Category: Mobile


Facebook’s iOS Apps Now Work On IPv6-Only Networks

Facebook continues to demonstrate their commitment to making sure that people can access Facebook from whatever networks they may be on – and particularly new IPv6-based networks. Not only is Facebook moving to an IPv6-only internal network, but now comes word that their iOS mobile applications, both the regular Facebook app and also the Facebook Messenger app, can work perfectly fine on an IPv6-only network.

The information was relayed by Facebook’s Paul Saab in, of course, the IPv6 Group on Facebook. Back on December 2, Paul wrote:

The most recent release of the Facebook iOS app works on IPv6-only networks. The interesting thing in making this all work, is the example Reachability code that Apple released really only showed how to implement it for IPv4 or hostnames, but using a hostname was broken if you were on an IPv4 only network and the hostname was dual stacked. Anyway, the main app is now fixed and our Messenger application will be updated soon to also have the fix.

And late last night he posted:

The FB Messenger was released and now supports IPv6-only networks

As the discussion thread indicates, the Android versions of the two apps should also work on IPv6-only networks but there are currently issues with Android devices in general working on IPv6-only networks.

The key point here is that some network operators are now deploying IPv6-only networks because of a lack of IPv4 addresses. Consider the case of T-Mobile USA. Facebook’s applications will work fine and give the best possible user experience on those IPv6-only networks. Some of these new IPv6-only networks, such as those in the mobile space, use technologies such as 464XLAT to enable IPv4-only applications to still work. BUT… any such translation technologies do add complexity and introduce some degree of latency (which might be quite tiny, but still there).

Facebook is avoiding all of that by making sure that their mobile applications work well in IPv6-only networks.

Those apps will work over native IPv6 networks to connect back to Facebook’s IPv6 data centers.  Without needing to pass through some IPv4 gateway or translation tool, the apps should provide the fastest and simplest connections – which means a better experience for users.

Now, the Facebook applications also work fine in a “dual-stack” mixed IPv6/IPv4 network.  They have for quite a long time now. But Facebook has now tested these apps on networks without IPv4 – and that is a difference.

Congratulations to Paul Saab and the rest of the team there at Facebook for taking this step – and we hope that other mobile application developers will see this and consider testing their applications on IPv6-only networks as well.

As we run out of IPv4 addresses and have to look at IPv6-only networks with some kind of IPv4 translation on the edge…   the best possible user experience is going to be with those applications and services that can avoid all of the IPv4 translation and work completely over IPv6.

P.S. If you would like to get started with moving your application or service to IPv6, please visit our Start Here page for pointers on how to begin!

 

Verizon Launches Voice Cypher Secure VoIP Mobile App… With A Government Backdoor

Verizon Wireless this week did something that initially seemed quite impressive – they launched “Voice Cypher”, an app available for iOS, Android and Blackberry that promises secure end-to-end encryption. It uses VoIP and is an “over-the-top” (OTT) app that works on any carrier. If you read the marketing material on their web site, it all sounds great! Indeed their “Learn More” page has all the right buzzwords and security lingo – and says quite clearly: “Voice Cypher provides end-to-end encryption between callers, even if the call crosses over multiple networks.” They include the requisite network diagram that shows how it protects against all threats:

[Image: Verizon Wireless Voice Cypher network diagram]

It turns out there’s just one small little detail … as reported by BloombergBusinessweek, the app comes complete with a backdoor so that Verizon could decrypt the phone calls if requested to do so by law enforcement!

As the Businessweek article states:

Cellcrypt and Verizon both say that law enforcement agencies will be able to access communications that take place over Voice Cypher, so long as they’re able to prove that there’s a legitimate law enforcement reason for doing so.

Unfortunately, in this post-Snowden era I don’t know that many of us put a great amount of trust in our governments to only access communications with a “legitimate law enforcement reason”.  Or perhaps the concern is that what gets classified as “legitimate” can be widely construed to mean almost anything.

The article does point out that Verizon is bound by CALEA to provide lawful intercept to the phone networks, but notes an interesting caveat that Verizon could have used:

Phone carriers like Verizon are required by U.S. law to build networks that can be wiretapped. But the legislation known as the Communications Assistance for Law Enforcement Act requires phone carriers to decrypt communications for the government only if they have designed their technology to make it possible to do so. If Verizon and Cellcrypt had structured their encryption so that neither company had the information necessary to decrypt the calls, they would not have been breaking the law.

A Verizon Wireless representative indicated that they believe government agencies looking for ways to protect sensitive information may be customers of this service, as may be corporate customers concerned about leaking private information.

But… as we continue to hear more and more information about the massive amount of pervasive monitoring and surveillance by government agencies from many different governments around the world, you do have to wonder how safe those agencies and companies will feel with a “secure” solution that already comes with a backdoor.  The problem with a known backdoor is that even if you may trust Verizon Wireless to only allow legitimate law enforcement access… how do you know that some attacker may not be able to penetrate that backdoor?   The “secure end-to-end encryption” isn’t entirely secure.

Given that the service has a higher price tag of $45 per month per device, I do wonder how many businesses or agencies will actually embrace the service.

On reading about this Voice Cypher service, it certainly sounds quite interesting.  We need more secure voice solutions out there – and it’s very cool that Verizon Wireless is delivering this as an OTT mobile app that will work across different carriers.

It’s just too bad that it’s not truly “secure end-to-end”.  :-(
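The design difference at issue above is who holds the key material. The following Python sketch is an added example, not from the original post, and does not reflect how Voice Cypher or Cellcrypt is actually built: in design A the operator creates and retains the call key, in design B the two handsets agree on a key while the operator only relays public values. The toy Diffie-Hellman group, the hash-based cipher and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Toy group for illustration only (assumption); real products use vetted curves.
P, G = 2**521 - 1, 3

def _sub(key, label):
    return hashlib.sha256(label + key).digest()  # separate enc/mac subkeys

def _stream(key, n):
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, msg):
    # Encrypt-then-MAC. Each key protects one message here, so no nonce.
    ct = bytes(m ^ s for m, s in zip(msg, _stream(_sub(key, b"enc"), len(msg))))
    return ct + hmac.new(_sub(key, b"mac"), ct, hashlib.sha256).digest()

def unseal(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # wrong key or tampered data
    return bytes(c ^ s for c, s in zip(ct, _stream(_sub(key, b"enc"), len(ct))))

def escrowed_call(frame):
    # Design A: the operator creates the call key and keeps a copy.
    key = secrets.token_bytes(32)
    return seal(key, frame), {"call_key": key}

def endpoint_keyed_call(frame):
    # Design B: handsets run Diffie-Hellman; the operator relays public values.
    a, b = (secrets.randbelow(P - 3) + 2 for _ in range(2))
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    key_a = hashlib.sha256(pow(pub_b, a, P).to_bytes(66, "big")).digest()
    key_b = hashlib.sha256(pow(pub_a, b, P).to_bytes(66, "big")).digest()
    assert key_a == key_b  # both handsets derive the same call key
    return seal(key_a, frame), {"relayed": [pub_a, pub_b]}

def decrypt_with_operator_records(blob, records):
    # What anyone holding the operator's stored records can do with them alone,
    # whether through a lawful order, as an insider, or after a breach.
    keys = [records["call_key"]] if "call_key" in records else []
    keys += [hashlib.sha256(v.to_bytes(66, "big")).digest() for v in records.get("relayed", [])]
    for key in keys:
        plain = unseal(key, blob)
        if plain is not None:
            return plain
    return None

FRAME = b"constructed sample audio frame"
```

Design B as written has no endpoint authentication, so a relay could still substitute its own public values; real end-to-end systems add key verification between the callers.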

P.S. I also recorded an audio commentary on this same topic.

China Telecom Completes IPv6 Test On 4G LTE Network

By way of a news release from ZTE Corporation we were pleased to read about China Telecom’s recent successful testing of IPv6 capabilities on its 4G/LTE network in the Hunan province of China. Given that LTE has been a huge area of growth for IPv6 globally, such as the recent measurement of Verizon Wireless’ network as having over 50% IPv6 deployment, we certainly see LTE as one of the first ways that many people will receive IPv6 in a mobile environment.

Given that ZTE Corporation is an equipment vendor, their news release naturally explains how they helped China Telecom, but overlooking the marketing for a moment there are some useful data points in the news release:

The comprehensive weeklong test involved trial users and covered IPv4/IPv6 single- and dual-stack services, billing systems and backend IT infrastructure systems, demonstrating China Telecom’s 4G LTE network to be IPv6-ready.

<snip>

As China Telecom rolls out 4G LTE services nationwide, IPv6 will help the operator manage the anticipated explosion in demand for new IP addresses. Becoming IPv6-ready is a key part of China Telecom’s plans for wider 4G LTE network deployments.

<snip>

This successful IPv6 test fully verified the IPv6/IPv4 dual-stack capabilities of China Telecom’s 4G LTE network in Hunan, laying a solid foundation for the operator’s plans for wider deployment of 4G and other next-generation services in the future.

All great to see.  Beyond a “test”, of course, we look forward to seeing the full deployment of IPv6 across China Telecom’s 4G LTE network!


Are you looking to get started with deploying IPv6?  Or just simply understanding more about IPv6?  Please see our “Start Here” page to find resources focused on your type of organization – and please let us know if you need even more information.

Over 25% of Verizon Wireless Traffic Is Now Over IPv6

We were very pleased to learn via a blog post that a new set of network operator measurements are up on the World IPv6 Launch site at:

http://www.worldipv6launch.org/measurements/

One of the most interesting statistics to me was that IPv6 traffic on Verizon Wireless’ network has now climbed to 26.25%.  This reflects the fact that IPv6 is part of Verizon’s rollout of LTE, as documented in a Verizon Wireless presentation about IPv6 and LTE given at APNIC 34 in August 2012.

Congratulations to Verizon Wireless for passing the 25% mark! They are the first to do so of the mobile operators that are being tracked as part of the World IPv6 Launch measurements.

I’ll note, too, that when you go to that IPv6 measurements page and click the column headed “IPv6 traffic” twice you wind up with a list sorted by highest percentage of IPv6 that is quite interesting:

[Image: Network Operator IPv6 Traffic]

Somewhat predictably a number of universities are leading the way with Gustavus Adolphus College having an outstanding 62.17% of all traffic being IPv6. Great to see the U.S. Navy’s SPAWAR network in there, too, with 41.30% IPv6 traffic. It’s also nice to see webhosting providers Dreamhost and Hurricane Electric in the top 10 with just over 29% (Dreamhost) and 25% (HE) of all their traffic being IPv6.  I admit that I do find it a bit fascinating to scroll through the lists and see who is doing what with IPv6. The graphics further down the page are also interesting to see.

Note that these measurements are only from network operators that ask to be included in the World IPv6 Launch.  If you are a network operator providing IPv6 connectivity and are interested in being included on this list, please fill out the form on the World IPv6 Launch site.

Now, the question in my mind is, who will be the next mobile operator to climb over 25%?  And how soon will Verizon Wireless pass other prominent marks?

All Mobile Apps Developers (iOS, Android, Windows, Blackberry, etc.) Need To Read Troy Hunt’s Post

As I mentioned on my Disruptive Telephony blog today, this post by Troy Hunt really should be mandatory reading for anyone developing applications for mobile platforms:

Secret iOS business; what you don’t know about your apps

Yes, his post is about Apple’s iOS, but I’m unfortunately rather confident that the results would be similar if someone were to do a similar analysis with a proxy server on apps on Android, Blackberry, Windows Phone 7, WebOS and any other mobile platform.

These are application design problems.

As programmers, we all take “short cuts” from time to time… I’m as guilty of that as anyone… but sometimes those shortcuts have grave consequences.

Mobile developers need to read Troy’s piece… and then look at their own apps and see how they can change. Actions like:

  1. Securing the transport of login credentials! (DUH!!!)
  2. Not stuffing giant images down onto mobile devices when those images are going to be restyled in HTML to be tiny.
  3. Being wary about what info is gathered by apps – and also disclosing that to customers (and perhaps offering a way to opt out).

The list can go on… Troy’s article has other ideas in it, too… but the point is that in the rush to get a mobile app out there, some of these security and privacy issues (and bandwidth costs!) really do need some attention!

Skype for iOS/iPhone Vulnerable to Cross-Site-Scripting (XSS) Attack

News from the SUPEREVR security blog is that Skype for iOS is vulnerable to a cross-site scripting (XSS) attack that allows an attacker to send someone a message and, for instance, capture that user’s address book from their iPhone.

The author of the article posted a video that demonstrates the attack:

He further states in a tweet that he notified Skype of the vulnerability on August 24th:

In case anyone is wondering, I disclosed the vulnerability to Skype on 8/24. I was told an update would be released early this month.

Skype has issued a statement through their PR firm:

We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime, we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense Internet security as always.

Skype’s mitigation recommendation is a good one as the default privacy setting is typically that you can only receive chat messages from people on your Contact list. Therefore, the attacker would have to be someone who you have authorized and added to your contact list.

Meanwhile, hopefully Skype will be out with their update soon.

P.S. Hat tip to Tom Keating for writing about this exploit as that was where I first learned of it.

New Android Malware/Trojan Records Your Phone Calls

[Image: Android trojan]

News out of the CA Security Advisor Blog today is that there is a new piece of Android malware that records phone calls that you make on an Android phone. The post author, Dinesh Venkatesan, goes into some detail about what they found – and how they found it – in testing this malware.

While this is not a “VoIP” issue, per se, as the trojan seems to record calls over the “regular” phone connection it is a general communications security issue and something we all have to watch out for. Over on the ReadWriteWeb, Dan Rowinski published a good piece putting this malware in context with other recent Android malware.

The net of both posts is that ultimately you need to be extremely careful about the source of applications you are installing on your Android phone – and what permissions you are granting them.

Meanwhile, I expect that we’ll continue to see more creativity coming out of the attacker community.

Image credit: CA Security Advisor Blog