ICSA Labs Blog: Mobile Apps

Testing Built-In Mobile Device Security Functions

Mobile device manufacturers build an array of security features into smartphones and tablets. I suspect that the majority of us take for granted that these protections function and we assume that they will work properly when needed (e.g., remote wipe). But will they?

For several years, ICSA Labs has performed mobile device security testing on behalf of several mobile device manufacturers and mobile network carriers. Mobile devices are tested before they are available to users.

Will the Promise of Hybrid Mobile Apps Outweigh New Security Concerns?

The promise and benefit of hybrid mobile apps is that they can operate on many devices from Apple to Blackberry, from Microsoft to Samsung and everything in between. Typically written in HTML5 and JavaScript, hybrid mobile apps include a native container to facilitate access to the device’s native features. Gartner forecasts that hybrid mobile apps will account for half of all mobile apps by 2016.

But are they safe?

Coffee for Smartphone Users. Is It Enough to Awaken Us?

It’s been reported in the news that the Starbucks payment app saves usernames, passwords and location data in plain text right on consumers’ smartphones. Any devious person with a little know-how can get access to this information and use it to get one caffeine fix after another ad infinitum.

Of course, this is not good news. But it is more than that. This should be a wake-up call – not just for those of us who like to pay for coffee with our smartphones.

Ad Networks and Smartphones

Free mobile apps often come chock full of ads. And it’s not just the free apps. A surprising number of paid apps come with ads as well. App developers typically link in one or more advertising networks to monetize their otherwise inexpensive mobile apps.

Users are relatively tolerant of mobile app advertising. That is, until a mobile ad network in a seemingly benign mobile app distributes malware or exfiltrates sensitive user information without the user’s knowledge or consent.

Mobile App Development Concerns Echoed

When speaking at conferences or to prospective customers about why there is a need to independently test an enterprise’s custom-made mobile apps, I begin by framing the problem. I explain that one of the primary issues concerning mobile apps is that they are developed by companies with limited experience rather than by large, well-known companies with a lengthy software development history.

Personal Information at Stake in Enterprise Mobile Apps

There have been several reports this year indicating that many popular, free apps and a surprising number of the most popular paid apps – on either Android or iOS – are not good at safeguarding sensitive information. From contacts to calendars, an amazingly high percentage of app developers don’t seem concerned with protecting your sensitive information.

There are also apps that accidentally, spectacularly, and unexpectedly transmit your sensitive information. Take Tumblr (now part of Yahoo!) for example.

An Android Master Key Solution...But

Last week I blogged about the “Android Master Key” vulnerability. Not long after its discovery by Bluebox, the Chinese firm Android Security Squad found a similar Android Master Key vulnerability. Both vulnerabilities permit adversaries to circumvent the Android app signature verification process after modifying any app.

Almost a Billion Vulnerable Android Devices

Researchers at Bluebox, a new mobile security company, recently found a serious vulnerability affecting almost every version of Android. Vulnerable Android versions include all recent versions as well as those dating back to version 1.6 (code name: Donut), which was released in September 2009.

Mobile App Insecurity

Not that long ago enterprise users did all of their computing work with PCs. Then, the small set of applications utilized each day was largely developed by a few, well-known vendors. Today’s mobile world is much different; there is a much larger set of less recognizable software developers who create mobile apps for enterprises.

A Hidden Apple in the DNS Changer Sandwich

I wonder if I am following the right crowd on Twitter? Last week, I was inundated with a superabundance of tweets about battling DNS Changer. Sources everywhere warned that if you didn’t take steps soon, you could lose access to the Internet on Monday July 9th (i.e., today). With so many folks tweeting, blogging, and writing articles about the evils of DNS Changer, one might suspect that it’s a really big problem out there on the Internet...