The Research Blog

Fracking With Hybrid Mobile Applications

Dave Hartley's presentation explores the security implications of hybrid mobile applications across multiple platforms. The talk examines how hybrid apps combine web and native application features using frameworks like PhoneGap. It highlights security risks introduced by WebView and cross-platform development approaches that allow web code to access local device resources.

Native Bridge's Over Troubled Water

Mobile security research by Dave Hartley explored vulnerabilities in mobile advertising networks across multiple platforms. The study investigated cross-platform exploitation potential in Windows Phone, Android, Blackberry, and iOS operating systems. Findings focused on identifying security issues within popular mobile ad networks.

Putting JavaScript Bridges into (Android) Context

This article explores techniques for obtaining Android Context in WebView JavaScript-to-Java bridge vulnerabilities. Multiple methods for retrieving Context are investigated using reflection and Java Native Interface (JNI) techniques. The research demonstrates approaches to accessing system resources and package information during post-exploitation scenarios in Android applications.

  • 5 Jun 2014

Continued Adventures with iOS UIWebViews

This article explores security vulnerabilities in iOS UIWebViews, specifically focusing on custom NSURLProtocol implementations. The research demonstrates how attackers can bypass naive security checks by manipulating HTTP headers and using techniques like XMLHttpRequest to access restricted resources. A proof-of-concept JavaScript payload is presented to illustrate potential exploitation methods for file access and data exfiltration.

  • 2 Jun 2014

HackFu Venue 2014 - Clue Four

The fourth clue for HackFu 2014.

  • 27 May 2014

HackFu Venue 2014 - Clue Three

The blog post presents the third puzzle clue for HackFu 2014, featuring two cryptic images. The images appear to be part of a challenge or puzzle for participants to solve. Minimal context is provided, leaving the puzzle's details intentionally mysterious.

Poor Man's Static Analysis - BSides London 2014

A presentation at BSides London 2014 explored using Clang for developing static analysis tools to assist manual code review. The research demonstrated tracing control flow in Google Chrome's DOM event dispatch mechanisms. The approach focused on creating custom static analysis techniques for examining complex software codebases.

  • 20 May 2014

HackFu Venue 2014 - Clue Two

HackFu 2014's second clue reveals a Western-themed hacking event set in the fictional town of Hacksville. A cryptic image is provided as part of the location discovery challenge. Participants are invited to solve puzzles in a cowboy-inspired adventure.

  • 13 May 2014

HackFu Venue 2014 - Clue One

HackFu 2014 launched an interactive puzzle challenge to reveal its secret event venue location. Participants must solve weekly Only Connect-style puzzles that progressively disclose clues about the event's location. The first person to correctly identify the venue will win a prize.

  • 12 May 2014

HackLab 2014 - Builders are better Breakers

A hardware design project at HackLab 2014 explored electronics and embedded programming to enhance security testing skills. Team members experimented with various electronic components, protocols, and design challenges through hands-on learning. The project aimed to provide practical experience in understanding system design from a builder's perspective.

HackLab 2014 - Hard disk drives? Squishy disk drives!

A technical investigation examined the security of hardware-encrypted hard drives by exploring potential vulnerabilities in ATA disk protection passwords and microcontroller access. The study focused on self-encrypting drives from Samsung, Intel, and Seagate, analyzing firmware update utilities and potential attack vectors for accessing drive encryption keys. Multiple approaches were pursued to understand the practical security limitations of hardware-encrypted storage devices.

  • 12 May 2014

HackLab 2014 - The JaegerBomber

An experimental project called the JagerBomber attempted to create a quadcopter controlled by an Android phone using OTG functionality and an Arduino. The team aimed to develop a drone capable of navigating and potentially delivering alcohol, but technical challenges prevented a successful launch. The project explored Android's capabilities for serial communication and drone control, demonstrating complex technical integration challenges.