Chad Brubaker
@ChadBrubaker5

Android Platform Security @google.
All opinions are my own and terrible.

99 Tweets
89 Following
177 Followers

Tweets

Chad Brubaker
@ChadBrubaker5
Jan 28

I will say though, reachability analysis is required if you're looking at apps containing this code; a lot of apps still (unfortunately) include that but only use it when they're debugging while building their app. Of course I have found people who forgot to turn that off...

Chad Brubaker
@ChadBrubaker5
Jan 28

The network security config APIs we designed were directly a result of terrible stack overflow advice.
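As an added illustration of the API this tweet refers to (not code from the tweet, and not the Android project's own files), here is a Network Security Configuration file of the kind Android has accepted since API 24. It assumes, and this is labelled as an assumption, that the "terrible advice" in question is the widely copied pattern of installing a custom trust manager that accepts every certificate so that an interception proxy's CA works during development; the config below keeps release builds on system CAs with cleartext disabled, and scopes the extra debugging CAs to debuggable builds via debug-overrides. The file path is illustrative.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (illustrative path); referenced from the
     manifest <application> element with
     android:networkSecurityConfig="@xml/network_security_config". -->
<network-security-config>
    <!-- Release behaviour for every host the app talks to:
         trust only the platform's system CA store and refuse cleartext HTTP.
         Nothing here depends on app code, so there is no trust-all
         TrustManager left behind to forget about. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Applied only when the APK is built with android:debuggable="true".
         The anchors listed here are ADDED to the base config, so a developer
         can install a proxy's CA as a user certificate and intercept their own
         debug build, while release builds ignore this block entirely. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

The point of the split is that the debugging hook lives in declarative, build-type-gated configuration rather than in code paths that a reachability analysis has to hunt for. On Android 9 (API 28) and later, cleartextTrafficPermitted already defaults to false, so the base-config attribute is explicit documentation rather than a behaviour change there.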
|
||
|
|
||
|
Chad Brubaker
@ChadBrubaker5
|
24. sij |
|
Highly privileged components that can introspect everything and will definitely only be used for good was naive and a deeply limiting mistake the first time around. Let's not repeat that. twitter.com/chrisrohlf/sta…

Chad Brubaker
@ChadBrubaker5
Jan 21

developer.android.com/about/versions… is the detailed writeup, the hardware protections section starts to answer your question.

Chad Brubaker
@ChadBrubaker5
Jan 16

🤔 This HTTPS site seems modified; I just can't put my finger on it.
Redirecting to a rickroll is fun, but I've always loved replacing all the images with the smiley more. pic.twitter.com/MXj214Pu2q

Chad Brubaker
@ChadBrubaker5
Jan 16

And a MiTM test for CVE-2020-0601 is added to nogotofail, in case you wanted a black-box network testing tool; it's over on GitHub.

Chad Brubaker
@ChadBrubaker5
Jan 15

Of course I do mobile device security, where we assume attackers can get on path easily, but I wouldn't consider the MiTM work I've done APT level, just a somewhat physically proximate attacker with basic skills.

Chad Brubaker
@ChadBrubaker5
Jan 15

Assuming that network MiTMs are limited to state-level attackers is a stretch. If your devices are physically mobile (like laptops) you should assume getting on path is proximity + naming a Wi-Fi "starbucks" or similar common unauthenticated SSIDs that lots of devices have saved.

Chad Brubaker Retweeted

Lea Kissner
@LeaKissner
Dec 24

We talk about how security and privacy folks need to know how to say yes and how to say no, that if you say no all the time, folks don't listen.
We also need to talk about how S&P need to have the power to say no when needed. Because otherwise... approval is the only option.

Chad Brubaker Retweeted

Dino A. Dai Zovi
@dinodaizovi
Dec 21

No, they are not. twitter.com/FCC/status/120…

Chad Brubaker
@ChadBrubaker5
Dec 13

I can only hope twitter.com/migueldeicaza/…

Chad Brubaker Retweeted

Stephan Somogyi
@thinkpanzer
Dec 4

I'm hiring Android Platform Security Product Managers. Plural.
I'm especially interested in candidates with a wide range of backgrounds.
1/8

Chad Brubaker
@ChadBrubaker5
Dec 4

.@BramBonne and I with a happy "an update on" secure connection adoption on Android!
android-developers.googleblog.com/2019/12/an-upd…
I've been working on this since I was MiTMing all the things with nogotofail back in 2014, and it's pretty awesome to see how far it's all come.

Chad Brubaker Retweeted

Daniel J. Bernstein
@hashbreaker
Nov 24

Amazing compendium of failures of "provable security": eprint.iacr.org/2019/1336. I saw a preprint months ago and the shock value of the huge lists still hasn't worn off. I think (and hope) this will put an end to the delusion that provable-security failures are isolated mistakes.

Chad Brubaker
@ChadBrubaker5
Nov 9

It's not a security barrier sooooooooo twitter.com/mobilesecurity…

Chad Brubaker
@ChadBrubaker5
Nov 6

Great article. Hopefully someday this won't be shocking to anyone. twitter.com/k8em0/status/1…

Chad Brubaker Retweeted

Maddie Stone
@maddiestone
Oct 30

Hey current students, interested in a Security Engineer internship with Google? The application deadline closes TOMORROW, Oct 31 for CA and WA roles. Apply!
careers.google.com/jobs/results/7…
Interested in a SE internship in Zurich? Deadline FRIDAY, Nov 1! careers.google.com/jobs/results/8…

Chad Brubaker Retweeted

Sami Tolvanen
@samitolvanen
Oct 30

Google Online Security Blog: Protecting against code reuse in the Linux kernel with Shadow Call Stack security.googleblog.com/2019/10/protec… via @google

Chad Brubaker
@ChadBrubaker5
Oct 20

Glad you liked the glass :)

Chad Brubaker
@ChadBrubaker5
Oct 16

Sure, and they're in a browser with a nice HTTP stack and everything else is already X over HTTP, but if we want everything to have encrypted DNS we need to have this in the OS's resolver, and pulling an HTTP stack into that feels a bit overkill and a lot of exciting maintenance.