Last year, a talk focused on . This year, two researchers have targeted all their firepower on the Android.
In this morning's presentation, Jon Oberheide, CTO of Duo Security, and Zach Lanier, a senior consultant with the Intrepidus Group who specializes in network and web application penetration testing, walked attendees at ShmooCon 2011 through a series of weaknesses they discovered in the device at the kernel, platform and application levels.
Among their findings:
Android gives third-party applications permissions that are easy to hijack, they said. Writing a proof-of-concept disguised as the increasingly popular game, they were able to bypass the permission approval process and steal the authentication token from the Android AccountManager.
The talk was a sequel of sorts to one Lanier and fellow Intrepidus researcher Mike Zusman gave at the last fall.