Category Archives: Mobile Security

Top 5 Security Settings for Apple iPhones and iPads

0
Filed under Apple, Mobile Security
Tagged as , , , , , , , ,

Apple mobile devices are among the most popular gadgets today. In fact, Apple reports that 250 million iOS devices have been sold and 18 million apps downloaded. I often find that, while the popularity of these devices increases, many don’t understand the basic security features that Apple makes available to them. Some of you may not even realize that these features exist and how easy they are to use. Let’s walk through the top five security settings for these devices:

#1 – The Passcode
This is the most important security feature of your device. It’s also one of the least configured settings. While it may be a pain to “unlock” your device when you want to use it, it’s also your first line of defense if your device is ever lost or stolen. The key to the passcode is to ensure its complex and greater than 4 characters or digits. Never use simple passcodes like “1234” or your ATM PIN number. The two other settings that you need to set are to “Require Passcode Immediately” and set “Simple Passcode” to OFF. You can find these settings under the “Settings” icon then “Passcode Lock”.

#2 – Erase Data
The erase data functionality adds another layer of security to your device. This function will erase all data after 10 failed passcode attempts. What this means is that if someone steals your device and tries to brute force your passcode, if they enter it incorrectly, the device is erased and returned to the factory default settings. Turn “Erase Data” to ON in the Passcode Lock screen.

#3 – Find My iPhone/iPad
If you ever lose or misplace your iPhone or iPad, “Find My iPhone/iPad” is a very important feature to enable. Simply download the application on your device or access it through iCloud (icloud.com). If your device is iOS 4 or below you will need to use the “MobileMe” (me.com) feature instead of iCloud. Either way, you will need to login with your Apple ID to set it up. You can then send the device a message or alert, locate the device on Google Maps, remotely set a passcode, and remotely erase the device. This feature is invaluable if your device is lost or stolen.

#4 – Backup Encryption
One of the more obscure settings that many users don’t set is the “Encrypt Backup” setting, which is found in iTunes. This setting even applies to the new iCloud service in iOS 5. This setting ensures that the backup of your device is encrypted. It goes without saying, if you can access this backup, the data on your device can be accessed and harvested. For example, earlier last year there was a “feature” in which Geolocation data could be easily harvested from the backup file. This has since been remediated, but just think how much information could be harvested about you through an unencrypted backup file.

#5 – Keep iOS Updated
Making sure that you always have the latest version of Apple iOS on your device is important because Apple is always releasing security updates and implementing new security controls. Simply plug your device into iTunes and you will get prompted to update your phone to the latest version. As a side note, don’t Jailbreak your device! Jailbreaking makes many of the built in security features useless and allows your device to be an easy target for data theft.

Ensuring that you have enabled and configured these security settings on your Apple iOS device is more important than ever. Devices like these are lost or stolen all the time and without taking the proper precautions, your data could be vulnerable. Having conducted Apple iOS device penetration testing assessments at SecureState for our clients, I can tell you how easy it is to break into these devices. It’s easy because the proper basic precautions were not taken. Take five minutes now and enable these settings; you’ll be glad you did.

Cross-posted from the SecureState Blog

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Attacking and Defending Apple iOS Devices Presentation

0
Filed under Apple, Mobile Security, Penetration Testing
Tagged as , , , , , ,

Last week I spoke at the Central Ohio ISSA Conference about Attacking and Defending Apple IOS Devices.  This talk was based on information gathered from several of the mobile pentests that I conducted at SecureState.  I’ll be working on more research that will be going into an white paper that I will hopefully be releasing in the next few months.  You can find my slides on SlideShare below and watch the video graciously recorded by Iron Geek.

UPDATE (5/27): I found a very nice script by Patrick Toomey which can dump the contents of the keychain on Jailbroken iOS devices.  More details about how the script runs can be found in this blog post.  Note that the type of information you get back depends if the passcode is enabled or not.  You will get more keychain entries back if the passcode is not enabled.  I had mentioned in my presentation that I hadn’t found a script to do this yet…well here it is. :-)


Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Facebook SPAM on BlackBerry Devices

4
Filed under Mobile Security, Social Networks
Tagged as , , , , ,

I always thought the Facebook Application for BlackBerry was a buggy, slow piece of junk.  Now I have noticed that this application is being abused by spammers to propagate Viagra and Percocet SPAM.  The screen shot to the right is an actual Facebook notification I received on my BlackBerry.

