Announcement

Collapse
No announcement yet.

Nikita Kurtin - Defaults - the faults. Bypassing android permissions from all protection levels.

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Nikita Kurtin - Defaults - the faults. Bypassing android permissions from all protection levels.

    Nikita Kurtin - Defaults - the faults. Bypassing android permissions from all protection levels.


    Nikita Kurtin, Hacker

    Presentation Title: Defaults - the faults. Bypassing android permissions from all protection levels.

    Presentation description: Bypassing Permission mechanism using Default services in Android.
    Length of presentation: (45 minutes)
    Demo, Exploit

    Exploring in depth the android permission mechanism, through different protection levels.

    Step by step exploitations techniques that affect more than 98% of all Android devices including the last official release (Android 12).

    In this talk I reveal a few different techniques that I uncovered in my research, which can allow hackers to bypass permissions from all protection levels in any Android device, which is more than 3 billion active devices according to the google official stats.

    These vulnerabilities enable the hacker to bypass the security measures of android, by abusing default (built in) services and get access to abilities and resources which are protected by permission mechanism.

    Some vulnerabilities are partially fixed, others won't be fixed as google considers as intended behavior.

    In this talk I'll survey the different vulnerabilities, and deep dive into a few of different exploitations.

    Finally, I'll demonstrate how those techniques can be combined together to create real life implications and to use for: Ransomware, Clickjacking, Uninstalling other apps and more, completely undetected by security measures.


    SPEAKER BIO(S)
    By day - senior research developer
    By night - street workout athlete
    Sometimes vice versa ;-)
    Favorite quote: "Between dream and reality, there is only you."

    You can see CVE on my name here:
    https://source.android.com/security/...knowledgements

    https://stackoverflow.com/users/3219...in?tab=profile

    REFERENCES:
    https://developer.android.com/about/dashboards
    https://developer.android.com/guide/topics/permissions
    https://blog.dscout.com/mobile-touches

    And honestly a lot of trials and errors.
    Last edited by number6; July 2, 2022, 01:09.
Working...
X