App Attack: Surviving the Mobile Application Explosion

Presented at DEF CON 18 (2010), July 31, 2010, 11 a.m. (50 minutes).

The mobile app revolution is upon us. Applications on your smartphone know more about you than anyone or anything else in the world. Apps know where you are, who you talk to, and what you're doing on the web; they have access to your financial accounts, can trigger charges to your phone bill, and much more. Have you ever wondered what smartphone apps are actually doing under the hood? We built the largest-ever mobile application security dataset to find out. Mobile apps have grown tremendously both in numbers and capabilities over the past few years with hundreds of thousands of apps and billions of downloads. Such a wealth of data and functionality on each phone and a massive proliferation of apps that can access them are driving a new wave of security implications. Over the course of several months, we gathered both application binaries and meta-data about applications on the most popular smartphone platforms and built tools to analyze the data en masse. The results were surprising. Not only do users have very little insight into what happens in their apps, neither do the developers of the applications themselves. In this talk we're going to share the results of our research, demonstrate a new class of mobile application vulnerability, show how we can quickly find out if anyone in the wild is exploiting it, and discuss the future of mobile application security and mobile malware.

Presenters:

  • Kevin Mahaffey - CTO, Lookout (formerly Flexilis)
    Kevin Mahaffey is the CTO of Lookout, which he co-founded in 2007. He started programming when he was 8 years old and it has been a love affair ever since. When not at the office, Kevin can be found hacking in various coffee shops around San Francisco. Kevin is a frequent speaker on security, mobile, and other topics, having recently spoken at Blackhat, Defcon, Yahoo Security Week, and Microsoft's Bluehat Conference. Kevin studied Electrical Engineering at the University of Southern California and enjoys photography, snowboarding, unit tests, clean code, and building things that make people happy.
  • John Hering - CEO, Lookout (formerly Flexilis)
    John Hering, co-founder of Lookout Mobile Security, specializes in mobile security research and development with a focus on intelligence and emerging threats. Past projects include the "BlueSniper" project, which resulted in a world-record-setting attack of a Bluetooth-enabled mobile device from a distance of over 1.12 miles. John has presented at leading security conferences such as Black Hat and DEFCON and his research has been featured in major publications such as The New York Times, Wired Magazine, and The Wall Street Journal. John studied Policy, Planning, and Development at the University of Southern California and has extensive experience with information security, policy, and wireless communications technologies.

Links:

Similar Presentations: