Published on Jan 25, 2016
Mobile devices have become a central part of daily life. Every mobile offering comprises a complex ecosystem of technologies that interact to meet the growing need for ubiquitous availability of business-critical data. This trend speeds up business decisions and processes, but at the same time it poses big security challenges. A recurring question when deciding to "go mobile" is: is it wise to carry so many business secrets in your pocket? It certainly is not if you take no measures to guarantee the security of the data at rest. To tackle this, several companies offer solutions that cryptographically protect the business information stored on mobile devices. In this talk we focus on an SAP framework called DataVault, one of the key components of the SAP Mobile Platform (SMP), which implements secure storage for confidential information using proven strong cryptography. In particular, we will present and exploit live a series of vulnerabilities in this framework that allow an attacker to partially decrypt the content of the secure key-value storage without prior knowledge of any secret or key. Leveraging these vulnerabilities, we will also show a practical cloning attack against the SAP Authenticator, a time-based one-time password (TOTP) two-factor authenticator app based on RFC 6238.