Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/348 Thanks!

That said, thank you very much, Mr. Seeable.

So good evening. We are trying to survive all the different problems with the technology and to do all the demos. There is only one demo that will not be possible to do, but we will put all the technical details on the website alongside the slides.

So I'm Eric Filiol. We have worked on the security, or insecurity, of banking apps, and we are going to present a few results about what we have found.

So here is the agenda of this presentation. I will first introduce the background. In fact, all these studies have been performed during the project.
I will present this project, and then Paul will explain the different tools he has developed to perform static analyses, to collect different APKs, and to perform dynamic analyses. Then we will switch to the results. First, I will give some statistics about the different apps we have analyzed, and we will present four cases which are rather instructive of what we have found, and you will see that, especially for the first one, very surprising things can be found. And then I will conclude.

So, in fact, the DAVFI project was a two-year project to develop a sovereign and trusted antivirus for the Android platform, the Linux platform and Windows, not for Apple, because the French government was not interested in Apple: too much Big Brother. And it has been funded partly by the French government.
In fact, by the Prime Minister's office, in the context of the detailed plan for sovereignty, whose grand total was about six billion euros. And the state, the government, funded only 35 percent.

So as a research lab, we have produced the proof of concept, and then we have delivered it as a product, as well as the intellectual property, to a company which is in charge of the marketing. And the name is no longer DAVFI, because DAVFI was the project: it is Uhuru Mobile for the mobile platform and Uhuru AM for Linux and Windows.

Normally it was in the timetable that free and open versions should be released, at least for non-commercial use. I hope they will do it. But at the lab we have decided to work on the fork version, for Linux at least.
And normally by mid-March we should release everything, including the source code, and the name will be OpenDAVFI. But if you want more information, please refer to the official web page of the project.

So if we focus on the Android platform, in fact, we have delivered the product one year ahead of schedule, in October 2013. It was based on CyanogenMod and AOSP sources. In fact, from the beginning it was clear that implementing yet another antivirus application would be a failure, because if you go deeper into the system, you can get rid of the application. So, in fact, we decided to build a complete anti-malware operating system. So we rewrote the Android system based on these two sources.
And we have added some additional security features like full file system encryption, SMS encryption, VoIP encryption, and especially an application market accepting only secure, analyzed, certified and digitally signed applications. Well, that's why we decided to analyze a lot of applications, including banking and navigation.

So all those apps are analyzed: static analyses, dynamic analyses. And Paul will present the different techniques. And of course, we go as far as the production of the source code, by a reversing step.

And we have defined, of course, as security policy, a trust policy that I am going to present right after. And if it is not a malware, if the application does not contain any malicious feature and is compliant with the security policy, then the application is certified, is digitally signed, and is put on the market.
And for the different features, please refer to the official website of the Nov'IT company.

So, the trust policy. In fact, just considering whether the app is a malware or not is not sufficient, because between malware and a very safe application you can have a lot of things, non-desirable properties, especially regarding data confidentiality and users' privacy, which is a big problem. So, in fact, what is malicious must be extended to something a little bit broader than simple malware functions. And in fact, we have defined a trust policy for an application. It tries to see if, of course, it is not a malware, which is a minimum, but also that it does not contain hidden functionalities, that no information is collected unless it is strictly necessary for the application, and that every communication between the application and a remote server is encrypted.
And of course, that there are no known vulnerabilities.

So why did we focus on banking applications? In fact, banks are forcing us to use tablets and smartphones more and more in order to connect to a bank account, and more and more conventional banks will disappear. So it is all our money: banking applications give direct access to our money and to all the data about what we have purchased, and so on. So, of course, it is a critical issue. And for you as a user, I don't want my bank to have too much information about me, about what I am doing, and of course any external attacker neither.

And the other aspect: since banks have much money, they are normally supposed to do a clean job, a perfect job, and they should normally release only very secure and safe applications.
So we have contacted all the banks in order to alert them about the problems we have found, and everything for free. But up to now, only a very few banks have answered and asked for more details. Only two in France have asked for the technical details and are currently correcting the part regarding vulnerabilities. I'm not sure that they will do it for users' privacy, but it is a problem. We will check everything.

So I made three tools: one for antivirus and static analysis, called Egide; a second one for crawling the web for applications to find malware; and a third one for dynamic analysis, in fact network communication monitoring.
And I started with one thousand eight hundred applications, both malware and genuine, and these tools are not open source at this time.

So the goal of Egide is to detect malware based on similarity with known malware. The main hypothesis is that there is no common characteristic that defines, that characterizes, all malware. That's why the traditional way of detecting malware is splitting them into families of malware; it's these families that share common characteristics. So if we could do some sort of statistics on these families and compare them to the statistics from an application, we could weigh these common characteristics.
Egide can also produce a static analysis report for manual analysis; I will show it to you. So there was a demonstration that, because of the bugs at the beginning, I could not show you. So it will be on the website. So you will find all this information when I scan an application with it. Basically, we first decompile it to an equivalent Java source code, and it extracts a lot of characteristics like permissions, file digests, class and method names, entry points, methods, known behaviors from malware, something like that. And all this information is used to make similarity scores, to compare an app with malware families.
OK, this is a demonstration I could not show you, but I will explain it to you quickly. This report summarizes some of the extracted data to help a manual analysis. So we get basic data like permissions, but also more important ones like risky behaviors. You can see it is not translated because it's for internal use, so it's in French, sorry. And a table of risky Android API calls. These risky calls are seen two times more in malware than in genuine applications. That's why it's nice to see where they are used in the code.
So when I click on, for example, location service, which is a known behavior detected, I can see where in the code it is used. And when I click on one of these functions, I can see the reversed code. So it's a sort of guide for manual analysis, a starting point. Sorry for the format of the windows, because normally there was a link between those windows in place.

Currently, because we have a direct link between the report and the source code, it is possible to check whether it is a genuine call, non-dangerous code, or malware code. So we have a constant link between the report and the source code. OK, let's carry on.
Yeah, it's messy, so sorry for this. Let's go on.

So, the antivirus works pretty well, but not as I expected. And the reason was that the database of malware applications was too small for being serious in the antivirus game. So I designed a massive web crawler called Tarantula to download lots of applications, hoping they were malware.

So in reality, this subject of gathering samples is the heart of the matter in the antivirus game. It's a subject which is rarely explained or detailed in research papers. And basically, that algorithm needs strong statistics, so a big database.
So how can we gather lots of samples? Several universities share some, like North Carolina State University with the Genome Project and the University of Göttingen here in Germany with the Drebin dataset. Also some websites share malware, like VirusShare and Contagio; maybe you have heard of them. It's a good starting point, but not enough. So I researched how antivirus companies get their samples. My guess is that they get samples from client and end-user submissions and from inter-company exchange, mainly.
And in this report we can see that 70 percent of them are got from inter-company exchange, and then unknown samples, something labeled as unknown samples, which is in fact user and client submission. So it means you cannot mimic that in a laboratory.

So I designed a crawler called Tarantula, which gets samples from wild FTP, torrents and alternative markets, mainly. I stopped crawling at two hundred and eighty thousand applications. And here is a schema of the internal structure of Tarantula.
And the discovery of malware in the applications I've got is a work in progress, but I hope I will find lots of malware.

I'm going to move on to the dynamic analysis, and I like this one. I called it Panoptes, and it basically monitors almost all communications between an app and the Internet, even the encrypted ones. So at the end of the analysis, it generates a graph of network communication to help detect some behavior in this mess of information. You will see the graph when I present the banking application.

So I just do an SSL bypass, as I said: as I control the phone, I put a fake certification authority in the phone, and my phone connects to a fake access point.
And basically the SSL requests are intercepted, and the response to the request is sent back to the phone signed by our fake certificate, so the phone actually believes that it is a legit communication.

