DeepSec 2013: Mobile Fail: Cracking open 'secure' Android containers

Speaker: Chris John Riley

“We’ve known for some time that physical access to a device means game over. In response, we’ve begun to rely more and more on “secure” container applications to keep our private and company data secret.

Whether you use LastPass to secure your passwords, or GOOD for Enterprise to make sure your company emails are safe and sound, this presentation will demonstrate that more often than not, the container isn’t as secure as you think.

In this presentation I will discuss specific design flaws in the security of “secure” Applications that promise to keep your data / password and even company email safe and sound should the device fall into the wrong hands.

Main category

Communication

Subcategory

Mobile device

Be surprised

I know what I'm looking for

Related videos

DEF CON 17: Hijacking web 2.0 sites with SSLstrip

DEF CON 17: Hijacking web 2.0 sites with SSLstrip

Many websites mix secure and insecure content on the same page this makes it possible to steal all the data entered on such a page easily, using Moxie Marlinspike’s new SSLstrip tool. I will give a brief explanation and demonstration of the technique.

BruCON 2010: Embedded system hacking and my plot to take over the world 1/4

BruCON 2010: Embedded system hacking and my plot to take over the world 1/4

This presentation analyzes common vulnerabilities in popular embedded systems that carry sensitive data every day.

25C3: Hacking the iPhone

25C3: Hacking the iPhone

This talk will summarize what we have learned about the internal architecture of the iPhone platform, its security, and the ways we have found to defeat these security measures.

Secure code reviews magic or art? A simplified approach to secure code reviews

Secure code reviews magic or art? A simplified approach to secure code reviews

This presentation will delve into the science and process behind secure code review and will continue to discuss a simplified approach to secure code review

Attacking SMS. It’s no longer your BFF

Attacking SMS. It’s no longer your BFF

This talk will conclude with a proof-of-concept web application demo that demonstrates the techniques and issues mentioned as well as thoughts for solving the next generation of spam.

Pyrit demonstration (GPU cracking)

Pyrit demonstration (GPU cracking)

Short demo using the passthrough option of Pyrit which eliminates the need for giant tables taking up all your hard drive space.

Black Hat USA 2010: Jackpotting automated teller machines redux 1/5

Black Hat USA 2010: Jackpotting automated teller machines redux 1/5

I will demonstrate both local and remote attacks on ATMs, and I will reveal a multi-platform ATM rootkit. Finally, I will discuss protection mechanisms that ATM manufacturers can implement to safeguard against these attacks.

DEF CON 17: MetaPhish

DEF CON 17: MetaPhish

This talk will focus on building a phishing framework on top of Metasploit that pentesters can use to automate phishing and increase their overall capabilities.

Printers gone wild!

Printers gone wild!

Ben Smith presents new malicious abuses of printers as well as some fun new uses for old attacks.

Embed trojan into a JPG Format

Embed trojan into a JPG Format

How NOT to Store Passwords!

How NOT to Store Passwords!

Tom Scott explains the insecure ways in which some websites deal with passwords.

DEF CON 13: Google hacking for penetration testers

DEF CON 13: Google hacking for penetration testers

Johnny Long reveals basic and advanced search techniques, basic and advanced hacking techniques, multi-engine attack query morphing, and zero-packet target foot printing and recon techniques.

29C3: We are all lawmakers!

29C3: We are all lawmakers!

In the Free City of Hamburg a coalition of hackers, activists and other players of civil society have drafted the most revolutionary Freedom of information law in the world.

OHM2013: SIM card exploitation

OHM2013: SIM card exploitation

This talk ends the myth of unbreakable SIM cards and illustrates that the SIM cards are plagued by implementation and configuration bugs.

DEF CON 17: Abusing Firefox Addons

DEF CON 17: Abusing Firefox Addons

This talk details how we have abused some of the most popular and recommended Firefox addons, with previously unreleased vulnerabilities. Demos will cover remote code execution, local file disclosure and other tailored Firefox Addon exploits.

DeepSec 2007: Browser hijacking

DeepSec 2007: Browser hijacking

This talk introduces Trabbler, the first highly versatile “cross site scripting Trojan”. In the talk, we will discuss Trabbler ́s architecture and code and give practical examples of its application.

DeepSec 2010: Android reverse engineering and forensics

DeepSec 2010: Android reverse engineering and forensics

The details of reversing software running on Android is a scarce. This talk will explore the filesystem, memory, and reverse engineering techniques in-depth.

OWASP AppSecUSA 2011:How NOT to implement cryptography for the OWASP Top 10 (Reloaded)

OWASP AppSecUSA 2011:How NOT to implement cryptography for the OWASP Top 10 (Reloaded)

The talk uses fresh examples of application cryptography successes and failures, and also incorporates the new OWASP ESAPI.

29C3 GSM: Cell phone network review

29C3 GSM: Cell phone network review

We will describe the process of setting up the test network we operate at 29C3, what legal and technical challenges we have faced, and we will describe the actual installation at the CCH.

Asymmetric Digital Warfare

Asymmetric Digital Warfare

This talk will is intended to understand where and how the digital conflicts are conducted today but we will dig deeply into the future.

DeepSec 2013: Cracking and analysing Apple iCloud protocols

DeepSec 2013: Cracking and analysing Apple iCloud protocols

Vladimir Katalov Vladimir Katalov presents the results of analysing the Apple iCloud protocol and its impact on iCloud services.

DEF CON 19: Defeating wired 802.1x with a transparent bridge using Linux

DEF CON 19: Defeating wired 802.1x with a transparent bridge using Linux

Using Linux and a device with 2 network cards, I will demonstrate how to configure an undetectable transparent bridge to inject a rogue device onto a wired network that is secured via 802.1x using an existing authorized connection.

22C3: Attacking the IPv6 protocol suite

22C3: Attacking the IPv6 protocol suite

After a short introduction on the differences of IPv4 to IPv6, the weaknesses in IPv6 will be shown. Highlight of the talk is the presentation of the THC-IPV6 Attack Toolkit.

DeepSec 2010: Debugging GSM

DeepSec 2010: Debugging GSM

The talk discusses a GSM debugging tool that consists entirely of open source software and open radio hardware. We will demonstrate how to record and decode GSM calls, even encrypted ones.

OWASP AppSecUSA 2011: Ghosts of XSS past, present and future

OWASP AppSecUSA 2011: Ghosts of XSS past, present and future

This talk will discuss the past methods used for XSS defence that were only partially effective. Learning from these lessons, will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer.

24C3: Cybercrime 2.0

24C3: Cybercrime 2.0

The first part of the talk provides a brief history of Storm Worm focusing on the actual propagation phase. Afterwards we describe the network communication of the bot in detail and show how we can learn more about the botnet.

DeepSec 2013: Mobile Fail: Cracking open “secure” Android containers

DeepSec 2013: Mobile Fail: Cracking open “secure” Android containers

I will discuss specific design flaws in the security of “secure” Applications that promise to keep your data / password safe and sound should the device fall into the wrong hands.

Share This