Level: Technical

Abstract:

It is safe to assume that when buying an iOS device, it is a device made by Apple, running software which was either written or vetted by Apple. Their model is very clearly that of proprietary software that runs exclusively on their hardware, and therefore every person that buys a new iPhone will have the same out-of-the-box experience: what’s installed, what security features are in place, and so on.

This assumption is not true with Android. While all Android devices share the same core taken from the Android Open Source Project, each manufacturer and vendor can customise it as much as they like to present a different UI or implement different core features. Additionally, the vendor has full control over which applications come pre-installed on their devices, and which of them have system-level (think something akin to root) privileges. These changes can be minor, leaving the device very close to what you might call “stock Android”, or they can be significant.

From a security point of view, this makes reviewing entire Android devices an interesting prospect. Mobile testing of specific applications obviously only affects those users who have installed them, and these assessments are closer to a traditional web application or thick client test. Assessing the complete device, however, opens up the investigation to the inner workings of Android, how applications talk to each other, and, depending on which default applications are included out of the box, what vulnerabilities might exist before the user has installed their first app.

In this beginner-friendly talk, we will explore the findings of a recent pentest engagement targeting several production Android devices, with a focus on issues that could affect the user’s privacy. Through improper use of the Android permission model, the vendor unwittingly allowed any application to capture a photograph of the user, start a voice recording, and even modify authentication factors without proper authorisation. We will cover the basics of the permission model for Android app components, demonstrate how a malicious app could abuse overly lax permissions, and talk about how the vendor could have implemented their functionality without exposing the user to every application on the device.
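The class of issue the abstract describes comes down to how app components (activities, services, receivers, providers) are declared in a package's AndroidManifest.xml: a component that is exported with no permission requirement, or one guarded by a custom permission with a weak protectionLevel, is callable by any app on the device. The following audit script is an added example, not code from the talk or from WithSecure: it parses a manifest and flags exactly those two patterns. The sample manifest, package name, component names and permission names are all constructed for illustration.

```python
"""
Audit an AndroidManifest.xml for app components reachable by any other app.

Flags (1) components that are exported but declare no android:permission, and
(2) components guarded by a custom permission whose protectionLevel is weaker
than "signature" (a "normal" or "dangerous" custom permission can be requested
by any third-party app, so it offers no real protection).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Qualified name of an attribute in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Constructed sample manifest for a hypothetical pre-installed camera helper app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vendorcamera">
    <permission android:name="com.example.vendorcamera.USE_CAMERA_SERVICE"
        android:protectionLevel="normal" />
    <permission android:name="com.example.vendorcamera.ADMIN"
        android:protectionLevel="signature" />
    <application>
        <!-- exported with no permission: any app can bind -->
        <service android:name=".CaptureService" android:exported="true" />
        <!-- implicitly exported by its intent-filter, no permission -->
        <receiver android:name=".RecordReceiver">
            <intent-filter>
                <action android:name="com.example.vendorcamera.START_RECORDING" />
            </intent-filter>
        </receiver>
        <!-- guarded, but only by a "normal" permission any app can request -->
        <activity android:name=".PhotoActivity" android:exported="true"
            android:permission="com.example.vendorcamera.USE_CAMERA_SERVICE" />
        <!-- properly restricted to apps signed with the vendor key -->
        <service android:name=".AdminService" android:exported="true"
            android:permission="com.example.vendorcamera.ADMIN" />
        <!-- not exported at all: fine -->
        <service android:name=".InternalService" android:exported="false" />
    </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
STRONG_LEVELS = {"signature", "signatureOrSystem"}


def custom_permission_levels(root):
    """Map each <permission> declared in the manifest to its protectionLevel."""
    levels = {}
    for perm in root.iter("permission"):
        # protectionLevel defaults to "normal" when omitted.
        levels[perm.get(a("name"))] = perm.get(a("protectionLevel"), "normal")
    return levels


def is_exported(component):
    """Exported if android:exported="true", or implicitly via an intent-filter
    (the pre-targetSdk 31 default when the attribute is absent)."""
    exported = component.get(a("exported"))
    if exported is not None:
        return exported == "true"
    return component.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return a list of (component name, reason) findings."""
    root = ET.fromstring(xml_text)
    levels = custom_permission_levels(root)
    findings = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        name = comp.get(a("name"))
        perm = comp.get(a("permission"))
        if perm is None:
            findings.append((name, "exported without any permission"))
            continue
        level = levels.get(perm)
        if level is None:
            continue  # platform or third-party permission: review manually
        # protectionLevel may carry flags, e.g. "signature|privileged".
        if level.split("|")[0] not in STRONG_LEVELS:
            findings.append((name, "guarded by custom permission %s with "
                                   "protectionLevel=%s" % (perm, level)))
    return findings


if __name__ == "__main__":
    for name, reason in audit_manifest(SAMPLE_MANIFEST):
        print("%-20s %s" % (name, reason))
```

Run against the sample, the script reports `.CaptureService` and `.RecordReceiver` as exported with no permission and `.PhotoActivity` as guarded by a weak custom permission, while `.AdminService` (signature-level permission) and `.InternalService` (not exported) pass. Content providers additionally carry `android:readPermission`/`android:writePermission`, which this example does not inspect.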

Bio:
Milosz Gaczkowski is a mobile security specialist at WithSecure, having previously spent entirely too much time working in academia. His current work revolves around Mobile Device Management solutions, Android device security audits, advisory consultancy, and complaining about password managers. Outside of technical work, his primary interests are in education and the culture of education.

Video/recordings:

[Slides (PDF)] [Recording (MP4)]
