune 500 companies from 2000 are no longer around and that businesses are under attack. Townshend advocates treating software development like a manufacturing process by carefully vetting all components for quality and security. He highlights statistics showing the prevalence of vulnerabilities and breaches related to open source components. Townshend argues that organizations must automate security checks and remediation to keep pace with adversaries exploiting vulnerabilities within days.

This document discusses Android key management and cryptography. It covers symmetric and asymmetric encryption algorithms like AES and RSA. It describes using the Android Keystore to securely store cryptographic keys and how PBKDF2 can be used to derive keys from passwords. It also demonstrates how apps can be reversed to extract hardcoded keys and discusses more secure alternatives like storing keys on a server.

DevSecOps The Evolution of DevOps

Michael Man

Release Your Inner DevSecOp

James Wickett

DevSecOps brings security to the DevOps party and it is completely changing the security playbook. This talk will cover 10 practices and patterns we have implemented that bring DevSecOps value to everyone involved. This talk will be loaded with examples that will be usable for developers, security and operations teams and you can take home next week to put into practice. Shannon Lietz, Intuit James WIckett, Signal Sciences RSA Conference 2019

Empowering Financial Institutions to Use Open Source With Confidence

WhiteSource

The days when financial institutions relied solemnly on proprietary code are over. Today, even the largest financial services firms have realized the benefits of using open source technology to build powerful, innovative applications at a reduced time-to-market. However, the financial services industry faces strict regulatory requirements that present it with a unique set of challenges, especially when it comes to open source usage (both consumption and contribution). FINOS is a non-profit organization whose purpose is to accelerate collaboration and innovation in financial services through the adoption of open source software, standards and best practices. Together with WhiteSource, they are able to provide a safe environment for developers to use open source components freely and fearlessly. Join FINOS and WhiteSource as they discuss: The challenges of open source usage The state of open source vulnerabilities management How FINOS uses WhiteSource to ensure the security and IP compliance of FINOS-produced open source software

Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...

SecureSoftwareDevOn SecureSoftwareDevOn

The New Security Playbook: DevSecOps

James Wickett

(Isc)² secure johannesburg

Tunde Ogunkoya

This talk focussed on the challenges facing the DevOps community from the “developers culture perspective” and the consequences of the perceived disinterest in inculcating a complete 360 degrees’ risk mitigation framework in DevOps practices. The talk touched on the legal +Security+Operational Risk of using Open Source in their SDLC, the need for internal customized Open Source policy and a two-step approach to resolve these risks

Practical DevSecOps Using Security Instrumentation

VMware Tanzu

Maturing DevSecOps: From Easy to High Impact

SBWebinars

Digital Transformation and DevSecOps are the buzzwords du jour. Increasingly, organizations embrace the notion that if you implement DevOps, you must transform security as well. Failing to do so would either leave you insecure or make your security controls negate the speed you aimed to achieve in the first place. So doing DevSecOps is good... but what does it actually mean? This talk unravels what it looks like with practical, good (and bad) examples of companies who are: Securing DevOps technologies - by either adapting or building new solutions that address the new security concerns Securing DevOps methodologies - changing when and how security controls interact with the application and the development process Adapting to a DevOps philosophy of shared ownership for security In the end, you'll have the tools you need to plan your interpretation of DevSecOps, choose the practices and tooling you need to support it, and ensure that Security leadership is playing an important role in making it a real thing in your organization.

Meningkatkan SOC dan Reusabillity Kode dengan Duo DI - Sidiq Permana (CIO Nus...

DicodingEvent

This document discusses dependency injection (DI) and dependency inversion as techniques for improving software design. It explains that DI provides objects their dependencies rather than having them instantiate dependencies directly. This loosens coupling between objects. Dependency inversion defines objects by their abstractions rather than concretions, making objects more adaptable to change. The document provides examples of implementing DI using libraries like Koin and discusses how DI and dependency inversion together can improve software qualities like reusability and maintainability.

