Bypassing Android security via backups (PSK recovery)

In my recent Android trainings and the Android security talk I gave at AppForum 2014 I was asked to provide a sort of a demo that can be easily replicated to explain the importance of maintaining a proper security posture. So I created a script that ‘recovers’ PSKs from the device and displays them.

Before moving on, a brief disclaimer: Android (or iOS, or Windows) are pretty secure, it is up to the user how much of this security is traded for convenience (or ignorance).

(more…)

Advertisements

Android multiuser model architecture and related security threats

Android-HolesI have recently bumped into a very interesting research article called “A Systematic Security Evaluation of Android’s
Multi-User Framework” and want to leave here a digest and some of my analysis in the aspect of Enterprise use. I recommend reading the paper for more details, it’s only 10 pages. The more I learn of Android, the more it reminds me of a cheese grater (other OSes are no better). This doesn’t include any of Android L enhancements, as those are not officially released yet.

(more…)