ICSA Labs Blog: Security

Why Certify? The Significance of ICSA Labs Certification

When it comes to security, many vendors consider certification of their products by an independent organization an option, not a requirement. However, third-party testing is an important element when a company is deciding on technology solutions that are part of its security management program.

Testing Built-In Mobile Device Security Functions

Mobile device manufacturers build an array of security features into smartphones and tablets. I suspect that the majority of us take for granted that these protections function and we assume that they will work properly when needed (e.g., remote wipe). But will they?

For several years, ICSA Labs has performed mobile device security testing on behalf of several mobile device manufacturers and mobile network carriers. Mobile devices are tested before they are available to users.

Will the Promise of Hybrid Mobile Apps Outweigh New Security Concerns?

The promise and benefit of hybrid mobile apps is that they can operate on many devices, from Apple to BlackBerry, from Microsoft to Samsung and everything in between. Typically written in HTML5 and JavaScript, hybrid mobile apps include a native container to facilitate access to the device’s native features. Gartner forecasts that hybrid mobile apps will account for half of all mobile apps by 2016.

But are they safe?

Coffee for Smartphone Users. Is It Enough to Awaken Us?

It’s been reported in the news that the Starbucks payment app saves usernames, passwords and location data in plain text right on consumers’ smartphones. Any devious person with a little know-how can get access to this information and use it to get one caffeine fix after another ad infinitum.

Of course this is not good news. But it is more than that. This should be a wake-up call – not just for those of us who like to pay for coffee with our smartphones.

Ad Networks and Smartphones

Free mobile apps often come chock full of ads. And it’s not just the free apps. A surprising number of paid apps come with ads as well. App developers typically link in one or more advertising networks to monetize their otherwise inexpensive mobile apps.

Users are relatively tolerant of mobile app advertising. That is, until a mobile ad network in a seemingly benign mobile app distributes malware or exfiltrates sensitive user information without the user’s knowledge or consent.

Mobile App Development Concerns Echoed

When speaking at conferences or to prospective customers about why there is a need to independently test an enterprise’s custom-made mobile apps, I begin by framing the problem. I explain that one of the primary issues concerning mobile apps is that they are developed by companies with a limited amount of experience, as opposed to large, well-known companies with a lengthy software development history.

Personal Information at Stake in Enterprise Mobile Apps

There have been several reports this year indicating that many popular, free apps and a surprising number of the most popular paid apps – either Android or iOS – are not good at safeguarding sensitive information. From contacts to calendars, an amazingly high percentage of app developers don’t seem concerned with protecting your sensitive information.

Even so, there are apps that accidentally, spectacularly, and unexpectedly transmit your sensitive information. Take Tumblr (now part of Yahoo!) for example.

An Android Master Key Solution...But

Last week I blogged about the “Android Master Key” vulnerability. Not long after its discovery by Bluebox, the Chinese firm Android Security Squad found a similar Android Master Key vulnerability. Both vulnerabilities permit adversaries to circumvent the Android app signature verification process after modifying any app.

Almost a Billion Vulnerable Android Devices

Researchers at Bluebox, a new mobile security company, recently found a serious vulnerability affecting almost every version of Android. Vulnerable Android versions include all recent versions as well as those dating back to version 1.6 (code name: Donut), which was released in September 2009.

Facebook exposes some emails and phone numbers – Big Deal!

Hi folks,

Over the weekend, Facebook disclosed that a bug in their code had accidentally leaked some six million email addresses and phone numbers over the course of about a year. While the majority of the comments on Facebook’s Mea Culpa page indicate outrage and worry, in my opinion, no one should be in the least bit surprised.

By this, I’m not implying that Facebook is unprofessional in how it codes its website, or that it is unconcerned about its users’ privacy. It’s simply a tough job, and humans make mistakes.