2014 - Personal review

Well, where should I start? Looking back at my blog archives I've realized 2014 was the "year of the mobile apps" - at least for me. I was heavily involved in analyzing mobile applications: Android and iOS. For the first time in my whole infosec career I was disassembling iOS applications and doing stuff (binary analysis) I was used to doing some years ago. Besides doing a lot of mobile app analysis, I was pretty much involved in structuring and hacking data. Even though I think I'll go nuts once I read/hear "BIG data" one more time, I think data analysis is a field I'd like to get deeper into. Visualizing it and making it understandable for everyday Joe would make the whole topic fancier. But let's stick to 2014 and break down the topics I've dealt with in the last 12 months...

Android

Regarding the Android stuff I must say one can automate a lot of things nowadays. If you go about it in a straightforward way, you'll be following the same procedure and applying the same steps in most cases. For that reason I've released ADUS, the Android debug utility suite. It helped me a lot to automate things and concentrate on the code and the application's behaviour. Besides that I've found some cool Python frameworks out there helping me out with the analysis stuff:

  • AndroGuard
  • Drozer
  • DroidBox

Python

Oh... and speaking of Python: I have to mention IPython, especially IPython Notebook. I have discovered a new way of interacting with data, analyzing and finally visualizing it. Pandas has tons of useful functions to structure, manipulate or plot your data. And besides that I've "re-discovered" SQLite as an everyday DB for storing all kinds of information. Using Python along with SQLAlchemy will make you the "God of Big Data" :) But for now you can call me "Mr. SQL" :p My SQL and IPython skills can be admired in my 24h Android sniffing post and elsewhere.
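To make the SQLite-as-everyday-DB workflow concrete, here is an added example (not code from the original post or from any of the projects mentioned) in the spirit of the 24h Android sniffing analysis: connection records observed from a device are loaded into an in-memory SQLite database and queried for the aggregates a mobile pentester usually wants first. It uses the standard library `sqlite3` instead of Pandas/SQLAlchemy so it runs without extra dependencies; the records, package names and IP addresses are constructed sample data, not a real capture.

```python
import sqlite3

# Constructed sample of outbound connections seen from an Android device over
# a sniffing session. NOT real capture data; addresses are documentation ranges.
# Columns: (timestamp, package, dst_ip, dst_port, bytes_out)
SAMPLE_CONNECTIONS = [
    ("2014-12-01 00:00:05", "com.example.news",   "203.0.113.10",  443, 1820),
    ("2014-12-01 00:01:12", "com.example.news",   "203.0.113.10",  443,  940),
    ("2014-12-01 00:03:40", "com.example.news",   "198.51.100.7",   80, 5120),
    ("2014-12-01 00:05:01", "com.example.game",   "192.0.2.55",     80,  310),
    ("2014-12-01 00:05:02", "com.example.game",   "192.0.2.56",   8080,  310),
    ("2014-12-01 00:09:33", "com.example.game",   "192.0.2.55",     80,  310),
    ("2014-12-01 00:12:00", "com.example.wallet", "203.0.113.20",  443, 2210),
]


def load_connections(rows):
    """Create an in-memory SQLite DB and bulk-load connection records into it.

    Swap ":memory:" for a file path to keep the data between IPython sessions.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE conn (
               ts        TEXT    NOT NULL,
               package   TEXT    NOT NULL,
               dst_ip    TEXT    NOT NULL,
               dst_port  INTEGER NOT NULL,
               bytes_out INTEGER NOT NULL)"""
    )
    # Parameterised insert: values never get interpolated into the SQL string.
    db.executemany("INSERT INTO conn VALUES (?, ?, ?, ?, ?)", rows)
    db.commit()
    return db


def bytes_per_app(db):
    """Total bytes sent per package, busiest app first."""
    return db.execute(
        "SELECT package, SUM(bytes_out) FROM conn "
        "GROUP BY package ORDER BY SUM(bytes_out) DESC"
    ).fetchall()


def destinations_per_app(db):
    """Number of distinct ip:port endpoints each package talks to."""
    return dict(
        db.execute(
            "SELECT package, COUNT(DISTINCT dst_ip || ':' || dst_port) "
            "FROM conn GROUP BY package"
        ).fetchall()
    )


def cleartext_talkers(db, tls_ports=(443,)):
    """Packages with at least one connection to a port outside tls_ports.

    These are the candidates for cleartext traffic and the first apps worth
    proxying through Burp. Only '?' placeholders are built into the query
    string; the port numbers themselves are passed as bound parameters.
    """
    placeholders = ",".join("?" * len(tls_ports))
    return db.execute(
        "SELECT package, COUNT(*) FROM conn "
        "WHERE dst_port NOT IN (" + placeholders + ") "
        "GROUP BY package ORDER BY package",
        tuple(tls_ports),
    ).fetchall()


if __name__ == "__main__":
    db = load_connections(SAMPLE_CONNECTIONS)
    print("bytes per app:      ", bytes_per_app(db))
    print("endpoints per app:  ", destinations_per_app(db))
    print("non-TLS-port talkers:", cleartext_talkers(db))
```

Once the records are in SQLite, the same queries can be run from an IPython Notebook and the result sets handed to a plotting library; the DB file also makes it easy to re-slice a long capture without re-parsing the pcap every time.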


Data viz

If you go through my blog posts you'll notice a lot of graphics and diagrams. I like to visualize even simple things like network packets. netgrafio is a project I'm really proud of. Visualizing network traffic shouldn't be seen as some kind of voodoo and has been done before netgrafio. However, I liked the idea of implementing a more generic solution without any complex GUIs, using just a browser and web technologies. The project itself is in no way "dead" and will be updated with some new stuff as soon as I get more time to implement it. I'm certainly searching for skilled JavaScript developers to help me with the GUI and the JS stuff. Just add your pull requests here.


Security Threats

Let's now talk about the #infosec community. In 2014 there have been some topics worth mentioning (just the main ones): Heartbleed, Shellshock, SSL/TLS POODLE. Do you know what they have in common? Fancy names, a good PR machine and fancy logos. In the case of the Heartbleed vulnerability, they had:

  • a web-site
  • a fancy logo
  • good timing before the vuln became of public interest

Bug hunters seem to know how to promote their findings and catch everybody's attention. Don't get me wrong, but I don't think CVE-2014-0160 would have been so interesting without all the PR engine behind it. And what about the lessons learned? I know crypto is hard, but the coding might be even harder. We have learned we should not trust any piece of software. Every single piece of code might be buggy or even contain critical vulnerabilities we aren't yet aware of. Individual audits and full disclosure might be a step towards better application security. Also have a look at these security reports:

Annual security reports


Published: 2014-12-22