So at the present time, we have analyzed 27 applications in detail; of course, we will go on increasing the results, and everything will be made public little by little. So as you can see, we have at the beginning analyzed French banks, but we try to cover the whole world, and the next step will be to analyze banks from Asia, because there is a lot of development in banking applications there. So, before presenting the four specific cases we have identified, I would like to present some statistics summarizing what we have found.
First, if we have a look at permissions, we see that those applications generally are very invasive, and they get a lot of access to many, many internal data in your smartphone or tablet, which is very worrying, because they can eavesdrop on a lot of information. But it is probably more interesting if you consider the various URLs that are involved in the application, between the smartphone and the server. And two of them are rather interesting. First, it is possible to identify a phone specifically. But if you consider this, for something which is rather high, 96 percent are loading the content of the app dynamically from the web. It means that
541 00:21:36,400 --> 00:21:38,469 This content can be legit content, 542 00:21:38,470 --> 00:21:40,539 but it can be on purpose 543 00:21:40,540 --> 00:21:42,859 and very, very specifically 544 00:21:42,860 --> 00:21:44,649 malicious content. It depends whether you 545 00:21:44,650 --> 00:21:45,670 trust your bank on it. 546 00:21:46,750 --> 00:21:48,999 Uh, and 547 00:21:49,000 --> 00:21:50,770 er, the second is a second, 548 00:21:51,880 --> 00:21:54,159 the second, uh, behavior, which is, uh, 549 00:21:54,160 --> 00:21:56,379 rather interesting, is this 550 00:21:56,380 --> 00:21:58,569 many phones are by 551 00:21:58,570 --> 00:22:01,119 now vulnerable to the execution of 552 00:22:01,120 --> 00:22:03,349 arbitrary JavaScript, 553 00:22:03,350 --> 00:22:06,729 um, uh, instructions. 554 00:22:06,730 --> 00:22:10,239 So it means that it is possible 555 00:22:10,240 --> 00:22:12,459 by providing this and 556 00:22:12,460 --> 00:22:14,139 exploiting the fact that many phones are 557 00:22:14,140 --> 00:22:16,569 still able to um 558 00:22:16,570 --> 00:22:17,499 still vulnerable. 559 00:22:17,500 --> 00:22:19,869 But now for the newer version, 560 00:22:19,870 --> 00:22:22,809 there's a number of, uh, JavaScript 561 00:22:22,810 --> 00:22:25,059 that can be, uh, executed is limited. 562 00:22:25,060 --> 00:22:27,429 But for an older version, it is not. 563 00:22:27,430 --> 00:22:29,679 And it's possible to remotely 564 00:22:29,680 --> 00:22:32,759 execute arbitrary JavaScript, 565 00:22:32,760 --> 00:22:34,839 JavaScript, of course, 566 00:22:34,840 --> 00:22:37,089 either if you are on the bank's side or 567 00:22:37,090 --> 00:22:39,249 if you are, uh, an attacker. 568 00:22:39,250 --> 00:22:41,169 For example, in a man-in-the-middle attack, we will 569 00:22:41,170 --> 00:22:43,589 see which bank is vulnerable to this 570 00:22:43,590 --> 00:22:44,619 to this kind of attack. 
571 00:22:47,030 --> 00:22:48,030 So 572 00:22:51,280 --> 00:22:53,569 let's get started with a demonstration 573 00:22:53,570 --> 00:22:54,739 report. 574 00:22:54,740 --> 00:22:56,869 OK, I 575 00:22:56,870 --> 00:22:59,089 will start by JP 576 00:22:59,090 --> 00:23:01,369 Morgan Access, which is a mobile 577 00:23:01,370 --> 00:23:03,769 banking app of JP Morgan. 578 00:23:03,770 --> 00:23:06,019 And here's the 579 00:23:06,020 --> 00:23:08,269 graph of network communication I've told 580 00:23:08,270 --> 00:23:10,179 you about just before. 581 00:23:10,180 --> 00:23:12,499 Uh, so the, 582 00:23:12,500 --> 00:23:15,409 um, and it's an interesting, 583 00:23:15,410 --> 00:23:17,799 uh, JSON file received from 584 00:23:17,800 --> 00:23:19,010 the JPMorgan servers. 585 00:23:20,290 --> 00:23:22,359 I can see there, so the, 586 00:23:22,360 --> 00:23:24,939 um, the graph shows 587 00:23:24,940 --> 00:23:27,249 all the, uh, 588 00:23:27,250 --> 00:23:29,349 and, uh, a summary of the communication 589 00:23:29,350 --> 00:23:32,109 for, uh, an address, 590 00:23:32,110 --> 00:23:33,130 OK, and. 591 00:23:34,500 --> 00:23:36,929 We can also see all the strings 592 00:23:36,930 --> 00:23:39,159 that, uh, the application, 593 00:23:39,160 --> 00:23:41,349 uh, sends to 594 00:23:41,350 --> 00:23:43,200 Washington to, um, 595 00:23:44,220 --> 00:23:45,220 to enlist. 596 00:23:46,350 --> 00:23:48,479 So, uh, it's it's for 597 00:23:48,480 --> 00:23:50,639 finding, uh, some, 598 00:23:50,640 --> 00:23:53,039 um, that are personal. 599 00:23:53,040 --> 00:23:54,659 Detrich So. 600 00:23:57,190 --> 00:23:59,259 Here we can see just two 601 00:23:59,260 --> 00:24:01,789 strings, and it's, 602 00:24:01,790 --> 00:24:04,179 uh, in the 603 00:24:04,180 --> 00:24:06,309 argument of a GET method 604 00:24:06,310 --> 00:24:07,839 or in a POST request. 
605 00:24:11,290 --> 00:24:12,789 So here 606 00:24:13,870 --> 00:24:16,659 is the application received, uh, 607 00:24:16,660 --> 00:24:17,920 a JSON file there. 608 00:24:24,020 --> 00:24:27,379 So here we can see a signature 609 00:24:27,380 --> 00:24:29,809 either at the beginning, I, 610 00:24:29,810 --> 00:24:32,029 uh, I thought it was a 611 00:24:32,030 --> 00:24:34,409 bit long for a signature, 612 00:24:34,410 --> 00:24:36,619 uh, for authentication, 613 00:24:36,620 --> 00:24:37,639 for example. 614 00:24:37,640 --> 00:24:40,039 So maybe, uh, 615 00:24:40,040 --> 00:24:42,139 it is, um, an 616 00:24:42,140 --> 00:24:44,300 encrypted string, uh. 617 00:24:46,380 --> 00:24:48,719 I just after that, 618 00:24:48,720 --> 00:24:51,209 I, uh, um, used 619 00:24:51,210 --> 00:24:53,759 a tool called API Monitor 620 00:24:53,760 --> 00:24:56,549 to see if, uh, 621 00:24:56,550 --> 00:24:58,550 after receiving the string the app 622 00:24:59,990 --> 00:25:01,559 decrypts something. 623 00:25:04,470 --> 00:25:06,789 So what 624 00:25:06,790 --> 00:25:08,789 is wrong with it? 625 00:25:08,790 --> 00:25:10,979 So, uh, API 626 00:25:10,980 --> 00:25:13,079 Monitor, uh, basically 627 00:25:13,080 --> 00:25:15,359 reverses the app and monitors functions 628 00:25:15,360 --> 00:25:17,459 around Android code that 629 00:25:17,460 --> 00:25:19,649 we configure and at 630 00:25:19,650 --> 00:25:21,839 runtime, uh, dumps the 631 00:25:21,840 --> 00:25:24,059 content of the arguments into 632 00:25:24,060 --> 00:25:26,789 the logcat, which is the centralized 633 00:25:26,790 --> 00:25:28,979 Android, uh, log system. 634 00:25:28,980 --> 00:25:31,169 So we can see arguments 635 00:25:31,170 --> 00:25:31,979 of functions. 636 00:25:31,980 --> 00:25:34,589 We configure, uh, dynamically. 637 00:25:35,610 --> 00:25:37,889 So could you film 638 00:25:37,890 --> 00:25:38,589 it first? 
