Profile

Joshua J. Drake
Works at Accuvant
Attended Central Michigan University
1,154 followers|147,976 views

Stream

Joshua J. Drake
moderator

Discussion  - 
 
Seems like it's finally happening!

"Although WebView has been based on Chromium since Android 4.4, the Chromium layer is now updatable from Google Play.

As new versions of Chromium become available, users can update from Google Play to ensure they get the latest enhancements and bug fixes for WebView, providing the latest web APIs and bug fixes for apps using WebView on Android 5.0 and higher."

This change closes a huge gap in Android security. Kudos to everyone that pitched in to make it a reality!
 
I'm also very excited about this.

Joshua J. Drake
moderator

Commercial  - 
 
In case any of you missed it, myself and several of my esteemed colleagues finished and published Android Hacker's Handbook this spring. This book is around a year and a half in the making and is well worth the cover price! We hope you find it interesting. Further, we hope the knowledge within will help advance the state of security in the Android ecosystem!

You can pick the book up at any of your favorite [e-]book outlets. Here's a link to the US Amazon product: http://www.amazon.com/dp/111860864X
5 comments
 
Got this book from the Accuvant booth at OWASP AppSec USA. Good job on the book, really worth all the time spent on this book.

Joshua J. Drake

Shared publicly  - 
 
It's official! I'm having another baby!
7 comments
 
good job! ;)

Joshua J. Drake

Shared publicly  - 
 
In case you missed it...
5 comments
 
I don't. sorry.

Joshua J. Drake

News & Updates  - 
 
Hey everyone, please take care not to visit URLs from people you do not trust on your Glass until this is fixed!
 
Google Glass Hacked - Web View Browser Exploit exposes Glass to hackers. Oops.

Devs at http://headsupventures.com/ just ran a test to see if this exploit works on Glass...and indeed it does.

Exploit details - here https://github.com/rapid7/metasploit-framework/pull/2942 

What's the worst that can happen?
How about taking photos, videos, turning on your microphone remotely without you knowing!
Your phone and Glass are now vulnerable via browser and Ad Networks, so a compromised Wi-Fi hotspot could essentially gain access to your phone. Or just visit a malicious page where the JavaScript can access your security-protected APIs.
+Google Glass +Society of Glass Enthusiasts  #glassexplorers  +Engadget +Gizmodo +GizmodoUK 
 
Thanks for the heads up!

Joshua J. Drake
moderator

Discussion  - 
 
I just posted an advisory for two security issues I discovered in the Android SDK. Check it out at http://www.droidsec.org/advisories/2014/02/04/two-security-issues-found-in-the-android-sdk-tools.html
9 comments
 
+Artem Russakovskii haven't had time to add myself

Joshua J. Drake
moderator

Discussion  - 
 
Hey all, this CVE just crossed my gaze. This is a bug I discovered in June while doing research for RECon 2013. All Android devices between version 4.0 and 4.3 (inclusive) are affected with the exception of a handful (Moto X, Note 3, Nexus 10 on JWR66Y).

https://www.codeaurora.org/projects/security-advisories/missing-access-checks-putusergetuser-kernel-api-cve-2013-6282
4 comments
 
+Joshua J. Drake
you can get it from here: http://pan.baidu.com/s/17pKMt

Joshua J. Drake
moderator

Discussion  - 
 
This isn't entirely security related, but it certainly has security relevant applications.
 
Introducing Process Explorer for Android, a web-based process & logcat viewer for Android. All Apache-licensed.

There are lots of process visualizers in the app store, but the trouble is you actually have to use your Android user interface to see the stats. Usually I'm interested in viewing the effects of what's going on in Android at the same time as it's doing its thing, not instead of.

APK:
aosp.opersys.com/files/process-explorer-app.apk

Repos:
https://github.com/opersys/process-explorer-web
https://github.com/opersys/process-explorer-app
2 comments
 
Wow just seen this, thanks!

Joshua J. Drake
moderator

Discussion  - 
 
We put together some of our thoughts about the WebView.addJavascriptInterface flaws that are still putting users at risk. http://www.droidsec.org/news/2014/02/26/on-the-webview-addjsif-saga.html
5 comments
 
+John Kozyrakis Yeah. Unfortunately there's not much to recommend :-(

Joshua J. Drake
moderator

Discussion  - 
 
After I opened my addjsif Metasploit module repository on GitHub, +Joseph Vennix took a closer look and found out +Google Glass XE12 was affected! This allows a remote compromise of the Glass browser by persuading someone to visit a URL. Pretty nasty if you ask me. The bug has been long since fixed on most Android devices, but since Glass runs Android 4.0.4 it's still vulnerable! OOPS!
 
3 comments
 
not sure if I have time right now. I'll give it some thought.

Joshua J. Drake
moderator

Discussion  - 
 
Some food for thought. Android is only vulnerable to a total of 30 vulnerabilities ever!!! http://www.cvedetails.com/product/19997/Google-Android.html?vendor_id=1224
Google Android security vulnerabilities, exploits, metasploit modules, vulnerability statistics and list of versions
5 comments
 
Oh? OSVDB lists 74, still seems awfully low. See http://j.mp/1kus6ju

Joshua J. Drake

Questions/Speculation  - 
 
Has anyone received their "one time swap" email yet? I thought they said they'd be reaching out to people in November? +Google Glass 
4 comments
 
Not yet '-{
People
Have him in circles
1,154 people
Education
  • Central Michigan University
    Math & Computer Science, 1996 - 1998
Story
Tagline
Computer Security Enthusiast
Introduction
I've been into skateboarding since 1988, computers since 1989, and computer security since 1993.
Bragging rights
Pwn2Own 2013 Winner - Java, Defcon 18 CTF Winner, w00w00 affiliate
Work
Occupation
Computer Security Research and Development
Employment
  • Accuvant
    Labs Research Scientist, 2011 - present
  • Rapid7
    Lead Exploit Developer - Metasploit, 2009 - 2011
  • VeriSign / iDefense
    Vulnerability Researcher, 2005 - 2009
  • Mannetron, Inc.
    Lead Software Architect, 2003 - 2005
Basic Information
Gender
Male
Other names
jduck