Mobile platform security links
The following links contain information relevant to mobile platform security.
Custom URL
Starting an app by opening a custom URL scheme fails if no installed app has registered that scheme; the caller has to detect that case and fall back. Examples:
- http://mobile.tutsplus.com/tutorials/iphone/ios-sdk-working-with-url-schemes
- http://www.hunlock.com/blogs/AJAX_for_n00bs
- http://stackoverflow.com/questions/374644/how-do-i-capture-response-of-form-submit
- http://malsup.com/jquery/form
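The failure case in the note above, as an added Objective-C example (not code from any of the linked tutorials): check canOpenURL: before openURL: so a missing app is detected instead of failing silently, and on the receiving side treat the incoming URL as untrusted input. The scheme notesapp, the store fallback URL and the showNoteWithIdentifier: method are assumptions.

```objc
#import <UIKit/UIKit.h>

// Assumed: the scheme the other app registered in its CFBundleURLSchemes, and
// a placeholder App Store page to fall back to when it is not installed.
static NSString * const kTargetScheme = @"notesapp";
static NSString * const kStoreFallback = @"https://itunes.apple.com/app/id0000000000";

// Hands `urlString` to whichever app registered its scheme. Returns NO when no
// such app is installed (the case the note above describes), after sending
// the user to the store page instead of failing silently.
static BOOL LaunchViaCustomURL(NSString *urlString)
{
    UIApplication *app = [UIApplication sharedApplication];
    NSURL *url = [NSURL URLWithString:urlString];

    // canOpenURL: asks the system whether any installed app handles the scheme.
    // Without it openURL: simply returns NO and nothing visible happens.
    // From iOS 9 the scheme must also be listed under LSApplicationQueriesSchemes
    // in the calling app's Info.plist, otherwise canOpenURL: answers NO.
    if (url != nil && [app canOpenURL:url]) {
        return [app openURL:url];
    }
    [app openURL:[NSURL URLWithString:kStoreFallback]];
    return NO;
}

// Receiving side, in the app that owns the scheme. Any app or web page can
// trigger this, so the URL is untrusted input: accept only known actions and
// strictly typed parameters, and never use a parameter as a path or command.
@interface NotesAppDelegate : UIResponder <UIApplicationDelegate>
- (void)showNoteWithIdentifier:(NSInteger)identifier;   // assumed app method
@end

@implementation NotesAppDelegate

- (void)showNoteWithIdentifier:(NSInteger)identifier { /* app-specific */ }

- (BOOL)application:(UIApplication *)application
            openURL:(NSURL *)url
  sourceApplication:(NSString *)sourceApplication
         annotation:(id)annotation
{
    if (![[url scheme] isEqualToString:kTargetScheme]) return NO;

    // notesapp://open?id=42 -> host "open", query "id=42"
    if (![[url host] isEqualToString:@"open"]) return NO;

    NSArray *pair = [[url query] componentsSeparatedByString:@"="];
    if ([pair count] != 2 || ![[pair objectAtIndex:0] isEqualToString:@"id"]) return NO;

    NSString *value = [pair objectAtIndex:1];
    NSCharacterSet *nonDigits = [[NSCharacterSet decimalDigitCharacterSet] invertedSet];
    if ([value length] == 0 || [value length] > 9 ||
        [value rangeOfCharacterFromSet:nonDigits].location != NSNotFound) {
        return NO;                      // not a plain decimal id: refuse
    }
    [self showNoteWithIdentifier:[value integerValue]];
    return YES;
}

@end
```

sourceApplication only tells you the caller's bundle identifier; it is not a substitute for validating the URL itself, because a web page can also invoke the scheme.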
Operating system, update and security
Android, generic update overview:
- Android forum - help for update, Google:
Android security:
- http://jon.oberheide.org/files/cansecwest09-android.pdf
- https://www.defcon.org/images/defcon-18/dc-18-presentations/Lineberry/DEFCON-18-Lineberry-Not-The-Permissions-You-Are-Looking-For.pdf
- http://forum.stanford.edu/events/posterslides/AddressSpaceLayoutRandomizationinAndroid.pdf - ASLR in Android
iOS OTA update:
iOS Security:
- http://images.apple.com/iphone/business/docs/iOS_Security.pdf
- http://trailofbits.files.wordpress.com/2011/08/ios-security-evaluation.pdf
Keychain / crypto
iOS keychain:
- http://media.blackhat.com/bh-us-11/DaiZovi/BH_US_11_DaiZovi_iOS_Security_WP.pdf
- http://www.youtube.com/watch?v=uVGiNAs-QbY - Video demonstrating how iPhone 4 passwords are revealed in 6 minutes (Fraunhofer SIT). See the sc-iphone-passwords report below.
- http://sit.sit.fraunhofer.de/studies/en/sc-iphone-passwords.pdf - The details behind the video. Keychain items stored with a protection class other than the default, i.e. one that allows access without the device being unlocked, can be revealed within about 6 minutes without knowing the passcode. Items using the default protection class (accessible only while unlocked) are not exposed this way; revealing them requires brute-forcing the passcode.
- http://viaforensics.com/mobile-security/question-how-secure-is-ios-keychain.html
- http://www.readwriteweb.com/enterprise/2010/08/crack-iphone-keychains-with-ip.php
- http://blog.crackpassword.com/tag/ios-4/
- How to enable data protection on iOS 4: http://useyourloaf.com/blog/2011/5/27/ios-keychain-migration-and-data-protection-part-1.html
- http://www.h-online.com/security/features/iOpener-How-safe-is-your-iPhone-data-1266713.html?page=3 - good explanation of getting keychain secrets
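The protection-class choice the Fraunhofer report turns on, as an added Objective-C example (not code from any of the linked reports): a generic-password item stored with an explicit kSecAttrAccessible value, and a read path that handles the locked-device case. The service and account names are assumptions.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Assumed service name; the account string identifies the secret within it.
static NSString * const kService = @"com.example.app";

static NSMutableDictionary *KeychainQuery(NSString *account)
{
    NSMutableDictionary *q = [NSMutableDictionary dictionary];
    [q setObject:(__bridge id)kSecClassGenericPassword forKey:(__bridge id)kSecClass];
    [q setObject:kService forKey:(__bridge id)kSecAttrService];
    [q setObject:account forKey:(__bridge id)kSecAttrAccount];
    return q;
}

// Stores `secret`. kSecAttrAccessible is the attribute the Fraunhofer attack
// hinges on: kSecAttrAccessibleAlways and kSecAttrAccessibleAfterFirstUnlock
// items are decryptable on a booted device without the passcode, while the
// kSecAttrAccessibleWhenUnlocked* classes need it. The ThisDeviceOnly variants
// additionally keep the item out of backups and device migration.
static OSStatus StoreSecret(NSString *account, NSData *secret)
{
    NSMutableDictionary *q = KeychainQuery(account);
    SecItemDelete((__bridge CFDictionaryRef)q);       // replace any old item
    [q setObject:secret forKey:(__bridge id)kSecValueData];
    [q setObject:(__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly
          forKey:(__bridge id)kSecAttrAccessible];
    return SecItemAdd((__bridge CFDictionaryRef)q, NULL);
}

// Reads the item back. A WhenUnlocked item read while the device is locked
// (e.g. from a background task) fails with errSecInteractionNotAllowed; the
// caller must treat that as "retry when unlocked", not as "secret is gone".
static NSData *LoadSecret(NSString *account, OSStatus *status)
{
    NSMutableDictionary *q = KeychainQuery(account);
    [q setObject:(__bridge id)kCFBooleanTrue forKey:(__bridge id)kSecReturnData];
    [q setObject:(__bridge id)kSecMatchLimitOne forKey:(__bridge id)kSecMatchLimit];

    CFTypeRef result = NULL;
    OSStatus st = SecItemCopyMatching((__bridge CFDictionaryRef)q, &result);
    if (status != NULL) *status = st;
    if (st == errSecInteractionNotAllowed) return nil;   // device locked
    if (st != errSecSuccess) return nil;                 // errSecItemNotFound etc.
    return (__bridge_transfer NSData *)result;
}
```

Items added before the accessibility attribute was introduced keep whatever class they were created with; re-adding them (as StoreSecret does with SecItemDelete followed by SecItemAdd) is how an app migrates them to a stricter class.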
Android keychain:
- http://nelenkov.blogspot.com/2011/11/using-ics-keychain-api.html
- http://www.ehow.com/info_12183909_encryption-android.html - Claims that Android 2.3.4+ natively supports device-level encryption unlocked with the user's PIN. (Stock Android only gained full-disk encryption with 3.0, and on phones with 4.0; earlier devices relied on vendor additions.)
- http://www.scribd.com/doc/25036401/A-Security-Overview-in-Google-s-Android-Phone - Android Security Overview, good explanation and enhancement proposals.
iOS Data protection
- Tutorial on iOS 4 data protection (iPhone 4) - http://anthonyvance.com/blog/forensics/ios4_data_protection/
- http://esec-lab.sogeti.com/dotclear/public/publications/11-hitbamsterdam-iphonedataprotection.pdf
- http://securityxploded.com/demystifying-iphone-forensics-on-ios5.php - A shorter version of the Sogeti PDF above.
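The file side of data protection from the Sogeti and SecurityXploded write-ups, as an added Objective-C example (not code from those papers): writing a file with NSFileProtectionComplete, confirming the class that was actually applied, and reading it back only while protected data is available. The file path is an assumption.

```objc
#import <UIKit/UIKit.h>

// Assumed location inside the app sandbox.
static NSString *ProtectedPath(void)
{
    NSString *docs = [NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,
                                                          NSUserDomainMask, YES) lastObject];
    return [docs stringByAppendingPathComponent:@"session.bin"];
}

// Writes with NSFileProtectionComplete: the per-file key is wrapped with the
// passcode-derived class key, so the content is unreadable, and the key is
// evicted from memory, while the device is locked. Omitting the option on
// iOS 4 to 6 leaves the file at NSFileProtectionNone, which is what the
// forensic tools in the links above recover without the passcode.
static BOOL WriteProtected(NSData *data, NSString *path, NSError **error)
{
    return [data writeToFile:path
                     options:NSDataWritingAtomic | NSDataWritingFileProtectionComplete
                       error:error];
}

// Reads the class actually applied; useful as a unit-test assertion so a
// refactor cannot silently drop the protection.
static NSString *ProtectionClassOf(NSString *path)
{
    NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:path
                                                                           error:NULL];
    return [attrs objectForKey:NSFileProtectionKey];
}

// A Complete-protected file cannot be opened while the device is locked, e.g.
// from a background task. Check availability first and treat the locked case
// as "try later", not as a missing or corrupt file.
static NSData *ReadProtected(NSString *path, NSError **error)
{
    if (![[UIApplication sharedApplication] isProtectedDataAvailable]) {
        return nil;   // wait for applicationProtectedDataDidBecomeAvailable:
    }
    return [NSData dataWithContentsOfFile:path options:0 error:error];
}

// Raises the class of a file written before protection was enabled.
static BOOL RaiseProtection(NSString *path, NSError **error)
{
    NSDictionary *attrs = [NSDictionary dictionaryWithObject:NSFileProtectionComplete
                                                      forKey:NSFileProtectionKey];
    return [[NSFileManager defaultManager] setAttributes:attrs ofItemAtPath:path error:error];
}
```

None of this helps on a device without a passcode: the class keys are derived from it, so with no passcode set every class is effectively NSFileProtectionNone.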
Crypto libraries
Android
- BouncyCastle versions on Android
- http://www.java2s.com/Open-Source/Android/android-platform-external/bouncycastle/Catalogbouncycastle.htm (unknown Android version)
- http://stackoverflow.com/questions/6488658/can-i-use-latest-bouncycastle-provider-on-android
- http://code.google.com/p/android/issues/detail?id=3280
- http://www.google.com/codesearch#cZwlSNS7aEw/external/bouncycastle/src/main/java/org/bouncycastle/jce/PKCS10CertificationRequest.java&exact_package=android&q=class:PKCS10CertificationRequest&l=237
iOS
- http://developer.apple.com/library/ios/#documentation/Security/Conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html
- http://developer.apple.com/library/ios/#documentation/System/Conceptual/ManPages_iPhoneOS/man3/CCCryptor.3cc.html#//apple_ref/doc/man/3cc/CCCryptor
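An added Objective-C/C example built on the CCCryptor and key-derivation APIs from the man pages above (not Apple sample code): password-based encryption of a blob as AES-256-CBC with a PBKDF2-derived key, a fresh random salt and IV, and an HMAC-SHA256 tag verified before decryption. The on-disk layout and the constants are assumptions. It also shows what the man page leaves to the caller: CCCrypt alone provides no integrity, and the padding error it returns on a tampered message becomes a padding oracle unless the tag is checked first.

```objc
#import <Foundation/Foundation.h>
#import <Security/SecRandom.h>
#import <CommonCrypto/CommonCryptor.h>
#import <CommonCrypto/CommonKeyDerivation.h>
#import <CommonCrypto/CommonHMAC.h>

// Assumed layout: salt || iv || ciphertext || HMAC-SHA256(iv || ciphertext).
enum { kSaltLen = 16, kIVLen = kCCBlockSizeAES128, kTagLen = CC_SHA256_DIGEST_LENGTH,
       kKeyLen = kCCKeySizeAES256, kRounds = 10000 };

// PBKDF2-HMAC-SHA256 -> 64 bytes: first half is the AES key, second the MAC key.
static BOOL DeriveKeys(NSString *password, const uint8_t *salt, uint8_t keys[2 * kKeyLen])
{
    const char *pw = [password UTF8String];
    return CCKeyDerivationPBKDF(kCCPBKDF2, pw, strlen(pw), salt, kSaltLen,
                                kCCPRFHmacAlgSHA256, kRounds, keys, 2 * kKeyLen) == kCCSuccess;
}

// Constant-time comparison; memcmp would leak where the tag first differs.
static BOOL TagsEqual(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

NSData *SealWithPassword(NSData *plain, NSString *password)
{
    size_t cipherCap = [plain length] + kCCBlockSizeAES128;   // room for PKCS#7 padding
    NSMutableData *out = [NSMutableData dataWithLength:kSaltLen + kIVLen + cipherCap + kTagLen];
    uint8_t *salt = [out mutableBytes];
    uint8_t *iv = salt + kSaltLen;
    uint8_t *cipher = iv + kIVLen;

    // Fresh salt and IV per message from the system CSPRNG.
    if (SecRandomCopyBytes(kSecRandomDefault, kSaltLen + kIVLen, salt) != 0) return nil;
    uint8_t keys[2 * kKeyLen];
    if (!DeriveKeys(password, salt, keys)) return nil;

    // kCCAlgorithmAES128 names the block size; a 32-byte key selects AES-256.
    size_t cipherLen = 0;
    CCCryptorStatus st = CCCrypt(kCCEncrypt, kCCAlgorithmAES128, kCCOptionPKCS7Padding,
                                 keys, kKeyLen, iv, [plain bytes], [plain length],
                                 cipher, cipherCap, &cipherLen);
    if (st != kCCSuccess) { memset(keys, 0, sizeof keys); return nil; }

    // Encrypt-then-MAC over iv || ciphertext, tag placed right after the ciphertext.
    CCHmac(kCCHmacAlgSHA256, keys + kKeyLen, kKeyLen, iv, kIVLen + cipherLen, cipher + cipherLen);
    [out setLength:kSaltLen + kIVLen + cipherLen + kTagLen];
    memset(keys, 0, sizeof keys);
    return out;
}

NSData *OpenWithPassword(NSData *sealed, NSString *password)
{
    if ([sealed length] < kSaltLen + kIVLen + kCCBlockSizeAES128 + kTagLen) return nil;
    const uint8_t *salt = [sealed bytes];
    const uint8_t *iv = salt + kSaltLen;
    const uint8_t *cipher = iv + kIVLen;
    size_t cipherLen = [sealed length] - kSaltLen - kIVLen - kTagLen;
    const uint8_t *tag = cipher + cipherLen;

    uint8_t keys[2 * kKeyLen];
    if (!DeriveKeys(password, salt, keys)) return nil;

    // Verify the tag BEFORE decrypting: a CCCrypt padding failure on a
    // tampered message would otherwise act as a padding oracle.
    uint8_t expected[kTagLen];
    CCHmac(kCCHmacAlgSHA256, keys + kKeyLen, kKeyLen, iv, kIVLen + cipherLen, expected);
    if (!TagsEqual(expected, tag, kTagLen)) { memset(keys, 0, sizeof keys); return nil; }

    NSMutableData *plain = [NSMutableData dataWithLength:cipherLen];
    size_t plainLen = 0;
    CCCryptorStatus st = CCCrypt(kCCDecrypt, kCCAlgorithmAES128, kCCOptionPKCS7Padding,
                                 keys, kKeyLen, iv, cipher, cipherLen,
                                 [plain mutableBytes], cipherLen, &plainLen);
    memset(keys, 0, sizeof keys);
    if (st != kCCSuccess) return nil;
    [plain setLength:plainLen];
    return plain;
}
```

CCKeyDerivationPBKDF is iOS 5 and later; on iOS 4 the password has to be stretched some other way, and kRounds should be tuned on the target device (CCCalibratePBKDF gives a starting point) rather than left at a fixed value.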
Application Stores
Overview
- http://en.wikipedia.org/wiki/Android_Market
- http://en.wikipedia.org/wiki/App_Store_%28iOS%29
- http://en.wikipedia.org/wiki/Ovi_%28Nokia%29
- http://allaboutwindowsphone.com/news/item/13913_Windows_Phone_Marketplace_pass.php - detailed statistics for Marketplace.
- http://www.pcpro.co.uk/news/security/362485/microsoft-details-windows-phone-7-kill-switch
Threats / malware
- McAfee's down-to-earth analysis of security risks for mobile devices - http://www.mcafee.com/us/resources/reports/rp-securing-mobile-devices.pdf
- http://download.microsoft.com/download/0/3/3/0331766E-3FC4-44E5-B1CA-2BDEB58211B8/Microsoft_Security_Intelligence_Report_volume_11_English.pdf
- http://www.securelist.com/en/analysis/204792194/ZeuS_in_the_Mobile_Facts_and_Theories - ZitMo in detail, for Symbian, Windows Mobile, BlackBerry and Android.
- http://www.symantec.com/content/en/us/about/media/pdfs/symc_mobile_device_security_june2011.pdf
- http://www.symantec.com/about/news/release/article.jsp?prid=20110627_02&om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Jun_worldwide_mobilesecuritywp - Symantec press release for the whitepaper above: Apple's iOS and Google's Android platforms cite improved security over PCs, but major gaps remain.
- http://press.pandasecurity.com/usa/wp-content/uploads/2011/06/CNCCS-Smartphone-Malware-Full-Report-Translated-06-7-11-FINAL.pdf
Android
- http://www.symantec.com/connect/blogs/new-android-threat-gives-phone-root-canal - About 50 apps from Android Market contained malware.
- http://www.androidpolice.com/2012/01/24/lookout-releases-mobile-threat-tracker-a-pretty-way-to-visualize-how-many-threats-lookout-finds-on-a-daily-basis-and-thats-about-it/
- http://www.androidpolice.com/2010/12/09/gingerbread-sdk-closes-a-tapjacking-vulnerability/
- http://blog.appuarium.com/2011/09/19/malicious-apps-found-on-google-android-market/ - A statically linked "asroot" ELF binary tried to exploit Linux kernel vulnerabilities (CVE-2009-2692, CVE-2008-0010 and CVE-2008-0600); the apps have been removed from the Market.
- http://securitywatch.pcmag.com/none/291627-android-malware-found-in-fake-angry-birds-cut-the-rope-and-more - Trojan that sends SMS messages.
- http://blog.appuarium.com/2011/10/09/malware-prevalence-in-android-markets/
- http://www.sans.org/reading_room/whitepapers/pda/reverse-engineering-malware-android_33769
Windows Phone Marketplace
- http://www.afterdawn.com/news/article.cfm/2011/09/11/microsoft_pulls_avg_anti-virus_app_from_windows_phone_marketplace - sends too much private data to AVG
- http://www.wpcentral.com/psa-chrome-broswer-scam-alert-windows-phone-marketplace - Fake Chrome browser app for $0.99
- http://www.wpcentral.com/fake-spotify-app-removed-marketplace - Fake Spotify app for $1.99
- http://www.windows8update.com/2012/01/02/fake-spotify-app-hits-windows-phone-marketplace/
Nokia store
- http://www.developer.nokia.com/Distribute/Packaging_and_signing.xhtml
- http://articles.cnn.com/2011-05-12/tech/kill.switch_1_android-phones-nokia-s-symbian-app-store?_s=PM:TECH
Firewall and anti-trojan / anti-virus
Firewall
- Wikipedia: "permit or deny network transmissions based upon a set of rules"
Firewall programs from the application stores App Store / Market:
- Android: Droidwall (requires root)
- iOS: none (Lookout only warns when the device is on an unencrypted Wi-Fi network)
Anti-trojan / anti-virus
Protection from malicious apps: anti-virus, blocking of outgoing calls and SMS, and similar.
- Android: AVG, Avast, Kaspersky, Lookout, Symantec Norton
- iOS: none (Intego VirusBarrier runs on iOS but scans email attachments for Mac/Windows malware)
Android Market:
- https://market.android.com/details?id=com.antivirus&feature=more_from_developer - Antivirus Free (AVG Mobilation)
- https://market.android.com/details?id=com.avast.android.mobilesecurity&feature=related_apps - avast! Mobile Security (AVAST Software)
- https://market.android.com/details?id=com.kms&feature=related_apps - Kaspersky Mobile Security (Kaspersky Lab)
- https://market.android.com/details?id=com.lookout&feature=related_apps - Lookout Security & Antivirus (Lookout Mobile Security)
- https://market.android.com/details?id=com.symantec.mobilesecurity&feature=related_apps - Norton Security and Antivirus (NortonMobile)
Developing
- Analyzing Inter-Application Communication in Android - ComDroid tool
- http://isecpartners.com/files/iSEC_Securing_Android_Apps.pdf
- http://www.isecpartners.com/storage/docs/presentations/Secure_Development_on_iOS.pdf