duo labs

Android Vulnerabilities and SOURCE Barcelona

Zach Lanier and I will be teaching a two-day mobile security training course at SOURCE Barcelona this November. To drum up some interest, we've created a brief promo video demonstrating two Android vulnerabilities. If you're interested in mobile security, we encourage you to sign up for the course!

Enjoy!

The two Android vulnerabilities shown in this video, both of which have been reported to Google but not yet patched, are:

  • A permission escalation allowing the installation of applications with arbitrary permissions without user approval.
  • A privilege escalation targeting Android's Linux kernel that allows an unprivileged application to gain root access.

Zach and I will be covering these vulnerabilities and a wide range of other mobile security topics in our SOURCE Barcelona training course this November titled "TEAM JOCH Presents: Lessons In Mobile Penetration Testing".

More information about our mobile security training course at SOURCE Barcelona is available here: http://www.sourceconference.com/barcelona/training.asp

Transcript

A text transcript of the video follows:

Hey guys, it's Jon O. My buddy Zach and I are going to be teaching a mobile security training course later this year at SOURCE Barcelona in November. So we thought we'd drop a few demo videos of some reported, yet unpatched, Android vulnerabilities to get you excited about our training course and hopefully to convince you to sign up for it.

So the first bug is a permission escalation vulnerability that affects all Android handsets in the world. This permission escalation allows an attacker to install additional arbitrary applications with arbitrary permissions without prompting the user to approve those permissions. For this demo, we use a simple proof of concept app that allows you to type in the name of any application package and install it without prompting the user for approval. By clicking the install button, I've covertly initiated the install of the Facebook application without approving any of the permissions requested by the Facebook app. An attacker can exploit this vulnerability to gain additional privileges after gaining code execution on the device. It's important to note that this attack can also be performed by compromising an existing application. This vulnerability is very similar in nature to my Angry Birds proof-of-concept app I released last year, but uses a different exploitation vector.

The second bug is a Linux kernel privilege escalation that affects a significant subset of Android devices. As you can see, this Nexus S is running a fully-patched stock firmware and the latest Android kernel. If we jump over to our terminal application, we see that we're currently an unprivileged user with the uid of the terminal app. If we run our teamjoch exploit, our privileges are instantly escalated and we're presented with a root shell. An unprivileged application can exploit this vulnerability to escalate privileges and gain full control over the device.

So if you're interested in mobile security and want to learn more about these Android bugs and a whole lot of other topics, make sure to sign up for our mobile security training course at SOURCE Barcelona. It will be two full days of Zach and I teaching about mobile security and we hope to see you there.