639 00:25:38,590 --> 00:25:39,590 Asked 640 00:25:41,100 --> 00:25:43,649 us if 641 00:25:43,650 --> 00:25:46,829 it's not very visible, but, uh, 642 00:25:46,830 --> 00:25:48,599 so far this, uh, 643 00:25:49,680 --> 00:25:51,809 here trust me, um, it's, 644 00:25:51,810 --> 00:25:53,999 uh, it's, uh, received a strange 645 00:25:54,000 --> 00:25:56,069 signature. Uh, it's a little 646 00:25:56,070 --> 00:25:58,709 messy, but it's, uh, 647 00:25:58,710 --> 00:26:00,839 the string, uh, I just, 648 00:26:00,840 --> 00:26:04,019 uh, showed you before and, 649 00:26:04,020 --> 00:26:05,159 uh, this is 650 00:26:06,870 --> 00:26:08,939 this is, uh, uh, 651 00:26:08,940 --> 00:26:11,879 a decryption function, um, 652 00:26:11,880 --> 00:26:13,049 uh, used. 653 00:26:13,050 --> 00:26:15,239 And these, uh, ASCII 654 00:26:15,240 --> 00:26:17,339 codes are, in fact, the 655 00:26:17,340 --> 00:26:19,479 argument of, uh, the, 656 00:26:19,480 --> 00:26:21,179 uh, decipher function. 657 00:26:21,180 --> 00:26:23,999 And, uh, here's the result 658 00:26:24,000 --> 00:26:24,929 at runtime. 659 00:26:24,930 --> 00:26:27,299 So what I did is I, uh, 660 00:26:27,300 --> 00:26:29,869 I, um, uh, 661 00:26:29,870 --> 00:26:32,339 I copied, 662 00:26:32,340 --> 00:26:34,449 uh, the return value and I used 663 00:26:34,450 --> 00:26:36,509 some just some scripting 664 00:26:36,510 --> 00:26:39,089 commands to get, uh, a readable, 665 00:26:39,090 --> 00:26:40,439 uh, string. 666 00:26:40,440 --> 00:26:41,879 So here we go. 667 00:26:41,880 --> 00:26:42,880 The readable string. 
668 00:26:48,370 --> 00:26:50,529 So it's 669 00:26:50,530 --> 00:26:53,079 several strings separated 670 00:26:53,080 --> 00:26:55,749 by a pattern and 671 00:26:55,750 --> 00:26:57,849 the content of the strings are not very 672 00:26:57,850 --> 00:26:59,740 important because 673 00:27:01,030 --> 00:27:03,399 it's the pattern, uh, 674 00:27:03,400 --> 00:27:05,079 with this pattern, we can search in the 675 00:27:05,080 --> 00:27:08,069 code in the rest of it, whether 676 00:27:08,070 --> 00:27:10,509 we have a code, uh, 677 00:27:10,510 --> 00:27:12,789 where these, uh, strings 678 00:27:12,790 --> 00:27:15,129 are used and what 679 00:27:15,130 --> 00:27:17,709 it, uh, what does the application do? 680 00:27:17,710 --> 00:27:18,819 So it's what I did. 681 00:27:18,820 --> 00:27:20,979 I cannot show you the code because 682 00:27:20,980 --> 00:27:23,619 it's proprietary. 683 00:27:23,620 --> 00:27:26,449 So, uh, it's just a subset, 684 00:27:26,450 --> 00:27:28,659 um, just just to show 685 00:27:28,660 --> 00:27:30,699 you what it does. 686 00:27:30,700 --> 00:27:32,889 So the string is 687 00:27:32,890 --> 00:27:35,109 parsed with 688 00:27:35,110 --> 00:27:36,069 this pattern. 689 00:27:36,070 --> 00:27:38,349 And, um, a part of the string 690 00:27:38,350 --> 00:27:40,539 is sent directly into a 691 00:27:40,540 --> 00:27:41,829 command. 692 00:27:41,830 --> 00:27:43,989 Uh, I reversed this, 693 00:27:43,990 --> 00:27:46,809 uh, this function run command. 694 00:27:46,810 --> 00:27:49,089 Uh, it's not, uh, a 695 00:27:49,090 --> 00:27:51,429 basic, uh, Android, the, uh, 696 00:27:51,430 --> 00:27:53,619 function, uh, and 697 00:27:53,620 --> 00:27:56,079 if the phone is, uh, rooted, 698 00:27:56,080 --> 00:27:58,269 uh, this command 699 00:27:58,270 --> 00:28:00,669 executes, uh, the argument with 700 00:28:00,670 --> 00:28:01,670 root privilege. 
701 00:28:03,590 --> 00:28:06,349 So basically what it means, it's 702 00:28:06,350 --> 00:28:07,829 it's a remote shell. 703 00:28:08,990 --> 00:28:11,359 Why why is it is this why they 704 00:28:11,360 --> 00:28:13,639 at runtime when you 705 00:28:13,640 --> 00:28:16,759 log in, uh, um, 706 00:28:16,760 --> 00:28:18,979 send, uh, commands 707 00:28:18,980 --> 00:28:21,219 from, uh, the website and 708 00:28:21,220 --> 00:28:23,629 they execute it on your phone. 709 00:28:23,630 --> 00:28:25,849 It's a part of a framework that 710 00:28:25,850 --> 00:28:27,919 verifies the, um, the security 711 00:28:27,920 --> 00:28:29,179 of the phone. 712 00:28:29,180 --> 00:28:30,180 Um, 713 00:28:31,340 --> 00:28:33,589 and a lot of this verification is done 714 00:28:33,590 --> 00:28:35,030 by sending commands 715 00:28:36,080 --> 00:28:38,629 to verify the phone has been infected 716 00:28:38,630 --> 00:28:40,580 or also on 717 00:28:41,630 --> 00:28:44,449 that they could have done it differently. 718 00:28:44,450 --> 00:28:48,049 For example, loading the, uh, verification, 719 00:28:48,050 --> 00:28:50,339 uh, procedure from 720 00:28:50,340 --> 00:28:52,489 encrypted assets, 721 00:28:52,490 --> 00:28:53,490 for example. 722 00:28:54,840 --> 00:28:56,999 That this way of 723 00:28:57,000 --> 00:28:58,000 a very free 724 00:28:59,150 --> 00:29:01,229 let's let the harbor, because they 725 00:29:01,230 --> 00:29:02,700 can send arbitrary commands 726 00:29:04,080 --> 00:29:06,629 targeted because, uh, 727 00:29:06,630 --> 00:29:07,950 uh, the 728 00:29:09,090 --> 00:29:11,579 connection and the applications 729 00:29:11,580 --> 00:29:13,889 and the IMEI, 730 00:29:13,890 --> 00:29:16,979 which uniquely identifies 731 00:29:16,980 --> 00:29:18,689 one particular device. 732 00:29:18,690 --> 00:29:21,119 So if they want, 733 00:29:21,120 --> 00:29:23,459 they can send, uh, arbitrary commands 734 00:29:23,460 --> 00:29:25,379 at, uh, a targeted device. 
735 00:29:25,380 --> 00:29:28,079 So basically we 736 00:29:28,080 --> 00:29:30,150 have to consider it as a backdoor. 737 00:29:35,920 --> 00:29:38,180 The next application is BNP Paribas. 738 00:29:40,390 --> 00:29:41,859 It's a French application. 739 00:29:43,540 --> 00:29:44,540 Uh. 740 00:29:47,020 --> 00:29:50,099 So let's see, uh, 741 00:29:50,100 --> 00:29:51,549 the network communication. 742 00:29:55,450 --> 00:29:56,450 So a. 743 00:29:58,790 --> 00:29:59,790 Um, 744 00:30:00,890 --> 00:30:04,219 we received an interesting JavaScript, 745 00:30:04,220 --> 00:30:05,359 uh, code. 746 00:30:08,020 --> 00:30:10,689 It's there in context, you can see it 747 00:30:10,690 --> 00:30:12,280 in text and. 748 00:30:14,890 --> 00:30:15,890 Let's get 749 00:30:16,990 --> 00:30:19,329 this straight so 750 00:30:19,330 --> 00:30:21,609 you can see, because there's nothing 751 00:30:21,610 --> 00:30:22,610 to see 752 00:30:23,800 --> 00:30:24,849 here. 753 00:30:24,850 --> 00:30:27,069 So this does not seem to be 754 00:30:27,070 --> 00:30:29,589 a regular JavaScript function. 755 00:30:31,000 --> 00:30:33,369 So maybe this is a JavaScript 756 00:30:33,370 --> 00:30:35,679 interface and 757 00:30:35,680 --> 00:30:38,139 JavaScript interfaces in Android are. 758 00:30:38,140 --> 00:30:40,809 But, uh, 759 00:30:40,810 --> 00:30:42,969 it's, uh, uh, 760 00:30:42,970 --> 00:30:44,439 it's, um, it's a grant. 761 00:30:44,440 --> 00:30:46,489 The web app keeps the right to call defined 762 00:30:46,490 --> 00:30:48,669 functions of, uh, the Java 763 00:30:48,670 --> 00:30:49,779 application. 764 00:30:49,780 --> 00:30:52,029 But in older versions 765 00:30:52,030 --> 00:30:54,129 of Android, 766 00:30:54,130 --> 00:30:55,119 there was a flaw. 767 00:30:55,120 --> 00:30:56,589 And, um, 768 00:30:58,210 --> 00:31:00,759 the JavaScript could, um, 769 00:31:00,760 --> 00:31:03,369 call arbitrary commands, 770 00:31:03,370 --> 00:31:05,199 uh, by reflection. 
