Obfuscating to a small self contained library .jar

In the case you would like to create a library jar file, you could:

• Run Proguard once on the library .jar file - this can make the library self-contained and prevent package name collisions.
• Run Proguard once on the application that uses the library file.

Step by step:

1. Ofuscation of library jar is based on http://proguard.sourceforge.net/index.html#manual/examples.html - A typical library.
2. To make the library .jar small, list classes to be kept explicitely instead of -keep public class * {public protected *;}
• -keep public class my.package1.* {*;}
• -keep public class my.package2.* {*;}
3. To make the library smaller, remove unused classes and obfuscate the used ones, omit -dontshrink
4. To optimize and remove dead code, omit -dontoptimize
5. In the case of "Unknown verification type [32] in stack map frame" problems when obfuscating the app, try disabling optimizing rules of the library according to http://proguard.sourceforge.net/index.html#manual/optimizations.html. Examples that can be tried until no more errors:
1. -optimizations !class/merging/*, !field/*, !method/*, !code/*
2. -optimizations  !code/*, !field/*
3. -optimizations !field/*
4. -optimizations !field/propagation/value
6. Finally, repackage classes to your organizations domain (www.package.my):
1. -allowaccessmodification
2. -repackageclasses 'my.package'

You should now have a library .jar where all or most classes are obfuscated located under my.package.*.class

Encap won the award in the Funded category for Norwegian Startups in the Nordic Startup Awards 2012-11-13 at MESH. Thank you for the votes, and thanks to our sustaining investor Alliance Venture. The award includes mentoring and partly TINC funding. The Nordic finale is in Copenhagen 7 Dec 2012.

Ensafer was also among the finalists in the Bootstrapper category - it belongs to the story that Encap and Ensafer apply for a research project together. Ensafer launches Dropbox encryption.

Encap has passed several phases during development. Initially, we put effort in making the product covering ca. 80% of the mobile devices in the consumer market, university and third party evaluations, and approval for the norwegian banking standards. Recently, effort has been made to make the product easy available for developers and integrators, this will be available at http://developer.encapsecurity.com within Dec 2012.

Update of Samsung Nexus S from 2.3.6 to Android 4.0 OTA A pop-up dialog is shown approximately after update is downloaded and ready for install. Pushing the the button for “More Information” reveals it’s an OTA update to Android 4.0.4. Pushing the button for restart and install starts the update that will last a few minutes before Android 4 is waking up:

List of SSL/TLS root certificates

Before purchasing an SSL/TLS certificate for a web server, it is interesting to know whether the mobile device accepts the certificate.

Procedure

1. Download http://bouncycastle.org/download/bcprov-jdk16-141.jar and place it on $JAVA_HOME/jre/lib/ext/

2. get the certificates file

adb pull /system/etc/security/cacerts.bks cacerts.bks 

3. List certificates with keytool.

keytool -list -v -storetype BKS \
      -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
      -keystore ~/Downloads/cacerts.bks.SE_X10 \
       | grep ^Issuer | sort | cut -b 9-

Enter keystore password:

When prompted for password, push enter and ignore the warning. The result will be a list of TLS/SSL certificates that can be inspected. Example findings:

• Sony Ericsson X10 mini pro: RapidSSL not present.

• Mobile Security - Android vs. iOS: http://www.veracode.com/resources/android-ios-security
• The 2012 Accenture Consumer Electronics Products and Services Usage Report: http://www.accenture.com/SiteCollectionDocuments/PDF/Accenture_EHT_Research_2012_Consumer_Technology_Report.pdf

• Automated scanning of Android Market for potentially malicious software
• Windows Phone 8 adds inter-app communication among other
• Phonegap - how to notify Javascript when asynchronous operation is finished
• Windows Phone compared to IOS and Android (1st chapter from Manning book)

Mobile platform security links

The following links contain information relevant for mobile platform security.

Custom URL

Starting an app by opening a custom URL will fail if the app is not installed. Exampes.

