These Aren't the Permissions You're Looking For

Presented at DEF CON 18 (2010), July 31, 2010, 3 p.m. (50 minutes)

The rise of the robot revolution is among us. In the past year Android has stepped up to become a leader in the world of mobile platforms. As of early May the platform has surpassed the iPhone in market share at 28%. Third-party trackers for the Android Market have reported upwards of 50,000 apps available now. The Android security model relies heavily on its sandboxed processes and requested application permissions. It survived the recent Pwn2Own slay fest unscathed, but this does not mean it is safe by any means. We aim to explore novel techniques for attacks based around abuse of the permission system, both in performing operations sans appropriate permissions and in abusing granted permissions outside of their scope. We'll be demonstrating various ways to hijack input, steal sensitive information, and many other ways to break the rules put in place by our new robot overlords.


Presenters:

  • Tim Wyatt - Principal Software Engineer, Lookout Mobile Security
    Tim Wyatt is a software engineer whose 16-year career has focused on development of security products and products with critical security requirements. Most recently, this has led him to focus on security in the mobile space at Lookout Mobile Security. Prior to Lookout, Tim was a lead engineer for the Symantec (formerly Vontu) Network Data Loss Prevention Suite.
  • David Richardson, Sr. - Software Engineer, Lookout Mobile Security
    David Richardson, Sr. is a Senior Software Engineer at Lookout Mobile Security. He writes security software for mobile phones including Android, Windows Mobile, BlackBerry and iPhone. He was the President of the University of Southern California ACM in 2008-2009 and received an award for "Outstanding Service In Computer Science" - whatever that means. His interests are primarily in Application Development and User Experience. In his free time he enjoys not knowing how to ride a bicycle.
  • Anthony Lineberry - Security Researcher, Lookout Mobile Security
    Anthony Lineberry is a security researcher from Los Angeles who has been active in the security community for many years, specializing in reverse engineering code, researching vulnerabilities, and advanced exploitation development. He has written an open source kernel from scratch, helped with the first iPhone jailbreak, and feels uncomfortable speaking in the 3rd person. Professionally his experience includes working as a security researcher for McAfee, NeuralIQ, and currently with Lookout. He has spoken previously at SCaLE and BlackHat EU/US.
