Real-world cyber-attacks during testing and latest developments in Android security discussed at AMTSO Testing Town Hall

On November 11th 2020, AMTSO held its most recent Testing Town Hall, where speakers from Google, SE Labs, ACFTI and MRG Effitas presented and discussed topics from the anti-malware and cybersecurity world. It was an opportunity for member and non-member vendors and testers to engage with the cybersecurity community and gain insight from inside the industry.

Sebastian Porst from Google presented what Android security looked like in 2020 and how it will develop in 2021. Porst pointed out that one way the Android security team measures its success is by comparing the prices paid for Pixel and iPhone exploits: since 2018, an exploit for a Pixel has commanded the same price as the equivalent exploit for an iPhone, which the team reads as a strong signal that its devices are as well protected as the competition's. Android's goals are to keep hardening the platform against attack, to be more transparent with users about how they are protected, and to enable new use cases, that is, ways of using a phone that were not possible before. Since 2019, Android has also offered the Jetpack Security library, which wraps the platform's cryptography APIs in secure-by-default abstractions (the algorithms, modes and key storage are chosen for the developer), and more devices are expected to rely on it to keep data safe. Porst also went into detail about preloaded apps (preloads) and how their handling will evolve in relation to Uraniborg, app vulnerabilities, the Android Partner Vulnerability Initiative (APVI) and MBA policies. He also announced that Rust has officially been added to the Android build chain as a supported language for native code alongside C and C++, with the aim of reducing the number of memory-safety bugs.

Simon Edwards, CEO of SE Labs in the UK, shared his experience of what happens "When Security Testing Gets Real". When SE Labs investigates a security breach, it reconstructs the attack as realistically as possible in order to see it through the attacker's eyes. By closely re-creating the attack, SE Labs can work out how the breach occurred and where the client is especially vulnerable. Edwards pointed out that keeping the operating system and all applications up to date is still a problem, and that unpatched software contributes heavily to how and why clients are attacked.

Ahmed Elmesiry, a Senior Lecturer in Forensics and Security at the University of South Wales, spoke about how his organization, the Association of Cyber Forensics and Threat Investigators (ACFTI), helps those in the cybersecurity field. Cyber forensics and threat investigation involves examining the fragmented, incomplete knowledge available after a cyber-attack and reconstructing and aggregating complex scenarios that involve time, uncertainty, causality and alternative possibilities. Elmesiry explained that ACFTI is a nonprofit that promotes and supports the exchange of cybersecurity knowledge between specialists, academics and corporate environments. Among ACFTI's goals are to connect cyber forensics and cybersecurity students with professionals in their field, to provide networking opportunities for professionals and students, to hold classes and develop an online curriculum for those who want to learn more about cyber forensics, and to help coordinate research with other practitioners. Elmesiry also said that ACFTI would like to offer awards, scholarships or sponsorships so that members of underrepresented groups can join training or classes in cyber forensics and cybersecurity skills.

Next, Atilla Marosi-Bauer from MRG Effitas presented Vulnary, a new framework developed by Hacktivity Labs. Vulnary positions itself as a way for clients to check vendor software for vulnerabilities without paying a large price for it, and claims to find mistakes made by an application's developer that lead to an exploitable vulnerability. Marosi-Bauer explained that Vulnary collects system logs, rebuilds the processes' behaviour from those logs and checks it for insecure application behaviour; from the same logs it can generate a report and proof-of-concept code. Currently, Vulnary can detect DLL and COM hijacking, command injection and local privilege escalation vulnerabilities. Marosi-Bauer also demoed Vulnary and showcased its uses to those listening in.
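Vulnary's internals were not shown in enough detail to reproduce here, but the approach Marosi-Bauer described, replaying logged file-system and image-load activity and flagging insecure patterns, can be illustrated for the DLL search-order hijack case. The Python script below is an added example, not Vulnary's code or MRG Effitas's: it parses a constructed Process Monitor-style CSV (the column layout, the list of user-writable directories and the integrity levels are assumptions made for this example) and reports every DLL that a process looked for, and failed to find, in a directory an unprivileged user can write to, rating the finding as a local privilege escalation when the probing process runs at High or System integrity.

```python
"""Replay process-monitor style log lines and flag DLL search-order hijack
candidates. Illustrative only: this is not Vulnary's code, and the log format
and the writable-directory list are assumptions made for the example."""
from collections import defaultdict
import csv
import io
import ntpath

# Constructed sample in the shape of a Process Monitor CSV export
# (process, PID, operation, path, result, integrity level). Not real data.
SAMPLE_LOG = """\
Process Name,PID,Operation,Path,Result,Integrity
updater.exe,4120,CreateFile,C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll,NAME NOT FOUND,High
updater.exe,4120,CreateFile,C:\\Windows\\System32\\version.dll,SUCCESS,High
updater.exe,4120,Load Image,C:\\Windows\\System32\\version.dll,SUCCESS,High
svc.exe,812,CreateFile,C:\\ProgramData\\Vendor\\plugins\\helper.dll,NAME NOT FOUND,System
svc.exe,812,CreateFile,C:\\Program Files\\Vendor\\helper.dll,SUCCESS,System
notepad.exe,2222,CreateFile,C:\\Windows\\System32\\kernel32.dll,SUCCESS,Medium
viewer.exe,3030,CreateFile,C:\\Users\\alice\\Downloads\\codecs.dll,NAME NOT FOUND,Medium
"""

# Directories an unprivileged user can normally create files in (assumption
# for the example; a real tool would check the ACL of each directory).
USER_WRITABLE_PREFIXES = ("C:\\Users\\", "C:\\ProgramData\\")

# Integrity levels at which a planted DLL would run with more rights than the
# user who planted it, i.e. a local privilege escalation rather than
# code execution as the same user.
ELEVATED = {"High", "System"}


def is_user_writable(path):
    return path.upper().startswith(tuple(p.upper() for p in USER_WRITABLE_PREFIXES))


def parse_log(text):
    """Parse the CSV export into a list of event dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def find_dll_hijack_candidates(events):
    """Return one finding per DLL a process probed for, but did not find, in a
    user-writable directory. Anyone who can write that directory gets their
    DLL loaded ahead of the intended one."""
    by_pid = defaultdict(list)  # group so we can see where the DLL finally came from
    for ev in events:
        by_pid[ev["PID"]].append(ev)

    findings = []
    for pid, evs in by_pid.items():
        for ev in evs:
            path = ev["Path"]
            if ev["Operation"] != "CreateFile" or not path.lower().endswith(".dll"):
                continue
            if ev["Result"] != "NAME NOT FOUND" or not is_user_writable(path):
                continue
            dll = ntpath.basename(path).lower()
            # The copy the loader eventually opened, if any, tells the tester
            # which legitimate DLL an attacker's file would shadow.
            loaded_from = next((e["Path"] for e in evs
                                if e["Result"] == "SUCCESS"
                                and ntpath.basename(e["Path"]).lower() == dll), None)
            findings.append({
                "process": ev["Process Name"],
                "pid": pid,
                "dll": dll,
                "probed_in": ntpath.dirname(path),
                "later_loaded_from": loaded_from,
                "severity": ("local-privilege-escalation" if ev["Integrity"] in ELEVATED
                             else "code-execution-as-user"),
            })
    return findings


def render_report(findings):
    """Plain-text report, one line per finding."""
    lines = []
    for f in findings:
        lines.append(f"[{f['severity']}] {f['process']} (PID {f['pid']}) probed for "
                     f"{f['dll']} in user-writable {f['probed_in']}; "
                     f"real DLL loaded from {f['later_loaded_from'] or 'nowhere (load failed)'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(find_dll_hijack_candidates(parse_log(SAMPLE_LOG))))
```

On the constructed log this reports three candidates: updater.exe and svc.exe, which run elevated and probe user-writable directories first, are rated as local privilege escalation, while viewer.exe probing Downloads at Medium integrity is only code execution as the current user. The same replay structure extends to the other classes the talk listed, for example matching CreateProcess command lines against user-controlled input for command injection.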

Slide decks and call recordings for this event are available to AMTSO members only. To find out more about becoming an AMTSO member, see our joining page. The next Testing Town Hall will be on January 13, 2021, and is open to all AMTSO members and the public. To register your interest in attending our next Testing Town Hall, please fill out the sign-up form or contact us at events@amtso.org.