There seems to be an interesting bug in the Facebook Application for BlackBerry in which a spammer can spoof the “facebookmail.com” domain to have SPAM messages show up in your notifications list within the BlackBerry Facebook application.  This only works if you have the Facebook for BlackBerry Application installed AND you have an email account configured on your BlackBerry (yes, this includes a corporate email account as well).  The email account you have configured on your BlackBerry is where you actually receive the SPAM message, not through Facebook.

The Facebook Application for BlackBerry appears to notify on any new email in one of your BlackBerry mailbox’s with “*.facebookmail.com” in the sender or return-path field.  This is a win for the spammer because now you think Facebook is spamming you and with the addition of an email, you’re more tempted to click on the link.  The Facebook Application for BlackBerry is no stranger to controversy and this particular bug has been noticed recently by others as well.  It also appears that this bug only affects the BlackBerry Facebook application.  When testing the iPhone app I couldn’t replicate the issue.

To test this bug I used EXIM4 in Ubuntu as a mail relay with mailtools to send the email.  This allowed me to send a spoofed email as “agent0x0@facebookmail.com” to one of the email accounts I have configured on my BlackBerry.  Here are screen shots of the spoofed email in my inbox and what it looks like in the Facebook Application for BlackBerry:

My opinion is that a mobile Facebook application should never be polling your personal email for these messages…but then again this could be a “feature” of this nicely designed application, right? :-)  Special thanks to Kevin Johnson for helping with some of the research/testing.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Potential dangers of BlackBerry Syncing Applications

1
Filed under Mobile Security
Tagged as , , ,

Syncing dangers?

Do you have a BlackBerry for work and you have a corporate policy pushed down and managed by your corporate IT team? Depending on how locked down the policy is for your corporate BlackBerry deployment you may be syncing sensitive or confidential data to a public web site.

So I recently installed the Facebook Blackberry Application v1.5 on my BlackBerry and noticed two interesting settings. First, you can sync your Facebook calendar with your BlackBerry calendar. Second, you can sync your Facebook contacts with your BlackBerry contacts. As far as I can tell syncing is only one way…sort of. The Facebook application has a disclaimer when you install the application that says:

Facebook will “periodically send copies of your BlackBerry device Contacts to Facebook Inc. to match and connect with your Facebook Friends.”

So does this mean Facebook has a copy of your corporate contacts? They must somewhere to do the proper sync matching. There is another disclaimer at the bottom of the “setup wizard” that says you allow Facebook to do this interaction per the same way applications have access to your profile data in Facebook. Interesting. Again, not a nightmare situation…but if any of your business contacts are sensitive in nature I would be hesitant to enable this feature. Worse case? I couldn’t think of a worse security nightmare then of all your users automatically sending sensitive calendar entries with proprietary data to Facebook! So yeah, one way is good. For now one way sync is all the Facebook application does but I would be willing to bet that this will change in the future. Be careful with this one.

So lets step this up a bit. What about two way syncing applications like Google Sync? Google Sync will sync your Google Calendar/Contacts with your Blackberry Calendar/Contacts…both ways! This might be a real problem if you make your Google Calendar public or share it with a group of friends. Same goes for your business contacts. You may have just given Google (and possibly the world) all your business calendar entries. Well..we know Google isn’t evil, right? :-/

What can we do about this? As a user…opt out of installing any syncing apps on your corporate BlackBerry for starters. But what about blocking syncing on the device via BES policy? As far as I can tell the only way is to block the application from being installed via policy. This will become problematic when Google/Facebook releases new versions for example. Not sustainable. I’m no BES administrator but there might be other ways to prevent the application from being installed or the syncing from happening but it brings up some interesting discussion. By the way, there are some problems when you have the Facebook application and Google Sync installed at the same time. No thanks.

Something else to think about. How does your company handle BlackBerry deployments? Are they company issued and owned? Or do you allow your users to own them and the company pays for the data plan? All of this would have to be considered before blocking or preventing syncing applications (or any third-party application) from being installed. If you have any thoughts or ideas on this, comment below!

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS