Android WebLogin: Google's Skeleton Key

Presented at DEF CON 21 (2013), Aug. 3, 2013, 1 p.m. (20 minutes)

Millions of businesses worldwide trust Google Apps to run their organization's domain. The lifeblood of these organizations is routinely stored in Google accounts and accessed from mobile devices. This talk explores how an adversary can parlay the compromise of a single Android device into a complete Google Apps domain takeover. The attack vectors explored in this talk make use of various design decisions Google made to enhance the user experience, and they can be exercised equally through malware or physical access to the device.

Several iterations of malicious Android applications were created using these techniques. The apps were then analyzed with multiple Android anti-virus products and subsequently published in Google's Play Store. The PoC iterations and analysis results provide some insight into the state of Google's Bouncer and of Android malware analysis at the endpoint.

The final part of the talk is aimed at identifying best practices to minimize risk, as well as guidelines for recovering from a security incident.


Presenters:

  • Craig Young - VERT Security Researcher, Tripwire
    Craig Young (@CraigTweets) is a computer security researcher with Tripwire's Vulnerability and Exposures Research Team (VERT). He has identified and responsibly disclosed dozens of vulnerabilities in products from Google, Amazon, IBM, NETGEAR, and others. His research has resulted in numerous CVE assignments and recognition in the Google Application Security Hall of Fame. His BSides SF talk on Google's 2-step verification system provided the impetus for Google to deploy security fixes which make millions of Google users safer.