Android WebLogin: Google's Skeleton Key presented at DEFCON 2013

by Craig Young,

Summary : Millions of businesses worldwide trust in Google Apps to run their organization's domain. The life-blood of these organizations is routinely stored with Google accounts and accessed with mobile devices. This talk explores how an adversary can parlay the compromise of a single Android device into a complete Google apps domain takeover. The attack vectors explored in this talk make use of various design considerations made by Google to enhance the user-experience and can be equally utilized with malware or physical device access.
Several iterations of malicious Android applications were created using these techniques. The apps were then analyzed with multiple Android Anti-Virus products and subsequently published in Google's Play Store. The PoC iterations and analysis results provide some insight into the state of Google's Bouncer and Android malware analysis at the end-point.
The final part of the talk is aimed at identifying best practices to minimize risk as well as guidelines for recovering from security incident.