[XDA:DevCon2013] ExploitingAndroid slides and notes - Security Discussion

My first public presentation, discussing the pros and cons of Android security vulnerabilities, along with disclosing the LGInstallServices and Android's BackupManagerService vulnerabilities.
Slides in PDF, notes will come as soon as I clean them up.

Thanks. It is very helpful.

Very nice!

awesome!

Related

[APP] DroidReader 0.5 (11. April 2010), a PDF reader app

Hi,
this is my first Android App, so please bear with me if there are still errors. It was a major task to start Android programming with such a tough idea, but well, I did not say I started programming with this app
DroidReader is a PDF Reader Application. It uses native code in the background, to be specific, it uses the MuPDF rendering software/library. I'm aware of existing closed source PDF readers and some approaches to do it all in Java. So this should be different as for now.
DroidReader is Free and Open Source Software (licence is GPL v3).
The App and its sources are available at Google Code:
http : // code.google.com / p / droidreader
The App is now (since v0.3) also available via SlideME.
(I'm sorry, I can't post a full link as of now, as I'm still a "new user" on this forum, despite reading it since years... so please remove the spaces for now, I think I'll get that settled soon.)
Note for users: This application needs a file manager in order to open PDF files. Generally, you should be able to use a file manager of your choice and just click on the PDF. If you want to use the "Open" menu item, then a filemanager that understands the openintent.org's PICK_FILE intent is needed, e.g. the OI File Manager.
This App needs at minimum the Android 1.5 platform.
Changelog:
v0.5: rewiring of code, noticeable to end user: smaller install footprint, better cmap handling, small changes & bug fixes
v0.4: support for automatic tilesize calculation, now it should work on bigger screens, too. Also there is now a configuration dialog that allows to specify the default zoom level.
v0.3: added an "about" dialog
v0.2: lots of improvements, UI slightly modified for easier navigation, zoom&rotation fully implemented, ability to open password-protected PDFs, CJK support, lots of bugfixes
v0.1: initial version, still very rough and not all that shiny and thus not yet in the Market. Download available on the project's homepage.
Please note that any comments are very welcome! You can comment in this thread (and I will try to answer any questions ASAP) or on the mailing list (see the project's home page).
Similar approach in another project
Hi again, I just became aware of a similar project (well, as I said: I did this to learn Android programming as well, so this doesn't mean my time was wasted). I hope that we can combine our efforts soon. It is also at Google Code (and I still cannot post Links) and it is called "Android PDF Viewer", and has a short Acronym which appears as project name in URLs: APV. It also uses the MuPDF library and is also GPLv3. Just for your information.
To have an android PDF reader with the capability to make annotation and highlights is the most important thing. Apple has that software called "iannotate" and it manages it perfect. Android should have one. Is ther any expert working on this?
Best reader for Pandigital Novel
DroidReader is the best PDF reader I've found for use on the Pandigital Novel (hacked). All the others require one to drag your finger to move from page to page. That isn't as handy as the next and previous buttons. Adobe's reader is useless because it doesn't let you jump to a page.
I wish you'd enhance DroidReader to remember the last page in a PDF. I've also found some pdfs it won't open, but Android PDF Viewer will. The problem with Android PDF Viewer is that it is SLOW (unless I'm using a different one than you are referring to). It is so slow that it is unusable on the Novel.
Thank you for the feedback. I think I can manage to finally hack a bit further on this and your suggestion is certainly among the easier things still in the pipeline. I got a bit distracted recently, but I'm still motivated to further improve Droidreader. Being distracted, I am also not very up-to-date as to what's the fastest PDF reader available... I think in about two weeks, some development efforts should been done... I'll update this thread then!

