I'm a Mobile Security Researcher. Recently, i spoke at Clubhack, which is India's International Security conference. The topic i chose was "Hacking your Droid". If anyone is interested in the slides, here they are.
Also, if anyone is interested in developing something or contributing in some way, we could get in touch and share ideas and knowledge.
What i coded for the POC purpose, was a malware, which faked a legitimate tic tac toe app, which once installed in the user's phone did the following things :
1. Turn the Wifi/3g ON. 2. Send the IMEI and IMSI number. 3. Send the contacts. 4 .Send the call logs. 5. Send the text messages in inbox. 6. Get some specified files(this one works, only if root access is available)
All the 1-5 things could be done without even a root acess. What i wanted to show, is how vulnerable the Android users are.
The safeguards to this are only awareness and downloading apps only from trusted places.
If you want to be more careful enough, you could try reversing your app before use. :)
I am new on Android and is trying to find ways to learn more on its
security. I just came across this forum and your post is the first one
that attracted me. I hope you can give me some directions of where to
go to understand Androids security issue better. The questions in my
mind are:
1. Since Android uses sandbox that requires permission, it then put
the burden on the user to ensure permissions are correctly granted to
ensure security. However, many Android users may not be technology
savvy and usually would grant whatever permission the application
requested. This could be out of eagerness to try out a new application
or just no clue at all on what permission will or will not do harm. I
feel that there need to be a better way to protect the user and it
should be inherently safe regardless of the sophistication of the
user. Is there already some protection system or program available
that can do that? I know some company sells antivirus for Android etc
but to me those are just selling hope because there is no
understanding provided to regular user on how it actually managed to
provide the protection. There is always the fear that the antivirus
itself is the that can easily do harm if it somehow has ill intention,
or there is some malicious code siting even higher than the antivirus
and watching its every move.
2. I read of a German company creating a secured Android by creating
two partitions so that applications dont cross over. The company is
called Bizztrust and is reported in
http://thehackernews.com/2011/11/bizztrust-most-secure-android-phone.... . This to me sounds like sand box anyway. It also sounds like virtual
machine like VM Ware kind of arrangement. Is this the better way to
secure Android? If yes then can such arrangement implemented by user
or developer that is not associated to the phone manufacturer? Meaning
this can only be implemented at the manufacturer level?
3. I feel that to make the phone more secure it is better to learn how
others could compromise it. Your "Hacking your Droid" examples are
great ways to understand them. Is there any more such information out
there where I could pick up? I am new on this so I need to start from
simpler level, most sites I found requires quite some background
knowledge to understand. Hope you can guide me a bit.
PK
On Dec 18 2011, 10:45 pm, Aditya <adityagupta1...@gmail.com> wrote:
> I'm a Mobile Security Researcher. Recently, i spoke at Clubhack, which
> is India's International
> Security conference.
> The topic i chose was "Hacking your Droid".
> If anyone is interested in the slides, here they are.
> Also, if anyone is interested in developing something
> or contributing in some way, we could get in touch and share ideas and
> knowledge.
> What i coded for the POC purpose, was a malware, which faked a
> legitimate tic tac toe
> app, which once installed in the user's phone did the following
> things :
> 1. Turn the Wifi/3g ON.
> 2. Send the IMEI and IMSI number.
> 3. Send the contacts.
> 4 .Send the call logs.
> 5. Send the text messages in inbox.
> 6. Get some specified files(this one works, only if root access is
> available)
> All the 1-5 things could be done without even a root acess.
> What i wanted to show, is how vulnerable the Android users are.
> The safeguards to this are only awareness and downloading apps only
> from trusted places.
> If you want to be more careful enough, you could try reversing your
> app before use. :)
do i assume rightly that you didnīt declared the permissions to access
the api calls?
otherwise, i donīt get your point.
the user, which is thinking to download a tic tac toe game, will be
asked to grant the permissions (read contacts, access wifi state ...)
and has the option to deny the access to his data.
On Dec 18 2011, 3:45 pm, Aditya <adityagupta1...@gmail.com> wrote:
> I'm a Mobile Security Researcher. Recently, i spoke at Clubhack, which
> is India's International
> Security conference.
> The topic i chose was "Hacking your Droid".
> If anyone is interested in the slides, here they are.
> Also, if anyone is interested in developing something
> or contributing in some way, we could get in touch and share ideas and
> knowledge.
> What i coded for the POC purpose, was a malware, which faked a
> legitimate tic tac toe
> app, which once installed in the user's phone did the following
> things :
> 1. Turn the Wifi/3g ON.
> 2. Send the IMEI and IMSI number.
> 3. Send the contacts.
> 4 .Send the call logs.
> 5. Send the text messages in inbox.
> 6. Get some specified files(this one works, only if root access is
> available)
> All the 1-5 things could be done without even a root acess.
> What i wanted to show, is how vulnerable the Android users are.
> The safeguards to this are only awareness and downloading apps only
> from trusted places.
> If you want to be more careful enough, you could try reversing your
> app before use. :)
you have missed out "ded" as a reverse engineering tool.
and you dont mention important research in the field to circumvent and
reduce the damage caused by malware and root exploits.
-Earlence
On Jan 9, 1:47 am, andreasg <andr...@gawelczyk.net> wrote:
> do i assume rightly that you didnīt declared the permissions to access
> the api calls?
> otherwise, i donīt get your point.
> the user, which is thinking to download a tic tac toe game, will be
> asked to grant the permissions (read contacts, access wifi state ...)
> and has the option to deny the access to his data.
> On Dec 18 2011, 3:45 pm, Aditya <adityagupta1...@gmail.com> wrote:
> > Hello all,
> > I'm a Mobile Security Researcher. Recently, i spoke at Clubhack, which
> > is India's International
> > Security conference.
> > The topic i chose was "Hacking your Droid".
> > If anyone is interested in the slides, here they are.
> > Also, if anyone is interested in developing something
> > or contributing in some way, we could get in touch and share ideas and
> > knowledge.
> > What i coded for the POC purpose, was a malware, which faked a
> > legitimate tic tac toe
> > app, which once installed in the user's phone did the following
> > things :
> > 1. Turn the Wifi/3g ON.
> > 2. Send the IMEI and IMSI number.
> > 3. Send the contacts.
> > 4 .Send the call logs.
> > 5. Send the text messages in inbox.
> > 6. Get some specified files(this one works, only if root access is
> > available)
> > All the 1-5 things could be done without even a root acess.
> > What i wanted to show, is how vulnerable the Android users are.
> > The safeguards to this are only awareness and downloading apps only
> > from trusted places.
> > If you want to be more careful enough, you could try reversing your
> > app before use. :)
