Earlier this year, we submitted a bug to Google for the Google Authenticator app on Android. Basically, the bug we submitted is that the secret key (the private code that when combined with an accurate source of time creates the one-time-use codes for use with Google’s open-sourced two factor authentication) is stored in the clear on Android devices. Google’s response was that this was behaving by design, and that not the system controls around the filesystem are sufficient to protect this information. We humbly disagree. Rooted devices get around these system controls that protect these secret keys. So would any malware that performed a privilege escalation exploit. And most importantly, backups of the phone (using a tool such as Titanium Backup) contains these secret[…]
There are quite a few tools readily known to the Android reversing community. The primary one is most likely smali/baksmali. It’s an open source tool which will decompile/compile an android dex format which is used by dalvik the native Android VM, into a format known as smali, which is very similar to an assembly language. A lot of people even like dex2jar, which further enhances the experience and takes a broken down apk, and pulls out the compiled dex classes. With dex2jar you can further that and attempt to get some readable jar files. If you wanted to make it even simpler you continue with that jar and use something like JD-GUI to read those jars back into native java code and be off running. For the lazy, there’s also the apktool which does most of the above for you in a simple one-stop-shop.
These are all great tools, but what else is out there? That’s what I’ll be covering in the next few articles. Today I’d like to point your attention to JEB (http://java-decompiler.com). I discovered this back in February when it made its first public release. At the time, I was knee deep in doing Android Application Security Assessments as part of our IPA process. I was still primarily using the tools mentioned above, so it was nice not only to find something different (it doesn’t use the open source smali as the decompiler), and it’s a nice all-in-one solution for exploring the code, as well as analyzing it.
On Saturday I was saved by a second factor of authentication. I was playing the new SimCity game on my home computer in the basement, when my gaming session (surprisingly, it was playable that day) was abruptly terminated because my account had been logged on in a different location. Seeing as how I only had one computer with the Origin software installed, I was surprised by this, so I restarted the game. It told me that I was logged on somewhere else, and if I logged on it would log me off the other location. “Sure, sure, whatever.” A minute or two later, the same thing happens. Then I realize what’s going on. I’ll admit, my Origin.com password was horrible. It was four characters[…]
Last week at the RSA Conference I had the opportunity to attend the “Mobile Security Battle Royale“, featuring a great panel of experts on mobile phone security. Moderated by Zach Lanier, the panel featured Tiago Assumpção and Collin Mulliner paired off against Charlie Miller and Dino Dai Zovi (co-authors of iOS Hacker’s Handbook). As many great panels typically do, this panel featured no slides and no set talking points. Instead, Zach asked the panel some great questions to just get the ball rolling, and the panel started firing off great quotes left and right. I got busy live-tweeting the session and got (and re-tweeted) a few great quotes from many of the panel members which I have embedded below. One of the recurring themes was “which is[…]
I saw this article come across my news feed today, and I thought to myself “what a great idea for an article!” The title is The Petraeus Affair: Human Nature Beats IT Security Every Time. I was thinking the article was going to be how General Petraeus and Paula Broadwell out-foxed the IT security measures in place at their various organizations to engage in (what they thought was) clandestine electronic communication. I figured the CIA would block access to GMail for security reasons, and yet these individuals were so determined to communicate they would have found a way. After all, most security controls can only defend against those willing to play by the rules. Reading the article disappointed me because it[…]
An attack on the South Carolina Department of Revenue exposed 3.6 million social security numbers, and about 387,000 credit and debit card numbers of South Carolina residents. Data breaches like this are so common, they are barely newsworthy… and we certainly try not to cover every single data breach event on this blog. However, today’s followup to the story is what made it interesting. Governor Nikki Haley went on the record in a press conference trying to defend their lack of good practices. I’ve embedded the video below and hopefully it will start at the good part, 12:43 into the video: This is a really good example of sending the wrong kind of message. I understand her desire to defend[…]