Sunday, November 20, 2011

The Rupert Syndrome

EA was recently featured in a local news article that discusses the dangers of not setting passwords on your mobile phone's voice mail.  Most cell phone carriers will redirect to voice mail if the calling number matches the called number, assuming the user is calling to check their voice mail.  Without having a password set, the user is then able to directly access their voice mailbox.  An attacker can do just the same by calling your number spoofing your caller-ID.

Tuesday, September 27, 2011

Presentation: Online Privacy

EA Senior Security Consultant Gerrit Padgham gave a presentation with Ashkan Soltanti at the AppSecUSA 2011 Conference in Minnesota.

The presentation presents the current state of online tracking and highlights current practices that popular websites and mobile applications engage in. MobileScope, a technical solution we have been developing to give the end user ultimate visibility into the traffic their device is sending is also demonstrated.

When Zombies Attack: A Tracking Love Story with Ashkan Soltani & Gerrit Padgham from OWASP on Vimeo.

Saturday, August 20, 2011

Presentation: Mobile Security and Privacy

EA Principal Consultant David Campbell delivered the keynote presentation at the August 2011 meeting of the Rocky Mountain Information Management Association.

 The slide deck (pdf) is posted and the abstract of the presentation is as follows:

Twenty years ago wireless mobile communications was science fiction.  Today it's transforming the world.  In this session we look at the exponential increase of technological capability and some of the security and privacy implications of the forthcoming mobile "singularity".

Monday, August 8, 2011

Survey Finds Smartphone Apps Store Too Much Personal Data

The work that EA did for the Wall Street Journal made it clear that most apps are far too permissive with the sensitive data that they share 'on the wire'.  Subsequently a report by ViaForensics concludes that many apps are also carelesss with the sensitive data they store locally on the mobile device.

EA Principal Consultant David Campbell was interviewed by Wired for this article about the study.

Abstract follows:

An uncomfortably large percentage of mobile applications are storing sensitive user account information unencrypted on owners’ smartphones, according to a new survey of 100 consumer smartphone apps.

Some 76 percent of the apps tested stored cleartext usernames on the devices, and 10 percent of the tested applications, including popular apps LinkedIn and Netflix, were found storing passwords on the phone in cleartext.

Conducted by digital security firm ViaForensics, the testing occurred over a period of over eight months and spanned multiple categories, ranging from social networking applications to mobile banking software. The firm tested apps only for iOS and Android, the market’s leading mobile platforms.

“If I get my hands on someone’s lost phone, it could take me ten minutes to find an account username and password,” said Ted Eull, techology services vice president at ViaForensics, in an interview.
ViaForensics sells mobile security tools and services to corporations, attorneys and government agencies.
User names ranked highest on the list of discoverable data. App data — the term ViaForensics uses for private information exchanged using the applications — came in second place, with such data recovered from 69 percent of tested apps.’s iPhone and Android apps — which are used for maintaining financial account information — were found to store user transaction history and balance information on the phone. The Android version of the Mint app stores the user’s PIN on the phone unencrypted, ViaForensics found.

“We’re already working on ways to make this experience better,” said Jason Yiin, lead mobile engineer at, in an interview. “At the moment, if users are highly concerned, they can log in and out of the application each time they access it on their phones.” Yiin also points out that if an intruder accesses your PIN, they won’t be able to manipulate any account information or move assets between accounts. The intruder will, however, be able to see account balance and transaction history information.

In June, based on ViaForensics’ early findings, Netflix promised a security update at a yet to be specified date. But LinkedIn says it is satisfied with the security of its app.  “We’re using the standard Android programming practices for storing and managing data,” LinkedIn spokeswoman Krista Canfield told

Apple’s iOS-based apps scored consistently higher marks than Android apps in ViaForensics’ tests. That doesn’t surprise security analysts, who say Apple’s Keychain security architecture for storing user credentials is stronger than Android’s Account Manager. “Right now, Apple does a better job on iOS in providing an API where app developers can use a pretty decent mechanism to protect stored information,” says David Campbell, mobile security consultant at Electric Alchemy. “Currently, that doesn’t exist on Android.”

Google makes no bones about its platform’s security. “We dispute the claim that this data is insecurely stored on Android devices,” a Google spokesman told “The data is not accessible by default unless the phone has been rooted to gain full privileges, which Android actively protects against and would result in similar exposure for any platform.”

Earlier this year, German security researchers Jens Heider and Matthias Boll published a paper detailing how to partially circumvent keychain protections (.pdf) in a six-minute procedure on an IOS device.
In any case, developers too often choose not to use the operating system’s security resources to begin with. “What we have is a strong developer community who are good at coding on the whole, but not necessarily experts in security,” independent security analyst Ashkan Soltani told “A developer writes an app, and he’s just trying to get it off the ground as fast as he can.”

With two lucrative emerging mobile platforms, early traction is crucial for app developers competing for space. Apple’s App Store menu is closing in on a half-million applications available for download; add the Android Market to that, and you’ve got another 250,000 titles. App developer teams aren’t always focused on security first, especially when some of them consist of a handful of engineers.

“The main thing lacking in mobile development is approaching the platform with the understanding that these are essentially small computers,” Eull said. “Computers that are easily lost, and can travel through countless hands afterwards.”

Thursday, March 3, 2011

Google yanks apps that could take over your phone

Following a malware outbreak on the Android Marketplace, EA Principal Consultant David Campbell is interviewed on American Public Media radio.

Abstract of the interview follows:

 A malicious app can take several forms. Some of them will be apps for seemingly innocuous things, stuff like wallpaper, but then they'll find attempt to manipulate the user into giving a variety of permissions that give the app (and the app developer) more and more control of the device.

Then there are the apps that get installed and manage to "root" the device, essentially giving total control over it to someone on the outside. In that scenario, everything you do, from texting to online banking to phone calls to emails, can be monitored and recorded by someone else. That person can also send out messages, install new apps, do whatever they want.

We talk to Kevin Mahaffey of the security firm Lookout about how these bad guys are able to get into your phone.

We also talk with David Campbell of the security company Electric Alchemy. He points out the differences between Apple and Google in the way that apps are vetted for iPhone and Android. David says Apple inspects apps ahead of time and for the moment they seem to be the best platform for users concerned about security. But over the long term, he favors Android because the apps are easier to inspect and peer review will become stronger.