771 00:31:05,200 --> 00:31:07,299 So the attacker could 772 00:31:07,300 --> 00:31:08,739 get a shell, for example. 773 00:31:09,940 --> 00:31:12,459 And there are lots of, 774 00:31:12,460 --> 00:31:14,679 uh, vulnerable phones in use 775 00:31:14,680 --> 00:31:15,669 today. 776 00:31:15,670 --> 00:31:17,919 So when you when they do it 777 00:31:17,920 --> 00:31:18,920 in clear text. 778 00:31:20,000 --> 00:31:22,439 It any 779 00:31:22,440 --> 00:31:23,749 man-in-the-middle attacker. 780 00:31:24,800 --> 00:31:26,239 Can control the phone. 781 00:31:27,540 --> 00:31:29,759 Basically, so 782 00:31:29,760 --> 00:31:31,949 it is a major vulnerability, 783 00:31:31,950 --> 00:31:34,079 so BNP has taken this 784 00:31:34,080 --> 00:31:36,839 information, is currently trying to to 785 00:31:36,840 --> 00:31:37,840 to correct there no. 786 00:31:54,650 --> 00:31:56,390 So it is summarized. 787 00:31:59,390 --> 00:32:01,449 The next one is, uh, a 788 00:32:01,450 --> 00:32:04,119 Russian Sberbank, 789 00:32:04,120 --> 00:32:06,619 and it's an interesting, 790 00:32:06,620 --> 00:32:08,769 uh, it's 791 00:32:08,770 --> 00:32:11,739 an interesting example, not because 792 00:32:11,740 --> 00:32:13,899 it is vulnerable, it's not 793 00:32:13,900 --> 00:32:14,439 vulnerable. 794 00:32:14,440 --> 00:32:17,049 It sends, it's leaking some information, 795 00:32:17,050 --> 00:32:19,209 but you will see why 796 00:32:19,210 --> 00:32:20,589 it is very interesting. 797 00:32:26,760 --> 00:32:27,760 So. 798 00:32:30,300 --> 00:32:31,300 Here. 799 00:32:32,770 --> 00:32:35,499 So we choose an API called 800 00:32:35,500 --> 00:32:38,169 Yandex Maps API 801 00:32:38,170 --> 00:32:39,170 and. 
802 00:32:40,650 --> 00:32:42,719 Let's see what it sends, 803 00:32:42,720 --> 00:32:44,879 Wi-Fi networks, and 804 00:32:44,880 --> 00:32:46,979 this is the MAC address of 805 00:32:46,980 --> 00:32:49,409 my access point used 806 00:32:49,410 --> 00:32:52,079 for doing, uh, 807 00:32:52,080 --> 00:32:54,179 um, network monitoring 808 00:32:54,180 --> 00:32:56,759 so it could dump 809 00:32:56,760 --> 00:32:58,929 all surrounding. 810 00:32:58,930 --> 00:33:01,019 It's not the Wi-Fi networks, 811 00:33:01,020 --> 00:33:03,239 so it's only Wi-Fi networks. 812 00:33:03,240 --> 00:33:05,489 So why why did they 813 00:33:05,490 --> 00:33:06,490 want to do it? 814 00:33:07,530 --> 00:33:09,929 Uh, it's, uh, I did 815 00:33:09,930 --> 00:33:12,569 some research and it is uh 816 00:33:12,570 --> 00:33:13,570 in fact. 817 00:33:14,220 --> 00:33:16,589 It is used for finding the location, 818 00:33:17,660 --> 00:33:20,909 uh, and every 819 00:33:20,910 --> 00:33:23,399 every other operator 820 00:33:23,400 --> 00:33:26,879 does it this way, um, 821 00:33:26,880 --> 00:33:29,639 Google Maps, uh, does it this way, too, 822 00:33:29,640 --> 00:33:30,640 and. 823 00:33:31,170 --> 00:33:33,659 It sends also the ID 824 00:33:33,660 --> 00:33:36,029 of, uh, all Wi-Fi 825 00:33:36,030 --> 00:33:38,099 networks and 826 00:33:38,100 --> 00:33:40,259 when we consider 827 00:33:40,260 --> 00:33:42,959 the responses of 828 00:33:42,960 --> 00:33:45,599 these calls, so 829 00:33:45,600 --> 00:33:46,919 let's try one now. 830 00:33:46,920 --> 00:33:49,379 This is not one. 831 00:33:49,380 --> 00:33:50,519 It's a random try. 832 00:33:50,520 --> 00:33:52,759 So maybe not 833 00:33:52,760 --> 00:33:53,760 the first. 834 00:33:54,710 --> 00:33:57,139 OK, yeah, 835 00:33:57,140 --> 00:33:59,449 so it sends Wi-Fi networks 836 00:33:59,450 --> 00:34:00,799 and the response is. 
837 00:34:05,180 --> 00:34:07,579 Found by Wi-Fi, so they 838 00:34:07,580 --> 00:34:09,799 know Miyoshi and they get 839 00:34:09,800 --> 00:34:11,949 my location with my Wi-Fi. 840 00:34:13,139 --> 00:34:15,229 Uh, it means that 841 00:34:15,230 --> 00:34:17,329 they have my Wi-Fi, my MAC 842 00:34:17,330 --> 00:34:18,760 address in the database. 843 00:34:19,810 --> 00:34:21,908 But how do they have 844 00:34:21,909 --> 00:34:24,908 all this information, in fact, 845 00:34:24,909 --> 00:34:27,428 when you, um, 846 00:34:27,429 --> 00:34:30,279 for example, Google Maps, uh, 847 00:34:30,280 --> 00:34:32,619 all the time, they send, 848 00:34:32,620 --> 00:34:34,839 uh, also sending Wi-Fi 849 00:34:34,840 --> 00:34:37,419 networks with your last 850 00:34:37,420 --> 00:34:39,488 known GSM location, 851 00:34:39,489 --> 00:34:41,709 because GSM, GSM 852 00:34:41,710 --> 00:34:43,269 cannot locate you 853 00:34:43,270 --> 00:34:45,428 precisely indoors. 854 00:34:45,429 --> 00:34:47,919 So they map, uh, your Wi-Fi 855 00:34:47,920 --> 00:34:50,738 networks with the last 856 00:34:50,739 --> 00:34:53,229 last, uh, final GSM 857 00:34:53,230 --> 00:34:55,329 location and this is the way 858 00:34:55,330 --> 00:34:56,860 they populate the database. 859 00:34:58,410 --> 00:35:00,689 And so 860 00:35:00,690 --> 00:35:03,539 they can, um, locate 861 00:35:03,540 --> 00:35:04,639 other users, 862 00:35:06,090 --> 00:35:08,399 so basically they have a database of 863 00:35:08,400 --> 00:35:10,409 world Wi-Fi networks. 864 00:35:12,250 --> 00:35:13,250 Wonderful. 865 00:35:19,070 --> 00:35:21,179 And it's not, uh, it's 866 00:35:21,180 --> 00:35:23,959 it's not, uh, especially Yandex, 867 00:35:23,960 --> 00:35:26,569 it's Google Maps and all the, 868 00:35:26,570 --> 00:35:28,789 uh, companies that do, uh, 869 00:35:28,790 --> 00:35:31,399 that do, um, Wi-Fi, 870 00:35:31,400 --> 00:35:33,110 um, location. 
871 00:35:35,800 --> 00:35:37,959 And it's not, uh, 872 00:35:37,960 --> 00:35:40,209 it's not the end because 873 00:35:40,210 --> 00:35:42,429 they reimplement, 874 00:35:42,430 --> 00:35:44,799 the Google Maps API, 875 00:35:44,800 --> 00:35:46,179 they do not use it. 876 00:35:46,180 --> 00:35:48,459 Yandex, um, 877 00:35:48,460 --> 00:35:50,919 your your option for 878 00:35:50,920 --> 00:35:52,989 disabling the, um, 879 00:35:52,990 --> 00:35:55,179 the location has 880 00:35:55,180 --> 00:35:57,429 just no effect on, uh, 881 00:35:57,430 --> 00:35:59,649 this application on Sberbank so 882 00:35:59,650 --> 00:36:02,109 we can disable your location, it 883 00:36:02,110 --> 00:36:04,119 tracks your location. 884 00:36:07,570 --> 00:36:09,939 So the last one is, 885 00:36:09,940 --> 00:36:12,049 uh, Bradesco, um, a 886 00:36:12,050 --> 00:36:13,050 Brazilian bank 887 00:36:15,670 --> 00:36:18,340 in this, uh, application. 888 00:36:21,870 --> 00:36:24,659 Uh, is, um, 889 00:36:24,660 --> 00:36:26,939 some exchange I sent with, 890 00:36:26,940 --> 00:36:29,009 uh, this host, uh, Web 891 00:36:29,010 --> 00:36:32,069 service are full of money 892 00:36:32,070 --> 00:36:34,179 that come that year 893 00:36:34,180 --> 00:36:35,180 and 894 00:36:36,400 --> 00:36:38,820 anesthetizing station there. 895 00:36:44,350 --> 00:36:46,329 We receive a private key. 896 00:36:47,750 --> 00:36:50,479 In context, yeah, 897 00:36:50,480 --> 00:36:52,849 so, uh, what, 898 00:36:52,850 --> 00:36:54,080 uh, why 899 00:36:55,700 --> 00:36:58,099 is this private key, I just 900 00:36:58,100 --> 00:36:59,100 did some 901 00:37:00,950 --> 00:37:02,479 quick research. 