Help Wanted: Developer for Android/LEAP Motion Keyboard App

Hi folks,
I'm designing a keyboard application for the LEAP motion gesture recognition device, which ships in about 5 weeks, and since it looks like "table mode" (LEAP functioning in a horizontal orientation) won't be available for launch, I'm modifying the basic ASETNIOP concept (a chorded keyboard) substantially to work better as a "floating" keyboard. The new concept also works well with tablets, so I've decided that it could really benefit from the simultaneous launch of an Android application for smartphones and tablets. I don't think that it would be particularly complicated to code (I've already put together javascript demos without too much trouble), but since I'm wrapped up in my LEAP application, I won't be able to work on making an Android version. I'm looking for someone with the skills to develop the Android app; you'd be keeping the lion's share of the Android revenue plus a portion of the LEAP sales.
If you think you might be interested, drop me a line via the asetniop website and I'll send an NDA over so we can discuss the details of the concept a bit more (it's substantially different from ASETNIOP; the new concept is intended as a visual rather than a touch-based solution) and you can see if you'd like to get on board.
Thanks!
Is this useful? Maybe you can contact author if he is interested..
ASETNIOP said:
Hi folks,
I'm designing a keyboard application for the LEAP motion gesture recognition device, which ships in about 5 weeks, and since it looks like "table mode" (LEAP functioning in a horizontal orientation) won't be available for launch, I'm modifying the basic ASETNIOP concept (a chorded keyboard) substantially to work better as a "floating" keyboard. The new concept also works well with tablets, so I've decided that it could really benefit from the simultaneous launch of an Android application for smartphones and tablets. I don't think that it would be particularly complicated to code (I've already put together javascript demos without too much trouble), but since I'm wrapped up in my LEAP application, I won't be able to work on making an Android version. I'm looking for someone with the skills to develop the Android app; you'd be keeping the lion's share of the Android revenue plus a portion of the LEAP sales.
If you think you might be interested, drop me a line via the asetniop website and I'll send an NDA over so we can discuss the details of the concept a bit more (it's substantially different from ASETNIOP; the new concept is intended as a visual rather than a touch-based solution) and you can see if you'd like to get on board.
Thanks!
Click to expand...
Click to collapse
ASETNIOP said:
Hi folks,
I'm designing a keyboard application for the LEAP motion gesture recognition device, which ships in about 5 weeks, and since it looks like "table mode" (LEAP functioning in a horizontal orientation) won't be available for launch, I'm modifying the basic ASETNIOP concept (a chorded keyboard) substantially to work better as a "floating" keyboard. The new concept also works well with tablets, so I've decided that it could really benefit from the simultaneous launch of an Android application for smartphones and tablets. I don't think that it would be particularly complicated to code (I've already put together javascript demos without too much trouble), but since I'm wrapped up in my LEAP application, I won't be able to work on making an Android version. I'm looking for someone with the skills to develop the Android app; you'd be keeping the lion's share of the Android revenue plus a portion of the LEAP sales.
If you think you might be interested, drop me a line via the asetniop website and I'll send an NDA over so we can discuss the details of the concept a bit more (it's substantially different from ASETNIOP; the new concept is intended as a visual rather than a touch-based solution) and you can see if you'd like to get on board.
Thanks!
Click to expand...
Click to collapse
Please refer all job offers to the job board.
Thanks

[APP][4.0+] Kaqaz Note Manager 1.2.0

What is Kaqaz?
Kaqaz is a modern note manager published by Sialan Lab.
It's using C++, Qt5 framework and Qml technology. It's open source and released under the GPLv3 License.
Kaqaz designed for tablets and large phones (>5 inch). But it works on other devices.
This is important for us to know your feedbacks. If it's good or not good, please tell us why?
The focus of Kaqaz is on a better user interface so that the user can feel a different experience with it. Kaqaz has tried to provide faster access bars and present a convenient interface for the users to have an enjoyable time while working on it. Kaqaz is a free and open source software written under GPLv3 license.
Note: To synchronize your notes with your other devices such as your laptop, you can download the desktop version. This application supports Windows, Linux, Mac and Android at the moment. iOS , ubuntu touch and Windows phone versions of this application will be published soon.
Kaqaz Theory
Kaqaz is not just an application. It is more like a theory; a theory on which much time has been spent in Sialan Lab to be designed and implemented.
Theory of Kaqaz states that imagine you have a lot of blank papers before you. You can write anything on them you would like without any concerns about how it is going to be kept or what will happen to them. You stick a label on them and then attach as many files as you’d like to them.
Do not worry about where or how it is going to be put and kept and clear your mind from all such concerns. Turn over the present paper and go to next one and only think about writing. Write on and on and fill in thousands of papers with a distress-free mind. A thousand is a small number for Kaqaz.
During all this time Kaqaz saves and keeps all your writings in its storage (cache).
Say goodbye to crowded lists of hundreds of writings. You can read and edit your writings whenever you want. Just ask Kaqaz what you want.
If you are looking for a specific word, say it to Kaqaz via the search tool. If you are looking for a specific label, choose the label from the sidebar and if you are looking for some writings modified on a specific date, type the date on the history tool.
Surely many more new, smart and advanced tools will be published for expressing your demands to Kaqaz. But for now we are at the beginning and only these tools are presented.
Kaqaz tries to sugar-coat writing for you through its simple theory and simplicity of user interface. It tries to make you concentrate only on writing so as to motivate you to write more.
The goal of Kaqaz is to inspire people to write diaries, short stories, daily notes, purchase lists, information, etc. as easily and best as possible and more importantly to enjoy writing.
Kaqaz attempts to support the habit of writing and motivate the users to write in today’s mechanized world.
We hope to develop and strengthen the theory of Kaqaz by relying on your support in order to satisfy you even more, leading to a development in the field of Note Manager Applications.
Features:
Notes management by means of labels and categories
Sorting notes by day
A user-interface different from other applications
Advance and Smart searching in notes
To-Do papers
Backing up notes
Encrypted synchronization via Dropbox among all your devices
Supporting left-to-right and right-to-left languages
Sharing papers with other applications
Assigning password for protecting notes
Attach map and weather to note informations automatically
Attaching photos, audio files and folders to any note
Search on papers by location
Capability of running and sync data on all operating systems (Android, Windows, Linux, Mac and soon other operating systems)
Kaqaz is a free software.
You can find kaqaz source code on Github

