Overview
Explore the critical security vulnerabilities in Android authentication protocols through this Black Hat conference talk. Delve into the risks associated with authenticator management in Android apps, focusing on potential leakage through backup channels. Examine how most apps store credentials in persistent storage, relying on the Android OS for protection, and learn why this approach can be problematic. Discover how backup apps on Google Play may inadvertently expose sensitive data to malicious apps holding only basic permissions. Follow the speaker's systematic investigation of this overlooked attack vector, including the development of a proof-of-concept app called AuthSniffer. Understand the widespread nature of this threat, which affects 68.4% of top-ranked apps with authentication schemes. Gain insights into various authenticator types, backup mechanisms, and potential mitigation strategies for developers. This comprehensive analysis aims to raise awareness of the importance of secure authenticator management in Android app development and protocol design.
Syllabus
Introduction
Applications
Native vs Web
Agenda
Web Authentication
Summary
Types of Authenticator
Basic Authentication
Single SIA
Android Account Manager
Demo
Protocol Security
Infrastructure Security
Internal Storage
Adulation Mechanism
Backup Function
ADB Based Backup
ADB Based Backup Implementation
Backup Data
Authentication Protocol
Helium
Reverse Engineering
Helium Interface
Broadcast Password
Exception
Cover
Evaluation
Web-Based Backup
Evolution Evaluation
Case Study
Mitigation
Developers
Conclusion
Taught by
Black Hat