Overview
Explore the Android FakeID vulnerability in this 30-minute Black Hat conference talk. Delve into the technical root cause of a flaw in Android application handling that allows malicious apps to bypass the normal sandbox and gain special security privileges without user notification. Learn how this vulnerability, present in Android devices since January 2010, can lead to data theft, password recovery, and potential device compromise. Discover the intricacies of PKI basics, self-signed certificates, and certificate chains. Follow along as the presenter demonstrates live exploit examples, including the installation and execution of a malicious app. Gain insights into security hygiene practices and learn about a free security scanning tool to assess your device's vulnerability risk.
Syllabus
Introduction
PKI Basics
Self-Signed Certificates
Root Certificate Authority
Certificate Chain
OSP Code
Cryptographic Relationship
Self-signed cert
What can you do
What we did
What we found
How to build an exploit
Onlive example
Live example
Evil app
Evil app installation
Evil app execution
Backchannel payload
App installation
Drozer
Example
What to do
Free Bluebox Security Scanner
Security Hygiene
Outro
Taught by
Black Hat