We gave a talk about CodeInspect at the CARO 2015 workshop in Hamburg. The slides and the live demo (video) are available here: https://goo.gl/LblcR5
The main elements of the CodeInspect demo are:
- Jimple manipulation
- Interactive debugging
- Hyperlinks in XML files (e.g., layout.xml or AndroidManifest.xml)
- Java Source Code Enhancement
If you are interested in further videos about CodeInspect, you can find them here: http://sseblog.ec-spride.de/2014/12/codeinspect/
Are you interested in call graph generation for static analysis and machine-driven soundness proofs?
If you are interested in becoming a research assistant in our group, have a look at the proposal.
CodeInspect will be presented at the 7th edition of DroidCon in Berlin. Droidcon is a global developer conference series and a network focusing on the best of Android. Our talk “DISMANTLING DROIDS FOR BREAKFAST – THE CURRENT STATE OF APP REVERSE ENGINEERING” is aimed at Software Engineers as well as Security Experts.
Looking forward to an interesting conference with lots of “droid-talks”.
We are currently looking for a research assistant to support us in designing an Eclipse plugin to represent Clafer models. These models aim to guide the user on how to use cryptographic components appropriately.
Have a look at the attached proposal and contact us!
The OCAP has published its Phase 2 report on its security analysis of the TrueCrypt code base. It appears that they discovered no major issues. In the meantime, we are making good progress on our own in-depth security analysis of TrueCrypt for the BSI. We hope to be able to make this one public, too, at some point.
Only two weeks left to submit to our workshop on Agile Secure Software Development. Better get started on your paper now!
Earlier this year, we reported on the Korean threat we identified in collaboration with McAfee Mobile Research. We have now released a technical report describing in detail the Android/BadAccents malware. Furthermore, we also describe a new tapjacking attack (also reported earlier this year) the malware exploited.
The technical report also describes the fix we submitted to the Android Security Team in January this year. Until now (approximately 4 months later), the official AOSP still doesn’t include the fix, meaning that all Android versions are likely still vulnerable. Unfortunately, there is no real protection mechanism for the user against this attack. A general recommendation from our side is to install apps from the official app stores and to use anti-virus applications (many AV vendors already detect this malware family).
The major German news station heute.de is reporting on our tool Harvester and on time bombs in apps in general. Read the German article here.
In the meantime we are doing our best to get both CodeInspect and Harvester ready for roll-out. Stay tuned for more.
Since Google Code is shutting down, TamiFlex has found a new home on GitHub. We have tried our best to move the entire webpage and infrastructure there. Please let us know in case you find anything missing.