Antonio Nappa

Zimperium - App Analysis Team Lead

Talk Title

Android Fight Club: Dualities and Conflicts in Vulnerability Management and Patching






11:45 > 40 min



This talk explores the intricate and ever-evolving world of Android security, dissecting both systemic OS-baseband vulnerabilities and high-level application threats. We kick off by investigating critical vulnerabilities in the OS and baseband layers, highlighted by a slew of CVEs that underscore recent security challenges: CVE-2023-41111, CVE-2023-41112, CVE-2022-21744, CVE-2022-21765, CVE-2023-21517, CVE-2023-42529, CVE-2023-42528, CVE-2023-42527, and CVE-2023-30739. This segment underscores the rigorous efforts required from vendors in identifying vulnerabilities, engineering solutions, and deploying patches effectively.
We then delve into the attacker's playbook, exploring how vulnerabilities are uncovered and exploited, revealing the sophisticated methodologies and tools utilized by attackers. This transition shines a light on the stark realities and necessities of robust security measures.
Shifting focus, the talk examines high-impact vulnerabilities within applications through the lens of the WebP CVE-2023-4863 vulnerability in Flutter's ecosystem. Despite strong security measures by leading tech entities, a broader analysis of numerous Android applications reveals a normal distribution of exposure, indicating widespread risk across the platform.
In response, we discuss practical methodologies and "plug and play" security solutions that empower developers to stay updated, adhere to best practices, and effectively shield apps against threats. This comprehensive approach provides a vital framework for understanding and tackling Android security, highlighting the continuous race from dusk to dawn and back in the effort to secure Android systems.

Speaker Bio

Antonio Nappa is the Application Analysis Team Leader at Zimperium Inc. He has been in the cybersecurity game since he was 17 years old. He holds a PhD in Software and Systems from the Madrid Institute of Advanced Studies. He has been a visiting scholar at UC Berkeley. His contributions have been published and recognized in international peer-reviewed venues. Since the DEFCON 2008 Finals, he never goes to sleep with a segfault.