Blackbox Android App Analysis with Introspy
13 Dec 2013 - Marc Blanchou & Alban Diquet
As previously announced during our Ruxcon presentation, we’re
now releasing Introspy for Android. The final version of the tool
was demonstrated at the iSEC Open Forum here in San Francisco.
Blackbox Android Pentesting
Similarly to the iOS version that was released a few months
ago, Introspy for Android is a tool designed to help penetration testers
understand what an Android application does at runtime, and to greatly
facilitate the process of reviewing the application’s security mechanisms.
The tool can easily be installed on a rooted device running Cydia
Substrate and provides a GUI interface to configure hooks, filters and
options. See the project page as well the
slides we presented at the Open Forum for more information
about what the tool does and how it works.
Source code and pre-compiled packages are available on the project’s source
repository on Github.
Browser Extension Password Managers
05 Nov 2013 - Paul Youn
Advancements in password cracking and frequent theft of password databases
endanger single-factor password authentication systems. Password managers
are one of the only tools available that can help users remember unique
high-entropy passwords, and other secrets such as credit card numbers, for
a large number of applications. Can password managers deliver on security
promises, or do they introduce their own security vulnerabilities? This
paper examines popular browser-based password managers and presents common
security flaws that could be exploited to remotely extract a user’s
Previous research on password managers has focused on the cryptographic
protections of the passwords themselves in particular environments such as
This research instead focuses on browser specific integrations and mechanisms
to remotely compromise credentials. Four of the
most popular password managers were examined: LastPass, OneLastPass, 1Password, and MaskMe.
This research shows that the examined password managers made design decisions
that greatly increase the chance of users unknowingly exposing their passwords
through application-level flaws. Many of the flaws relate to the
browser-integrated password managers that don’t follow the same-origin policy
that is crucial to browser security. In the case of password managers, this
means that passwords could be filled into unintended credential forms, making
password theft easier.
Check out the full paper
Ruxcon 2013 - Introspy Presentation Slides
27 Oct 2013 - Alban Diquet
Update: Introspy for Android is now available; we’ve also
updated the slides with additional information regarding
The slides for the Introspy: Security Profiling for Blackbox iOS and
Android presentation from Ruxcon 2013 are now available.
The presentation was given by Marc Blanchou and Alban Diquet, and introduces a
tool designed to facilitate the black-box testing of iOS and Android
- Slides can be downloaded here
- Introspy’s project page is available here
Only the iOS version is currently available; we will update this blog post as
soon as we release the Android tool.
Working with the Open Technology Fund
14 Oct 2013 - Tom Ritter
Over the past year, iSEC Partners has worked with the Open Technology
Fund on several of their supported projects.
OTF funds projects that develop open and accessible technologies promoting
human rights and open societies. Some of the projects they support that we’ve
been able to work on are Open Whisper Systems’
RedPhone and TextSecure, Commotion, and
GlobaLeaks, among others.
We consider ourselves very fortunate to be able to work on projects that are
both very technically interesting and helping make the world a better place.
Projects that OTF supports are used ‘in the field’ documenting human rights
abuses abroad, provide secure and encrypted communication platforms, and help
document Internet interference and censorship. An extension of our Liberation
this work is directly in line with our efforts to make the entire Internet a
more secure place.
In conjunction with these audits, we’ve also helped OTF perform a review of
their audit process. The goal of this review was to take a look at the
breadth, scope, and coverage of security audits performed on OTF funded
applications to date. We aimed to identify the strengths and shortcomings in
OTF’s current process and provide recommendations to improve the breadth of
coverage and to derive greater value in the future. Applicable to both OTF and
other funding agencies in the Liberation Technology and Civil Society
communities, we hope this work inspires more development and more integration
between security professionals and project teams. OTF has published this
review over on their
where you can take a look.
iOS Secure State Preservation
18 Sep 2013 - Tom Daniels
iOS 6 introduced the concept of application state preservation. The purpose of
state preservation is to hide unexpected application termination from users.
Regardless of why the application was terminated (e.g., the user explicitly
kills the app or the system terminates it to free up memory for the foreground
application), state preservation allows users to return directly to the last
point of use within the app to provide as smooth a user experience as possible.
This is achieved by serializing the state of your app’s view controllers and
views when it is backgrounded and storing them to disk.
For a detailed explanation of the preservation and restoration process, refer
to Apple’s State Preservation and Restoration Programming
Developers need to be careful when persisting view states, as there is the
potential to expose sensitive application information since the serialized data
is in plaintext. Therefore, any data that should remain private needs to be
appropriately protected from offline recovery. As such, iSEC created a sample
application that implements a more secure process for state
preservation and restoration by encrypting objects before encoding and writing
them to disk. The goal was to provide developers with a reference for securely
implementing state preservation so they can protect their application data while
still providing users with an uninterrupted experience.
The NSCoder subclasses for key-based encoding, NSKeyedArchiver and
NSKeyedUnarchiver, define delegate protocols that allow applications to
customize the encoding and decoding processes, including manipulation of the
objects to be (de)serialized. By using a custom class that implements these
delegate protocols we can serialize objects, encrypt them with a key from the
Keychain, and then pass them back off to UIKit for preservation. When the app is
relaunched the data is decrypted and deserialized before being reinstantiated by
the view controller. Through implementing the delegate protocol, developers can
take fine grained control over which objects are encrypted or simply encrypt all
Check out the project page on GitHub and try out secure state
preservation in your apps!