Protektoid will be at the Nuit du Hack XV as a speaker. The talk will cover an introduction to the implementation of the permission model in Android, case studies, and vulnerabilities in Marshmallow and Nougat.
Protektoid attended the Nuit du Hack last year as a sponsor of the Bug Bounty program (see here). This was a great opportunity and experience. At first, we decided to renew this experience in 2017. However, we also submitted a talk proposal through the Nuit du Hack CFP, based on our research. This proposal was selected (see the summary on the Nuit du Hack XV website), so in the end we will be there as a speaker. Thanks to the NDH XV organizers!!
You will find below more details about our talk, along with some pre-announcements regarding planned releases and other topics.
The talk title is "Android Permission assignment, from packages to processes". The exact title is "Android Permission assignment, from packages to processes: mismatch between Manifest, PackageManager, System information and Process concepts". It is quite a long title, but also an explicit one: we will talk about the implementation of the permission concept and its limitations. We will (try to) stick to the term "limitation", as the term "vulnerability" may be contextual. But we hope our talk will let you make your own call on this.
Our talk will be structured as follows:
- short introduction to the Android Permission concept and the relation between Manifest, Package, Process (UID) and Group (GID)
- short demo that illustrates some of the limitations
- introduction to Android Open Source Project source code
- introduction to source code limitations and associated demos
- analysis of the current status (distribution of the inconsistencies on the APKs of different stores, limitations of the existing security apps)
What you can expect from the talk
We hope to see you there, and for this reason we will do our best to make our talk interactive, fun and interesting! Each demo will be associated with a question and a "prize" contest, so come and interact with us!
Apart from that, the goal of the talk is also to let attendees form their own opinion regarding Android security. As such, we will put the subjects of this talk in context so that you can also debate with us the consequences of the presented limitations.
Some pre-announcements related to this topic
Details about the Internet Firewall
The Internet Firewall was introduced at the end of 2017, but we were waiting for more live tests and feedback before communicating about it. Expect to hear more about this feature soon!
Android bugs and Protektoid features
We have been interacting with the Android support for a few months now. As some of our feedback is still being processed, we will keep it for later. However, you can expect us to implement some features in our next releases to deal with some of the limitations we found. One of them will be the detection of shared permissions that are not displayed in the system information (or in other security apps). Quite a topic!