Secure Analysis

Now that iOS 5 has released and Apple CLAIMS to have fixed the issue, I believe its time for a full disclosure... What Users/Enterprises MUST know: I had reported a security vulnerability with iOS 4 implementation to Apple in OCT 2011. This vulnerability allows an attacker with physical possession of an iOS device or an attacker with the ability to remotely jailbreak a device to retrieve the victims EXCHANGE/Account (email or exchange account) credentials (username + password) in clear text. Hence, if an iOS 4 device is lost/unwillingly jailbroken, immediate steps MUST be taken to ensure that the users credentials are RESET or account locked. Remote administration options like Remote Wipe/Lock/Locate are not effective as an attacker can easily bypass or block remote administration options. This issue has been partially addressed and fixed by Apple in iOS 5. New changes in iOS 5 ensures that the credentials on an iOS device remain secure if a device is lost/stolen. However, the ri...

I had reported a potential flaw in the Android system that could be used to perform DOS (Denial-of-Service) on an Android Phone. The issue was caused by a poor programming assumption which could have been avoided with a good programming 101 course . I had developed a tool called c-ray to help me with quick and dirty pentest and analysis of android applications and system. I stumbled on the issue while playing around with android core system and c-ray application. The issue was caused by an input validation error caused by assumption of the developer. An intent to "android.accounts.GrantCredentialsPermission" class of android core system results in system crash and reboot of the system. Further analysis and reasons below.

I recently noticed that iOS MDM servers have the ability to connect to phones and initiate checkins even when a device is connected to WiFi. Packet analysis showed absolutely no communication between Apple PUSH service or MDM servers with the phone. On the contrary, the transaction was always magically initiated by the iOS device. How could this happen? As we know, iOS devices have 2 NIC's - one for WiFi and the other for 3G communication. On further analysis, I was able to observe that even though the device switched over to the WiFi network, the 3G network interface of the device was still active in the background and maintained a persisten connection to apple PUSH servers at port 5223 . Hence, whenever Apple or MDM servers wanted to send a PUSH notification, the notification was sent over 3G and in response the device responds back over WiFi. A simple netstat on the device reveals the following: netstat -a tcp4 0 0 10.XXX.XXX.XXX.4XXXX nk11p01st-courie.5223 ESTABLISHED The 3G/E...

I have been wanting to write a blog on this topic for quite a while and finally here I'm. With the rampant adoption and popularity of Android phones, Android apps and android market place are gaining wide spread popularity. I have noticed that most of the apps that we see/use now ask for seemingly harmless permissions like "READ PHONE STATE", "READ_SMS" etc. This post highlights the dangers and security flaws associated with "READ_SMS" permission on Android devices.

Mobile browsers and applications are gaining wide spread populrity with the evolution of iPhone, Android and other mobile platforms. Security has always played the catch-up game with evolution of technology. It was recently observed that gmail sessions opened using mobile browsers such as safari and Android webkit fails to invalidate the session id when a user logs outs. When a user logs out of gmail, the user is redirected to the login page and asked to re-enter the credentials. Though the end user sees a login page and cannot access inbox unless signed in again, the server session associated with the users login remains active at the server side and becomes an orphaned session. This flaw can be leveraged by an attacker to compromise a victims gmail account.

Google turns on SSL encryption for search  (Source: theregister.co.uk) This is indeed a good gesture from Google. In the era where Google is considered a synonym for Search, ensuring privacy of users accessing Google's search features is indeed a gesture that can win the confidence (at-least partially) of critics who question Google's commitment  towards protecting end user privacy. I believe, this move to ensure privacy of search and user information, especially from a company whose CEO has stated - "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place," is definitely a move in the right direction. Though this is not the ONE step that ensures absolute privacy from all standpoints, this certainly ensures that ones personal information stays secure from (third-party)eavesdroppers. As mentioned earlier, Google has become the one stop where people can search for explanations of health issues, me...

The Dark Future of Tech: Apple Syncs iPhone Security to Your Heart  (Source: www.thetelecomblog.com) Incorporating biometric features into iphone or devices of daily use certainly has its merits as well as demerits. It does certainly raise security to the next level wherein one's unique biometric identity becomes one's identitiy in the world of technology. Since biometric identities are unique, we would probably be heading in a direction where we would no longer require a password, access cards or even a key. The uniqueness of biometric signatures that provide security and privacy to technology is the demerit as well. If I lose a key or if my password gets compromised, I can procure a new key/password and ensure that my security and privacy is safeguarded. However, What if my biometric signature/identity is compromised? Will I be able to change the way my heart beats, my finger print or the signature of my Iris? What if I forget my phone which bears my biometric identity i...