Build an app that reveals security holes on Android Workshop Freek Kauffmann Paul Lammertsma
May 13, 2015
Build an app that reveals security holes on Android
Workshop
Freek Kauffmann Paul Lammertsma
1. Connect to the open wireless network
2. Android setting: allow non-market applications
3. Download AIDE from Google Play
Before we start
APPS!
Android
• What are the security principles of Android?– POSIX based (Linux)– User IDs and File Access– Permissions– Application signing (identifies developer)– Sandboxing (application isolation)
Android
• Implications of rooting your device? – You can modify the Operating System– You can replace all applications– Access all application data– Grant/revoke permissions– Send data to and from the phone
• Others (malicious software?) can do the same!*
Android
• Facebook SDK exploit (April, David Poll)– Logcat– Let’s hack this!
We’ll make an app that…
• Steals Facebook login from bonafide apps– Draw Something Free– Hootsuite– Facebook Marketplace (Oodle)– Soundhound– LauncherPro– Sleepy Jack– Airport City, Diamonds Blaze
and others by Game Insight
https://github.com/pflammertsma/FacebookThief.git
github
https://github.com/pflammertsma/FacebookThief.git
continues onnext slide…
Facebook Thief
Tap to enable the background service
Freek [email protected]
Paul [email protected]