Inside Android's SafetyNet Attestation - BlackHatEU17 slides

During BlackHat EU 2017, Collin Mulliner and I presented on Android SafetyNet Attestation. The presentation covered what SafetyNet is, why Android developers would use attestation, some of the checks it does and certain weaknesses it currently has. I have blogged on this topic several times. So, here are the slides. Let me know if you have any questions; I would be happy to answer. »

Mobile OS version adoption

While trying to understand adoption patterns of new mobile OS versions, I decided to plot data from the Android Dashboard and Apple’s pie-chart, with help from the Wayback Machine. I’ll try to keep the charts updated going forward. Feel free to hover; they are interactive. The charts confirm our common knowledge: new Android versions take a long time to reach a reasonably good share of the user base compared to new iOS versions, where 70% adoption is reached within a month. »

Library injection for debuggable Android apps

TLDR: released a script which can be used to inject native libraries like Frida into debuggable Android apps on non-rooted devices. As discussed in a previous blog post, security testers can use Frida to review the internals of Android apps on non-rooted Android devices, as long as they inject the library into the app via application repackaging. Some time ago, Tim asked the following on Twitter: So Frida does require root? »

Using Frida on Android without root

Frida is a great toolkit by @oleavr, used to build tools for dynamic instrumentation of apps in userspace. It is often used, like Substrate, Xposed and similar frameworks, during security reviews of mobile applications. Typically, rooted Android devices are used during such reviews. There are several reasons for this, but the most important is that the frida-server binary, which executes on the device, requires root privileges to attach to (ptrace) the target application in order to inject the Frida gadget library into the memory space of the process. »

Pinning - not as simple as it sounds

Two weeks ago I presented (once more) on the topic of pinning, this time focusing on bugs seen in real-world Android applications implementing pinning. The presentation also covered CVE-2016-2402 in some detail, Android’s Network Security Configuration and a few other relevant topics. The conference was Android Security Symposium - a great security event, hosted in an awesome venue within Vienna University of Technology. So, here are the slides and here is the video. »