Blackbox Android App Analysis with Introspy
13 Dec 2013 - Marc Blanchou & Alban Diquet
As previously announced during our Ruxcon presentation, we’re
now releasing Introspy for Android. The final version of the tool
was demonstrated at the iSEC Open Forum here in San Francisco.
Blackbox Android Pentesting
Similarly to the iOS version that was released a few months
ago, Introspy for Android is a tool designed to help penetration testers
understand what an Android application does at runtime, and to greatly
facilitate the process of reviewing the application’s security mechanisms.
The tool can easily be installed on a rooted device running Cydia
Substrate and provides a GUI to configure hooks, filters and
options. See the project page as well as the
slides we presented at the Open Forum for more information
about what the tool does and how it works.
Source code and pre-compiled packages are available on the project’s source
repository on Github.
Browser Extension Password Managers
05 Nov 2013 - Paul Youn
Advancements in password cracking and frequent theft of password databases
endanger single-factor password authentication systems. Password managers
are one of the only tools available that can help users remember unique
high-entropy passwords, and other secrets such as credit card numbers, for
a large number of applications. Can password managers deliver on security
promises, or do they introduce their own security vulnerabilities? This
paper examines popular browser-based password managers and presents common
security flaws that could be exploited to remotely extract a user’s
password.
Previous research on password managers has focused on the cryptographic
protections of the passwords themselves in particular environments such as
mobile devices.
This research instead focuses on browser-specific integrations and mechanisms
to remotely compromise credentials. Four of the
most popular password managers were examined: LastPass, OneLastPass, 1Password, and MaskMe.
This research shows that the examined password managers made design decisions
that greatly increase the chance of users unknowingly exposing their passwords
through application-level flaws. Many of the flaws relate to the
browser-integrated password managers that don’t follow the same-origin policy
that is crucial to browser security. In the case of password managers, this
means that passwords could be filled into unintended credential forms, making
password theft easier.
Check out the full paper
here.
Ruxcon 2013 - Introspy Presentation Slides
27 Oct 2013 - Alban Diquet
Update: Introspy for Android is now available; we’ve also
updated the slides with additional information regarding
the tool.
The slides for the Introspy: Security Profiling for Blackbox iOS and
Android presentation from Ruxcon 2013 are now available.
The presentation was given by Marc Blanchou and Alban Diquet, and introduces a
tool designed to facilitate the black-box testing of iOS and Android
applications.
- Slides can be downloaded here
- Introspy’s project page is available here
Only the iOS version is currently available; we will update this blog post as
soon as we release the Android tool.
Working with the Open Technology Fund
14 Oct 2013 - Tom Ritter
Over the past year, iSEC Partners has worked with the Open Technology
Fund on several of their supported projects.
OTF funds projects that develop open and accessible technologies promoting
human rights and open societies. Some of the projects they support that we’ve
been able to work on are Open Whisper Systems’
RedPhone and TextSecure, Commotion, and
GlobaLeaks, among others.
We consider ourselves very fortunate to be able to work on projects that are
both very technically interesting and helping make the world a better place.
Projects that OTF supports are used ‘in the field’ to document human rights
abuses abroad, provide secure and encrypted communication platforms, and help
document Internet interference and censorship. An extension of our Liberation
Technology Auditing
Cheatsheet,
this work is directly in line with our efforts to make the entire Internet a
more secure place.
In conjunction with these audits, we’ve also helped OTF perform a review of
their audit process. The goal of this review was to take a look at the
breadth, scope, and coverage of security audits performed on OTF funded
applications to date. We aimed to identify the strengths and shortcomings in
OTF’s current process and provide recommendations to improve the breadth of
coverage and to derive greater value in the future. Applicable to both OTF and
other funding agencies in the Liberation Technology and Civil Society
communities, we hope this work inspires more development and more integration
between security professionals and project teams. OTF has published this
review over on their
website
where you can take a look.
iOS Secure State Preservation
18 Sep 2013 - Tom Daniels
iOS 6 introduced the concept of application state preservation. The purpose of
state preservation is to hide unexpected application termination from users.
Regardless of why the application was terminated (e.g., the user explicitly
kills the app or the system terminates it to free up memory for the foreground
application), state preservation allows users to return directly to the last
point of use within the app to provide as smooth a user experience as possible.
This is achieved by serializing the state of your app’s view controllers and
views when the app is backgrounded and storing them to disk.
For a detailed explanation of the preservation and restoration process, refer
to Apple’s State Preservation and Restoration Programming
Guide.
SecureNSCoder
Developers need to be careful when persisting view state: the serialized data
is written to disk in plaintext, so it can expose sensitive application
information. Therefore, any data that should remain private needs to be
appropriately protected from offline recovery. As such, iSEC created a sample
application that implements a more secure process for state
preservation and restoration by encrypting objects before encoding and writing
them to disk. The goal was to provide developers with a reference for securely
implementing state preservation so they can protect their application data while
still providing users with an uninterrupted experience.
The NSCoder subclasses for key-based encoding, NSKeyedArchiver and
NSKeyedUnarchiver, define delegate protocols that allow applications to
customize the encoding and decoding processes, including manipulation of the
objects to be (de)serialized. By using a custom class that implements these
delegate protocols we can serialize objects, encrypt them with a key from the
Keychain, and then pass them back off to UIKit for preservation. When the app is
relaunched the data is decrypted and deserialized before being reinstantiated by
the view controller. By implementing the delegate protocols, developers can
take fine-grained control over which objects are encrypted, or simply encrypt all
state information.
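As an added illustration of the delegate approach just described (example code written for this post, not the SecureNSCoder sample’s own source), the delegate below replaces each object with the AES-256-CBC ciphertext of its keyed archive on the way out and reverses this on the way in; CommonCrypto is used for the cipher, the 32-byte key is assumed to have already been fetched from the Keychain by the caller, and SecureStateCrypt and SecureStateCoder are names chosen here.

```objective-c
// Added example, not the SecureNSCoder sample's own code: an NSKeyedArchiver/NSKeyedUnarchiver
// delegate that swaps each object for the AES-256-CBC ciphertext of its own keyed archive on
// the way out and reverses this on the way in. The 32-byte key is assumed to have been loaded
// from the Keychain by the caller (hypothetical helper names: SecureStateCrypt, SecureStateCoder).
#import <Foundation/Foundation.h>
#import <Security/SecRandom.h>
#import <CommonCrypto/CommonCryptor.h>

// Blob layout: [16-byte random IV][PKCS#7-padded ciphertext]. CBC alone gives no integrity, so
// state on disk can be altered; verify an HMAC over the blob before decrypting if that matters.
static NSData *SecureStateCrypt(CCOperation op, NSData *key, NSData *input) {
    const NSUInteger ivLen = kCCBlockSizeAES128;
    NSMutableData *iv = [NSMutableData dataWithLength:ivLen];
    if (op == kCCEncrypt) {
        if (SecRandomCopyBytes(kSecRandomDefault, ivLen, iv.mutableBytes) != 0) return nil;
    } else {
        if (input.length < ivLen) return nil;                 // too short to even hold an IV
        iv = [[input subdataWithRange:NSMakeRange(0, ivLen)] mutableCopy];
        input = [input subdataWithRange:NSMakeRange(ivLen, input.length - ivLen)];
    }
    NSMutableData *out = [NSMutableData dataWithLength:input.length + ivLen];
    size_t moved = 0;
    CCCryptorStatus st = CCCrypt(op, kCCAlgorithmAES, kCCOptionPKCS7Padding, key.bytes,
                                 kCCKeySizeAES256, iv.bytes, input.bytes, input.length,
                                 out.mutableBytes, out.length, &moved);
    if (st != kCCSuccess) return nil;                         // wrong key size or bad padding
    out.length = moved;
    if (op == kCCEncrypt) { [iv appendData:out]; return iv; } // prepend the IV to the ciphertext
    return out;
}

@interface SecureStateCoder : NSObject <NSKeyedArchiverDelegate, NSKeyedUnarchiverDelegate>
@property (nonatomic, strong) NSData *key;   // 32 bytes, fetched from the Keychain by the caller
@end

@implementation SecureStateCoder
// The archiver offers each object before encoding it; hand back ciphertext in its place.
- (id)archiver:(NSKeyedArchiver *)archiver willEncodeObject:(id)object {
    if ([object isKindOfClass:[NSData class]]) return object; // already a ciphertext blob
    NSData *plain = [NSKeyedArchiver archivedDataWithRootObject:object];
    return SecureStateCrypt(kCCEncrypt, self.key, plain);
}
// The unarchiver hands back each decoded object; decrypt and re-inflate the original.
- (id)unarchiver:(NSKeyedUnarchiver *)unarchiver didDecodeObject:(id)object {
    if (![object isKindOfClass:[NSData class]]) return object;
    NSData *plain = SecureStateCrypt(kCCDecrypt, self.key, object);
    return plain ? [NSKeyedUnarchiver unarchiveObjectWithData:plain] : nil;
}
@end
```

In encodeRestorableStateWithCoder: the view controller writes its objects through its own NSKeyedArchiver with this delegate set and stores the resulting NSData in UIKit’s coder, and decodeRestorableStateWithCoder: reverses that with an NSKeyedUnarchiver over the same data. Because NSData doubles as the ciphertext marker here, a raw NSData state value would pass through unencrypted, so wrap such values in a small container class first.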
Project Page
Check out the project page on GitHub and try out secure state
preservation in your apps!