Category Archives: iOS

Phone Apps Collect User Data Even If You Deny Permissions

All smartphones are data collection machines; hopefully everyone understands that.  There are an amazing number of sensors on the device and many apps just ask for everything.  If the user grants that, then the app can harvest all that data and likely sell it, either individually or in the aggregate.

Researchers took a tiny sample of 88,000 apps out of the Android app store (because that is easier than the Apple store) and found that 1,300+ of those apps – or a bit more than one percent – figured out how to circumvent the permission rules.

Some of these apps are mainstream apps.  For example, Shutterfly grabs the GPS coordinates out of your pictures, assuming they are there in the photos.

Does this mean that they are hacking the phone?  No, it means that they have figured out how to finesse  the system.

Another thing that some apps do is look for data other apps leave unprotected on the phone and snarf that data up.  For example, in older versions of Android do not protect individual data on external storage.  If you give an app access to external storage, it can rummage around on that external storage for any data that might be there.

If an app can find the phone’s IMEI number (basically the phone’s serial number) that was retrieved by another app that has permission to do that and which was not protected, then it can tie all of your data to you even if it doesn’t have permission to retrieve your serial number.

With each new release of iOS and Android, the developers of those operating systems implement new controls in an effort to rein in developers who have figured out how to game the system.

Sometimes it is not the app developer who is being deceptive but rather the provider of one or more libraries that the developer integrated into the application.  That means the the app provider could be unwittingly helping out Chinese library developers (yup, that is happening, for reals).

This is not limited to one operating system.  As they say, if the app is free, then you are the product.

As an app developer, you need to understand what each and every library does and if you can’t be sure, you can sniff the network traffic and see what is actually happening.

Source: The Hacker News.

 

Facebooktwitterredditlinkedinmailby feather

So You Thought Your iPhone Was Secure

The security of all computers is dependent on three things:

  • The Hardware
  • The Operating System
  • The Apps

When it comes to the iPhone, Apple does a great job of making sure the hardware is secure.  The Secure Enclave is the best in the industry and Apple spends a lot of money testing their hardware.  The good news for Apple users is that Apple controls all of the hardware because the make all of it.

The next piece is the operating system.  iOS has a great security reputation and pretty much forces all of the security patches into user’s devices whether they want them or not.

So what is left?

Yes, it is the apps.  Depending on the user and the phone, you could have 50 or a hundred or more apps on your phone.    That’s where the trouble starts.

Security researchers at Wandera evaluated about 30,000 popular apps found in the app store.  They noticed that data was being transmitted unencrypted because app security was turned off.

This seemed odd to the researchers since Apple’s app security framework, called App Transport Security or ATS, is turned on by default.  It comes included as part of Apple’s Swift development platform, so it is no additional work for the developers to use it.

The researchers found that 20,000 of the 30,000 apps had ATS turned off.

Their best guess is that the developers thought, maybe, that encryption would reduce the app’s performance, but on most phones that is not true.

For the last few versions of iOS, Apple even  made it possible for developers to only use ATS when they were transferring sensitive information, but apparently, app developers don’t care.

I think it is fair to say that the state of app security is similar to the state of web site security ten years ago (or older).

The challenge for the end user is that they really have no easy way to tell which apps are secure and which ones are not without being a security expert, which is not reasonable.

Unfortunately, I do not have a silver bullet.  I tend to minimize the number of apps that I have installed as one way to reduce my attack surface.  Maybe not the best answer, but the best one that I have.  Source: Dark Reading.

Facebooktwitterredditlinkedinmailby feather

One in Three Companies Suffered Data Breaches Due To Mobile Malware

As people use their mobile devices as what one friend used to call a “pocket super computer” as opposed to something where you dial 7 digits (remember that) and talk to someone, hackers have figured out that the new attack vector is your phone.

In part, this is due to the fact that finally, after 20 years of trying, Apple and Microsoft have significantly improved the security of their operating systems, making the hacker’s job more difficult (lets ignore for the moment that people are not very good about applying patches).