• http://mobile.tutsplus.com/tutorials/iphone/ios-sdk-working-with-url-schemes
• http://www.hunlock.com/blogs/AJAX_for_n00bs
• http://stackoverflow.com/questions/374644/how-do-i-capture-response-of-form-submit
• http://malsup.com/jquery/form

Operating system, update and security

Android, generic update overview:

• Android forum - help for update, Google:
  • http://www.google.com/support/forum/p/Google+Mobile/label?lid=551c5c4cca827a18&hl=en

• http://www.theregister.co.uk/2011/11/22/android_patching_mess/
  • http://www.bit9.com/company/news-release-details.php?id=227
  • http://blog.bit9.com/bid/72676/Orphan-Android-The-Not-So-Smartphones-of-2011

• http://www.theregister.co.uk/2011/10/25/aslr_comes_to_android/

Android security:

• http://jon.oberheide.org/files/cansecwest09-android.pdf
• https://www.defcon.org/images/defcon-18/dc-18-presentations/Lineberry/DEFCON-18-Lineberry-Not-The-Permissions-You-Are-Looking-For.pdf
• http://forum.stanford.edu/events/posterslides/AddressSpaceLayoutRandomizationinAndroid.pdf ASLR

iiOS OTA update:

• http://mashable.com/2011/11/10/ios5-ota-faq/

iOS Security:

• http://images.apple.com/iphone/business/docs/iOS_Security.pdf
• http://trailofbits.files.wordpress.com/2011/08/ios-security-evaluation.pdf

Keychain / crypto

iOS keyChain

• http://media.blackhat.com/bh-us-11/DaiZovi/BH_US_11_DaiZovi_iOS_Security_WP.pdf
• http://www.youtube.com/watch?v=uVGiNAs-QbY - Video demostrating revealing iPhone 4 passwords in 6 minutes (Fraunhofer SIT). See the report sc-iphone-passwords below.
• http://sit.sit.fraunhofer.de/studies/en/sc-iphone-passwords.pdf - Shows the details from the video - seems to show that secrets in keychain stored with "some protection class different from default" can be revealed within 6 miutes. Apps using keychain with default protection are protected (brute force attack required to reveal).
• http://viaforensics.com/mobile-security/question-how-secure-is-ios-keychain.html
• http://www.readwriteweb.com/enterprise/2010/08/crack-iphone-keychains-with-ip.php
• http://blog.crackpassword.com/tag/ios-4/
• How to enable data protection on iOS4: http://useyourloaf.com/blog/2011/5/27/ios-keychain-migration-and-data-protection-part-1.html
• http://www.h-online.com/security/features/iOpener-How-safe-is-your-iPhone-data-1266713.html?page=3 - good explanation of getting keychain secrets

Android keychain:

• http://nelenkov.blogspot.com/2011/11/using-ics-keychain-api.html
• http://www.ehow.com/info_12183909_encryption-android.html - Android 2.3.4+ - natively support for device-level encryption. File based encryption locks device with user PIN
• http://www.scribd.com/doc/25036401/A-Security-Overview-in-Google-s-Android-Phone - Android Security Overview, good explanation and enhancement proposals.

iOS Data protection

• Tutorial of data encryption in iPhone4 - http://anthonyvance.com/blog/forensics/ios4_data_protection/
• http://esec-lab.sogeti.com/dotclear/public/publications/11-hitbamsterdam-iphonedataprotection.pdf
• http://securityxploded.com/demystifying-iphone-forensics-on-ios5.php - a shorter ersion of the Sogeti .pdf above.

Crypto libraries

Android

• BouncyCastle versions on Android
• http://www.java2s.com/Open-Source/Android/android-platform-external/bouncycastle/Catalogbouncycastle.htm (unknown Android version)
• http://stackoverflow.com/questions/6488658/can-i-use-latest-bouncycastle-provider-on-android
• http://code.google.com/p/android/issues/detail?id=3280
• http://www.google.com/codesearch#cZwlSNS7aEw/external/bouncycastle/src/main/java/org/bouncycastle/jce/PKCS10CertificationRequest.java&exact_package=android&q=class:PKCS10CertificationRequest&l=237

iOS

• http://developer.apple.com/library/ios/#documentation/Security/Conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html
• http://developer.apple.com/library/ios/#documentation/System/Conceptual/ManPages_iPhoneOS/man3/CCCryptor.3cc.html#//apple_ref/doc/man/3cc/CCCryptor

Application Stores

Overview

• http://en.wikipedia.org/wiki/Android_Market
• http://en.wikipedia.org/wiki/App_Store_%28iOS%29
• http://en.wikipedia.org/wiki/Ovi_%28Nokia%29

• http://allaboutwindowsphone.com/news/item/13913_Windows_Phone_Marketplace_pass.php - detailed statistics for Marketplace.

