...stuff I do and things I like...

Conferences

Qualcomm Mobile Security Summit 2017 San Diego, May. All talks are on mobile security - super strong lineup!

AppSec EU May 11-12, Belfast. How to steal mobile wallet? - Mobile contactless payments apps attack and defense. Fixing Mobile AppSec: The OWASP Mobile Project.

MOSEC June Shanghai. Pwning Apple Watch. (program not complete yet!)

OffensiveCon is a new security conference in Berlin Germany focused on Offense. No details yet but they chose the right location for sure.

For everybody who didn't make it to the Android Security Symposium, they recorded the talks and the videos are available: here.

Google published a blog post and a detailed report on Android Security in 2016. The report covers everything from patching and update stats to high impact vulnerabilities. People posted a lot of summaries but you should really read it yourself if you work with Android.

Google pulls March security update for Nexus 6, after it breaks SafetyNet and Android Pay. This was pretty interesting, not the fact that they broke SafetyNet but that they broke it for their own devices (Nexus). This happened to some really small manufacturer before and if you have an idea of how SN works on the backend - it is clear what happened.

execute USSD codes in iOS 10.2.xx --bug-Impact: Tapping a tel link in a PDF document could trigger a call without prompting the user #lol

— Ravishankar Borgaonk (@raviborgaonkar) March 27, 2017

Android anti-debugging tricks can be patented? This is stupid in so many ways https://t.co/IjXfg45xoN

— Bernhard Mueller (@muellerberndt) March 25, 2017

Links

Anti Debugging fun Android Art

PageSwitch an exploit toolkit for the Nintendo switch

Ransomware scammers exploited Safari bug to extort porn-viewing iOS users

Increasing Android app security for freei (slides)

Looking Back at Android Security in 2016 by DuoSecurity

OWASP Mobile - Anti Reversing Checks

Android/Ztorg teardown - It detects the Android SDK emulator, but also emulators from Genymotion, Bluestacks and BuilDroid. It also detects tainted environments. Several of its checks will be difficult to bypass

Owning OnePlus 3/3T with a Malicious Charger

The updated iOS Security Guide now covers iOS 10

iOS 10.3 fixes a large number of Kernel and WebKit bugs

Statistical Deobfuscation for Android (I suppose this is for Dex code only)

Hacking Android Apps with Frida (part 2)

Nexus 5X Owners Say Device Boot-Looping Kills Phones; Getting Runaround From LG

This American Surveillance Tool Helped Russians Spy On Androids And iPhones

Apple cracking down on developers who use SDKs like Rollout to update apps without App Store approval (Apple going after hot-patching frameworks)

Attacking Nexus 9 with Malicious Headphones

GSMA Coordinated Vulnerability Disclosure Program

gdrive-appdata: Tries to fetch the contents of the appdata hidden folder from Google Drive.

Harald Welte about TelcoSecDay 2017 @ Troopers

NDK changes for API level 26

O-MG, the Developer Preview of Android O is here!

Android API Differences Report

Frustrated by robo callers & an AT&T subscriber? Get the AT&T call protect app

Samsung commits to monthly security updates for unlocked US smartphones

Android phone market stats

20 bestselling mobile phones of all time

Android Kernel CVE PoCs

Mobile Malware Masquerades as POS Management App

Judge an Android malware scanner by rednaga.io (@timstrazz and @caleb_fenton)

The Art Of Bootloader Unlocking: Exploiting Samsung S-Boot (video from nullcon talk)

Having fun with Secure Messengers and Android Weari (slides CansecWest 2017)

Pwning the NExus of Every Pixel (slides CanSecWest 2017)

Injecting Metasploit Payloads into Android Applications

Receive FREE SMS online (number in various countries)

TrustZone An Attackers Perspective (slides)

Reverse Engineering Samsung S6 SBOOT - Part I

Letter to the FCC on SS7 Security by Ron Wyden

FCC: Legacy Systems Risk Reductions (it's about ss7)