TEAM JOCH vs. Android - Jon Oberheide and Zach Lanier (transcript of the ShmooCon 2011 slides)
Slide # 1 TEAM JOCH vs. Android - ShmooCon 2011
TEAM JOCH vs. Android:
The Ultimate Showdown
TEAM JOCH
Jon Oberheide + Zach Lanier = TEAM JOCH
Agenda
• Android Security Overview
• Kernel Security
• Platform Security
• Application Security
Android Overview
• Base platform
– ARM core
– Linux 2.6.3x kernel
• Native Libraries
– libc, WebKit, etc
• Dalvik VM
– Register-based VM
– Runs dex bytecode
• Applications
– Developed in Java
– Runs on Dalvik VM
– Linux process 1-1
Hardware Features
● ARM11 TrustZone? Unused!
● ARM11 Jazelle JVM? Unused!
● ARMv6 eXecute-Never (XN)? Unused!
Linux Environment
• Executable stack/heap!
• Non-randomized mmap/brk!
• Mobile ASLR sucks, where's my 64-bit CPUs?!?
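A check for the two complaints above, added here as an example and not code from the talk: it parses /proc/<pid>/maps to flag stack and heap mappings that are both writable and executable, and probe_live() spawns fresh processes to see whether the stack and heap bases move between runs (no movement means brk/mmap are not being randomized). SAMPLE_MAPS_WEAK is a constructed layout in the style of a 2011 ARM device, not output captured from one; on a handset you would feed it the output of `adb shell cat /proc/<pid>/maps` instead.

```python
import os
import subprocess
import sys


def parse_maps(text):
    """Parse /proc/<pid>/maps lines into (start, end, perms, name) tuples."""
    regions = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        start, end = (int(x, 16) for x in parts[0].split("-"))
        name = parts[5].strip() if len(parts) == 6 else ""
        regions.append((start, end, parts[1], name))
    return regions


def wx_regions(regions):
    """Names of mappings that are both writable and executable (no NX / W^X)."""
    return [name for _, _, perms, name in regions if "w" in perms and "x" in perms]


def region_start(regions, name):
    """Base address of the first mapping with the given name, or None."""
    for start, _, _, region_name in regions:
        if region_name == name:
            return start
    return None


def randomized(maps_per_run, name):
    """True if the named mapping's base differs across independent processes."""
    bases = {region_start(regions, name) for regions in maps_per_run}
    bases.discard(None)
    return len(bases) > 1


def _fresh_process_maps():
    # Each child is a new exec, so its layout is an independent ASLR sample
    code = "import sys; sys.stdout.write(open('/proc/self/maps').read())"
    out = subprocess.run([sys.executable, "-c", code],
                         capture_output=True, text=True, check=True)
    return parse_maps(out.stdout)


def probe_live(samples=3):
    """Run the checks on this machine; returns None where /proc is unavailable."""
    if not os.path.exists("/proc/self/maps"):
        return None
    runs = [_fresh_process_maps() for _ in range(samples)]
    return {
        "wx_regions": wx_regions(runs[0]),
        "stack_randomized": randomized(runs, "[stack]"),
        "heap_randomized": randomized(runs, "[heap]"),
    }


# Constructed sample (not captured from a device): RWX heap and stack,
# the situation the slide complains about
SAMPLE_MAPS_WEAK = """\
00008000-00009000 r-xp 00000000 1f:03 123  /system/bin/app_process
00009000-0000a000 rw-p 00001000 1f:03 123  /system/bin/app_process
0000a000-00010000 rwxp 00000000 00:00 0    [heap]
afd00000-afd40000 r-xp 00000000 1f:03 456  /system/lib/libc.so
beb00000-beb20000 rwxp 00000000 00:00 0    [stack]
"""

# The same layout once the kernel enforces NX: heap and stack become rw-p
SAMPLE_MAPS_NX = SAMPLE_MAPS_WEAK.replace("rwxp", "rw-p")

if __name__ == "__main__":
    print("weak sample W^X violations:", wx_regions(parse_maps(SAMPLE_MAPS_WEAK)))
    print("NX sample W^X violations:", wx_regions(parse_maps(SAMPLE_MAPS_NX)))
    print("live probe:", probe_live())
```

Comparing several runs is what matters for the ASLR question: a single maps dump tells you the permissions but not whether the addresses would have been the same in the next process.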
Permission-Based Model
● Apps explicitly request pre-defined permissions
● Examples:
– Cellular: calls, SMS, MMS
– Network, bluetooth, wifi
– Hardware settings: vibrate, backlight, etc
– Location: coarse/fine
– App data: contacts, calendar
App Sandboxing
● “Sandboxed” by standard UNIX uid/gid
– generated unique per app at install
● High-level permissions restricted by Android runtime framework
App Distribution
● Application signing
– No CAs
– Self-signed by developers
● Android Market
– $25 signup, anyone can publish
– Anonymous sign-up possible
Agenda
• Android Security Overview
• Kernel Security
• Platform Security
• Application Security
The Linux Kernel
• Linux kernel = swiss cheese
– Jailbreaks, aka local privesc, are plentiful
– Mostly thanks to stealth/743C
• Shameless plug!
– If you care about kernel exploitation, come to:
Android Native Code
• Dalvik VM != sandbox
– Not limited to executing dex bytecode
– Can pop out of the VM to execute native code
– Any 3rd party app can root your phone by exploiting a kernel vulnerability via native code
• Native code packaged within APKs
– Android should do some code signing like iPhone
– But it doesn't, so why limit execution of native code to build-time packaged modules?
RootStrap
• Getting root is easy, but how to do it most effectively as an attacker?
• Enter, RootStrap
– Silent runtime fetching and execution of remote ARM payloads
– Not really a bot..more of a general purpose distributed computing platform ;-)
Native ARM Code Delivery
• Fetch index file
– Lists available exploits and module names
• Yank down ARM modules
– Dumped to Android app private storage
– eg. /data/data/org.rootstrap/files, not ./libs
• Load via JNI and execute each payload
– System.load(“.../files/root1.so”);
– result = root1();
How to Build a Mobile Botnet
• Build some fun legit-looking games / apps
– Include RootStrap functionality
– Periodically phone home to check for new payloads
• As soon as new kernel vuln discovered, push out exploit payload
– Before providers push out OTA patch
– Trivial to win that race, slow OTA updates
• Rootkit a bunch of phones!
A Wolf in Vampire's Clothing?
• RootStrap app is boring and not sneaky
– No one would intentionally download it
– Need something legit looking to get a large install base
• Hmm...what to do, what to do...
Fake Twilight Eclipse App
Andy and Jaime Don't Like It :-(
• Still, 200+ downloads in under 24 hours
• With a legit-looking app/game, you could collect quite an install base for RootStrap
Android Remote Kill
• BZZZ!
• WAT?
VM
HUH?
Android Remote Kill/Install
• Android has remote kill/wipe functionality built-in
– Google can remotely remove installed apps from any Android device
– GTalkService persistent connection
– REMOVE_ASSET remote intent invocation
• Also, remote installation functionality
Kernel Security Wrap-up
• No excuses Google, it's 2011!
– Harden your kernel / toolchain
– Signed code restrictions a la iPhone
• Supporting native code makes it worse
– Packaging/install time: ok
– Runtime native code delivery: not ok
Agenda
• Android Security Overview
• Kernel Security
• Platform Security
• Application Security
Platform Security
• There's a lot of “platform goo” in the middle between the kernel and applications
• What to attack?
– Not kernel, not apps!
– How about permissions framework?
• Permissions approval process
– Intended to warn the user about potentially unsafe actions an app can perform
Perceived App Install Process
BROWSE → INSTALL → APPROVE? → INSTALLED!
ACTUAL Market Flow
• Google is a sneaky panda!
– You don't actually download / install the app through the market application
• When you click install in market app
– Google servers push an out-of-band message down to you via persistent data connection
– Triggers INSTALL_ASSET intent to start install
– Intent handler fetches APK and installs
Dex Bytecode RE
GTalkService Connection
• Persistent data connection
– Speaks XMPP
– Same connection now used for C2DM push service
• It's SSL, but...
• If you MITM or C2DM spoof
– Remote intent / app install
• If you pop GTalkService servers
– Push down code to all Android phones in the world
Gap in Responsibility
• Market app performs permission approval
• But GTalkService triggers actual install
• There's a disconnect here...
Market App Requests
• What does the market app POST to the market server?
• Can we spoof the same request and trigger an INSTALL_ASSET message and subsequent install?
Base64 Encoded Protobuf Payload
Raw Protobuf Decoded
RE'ed Protobuf Specification
• app/asset ID
• auth token
• install request message
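The decoding step behind the two screenshot slides (base64 blob in, raw fields out), as an added example that is neither the talk's tooling nor the real Market schema: a schema-less protobuf wire-format decoder in the spirit of `protoc --decode_raw`. The field numbers and values in SAMPLE_BYTES are made up for illustration; the only thing the slides say about the real request is that it carries an app/asset ID and an auth token.

```python
import base64

# Wire types from the protobuf encoding spec; 3 and 4 (groups) are deprecated
VARINT, FIXED64, LENGTH_DELIMITED, FIXED32 = 0, 1, 2, 5


def read_varint(buf, pos):
    """Decode a base-128 varint at buf[pos]; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def _printable(data):
    return len(data) > 0 and all(0x20 <= b < 0x7F for b in data)


def decode_raw(buf):
    """Schema-less decode of one protobuf message.

    Returns a list of (field_number, kind, value).  A length-delimited field
    is reported as 'string' when it is printable ASCII, as a nested 'message'
    when its bytes parse cleanly as one, and as raw 'bytes' otherwise."""
    buf = bytes(buf)
    fields = []
    pos = 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field_no, wire_type = key >> 3, key & 0x07
        if field_no == 0:
            raise ValueError("field number 0 is reserved")
        if wire_type == VARINT:
            value, pos = read_varint(buf, pos)
            fields.append((field_no, "varint", value))
        elif wire_type in (FIXED64, FIXED32):
            width = 8 if wire_type == FIXED64 else 4
            chunk = buf[pos:pos + width]
            if len(chunk) != width:
                raise ValueError("truncated fixed-width field")
            pos += width
            fields.append((field_no, f"fixed{width * 8}", int.from_bytes(chunk, "little")))
        elif wire_type == LENGTH_DELIMITED:
            length, pos = read_varint(buf, pos)
            chunk = buf[pos:pos + length]
            if len(chunk) != length:
                raise ValueError("truncated length-delimited field")
            pos += length
            if _printable(chunk):
                fields.append((field_no, "string", chunk.decode("ascii")))
            elif length == 0:
                fields.append((field_no, "bytes", b""))
            else:
                try:
                    fields.append((field_no, "message", decode_raw(chunk)))
                except ValueError:
                    fields.append((field_no, "bytes", chunk))
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
    return fields


def decode_b64(text):
    """Decode a base64-encoded protobuf blob, as seen in the captured POST."""
    return decode_raw(base64.b64decode(text))


def dump(fields, indent=0):
    """Render decoded fields one per line, nested messages indented."""
    lines = []
    for field_no, kind, value in fields:
        if kind == "message":
            lines.append(f"{' ' * indent}{field_no}: {{")
            lines.extend(dump(value, indent + 2))
            lines.append(f"{' ' * indent}}}")
        else:
            lines.append(f"{' ' * indent}{field_no} ({kind}): {value!r}")
    return lines


# Constructed sample with made-up field numbers (NOT the real Market schema):
#   1: varint 150, 2: string "testing", 3: nested message { 1: string "asset-123" }
SAMPLE_BYTES = bytes([
    0x08, 0x96, 0x01,                        # field 1, varint 150
    0x12, 0x07, *b"testing",                 # field 2, 7-byte string
    0x1A, 0x0B, 0x0A, 0x09, *b"asset-123",   # field 3, 11-byte nested message
])
SAMPLE_B64 = base64.b64encode(SAMPLE_BYTES).decode("ascii")

if __name__ == "__main__":
    print("\n".join(dump(decode_b64(SAMPLE_B64))))
```

The string-versus-message guess is a heuristic, the same ambiguity `--decode_raw` has: a printable string can also be a valid message, so once the field roles are known (which one is the asset ID, which the token) you pin them down in a .proto and stop guessing.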
Elements of a Install Request
• We have the format of the request now!
• Need to populate it with:
– Lots of miscellaneous fields...
– App ID: target app to be installed
• Can be derived from dissecting market requests
– Auth token: the hard part?
• Turns out we can steal it from Android's AccountManager!
Bypassing Permissions Approval
• Steal the “android” service token used by market from the AccountManager
• Construct protobuf request to market servers for invoking an application installer
• INSTALL_ASSET is pushed and app installed without any user prompt / permission approval
• PoC disguised as an Angry Birds expansion app
Angry Birds Bonus Levels
Fake Toll Fraud App
Platform Security Wrapup
• Vulnerability status:
– Donut: fixed
– Froyo: fixed
– Eclair: no confirmation yet, may be vulnerable
• Platform complexity leads to vulns
– Round-about market / GtalkService procedure
– “server-initiated” flag fix worth investigation
Agenda
• Android Security Overview
• Kernel Security
• Platform Security
• Application Security
Broad Observations
• The Web pushed content to the browser
– Centralization of apps & data
– Always a push for MORE (ActiveX, applets, Flash)
• Now, everyone gets their own app!
– Code (not HTML) gets pushed to the endpoint
– XKCD Viewer
Broad Observations
• AuthC/AuthZ
– Carrier Applications
• “we trust you because you’re on our network”
– Third-party Applications
• SOMETIMES better than carrier apps
– Incomplete support of open standards
• Client-side data trust issues
– admin=1
Broad Observations
• HyperGlobalMegaCloudDataMeshStore
– Many Apps for syncing data between device and CLOUD
• Full AuthC and AuthZ bugs
Testing Techniques
• White Box Source Code Review
– Sometimes, it’s trivial to get app source code
• Black Box
– Acquiring Application Binaries
– Reverse Engineering
• Disassembly/Decompilation
– Network Analysis
• Protocol Analysis, fuzzing
– MITM
Testing Techniques
• Not everyone can be a Binary RE ninja
– ...and project timelines don’t allow for on-the-job training :-)
• Sometimes the easiest way to understand an application is to look at its TRAFFIC
• You need to become the MITM
– Just like WAPT, and Burp, WebScarab, etc.
Testing Techniques
• MAPT MITM Challenges!
– Run the app in an emulator (boring)
– Connect the phone to your own WAP
• Uplink your WAP to your laptop with Internet sharing enabled
– Run Wireshark
– WiFi not always an option
• Handset might not support WiFi
• Application might require carrier network
– Change server.carrier.com to testsite.com
Intrepidus Group, Inc. © 2010
Testing Techniques
• MAPT MITM Challenges!
– Wireshark lets you see traffic
– SYN TCP 80? Easy.
– SYN TCP 443? A little harder.
– SYN TCP 9999? Ok...
• Binary data?! Huh?
– UDP DST Port 4717?!?
• I quit!
Case Studies
Case Study: Foursquare
• Foursquare client for Android
• Originally written in Java, like most Android applications
– Source available under Apache 2.0 license
Case Study: Foursquare
• Foursquare API supports Basic Auth and OAuth…
– OAuth includes signatures for transactions, helps prevent replay attacks, etc.
– Guess which one foursquared uses
Case Study: Foursquare
• That’s right. HTTP Basic Auth…over plaintext transport
• There’s a CWE for that!
– CWE-311: Missing Encryption of Sensitive Data (including credentials)
Case Study: Foursquare
• Why is this a problem?
– EVERYONE uses Foursquare
• Well, maybe not you, but everyone else!
– Most applications “prefer” WiFi to cell radio => trivial interception of creds
• Funny enough, Foursquared has OAuth support
– But it’s not actually used
Case Study: Storage Application
• Multi-platform application for storing and retrieving music, videos, documents, and more
– Android, BREW, Blackberry, and fat web browser
• Proprietary, binary-only
Case Study: Storage Application
• Simple crash in storage quota viewer
– Divide-by-zero error leads to DoS
– Attacker must successfully intercept and modify server response for this to happen
• A bit more difficult since this tends to occur over the carrier’s network, but WiFi is still an option
Case Study: Storage Application
• Diddling with “Digital Rights Management”
– App supports sharing of video, audio, image content with your contacts
– Enforces “DRM” on “protected” files
• Often copyrighted or premium content
– Enforcement occurs based on the value of an attribute in the file’s XML manifest
• Yes, Virginia, that is under the user’s control
![Page 60: TEAM JOCH vs. Android - Jon Oberheide · TEAM JOCH vs. Android - ShmooCon 2011 Slide # 2 TEAM JOCH Jon Oberheide + Zach Lanier = TEAM JOCH. TEAM JOCH vs ... TEAM JOCH vs. Android](https://reader031.fdocuments.net/reader031/viewer/2022022521/5b2754957f8b9a12158b49f7/html5/thumbnails/60.jpg)
TEAM JOCH vs. Android - ShmooCon 20112525
Case Study: Storage Application
![Page 61: TEAM JOCH vs. Android - Jon Oberheide · TEAM JOCH vs. Android - ShmooCon 2011 Slide # 2 TEAM JOCH Jon Oberheide + Zach Lanier = TEAM JOCH. TEAM JOCH vs ... TEAM JOCH vs. Android](https://reader031.fdocuments.net/reader031/viewer/2022022521/5b2754957f8b9a12158b49f7/html5/thumbnails/61.jpg)
TEAM JOCH vs. Android - ShmooCon 20112525
Case Study: Storage Application
![Page 62: TEAM JOCH vs. Android - Jon Oberheide · TEAM JOCH vs. Android - ShmooCon 2011 Slide # 2 TEAM JOCH Jon Oberheide + Zach Lanier = TEAM JOCH. TEAM JOCH vs ... TEAM JOCH vs. Android](https://reader031.fdocuments.net/reader031/viewer/2022022521/5b2754957f8b9a12158b49f7/html5/thumbnails/62.jpg)
TEAM JOCH vs. Android - ShmooCon 20112525
Case Study: Storage Application
![Page 63: TEAM JOCH vs. Android - Jon Oberheide · TEAM JOCH vs. Android - ShmooCon 2011 Slide # 2 TEAM JOCH Jon Oberheide + Zach Lanier = TEAM JOCH. TEAM JOCH vs ... TEAM JOCH vs. Android](https://reader031.fdocuments.net/reader031/viewer/2022022521/5b2754957f8b9a12158b49f7/html5/thumbnails/63.jpg)
TEAM JOCH vs. Android - ShmooCon 20112525
Becomes…
Case Study: Storage Application
Slide # 64
Case Study: Storage Application
Slide # 65
Case Study: Storage Application
• The “DRM” is enforced entirely within the client, predicated on the response from the server
– And that response can be intercepted and modified => “DRM” bypass
• CWE-807: Reliance on Untrusted Inputs in a Security Decision
– I like CWE, btw
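Worked example, added here and not code from the talk or from the storage app: the client-side check from this case study reduced to its two inputs (the drm attribute in the on-device manifest, and the server's licence reply), the two ways the slides describe to defeat it, and the server-side design that removes the decision from the client. The manifest layout, the JSON reply format, the file IDs and the user names are assumptions made for the demo.

```python
"""Client-side "DRM" that trusts inputs it cannot vouch for (CWE-807), beside
a design where the server makes the decision. Added example; the manifest
format, reply format, IDs and users are constructed, not the real app's."""
import json
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set

# Constructed manifest as the client might keep it on the device: the attribute
# that marks the item as protected lives in storage the user can edit.
MANIFEST_XML = '<file id="42" name="movie.mp4" drm="true"/>'

# Constructed server reply as bytes on the wire, for a user who is NOT licensed.
SERVER_REPLY = b'{"file_id": "42", "licensed": false}'


def vulnerable_client_may_play(manifest_xml: str, reply_bytes: bytes) -> bool:
    """The pattern on the slide: the client decides whether to release the
    content from two inputs whose integrity it does not control.
    Bypass 1: edit the manifest to drm="false" and the server is never asked.
    Bypass 2: keep drm="true" and rewrite the reply in transit."""
    is_protected = ET.fromstring(manifest_xml).get("drm", "false") == "true"
    if not is_protected:
        return True
    reply = json.loads(reply_bytes)
    return reply.get("licensed") is True


def tamper_in_transit(reply_bytes: bytes) -> bytes:
    """What an intercepting-proxy rule does: parse the reply, flip one field,
    re-serialise it. The client has no way to tell this from a genuine answer."""
    reply = json.loads(reply_bytes)
    reply["licensed"] = True
    return json.dumps(reply).encode()


def edit_manifest(manifest_xml: str, **attrs: str) -> str:
    """What the user does to the on-device manifest: change attributes in place."""
    root = ET.fromstring(manifest_xml)
    for key, value in attrs.items():
        root.set(key, value)
    return ET.tostring(root, encoding="unicode")


# --- Hardened design: the server decides and keeps the bytes ----------------
CONTENT_STORE: Dict[str, bytes] = {"42": b"<protected bytes>"}        # constructed
ENTITLEMENTS: Dict[str, Set[str]] = {"alice": {"42"}, "bob": set()}  # constructed


def server_fetch(user: str, file_id: str) -> Optional[bytes]:
    """Entitlement is checked where neither the user nor a proxy can reach.
    An unlicensed client never receives the content, so there is nothing left
    to enforce on the client and nothing in the reply worth rewriting."""
    if file_id not in ENTITLEMENTS.get(user, set()):
        return None
    return CONTENT_STORE.get(file_id)
```

The hardened half is deliberately dull: once the server hands bytes only to entitled users, there is no on-device flag to flip and no licence field to rewrite. A client-side check can remain as a UX hint, but it must not be the thing that stands between the user and the content.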
Slide # 66
Case Study: App Framework
• Cross-platform framework for HTML/JS “applications”
– WinMo, Android, etc.
Slide # 67
Case Study: App Framework
• Custom permissions restricted us from sending messages (Intents) to the runtime
Slide # 68
Case Study: App Framework
• But other (malicious) apps can clobber widget content!
– CWE-276: Incorrect Default Permissions
– So we wrote a malicious app to do just that
Slide # 69
Case Study: App Framework
Slide # 70
Case Study: App Framework
Slide # 71
Lookout Mobile
• Lookout Mobile security app
– Over 4 million users
– Scanning, backup, lost device tracking, etc.
Slide # 72
Lookout: World-Writable Files
• Lookout installs with a world-writable config file and database
– Independently discovered by Tavis Ormandy
• Disable it, lock out the device, etc., from any unprivileged app
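Worked example, added here and not Lookout's or the app framework's code: the check a reviewer would run against an app's private data directory to catch both the world-writable config/database on this slide and the clobbered widget content in the framework case study (files that any other app's UID can read or write), plus the correct way to create such a file. The directory layout and file names are constructed for the demo; on a device the root would be /data/data/<package>.

```python
"""Scan an app's private data directory for entries other UIDs can read or
write (the mistake behind CWE-276 world-writable files), and create a file
correctly. Added example; paths and contents are constructed for the demo."""
import os
import stat
import tempfile
from typing import Dict, List, Tuple


def find_world_accessible(root: str) -> List[Tuple[str, str]]:
    """Report every entry under `root` that any other UID can write or read.
    Each Android app runs as its own Linux UID, so 'other' means every other
    installed app, including one that requested no permissions at all."""
    findings: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue            # the kernel ignores mode bits on the link itself
            bits = stat.S_IMODE(mode)
            if bits & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            elif bits & stat.S_IROTH:
                findings.append((path, "world-readable"))
    return findings


def write_private(path: str, data: bytes) -> None:
    """Create the file with mode 0600 at open() time. A chmod after writing
    leaves a window in which another process may already hold it open.
    The Android equivalent is Context.openFileOutput(name, MODE_PRIVATE)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo() -> Dict[str, str]:
    """Build a constructed app data directory holding a world-writable config,
    a world-readable database and one correctly created secret, then return
    {basename: verdict} for everything the scan flags."""
    root = tempfile.mkdtemp(prefix="com.example.app-")
    os.makedirs(os.path.join(root, "shared_prefs"), mode=0o700)
    os.makedirs(os.path.join(root, "databases"), mode=0o700)

    settings = os.path.join(root, "shared_prefs", "settings.xml")
    with open(settings, "w") as f:
        f.write('<map><boolean name="device_locked" value="false"/></map>')
    os.chmod(settings, 0o666)       # the bug: any app can rewrite the config

    db = os.path.join(root, "databases", "app.db")
    with open(db, "wb") as f:
        f.write(b"SQLite format 3\x00")
    os.chmod(db, 0o644)             # leaks the database to every other app

    write_private(os.path.join(root, "token.bin"), b"constructed-session-token")

    return {os.path.basename(p): verdict for p, verdict in find_world_accessible(root)}
```

On a rooted device or an emulator the same sweep is `find /data/data/<package> -perm -o+w` with a GNU- or toybox-style find; the Python version additionally separates world-readable from world-writable, because a readable database already leaks data while a writable config lets another app change the security app's behaviour, which is the disable-it-or-lock-the-device case on the slide.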
Slide # 73
Lookout: 0wned by Tavis
• Tavis took it to the next level:
– Backed up a custom shared lib, “liblookout.so”, from a user-controlled directory
– Restored it into the Lookout app's data/lib directory, overwriting the legitimate “liblookout.so”
– Security app → less secure phone
Slide # 74
Application Security Wrapup
• Lack of guidance, standards, and practices makes developers reinvent the wheel
– Or just makes them think they need to
• Neglecting the security lessons learned with “traditional” and web applications
– Client-side trust
– Access control issues
– …and all of the other “basic” problems and mistakes of yore
Slide # 75
Final Scorecard
• TEAM JOCH vs. Android kernel?
– TEAM JOCH!
• TEAM JOCH vs. Android platform?
– TEAM JOCH!
• TEAM JOCH vs. Android apps?
– TEAM JOCH!
Slide # 76
Q&A
QUESTIONS?
Jon Oberheide
Duo Security
Zach Lanier
Intrepidus Group