[Owasp-turkey] Android trojan steals keystrokes using phone movements

Bedirhan Urgun bedirhanurgun at gmail.com
Thu Apr 26 05:57:29 UTC 2012


I looked at the countermeasures they themselves mention <http://www.cse.psu.edu/%7Eszhu/papers/taplogger.pdf>:

1. *Sensors, such as accelerometer and orientation sensors, should all be considered as sensitive to user's privacy and need gaining security permissions to access.*

2. *From the perspective of a user, several approaches can all increase the difficulties of attacks launched by TapLogger, such as changing the password frequently, choosing password with numbers difficult to infer, and increasing the length of PIN numbers.*

They mention that the first countermeasure would not be of much use. Let's imagine what kind of Android permissions there could be for the accelerometer and orientation sensors:

android.permission.ACCELEROMETER_SENSOR
*The accelerometer sensor is used to track the device's instantaneous acceleration along 3 axes. Applications granted this permission can detect the changes in speed of your device's movements in 3 dimensions and steal your passwords.*

android.permission.ORIENTATION_SENSOR
*The orientation sensor is used to track the changes and types of the device's movement in 3 dimensions. Applications granted this permission can detect the changes in your device's movement in 3 dimensions and steal your passwords.*

:)

OK, android.permission.INTERNET and android.permission.RECEIVE_SMS I can understand; the user would hesitate a bit over those. There are of course games that don't use the ones above, but they are probably very few, aren't they?

I think someone should write another application, and this application should randomize the positions of the keys displayed on screen (PIN unlock, phone dial digits, etc.) :)
In fact, applications that take passwords/sensitive data this way should, as a best practice, display these keys in different positions, if possible of course... This could actually go into the secure Android development tips document...

bedirhan

On 25 April 2012 at 21:25, Musa Ulker <musaulker at gmail.com> wrote:

> Computer scientists have devised an attack that logs phone numbers, Social
> Security IDs, and personal identification numbers entered into smartphones
> by monitoring the devices' integrated motion sensors.
>
> TapLogger, as their proof-of-concept application for phones running
> Google's Android operating system is called, masquerades as a benign game
> that challenges the end user to identify identical icons from a collection
> of similar-looking images. In the background, the trojan monitors readings
> returned by the phone's built-in accelerometer, gyroscope, and orientation
> sensors to infer phone numbers and other digits entered into the device.
> This then surreptitiously uploads them to a computer under the control of
> the attackers.
>
> http://arstechnica.com/business/news/2012/04/android-trojan-steals-keystrokes-using-phone-movements.ars
>
> --
> M.Musa Ülker


-- 
Bedirhan Urgun
http://www.webguvenligi.org
http://www.owasp.org/index.php/Turkey

To subscribe to the Turkish Web Application Security mailing list:
https://lists.owasp.org/mailman/listinfo/owasp-turkey
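The keypad-randomization idea proposed in the message above, as an added example that is not code from the post or from the TapLogger paper, written in Python rather than Android Java so the logic can be run directly; the RandomizedPinPad class and the inferred_pins helper are assumed names.

```python
import secrets

DIGITS = "0123456789"


class RandomizedPinPad:
    """PIN pad whose digit-to-position mapping is reshuffled for every entry
    session, so the screen position of a tap (or the device motion it causes)
    no longer identifies the digit that was entered."""

    def __init__(self, rng=None):
        # secrets.SystemRandom draws from the OS CSPRNG; a predictable
        # layout would hand the mapping straight back to an observer.
        self._rng = rng or secrets.SystemRandom()
        self.layout = list(DIGITS)
        self.new_session()

    def new_session(self):
        """Reshuffle the layout; call once per PIN prompt."""
        self._rng.shuffle(self.layout)
        return tuple(self.layout)

    def digit_at(self, position):
        """Map a tap at grid position 0..9 to the digit shown there."""
        return self.layout[position]

    def read_pin(self, tap_positions):
        """Translate a sequence of tap positions into the entered PIN."""
        return "".join(self.digit_at(p) for p in tap_positions)


def inferred_pins(tap_positions, sessions=1000):
    """Constructed check: an observer that recovers only tap positions
    (which is what a TapLogger-style sensor attack yields) sees how many
    distinct PINs the same position sequence could mean across sessions.
    With a fixed layout the set has exactly one element."""
    pad = RandomizedPinPad()
    seen = set()
    for _ in range(sessions):
        pad.new_session()
        seen.add(pad.read_pin(tap_positions))
    return seen


if __name__ == "__main__":
    pad = RandomizedPinPad()
    print("layout:", "".join(pad.layout))
    print("taps [1,2,3,4] could mean",
          len(inferred_pins([1, 2, 3, 4])), "different PINs")
```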
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-turkey/attachments/20120426/2141dfaa/attachment.html>