902 00:37:02,480 --> 00:37:04,699 So basically, uh, 903 00:37:04,700 --> 00:37:06,980 uh, you take 904 00:37:08,120 --> 00:37:09,120 this address 905 00:37:10,980 --> 00:37:11,980 could be, 906 00:37:14,750 --> 00:37:16,849 I know, no Internet connection so I 907 00:37:16,850 --> 00:37:19,459 cannot show you that, I will continue. 908 00:37:19,460 --> 00:37:21,649 This private key is for accessing the 909 00:37:21,650 --> 00:37:23,119 Web service of the bank 910 00:37:29,240 --> 00:37:30,240 where. 911 00:37:33,880 --> 00:37:37,149 And this is not over 912 00:37:37,150 --> 00:37:39,789 is the application and, uh, 913 00:37:39,790 --> 00:37:42,219 the jQuery JavaScript, uh, 914 00:37:42,220 --> 00:37:44,979 file is here, the library, 915 00:37:44,980 --> 00:37:47,889 uh, but it is 916 00:37:47,890 --> 00:37:50,019 very, very dated, from, 917 00:37:50,020 --> 00:37:52,809 uh, 2010. 918 00:37:52,810 --> 00:37:55,359 So, uh, there are 919 00:37:55,360 --> 00:37:57,549 several vulnerabilities 920 00:37:57,550 --> 00:37:59,439 that have been discovered. 921 00:37:59,440 --> 00:38:01,539 And, uh, they are in the, 922 00:38:01,540 --> 00:38:04,009 uh, CVE database. 923 00:38:04,010 --> 00:38:05,010 Um, 924 00:38:06,310 --> 00:38:08,979 I, I did not 925 00:38:08,980 --> 00:38:11,109 find a way to exploit this vulnerability, 926 00:38:11,110 --> 00:38:13,299 Ismat, or but although 927 00:38:13,300 --> 00:38:15,429 surely we can do it is 928 00:38:15,430 --> 00:38:17,140 just what I say. 929 00:38:21,090 --> 00:38:23,269 I think you 930 00:38:23,270 --> 00:38:24,929 know why 931 00:38:27,270 --> 00:38:29,939 this is the end of the presentation. 932 00:38:29,940 --> 00:38:31,650 I will be pleased to answer 933 00:38:32,850 --> 00:38:33,850 your questions 934 00:38:35,550 --> 00:38:37,769 so and I will let Eric 935 00:38:37,770 --> 00:38:38,770 conclude. 
936 00:38:39,930 --> 00:38:42,149 So in fact, 937 00:38:42,150 --> 00:38:44,739 it is only a small sample because twenty 938 00:38:44,740 --> 00:38:47,459 twenty seven is a small part 939 00:38:47,460 --> 00:38:49,649 of what we intend to 940 00:38:49,650 --> 00:38:51,929 to cover. But in the forthcoming 941 00:38:51,930 --> 00:38:54,359 weeks, many details, details 942 00:38:54,360 --> 00:38:56,219 will be published. In fact, we just we 943 00:38:56,220 --> 00:38:58,309 are waiting either for the answer 944 00:38:58,310 --> 00:39:00,719 of the bank or 945 00:39:00,720 --> 00:39:02,939 for the correction of the program. 946 00:39:02,940 --> 00:39:05,609 And of course, uh, 947 00:39:05,610 --> 00:39:07,769 if the banks do not answer so 948 00:39:07,770 --> 00:39:09,749 we will have to publish at least in order 949 00:39:09,750 --> 00:39:11,969 to make them aware of the problem. 950 00:39:11,970 --> 00:39:14,699 So we intend, of course, 951 00:39:14,700 --> 00:39:16,829 to analyze other 952 00:39:16,830 --> 00:39:19,299 kinds of apps because some games 953 00:39:19,300 --> 00:39:21,569 are maybe the games 954 00:39:21,570 --> 00:39:22,889 is less less important 955 00:39:22,890 --> 00:39:24,879 than banking, of course, but it can leak 956 00:39:24,880 --> 00:39:26,099 a lot of data. 
957 00:39:26,100 --> 00:39:28,199 And we intend to to 958 00:39:28,200 --> 00:39:30,599 see whether the new for the new version 959 00:39:30,600 --> 00:39:32,669 of Angry Birds and so on still 960 00:39:32,670 --> 00:39:34,829 contains many undesirable 961 00:39:34,830 --> 00:39:37,439 functionalities, uh, in particular, 962 00:39:37,440 --> 00:39:39,599 security tools, because we have 963 00:39:39,600 --> 00:39:41,759 some concern about apps which 964 00:39:41,760 --> 00:39:43,889 are supposed to protect phones, but in 965 00:39:43,890 --> 00:39:46,259 fact, they are leaking information and, 966 00:39:46,260 --> 00:39:48,399 uh, making our 967 00:39:48,400 --> 00:39:49,860 smartphones, tablets weaker. 968 00:39:51,210 --> 00:39:52,210 So, 969 00:39:53,520 --> 00:39:55,619 in fact, all those tools are 970 00:39:55,620 --> 00:39:56,759 still under development. 971 00:39:56,760 --> 00:39:58,619 And we intend to, uh, to put more 972 00:39:58,620 --> 00:40:00,809 mathematics in order for people to use 973 00:40:00,810 --> 00:40:03,029 some advanced techniques in 974 00:40:03,030 --> 00:40:05,129 data mining in order to have a better 975 00:40:05,130 --> 00:40:07,589 view and understanding of the different, 976 00:40:07,590 --> 00:40:09,899 um, uh, relationships 977 00:40:09,900 --> 00:40:12,209 between, uh, API calls or functional 978 00:40:12,210 --> 00:40:13,320 internal functionalities. 979 00:40:17,480 --> 00:40:19,819 Of course, every time 980 00:40:19,820 --> 00:40:22,099 a bank will correct a security 981 00:40:22,100 --> 00:40:24,469 issue, we will look after whether 982 00:40:24,470 --> 00:40:27,139 they correct the security 983 00:40:27,140 --> 00:40:29,809 and the users' privacy as well, 984 00:40:29,810 --> 00:40:32,239 because in fact, just switching from HTTP 985 00:40:32,240 --> 00:40:34,369 to HTTPS, if you don't correct a 986 00:40:34,370 --> 00:40:35,590 vulnerability, it is not a solution. 
987 00:40:36,890 --> 00:40:38,809 So we will be very careful about the 988 00:40:38,810 --> 00:40:40,909 respect of the privacy aspect 989 00:40:40,910 --> 00:40:42,859 in banking apps. 990 00:40:42,860 --> 00:40:45,769 So it is only 991 00:40:45,770 --> 00:40:47,839 a small uh, we are 992 00:40:47,840 --> 00:40:49,969 very sorry not to be 993 00:40:49,970 --> 00:40:51,799 able to show all the technical details, 994 00:40:51,800 --> 00:40:53,539 but everything will be made public as 995 00:40:53,540 --> 00:40:54,709 soon as possible. 996 00:40:54,710 --> 00:40:56,809 In fact, it is clear that the banking 997 00:40:56,810 --> 00:40:59,269 application market is not a very 998 00:40:59,270 --> 00:41:00,349 mature market. 999 00:41:00,350 --> 00:41:01,760 And, um, 1000 00:41:03,080 --> 00:41:04,489 of course, we have found some 1001 00:41:04,490 --> 00:41:06,589 vulnerabilities. But as main a 1002 00:41:06,590 --> 00:41:09,259 figure, as main, uh, aspect. 1003 00:41:09,260 --> 00:41:11,089 In fact, users' privacy is not 1004 00:41:11,090 --> 00:41:12,079 respected. 1005 00:41:12,080 --> 00:41:14,209 So banks are collecting a 1006 00:41:14,210 --> 00:41:16,279 lot of information that they should not 1007 00:41:16,280 --> 00:41:18,499 collect. And which is not strictly 1008 00:41:18,500 --> 00:41:20,839 related to the bank account 1009 00:41:20,840 --> 00:41:21,840 management. 1010 00:41:22,760 --> 00:41:25,159 So I think that every 1011 00:41:25,160 --> 00:41:26,160 everyone should 1012 00:41:27,800 --> 00:41:30,349 put a big pressure on developers and 1013 00:41:30,350 --> 00:41:32,509 of course, maybe, just 1014 00:41:32,510 --> 00:41:34,489 maybe a dream. 
But I think that as as 1015 00:41:34,490 --> 00:41:36,559 users and consumers, we should have, 1016 00:41:36,560 --> 00:41:38,659 uh, we should ask 1017 00:41:38,660 --> 00:41:40,759 for more security and 1018 00:41:40,760 --> 00:41:43,129 especially for, uh, regarding 1019 00:41:43,130 --> 00:41:44,860 privacy and the technology. 1020 00:41:46,160 --> 00:41:48,319 Uh, the main problem was to find, 1021 00:41:48,320 --> 00:41:50,869 identify, contact banks 1022 00:41:50,870 --> 00:41:51,829 issue. 1023 00:41:51,830 --> 00:41:53,929 And even 1024 00:41:53,930 --> 00:41:55,760 for French banks, we are French. 1025 00:41:56,960 --> 00:41:59,270 It was very, very difficult. 1026 00:42:00,710 --> 00:42:02,779 And even going through the CERT, as 1027 00:42:02,780 --> 00:42:04,939 it is said, computer emergency 1028 00:42:04,940 --> 00:42:06,859 response team in the banks, they are not 1029 00:42:06,860 --> 00:42:09,469 communicating between themselves. 1030 00:42:09,470 --> 00:42:11,359 So it is very difficult. 1031 00:42:12,980 --> 00:42:15,379 So what is interesting, 1032 00:42:15,380 --> 00:42:17,599 all those apps are 1033 00:42:17,600 --> 00:42:20,509 as well on the Google, uh, Play, 1034 00:42:20,510 --> 00:42:22,579 it means that Google does not does 1035 00:42:22,580 --> 00:42:25,550 not perform any security verification. 1036 00:42:26,660 --> 00:42:28,639 So don't trust applications because they 1037 00:42:28,640 --> 00:42:30,139 are on the Google Play. 1038 00:42:30,140 --> 00:42:31,550 There is no verification. 1039 00:42:33,670 --> 00:42:35,979 I think, however, that Google has the power 1040 00:42:35,980 --> 00:42:38,079 maybe to enforce some trust policy 1041 00:42:38,080 --> 00:42:40,389 and to ask for more security. 1042 00:42:40,390 --> 00:42:41,390 Well. 
