Exploiting the Bells and Whistles: Uncovering OEM Vulnerabilities in Android
From BruCON 2017
In today’s day and age, there are literally hundreds of presentations, blogs, and trainings on how to hack an Android application. Unfortunately, most talks tend to fall short of addressing the big picture - the device as a whole. This hands-on workshop goes beyond teaching participants how to perform an application assessment. In this four-hour workshop, participants will learn the foundations of Android and its security model, basic application development, and ultimately progress into more advanced device security testing. The workshop’s goal is to help participants answer the question “What did the OEMs change, add, or remove?” and enable them to identify weaknesses on Android devices comfortably and efficiently.
The first half of the workshop will consist of learning about Android and it’s security basics, followed by a hands-on “mystery application” assessment to get everyone up to speed with the current Android testing tools and security landscape . Participants will pair-up and be provided with a testing device to use for the duration of the workshop. The first lab gives participants the foundation they need in order to be successful in the second half of the course.
The second half of the workshop will introduce participants to a new and modular testing framework to help them search for weaknesses across their Android device. Using the framework, students will hit the ground running and immediately use the techniques and tools learned in the first half of the workshop to begin discovering weaknesses on the device. Students will also use the framework to better understand even the smallest changes made by the OEM and other third parties. The workshop closes with a discussion of the weaknesses discovered and the techniques used to find them.
Attendees of the workshop are strongly encouraged to bring a laptop with VMWare installed in order to participate in the labs. The speakers will provide a fully functional testing virtual machine with the supplemental lab data. Although a basic understanding of Android is encouraged, it is not required to succeed in the workshop.