AndroBugs Framework: An Android Application Security Vulnerability Scanner

Presented at Black Hat Europe 2015, Unknown date/time (Unknown duration).

Android developers sometimes make coding mistakes with some of these mistakes leading to serious security vulnerabilities. However, it cannot be expected that every Android developer will first check the official Android Developer documents or have a mobile or web security background. Therefore, an Android analysis security system that can verify vulnerabilities before releasing Android applications on Google Play becomes crucial. AndroBugs Framework is a free Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities. In the Android system, each application's security is maintained by creating a different Linux user and group for each App to distinguish permissions. Valid security vulnerability occurs when a malicious App is able to steal the privacy information inside a legitimate App by exploiting the vulnerabilities in the legitimate App or intercepting the network packet (e.g. MITM attack) under the non-rooted phones. It is normally not considered as a valid vulnerability if hackers must have "root" permission (e.g. Xposed Framework) or have physical access to the phone (e.g. "adb backup" security issue) to exploit the vulnerabilities.This presentation will demonstrate how AndroBugs Framework can help find valid vulnerabilities and help Android developers reduce the risk of having their applications exploited or hacked. Additionally, this system can also be used to efficiently and instantly find all the possible and potential security vulnerabilities in millions of Android apps. Using AndroBugs Framework, security vulnerabilities have been found in Android applications or SDKs developed by companies such as Facebook, Twitter, Microsoft, Yahoo!, Google Android, Huawei, Evernote, Alibaba, AT&T, and Sina Weibo, which have later been acknowledged by those companies in their Hall of Fame. Vulnerabilities in Android products by some of the famous companies will also be disclosed in this presentation and used as real cases to introduce the vulnerability vectors implemented in AndroBugs Framework.

Presenters:

  • Yu-Cheng Lin - MediaTek
    Yu-Cheng Lin (a.k.a AndroBugs) received his Master of Science degree from National Tsing Hua University in Taiwan. He is currently working as a Software Engineer at a smartphone security team in MediaTek. He is enthusiastic about Android Security and anything related to mobile security. He has discovered and reported many valid Android application security vulnerabilities to some high-profile companies, such as Google Android, Twitter, Facebook, AT&T, Qualcomm, Alibaba, etc. and was acknowledged by these companies in their Hall of Fame.

Links:

Similar Presentations: