What can be done about polarization in the United States? Reviewing a decade of research reveals unexpected findings.

Before he was elected in 2016, Donald Trump bragged about grabbing women by the pu**y and barging into rooms of partially dressed young pageant contestants.

In this lesson, you’ll learn about: - Goal — verifying if an Android device is compromised (conceptual): - How investigators look for Indicators of Compromise (IoCs) on a device by inspecting network activity and running processes; emphasis on performing all checks only with explicit authorization and on isolated lab devices. - Network‑level indicators: - Look for unexpected outbound or long‑lived connections to remote IPs or uncommon ports (examples of suspicious patterns, not how‑to). - High‑risk signals include connections to unknown foreign IPs, repeated reconnect attempts, or traffic to ports commonly associated with remote shells/listeners. - Correlate network findings with timing (when the connection started) and with other telemetry (battery spikes, data usage) to prioritize investigation. - Process & runtime indicators: - Unusual processes or services running on the device (unexpected shells, daemons, or package names) are strong red flags. - Signs include processes that appear to be interactive shells, packages with strange or obfuscated names, or processes that persist after reboots. - Correlate process names with installed package lists and binary locations to determine provenance (signed store app vs. side‑loaded package). - Behavioral symptoms to watch for: - Sudden battery drain, unexplained data usage, spikes in CPU, or device sluggishness. - Unexpected prompts for permissions, new apps appearing without user consent, or developer options/USB debugging enabled unexpectedly. - Forensic collection & triage (high level): - Capture volatile telemetry (network connections, running processes, recent logs) and preserve evidence with careful documentation (timestamps, commands run, who authorized the collection). - Preserve a copy/snapshot of the device state (emulator/VM snapshot or filesystem image) before further analysis to avoid contaminating evidence. - Export logs and network captures to an isolated analyst workstation for deeper correlation and timeline building. - Correlation & investigation workflow (conceptual): - Cross‑reference suspicious outbound connections with running processes and installed packages to identify likely malicious artifacts. - Use process metadata (package name, signing certificate, install time) and network metadata (destination domain, ASN, geolocation) to assess intent and scope. - Prioritize containment (isolate device/network) if active exfiltration or ongoing C2 is suspected. - Containment & remediation guidance: - Isolate the device from networks (airplane mode / disconnect) and, where appropriate, block suspicious destinations at the network perimeter. - Preserve evidence, then follow a remediation plan: revoke credentials, wipe/restore from a known‑good image, reinstall OS from trusted media, and rotate any secrets that may have been exposed. - Report incidents per organizational policy and involve legal/compliance if sensitive data was involved. - Safe lab & teaching suggestions: - Demonstrate IoCs using emulators or instructor‑controlled devices in an isolated lab network; never create or deploy real malicious payloads. - Provide students with sanitized capture files and pre‑built scenarios so they can practice correlation and investigation without touching live systems. - Key takeaway: - Detecting device compromise relies on correlating suspicious network activity with anomalous processes and device behavior. Always investigate within legal/ethical bounds, preserve evidence, and prioritize containment before remediation.

