BSidesSF 2018 has ended
Sunday, April 15 • 11:00am - 11:30am
Keep it Like a Secret: When Android Apps Contain Private Keys

We all have secrets. And the way we keep them secrets is by not telling them to others. Either because of inappropriate design, or by sheer accident, many publicly-available Android applications include private keys in them. By processing over 1 million applications from the Google Play Store, I have found thousands of private key files that are not private. Discovered private keys include PGP private keys, SSH private keys, OpenVPN keys, Android app signing keys, iOS app signing keys, HTTPS web server keys, and more. Password cracking techniques will also be discussed. Especially with password-protected private keys that are not used by the Android applications themselves, the key details and potential uses for them cannot be known until they are cracked.

Presenters
Will Dormann

Software Vulnerability Analyst, CERT Coordination Center (CERT/CC)
Will Dormann has been a software vulnerability analyst with the CERT Coordination Center (CERT/CC) since 2004. His focus areas include web browser technologies, ActiveX, and fuzzing. Will has discovered thousands of vulnerabilities using a variety of tools and techniques.



Sunday April 15, 2018 11:00am - 11:30am
AMC - Theatre 7