10 Myth of DevSecOps

DevOps Indonesia

1) The document discusses 10 common myths about DevSecOps, including that DevSecOps is not just DevOps, that organizations do not need to be agile to implement DevSecOps, and that DevSecOps is not just about speed and deploying anywhere. 2) It notes that implementing DevSecOps successfully requires having a culture of automation, measurement, and sharing. Organizations also need to learn about continuous integration/continuous delivery as DevSecOps cannot be implemented without DevOps. 3) The presentation concludes by emphasizing the importance of collaboration, noting the quote "Alone we are smart, together we are brilliant."

Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk

WhiteSource

Have you considered what truly separates accidental vulnerabilities in open source from intentionally malicious releases? Although often grouped together as "vulnerabilities", malicious open source components are very different, right from their very creation through to the way you mitigate and remediate them as an end user. The past 12 months saw a record-breaking time for detection of malicious components in the world's most popular package registries. Join Rhys Arkins, Director of Product at WhiteSource, as he will discuss: The key differences between accidental vulnerabilities and malicious releases, How to manage the risk for each type of vulnerability, Lessons learned from the most interesting malicious packages spotted during 2019.

VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"

Aaron Rinehart

This document provides an overview of a presentation on chaos engineering and security chaos engineering. The presentation covers United Health Group's journey to rugged DevOps, combating complexity in software, and approaches to chaos engineering and security chaos engineering. Specific topics discussed include automated security configuration and validation using Chef and Inspec, using Gauntlt for automated vulnerability scanning, lessons learned from DevOps transformations, and examples of chaos engineering experiments and game days.

NewOps Days 2019: The New Ways of Chaos, Security, and DevOps

James Wickett

DevOps and the subsequent move bring security in under the umbrella of DevSecOps has created a new an ethos for security. This is good, however moving security and devops closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does= chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.

DefCamp 2013 - Android hacking techniques

DefCamp

The document discusses various Android hacking techniques, including repackaging APK files for white hat, grey hat, and black hat purposes. It describes how to decompile, modify, and repackage an APK to add new functionality or permissions. Grey hat techniques involve adding advertising SDKs while black hat repackaging may include stealing sensitive user data or code. The document also describes exploiting vulnerabilities in the Applovin advertising framework update process to replace legitimate updates with malicious versions.

Security in the FaaS Lane

James Wickett

RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering

Aaron Rinehart

Navigating the Unknowable: Resilience through Security Chaos Engineering When applied to Cyber Security, Chaos Engineering is advancing our ability to reveal objective information about the effectiveness of operational security measures proactively through empirical experimentation. In this session we will introduce the core concepts behind this new technique and how you can get started in building and applying it.

AllTheTalks Security Chaos Engineering

Aaron Rinehart

In this session Aaron will uncover the importance of using Chaos Engineering in developing a learning culture in a DevSecOps world. Aaron will walk us through how to get started with Chaos Engineering for security and how it can be practically applied to enhance system performance, resilience and security. Security focused Chaos Engineering allows engineering teams to derive new information about the state of security within their distributed systems that was previously unknown. This new technique of instrumentation attempts to proactively inject security turbulent conditions or faults into our systems to determine the conditions by which our security will fail so that we can fix it before it causes customer pain. During this session we will cover some key concepts in Safety & Resilience Engineering and how new techniques such as Chaos Engineering are making a difference in improving our ability to learn from incidents proactively before they become destructive.

DevSecOps Days SF at RSA Conference 2018

DevSecOps Days

Benefits of DevSecOps

Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS

Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016

Rizal Aditya

Putting real feeling into Android Apps

Peter van der Linden

What's hot

Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...

Consulthinkspa

DevSecOps The Evolution of DevOps

Michael Man

Release Your Inner DevSecOp

James Wickett

Empowering Financial Institutions to Use Open Source With Confidence

WhiteSource

Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...