• http://www.pcpro.co.uk/news/security/362485/microsoft-details-windows-phone-7-kill-switch

Threats / malware

• MacAffee down-to-earth analysis of security risks for mobiles - http://www.mcafee.com/us/resources/reports/rp-securing-mobile-devices.pdf
• http://download.microsoft.com/download/0/3/3/0331766E-3FC4-44E5-B1CA-2BDEB58211B8/Microsoft_Security_Intelligence_Report_volume_11_English.pdf

• http://www.securelist.com/en/analysis/204792194/ZeuS_in_the_Mobile_Facts_and_Theories - ZitMo - in details, for Symbian, Windows Mobile, Blackberry and Android.

• http://www.symantec.com/content/en/us/about/media/pdfs/symc_mobile_device_security_june2011.pdf
• http://www.symantec.com/about/news/release/article.jsp?prid=20110627_02&om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Jun_worldwide_mobilesecuritywp - Apple’s iOS and Google’s Android Platform Cites Improved Security over PCs, but Major Gaps Remain.
• http://press.pandasecurity.com/usa/wp-content/uploads/2011/06/CNCCS-Smartphone-Malware-Full-Report-Translated-06-7-11-FINAL.pdf

Android

• http://www.symantec.com/connect/blogs/new-android-threat-gives-phone-root-canal - Ca. 50 apps from Android Market contained malware.
• http://www.androidpolice.com/2012/01/24/lookout-releases-mobile-threat-tracker-a-pretty-way-to-visualize-how-many-threats-lookout-finds-on-a-daily-basis-and-thats-about-it/
• http://www.androidpolice.com/2010/12/09/gingerbread-sdk-closes-a-tapjacking-vulnerability/

• http://blog.appuarium.com/2011/09/19/malicious-apps-found-on-google-android-market/ - "asroot" static linked ELF file tried to exploit Linux Kernel vulnerabilities (CVE-2009 -2692, CVE-2008 -0010 and CVE-2008 -0600) - apps have been removed from Market.

• http://securitywatch.pcmag.com/none/291627-android-malware-found-in-fake-angry-birds-cut-the-rope-and-more - trojan sends SMS

• http://blog.appuarium.com/2011/10/09/malware-prevalence-in-android-markets/
• http://www.sans.org/reading_room/whitepapers/pda/reverse-engineering-malware-android_33769

Windows Phone Marketplace

• http://www.afterdawn.com/news/article.cfm/2011/09/11/microsoft_pulls_avg_anti-virus_app_from_windows_phone_marketplace - sends too much private data to AVG
• http://www.wpcentral.com/psa-chrome-broswer-scam-alert-windows-phone-marketplace - Fake chrome browser app for $0.99
• http://www.wpcentral.com/fake-spotify-app-removed-marketplace - Fake spotify app for $1.99
• http://www.windows8update.com/2012/01/02/fake-spotify-app-hits-windows-phone-marketplace/

Nokia store

• http://www.developer.nokia.com/Distribute/Packaging_and_signing.xhtml
• http://articles.cnn.com/2011-05-12/tech/kill.switch_1_android-phones-nokia-s-symbian-app-store?_s=PM:TECH

Firewall and anti trojan / anti virus

Firewall

• Wikipedia: "permit or deny network transmissions based upon a set of rules"

Firewall programs from the application stores App Store / Market:

• Android: Droidwall (requires root)
• iOS: None (Lookout: Warn if on unencrypted WiFi)

Anti trojan / anti virus

Protection from malicious apps - anti-virus, block outgoing calls and SMS, and similar.

• Android: Avg, Avast, Kaspersky, Lookout, Symantec Norton
• iOS: None (Intego VirusBarrier: Mac/Windows email virus scanner running on iOS)

Android Market:

• https://market.android.com/details?id=com.antivirus&feature=more_from_developerAntivirus FreeAVG Mobilation
• https://market.android.com/details?id=com.avast.android.mobilesecurity&feature=related_appsavast! Mobile SecurityAVAST Software
• https://market.android.com/details?id=com.kms&feature=related_appsKaspersky Mobile SecurityKaspersky Lab https://market.android.com/details?id=com.lookout&feature=related_appsLookout Security & AntivirusLookout Mobile Security
• https://market.android.com/details?id=com.symantec.mobilesecurity&feature=related_appsNorton Security and AntivirusNortonMobile

Developing

• Analyzing Inter-Application Communication in Android - ComDroid tool
• http://isecpartners.com/files/iSEC_Securing_Android_Apps.pdf
• http://www.isecpartners.com/storage/docs/presentations/Secure_Development_on_iOS.pdf