Daniel Bradberry

Fri, 19th September 2014

Speaker Bio 1:
Daniel (@dbradberry, @mwrdrozer) has been coding for nigh on 20 years. Having been somewhat of a garden programmer, he has developed for a whole host of different platforms, including desktop apps, web and mobile.

Having originally learnt about information security the hard way, Daniel now heads up security tools development at MWR InfoSecurity, building tools for security assessment and assurance.

Learning Objectives:

Daniel will explain:

  • Top vulnerabilities in Android apps.
  • How to find common vulnerabilities in Android apps with drozer.
  • How to use drozer when red teaming, to gain a foothold through an Android device.

Resources and materials:

Questions and answers

Max, Concise Courses:
15:15 There are going to be a lot of people watching this now and later that are going to be encouraged by this exciting area. From an educational standpoint how would you suggest that people get involved with this type of research?

Daniel Bradberry:
There are a lot of good resources online. [For example] on Google+ [see resources above] there is an Android Security group with some very smart people doing some great research. They link to a lot of very interesting resources about things that you can look at and play with.

Also, on the MWR Labs website, if you download drozer [see resources above], it comes with a manual that takes you through pretty much the entire demo I have just given, so you can do it yourself without having to remember all of the commands.

Max, Concise Courses:
16:10 There is a free version and a fee version, right? How much does the paid version cost?

Daniel Bradberry:
The premium version is very affordable. At the moment it is £350 [approx. $560] per license per year. That [the premium version] gives you a very smart graphical interface on top of the command line that helps you to visualize everything you are seeing and how it all relates together.

Max, Concise Courses:
16:40 Will drozer help with HashMaps?

Daniel Bradberry:
drozer can understand HashMaps. It’s not typically something you see another app exporting, but if you were to come across one it would definitely allow you to interact with it. It’s not something that we have come across in an Android test.

Max, Concise Courses:
17:05 Are there any apps that you see as being particularly vulnerable? Are there any patterns there?

Daniel Bradberry:
We see a whole slew of different kinds of vulnerabilities. Android apps have been particularly bad; they are just starting to get their act together and [we are seeing] new phones coming out more secure. One of the advisories we published in the middle of last year was on the Samsung Galaxy S2, and we could access all of the user’s personal information from drozer with no permissions!

Max, Concise Courses:
18:50 Is KitKat as an operating system more secure, or is it really the apps themselves that cause malware?

Daniel Bradberry:
The Android security model itself is very good and has been particularly good for a long time. It is mostly third-party apps that we see introducing these kinds of vulnerabilities, and the device drivers added by the OEMs to support their hardware. KitKat introduces some things that might help with that risk, because we are starting to see SE Android coming on the market, which has much better protection against the ‘run of the mill’ vulnerabilities you have been able to see in the past.