Introducing the iOS Reverse Engineering Toolkit

It should be the goal of every worker to expend less time and energy to achieve a task, while still maintaining, or even increasing, productivity. As an iOS penetration tester, I find myself repeating the same manual tasks for each test. Typing out the same commands to run various tools that are required to help […]

How Angry is That Bird?

The news regarding the NSA and its British counterpart discussed how the Angry Birds app was targeted as a means to collect personal information about app users. Presumably the agencies were collecting data that the app was already accessing as part of its normal operations. What data is being accessed and should it concern us?

We performed a behavioral analysis on Angry Birds for Android with our mobile application reputation service. Here’s what we found.

Mobile Myth: iOS is Safer Than Android

It’s easy to be lulled into a false sense of security when you’re using an iphone, but is iOS really the better smartphone operating system when it comes to malware?

According to F-Secure Labs’ latest Mobile Threat Report, malware authors continue to concentrate on the Android platform with 252 new threat families and variant families.  The report also shows that 81% of discovered threats are profit motivated. So what does this mean? Most bad guys are still looking for cash with their malware!

Fake Weather Channel App Serving up Malware

Top weather app in Google Play ‘Weather Channel VDO‘ looks to be serving more than the forecast. Capabilities include accessing device and carrier information, and examining account and file system. This app is performing Trojan like-capabilities, downloading a 466 kB file from an IP address listed as a known virus site. Findings also include an association with known adware.

Learn more about Veracode’s mobile application reputation service.

Food for Thought: Mobile Application Security & HIPAA

As a pentester, it’s always a different story when we are the ones writing the report. Being on the receiving end is stressful, even more so when you throw compliance into the mix. I figured since I have been fielding questions left and right about what to do when it comes to mobile applications and HIPAA compliance, I would simply write a blog post on the topic.

Mobile App Security Myths

I like to think about myths as common ideas that seem to perpetuate regardless of the rapid pace of technology change that is part of the modern world. When I’m out talking to folks about securing mobile apps I find that the same ideas about what enterprise security being perpetuated.

Many of the myths that I come across appear to offer panaceas that are comforting to the status quo. The idea that the newest iPhone or Samsung device will automatically make enterprise mobility safe. If enterprise data is encrypted then it is perfectly safe. If we put a wall around our apps and data then no one will be able to get in. These are comforting myths.

Our Apps Are Our Digital Lives

One of my national cyber security month activities was participating in an employee awareness day at NYU Langone Medical Center. Kudos to the infosec team for putting on a nice event.

Since the audience was doctors, nurses and students my goal was to present mobile security statistics in a memorable way. I had two slides showing at a very high level how mobile malware works, but one of the main points I wanted to convey was an app doesn’t have to be malware to do you harm.

Apple’s Fingerprint Scanner: Who is Likely to Hack – Mobile Device Security Series 3 of 3

We know that any type of software is bound to be hacked eventually, but Apple is claiming that nothing will get past its new fingerprint scanning technology. While its security implications far exceed those of a traditional PIN, could a hack of this nature truly be dangerous to high profile individuals? What would a hack like this mean for an enterprise or government agency? In part three of our discussion of Apple’s fingerprint scanning technology for the iPhone 5S, we discuss where these attacks are likely to come from and what this means for your mobile security.

Apple’s Fingerprint Scanner: Claims, Concerns, and Implications – Mobile Device Security Series 2 of 3

Apple’s making a lot of claims about how well they securely store that fingerprint and who can access it and what’s actually being stored. Nobody’s ever been really too deeply verify any of this yet. We do have a few hints from patent filings, from documentation of the company that makes the sensor, documentation of the trust zone technology that Apple says they’re using to store. Apple really put quite a bit of engineering effort into this, so they claim a couple of things.

Biometrics and Fingerprint Scanner Applications – Mobile Device Security Series 1 of 3

Did you know that 30-50% of people choose not to use any sort of passcode on their smartphones? The inconvenience that comes with typing in a long passcode means users are willing to put their mobile lives at risk. Apple has attempted to solve this problem by creating a fingerprint scanning application that allows for convenience and security without compromise. With this type of technology on the rise, users may be wondering how it works and if this type of passcode is really safer. In part 1 of our Apple fingerprint technology series, Jared Carlson and Darren Meyer, both senior security researchers at Barracuda, discuss this type of technology and what it means for mobile security.

1 2 3