...stuff I do and things I like...

Together with my former colleagues Ravi, Patrick, Jean-Pierre from TU Berlin / SecT I have been working on an enhancement for mobile phones in order to protect SMS messages especially mTANs against trojans.

We investigated several ways to improve mTAN security and finally came to the conclusion that we just need to change the SMS routing on the mobile phone itself.

Basically we remove SMS messages that contain mTANs from the normal delivery queue and only deliver them to a special application. This way no other program (including trojans) can access the SMS message.

We implemented and tested our idea on Android. The paper SMS-based One-Time Passwords: Attacks and Defense will be presented at DIMVA 2013 in July in Berlin, Germany.

A demo video of the prototype is shown below:

Conferences

NoSuchCon finally released their agenda.They have an interesting lineup but no mobile talk.

SourceDublin Android application reverse engineering & defensesi by Patrick Schulz & Felix Matenaar.

SummerCon has posted it's schedule. I'll present some work I've done on Dynamic Dalvik Instrumentation.

REcon has stared to post talks. Reversing HLR, HSS and SPR: rooting the heart of the Network and Mobile cores from Huawei to Ericsson by Philippe Langlois. Reversing and Auditing Android's Proprietary Bits by Joshua J. Drake.

Shakacon Deviant Ollam - Android Phones Can Do That?!? Custom Tweaking for Power Security Users. Max Sobell - Android 4.0: Ice Cream "Sudo Make Me a" Sandwich. Andreas Kutz - Pentesting iOS Apps - Runtime Analysis & Manipulation.

Some interesting upcoming talks! I guess everybody else an their moms are waiting to hear back from the Black Hat USA CfP.


SyScan'13 review

SyScan was a totally awesome event. Really good talks and lots of them. My favorite talk was: Bochspwn: Exploiting Kernel Race Conditions Found via Memory Access Patterns by Mateusz Jurczyk and Gynvael Coldwind.

News

ACLU Files FTC Complaint Over Android Smartphone Security this story is a little older already but insecurity of old Android devices is a pressing issue.

Links

Changing the IMEI, Provider, Model, and Phone Number in the Android emulator

Finding Similarities and Differences at DEX Level

Securing Two-factor Authentication for Smartphones in a Usable Way by Adding a Connected Token Two-factor authentication for smartphones is easy to break and can be secured by using a smart watch which acts as a connected token. Matthias Lange (Technische Universität Berlin

Android Apps: What are they doing with your precious Internet? The majority of Android apps are not malicious, but use internet access in ways that are not compatible with the user's interests. Amy Tang (University of California Berkeley), Ashwin Rao (INRIA), Justine Sherry (University of California Berkeley), Dave Choffnes (University of Washington)