1043 00:42:42,110 --> 00:42:44,209 So what's the solution once 1044 00:42:44,210 --> 00:42:46,789 again, if they are available, 1045 00:42:46,790 --> 00:42:49,169 choose open source apps, but in the banking world 1046 00:42:49,170 --> 00:42:51,229 it is difficult because it is a closed 1047 00:42:51,230 --> 00:42:54,619 world and uh, 1048 00:42:54,620 --> 00:42:57,559 as a main observation, 1049 00:42:57,560 --> 00:42:59,869 it is maybe better for you 1050 00:42:59,870 --> 00:43:02,089 to prefer local or national 1051 00:43:02,090 --> 00:43:04,519 banks instead of international 1052 00:43:04,520 --> 00:43:06,529 banks because they they try to collect a 1053 00:43:06,530 --> 00:43:07,530 lot of data. 1054 00:43:08,180 --> 00:43:10,249 So sorry for the 1055 00:43:10,250 --> 00:43:12,289 problem of the demo, but everything once 1056 00:43:12,290 --> 00:43:13,879 again will be made available as soon as 1057 00:43:13,880 --> 00:43:15,619 possible. And thank you for your 1058 00:43:15,620 --> 00:43:16,620 attention. 1059 00:43:26,130 --> 00:43:28,349 Thank you very, very much for the 1060 00:43:28,350 --> 00:43:30,659 insight into this huge ongoing 1061 00:43:30,660 --> 00:43:32,879 effort before 1062 00:43:32,880 --> 00:43:34,979 taking questions, some 1063 00:43:34,980 --> 00:43:36,119 practical advice. 1064 00:43:36,120 --> 00:43:38,429 If there are questions, please line up. 1065 00:43:38,430 --> 00:43:40,439 But within the hour after the 1066 00:43:40,440 --> 00:43:42,569 microphones, some practical 1067 00:43:42,570 --> 00:43:44,759 advice. You find all the slides 1068 00:43:44,760 --> 00:43:47,639 and all the links to the websites 1069 00:43:47,640 --> 00:43:49,859 on the Congress Web page. 
1070 00:43:49,860 --> 00:43:51,989 If you go to the schedule, the Fahrplan, 1071 00:43:51,990 --> 00:43:54,279 click on the lecture, 1072 00:43:54,280 --> 00:43:56,669 click on the lecture site, you find 1073 00:43:56,670 --> 00:43:58,739 all the links and even a PDF of all 1074 00:43:58,740 --> 00:44:00,449 the slides and the links. 1075 00:44:00,450 --> 00:44:02,699 And it's very well worth a close 1076 00:44:02,700 --> 00:44:03,800 look and a visit. 1077 00:44:04,830 --> 00:44:07,259 Now, I think we wait half 1078 00:44:07,260 --> 00:44:09,359 a minute until those who want to 1079 00:44:09,360 --> 00:44:11,849 leave have left the room. 1080 00:44:11,850 --> 00:44:13,709 For those of you who want to ask 1081 00:44:13,710 --> 00:44:15,969 questions, please line 1082 00:44:15,970 --> 00:44:18,059 up at the 1083 00:44:18,060 --> 00:44:20,819 microphones to 1084 00:44:20,820 --> 00:44:21,479 sit at home. 1085 00:44:21,480 --> 00:44:23,969 You have some 1086 00:44:23,970 --> 00:44:26,100 sort of equilibrium based on what the 1087 00:44:27,480 --> 00:44:29,669 president of Georgia, Jimmy 1088 00:44:29,670 --> 00:44:31,289 Fictionist. No, it was more of a 1089 00:44:31,290 --> 00:44:31,799 procedure. 1090 00:44:31,800 --> 00:44:32,800 You mean 1091 00:44:35,060 --> 00:44:37,139 something called Windows 1092 00:44:37,140 --> 00:44:38,140 in Mexico? 1093 00:44:39,320 --> 00:44:41,489 I mean, the problem is 1094 00:44:41,490 --> 00:44:42,490 we do 1095 00:44:44,100 --> 00:44:45,979 know that you're all 1096 00:44:47,640 --> 00:44:48,640 right. 1097 00:44:51,840 --> 00:44:52,840 OK. 1098 00:44:58,460 --> 00:45:00,589 OK, ask your question. 1099 00:45:00,590 --> 00:45:03,319 Yeah, I let this one slide 1100 00:45:03,320 --> 00:45:04,939 regarding which please use the 1101 00:45:04,940 --> 00:45:05,849 microphone. 
1102 00:45:05,850 --> 00:45:08,209 Yes, that's the one slide on which 1103 00:45:08,210 --> 00:45:10,849 apps use which permissions, the statistics 1104 00:45:10,850 --> 00:45:11,850 page. 1105 00:45:12,350 --> 00:45:14,569 And the second point was, I 1106 00:45:14,570 --> 00:45:16,879 think that 1107 00:45:16,880 --> 00:45:18,709 the ability to use plain text 1108 00:45:18,710 --> 00:45:20,839 communication, or clear text 1109 00:45:20,840 --> 00:45:22,429 communications. 1110 00:45:22,430 --> 00:45:23,749 What does it mean exactly? 1111 00:45:23,750 --> 00:45:26,420 That they could use HTTP, 1112 00:45:28,130 --> 00:45:29,800 but I can't figure out the use. 1113 00:45:30,880 --> 00:45:31,880 So what does it mean? 1114 00:45:32,870 --> 00:45:35,779 Um, if I well understood, 1115 00:45:35,780 --> 00:45:38,359 why do they use HTTP instead of actually HTTPS? 1116 00:45:39,590 --> 00:45:41,879 No, now, what do they use 1117 00:45:41,880 --> 00:45:44,119 it for? Sending banking 1118 00:45:44,120 --> 00:45:45,229 information? 1119 00:45:45,230 --> 00:45:47,329 No, no, no. 1120 00:45:47,330 --> 00:45:49,849 When uh we uh I, 1121 00:45:49,850 --> 00:45:52,129 I never saw an application, banking 1122 00:45:52,130 --> 00:45:54,439 application, uh, 1123 00:45:54,440 --> 00:45:56,629 connecting, uh, to the, 1124 00:45:56,630 --> 00:45:58,809 uh, bank account in 1125 00:45:58,810 --> 00:46:00,949 HTTP. It's, uh, 1126 00:46:00,950 --> 00:46:03,409 the other functionality 1127 00:46:03,410 --> 00:46:05,509 like user tracking, which is a 1128 00:46:05,510 --> 00:46:06,899 functionality. Yeah.
1129 00:46:06,900 --> 00:46:07,909 And, uh, 1130 00:46:09,350 --> 00:46:11,509 um, since, uh, we, we 1131 00:46:11,510 --> 00:46:13,669 have seen like, uh, 1132 00:46:13,670 --> 00:46:16,069 the private k uh, we see 1133 00:46:16,070 --> 00:46:18,679 this protocol is not used for, 1134 00:46:18,680 --> 00:46:20,749 uh, connecting to your account, 1135 00:46:20,750 --> 00:46:22,819 it is used for other service, 1136 00:46:22,820 --> 00:46:23,820 services. 1137 00:46:24,920 --> 00:46:26,179 So, uh, 1138 00:46:27,540 --> 00:46:29,179 your money is 1139 00:46:30,740 --> 00:46:33,589 pretty safe if, uh, 1140 00:46:33,590 --> 00:46:36,559 if they did not choose some backdoor 1141 00:46:36,560 --> 00:46:38,689 like in the JPMorgan 1142 00:46:38,690 --> 00:46:39,690 case. 1143 00:46:40,820 --> 00:46:42,949 OK, but do they check, 1144 00:46:42,950 --> 00:46:45,139 uh, the certificates of, 1145 00:46:45,140 --> 00:46:47,689 uh, of the server? And 1146 00:46:47,690 --> 00:46:49,549 there were some lectures last year and 1147 00:46:49,550 --> 00:46:51,739 the year before on how they 1148 00:46:51,740 --> 00:46:53,389 all do it wrong and not check the 1149 00:46:53,390 --> 00:46:55,489 certificates and necessary connections 1150 00:46:55,490 --> 00:46:56,219 and stuff. 1151 00:46:56,220 --> 00:46:57,199 Mm hmm. 1152 00:46:57,200 --> 00:46:58,200 Uh. 1153 00:47:00,280 --> 00:47:02,409 Uh, so your question 1154 00:47:02,410 --> 00:47:04,659 is, is there any other, uh, 1155 00:47:04,660 --> 00:47:06,909 trustbusting or, uh, 1156 00:47:06,910 --> 00:47:09,009 O'Shea's or something like that or 1157 00:47:09,010 --> 00:47:11,859 not doing it good. 1158 00:47:11,860 --> 00:47:14,049 Yeah, I, I've 1159 00:47:14,050 --> 00:47:16,209 seen one app, one application, 1160 00:47:16,210 --> 00:47:18,399 but it's not an official banking 1161 00:47:18,400 --> 00:47:20,529 app. It's an app, 1162 00:47:20,530 --> 00:47:22,929 uh, um, 1163 00:47:22,930 --> 00:47:24,319 aggregate.
