Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Black Hat USA
July 31 - August 5, 2021
Las Vegas, NV, USA
November 4 - October 30, 2021
Toronto, ON, Canada
Black Hat Europe
November 8-11, 2021
Virtual Event
12:00 PM
Black Hat Staff
Black Hat Staff
Event Updates

Black Hat Asia 2017:
Securing Mobile Devices

Opportunities for phishing, ransomware, cryptocurrency mining and other attacks are endless. Understanding mechanisms for compromising Android and iOS systems is crucial to detecting and preventing security breaches.

The increasing use of mobile devices for sensitive transactions creates new vulnerabilities and modes of collecting and exploiting personal information. From mobile phone banking to email and social media interaction, opportunities for phishing, ransomware, cryptocurrency mining and other attacks are endless. Understanding mechanisms for compromising Android and iOS systems is crucial to detecting and preventing security breaches. Check out the Briefings & Training below for an immersive view of mobile device security flaws and how to defend against them:

Fried Apples: Jailbreak DIY provides steps for building a jailbreak chain including the basic architecture, processes and vulnerabilities. iPhone jailbreaks can be particularly susceptible to manipulation and malware attacks. This Briefing provides the details to the initial arbitrary code execution, sandbox bypassing, kernel address leaking, and persistent code signing bypass to build your own jailbreak. Establish your utility and explore new mitigation tactics and security enhancements added in iOS 10 through this Briefing.

iOS 10 security enhancements include a new notification when users connect to open Wi-Fi networks. Remotely Compromising iOS via Wi-Fi and Escaping the Sandbox describes exactly how iOS devices can be remotely compromised over Wi-Fi without user interaction or complicity. iOS Wi-Fi attacks bypass all built in mitigations and sandboxes. Researchers present the routes to arbitrary code execution outside of the iOS sandbox and discuss a security monitoring framework for safeguarding operating systems.

Android devices are equally vulnerable to maneuvering. Anti-Plugin: Don't Let Your App Play as an Android Plugin details the Android Plugin Technology which allows users to launch multiple instances of an app but simultaneously allows stored data to be stolen by malicious host and plugin apps. Researchers of this Briefing chronicle the attack method to highlight advanced mitigation tactics and opportunities for reducing exploitability of this feature.

Arm yourself with the latest techniques and InfoSec discoveries. Check out our Trainings and our Briefings and Register today for Black Hat Asia at Marina Bay Sands in Singapore, March 28-31.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
How Data Breaches Affect the Enterprise
Data breaches continue to cause negative outcomes for companies worldwide. However, many organizations report that major impacts have declined significantly compared with a year ago, suggesting that many have gotten better at containing breach fallout. Download Dark Reading's Report "How Data Breaches Affect the Enterprise" to delve more into this timely topic.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-11-26
This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via C...
PUBLISHED: 2021-11-26
@joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a `script` tag into the page and execute malicious...
PUBLISHED: 2021-11-26
Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other se...
PUBLISHED: 2021-11-26
There is a Potential Zip Slip Vulnerability and OS Command Injection Vulnerability on the management system of baserCMS. Users with permissions to upload files may upload crafted zip files which may execute arbitrary commands on the host operating system. This is a vulnerability that needs to be add...
PUBLISHED: 2021-11-26
BaserCMS is an open source content management system with a focus on Japanese language support. In affected versions users with upload privilege may upload crafted zip files capable of path traversal on the host operating system. This is a vulnerability that needs to be addressed when the management...