When it comes to phones and security, we are at roughly the same point we were with Windows computers in say 1995 or so.  That is not very comforting.

For example,  when was the last time you patched your phone?

In fact, DO YOU KNOW FOR SURE if there are patches available for your phone on a regular – monthly – basis?

For most iPhone users, Apple does provide patches for the operating system BUT NOT FOR THE APPLICATIONS THAT RUN ON IT. And not for old iPhones.

For Android users, it is a much more complicated situation that splits the job between Google, the phone manufacturer (such as LG or Samsung or 100 other vendors) and the carrier.  With one exception – Google provides patches directly to phones for Google branded phones.

According to a new Verizon report, one in three organizations ADMITTED that  they suffered a compromise due to a mobile device.  That is up five percent since last year.  And probably highly underreported.

Mobile devices are susceptible to many of the same attacks as Windows and Macs as well as a whole host of special mobile attacks.  And, no, Linux users are not in the clear.  Remember that the Android kernel is basically Linux and the iPhone OS is basically BSD Unix on top of a Mach kernel, so all phones are Linux cousins and other relatives.

And here is an interesting tidbit – OVER 80 percent of organizations BELIEVE their protections are either effective or very effective, even though less than 12 percent had implemented all basic protections: Encrypting data on public networks, changing default passwords, REGULARLY testing security systems and restricting access based on a need to know.

80% of the companies said they could spot a problem quickly.  Only problem is that 63% of the problems were found by customers.

Okay, so now that we have a kind of “state of the phone security union”, what should you do?

First, you should create a policy regarding mobile device security.

Part of that policy needs to include what mobile devices are allowed to access corporate data (for example, only phones which are running a currently supported operating system) and what happens if the mobile device does not meet those requirements.

Then you need to decide how you are going to enforce the rules – software generically called mobile device management (MDM) is the most efficient way to do that and there are many vendors of MDM software.

Next you need to set up the people and the processes to make this work from now forward.  (If you need help with this, contact us).

Not simple, not easy, but absolutely necessary.  Sorry.

Some information for this post came from CSO.

Facebooktwitterredditlinkedinmailby feather

What is YOUR Level of Paranoia?

A Houston lawyer is suing Apple alleging that Apple’s Facetime bug (still not fixed) that allowed people to eavesdrop even if you do not answer the call, allowed a private deposition to be recorded.

If you are among the geek crowd you probably know that the most paranoid person around, Edward Snowden, required reporters to put their phones in the freezer (not to keep them cold, but rather the metal box of the freezer kept radio waves out) when they were talking to him.

The lawyer is calling the bug a defective product breach and said that Apple failed to provide sufficient warnings and instructions.

I am not intimately familiar with Apple’s software license agreement, but assuming it is like every other one I have seen, it says that they are not responsible for anything and it is completely up to you to decide if the software meets your needs.

That probably conflicts with various defective product laws, but if that strategy had much promise you would think some lawyer would have tried that tactic before.

But the problem with the iPhone and the lawsuit do point out something.

We assume that every user has some level of paranoia.  Everyone’s level varies and may be different for different situations.  We call that your Adjustable Level of Paranoia of ALoP (Thanks James!)

YOU need to consider your ALoP in a particular circumstance. 

You should have a default ALoP.  Depending on who you are, that might be low or high.  You will take different actions based on that.

In this case, if the lawyer was really interested in security, he should not have allowed recorders (also known as phones and laptops) into the room.  He also should have swept for bugs.

That is a trade-off for convenience.  But, that is the way security works.  Low ALoP means high convenience.  High ALoP means lower convenience.  Ask anyone who has worked in the DoD world.   If you work in a classified environment you cannot bring your phone into the building.  They have lockers to store them in if you do.  If you ignore that rule you can lose your clearance or even get prosecuted.

