<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Yiannis Kozyrakis ~ blog</title>
    <link>https://koz.io/</link>
    <description>Recent content on Yiannis Kozyrakis ~ blog</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <copyright>All rights reserved - 2016</copyright>
    <lastBuildDate>Sat, 09 Apr 2022 10:15:16 +0100</lastBuildDate>
    
	<atom:link href="https://koz.io/rss.xml" rel="self" type="application/rss+xml" />
    
    
    <item>
      <title>Yiannis Kozyrakis</title>
      <link>https://koz.io/author/ikoz/</link>
      <pubDate>Sat, 09 Apr 2022 10:15:16 +0100</pubDate>
      
      <guid>https://koz.io/author/ikoz/</guid>
      <description>Bio Since August 2022, working as a security engineer at Meta - focusing on mobile security.
Before that, since 2018 I was a Security Research Engineer at Synopsys, focusing on static analysis. As part of this work, I have been investigating security issues in frameworks and libraries developed in various languages, creating SAST rules for identifying them at scale. I&amp;rsquo;ve created workflows and infrastructure for others to contribute checkers and models efficiently.</description>
    </item>
    
    <item>
      <title>Inside Android&#39;s SafetyNet Attestation - BlackHatEU17 slides</title>
      <link>https://koz.io/android-safetynet-blackhat/</link>
      <pubDate>Fri, 08 Dec 2017 17:23:33 +0000</pubDate>
      
      <guid>https://koz.io/android-safetynet-blackhat/</guid>
      <description>During BlackHat EU 2017, Collin Mulliner and I presented on Android SafetyNet Attestation.
The presentation covered what SafetyNet is, why Android developers would use attestation, some of the checks it performs and certain weaknesses it currently has. I have blogged on this topic several times.
So, here are the slides. Let me know if you have any questions; I would be happy to answer.</description>
    </item>
    
    <item>
      <title>Mobile OS version adoption</title>
      <link>https://koz.io/mobile-os-version-adoption/</link>
      <pubDate>Wed, 23 Aug 2017 23:40:24 +0100</pubDate>
      
      <guid>https://koz.io/mobile-os-version-adoption/</guid>
      <description>While trying to understand adoption patterns of new mobile OS versions, I decided to plot data from the Android Dashboard and Apple&amp;rsquo;s pie-chart, with help from the Wayback Machine. I&amp;rsquo;ll try to keep the charts updated going forward. Feel free to hover; they are interactive.
The charts confirm our common knowledge: new Android versions take a long time to reach a reasonably good share of the userbase, compared to new iOS versions, where 70% adoption is reached within a month.</description>
    </item>
    
    <item>
      <title>Library injection for debuggable Android apps</title>
      <link>https://koz.io/library-injection-for-debuggable-android-apps/</link>
      <pubDate>Sun, 09 Jul 2017 16:00:00 +0000</pubDate>
      
      <guid>https://koz.io/library-injection-for-debuggable-android-apps/</guid>
      <description>TLDR: released a script which can be used to inject native libraries like Frida into debuggable Android apps on non-rooted devices.
As discussed on a previous blogpost, security testers can use Frida to review the internals of Android apps on non-rooted Android devices, as long as they inject the library into the app via application repackaging.
Some time ago, Tim asked the following on twitter: So Frida does require root?</description>
    </item>
    
    <item>
      <title>Using Frida on Android without root</title>
      <link>https://koz.io/using-frida-on-android-without-root/</link>
      <pubDate>Wed, 12 Apr 2017 10:30:00 +0000</pubDate>
      
      <guid>https://koz.io/using-frida-on-android-without-root/</guid>
      <description>Frida is a great toolkit by @oleavr, used to build tools for dynamic instrumentation of apps in userspace. It is often used, like Substrate, Xposed and similar frameworks, during security reviews of mobile applications.
Typically, rooted Android devices are used during such reviews. There are several reasons for this, but the most important is that the frida-server binary, which executes on the device, requires root privileges to attach to (ptrace) the target application, in order to inject the Frida gadget library into the memory space of the process.</description>
    </item>
    
    <item>
      <title>Pinning - not as simple as it sounds</title>
      <link>https://koz.io/android-pinning-bugs/</link>
      <pubDate>Wed, 22 Mar 2017 17:23:33 +0000</pubDate>
      
      <guid>https://koz.io/android-pinning-bugs/</guid>
      <description>Two weeks ago I presented (once more) on the topic of pinning, this time focusing on bugs seen in real-world Android applications implementing pinning. The presentation also covered CVE-2016-2402 in some detail, Android&amp;rsquo;s Network Security Configuration and a few other relevant topics.
The conference was Android Security Symposium - a great security event, hosted in an awesome venue within Vienna University of Technology.
So, here are the slides and here is the video.</description>
    </item>
    
    <item>
      <title>Inside SafetyNet - part 3</title>
      <link>https://koz.io/inside-safetynet-3/</link>
      <pubDate>Sun, 13 Nov 2016 14:46:02 +0000</pubDate>
      
      <guid>https://koz.io/inside-safetynet-3/</guid>
      <description>This post is part of a series:
 Inside SafetyNet part 1 (Oct 2015) Inside SafetyNet part 2 (Feb 2016) Inside SafetyNet part 3 (Nov 2016) How to implement Attestation securely using server-side checks (my blog, Cigital blog) SafetyNet Playground (POC server-side implementation) Play Store - Android source - PHP source  It&amp;rsquo;s been more than 8 months since my last blog post on Android&amp;rsquo;s SafetyNet. In that post I was describing an end-of-2015 version of the system (version code 2495818).</description>
    </item>
    
    <item>
      <title>Migrating from Ghost to Hugo</title>
      <link>https://koz.io/ghost-to-hugo/</link>
      <pubDate>Mon, 07 Nov 2016 11:02:19 +0000</pubDate>
      
      <guid>https://koz.io/ghost-to-hugo/</guid>
      <description>This weekend I migrated my blog from Ghost to Hugo. Ghost is great, but I couldn&amp;rsquo;t justify running a DigitalOcean droplet just for hosting a blog, maintaining it and updating Ghost all the time. Static pages work just fine. So, after looking around at several static site generators I decided to use Hugo.
Here is what I did to migrate:
 Created a new hugo site on my local system. Got a JSON backup of my Ghost content using the export tool.</description>
    </item>
    
    <item>
      <title>Hiding root with suhide</title>
      <link>https://koz.io/hiding-root-with-suhide/</link>
      <pubDate>Tue, 30 Aug 2016 18:37:13 +0100</pubDate>
      
      <guid>https://koz.io/hiding-root-with-suhide/</guid>
      <description>Update: This post was written after the release of suhide v0.01 and documents that version. Scroll further down for some notes on the newer suhide v0.12.
ChainFire recently released suhide, a new &amp;ldquo;root hiding&amp;rdquo; mod for SuperSU. It is claimed to beat SafetyNet - and it does, for now - no configuration necessary. Here is some proof, using our SafetyNet Playground app: So how does it do it? suhide.zip is flashed to the device through Android recovery.</description>
    </item>
    
    <item>
      <title>Certificate Pinning for mobile apps - OWASP AppSecEU16 slides</title>
      <link>https://koz.io/certificate-pinning-owasp-appseceu16/</link>
      <pubDate>Tue, 09 Aug 2016 16:56:56 +0100</pubDate>
      
      <guid>https://koz.io/certificate-pinning-owasp-appseceu16/</guid>
      <description>As you might have guessed from previous posts on the topic, I&amp;rsquo;ve been researching certificate pinning implementations in mobile apps for the last couple of years.
Two months ago I presented a talk on certificate pinning at the OWASP AppSecEU16 conference in Rome, Italy. The conference was pretty fun; I met so many interesting people.
So, here are the slides and the video.
The official abstract:
 Pinning Certificates (“Cert Pinning”) trends perennially, coming to the fore with each new SSL hack.</description>
    </item>
    
    <item>
      <title>Testing for CVE-2016-2402 and similar pinning issues</title>
      <link>https://koz.io/pinning-cve-2016-2402/</link>
      <pubDate>Thu, 31 Mar 2016 10:30:00 +0100</pubDate>
      
      <guid>https://koz.io/pinning-cve-2016-2402/</guid>
      <description>Two weeks ago I published details of an attack method that can be used to bypass various implementations of certificate pinning in Android or generally Java applications.
Several applications and frameworks are still vulnerable to the attack, among them every Java or Android application using a version of the popular OkHttp networking library before versions 3.1.2 and 2.7.4. [The OkHttp issue is tracked as CVE-2016-2402]
Brief overview Certificate pinning is a control used to mitigate Man-In-The-Middle attacks by privileged attackers.</description>
    </item>
    
    <item>
      <title>Inside SafetyNet - part 2</title>
      <link>https://koz.io/inside-safetynet-2/</link>
      <pubDate>Sun, 20 Mar 2016 14:46:02 +0000</pubDate>
      
      <guid>https://koz.io/inside-safetynet-2/</guid>
      <description>This post is part of a series:
 Inside SafetyNet part 1 (Oct 2015) Inside SafetyNet part 2 (Feb 2016) Inside SafetyNet part 3 (Nov 2016) How to implement Attestation securely using server-side checks (my blog, Cigital blog) SafetyNet Playground (POC server-side implementation) Play Store - Android source - PHP source  It&amp;rsquo;s been six months since my last blog post on Android&amp;rsquo;s SafetyNet. I was then examining a mid-July 2015 version of the system.</description>
    </item>
    
    <item>
      <title>Network Security Policy configuration for Android apps</title>
      <link>https://koz.io/network-security-policy-configuration-for-android-apps/</link>
      <pubDate>Mon, 15 Feb 2016 15:00:00 +0000</pubDate>
      
      <guid>https://koz.io/network-security-policy-configuration-for-android-apps/</guid>
      <description>android.security.net.config. Capabilities: permit clear-text traffic, HSTS enforcement, certificate pinning, custom trust anchors. Android engineers have recently been busy building out AndroidNSSP (Android Network Security Provider): a system that application developers will be able to use in order to control aspects of the network security policy of their application. It&amp;rsquo;s been long overdue, and there are various bits and pieces still missing; however, important parts were merged to AOSP master about a month ago.</description>
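An added example, not taken from the post or from AOSP, of what three of the capabilities listed above (clear-text control, certificate pinning, custom trust anchors) look like in the network security configuration format that shipped with Android, referenced from the manifest's application element via android:networkSecurityConfig. The hostnames, the @raw/internal_ca resource and the two pin values are placeholders; HSTS enforcement, listed above, has no element in this example.

```xml
&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;!-- res/xml/network_security_config.xml (added example, placeholder values) --&gt;
&lt;network-security-config&gt;
    &lt;!-- Default for every host: no cleartext, and trust only the system store,
         so a user-installed CA (e.g. an intercepting proxy) is not trusted --&gt;
    &lt;base-config cleartextTrafficPermitted="false"&gt;
        &lt;trust-anchors&gt;
            &lt;certificates src="system" /&gt;
        &lt;/trust-anchors&gt;
    &lt;/base-config&gt;

    &lt;!-- Pinning for the API host (placeholder domain and placeholder pins).
         Each pin is the base64 SHA-256 of a SubjectPublicKeyInfo; keep a
         backup pin so a key rotation cannot lock the app out --&gt;
    &lt;domain-config&gt;
        &lt;domain includeSubdomains="true"&gt;api.example.com&lt;/domain&gt;
        &lt;pin-set expiration="2018-01-01"&gt;
            &lt;pin digest="SHA-256"&gt;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=&lt;/pin&gt;
            &lt;pin digest="SHA-256"&gt;BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=&lt;/pin&gt;
        &lt;/pin-set&gt;
    &lt;/domain-config&gt;

    &lt;!-- Custom trust anchor for one internal host only, loaded from a
         raw resource (placeholder resource name) --&gt;
    &lt;domain-config&gt;
        &lt;domain&gt;internal.example.com&lt;/domain&gt;
        &lt;trust-anchors&gt;
            &lt;certificates src="@raw/internal_ca" /&gt;
        &lt;/trust-anchors&gt;
    &lt;/domain-config&gt;

    &lt;!-- Applied only when the app is debuggable: lets testers intercept
         traffic with a user-added CA without changing the release policy --&gt;
    &lt;debug-overrides&gt;
        &lt;trust-anchors&gt;
            &lt;certificates src="user" /&gt;
        &lt;/trust-anchors&gt;
    &lt;/debug-overrides&gt;
&lt;/network-security-config&gt;
```

Two things to check when reviewing such a file: once the pin-set expiration date has passed, pins are no longer enforced (the configuration fails open rather than closed), so the date needs to be tracked like any other credential; and debug-overrides only take effect for builds with android:debuggable set, so a release build with that flag accidentally left on also inherits the relaxed trust anchors.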
    </item>
    
    <item>
      <title>Using Android&#39;s tamper detection securely in your app</title>
      <link>https://koz.io/using-safetynet-securely-in-your-android-app/</link>
      <pubDate>Mon, 12 Oct 2015 09:52:01 +0100</pubDate>
      
      <guid>https://koz.io/using-safetynet-securely-in-your-android-app/</guid>
      <description>In a previous blogpost, I described how Google Play&amp;rsquo;s SafetyNet service is structured, from a technical perspective, diving deep into details and the checks it performs on the device.
Recap: Google Play&amp;rsquo;s SafetyNet service allows your application to gain information about the &amp;lsquo;CTS compatibility&amp;rsquo; status of the device you are running on. You can think of CTS compatibility as a mix of rooting detection, device tampering detection and active MitM detection.</description>
    </item>
    
    <item>
      <title>SafetyNet: Google&#39;s tamper detection for Android</title>
      <link>https://koz.io/inside-safetynet/</link>
      <pubDate>Thu, 17 Sep 2015 16:16:17 +0100</pubDate>
      
      <guid>https://koz.io/inside-safetynet/</guid>
      <description>This post is part of a series:
 Inside SafetyNet part 1 (Oct 2015) Inside SafetyNet part 2 (Feb 2016) Inside SafetyNet part 3 (Nov 2016) How to implement Attestation securely using server-side checks (my blog, Cigital blog) SafetyNet Playground (POC server-side implementation) Play Store - Android source - PHP source  What is SafetyNet The Android Pay application got released a few days ago. Some people using rooted devices discovered that it refused to work.</description>
    </item>
    
    <item>
      <title>Using ProGuard to remove logs</title>
      <link>https://koz.io/on-proguard-log-removal/</link>
      <pubDate>Thu, 02 Jul 2015 14:49:00 +0100</pubDate>
      
      <guid>https://koz.io/on-proguard-log-removal/</guid>
      <description>A couple of days ago the following two tweets appeared on my twitter feed:
I had no idea you could remove code using proguard. neat. http://t.co/7ljGEv2vpx
&amp;mdash; Joshua J. Drake (@jduck) June 29, 2015 @jduck yep, I use this to remove debug code at run time
&amp;mdash; Justin Case (@jcase) June 29, 2015 These tweets reminded me of something: If you&amp;rsquo;re an Android developer and you want to use ProGuard&amp;rsquo;s code removal feature to remove your logs and use method renaming at the same time, be careful.</description>
    </item>
    
    <item>
      <title>Android M and the war on cleartext traffic</title>
      <link>https://koz.io/android-m-and-the-war-on-cleartext-traffic/</link>
      <pubDate>Wed, 17 Jun 2015 23:35:06 +0100</pubDate>
      
      <guid>https://koz.io/android-m-and-the-war-on-cleartext-traffic/</guid>
      <description>A week ago, during WWDC, Apple announced App Transport Security (ATS) for iOS 9. This feature will allow app developers to specify which domains their app needs to communicate with over HTTPS. In principle, for those domains, cleartext traffic will be automatically blocked by the system.
What about Android? Google has not yet announced it officially, but the next Android version (codenamed Android M) has a &amp;ldquo;similar&amp;rdquo; feature. The code that includes this has actually been around for a while before Apple&amp;rsquo;s WWDC conference, but no-one seems to have picked it up.</description>
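An added example, not from the post, of the two opt-outs the post compares: the Android M application-level manifest flag and an ATS exception on iOS 9. The hostname legacy.example.com is a placeholder.

```xml
&lt;!-- AndroidManifest.xml (added example): opt the whole app out of cleartext
     traffic on Android M (API 23) and later. The flag is honoured on a
     best-effort basis by stacks that consult
     NetworkSecurityPolicy.isCleartextTrafficPermitted(), such as
     HttpURLConnection; code that opens plain sockets itself is not covered --&gt;
&lt;application
    android:label="@string/app_name"
    android:usesCleartextTraffic="false"&gt;
    &lt;!-- activities, services and so on are unchanged --&gt;
&lt;/application&gt;

&lt;!-- Info.plist (added example): ATS on iOS 9 blocks cleartext by default.
     Grant the exception to one legacy host (placeholder) rather than
     disabling ATS for every host with NSAllowsArbitraryLoads --&gt;
&lt;key&gt;NSAppTransportSecurity&lt;/key&gt;
&lt;dict&gt;
    &lt;key&gt;NSExceptionDomains&lt;/key&gt;
    &lt;dict&gt;
        &lt;key&gt;legacy.example.com&lt;/key&gt;
        &lt;dict&gt;
            &lt;key&gt;NSExceptionAllowsInsecureHTTPLoads&lt;/key&gt;
            &lt;true/&gt;
        &lt;/dict&gt;
    &lt;/dict&gt;
&lt;/dict&gt;
```

When reviewing an app, grep the manifest for usesCleartextTraffic and the plist for NSAllowsArbitraryLoads: the first being absent or true, or the second being true, means the platform control is not in effect and any cleartext URL in the code is reachable.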
    </item>
    
    <item>
      <title>Substrate - hooking C on Android</title>
      <link>https://koz.io/android-substrate-c-hooking/</link>
      <pubDate>Mon, 01 Jun 2015 14:22:23 +0100</pubDate>
      
      <guid>https://koz.io/android-substrate-c-hooking/</guid>
      <description>Substrate is one of the best dynamic instrumentation frameworks. It is very flexible and allows you to easily hook Java, Objective-C or native C/C++ code in your Android or iOS apps. It can even hook non-exported functions, but that&amp;rsquo;s a matter for another blog post.
I use Substrate quite a lot during mobile app security testing, along with various other tools. This post is the second of a two part walkthrough on hooking C code on iOS and Android platforms using Substrate.</description>
    </item>
    
    <item>
      <title>Same Origin Policy and the Android WebView</title>
      <link>https://koz.io/same-origin-policy-and-android-webview/</link>
      <pubDate>Fri, 15 May 2015 16:53:02 +0100</pubDate>
      
      <guid>https://koz.io/same-origin-policy-and-android-webview/</guid>
      <description>First of all, let me say that all that follows is public knowledge and is somewhat described in the Android docs. However, I haven&amp;rsquo;t seen much discussion, so I thought it&amp;rsquo;s a good idea to write a blog post.
Same Origin Policy: When a page is loaded into a WebView to be displayed, all code in this page runs &amp;ldquo;in the context&amp;rdquo; of that page (its origin). The Same Origin Policy (SOP) is a mechanism that restricts JavaScript running in the context of one origin from accessing objects from another origin.</description>
    </item>
    
  </channel>
</rss>