1164 00:47:24,320 --> 00:47:26,769 Uh, I don't know what it's in English, 1165 00:47:26,770 --> 00:47:29,439 but, uh, in fact it used, 1166 00:47:29,440 --> 00:47:31,729 um, which aggregates 1167 00:47:31,730 --> 00:47:33,879 a lot of banking accounts 1168 00:47:33,880 --> 00:47:36,189 when you have, um, multiple accounts, 1169 00:47:36,190 --> 00:47:38,689 and this app, uh, 1170 00:47:38,690 --> 00:47:39,759 uh, thing, 1171 00:47:39,760 --> 00:47:42,279 um, uh, was sending 1172 00:47:42,280 --> 00:47:44,469 the uh the 1173 00:47:44,470 --> 00:47:46,779 the password with 1174 00:47:46,780 --> 00:47:49,059 uh uh, SSL 1175 00:47:49,060 --> 00:47:51,459 communication that trusts almost anything, so 1176 00:47:51,460 --> 00:47:53,769 that there was no 1177 00:47:53,770 --> 00:47:56,559 security at all, but it is, 1178 00:47:56,560 --> 00:47:59,379 uh, the only one case 1179 00:47:59,380 --> 00:48:01,479 where I've seen, uh, 1180 00:48:01,480 --> 00:48:03,539 misconfiguration in SSL. 1181 00:48:05,230 --> 00:48:06,759 OK, yeah. 1182 00:48:06,760 --> 00:48:08,889 So it's not as bad as it sounded 1183 00:48:08,890 --> 00:48:09,890 on the slide. 1184 00:48:10,660 --> 00:48:12,879 Yeah. But in fact the 1185 00:48:12,880 --> 00:48:14,979 apps which aggregate several, uh, 1186 00:48:14,980 --> 00:48:17,529 banking applications will probably be a 1187 00:48:17,530 --> 00:48:19,749 problem in the future because at 1188 00:48:19,750 --> 00:48:21,759 the present time we are mainly on banking 1189 00:48:21,760 --> 00:48:22,809 apps alone. 1190 00:48:22,810 --> 00:48:25,119 But those, uh, aggregation, 1191 00:48:25,120 --> 00:48:27,189 uh, applications, uh, will 1192 00:48:27,190 --> 00:48:29,559 have to be monitored because they are 1193 00:48:29,560 --> 00:48:30,569 only a very few. 1194 00:48:30,570 --> 00:48:32,799 But the problem will be maybe at that 1195 00:48:32,800 --> 00:48:33,800 level.
1196 00:48:34,990 --> 00:48:37,869 Yeah, this is a whole different 1197 00:48:37,870 --> 00:48:40,089 problem, right? If you 1198 00:48:40,090 --> 00:48:41,919 trust your bank to deliver a secure 1199 00:48:41,920 --> 00:48:43,599 application, it's one thing; if you trust 1200 00:48:43,600 --> 00:48:45,669 somebody else to do 1201 00:48:45,670 --> 00:48:48,189 the implementation of 1202 00:48:48,190 --> 00:48:49,689 our banking APIs, it's 1203 00:48:50,830 --> 00:48:51,830 gonna be a tough thing. 1204 00:48:52,780 --> 00:48:53,780 OK, thank you. 1205 00:48:54,580 --> 00:48:55,870 OK, next question. 1206 00:48:57,790 --> 00:48:59,919 After we now saw quite a few 1207 00:48:59,920 --> 00:49:02,259 of the good examples of 1208 00:49:02,260 --> 00:49:04,659 horrible practices, which 1209 00:49:04,660 --> 00:49:06,309 was the best app you found? 1210 00:49:06,310 --> 00:49:09,039 And to directly add on that question, 1211 00:49:09,040 --> 00:49:11,709 how do the two German bank apps 1212 00:49:11,710 --> 00:49:12,710 compare? 1213 00:49:16,000 --> 00:49:16,959 The best. 1214 00:49:16,960 --> 00:49:19,359 I don't know if they are the best 1215 00:49:19,360 --> 00:49:22,639 application, but, uh, more generally, 1216 00:49:22,640 --> 00:49:25,029 uh, I found that, 1217 00:49:25,030 --> 00:49:27,319 for example, uh, some, 1218 00:49:27,320 --> 00:49:29,649 uh, national banking apps 1219 00:49:29,650 --> 00:49:32,319 in France were good, uh, 1220 00:49:32,320 --> 00:49:34,929 like Societe Generale, 1221 00:49:34,930 --> 00:49:37,629 and some app from, um, 1222 00:49:37,630 --> 00:49:40,239 uh, India was good. 1223 00:49:40,240 --> 00:49:42,369 But they are not known at 1224 00:49:42,370 --> 00:49:45,069 the, uh, international level. 1225 00:49:45,070 --> 00:49:46,530 Uh uh, the.
1226 00:49:47,640 --> 00:49:50,309 Commerzbank in Germany was 1227 00:49:50,310 --> 00:49:52,469 pretty good and, 1228 00:49:52,470 --> 00:49:54,569 uh, um, 1229 00:49:54,570 --> 00:49:56,759 uh, Deutsche Bank was 1230 00:49:56,760 --> 00:49:58,409 also quite good. 1231 00:49:58,410 --> 00:50:00,719 So, uh, so, 1232 00:50:00,720 --> 00:50:03,549 so, so, 1233 00:50:03,550 --> 00:50:06,119 it was not all horrible, 1234 00:50:07,350 --> 00:50:09,839 if it can, uh, uh, 1235 00:50:09,840 --> 00:50:11,639 reassure you. 1236 00:50:11,640 --> 00:50:12,059 Yes. 1237 00:50:12,060 --> 00:50:14,909 Thank you. There is one problem. 1238 00:50:14,910 --> 00:50:16,319 There are two different points. 1239 00:50:16,320 --> 00:50:18,629 You have the American security issue, 1240 00:50:18,630 --> 00:50:20,459 but from a more general point of view, 1241 00:50:20,460 --> 00:50:23,039 you have user's privacy, uh, 1242 00:50:23,040 --> 00:50:25,319 respect. And in this case, uh, 1243 00:50:25,320 --> 00:50:27,929 banks may be less, uh, 1244 00:50:27,930 --> 00:50:30,429 respectful of all data. 1245 00:50:30,430 --> 00:50:32,579 Um, maybe you are not, 1246 00:50:32,580 --> 00:50:35,009 you don't know the concept, the concept 1247 00:50:35,010 --> 00:50:37,199 of user tracking in, uh, 1248 00:50:37,200 --> 00:50:39,150 websites, uh, 1249 00:50:40,230 --> 00:50:42,299 if you like, you know. So each 1250 00:50:42,300 --> 00:50:44,339 time you click on something, you do a 1251 00:50:44,340 --> 00:50:46,409 request to send to a server 1252 00:50:46,410 --> 00:50:48,569 and say, uh, this 1253 00:50:48,570 --> 00:50:51,029 user clicked on this 1254 00:50:51,030 --> 00:50:53,819 and he, 1255 00:50:53,820 --> 00:50:56,219 it stayed, uh 1256 00:50:56,220 --> 00:50:58,829 uh, this, this time 1257 00:50:58,830 --> 00:51:00,719 on this window.
1258 00:51:00,720 --> 00:51:02,819 So it's like, uh, 1259 00:51:02,820 --> 00:51:05,489 all you do is known and 1260 00:51:05,490 --> 00:51:07,919 is, uh, uh, stored 1261 00:51:07,920 --> 00:51:10,229 and, uh, is used to do 1262 00:51:10,230 --> 00:51:12,689 statistics and some behaviors, 1263 00:51:12,690 --> 00:51:14,819 uh uh, you 1264 00:51:14,820 --> 00:51:17,049 know, some behaviors of, uh, 1265 00:51:17,050 --> 00:51:18,360 uh, consumption. 1266 00:51:20,730 --> 00:51:22,949 It's pretty 1267 00:51:22,950 --> 00:51:24,630 creepy to me, but 1268 00:51:26,430 --> 00:51:27,900 thank you. Next question here. 1269 00:51:29,340 --> 00:51:31,079 Well, uh, thanks a lot. 1270 00:51:31,080 --> 00:51:33,299 First of all, thanks a lot for your work 1271 00:51:33,300 --> 00:51:35,489 and for presenting it, because it is 1272 00:51:35,490 --> 00:51:36,599 really interesting. 1273 00:51:36,600 --> 00:51:38,819 I would like to ask, uh, this 1274 00:51:38,820 --> 00:51:41,219 question. Uh, your program, 1275 00:51:41,220 --> 00:51:42,220 uh, 1276 00:51:43,770 --> 00:51:46,019 does some reverse engineering 1277 00:51:46,020 --> 00:51:48,599 of the code and you are able to browse 1278 00:51:48,600 --> 00:51:50,399 the reverse engineered code. 1279 00:51:50,400 --> 00:51:52,979 But how does it behave when the code is 1280 00:51:52,980 --> 00:51:54,719 obfuscated, for example, with ProGuard, 1281 00:51:54,720 --> 00:51:57,179 DexGuard, or if the code is developed 1282 00:51:57,180 --> 00:51:58,529 using A.K. 1283 00:51:58,530 --> 00:52:01,589 or something like that? Does the reverse 1284 00:52:01,590 --> 00:52:03,359 never fail? 1285 00:52:03,360 --> 00:52:06,089 OK, but the code can be obfuscated.
