Category Archives: Smart Phone
The dark art of iOS app hacking presented at Black Hat.
There are three ways to hack an iOS app. One involves a zero-day exploit, a previously-unknown security hole. These are rare but not unheard of for iOS apps. The other two involve getting physical access to the phone, Zdziarski said.
“You can infect the phone without a passphrase. The virus or bit of code sits on the phone, waiting for the user to unlock it.” Or, he explained, “Give me two minutes with somebody’s phone and I can dump the entire file system from it.” From there, he said he could look at apps for an exploit to take advantage of remotely.
He argued that this could become a serious problem as iPhones and iPads continue to increase in popularity. Enterprise use of iOS is growing, he said, as is government use.
All due to a double-edged sword.
The problem, Zdziarski explained, comes from the double-edged sword that is the iOS monoculture. It has benefits, he said, including a reduced attack surface, rapid prototyping, and fewer holes to blame on the developer. But, he added, its homogeneous attack surface means that if you can hack one iOS device, you can hack nearly all. (While it’s true that there are different versions of iOS in use, there are significantly fewer than the different flavors of Android.)
Zdziarski noted that security has become an afterthought for iOS app developers, since they’re trusting Apple’s iOS Keychain and runtime to be secure. Keychain is the iOS feature that stores passwords, certificates, and other security-related items under encryption. “Anybody with freely available open source tools can get around that encryption now,” said Zdziarski, who said the encryption has been busted for two years. Zdziarski also showed how he didn’t even have to have the passcode to an iPhone to break its encryption. With a phone in his possession, he was able to drop a small piece of code from his computer onto the otherwise-locked phone. The code sits on the iPhone idle until the owner enters in the passcode, decrypting the file system and giving the malicious code access to the entire file system. “Developers are not turning on the encryption for most of their apps, and most users defer to a four-digit PIN, or a simple keyboard friendly passphrase.” So, although the phone’s operating system may be protected, the level of data security on the phone presumes that iOS won’t be hacked.
A great illustration of how developers need to understand that the need for security trumps all.
Wonder what Google will have to say regarding this.
Security researchers have discovered malware hosted on the Google Play marketplace that went weeks undetected masquerading as games.
Android.Dropdialer, a Trojan that sends costly text messages to premium-rate phone numbers in Eastern Europe, had gone undiscovered for two weeks in the form of two game titles, Symantec researcher Irfan Asrar wrote in a blog post yesterday. The two games — “Super Mario Bros.” and “GTA 3 – Moscow city” — were uploaded to Google Play on June 24 and generated 50,000 to 100,000 downloads, Asrar said.
“What is most interesting about this Trojan is the fact that the threat managed to stay on Google Play for such a long time, clocking up some serious download figures before being discovered,” Asrar wrote. “Our suspicion is that this was probably due to the remote payload employed by this Trojan.”
The Trojan’s authors avoided detection during Google Play’s automated screening process by breaking up the malware into separate, staged payloads, Asrar said. Once downloaded and installed from Google Play, the apps would download an additional package for installation that sent the text messages.
Mobile devices allow workers, including government employees, to work in multiple locations and to improve their efficiency. But the same features that make these devices desirable make them a security challenge. Mobile devices can easily be lost or stolen, and users may be tempted to download nonsecure apps that might conceal “malware” that could be used to steal confidential data. Since security is minimal for mobile devices, a thief can retrieve sensitive data directly from the device, or use the phone or tablet to access an organization’s computer network remotely.
The revised guidelines recommend using a software technology that centralizes device management at the organization level to secure both agency-issued and personally owned devices that are used for government business. Centralized programs manage the configuration and security of mobile devices and provide secure access to an organization’s computer network. They are typically used to manage the smart phones that many agencies issue to staff. The new NIST guidelines offer recommendations for selecting, implementing, and using centralized management technologies for securing mobile devices.
“Mobile devices need to support multiple security objectives: confidentiality, integrity and availability, so they need to be secured against a variety of threats,” explains co-author and NIST guest researcher Karen Scarfone.
Due to the loose restrictions Google places on its app marketplace?
Clickjacking rootkits could pose the next big threat for the Android platform, according to a research team out of North Carolina State University. Led by computer science professor Xuxian Jiang, the team has developed a prototype clickjacking rootkit that’s more sophisticated than the other Android-oriented malware already out there.
This new prototype rootkit — which attacks the Android framework, rather than the kernel — differs from other malware in key ways, according to Jiang. “Unlike other rootkits for the platform, this one can function without a restart and without deep modification of the underlying firmware,” Jiang explained in a video in which he demonstrates the rootkit in action. “But it can still do all the things that a rootkit wants to do, such as hide or redirect apps.”
In other words, just as with other computing devices, keep anti-virus software up to date.
This could be handy in snow areas like Wisconsin.
A new alarm clock application for the iPhone and Android wakes you earlier if it snowed last night. Called simply, “Winter Wake-Up,” the app lets you configure its settings to wake you up earlier than your scheduled alarm depending on weather conditions, with separate settings for both “Frost” and “Snow.”
There’s also an optional setting – a checkbox – which you can select that says “don’t bother to wake me if the weather’s too bad. I’ll work on Saturday.” (Or, as is more likely in today’s world, you’ll work from home that same day…just maybe a little later).
Is it something you would use?