Developments on Android Security and Forensics

It has been a little while since I've had the chance to blog, and a few things have been going on, so I thought I'd sneak in an update.

While I was in the Caribbean, the annual Pwn2Own competition happened. There were several contestants lined up to exploit the Android device, but in the end none of them stepped up. The first was security expert Jon Oberheide, who I learned just before the competition had a working exploit, but unfortunately he informed Google, who patched it before the event. Now that Jon has revealed details about how he almost won Pwn2Own, everyone can see he was going to use a simple XSS in the Android Market! I discussed the same type of attack after my initial look at the Market security here and remember a lot of people dismissing it. Well, Jon actually went ahead and developed the attack, and it was a shame he didn't get to show off the fantastic work he had done at Pwn2Own. Google were fast to rectify as usual, and their site was combed over for a new XSS before the competition with no luck. They have really enhanced the security since the first time I looked. Still, the case remains that users are one XSS flaw away from having software installed and run on their device!

I haven't published much new research recently, in part because my free time has been spent developing the next version of an Android forensics tool for a mobile forensics company. Due to NDAs and such, I am not able to give details, but it is looking really good, and it is scary to see what data we can extract from Android phones!

Speaking of Android forensics, there is a new book coming out shortly by Andrew Hoog, CIO of viaForensics, about Android Security and Forensics. I've been lucky enough to get an early preview, and it looks very good and very detailed, and is the best resource on the subject I've seen to date. Some of my research is referenced a couple of times as well!