Okay, i see what the problem is here but i think it's not a problem with the monkey rather than with the developer. i think that security as you understand it from a PC, Server or Laptop will be very different than from a phone. because you think "it's just a phone" and not "it's a pc in a small case, with some voice communication stuff" (or at least the majority will think like that). also it's always about securing the weakest link. I don't think that a possible brute force attack will be the weakest link here. I think most people dont care about there pin codes and will leave them 00000 or something, just because they think its annoying.
On Wed, 7 Aug 2013 13:18:56 -0700 (PDT), Keith Makan <k3170ma...@gmail.com> wrote: > Hi reox, thanks for the reply :) > > I should frame this problem a bit better; so here goes... > > Recently I've been serveying some high-end apps on the PlayStore to see > how well they protect against brute-force protection; > and what I found was that a lot of the password manager and anti-theft > apps actually don't have much protection at all i.e. if i can still > successfully > auth after submitting around 20-30 successively incorrect login attempts > then there is no protection. > > So the next challenge was to find a way to rapidly and programmatically > submit login attempts to the apps; > the answer I came up with was to abuse abuse the MonkeyRunner framework, > here's a PoC I whipped up against the Kaspersky anti-theft app: > " > from com.android.monkeyrunner import MonkeyRunner,MonkeyDevice > device = MonkeyRunner.waitForConnection() > valid_login = "12345" > #do hoards of incorrect login attempts, and hope to get locked out or > CAPTHA'd > > for attempt in _list_of_pins:_ #set this for about a 100 rapid attempts > device.type(attempt) #type pin into textbox, its the only editText and > it grabs focus so I don't need to know its screen position > device.touch(360,366,"DOWN") #press the "Sign in button and wait for the > magic..." > > #submit a valid login attempt and see if we can actually still auth > device.type(valid_login) # > > Links: > ------ > [1] > http://developer.android.com/reference/android/app/ActivityManager.html#isUserAMonkey() > [2] http://groups.google.com/group/android-security-discuss > [3] https://groups.google.com/groups/opt_out > [4] http://groups.google.com/group/android-security-discuss > [5] https://groups.google.com/groups/opt_out -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+unsubscr...@googlegroups.com. To post to this group, send email to android-security-discuss@googlegroups.com. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/groups/opt_out.