SecureSoftwareDevOn SecureSoftwareDevOn

The New Security Playbook: DevSecOps

James Wickett

(Isc)² secure johannesburg

Tunde Ogunkoya

Practical DevSecOps Using Security Instrumentation

VMware Tanzu

Maturing DevSecOps: From Easy to High Impact

SBWebinars

Meningkatkan SOC dan Reusabillity Kode dengan Duo DI - Sidiq Permana (CIO Nus...

DicodingEvent

10 Myth of DevSecOps

DevOps Indonesia

Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk

WhiteSource

VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"

Aaron Rinehart

NewOps Days 2019: The New Ways of Chaos, Security, and DevOps

James Wickett

DefCamp 2013 - Android hacking techniques

DefCamp

Security in the FaaS Lane

James Wickett

RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering

Aaron Rinehart

AllTheTalks Security Chaos Engineering

Aaron Rinehart

DevSecOps Days SF at RSA Conference 2018

DevSecOps Days

Benefits of DevSecOps

Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS

What's hot (20)

Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...

DevSecOps The Evolution of DevOps

Release Your Inner DevSecOp

Empowering Financial Institutions to Use Open Source With Confidence

Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...

The New Security Playbook: DevSecOps

(Isc)² secure johannesburg

Practical DevSecOps Using Security Instrumentation

Maturing DevSecOps: From Easy to High Impact

Meningkatkan SOC dan Reusabillity Kode dengan Duo DI - Sidiq Permana (CIO Nus...

10 Myth of DevSecOps

Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk

VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"

NewOps Days 2019: The New Ways of Chaos, Security, and DevOps

DefCamp 2013 - Android hacking techniques

Security in the FaaS Lane

RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering

AllTheTalks Security Chaos Engineering

DevSecOps Days SF at RSA Conference 2018

Benefits of DevSecOps

Similar to The real incident of stealing android app data

Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016

Rizal Aditya

Putting real feeling into Android Apps

Peter van der Linden

Android security and penetration testing | DIVA | Yogesh Ojha

Yogesh Ojha

This document provides an overview of Android security and penetration testing. It discusses the Android runtime environment and application fundamentals. It then examines the contents of an Android APK file, including the AndroidManifest.xml and code files. The document outlines the Android sandbox security model and various tools for decompiling and analyzing APKs. It introduces the DIVA vulnerable Android app and demonstrates several common security issues like insecure data storage, input validation problems, and ways to capture network traffic.

Getting started with Android pentesting

Minali Arora

Minali Arora is a cyber security professional with 6 years of experience in application and network pentesting, bash scripting, and red teaming. She is also a part-time bug bounty hunter and blogger. The document discusses Android security architecture, testing methodologies, common vulnerabilities, and security tips for developers. It covers topics such as Android security model, application components, static and dynamic testing tools, and the OWASP top 10.

Securing Android Applications

Infosys

This document provides an overview and agenda for securing Android applications. It discusses working with the Android SDK and emulator, setting up the vulnerable GoatDroid application, analyzing application memory and traffic, reverse engineering Android apps, and analyzing SQLite databases. It also demonstrates analyzing the GoatDroid and ExploitMe applications using tools like Burp Suite, SQLite Browser, and Agnitio. The document contains information on Android architecture, developing for Android, common vulnerabilities, and techniques for auditing Android security.

Getting started with android

Vandana Verma

Minali Arora is a cyber security professional with 6 years of experience in application and network pentesting, bash scripting, and red teaming. She also works as a part-time bug bounty hunter and blogger. The document discusses Android security architecture, which uses UID separation and sandboxing to isolate apps from each other. It describes tools used for static and dynamic Android application testing such as apktool, dex2jar, and Drozer. Common vulnerabilities found include OTP bypass, authentication bypass, and privilege escalation. The document provides tips for developers to store data safely, enforce secure communication, and implement least privilege permissions.

Android_Studio_Structure.docx

KNANTHINIMCA

Java is used for Android application development because it was chosen as the primary development language for the Android platform. Developers write Java code that interacts with the Android API and compiles into DEX code to run on the Dalvik Virtual Machine. The key components of an Android application are activities, services, broadcast receivers, and content providers which are declared in the AndroidManifest.xml file. The application code, resources, and manifest are bundled into an APK file that can be installed and run on Android devices.

