Smartphones are hot, like a server from 1995, public ip address (phone number) and sending all it’s data over telnet (unencrypted). Add in apps with your passwords and credit card and, you’ve got a way for a bunch of kids to get famous. This presentation is all about plausible mitigations that smartphone and app providers could adopt to mitigate attacks we’ve seen at conferences and in the wild. Can I completly fix smartphone security in 50 minutes or less? No, but in this talk I address specific risks that have been exploited either in the wild or in previous papers and talks, and discuss ways they can be mitigated given what the smartphones already have going for them. For example did you know most of the data you send over the cell provider network is encoded not encrypted? Yet the base smartphone OS has openssl installed. So here’s some code that provides end to end encrpytion for your text messages without even breaking the telecom SMS specficiations. As for the smartphone that acts like a credit card so you buy your Starbucks, if you want it to be secure, I still say throw it in the river.

Back to Derbycon 2011 video list