
This tool makes Android easier to hack for the good guys

In an exclusive interview, Krishna Bahirwani speaks to Anto Joseph, Security Engineer, Citrix, discussing his new hacking tool and how it could be used to make Android more secure.

Anto Joseph

What is Android fuzzing?

Fuzzing is a technique used to find bugs in software by supplying it with malformed data and looking for an anomaly. Here, we apply this technique to Android, where we try to uncover security bugs in the system.

 

What happens once the application crashes? What kind of data can you get from the crash dump?

When a crash occurs, there is a tombstone file which is created by the system and which contains information about the crashed process, like the terminated signal, the register states, the stack trace for the calls, etc. We collect these tombstone files and process them further to identify unique crashes and queue them for further analysis.

 

How is fuzzing different from brute forcing inputs?

Brute-forcing inputs is mostly an attempt to bypass an authorization control, like a login screen for example. Fuzzing can be considered as a brute-force attempt to evaluate the security of the target system. Fuzzing can be applied to files, protocols, IPC, etc.

 

How is it relevant to the good guys?

In my experience, hackers have managed to fuzz almost everything, even a toaster if it runs an OS. The question should be: why not fuzz your own software to uncover security bugs, rather than leave it to a 3rd party? I would highly encourage developers to use fuzzing tools on the software they write, thereby securing their users.

 

How does your framework make fuzzing easier?

Mobile security is in its early stages if you compare it with your standard desktop OS. So we are in need of tools that can be easily configured and used for security analysis. My fuzzing framework tries to solve the challenges involved in starting to fuzz the Android system; the setup is extremely easy, as easy as deploying a VM.

 

What is unique about your framework?

It is the first public generic fuzzing framework for Android. I am fortunate to be presenting this tool at an upcoming international security conference called HackInTheBox, which happens in Amsterdam, where the full source code will be released to the public. It's extremely easy to use, learn and adapt to your security needs. The primary technique used is file fuzzing, and the system features a log collection module, advanced triaging and consolidation module. I will be further developing this framework with support for in-memory fuzzing, IPC fuzzing, etc.

 

How does making fuzzing easier make Android more secure?

When you fuzz a system, you come across crashes. The interesting ones are caused as a result of memory corruption issues. Such issues could be exploited for code execution on systems. This means that malware, malicious hackers, etc. can have unauthorized access to your devices. Issues like the Stagefright bug, which was recently in the news a lot, resulted from the same family of bugs. Thus, by reporting such bugs to Google, you are ultimately making the Android platform secure for everyone, and you could earn yourself a bug bounty in the process.

 

Anto Joseph will be conducting Android security training at Nullcon 2016 in Goa. For more information visit - http://nullcon.net/website/nullcon-2016/training.php
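
The tombstone triage step described in the interview (collect tombstones, identify unique crashes, queue them for analysis), as an added Python sketch; it is not code from Anto Joseph's framework. The tombstone excerpts and library names are constructed, and treating "unique" as "same signal and same top three backtrace frames" is an assumption of this example.

```python
import hashlib
import re
from collections import defaultdict

SIGNAL_RE = re.compile(r"^signal \d+ \((\w+)\), code -?\d+ \((\w+)\)", re.M)
FRAME_RE = re.compile(r"^\s*#(\d+)\s+pc\s+([0-9a-f]+)\s+(\S+)", re.M)

def crash_signature(text, depth=3):
    """Return (signal, bucket_id) for a tombstone, or None if it cannot be parsed."""
    sig = SIGNAL_RE.search(text)
    frames = FRAME_RE.findall(text)
    if not sig or not frames:
        return None
    top = []
    for i, (num, pc, path) in enumerate(frames[:depth]):
        if int(num) != i:  # numbering restarted: this is another thread's backtrace
            break
        # Module basename + pc offset repeat across runs; pid, registers and
        # the fault address do not, so they are kept out of the key.
        top.append(f"{path.rsplit('/', 1)[-1]}+0x{int(pc, 16):x}")
    key = "|".join([sig.group(1), sig.group(2)] + top)
    return sig.group(1), hashlib.sha256(key.encode()).hexdigest()[:12]

def bucket_crashes(tombstones, depth=3):
    """Group {filename: text} by signature; return (buckets, unparsed filenames)."""
    buckets, unparsed = defaultdict(list), []
    for name, text in sorted(tombstones.items()):
        sig = crash_signature(text, depth)
        if sig is None:
            unparsed.append(name)  # truncated or non-tombstone file: review by hand
        else:
            buckets[sig].append(name)
    return dict(buckets), unparsed

def _constructed(pid, signal_line, frames):
    """Build a constructed tombstone excerpt (library names are made up)."""
    bt = "\n".join(f"    #{i:02d} pc {pc}  /system/lib/{lib}" for i, (pc, lib) in enumerate(frames))
    return f"pid: {pid}, tid: {pid}, name: demo  >>> /system/bin/demo <<<\n{signal_line}\n\nbacktrace:\n{bt}\n"

SEGV = [("0001a2b4", "libdemo_codec.so"), ("0001b010", "libdemo_codec.so"), ("00004c20", "libdemo_player.so")]
SAMPLES = {
    "tombstone_00": _constructed(1234, "signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x10", SEGV),
    "tombstone_01": _constructed(2890, "signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x4a8", SEGV),
    "tombstone_02": _constructed(3001, "signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------",
                                 [("00042c98", "libc.so"), ("0001a001", "libdemo_codec.so")]),
    "tombstone_03": "pid: 3100, tid: 3100, name: demo  >>> /system/bin/demo <<<\n",  # truncated
}

if __name__ == "__main__":
    print(bucket_crashes(SAMPLES))
```

Two of the four constructed files collapse into one SIGSEGV bucket despite different pids and fault addresses, and the truncated file is reported separately instead of being silently dropped.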

 
