Archive for the 'security' Category

WebView Unbundling

Tuesday, October 28th, 2014

There’s an interesting post on Ars Technica, "Unwrapping Lollipop", that talks to "high ranking members of the Android team" about changes to the OS. It includes a very useful breakdown of what’s now in the Android OS, what’s in Play services and what’s distributed via the Play Store.
 
Of particular interest is that WebView has been […]

Android Binder Subversion

Monday, October 20th, 2014

Some of the vulnerabilities in Android allow code to be run as root. Alternatively, if users root their device, malware can already run as root. However, what can such code then do?
Nitay Artenstein and Idan Revivo of Checkpoint Research have a new presentation and white paper on how intercepting IPC, via the Android Binder, can […]

Android Device Churn

Tuesday, October 7th, 2014

Bidouille has some great charts showing how Android version distribution has changed over time. They are based on values taken, over time, from Google’s own Android dashboard. However, remember there’s a possibility that these charts might not represent the actual distribution of devices, as not all devices (or users) access the Play Store.
 
What with few manufacturers […]

CERT Vulnerable Android App Naming and Shaming

Friday, October 3rd, 2014

I have previously written (here, here, here, and here) about Android apps that fail to validate SSL certificates. CERT has started to name and shame libraries and apps that their Tapioca tool has detected to be vulnerable to Man In The Middle (MITM) SSL attacks. There’s a blog post on how they have automated the […]

Another Android WebView Vulnerability

Thursday, October 2nd, 2014

Another day, another Android WebView vulnerability. This time it’s related to users that have enabled accessibility on their phones. This exposes two JavaScript objects allowing remote code execution.
You might think this problem has low risk as not many people would enable accessibility features that are intended to assist users with disabilities. However, even I have […]

Same Origin Bypass and Android Apps

Tuesday, September 30th, 2014

There has recently been a high profile ‘Same Origin Bypass’ security issue regarding the Android browser, prior to Android 4.4 KitKat, that allows a client session on one site to affect a client session on another. TrendLabs have just posted some information that shows that this vulnerability has wider reach than first thought. Like me, […]

Mitigating Tap Jacking

Tuesday, August 26th, 2014

You might have heard very recent press saying it’s possible to hack into apps such as GMail. The source of this is a presentation from the 23rd USENIX Security Symposium on Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks.
While the use of shared memory to discover app use […]

Listening in on Android Apps

Thursday, August 21st, 2014

FireEye has a new post on man in the middle (MITM) vulnerabilities on Android. While it covers Android, the coding flaws are just as applicable to iOS. FireEye found that 68% of the 1000 most downloaded apps had one of three SSL vulnerabilities. For the avoidance of doubt, these are vulnerabilities introduced through app coding, […]