20140610 net tuesday - Mobile Device Security
TRANSCRIPT
- 1. (Allen Own)
- 2. Who Am I (Allen Own) DEVCORE HITCON CHROOT NISRA 100
- 3. EC-Council Certified Ethical Hacker, Computer Hacking Forensic Investigator
- 4. 4
- 5.
- 6.
- 7. http://www.flickr.com/photos/seychelles88/361496560/
- 8. Feature Phone
- 9. Personal Digital Assistant (PDA)
- 10. Smartphone PDA
- 11. 3G
- 12. CPU 2GHz, GPU PowerVR / Adreno, 1GB ~ 3GB, 3G, HSDPA, WiMax, LTE, Bluetooth, Wi-Fi, IR, NFC, GPS
- 13. CPU 2GHz, GPU PowerVR / Adreno, 1GB ~ 3GB, 3G, HSDPA, WiMax, LTE, Bluetooth, Wi-Fi, IR, NFC, GPS
- 14.
- 15. Apple iOS Google Android Windows Phone
- 16. iPhone 2007 Apple
- 17. Apple App Store
- 18. Apple App Store App Store 90 50,000,000,000
- 19. Android
- 20. Android Google 2007 2008 G1 2011 Google
- 21. 27
- 22. Google Play
- 23. Google Play Google Market Google Play 2010 100 (2013 7 ) 50,000,000,000
- 24.
- 25. Windows Phone
- 26. Windows Phone 8 WP8 Windows Mobile Xbox Live
- 27. Windows Phone Store
- 28. Windows Phone Store XAML, C#, VB.NET 20
- 29. Android RIM http://www.comscore.com/Press_Events/Press_Releases/2011/4/comScore_Reports_February_2011_U.S._Mobile_Subscriber_Market_Share/(language)/eng-US
- 30.
- 31. Apple iPad Google Android Microsoft Windows
- 32.
- 33. Apple iPad
- 34. Android
- 35. Windows
- 36.
- 37.
- 38. Personal Information Management (PIM)
- 39. http://www.flickr.com/photos/vsy/4996102088/
- 40. http://www.flickr.com/photos/marypcb/4930362870/
- 41. http://www.flickr.com/photos/purpleslog/183842413/
- 42. http://www.flickr.com/photos/dedi/3388471972/
- 43. http://www.flickr.com/photos/helenzhang/4814946755/
- 44.
- 45. https://www.mint.com/
- 46. 2012 DIGICERT 6 http://www.ithome.com.tw/itadm/article.php?c=66928 http://www.btimes.com.my/Current_News/BTIMES/articles/digicert/Article/
- 47.
- 48.
- 49.
- 50. http://www.flickr.com/photos/monacho/3420112384
- 51. https://basecamp.com/mobile
- 52. iPhone VoIP
- 53.
- 54. App 200 http://iservice.libertytimes.com.tw/3c/news.php?no=12190&type=5 App http://news.networkmagazine.com.tw/classification/security/2013/12/26/62134/ PChome http://www.appledaily.com.tw/realtimenews/article/new/20140210/341223/
- 55. 4 http://www.informationsecurity.com.tw/article/article_detail.aspx?tv=71&aid=7649 5 http://udn.com/NEWS/BREAKINGNEWS/BREAKINGNEWS6/8528942.shtmL HP90% Apple iOS http://news.networkmagazine.com.tw/classification/security/2013/11/19/60303/
- 56. Samsung, Motorola, LG, ASUS Netflix http://www.computerworld.com/s/article/9246764/Pre_installed_malware_found_on_new_Android_phones
- 57. 2013 19.04% Android http://blog.trendmicro.com/trendlabs-security-intelligence/looking-forward-into-2014-what-2013s-mobile-threats-mean-moving-forward/
- 58. 90% Apple iOS (HP)2,000 50600 iOS9/10 http://news.networkmagazine.com.tw/classification/security/2013/11/19/60303/
- 59. 90% Apple iOS HP97% 86% (SQL Injection) HP86% (Cross-Site Scripting, XSS) http://news.networkmagazine.com.tw/classification/security/2013/11/19/60303/
- 60.
- 61. CPU 2GHz, GPU PowerVR / Adreno, 1GB ~ 3GB, 3G, HSDPA, WiMax, LTE, Bluetooth, Wi-Fi, IR, NFC, GPS
- 62. -> -> -> GPS -> -> ->
- 63.
- 64. 0-Day Botnet
- 65.
- 66.
- 67. 3G
- 68.
- 69.
- 70. Android Architecture
- 71. Android Architecture
- 72. Kernel
  - CVE-2012-0056: gain privileges by modifying process memory (/proc/pid/mem)
  - CVE-2013-2094: gain privileges via a crafted perf_event_open system call
  - CVE-2013-1773: gain privileges or cause a denial of service (system crash) via buffer overflow in the VFAT
- 73. Android Architecture
- 74. [WebKit] Use-After-Free Remote Code Execution ref: http://packetstormsecurity.com/files/cve/CVE-2010-1807
- 75. Android Architecture
- 76. Android Master Key Debacle ref: http://nakedsecurity.sophos.com/2013/07/10/anatomy-of-a-security-hole-googles-android-master-key-debacle-explained/
- 77. 802.1X Password Exploit ref: http://blog.mywarwithentropy.com/2012/02/8021x-password-exploit-on-many-htc.html
- 78. Android Architecture
- 79. ADB-Savvy Thieves
- 80. Android Architecture
- 81. Insecure Data Storage App App
  - Shared Preferences
  - File
  - Database
  - Content Provider
  - External Storage (ex. SDCard)
- 82. Skype ref: http://www.androidpolice.com/2011/04/14/exclusive-vulnerability-in-skype-for-android-is-exposing-your-name-phone-number-chat-logs-and-a-lot-more/
- 83.
      # ls -l /data/data/com.skype.merlin_mecha/files/shared.xml
      -rw-rw-rw- app_152 app_152 56136 2011-04-13 00:07 shared.xml
      # grep Default /data/data/com.skype.merlin_mecha/files/shared.xml
      jcaseap
      # ls -l /data/data/com.skype.merlin_mecha/files/jcaseap
      -rw-rw-rw- app_152 app_152 331776 2011-04-13 00:08 main.db
      -rw-rw-rw- app_152 app_152 119528 2011-04-13 00:08 main.db-journal
      -rw-rw-rw- app_152 app_152 40960 2011-04-11 14:05 keyval.db
      -rw-rw-rw- app_152 app_152 3522 2011-04-12 23:39 config.xml
      drwxrwxrwx app_152 app_152 2011-04-11 14:05 voicemail
      -rw-rw-rw- app_152 app_152 0 2011-04-11 14:05 config.lck
      -rw-rw-rw- app_152 app_152 61440 2011-04-13 00:08 bistats.db
      drwxrwxrwx app_152 app_152 2011-04-12 21:49 chatsync
      -rw-rw-rw- app_152 app_152 12824 2011-04-11 14:05 keyval.db-journal
      -rw-rw-rw- app_152 app_152 33344 2011-04-13 00:08 bistats.db-journal
- 84. Client Side Injection App App
- 85. Demo Facebook
- 86.
- 87. SDLC
- 88. Security Development Life Cycle (SDLC)
- 89. Black-Box Test White-Box Test Code Review
- 90. App SQL Injection
- 91. Android
- 92. Q & A