Category: Security

The Creepy – And Insecure – Side of iOS and Android Apps

Want to see the dark side of mobile apps? Just read this great bit of research from Troy Hunt:
Secret iOS business; what you don’t know about your apps

As people have noted in the comments, "iOS" (Apple's operating system for iPhones and iPads) is purely the platform Troy Hunt did his research on... but he's really talking about issues with mobile applications.

I'm unfortunately sure that these types of issues will also be there in apps on Android and probably on other mobile operating systems from Microsoft, RIM, WebOS, etc.

These are application design issues.

The article starts off with the incredibly inefficient case of stuffing large images from "regular" websites down the mobile pipe to the phone... and then simply "resizing" them with "width" and "height" attributes. This is just laziness (or "efficiency", if you are being charitable) on the app developers' part: they are simply "repurposing their existing content" for a mobile audience, i.e. it's too much work/effort for them to create and track a separate smaller image for a mobile environment, so they just send you the larger one and eat up your data plan bandwidth.

But Troy Hunt goes on to talk about far worse issues... he calls out the analytics sent back to Flurry.com in particular (and there are other similar players out there) that report what the user is doing. I agree with Troy Hunt's comment that where this gets "creepy" for me is not so much reporting data back for one application, but rather that all this data is being aggregated across applications inside of Flurry's databases.

And then there is the truly scary issue of how little security some applications use to protect login credentials (i.e. NONE!) or to protect the confidentiality of the information people are seeing.

As Troy Hunt points out with regard to the Facebook app for iOS:

Unfortunately, the very security that is offered to browser-based Facebook users is not accessible on the iPhone client. You know, the device which is most likely to be carried around to wireless hotspots where insecure communications are most vulnerable.

Mobile devices are being brought to the worst possible WiFi environments... and per this article seem to have some awfully insecure apps running on them.
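As an added example (not from Troy Hunt's article or from this post), here is a small Python audit of the kind of intercepting-proxy capture that research like Troy Hunt's is built on. Run over a set of captured requests, it flags the things the post worries about: login credentials leaving the device without TLS, credentials placed in a URL, and beacons to third-party analytics hosts. The credential parameter names, the analytics watch-list (only flurry.com comes from the post) and the sample requests are all assumptions made for the example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Parameter names that commonly carry credentials. This list is an
# assumption; extend it with whatever the app under test actually uses.
CREDENTIAL_KEYS = {"password", "passwd", "pass", "pwd", "secret"}

# Third-party analytics hosts to report. Only flurry.com is named in the
# post; anything else you add here is your own watch-list.
ANALYTICS_HOSTS = {"flurry.com"}


@dataclass
class Request:
    """One captured request: method, full URL and (form-encoded) body."""
    method: str
    url: str
    body: str = ""


def host_matches(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def credential_params(req):
    """Names of credential-looking parameters in the query string or body."""
    parts = urlsplit(req.url)
    found = set()
    for raw in (parts.query, req.body):
        for key in parse_qs(raw, keep_blank_values=True):
            if key.lower() in CREDENTIAL_KEYS:
                found.add(key)
    return found


def audit(requests):
    """Return (finding, url) pairs, in capture order."""
    findings = []
    for req in requests:
        parts = urlsplit(req.url)
        creds = credential_params(req)
        if creds and parts.scheme.lower() != "https":
            # The Facebook-client problem quoted above: the login leaves
            # the device readable to anyone on the same hotspot.
            findings.append(("cleartext-credentials", req.url))
        if creds and req.method.upper() == "GET":
            # Even over TLS, a password in the URL lands in proxy and
            # server logs and in the device's request history.
            findings.append(("credentials-in-url", req.url))
        if host_matches(parts.hostname or "", ANALYTICS_HOSTS):
            findings.append(("third-party-analytics", req.url))
    return findings


# Constructed sample capture; these are not requests from any real app,
# and the flurry.com path below is made up for the example.
SAMPLE = [
    Request("POST", "http://api.example.com/login", "email=a%40b.com&password=hunter2"),
    Request("POST", "https://api.example.com/login", "email=a%40b.com&password=hunter2"),
    Request("GET", "https://api.example.com/auth?user=a&pwd=hunter2"),
    Request("POST", "http://data.flurry.com/report", "session=abc"),
    Request("GET", "http://img.example.com/hero_2048.jpg"),
]

if __name__ == "__main__":
    for finding, url in audit(SAMPLE):
        print(f"{finding:24} {url}")
```

To use it on a real app, build `Request` objects from an export of your proxy's session log and look first at any "cleartext-credentials" line: that is exactly the situation Troy Hunt describes for the Facebook client, and it is the one that matters most on a coffee-shop hotspot. The analytics finding is informational; what the beacon carries, and how it is aggregated across apps, you still have to read out of the request body yourself.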

Every mobile developer needs to read this article - and start looking at how to secure their apps!

P.S. Thanks, Troy Hunt, for writing this piece!


If you found this post interesting or useful, please consider either:


Pondering All The Strange (Chinese?) Accounts Joining My Email Newsletter List…

Has anyone else operating an email mailing list noticed subscriptions pouring in over the past few months from strange email accounts?

I have been amazed - and I can't for the life of me understand WHY this is going on.

For my VERY infrequently issued email newsletter, A View From The Crow's Nest, I've seen probably 50 subscriptions over the last month from email accounts with very bizarre names - both names of email address and also the first and last names of the users. They pretty much all have come from accounts at:

  • hotmail.com
  • tom.com
  • 163.com
  • sohu.com
  • yeah.net

Now, in looking at those sites... outside of hotmail.com, they are all Chinese-language sites.

Did my (English-only!) blogs get on some list for people to read in China?

... and some % of those people decided to actually subscribe to my (again, English-only) email newsletter?

I find this hard to believe, particularly when Google Analytics shows NO increased visitation to any of my sites from China or Chinese-language browsers.

Is something else going on here? The IT security part of my brain was spiked into high paranoia by the patterns in the last names that were entered into the subscription form. The vast majority of these "last names" were either:

  • andeson
  • aifseng
  • billaa
  • John

And the "first names" make no sense as an English name. Here's a screenshot showing some recent subscriptions (with, yes, some info deliberately hidden):

[Screenshot: a page of recent subscriptions showing the strange addresses and names]

This pattern continues for several more pages.

Now, I have no real knowledge of the Chinese language. Is this perhaps a translation of Chinese characters into Roman letters by the iContact email service I use? i.e. are these perhaps legitimate subscription requests where the info is getting lost in translation?

My first thought before I realized all the sites (sans hotmail.com) were Chinese was that this was spammers subscribing to my newsletter from free email services.

But why?

I couldn't (and still can't) figure that out. What good would it do for a spammer (or other attacker) to subscribe to my email newsletter list?

Or are the subscription records bogus anyway? Are they the byproduct of attackers trying to probe the security of the signup forms? To see if they could exploit a SQL injection attack or something like that?

Or is something more widespread going on? A Google search on "aifseng", for instance, shows that "word" paired with other nonsensical (in English) "words" on a host of other sites.

Did I miss a memo about some security issue going on? Or is this the case where something is getting lost in translation?

Any ideas or info out there?
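As an added example (not part of this post, and not something the iContact service provides), here is a small Python triage script for a mailing-list signup export that looks for the pattern described above: signups from a handful of free-mail domains, recurring nonsense surnames, machine-looking names, and bursts of signups in the same hour. The domain and surname lists come from the post; the "generated-looking" heuristic, the scoring thresholds and the sample records are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime

# Domains listed in the post. A watch-list for review, not proof of abuse:
# hotmail.com in particular is full of legitimate subscribers.
WATCHED_DOMAINS = {"hotmail.com", "tom.com", "163.com", "sohu.com", "yeah.net"}

# The "last names" the post says recur across the odd signups.
REPEATED_SURNAMES = {"andeson", "aifseng", "billaa", "john"}


def looks_generated(name):
    """Crude test for machine-made names: digits mixed in, or no vowel at all.
    An assumption; tune it to what your own signup export looks like."""
    lowered = name.lower()
    return any(c.isdigit() for c in lowered) or not any(c in "aeiouy" for c in lowered)


def score_signup(signup):
    """Reasons a single signup record looks suspicious (possibly none)."""
    reasons = []
    local, _, domain = signup["email"].rpartition("@")
    if domain.lower() in WATCHED_DOMAINS:
        reasons.append("watched-domain")
    if signup["last"].lower() in REPEATED_SURNAMES:
        reasons.append("repeated-surname")
    if looks_generated(signup["first"]) or looks_generated(local):
        reasons.append("generated-looking")
    return reasons


def triage(signups, min_reasons=2):
    """Flag records with at least min_reasons hits and summarise the list.
    One hit alone (e.g. a hotmail.com address) is deliberately not enough."""
    flagged = []
    domains, surnames = Counter(), Counter()
    for s in signups:
        domains[s["email"].rpartition("@")[2].lower()] += 1
        surnames[s["last"].lower()] += 1
        reasons = score_signup(s)
        if len(reasons) >= min_reasons:
            flagged.append((s["email"], reasons))
    summary = {
        "total": len(signups),
        "flagged": len(flagged),
        "top_domains": domains.most_common(3),
        "top_surnames": surnames.most_common(3),
    }
    return flagged, summary


def burst_hours(signups, per_hour=3):
    """Clock hours in which at least per_hour signups arrived, as ISO strings.
    Assumes each record carries an ISO-8601 'when' timestamp."""
    hours = Counter(
        datetime.fromisoformat(s["when"]).replace(minute=0, second=0, microsecond=0)
        for s in signups
    )
    return sorted(h.isoformat() for h, n in hours.items() if n >= per_hour)


# Constructed sample export; none of these are real subscribers.
SAMPLE = [
    {"email": "xq8h2k@163.com", "first": "xq8h2k", "last": "andeson", "when": "2011-09-20T03:12:00"},
    {"email": "zlp0w@sohu.com", "first": "zlp0w", "last": "aifseng", "when": "2011-09-20T03:14:00"},
    {"email": "ghtrr7@tom.com", "first": "ghtrr", "last": "billaa", "when": "2011-09-20T03:15:00"},
    {"email": "kj3nn@yeah.net", "first": "kj3nn", "last": "John", "when": "2011-09-20T03:17:00"},
    {"email": "mary.smith@example.org", "first": "Mary", "last": "Smith", "when": "2011-09-21T14:05:00"},
    {"email": "dave@hotmail.com", "first": "Dave", "last": "Jones", "when": "2011-09-22T09:40:00"},
]

if __name__ == "__main__":
    flagged, summary = triage(SAMPLE)
    for email, reasons in flagged:
        print(f"{email:28} {', '.join(reasons)}")
    print(summary)
    print("burst hours:", burst_hours(SAMPLE))
```

The script does not answer the "why" asked above; it only separates the records worth a human look from the ones that look like ordinary subscribers, which is why a single hit such as a hotmail.com address never flags on its own. Whatever the cause turns out to be, the standard protection for a list is confirmed (double) opt-in, so that an address only joins once someone reading that mailbox clicks the confirmation link.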

Image credit: maddercarmine on Flickr




Survey: Only 40% of Canadians Password-Protect Their Cell Phones

Only 40% of Canadian cell phone users password-protect their phones or use other privacy options, a survey by Canada's privacy commissioner found. The results of the 2000-person survey were released in August and written up in a Globe And Mail piece entitled "How private is that text message?".

When I saw the headline, I honestly thought it was going to be something about the security of SMS messages... but in fact it was about the security of the cell phones themselves. If the phones aren't secured then someone can go in and look at your text messages. Ergo... the link-bait title of the article. (And yes, it got me to look.)

Still, it had some interesting data points, such as the fact that users aged 18 to 34 were the ones most likely to use privacy tools, which is good to see, since they are probably the ones pumping the most information out online.

Nice to see, too, that 82 percent did not think police should have access to your online usage info without a warrant.

I was surprised, in all honesty, about the 40% number... I actually might have expected it to be lower, as I know MANY people who don't password-protect their phones, mostly because of the "inconvenience" of having to enter the password to get into the phone.

And in truth the % who password-protect their phones may be lower... the article says that "only four in 10 people password-protect their phones or adjust privacy settings on personal-information sharing via downloaded applications". The number of people who adjust privacy settings - but don't password-protect their phone - may be driving that % up.

I wonder what a survey like this might find in the United States?

Do you password-protect your phone? (I do)




Speaking Next Week on IPv6 and VoIP Security at 7th Real-Time Communications Conference in Chicago

If any of you will be in Chicago next week, October 4-6, 2011, for the 7th Annual Real-Time Communications Conference & Expo, I'll be there on the 5th and 6th as a speaker.

I'll be speaking twice. First on Wednesday the 5th at 4pm on "The Current State of VoIP Security", wearing my VOIPSA hat and leading off a series of talks about security. I'll be providing an overview of the main threats to VoIP and communications security in general, leading the way into the two more specific talks following mine.

I'm rather excited that my second session will be my first public appearance wearing my new Internet Society hat (if you are not aware, I've posted details about my recent move) and will of course be about IPv6... more specifically "How IPv6 Will Impact SIP And Telecom".

Due to ongoing events on the personal front, I wasn't sure that I was going to make it out there... and quite frankly there's still a chance that I won't... but I should be out there.

If you look at the conference schedule, the speakers include outstanding people involved with so many different aspects of real-time communications. It should be truly an excellent event!

P.S. You can still register if you would like to attend!

