Stagefright: Scary Code in the Heart of Android

DerbyCon V - Unity

Presented by: Joshua Drake
Date: Saturday September 26, 2015
Time: 10:00 - 10:50
Location: Track 1
Track: Break Me

With over a billion activated devices, Android holds strong as the market leading smartphone operating system. Underneath the hood, it is primarily built on the tens of gigabytes of source code from the Android Open Source Project (AOSP). Thoroughly reviewing a code base of this size is arduous at best - arguably impossible. Several approaches exist to combat this problem. One such approach is identifying and focusing on a particularly dangerous area of code. This presentation centers around the speaker’s experience researching a particularly scary area of Android, the stagefright multimedia framework. By limiting his focus to a relatively small area of code that’s critically exposed on 95% of devices, Joshua discovered a multitude of implementation issues with impacts ranging from unassisted remote code execution down to simple denial of service. Apart from a full explanation of these vulnerabilities, this presentation also discusses techniques used for discovery, Android OS internals, and the disclosure process. Finally, proof-of-concept code will be demonstrated. After attending this presentation, you will understand how to discover vulnerabilities in Android more effectively. Joshua will show you why this particular code is so scary, what has been done to help improve the overall security of the Android operating system, and what challenges lie ahead.

Joshua Drake

