Android key attestation provides a way for a device's secure hardware to verify that cryptographic material resides in secure hardware, protected against compromise of the Android OS. If you have ever used a password-less authentication flow (e.g., WebAuthn) in a banking app on your Android device, you have most likely relied on this feature. The entry point for this research, however, was the investigation of an implementation used to combat bot fraud and abuse.

This presentation takes attendees on a deep dive into the Android Keystore, Android key attestation, and a litany of PKI vulnerabilities we discovered in an Android key attestation implementation, including a systemic issue in Google's open source library for parsing Android key attestation X.509 certificate chains. As part of this talk, we cover how we discovered and exploited these vulnerabilities to circumvent our target's bot protections, and we present tooling that enables researchers to test their own Android key attestation implementations. To beat the bots, you have to be the bots!

By: Alex Gonzalez | Senior Red Team Engineer, Amazon

Presentation materials available at: https://ift.tt/69tSQnU
Source: https://www.youtube.com/watch?v=RUHDSokGhLE