Android apps are very insecure: 80% of the ones I’ve tested have serious vulnerabilities. It’s simple to test for common vulnerabilities with a few free tools: Android Studio, Genymotion, Burp, and apktool.
Students must bring laptops. Macs work best, but PCs can also be used. Linux works better than Windows. Students will set up their laptops, find vulnerabilities in real apps, and exploit them.
We will test for insecure network transmission, insecure local storage, and insecure logging. But the most common problem is failure to verify app signatures, so that apps can be modified and Trojan code can be added. Students will do that to a real financial app, creating a proof-of-concept that leaks out private data such as username and password.
Bio: Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks at DEFCON, HOPE, BayThreat, LayerOne, and Toorcon, and taught classes at many other schools and teaching conferences. Credentials: B.S., PhD, CISSP, CEH, CWNA, CCENT, etc.
Copyright 2020, IronGeek