In this lesson, you’ll learn about: - Remote desktop from Android to Windows — legitimate use & risks (conceptual): - What remote desktop access enables: control a Windows desktop from an Android device for administration, support, or productivity (launch apps, browse files). - Legitimate configuration concerns: who should be allowed remote access, least‑privilege user selection, and the importance of strong authentication for remote sessions. - Security risks from exposed RDP‑like services: brute‑force, credential stuffing, and lateral movement if an attacker obtains access. - Secure deployment & hardening of remote desktop services: - Prefer VPN / zero‑trust tunnels rather than exposing remote desktop ports to the Internet. - Enforce multi‑factor authentication, strong passwords, account whitelisting, and limited session times. - Keep host OS patched, limit which users are permitted remote login, and log/monitor remote sessions for anomalies. - Social‑engineering data‑harvesting techniques — high‑level awareness (non‑actionable): - Why attackers use phishing/cloned sites: to trick users into granting permissions (OAuth consent, file access) or revealing device/browser metadata. - Types of data commonly exposed if a user is tricked: browser/user‑agent info, OS details, and location metadata (when permitted by the user). - Emphasize: these are high‑level attack categories to defend against, not to implement. No operational steps are provided. - Detection signals & forensic indicators for defenders: - Unexpected OAuth consent grants or newly‑authorized third‑party apps in user accounts. - Unusual outbound connections after a user clicks a link, sudden telemetry reporting (new IPs, device fingerprints), and spikes in geolocation requests. - Alerts for new remote sessions from unknown devices, unusual login times, or new client software installs. - Retain logs: authorization events, web server access logs, and device telemetry to reconstruct incidents. - Mitigations & user education: - Train users to verify OAuth consent screens and only grant permissions to known, trusted apps. - Disable or tightly control third‑party app authorizations in enterprise accounts; enforce allow‑lists. - Use device/endpoint protection (mobile/desktop EDR), network filters, and DNS/TLS inspection to block known phishing/C2 domains. - Apply principle of least privilege for remote access and require MFA for all remote desktop logins. - Legal, ethical & operational guidance for teaching: - Never test phishing or live social‑engineering techniques on real users without explicit, documented consent and institutional approval. - Use simulated or injected telemetry in closed lab environments for demonstrations. - Follow institutional policies and applicable laws when discussing or demonstrating attacks. - Safe classroom exercises & demos: - Controlled remote‑access demo: show a remote desktop session using an instructor‑controlled device on an isolated lab network; focus on configuration and logs. - OAuth consent analysis: students review benign consent screens and identify risky permission requests. - Detection lab: simulate benign telemetry in an isolated environment and have students create detection rules (alerts on new consent grants, unusual geolocation requests). - Tabletop IR: run a scenario where a user reports a suspicious consent prompt; students draft containment, evidence collection, and notification steps. - Further reading & resources: - Enterprise remote‑access hardening guides, OAuth security best practices, phishing awareness curricula, and incident‑response playbooks for handling compromised accounts/devices.

In this lesson, you’ll learn about: - Access control flaws & exposed debug interfaces: how application components and debug/logging channels can unintentionally reveal sensitive functionality or credentials when accessible from outside the normal UI (e.g., via dev/debug interfaces), and why minimizing exposed surfaces is critical. - Log‑based information leakage: why verbose runtime logs (debug logs, stack traces, or logcat output) can leak API credentials or internal activity flows and how logging policies should avoid emitting secrets. - Input validation failures enabling file access: the risk when inputs meant for URLs or safe IDs are not validated and are instead used directly to read files or resources—leading to unauthorized access to internal app files or external storage. - Reverse‑engineering for source‑level discovery (conceptual): how attackers analyze an app’s distributed package to inspect code paths, SQL queries, and hardcoded secrets; why attackers look for hardcoded credentials, embedded query strings, and sensitive constants in decompiled artifacts. (Discussed at a high level — use only approved analysis tools in controlled labs.) - Insecure storage patterns & common pitfalls: typical insecure storage locations and formats that leak secrets: - Shared Preferences / XML files: plaintext credentials stored in app-config XMLs. - SQLite databases: sensitive tables and records stored without encryption. - Temporary files: transient files (temp dumps) that retain secrets on disk. - External storage (SD card): writable, world‑readable areas where sensitive data may be exposed to other apps or users. - Attack surface demonstrated (high level): combining exposed components, poor input validation, and insecure storage enables an attacker to bypass intended UI controls and access stored credentials or private data — a clear example of failing the “defense in depth” principle. - Mitigations & secure design recommendations: - Never store credentials or secrets in plaintext; use platform keystores or strong encryption. - Validate and strictly sanitize all user‑supplied input before using it in file access or resource locators. - Avoid writing sensitive data to external/shared storage; prefer protected internal storage with proper file permissions. - Minimize and sanitize logging (do not log secrets or sensitive fields). - Harden app components: restrict component exposure, remove debug hooks from production builds, and enforce proper access checks on exported activities/services. - Secure databases with encryption-at-rest and limit sensitive columns; avoid temporary files for secret data. - Defensive testing & lab guidance: - Teach these issues using intentionally vulnerable apps (like DVAR) inside isolated, authorized lab environments only. - Instructors should provide sanitized sample APKs and datasets; students must never attempt these techniques against live/production apps or devices without explicit authorization. - Emphasize documentation: record findings, reproduce safely, and communicate issues with clear remediation steps for developers. - Core takeaway: Effective mobile app security requires careful control of exposed interfaces, strict input validation, and secure handling of all sensitive data (no plaintext secrets, no sensitive external storage). Combining secure coding practices with careful logging, testing, and least‑privilege design prevents the kinds of data exposures highlighted by the DVAR case study.

