
Wednesday, August 11th, 2010 | Author: Tim

Stompin` out spyware at work...



It’s been quite a while since I’ve posted anything on my blog. It’s hard to always post information, though I felt I’ve done a good job posting relevant information I’ve researched over the past two years. It’s about time I start getting back into it - though in the meantime it’s time for a little life update. So if you’re here for a technical blurb - read no further since this won’t have any source code embedded in it, or post-mortems of any applications.


For the past year I’ve had an awesome job at Amadeus North America, working on an excellent new cutting edge product for the travel industry. It was a great learning experience, getting to delve into the world of rapid agile development and learn new tools such as Google Web Toolkit (GWT). I developed countless strong relationships with many coworkers, picking up plenty of coding ‘style’ and quirks. Things that I directly attribute to my coding style today, and definitely something that I’m proud of. Most importantly, I have a real issue making code without writing unit tests (Thanks @RyanNorris!) and feel sick to my stomach if I ever try to check in code without JavaDocs. Looking back, I can honestly say I loved my time at Amadeus. The long days, even the stressful ones, helped me prepare for being a real software engineer - learning more than I ever had in school.


Then I met the Lookout team…


“Lookout” is right, because these guys were insane. I grabbed some food with them while at a conference in San Francisco. Never in my life had I had such an awesome nerd-fest day. Conventions were always interesting, and you always meet interesting people - but these guys were real. They didn’t just talk the talk - they actually did very impressive things day in and day out. Much to my surprise, I had things to actually add to the many interesting talks that evolved through the night. Even more shocking to me, I was asked if I’d ever considered relocating to the west coast for a job.


I remember thinking, “Yikes, these guys are just being nice, it’d never happen”. I talked it over with my girlfriend the next morning after arriving on the red-eye. Lots of words were thrown back and forth with “it’s probably never going to happen, but…” We agreed I’d go along with the process, like the many other times I’d been approached by companies. It never worked out before, so I wasn’t going to make a big deal of it, or even think of it as anything but a remote possibility.


Then came the phone interview… I always hated these things, they’re worse than face to face interviews because you can’t see the other person’s expressions. Are you talking too in-depth? Not in-depth enough? Does this person just not believe you? It’s just hard sometimes to gauge people’s reactions without being in the same room. I remember walking away from the phone interview thinking, “Damn… That either really sucked, or went really well.” Luckily, it went well and I got an email asking if I could come out to San Francisco for an interview. This is when everything really started to hit me, could I really be getting the dream job I’ve always wanted?


To shorten this post, since I’ve already babbled along for too long - I came in for the interview and ended up doing well. Some of the most interesting interview questions I’ve ever heard were asked, like “How would you exploit this code?” from Anthony Lineberry. After the interview, I actually ended up getting an offer that blew my mind away. It was settled, there was no question in my mind that I wanted this job. My family kept reminding me, sometimes your favorite hobby isn’t the best job… Thank god that didn’t hold true :)


So I up and moved to San Francisco, got an awesome apartment with some killer roommates. I’ve been a part of the Lookout Mobile Security team for almost a month now. Officially I’m a “Security Response Engineer” (I know, that’s bad ass, never thought I’d have that title..) and getting to learn more and do more things with Android and other mobile systems than I thought I’d get to. I now get to do for work what I did in my off hours, it’s quite possibly the greatest adventure I’ve gotten a chance to take on yet. In the short time I’ve been here I even got to go to Defcon for my first hacker convention. I got to take in tons of great talks with many smart people, and even help with some of my coworkers’ presentations: “App Attack: Surviving the mobile application explosion”, “These aren’t the permissions you’re looking for”.


Anyway, just figured I’d use this as a kick off post as I get back into gear with blogging again. For now though, I’m going to get back to doing my part with this awesome team in keeping mobile safe and developers smart.

Monday, May 10th, 2010 | Author: Tim

Much like a previous post I had, “Brutal” Google coding humor…, I was perusing some code in the AOSP and found an interesting comment:

// XXX: PROTECT FROM VIKING KILLER

Below is the full snippet from the file, logwrapper.c.

void child(int argc, char* argv[]) {
    // create null terminated argv_child array
    char* argv_child[argc + 1];
    memcpy(argv_child, argv, argc * sizeof(char *));
    argv_child[argc] = NULL;

    // XXX: PROTECT FROM VIKING KILLER
    if (execvp(argv_child[0], argv_child)) {
        LOG(LOG_ERROR, "logwrapper",
            "executing %s failed: %s", argv_child[0], strerror(errno));
        exit(-1);
    }
}

I’m not sure if “Viking Killer” is an inside joke, an actual good comment or what. Though read aloud - it sounds like a badly named European adult film…

Friday, May 07th, 2010 | Author: Tim

Continuing with the thread of “stealth” and “locking” devices, I’ve decided to look at WaveSecure. I’ve been getting many emails regarding the Uninstall Protection Add-on. The concept behind WaveSecure and the UPA is that they monitor each other - locking the phone if either one is uninstalled. Seems like a pretty slick way to protect the application - though like everything else in the world, there are loopholes. I’ve gotten a few emails from people asking how secure it really is, and even how to circumvent it if they forget the password or locked the phone. While I’m never sure what these people’s intentions really are, assuming they’re not lying to me there is a good use case for knowing how to remove programs that “lock down” your phone.

Ops? How'd that happen!?



When removing either WaveSecure or the UPA program, you’ll be prompted with a locked phone - as shown by the picture above. How do we get around that? How can we make this better? Well, there is a quick way to get around this that can work for or against you. If you’ve enabled debug mode on your phone, which allows you to connect via ADB, then you’re in luck - this is really easy. Simply using adb we can quickly disable the locking program.

If the Uninstall Protection Add-on was removed from your phone, then WaveSecure is the application locking your phone. The inverse is also true. This is important, since we need to know which package to disable. UPA’s package name is “com.wsandroid.uninstall_listener” while the main application (WaveSecure) package name is “com.wsandroid”. Following the instructions below you can quickly disable the necessary application to get into your phone:

adb shell pm disable <package_name>

This will disable the package, as long as adb has root access - otherwise it will attempt to kill the process which should also gain you access. This method should also work for nearly any package you wish to disable.
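Seen from the defender's side, the state change described above is easy to audit. The following is an added example, not code from the original post or from WaveSecure: it classifies the two package names given above from `pm list packages` output. The sample listings are constructed, and it assumes a `pm` build that supports the `-e` (enabled) and `-d` (disabled) filters.

```shell
#!/bin/sh
# Added example: report whether the WaveSecure pair named in the post is still
# enabled, based on `pm list packages` output. Sample data is constructed.

# Constructed sample of `adb shell pm list packages -e` (enabled packages).
SAMPLE_ENABLED='package:com.android.settings
package:com.wsandroid
package:com.android.browser'

# Constructed sample of `adb shell pm list packages -d` (disabled packages).
SAMPLE_DISABLED='package:com.wsandroid.uninstall_listener'

# pkg_state ENABLED_LIST DISABLED_LIST PACKAGE -> enabled | disabled | missing
pkg_state() {
    # -x matches whole lines and -F treats dots literally, so com.wsandroid
    # never matches com.wsandroid.uninstall_listener. tr strips the carriage
    # returns that some adb versions append to each line.
    if printf '%s\n' "$2" | tr -d '\r' | grep -qxF "package:$3"; then
        echo disabled
    elif printf '%s\n' "$1" | tr -d '\r' | grep -qxF "package:$3"; then
        echo enabled
    else
        echo missing
    fi
}

# pair_status ENABLED_LIST DISABLED_LIST -> intact only if both are enabled
pair_status() {
    status=intact
    for pkg in com.wsandroid com.wsandroid.uninstall_listener; do
        state=$(pkg_state "$1" "$2" "$pkg")
        echo "$pkg: $state" >&2          # per-package detail on stderr
        [ "$state" = enabled ] || status=tampered
    done
    echo "$status"
}

# On a live device (assumes adb on PATH and a single attached device):
#   pair_status "$(adb shell pm list packages -e)" \
#               "$(adb shell pm list packages -d)"
pair_status "$SAMPLE_ENABLED" "$SAMPLE_DISABLED"
```

A result of `tampered` means at least one half of the pair is disabled or absent, which is the condition the mutual-monitoring design is meant to prevent.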

The second method for getting around this lock is rebooting the phone into Safe Mode - this will prevent any applications that are not system based from starting up. This includes any malware, spyware or locking applications. The good (bad?) thing about this is that you do not need to be rooted or have adb enabled to get into Safe Mode. Safe Mode can be booted into by holding “Menu” during boot up, though googling for specific directions for your phone might yield different results.