Android (and other) Security resources - Get your learning on

Linking to, hinting at, suggesting etc pirated material in this thread, or even this forum, will likely get you a ban from XDA. Some of these resources are not free, in fact some are expensive, but free or cheap alternatives are listed.
This is not an exhaustive list. It is missing things that should be here, even things I have written myself. Please let me know if you have something to add.
Please send me more material to post (no pirated stuff!)
Books:
Android Internals:ower User's View
Android Security Internals
Android Hacker's Handbook
Trainings:
Practical Android Exploitation by Jon 'jcase' Sawyer
RedNaga Training by Tim 'diff' Strazzere, Caleb Fenton and Jon 'jcase' Sawyer
Write Ups:
Foxconn Bootloader Backdoor (Pork Explosion) by Jon 'jcase' Sawyer
Analyzing the WeakSauce Exploit by Jonathan Levin
TrustNone TrustZone Exploit by @beaups
SamDuck Samsung emmc/Bootloader Exploit by @beaups
HTC Desire 310 root backdoor by Tim 'diff' Strazzere and Jon 'jcase' Sawyer
Tools:
Frida - Free
Smali/baksmali - Free
APKTool - Free
JEB - $$
IDA Pro - $$
Binary Ninja - $
Write Up:
bits-please.blogspot.com - @laginimaineb's blog.
Great stuff on TrustZone and more.
Wiki:
droidsec.org/wiki has a ton of resources for Android security.
Hardened Android:
https://github.com/copperhead
https://github.com/copperheados
Maybe interesting for you:
https://github.com/android-security
Pure AOSP 4.4 & 5.1 patched until 2016-10-01 android security patch level (3 or 4 commits missing on 4.4 because of some libpng changes, need to take another look on it).
Bunch of kernel CVE fixes http://forum.xda-developers.com/showpost.php?p=69382178&postcount=2
http://elinux.org/Android_Portal
It is a good website ...please check it out , thanks.
-thecoolster
Another series for Android Security
https://github.com/ashishb/android-security-awesome
Great post. Thanks for resources.
Awesome post! Thanks!
It's a shame that stuff like IDA Pro is so expensive, if it was more accesible a lot more people will use it and we would get more interesting stuff I think
What about
https://mobilesecuritywiki.com/
RusherDude said:
Awesome post! Thanks!
It's a shame that stuff like IDA Pro is so expensive, if it was more accesible a lot more people will use it and we would get more interesting stuff I think
Click to expand...
Click to collapse
IDA Pro has a demo, but you can also look at hopper and binary ninja, both priced far lower.
radare2 is also an option, ive not used it so i havent listed it
Thank you for the excellent post jcase!! I have been looking to further my understanding of android security concepts for quite some time now, but never find I have enough time to scour the web for the solid resources I need. I have been engrossed in your 'Practical Android Exploitation' pdf for the past hour now. I hope you know how much this community appreciates your contributions!
Edit: sorry for the misleading comment!~
Do you guys have any recommend info on reverse engineering, particularly ARM disassembly?
I'll be looking for resources myself but was wondering if you've come across any good info in that area.
Awesome thanks
Thanks for the info!
Matt07211 said:
Do you guys have any recommend info on reverse engineering, particularly ARM disassembly?
I'll be looking for resources myself but was wondering if you've come across any good info in that area.
Click to expand...
Click to collapse
This is a fun tool but not exactly reverse engineering.
https://retdec.com/decompilation/
The official ARM resources are good for basics
http://infocenter.arm.com/help/?topic=/com.arm.doc.dui0068b/CIHEDHIF.html
Here is some latest collection on - Awesome Android Security (Books, bug bounty, courses, tools, labs, talks, write-ups, cheat sheet, blogs). Might by helpful for someone.
github.com/saeidshirazi/awesome-android-security
^nice collection reference!

Android Notes app equivalent to iOS Notes?

Hello all!
I'm switching from Apple to de-googled Android due to privacy concerns - in doing so, I'm looking for an app equivalent to iOS' Notes app.
The iOS Notes app has features that I utilize almost on a daily basis:
Sharing/Collaboration with another user.
Pinning notes so they sit at the top of the list of notes.
Locking notes so that they cannot be accidentally deleted.
Searchable - will produce a list of all notes that have specific word(s) I search for.
*Bonus: It has a security feature. Whether setting a code on each note or on the app itself upon opening.
This is a de-googled device so I don't plan to use Google or Windows apps/services.
Any recommendations would be appreciated!
I use ColorNote to save bookmarks (can open them directly from there) and other references when not using word documents.
ColorNotes has a search feature although I haven't had a need to test it. Easy to cut&paste to and from. No ads. Can be backed up to the SD card and with a little ingenuity backed up to hdd, etc. If you do use it, save a installable copy just in case to future proof it.
I've used Apple but loathe those plain Janes.
Never used that Apple app though.
Note: Apple delayed their kiddy porn scan program for now because of the PR disaster it caused. Who the hell would trust a company that even considered putting ratoutware in their phones? Apple still might implement it next year.
Clearly they've been spending too much time in bed with the CCP

Categories

Resources