Building Custom Android Malware BruCON 2013

Stephan Chenette

An expert in custom Android malware for penetration testing discussed building custom malware to bypass security controls. The speaker outlined their methodology which included researching existing malware techniques, probing the environment, uploading unmodified malware, and creating altered versions to evade detection. The talk covered functionality like autostarting, collecting device data, and communicating with command and control servers. Various scenarios were proposed like using vulnerable libraries or requesting all permissions to test security controls.

MobSecCon 2015 - Dynamic Analysis of Android Apps

Ron Munitz

From Reversing to Exploitation

Satria Ady Pradana

Securing User Data with SQLCipher

CommonsWare

This document provides an overview and summary of a workshop on securing user data with SQLCipher. The workshop covers who is at risk of having their device data compromised, techniques for offense and defense including full-disk encryption and SQLCipher, hands-on exercises for integrating SQLCipher, and encrypting shared preferences, files, and communications. It also discusses strategies for passphrase entry and multi-factor authentication to improve security.

YuryMakedonov_TesTrek2013_AndroidTesting_12u_slides

Yury M

This document provides an outline for a workshop on testing Android applications. The workshop is intended for testers with experience testing other types of applications who are new to mobile. The outline includes an introduction to the presenter's background in testing including an Android to-do list app. It also covers general testing approaches, installation of Android apps, fragmentation issues, accessing app data, tools for testing, and sources of additional test ideas.

Droidcon it-2014-marco-grassi-viaforensics

viaForensics

Marco Grassi gives a presentation on reverse engineering, penetration testing, and hardening Android apps. The presentation covers techniques for reverse engineering APKs, dealing with obfuscation, tamper detection, securing network communications, attacks on IPC, and more advanced topics like runtime manipulation. Real-world examples are provided to demonstrate vulnerabilities found in apps and how they can be exploited.

Secure Android Apps- nVisium Security

Jack Mannino

The document provides an overview of securing Android applications according to the OWASP (Open Web Application Security Project) approach. It discusses the OWASP Mobile Security Project, performs a crash course on Android architecture and essentials, demonstrates threat modeling for Android apps, reviews the top 10 mobile risks and associated controls from OWASP, and provides resources for further information.

Android installation & configuration, and create HelloWorld Project

Rakesh Jha

TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...

tdc-globalcode

Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...

Márcio Rosa

Android_Malware_IOAsis_2014_Analysis.pdf

jjb117343

From Reversing to Exploitation: Android Application Security in Essence

Satria Ady Pradana

This document discusses techniques for analyzing and exploiting Android applications. It begins by explaining why security is important given people's growing dependency on digital technology and mobile devices. It then discusses decompiling APK files and using tools like Apktool, Dex2Jar, and decompilers to view an app's code. The document also covers using proxies like Burp Suite and Frida to intercept network traffic and manipulate app behavior at runtime. The goal is usually to obtain sensitive data, bypass restrictions, or modify the app. Examples of scenarios explored include tampering with network requests, bypassing security checks, and decrypting encrypted data.

Android tio manual

iamkimberlybruno

The document provides instructions for installing the Android SDK which includes installing Java, setting up the Eclipse folder, installing the Android SDK installer, replacing the android-sdk folder, running Eclipse IDE, detecting API levels, and creating a new virtual device. The key steps are installing Java, copying the Eclipse folder, running the Android SDK installer, replacing the android-sdk folder, launching Eclipse IDE, using the SDK manager to detect API levels, and creating a new virtual device using the AVD manager.

