Bluebox Labs has updated the original Heartbleed Scanner application to determine if your Android applications or your Android OS are vulnerable to the Heartbleed bug. We updated the scanning portions to verify if any discovered OpenSSL library has heartbeats enabled (the main source of the bug) in a vulnerable fashion. The application scanning portion will […] Read more
Another SSL vulnerability has been disclosed and released to the public. This one is referenced as CVE-2014-0160 or as it is commonly be called the Heartbleed bug due the leaking of information from heartbeat messages an SSL/TLS connection produces. We won’t go into the details of the bug, but if you are interested, the website […] Read more
Have you ever purchased a phone off the Internet thinking it was legitimate – only to find out it was counterfeit? It happens more often than you may think. Earlier this year, we purchased a Samsung phone online and gave it to a couple of our developers for testing. The phone looked completely legitimate; from […] Read more
Android is an open source mobile platform for devices such as smartphone and tablets. Approximately 99% of Android devices are ARM-based, but other architectures such as x86 are available. This article is focused on the ARM architecture. Android has been released with a ready-to-use SDK emulator for easy app development. The SDK emulator enables developers […] Read more
Bluebox CTO, Jeff Forristal’s presentation entitled “Android: One Root to Own Them All” about his research that uncovered the Android Master Key is now available. Forristal_Blackhat-US2013__final Below is the abstract of Jeff’s presentation. This presentation is a case study showcasing the technical details of Android security bug 8219321, disclosed to Google in February 2013. The […] Read more
Recently Jay Freeman, aka Saurik, released an excellent technical analysis entitled “Android Bug Superior to Master Key.” His analysis covers additional exploit vectors not previously discussed that are contained in the Android Open Source Project (AOSP) patch for bug #9695860 (the same patch that covers the exploit vector highlighted by the Android Security Squad). This commentary in response to […] Read more
Bluebox Security Scanner Update Now Available During our initial discussions around the “master key” vulnerability a couple of weeks ago, we mentioned our early work with Google as part of our “responsible disclosure”to them. Our insight enabled Google to implement checks for pre-existing and new apps in the Play Store that are exploiting devices using the vulnerabilities we […] Read more
We have released a free app to help consumers and enterprises manage the risk around the “Master Key” vulnerability I blogged about last week. The Bluebox Security Scanner app produced by our research team allows you to directly check if your Android device has been patched for this vulnerability without the hassle of having to contact the device manufacturer […] Read more
The Bluebox Security research team – Bluebox Labs – recently discovered a vulnerability in Android’s security model that allows a hacker to modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user. The implications are […] Read more
Thanks to the BerlinSides team for putting together yet another strong conference. Our presentation on “Android Reverse Engineering and Defenses“ was just one of many worth checking out. We had a number of requests for copies so we wanted to post it here on our blog. Here is the abstract for the presentation. We also used […] Read more
Securing Mobile Data Wherever It Goes