
Android Hacker’s Handbook Crowd Sourced Q & A Session

June 20, 2014

Recently I participated in a live crowd-sourced question and answer session on a popular user-submitted content website. My fellow authors of “Android Hacker’s Handbook” and I fielded questions from users about everything from our writing process to the most interesting mobile bug we’ve come across in our research. Because threats are constantly changing, I’ve found that participating in events like this helps keep all of us up to date with current trends and concerns within the mobile security world.

The session kicked off with us discussing what brought this group of authors together. It all started when Wiley, a publishing company, reached out to me through Charlie Miller. Later that year, at Black Hat 2012, I approached Georg Wicherski about collaborating on a book about Android security. Georg became the first of six total authors, including Zach Lanier, Collin Mulliner, Pau Oliva Fora and Stephen A. Ridley. Despite being in different time zones and all having many diverse ideas, we worked tirelessly to put this book together. Each author had their own independent chapters, which we then cross-reviewed to make sure the content flowed into a seamless book.

Next, the conversation moved to Android security. A question came up about the overall security of the main smartphone operating systems. I said that although the iPhone operating system, iOS, once had a commanding lead over its competitors, Android has caught up significantly in the past year. A participant suggested that BlackBerry is a dying operating system. Zach made the point that BlackBerry is still heavily used in government services, and that adoption is actually growing in other areas. Because of this, there is still a good chance that hackers will pay attention to and attempt to attack this operating system.

One user asked how we keep up with constantly changing information about Android security. While there are many different outlets for gathering updates, everyone agreed that the #droidsec IRC channel on Freenode is a good place for discussions. Beyond that, we stated that we follow the Android Security Discussions group on Google+, many different blogs and feeds, and various individuals and companies on Twitter.

Conducting research for our book allowed us all to become intimately familiar with Android and learn about the myriad ways hackers may attempt to compromise mobile devices. Even before this book, we all had experience researching mobile security. One user asked a great question about the most interesting mobile bug we’ve found so far. Collin discussed a format string bug in the SMS parser of the HTC TouchFlo on Windows Mobile. A message that triggered the bug kicked TouchFlo into an endless loop until the user deleted the infected SMS message. Zach mentioned a recurring bug that leaks information through logs or poorly protected content providers. This bug has led to results such as the ability to remotely unlock and wipe a device that has the affected application installed. I shared an issue I came across with the T-Mobile HTC One that wouldn’t let the user disable USB debugging. Whenever the user connected a cable, it would re-enable USB debugging. This basically offered up free shell accounts for anyone with physical access to the mobile device.

Overall, this session was a great way to interact directly with members of the rapidly changing security community. We enjoyed conversing with all of the participants and hope to have more of these interactions in the future!

The complete question and answer session can be found on Reddit: http://www.reddit.com/r/netsec/comments/27zdxc/android_hackers_handbook_ama/