Similar to The real incident of stealing android app data (20)

Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016

Putting real feeling into Android Apps

Android security and penetration testing | DIVA | Yogesh Ojha

Getting started with Android pentesting

Securing Android Applications

Getting started with android

Android_Studio_Structure.docx

Building Custom Android Malware BruCON 2013

MobSecCon 2015 - Dynamic Analysis of Android Apps

From Reversing to Exploitation

Securing User Data with SQLCipher

YuryMakedonov_TesTrek2013_AndroidTesting_12u_slides

Droidcon it-2014-marco-grassi-viaforensics

Secure Android Apps- nVisium Security

Android installation & configuration, and create HelloWorld Project

TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...

Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...

Android_Malware_IOAsis_2014_Analysis.pdf

From Reversing to Exploitation: Android Application Security in Essence

Android tio manual

Recently uploaded

Astute Business Solutions | Oracle Cloud Partner |

AstuteBusiness

Generating privacy-protected synthetic data using Secludy and Milvus

Zilliz

During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.

Main news related to the CCS TSI 2023 (2023/1695)

Jakub Marek

An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers. The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 . The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .

5th LF Energy Power Grid Model Meet-up Slides

DanBrown980551

5th Power Grid Model Meet-up It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology. Power Grid Model The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services. Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability. Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization. What to expect For the upcoming meetup we are organizing, we have an exciting lineup of activities planned: -Insightful presentations covering two practical applications of the Power Grid Model. -An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024. -An interactive brainstorming session to discuss and propose new feature requests. -An opportunity to connect with fellow Power Grid Model enthusiasts and users.

Harnessing the Power of NLP and Knowledge Graphs for Opioid Research

Neo4j

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...

saastr

"Choosing proper type of scaling", Olena Syrota

Fwdays

June Patch Tuesday

Ivanti

Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.

Mutation Testing for Task-Oriented Chatbots

Pablo Gómez Abajo

Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots. To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.

Columbus Data & Analytics Wednesdays - June 2024

Jason Packer

Nordic Marketo Engage User Group_June 13_ 2024.pptx

MichaelKnudsen27

Dandelion Hashtable: beyond billion requests per second on a commodity server

Antonios Katsarakis

This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).

GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph

Neo4j

Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors

DianaGray10

Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more. The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications. We’ll discuss and demo the benefits of UiPath Apps and connectors including: Creating a compelling user experience for any software, without the limitations of APIs. Accelerating the app creation process, saving time and effort Enjoying high-performance CRUD (create, read, update, delete) operations, for seamless data management. Speakers: Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP Charlie Greenberg, host

Introduction of Cybersecurity with OSS at Code Europe 2024

Hiroshi SHIBATA

I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems. The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS. Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application. I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.

Principle of conventional tomography-Bibash Shahi ppt..pptx

BibashShahi

9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...

saastr

Monitoring and Managing Anomaly Detection on OpenShift.pdf

Tosin Akinosho

Monitoring and Managing Anomaly Detection on OpenShift Overview Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices. Key Topics Covered 1. Introduction to Anomaly Detection - Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems. 2. Understanding Edge (IoT) - Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source. 3. What is ArgoCD? - Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices. 4. Deployment Using ArgoCD for Edge Devices - Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD. 5. Introduction to Apache Kafka and S3 - Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions. 6. Viewing Kafka Messages in the Data Lake - Learn how to view and analyze Kafka messages stored in a data lake for better insights. 7. What is Prometheus? - Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices. 8. Monitoring Application Metrics with Prometheus - Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system. 9. What is Camel K? - Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes. 10. Configuring Camel K Integrations for Data Pipelines - Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow. 11. What is a Jupyter Notebook? - Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text. 12. Jupyter Notebooks with Code Examples - Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.

What is an RPA CoE? Session 1 – CoE Vision

DianaGray10

AppSec PNW: Android and iOS Application Security with MobSF

Ajin Abraham

Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application. This talk covers: Using MobSF for static analysis of mobile applications. Interactive dynamic security assessment of Android and iOS applications. Solving Mobile app CTF challenges. Reverse engineering and runtime analysis of Mobile malware. How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.

