Domain: oberheide.org
Stories and comments across the archive that link to oberheide.org.
Comments · 7
-
Oberheide not so positive on Android Bouncer
A quick look at Oberheide's site shows a talk from a week ago at Summer Con detailing problems with Google's 'Bouncer' system, designed to detect malicious apps before they enter the Android Market:
http://jon.oberheide.org/blog/2012/06/21/dissecting-the-android-bouncer/
http://jon.oberheide.org/files/summercon12-bouncer.pdf
The executive summary:
Bouncer doesn't have to be perfect to
be useful
â-- It will catch crappy malware
â-- It won't catch sophisticated malware
â-- Same as AV, IDS,
â-- How much does Bouncer raise the
bar?
â-- Currently: not much
â-- Future: hopefully more? -
Oberheide not so positive on Android Bouncer
A quick look at Oberheide's site shows a talk from a week ago at Summer Con detailing problems with Google's 'Bouncer' system, designed to detect malicious apps before they enter the Android Market:
http://jon.oberheide.org/blog/2012/06/21/dissecting-the-android-bouncer/
http://jon.oberheide.org/files/summercon12-bouncer.pdf
The executive summary:
Bouncer doesn't have to be perfect to
be useful
â-- It will catch crappy malware
â-- It won't catch sophisticated malware
â-- Same as AV, IDS,
â-- How much does Bouncer raise the
bar?
â-- Currently: not much
â-- Future: hopefully more? -
Re:Simple
You're thinking of Jon Oberheide's bug against Android, not Chrome. He's registered to go against Android today, but talking to him yesterday it sounds like the bug he reported to Google is the one he planned to use: http://jon.oberheide.org/blog/2011/03/07/how-i-almost-won-pwn2own-via-xss/
-
Re:Simple
Then the Chrome / Windows machine, which no one tried to attack (one person found an exploitable hole, but sold it to Google for $1,337 instead of entering it into the contest).
You're confusing Chrome and Android: http://jon.oberheide.org/blog/2011/03/07/how-i-almost-won-pwn2own-via-xss/
I talked to the guys who won yesterday, and one of the Team Anon guys who was originally signed up for Chrome. Some of them said their WebKit bugs affected Chrome, but no one had figured out how to break the Chrome sandbox. So, they just withdrew their names rather than waste everyone's time with an exploit they knew wouldn't work.
-
There is a way around the Market
It is scary that Google doen't provide an opt out option in the Market app. But there is a way out, at least if the Cyanogen mod is available for your phone: Install the Cyanogen mod without the proprietary Google bits (incudes Market app, Gmail app, text-to-speech etc). I just checked it. The vending apk that is responsible for the OTA removal/install functionality (according to http://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/) is not running on my N1. I get along pretty well without the Market. You can install your apps directly from some download site or you can install apktor which allows you to access public repositories.
-
vm migration security?
but is it secure yet?
-
Google Safe Browsing
this blog was posted to the full-disclosure list a couple days ago...has a lot more on the technical details of google's phishing protection and firefox:
http://jon.oberheide.org/blog/2006/11/13/google-sa fe-browsing/