1286 00:52:06,090 --> 00:52:09,209 But when you are, uh, 1287 00:52:09,210 --> 00:52:11,429 trying to understand, uh, reversed 1288 00:52:11,430 --> 00:52:13,529 code, you do not need 1289 00:52:13,530 --> 00:52:16,349 to understand all 1290 00:52:16,350 --> 00:52:19,029 of it, all that happens, 1291 00:52:19,030 --> 00:52:20,239 OK. 1292 00:52:20,240 --> 00:52:22,709 The main important thing in Android 1293 00:52:22,710 --> 00:52:25,019 applications are Android API 1294 00:52:25,020 --> 00:52:27,419 calls, which are the 1295 00:52:27,420 --> 00:52:29,759 functions that the 1296 00:52:29,760 --> 00:52:32,259 phone provides to access, 1297 00:52:32,260 --> 00:52:34,859 uh, valuable information. 1298 00:52:34,860 --> 00:52:37,229 OK, so if 1299 00:52:37,230 --> 00:52:39,779 I can see these functions, 1300 00:52:39,780 --> 00:52:42,059 I basically can see what 1301 00:52:42,060 --> 00:52:44,819 the application can do, even 1302 00:52:44,820 --> 00:52:47,039 if there is some different code 1303 00:52:47,040 --> 00:52:48,959 here and there. 1304 00:52:48,960 --> 00:52:50,609 It's not important. 1305 00:52:50,610 --> 00:52:52,769 And I never, I 1306 00:52:52,770 --> 00:52:55,319 never saw an application 1307 00:52:55,320 --> 00:52:57,929 that obfuscates API 1308 00:52:57,930 --> 00:53:00,509 calls, but it is 1309 00:53:00,510 --> 00:53:02,729 theoretically possible, but I never 1310 00:53:02,730 --> 00:53:03,730 saw it. 1311 00:53:05,250 --> 00:53:06,250 More on the 1312 00:53:07,800 --> 00:53:08,969 static analysis. 1313 00:53:08,970 --> 00:53:11,129 We all know the 1314 00:53:11,130 --> 00:53:13,349 limitations on obfuscation, 1315 00:53:13,350 --> 00:53:16,319 and nobody can 1316 00:53:16,320 --> 00:53:18,729 beat all of it. 1317 00:53:18,730 --> 00:53:21,209 OK, so it's why 1318 00:53:21,210 --> 00:53:23,399 we use also dynamic 1319 00:53:23,400 --> 00:53:24,400 analysis.
1320 00:53:25,080 --> 00:53:27,959 In fact, when obfuscated, 1321 00:53:27,960 --> 00:53:30,119 obfuscation is used for obfuscation, 1322 00:53:30,120 --> 00:53:31,859 it means that with the tool it is 1323 00:53:31,860 --> 00:53:34,259 possible to bypass the obfuscation. 1324 00:53:34,260 --> 00:53:36,469 But if some, 1325 00:53:36,470 --> 00:53:38,589 some, some day we will find a 1326 00:53:38,590 --> 00:53:40,889 very deeply obfuscated, 1327 00:53:40,890 --> 00:53:43,019 uh, application, we will do it by 1328 00:53:43,020 --> 00:53:44,429 hand, manually. 1329 00:53:44,430 --> 00:53:46,739 So, but most of the time 1330 00:53:46,740 --> 00:53:48,599 the automatic reversing is still 1331 00:53:48,600 --> 00:53:50,879 sufficient in order to bypass the very 1332 00:53:50,880 --> 00:53:52,949 poor obfuscation that we... 1333 00:53:52,950 --> 00:53:53,339 Excuse me. 1334 00:53:53,340 --> 00:53:55,919 What, what do you mean with bypass? 1335 00:53:55,920 --> 00:53:59,069 Because when you obfuscate, you lose some 1336 00:53:59,070 --> 00:54:01,139 information, at least to understand 1337 00:54:01,140 --> 00:54:03,689 the function of some functionalities. 1338 00:54:03,690 --> 00:54:05,429 OK, ok, ok, ok. 1339 00:54:05,430 --> 00:54:07,409 But at the present time we didn't 1340 00:54:07,410 --> 00:54:10,319 ever find a very sophisticated application. 1341 00:54:10,320 --> 00:54:12,449 So basically, you know, they 1342 00:54:12,450 --> 00:54:14,609 didn't care about protecting the apps. 1343 00:54:14,610 --> 00:54:15,119 Mm hmm. 1344 00:54:15,120 --> 00:54:16,140 OK, thanks a lot. 1345 00:54:17,670 --> 00:54:19,319 Well, there's another question on the 1346 00:54:19,320 --> 00:54:20,519 other microphone. 1347 00:54:20,520 --> 00:54:22,169 OK, in the beginning of the talk, you 1348 00:54:22,170 --> 00:54:24,959 said you used man in the middle 1349 00:54:24,960 --> 00:54:26,939 to be able to analyze the SSL 1350 00:54:26,940 --> 00:54:28,109 communication.
1351 00:54:28,110 --> 00:54:29,729 But this to me means that the 1352 00:54:29,730 --> 00:54:31,979 applications should have understood 1353 00:54:31,980 --> 00:54:33,779 they are not talking to the bank and 1354 00:54:33,780 --> 00:54:35,489 should have just stopped communication at 1355 00:54:35,490 --> 00:54:36,299 all. 1356 00:54:36,300 --> 00:54:38,669 It's a very interesting question 1357 00:54:38,670 --> 00:54:41,159 because BNP 1358 00:54:41,160 --> 00:54:44,339 Paribas, which has a vulnerability, 1359 00:54:44,340 --> 00:54:46,799 beat my, uh, 1360 00:54:46,800 --> 00:54:48,619 SSL man in the middle. 1361 00:54:50,340 --> 00:54:52,380 The vulnerability I've discovered is 1362 00:54:53,580 --> 00:54:55,799 because of the user tracking 1363 00:54:55,800 --> 00:54:56,800 framework. 1364 00:54:57,840 --> 00:55:00,689 But, uh, I could not connect 1365 00:55:00,690 --> 00:55:02,909 to the server because 1366 00:55:02,910 --> 00:55:06,099 they refused my connection, because 1367 00:55:06,100 --> 00:55:08,159 I think, I am not 1368 00:55:08,160 --> 00:55:10,479 sure that, uh uh 1369 00:55:12,360 --> 00:55:14,549 but uh, not one hundred 1370 00:55:14,550 --> 00:55:16,619 percent, but I think 1371 00:55:16,620 --> 00:55:18,899 they, they have their own set 1372 00:55:18,900 --> 00:55:21,539 of certification authorities 1373 00:55:21,540 --> 00:55:23,369 and they do not use the system ones. 1374 00:55:23,370 --> 00:55:25,559 So it basically 1375 00:55:25,560 --> 00:55:28,079 bypasses, uh, beat my, uh, 1376 00:55:28,080 --> 00:55:29,339 my system. 1377 00:55:29,340 --> 00:55:31,409 OK, but this happened only with BNP 1378 00:55:31,410 --> 00:55:32,729 Paribas. 1379 00:55:32,730 --> 00:55:33,809 Uh, can we, please. 1380 00:55:33,810 --> 00:55:35,549 It just happened only with one bank. 1381 00:55:35,550 --> 00:55:38,339 All the others blocked it up and, uh, 1382 00:55:38,340 --> 00:55:40,739 with maybe five 1383 00:55:40,740 --> 00:55:43,259 of the twenty seven banks.
1384 00:55:43,260 --> 00:55:45,689 But, uh, it's um 1385 00:55:45,690 --> 00:55:47,760 the banks are, uh, more, 1386 00:55:48,960 --> 00:55:51,059 more careful, a little more careful 1387 00:55:51,060 --> 00:55:53,279 on security. So some of the banks 1388 00:55:53,280 --> 00:55:55,949 implement that trick, but 1389 00:55:55,950 --> 00:55:58,319 not all apps 1390 00:55:58,320 --> 00:55:59,639 at all. 1391 00:55:59,640 --> 00:56:00,640 Thank you. 1392 00:56:01,980 --> 00:56:04,229 More questions? If not, again, 1393 00:56:04,230 --> 00:56:06,479 you find the slides and the links on 1394 00:56:06,480 --> 00:56:08,849 the Congress website and, uh, 1395 00:56:08,850 --> 00:56:10,079 keep an eye on it. 1396 00:56:10,080 --> 00:56:12,839 Thank you very much, gentlemen, for that. 1397 00:56:12,840 --> 00:56:13,840 Thank you.