Recently uploaded (20)

Astute Business Solutions | Oracle Cloud Partner |

Generating privacy-protected synthetic data using Secludy and Milvus

Main news related to the CCS TSI 2023 (2023/1695)

5th LF Energy Power Grid Model Meet-up Slides

Harnessing the Power of NLP and Knowledge Graphs for Opioid Research

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...

"Choosing proper type of scaling", Olena Syrota

June Patch Tuesday

Mutation Testing for Task-Oriented Chatbots

Columbus Data & Analytics Wednesdays - June 2024

Nordic Marketo Engage User Group_June 13_ 2024.pptx

Dandelion Hashtable: beyond billion requests per second on a commodity server

GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph

Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors

Introduction of Cybersecurity with OSS at Code Europe 2024

Principle of conventional tomography-Bibash Shahi ppt..pptx

9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...

Monitoring and Managing Anomaly Detection on OpenShift.pdf

What is an RPA CoE? Session 1 – CoE Vision

AppSec PNW: Android and iOS Application Security with MobSF

The real incident of stealing android app data

1. The Real Incident of Stealing a Droid App & Data Akash Mahajan and Ankur Bhargava @ DroidCon Bangalore 2012

2. What we stole The Android Application Package File All the encrypted files found in the external storage © Akash Mahajan DroidCon Bangalore 2012 2

3. Not only we successfully the app + data we it on another device which was rooted © Akash Mahajan DroidCon Bangalore 2012 3

4. Them devs made it more secure? A device ID check was added We reversed the applications added our device ID and compiled it again. Able to execute again, yay! © Akash Mahajan DroidCon Bangalore 2012 4

5. THE DROID JOB A standard Chinese made Tablet running Android 4.0 (Indian Brand) The application contained encrypted data along with other resources. © Akash Mahajan DroidCon Bangalore 2012 5

7. All your data are belong to us All the encrypted data was with us We didn’t have the encryption key But we had the device with the key in internal storage © Akash Mahajan DroidCon Bangalore 2012 7

8. GONE IN 300 SECONDS Android Backup API using Android Debug Bridge because we had the package name. ADB pull command, YAY! > adb pull <remote> <local> © Akash Mahajan DroidCon Bangalore 2012 8

10. The Simple Hack We knew find an exploit to root the device might take some time and skill Application written for the same version of Android will run in all devices © Akash Mahajan DroidCon Bangalore 2012 10

11. If the device having the application can’t be rooted, let us take the application to the rooted device. © Akash Mahajan DroidCon Bangalore 2012 11

12. The Simple Hack Once copied to the rooted device we could see what the application was doing using DDMS. Dalvik Debug Monitor Server provides among other things process information about apps running on a device connected in USB debug mode. © Akash Mahajan DroidCon Bangalore 2012 12

13. The key to everything In this particular case, the encryption key was required to decrypt the data. We didn’t have file permissions to reach the key. We decided not to go after the key. We weren’t being paid enough for that. © Akash Mahajan DroidCon Bangalore 2012 13

14. The Encryption Conundrum If you give away your device, the only way you can ensure safety of the data is by ensuring that the symmetric encryption key isn’t stolen. At any given point depending on the application the key might be available in memory, temp file/storage or on the chip itself. © Akash Mahajan DroidCon Bangalore 2012 14

15. The Encryption Conundrum But because the device is with the thieves, they have all the time in the world to find it. If nothing works, they can always break open the device and steal the key from the storage. © Akash Mahajan DroidCon Bangalore 2012 15

16. FREE CONSULTING /Checklist Disable USB debugging port Disable USB itself Don’t give internet access in the device. Obfuscate the source code. Provide a unique key for each device. © Akash Mahajan DroidCon Bangalore 2012 16

17. SUCCESS KIDZ Client felt assured about their device security Dev had a more secure solution We get to pretend that we are Android security experts. We are not, just love the challenge. © Akash Mahajan DroidCon Bangalore 2012 17

The real incident of stealing android app data

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to The real incident of stealing android app data

Similar to The real incident of stealing android app data (20)

Recently uploaded

Recently uploaded (20)

The real incident of stealing android app data