ICSA Labs Security Testing Blog

Ad Networks and Smartphones

Free mobile apps often come chock full of ads.  And it’s not just the free apps.  A surprising number of paid apps come with ads as well.  App developers typically link in one or more advertising network to monetize their otherwise inexpensive mobile apps.

Users are relatively tolerant of mobile app advertising.  That is until a mobile ad network in a seemingly benign mobile app distributes malware or exfiltrates sensitive user information without the user’s knowledge or consent.

Mobile App Development Concerns Echoed

When speaking at conferences or to prospective customers about why there is a need to independently test an enterprise’s custom-made mobile apps, I begin by framing the problem.  I explain that one of the primary issues concerning mobile apps is that they are developed by companies with a limited amount of experience as opposed to by large, well-known companies with a lengthy software development history.

Personal Information at Stake in Enterprise Mobile Apps

There have been several reports this year indicating that many popular, free apps and a surprising number of the most popular paid apps – either Android or iOS – are not good at safeguarding sensitive information.  From contacts to calendars, an amazingly high percentage of app developers don’t seem concerned with protecting your sensitive information. 

Even so, there are apps that accidentally, spectacularly, and unexpectedly transmit your sensitive information. Take Tumblr (now part of Yahoo!) for example.

The Age Of Enterprise Malware (A.k.a APT vs AFT)

In 2013, most people understand that the acronym APT stands for Advanced Persistent Threat, but I’m coining a new one … AFT, which stands for Another… uh … Freaking Trojan, and I suggest that all malware now falls into one of these two categories.

An Android Master Key Solution...But

Last week I blogged about the “Android Master Key” vulnerability.  Not long after its discovery by Bluebox, the Chinese firm Android Security Squad found a similar Android Master Key vulnerability.  Both vulnerabilities permit adversaries to circumvent the Android app signature verification process after modifying any app.

Almost a Billion Vulnerable Android Devices

Researchers at Bluebox, a new mobile security company, recently found a serious vulnerability affecting almost every version of Android. Vulnerable Android versions include all recent versions as well as those dating back to version 1.6 (code name: Donut) that was released in September 2009.

Facebook exposes some emails and phone numbers – Big Deal!

Hi folks,

Over the weekend, FaceBook disclosed that a bug in their code had accidentally leaked some six million email addresses and phone numbers over the course of about a year. While the majority of the comments on FaceBook’s Mea Culpa page indicate outrage and worry, in my opinion, no one should be in the least bit surprised.

By this, I’m not implying that FaceBook is unprofessional in how it codes its website, or that it is unconcerned about its users’ privacy. It’s simply a tough job, and humans make mistakes.

This does not seem to be playing entirely fair

One of the nice things about FaceBook is that you get to see that which is important to your friends, and by association therefore, important to you, but which might not make the mainstream news.

For example, the beautiful Vitava River which flows through Prague, in the Czech Republic, is in flood, and is threatening Prague’s wonderful historic centre. Seemingly, this is not important enough to make it to CNN or Fox, but my friend, Siobhan MacDermott, posted about it on FaceBook, saying something to the effect that we hoped our friends in Prague were all safe.

Lessons from the latest Mac malware

One of the Hoary Old Chestnuts of computer security is that “SMB don’t get 0-days”. Aside from arguably bad grammar, the latest Mac malware shows this to be patently false.

What is meant by “SMB don’t get 0-days” is that brand-new exploits, or zero-days, are relatively hard to write, and possibly expensive, and therefore tend to be used against high-value targets, such as Fortune 500 companies, or military, rather than being “wasted” against Small and Medium Business, who by implication have nothing worth stealing.

Assume You’re Breached

The Verizon DBIR came out today, and, as usual, it’s full of interesting data, and, as usual, it should be printed out, read thoroughly and marked liberally with your favorite highlighter, but for me, my favorite sentence was in the opening paragraph. It said, “A growing segment of the security community adopted an “assume you’re breached” mentality.”