Bottom line is that you need to figure out what your ALoP is for a particular situation and make adjustments accordingly.

Suing Apple will not solve this attorney’s problem.  There will be more software bugs.  I promise this was NOT the last one.

But the lawyer will get his 15 seconds of fame before the suit is settled or dismissed.

Source: ABC 13.

Facebooktwitterredditlinkedinmailby feather

Apple Didn’t Get It Quite Right – Again

Parental controls are generally a good thing.

Except when it blocks the wrong sites and lets the bad sites  through.

So what is Apple doing in this case?

Sites that are blocked: Scarleteen and O.school, which are sex education sites and Teen Vogue.

Sites that are OK: The Daily Stormer, a neo-nazi site that publishes articles about how women secretly like to be raped.

Web searches like “how to say no to sex”, “sex assault hotline” and “sex education” were all blocked.

But “how to poison my mom”, “how to join isis” and “how to make a bomb” were all okay.

Suffice it to say, Apple has a bit of work to do.

Apple did not respond to Motherboard’s request to explain what is going on.

This is a new feature in iOS 12 and if you remember what happened when Apple released it’s mapping program (like telling people to drive into the ocean), it takes some work to get this right.

There are lots more examples in the article, some rated a little less PG so I am not including them here.

My recommendation – if you want to block content, you should probably discuss that with your kids.  The Internet is a bit of a cesspool and for young kids, some protection is probably in order.  You should find a paid product (that has support available) that has been around for a while and has good reviews.  Apple, apparently, doesn’t fit into that category.  YET.

Information for this post came from Motherboard.

 

Facebooktwitterredditlinkedinmailby feather

Soldiers Get Lonely Too

If you can’t beat them on the battlefield, beat them in cyberspace.  Israel has accused Hamas of creating a fake dating app and targeting both male and female Israeli soldiers to download the app.

Once installed, the app has the ability to see the soldier’s location, contact list and to use the phone as a listening device and camera.

The app targeted Android phone users, likely because that was easier to do.  This is apparently the second generation of a surveillance app and is more sophisticated than the earlier app.  The user granted the app the permissions to do all of these things, which sort of makes sense for a dating app.

In an effort at spin control, the Israeli Defense Force said that the apps had failed to do any security damage at all, saying that some soldiers had refused to download the app and reported it to superiors.  They did admit that some soldiers had downloaded and installed the app.

In another situation, researchers at Northeastern University ran a small experiment to try and detect if their phones were eavesdropping on them.

They took what amounts to a tiny sample of apps – 17,000 out of millions – to see if the phone’s microphone was activated.  Out of this small sample, they didn’t find any.

What they did find, however, may be more disturbing.

They discovered that many of these apps were sending screenshots of the phone to third party domains and also video recordings of the user’s interaction with the apps.  There is only a very tiny step from there to listening to you in general.

The fact that these apps were doing this was not obvious to a normal user.

Given this, what do you do?

First, and you are not going to like this, read the user license agreement.  While only some of the apps that secretly recorded screenshots and video disclosed the fact in their license agreement, some of them did disclose it.

Second, if you are no longer using an app, uninstall it.  If the app is not there, it is hard to eavesdrop.

Finally, be cautious about installing apps.  Some people never met an app that they couldn’t use.  Being selective is probably just smart.

This, apparently, is both an Android and iPhone problem as some of the frameworks that mobile apps are built on top of intentionally offer this screen and video capture.  At least one vendor, Appsee, said they their developers are violating their license agreement by capturing user data without permission.  Once they were outed by the media, they disabled the video capture for a single app and feel a lot better about themselves.  Google also says this violates the Play store agreement.  Gee, I am sure that any hacker would be scared about that.

Other software platforms may not even care.

Until Google and Apple give you the ability to absolutely, positively know if your data is being captured, you have something else to be concerned about.

 

Information for this post came from The Guardian and Gizmodo.

Facebooktwitterredditlinkedinmailby feather