Project10x: Find an Android Vulnerability and Report it Correctly (Up to 55 pts. extra credit per Vulnerability)

What You Need for This Project

Perform a Security Audit

Choose any app you like. Check for any or all of these problems, or any other security problems you can think of:
  1. Failure to validate the integrity of the app's own signature at runtime (so a repackaged APK with added Trojan code, re-signed with a different key, installs and runs unchanged)
  2. Insecure network communications (cleartext HTTP, or TLS with certificate validation disabled)
  3. Insecure file storage (sensitive data in world-readable files or on external storage)
  4. Insecure logging (credentials, tokens or personal data written to logcat)
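As an added example (not part of the original project page), the script below shows what a first pass at the four checks above looks like when run over the artifacts you would collect from a real app. Every input it reads is a constructed sample embedded in the script: the manifest, smali file, file listing and logcat lines stand in for the output of `apktool d app.apk`, `adb shell run-as <package> ls -la files/` and `adb logcat -d`, and the package name com.example.app and all of the sample contents are made up.

```shell
#!/bin/sh
# Added example: a first-pass script for the four checks in the project list.
# Not from the original page. Every input below is a CONSTRUCTED sample that
# stands in for real artifacts you would gather with:
#   apktool d app.apk -o decoded                     (AndroidManifest.xml and smali/)
#   adb shell run-as com.example.app ls -la files/   (file modes in the app's private dir)
#   adb logcat -d                                    (log dump)
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/AndroidManifest.xml" <<'EOF'
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:debuggable="true" android:allowBackup="true"
                 android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
EOF

mkdir -p "$WORK/smali/com/example/app"
cat > "$WORK/smali/com/example/app/MainActivity.smali" <<'EOF'
.class public Lcom/example/app/MainActivity;
.method public onCreate(Landroid/os/Bundle;)V
    const-string v0, "http://api.example.com/login"
    return-void
.end method
EOF

cat > "$WORK/files.txt" <<'EOF'
-rw-rw-rw- 1 u0_a123 u0_a123  512 2015-02-23 16:26 session.db
-rw------- 1 u0_a123 u0_a123 2048 2015-02-23 16:26 prefs.xml
-rw-r--r-- 1 u0_a123 u0_a123  128 2015-02-23 16:26 cache.json
EOF

cat > "$WORK/logcat.txt" <<'EOF'
D/LoginActivity( 1234): POST http://api.example.com/login user=alice password=hunter2
I/ActivityManager(  567): Displayed com.example.app/.MainActivity: +312ms
D/OkHttp( 1234): Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc
EOF

# Each check prints its findings, one per line, and returns 1 if it found anything.

# Check 1: signature self-check. An app that never asks PackageManager for its
# own signing certificate cannot notice that it was repackaged with Trojan code
# and re-signed with the attacker's key. Heuristic only: in smali the flag value
# is often inlined (GET_SIGNATURES is 0x40), so confirm by actually re-signing
# the APK with apksigner and checking that the app still runs.
audit_signature_check() {
    if ! grep -rqE 'GET_SIGNATURES|GET_SIGNING_CERTIFICATES|SigningInfo' "$1"; then
        echo "signature: no self-check of the signing certificate found under $1"
        return 1
    fi
}

# Check 2: manifest flags that permit cleartext HTTP, attach a debugger, or let
# 'adb backup' pull the app's private files off the device.
audit_manifest() {
    findings=$(grep -oE 'android:(debuggable|usesCleartextTraffic|allowBackup)="true"' "$1" || true)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" | sed 's/^/manifest: /'
        return 1
    fi
}

# Check 3: files in the app's private directory that other apps can read or
# write (the 'other' permission bits are characters 8-10 of the mode string).
audit_file_perms() {
    findings=$(awk 'substr($1, 8, 3) ~ /[rw]/ { print "storage: world-accessible " $1 " " $NF }' "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
}

# Check 4: credentials or tokens in the system log. Any app could read the log
# on Android 4.0 and earlier; on later versions anyone with adb access still can.
audit_logcat() {
    findings=$(grep -iE 'password=|authorization:|token=|secret' "$1" || true)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" | sed 's/^/logging: /'
        return 1
    fi
}

run_audit() {
    rc=0
    audit_signature_check "$WORK/smali"               || rc=1
    audit_manifest        "$WORK/AndroidManifest.xml" || rc=1
    audit_file_perms      "$WORK/files.txt"           || rc=1
    audit_logcat          "$WORK/logcat.txt"          || rc=1
    return $rc
}

run_audit && echo "no findings" || echo "findings above need a PoC"
```

To use it on a real app, point the four functions at the decoded APK directory, the file listing from the app's private data directory and a logcat dump instead of the samples. Each check is a grep-level heuristic that tells you where to look, not a finished finding: a flagged manifest attribute, a world-readable file or a token in the log still has to be turned into the PoC described below before it counts.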

Find a Serious Problem

If the app doesn't have any big problems, it's not eligible for this project. You can still report your security audit as a Project 3x, however.

Create a Proof-of-Concept (PoC)

Demonstrate the problem so that a busy, non-technical executive can easily understand it.

Here are recommended ways to do that:

Maintain Confidentiality

Don't publish your vuln on Facebook or Twitter or anywhere public yet!

As a matter of responsible disclosure, you must notify the company privately first. You will lose points if you don't give the company at least 30 days to fix it before going public.

In practice, there is very little chance that the company will pay any attention, but this step is important to protect the reputation of CCSF and our security program. If we are perceived as irresponsible, our program will suffer.

30 Pts: Verifying your PoC

Send your PoC by email to cnit.128sam@gmail.com with the subject line Project 10x from YOUR NAME

Include this information in your email:

After your instructor verifies that you have found a real problem, and made a clear PoC, you get 30 pts.

You may stop at this point, or proceed to the next steps.

15 Pts: Demonstrate the PoC to the Class

Prepare and deliver a brief demonstration of the vulnerability you found to students, after ensuring that they have signed non-disclosure agreements.

Plan for 5-10 min.

10 Pts: Report the Vuln to the Company

Research the company that made the vulnerable app and try to find someone who might care. In many cases there will be no official way to contact the security team at all, and all you can do is email security@company.com, or fill out a generic comment form, or something like that.

You can call the company on the phone and ask where to send the report, but a verbal vuln report on the phone doesn't count. You need to make a written report that can be verified, so that if the company later claims it was never notified, we have evidence to the contrary.

Send your report to someone at the company, and keep screen captures of your reporting including the date.

If you send an email and it is returned undelivered, you must try again. You haven't really reported it until you send something that seems to have arrived.

Send Proof of Report

Send one or more screen captures to cnit.128sam@gmail.com showing how you reported the vulnerability.

If you send proof of a satisfactory report, you get 10 more points.

Repeatability

You can do this project up to 3 times for more points.
Posted 2-23-15 4:26 pm

Title changed on 3-4-15 because @JardineSoftware correctly pointed out that these are not 0days, but normal vulnerabilities, because they do not use newly discovered techniques.