When
3:00 PM Sunday
Where
Town Square B
Silicon Valley Code Camp : October 7 & 8, 2017 session

Passwords on a Phone

Android apps by Safeway, Kroger, Walgreens, and many others store passwords locally, which is dangerous and unnecessary. I'll demonstrate how to reverse their worthless encryption methods. I notified them but they ignored me.

About This Session

Almost all Android apps from major retailers store your password on the phone, which is dangerous and unnecessary. They don't even use the Android Keystore; they use custom encryption schemes that generate the key in predictable ways from values that are themselves stored on the phone, so anyone who can read the app's files can re-derive the key and recover the password. This is "fake encryption": the data appears to be encrypted but is not actually protected from attackers.

The Safeway app is typical: it encrypts passwords with AES, but generates the key from other values that are also stored on the phone, so the key is recoverable from the same files as the ciphertext. I notified Safeway of this in April 2017, but they never fixed it.
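To make the "fake encryption" pattern concrete, here is an added example (not code from the talk or from any of the retailers named): a simulated app that encrypts the stored password with a key derived from a device value plus a constant from the APK, and the attacker-side script that reads the app's shared_prefs file and recovers the password. The package path, preference keys, salt, device id and password are all constructed for this example. The talk describes AES; to keep this runnable with only the Python standard library the cipher is an HMAC-SHA256 counter-mode keystream. The weakness is the key derivation, not the cipher, so the recovery works the same way with AES.

```python
"""
Added example: an Android-style app that stores a password "encrypted" with a
key derived from values that are also on the phone, and the attacker's recovery.
All names and sample values are constructed; the keystream cipher stands in for
the AES the real apps use, because the flaw is in how the key is derived.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

# Constant that an attacker would recover by decompiling the APK (hypothetical value).
APP_SALT = b"RetailApp-v3-salt"
NONCE_LEN = 8


def derive_key(android_id: str) -> bytes:
    """The app's key derivation: a hash of a device value plus an APK constant.
    Every input is readable by anyone who has the phone's files, so the key is too."""
    return hashlib.sha256(android_id.encode() + APP_SALT).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def app_encrypt(password: str, android_id: str, nonce: bytes) -> str:
    """What the app writes to shared_prefs: base64(nonce || ciphertext)."""
    assert len(nonce) == NONCE_LEN
    ct = xor_bytes(password.encode(), keystream(derive_key(android_id), nonce, len(password)))
    return base64.b64encode(nonce + ct).decode()


def app_decrypt(blob: str, android_id: str) -> str:
    raw = base64.b64decode(blob)
    nonce, ct = raw[:NONCE_LEN], raw[NONCE_LEN:]
    return xor_bytes(ct, keystream(derive_key(android_id), nonce, len(ct))).decode()


def build_prefs(entries: dict) -> str:
    """Render a shared_prefs XML file the way Android's SharedPreferences does."""
    body = "".join(f'    <string name="{k}">{v}</string>\n' for k, v in entries.items())
    return f'<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n{body}</map>\n'


# Constructed sample: the file an attacker would pull from
# /data/data/com.example.retailapp/shared_prefs/ on a rooted phone or from an
# unencrypted adb backup. The app stored the device id right next to the
# password that id was used to encrypt.
SAMPLE_PREFS = build_prefs({
    "device_id": "9774d56d682e549c",
    "enc_password": app_encrypt("hunter2", "9774d56d682e549c", b"\x01\x02\x03\x04\x05\x06\x07\x08"),
})


def recover_password(prefs_xml: str) -> Optional[str]:
    """Attacker side: parse the prefs file, re-derive the key, decrypt."""
    root = ET.fromstring(prefs_xml.encode())
    values = {e.get("name"): e.text for e in root.findall("string")}
    if "enc_password" not in values:
        return None  # nothing to recover: the app did not store the password
    return app_decrypt(values["enc_password"], values["device_id"])


# The fix is not a stronger cipher but not storing the password at all: keep a
# server-issued session token that the server can revoke. An attacker with the
# files gets only that token, not a credential the user reuses elsewhere.
HARDENED_PREFS = build_prefs({"session_token": "opaque-token-issued-by-server"})

if __name__ == "__main__":
    print("recovered:", recover_password(SAMPLE_PREFS))    # hunter2
    print("recovered:", recover_password(HARDENED_PREFS))  # None
```

Everything `recover_password` needs (the salt from the APK, the device id and the ciphertext from the prefs file) is on the phone, which is why the scheme protects nothing against anyone who can read the app's storage. A key held in the Android Keystore is not exportable in the same way, but the cleaner fix is the hardened variant: never write the password to disk.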

I will present results of my tests of many top retailers, and demonstrate how to steal passwords from them. I will also list a few (very few) companies who actually protect their customers' passwords properly.

The purpose of this talk is to raise awareness of the poor quality of retail Android apps, and to encourage developers to improve their products.


The Speaker(s)


Sam Bowne

Instructor, Computer Networking and Information Technology, City College San Francisco

Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks at CodeCamp, DEFCON, BayThreat, LayerOne, and Toorcon, and taught classes and seminars at many other schools and teaching conferences. He has a Ph.D. and a CISSP and a lot of other certifications, and a lot of computers and cables and firewalls and stuff.