Google Apps is a powerful platform that allows businesses of any size to have a cloud of their own.

Many have embraced Google Apps to enhance corporate collaboration, but the security implications of renting space in Google’s cloud are not well understood.

In recent months I have been working with Google’s application security team to shed light on some risks stemming from the use of Android in conjunction with Google Apps.

Based on my previous research, which demonstrated that Android could be used to bypass Google’s 2-step verification, I decided that token-based attacks would be a good place to start evaluating Google Apps as well.

I found several attack vectors which make it possible for an adversary targeting a single Android device to compromise an entire organization.

With this realization, I did a little reading about the Android API and quickly prototyped several iterations of Android applications designed to mislead the user and gain complete account access without passwords or 2-step verification codes.

Below is a screenshot from Google Play from the period during which my application was available for sale. Please note that the ridiculous description and price were intended to discourage downloads:

[Screenshot: Google Play listing for the test application]

I will be presenting my findings at Defcon21 in an effort to raise awareness of best practices for staying safe within Google’s ecosystem. Although the focus will be on Google Apps for Business, the information is also relevant to all Google users.

If you will be attending Defcon, I encourage you to come hear more on Saturday, August 3rd at 1PM in track 2.  The name of my talk is ‘Android WebLogin: Google’s Skeleton Key’.

Stay tuned to Tripwire’s The State of Security blog for more information and a complete slide deck to be made available shortly after the presentation.


Title image courtesy of ShutterStock



Craig Young