In this lesson, you’ll learn about: - ADB & SCRCPY — purpose & components (conceptual): - What the Android Debug Bridge (ADB) is (a client/daemon/server communication layer) and its role for device management, debugging, and automation in development and incident response. - What SCRCPY (screen‑mirror tool) does: mirror and control an Android device screen from a desktop for testing and demonstrations. - Common ADB capabilities (overview, non‑actionable): - Device enumeration and an interactive device shell as a controlled interface for diagnostics. - High‑level categories of system utilities accessible via the shell (activity management, package management, device policies, screen capture) and why they matter for dev, testing, and forensics. - Wireless vs. wired connectivity tradeoffs (risk surface of enabling remote ADB/TCP) — conceptual only. - System management utilities (what they are & why they’re useful): - Activity Manager (am): monitoring app lifecycle and services (useful for debugging and detection). - Package Manager (pm): inventorying installed apps, checking app metadata, and assessing potential risk from side‑loaded packages. - Device Policy Manager (dpm): obtaining security posture indicators and enforcing enterprise policies. - Screen capture utilities: capturing screenshots or video for debugging and evidence collection — emphasise consent and chain‑of‑custody when used for forensics. - Screen mirroring & remote control (defensive uses): - How mirroring aids usability testing, accessibility demos, and secure classroom demos — and the importance of using it only on devices you control. - Security considerations: ensure mirroring is used on isolated networks and trusted hosts to avoid leaking sensitive data. - Security risks & hardening recommendations (practical, non‑actionable): - Disable USB debugging on production devices; enable only in controlled lab/dev environments. - Avoid enabling ADB over TCP on public or untrusted networks; prefer wired/authorized sessions. - Enforce ADB authorization (device ↔ host key confirmation) and rotate management keys in enterprise settings. - Remove or restrict developer options and sideloading on production/managed devices via MDM. - Use device encryption, strong lock screens, and biometrics as an additional layer of defense. - Forensic & incident‑response perspective (safe practices): - How ADB and related tools can be used legally and ethically for device triage in authorized investigations (collection of logs, capturing screenshots, listing installed packages) — emphasize documentation, consent, and evidentiary chain of custody. - Prefer read‑only collection methods and snapshotting (VMs, emulator states) during lab analysis to avoid contaminating evidence. - Use instrumented emulators or disposable test devices for any dynamic analysis. - Ethics, legality & authorization: - Clear rule: do not attempt privilege escalation, device unlocking, or bypassing authentication on devices without explicit, documented authorization from the device owner and appropriate legal clearance. - University lab policy suggestions: require signed authorization, isolated networks, and instructor oversight for any hands‑on mobile analysis. - Safe classroom exercises & demos: - Manifest & package inventory lab: students inspect app manifests and package metadata (provided benign APKs) to spot excessive permissions. - Mirroring demo: use SCRCPY to demonstrate UI workflows on an emulator or instructor‑controlled device (network isolated). - Telemetry detection lab: generate benign, explainable network traffic from an emulator and have students write detection rules for anomalous behavior (flow volume, unusual destination). - Forensics table‑top: present a logged incident and have students draft a triage and evidence‑collection plan that follows legal/ethical best practices. - Defender tooling & monitoring (recommended): - Mobile endpoint management (MDM/EMM) to enforce policies and control ADB/dev options. - Runtime telemetry monitoring (battery, CPU, network) and alerting for anomalous device behavior. - Use reputable static analysis tools (e.g., MobSF) and sandboxing for safe APK inspection in labs. - Further reading & resources: - OWASP Mobile Top 10 and MASVS (Mobile App Security Verification Standard). - Official Android docs on ADB and security best practices. - Mobile forensics and incident response guides (academic/industry publications).

YouTube video by ALRA TV