Well, where should I start? Looking back at my blog archives I’ve realized 2014 “year of the mobile apps” - at least for me. I was heavily involved in analyzing mobile applications: Android and iOS. For the first time in my whole infosec career path I was disassembling iOS applications and doing stuff (binary analysis) I was used to (some years ago). Besides doing a lot of mobile apps analysis, I was pretty much involved in structuring and hacking data. Even though I think I’ll go nuts once I read/hear “BIG data” one more time, I think data analysis is a field I’d like to get deeper into. Visualizing and making it understandable for everyday Joe would make the whole topic more fancy. But let’s stick to 2014 and break down the topics I’ve dealt with in last 12 months…


Regarding the Android stuff I must say one can automate a lot of things nowadays. If going straightforward you’ll be following in most cases the same procedure and applying several steps. For the same reason I’ve released ADUS, the Android debug utility suite. It helped me a lot automating things and concentrate on the code and applications behaviour. Besides that I’ve found some cool Python frameworks out there helping me out with the analysis stuff:


Oh… and speaking of Python: I have to mention IPython, espcially IPython Notebook. I have discovered a new way of interacting with data, analyzing and finally visualizing it. Pandas has tons of useful functions to structure, manipulate or plot your data. And besides that I’ve “re-discovered” SQLite as a every-day DB for storing all kind of information. Using Python along with SQLAlchemy will make you the “God of Big Data” :) But for now you can call me “Mr. SQL” :p My SQL and IPython skills can be admired in my 24h Android sniffing post and not only.

{% img https://camo.githubusercontent.com/aae0f057432f2f608ceec8bdabac32cd94876708/68747470733a2f2f7261772e6769746875622e636f6d2f636174686572696e656465766c696e2f69707974686f6e2d73716c2f6d61737465722f6578616d706c65732f777269746572732e706e67 ipython %}

Data viz

If you go through my blog posts you’ll notice a lot of graphics and diagrams. I like to visualize even simple things like network packets. netgrafio is a project I’m really proud of. Visualizing network traffic shouldn’t be seen as some kind of voodoo and has been done before netgrafio. However I liked the idea of implementing a more generic solution without any complex GUIs and just using a browser and web technologies. The project itself is in no way “dead” and will be updated by some new stuff as soon as I get more time to implement it. I’m certainly searching for skilled Javascript devlopers to help me with the GUI and the JS stuff. Just add your pull requests here.

{% img https://camo.githubusercontent.com/8e14c1276f0df3cf71ee81674b8fa38daf077dbc/687474703a2f2f646c2e646f726e65612e6e752f696d672f6e657467726166696f2f6e657467726166696f2d6d6f64756c652d616e616c797369732e706e67 netgrafio %}

Security Threats

Let’s now talk about the #infosec community. In 2014 there have been some topics worth to be mentioned (just the main ones): Heartbleed, Shellshock, SSL/TSL Poodle. Do you know what they have in common? Fancy names, a good PR machine and fancy logos. In the case of the Heartbleed vulnerability, they had:

Bug hunters seem to know how to promote their findings and catch everybodys attention. Don’t get me wrong but I don’t think CVE-2014-0160 would have been so interesting without all the PR engine behind it. And what about the lessons learned? I know crypto is hard, but the coding might be even harder. We have learned we should not trust any piece of software. Every single piece of code might be buggy or even contain critical vulnerabilities we aren’t yet aware of. Individual audits and full disclosure might be a step towards better application security. Also have a look at these security reports:

Annual security reports