THE ULTIMATE GUIDE TO MOBILE SECURITY 3/12

Android Forensics
by Manish Chasta
Smartphones are changing the IT and Communication landscape vastly. A Smartphone can do almost every good thing a computer can do. Today most of the corporate employee access and manage their official e-mails through the e-mail client installed on their Smartphone. Right from booking movie tickets to making fund transfers, all e-commerce and online banking transactions can be done using a Smartphone. With high speed of 3G, Smartphones are getting more popular specially among working professionals and students.

Data Handling on iOS Devices
by Dominic Chell
With over half a million apps in the App Store, Apple’s trademark slogan “There’s an app for that” is bordering on reality. We use these apps for online banking, social networking and e-mail without really knowing if they’re communicating and storing our personal data securely. With Apple controlling over 52% of the mobile market [1], iOS apps are becoming more closely scrutinised in a world where the security of our personal data is
paramount. In the last year, MDSec’s consultants have performed an increasing number of security assessments of iOS applications and their supporting architecture where data security is paramount, specifically the retail/business banking sector.

An Overview of Web Application Security Issues
by Julian Evans
Web application security is very much in its infancy – some security experts believe this is going to be a major emerging area of technology. Nowadays web apps are more complex and are based on a client-server architecture. This architecture is evolving and we see web apps such as Google Apps acting as a word processor, storing the files and allowing you to download the file onto your PC. Facebook and the social web have also moved into Web apps hence the recent coined phrase Web 3.0. This is the overview article in which author points out the most current issues in area of Web App security, such as: programming development, JavaScript API, AJAX programming, mobile security or Facebook app security and authentification.

Movement on the Mobile Exploit Front
by Tam Hanna
All of the exploits and security issues mentioned in this article are the results of plain carelessness of the responsible programmer. Had they been aware of the most basic elements of security, these would have never happened. Unfortunately, developers working at carriers and device manufacturers still see security as an afterthought. Their thinking goes along the lines of nobody bothered to perform large-scale attacks on us
so far, so why should they do so now ?

Mobile Malware – the New Cyber Threat
by Julian Evans
Mobile phone malware first appeared in June 2004 and it was called Cabir. The mobile-phone features at most risk are text messaging (using social engineering), contacts list, video and buffer overflows. GSM, GPS, Bluetooth, MMS and SMS will indeed be some of the attack vector to expect this year and beyond.

Mobile Web: Privacy Keeping and Exploitation Methods
by Mauro Gentle
Inevitably, most of the readers will think that the purpose of this article is to present arguments regarding vulnerabilities related to the protocols for Bluetooth, or even how to intercept telephone calls. In fact, this article takes an entirely different approach. The main objective is to highlight the opportunity to use our phone as a terminal to connect to the network and find possible vulnerabilities of Web applications by putting in place some mini attacks wherever we are.

Mobile Malware Analysis
by Cory Adams
With the emergence of the Android OS into the mobile market, nation state hackers and criminals alike are actively conducting attacks against the OS and its users for information gathering and financial gain. A high reward tool in an attacker’s arsenal is malicious software or malware, which allows information to be gathered and extracted from targeted mobile devices.

Analysis of Zitmo – Zeus in the Mobile
by Dhawal Desai
Over the time security space has seen a number of versions and variants of banking malware. With the increase in popularity and usage of smart phones, mobile attacks are becoming more frequent. Android platforms have been one of the most favorite targets of malware writers.

Android Security, Zitmo Malware
by Prashant Verma
We have computers and we also have viruses, worms and malwares. We have Smartphone and we have malwares there too. Oh yes! You read it right. The shift of the hacker community’s attention towards Smartphone has been alarming. They are increasingly being attracted towards the mobile platforms and the transactions happening through the mobile platforms. Today phones are not just the phones; they are mini computers in your hand. Your
Smartphone could do pretty much anything a computer can do.

Android Trojan Geinimi
by Dhawal Desai
This malware has been identified as another variant of the most popular Geinimi, which targeted a significant number of Android Phone users. The Trojan was originally used as a package namely “com.geinimi”, but over the period of time the variants took more advanced obfuscated form.

Does Your BlackBerry Smartphone has ears?
by Yury Chemerkin
The smartphone becomes the most popular gadget all over the world. Undoubtedly, compactness, convenience and PCs’ functional capabilities have been winning modern users’ hearts. People may think that Internet surfing is safer with their favorite smartphone than by PCs and that the privacy loss risk is minimized, however analytical statistics show the opposite. From this article we will find out why every BlackBerry is vulnerable to
multiple network attacks and how it is that address book provides a spam-attack vector. The author explains also how deceptions may mislead Blackberry users to compromise security and what makes the DMTF signalling a possible covert channel.

Tag, You’re Infected
by Tim Kulp
The internet is a dangerous place. We (as Information Security people) have known this for a while and general users are learning more and more about how malicious web sites can steal your information. As mobile computing enables unique interactions with technology, new security risks arise. With the growing use of QR (Quick Response) Codes our data is becoming available to a format that users do not usually equate with Information Security:
Print Media. QR Codes allow content providers, marketing gurus and cyber criminals to jump from a printed page to executing content on your mobile device. In this article we are going to examine how QR Codes can be used to realize threats facing our mobile devices by examining three attack vectors.

Smartphones, Security and Privacy
by Rebecca Wynn
All the threats that attack your enterprise computer centers and personal computer systems are quickly encompassing mobile devices. Smart phones are part of your Personal Area Network (PAN) and the user needs to remember that everything that is done on them, data saved in them, communications that touch them in anyway (voice, SMS, email) should be viewed as public and not private.

Pentesting on Android, Setting Up a Lab
by Thomas Cannon
The world of Android application security assessment is developing at a rapid pace. Perhaps due to the open nature of Android, the development of tools and techniques for analysing and validating security is very accessible. Even as this article was being written several new fantastic tools became available and it had to be updated.

Apple iOS Security
by Oliver Karow
This article will describe the security mechanisms available on iOS with its strength and weaknesses, and show how a company can adopt this mechanisms to keep up with the latest security threats, targeting mobile devices.

Lawful Interception on Mobile Telecom Service
by Ted Chao
For the past few years, IP network transformation is shaping into a new operation and management on telecommunication for lots of mobile and fixed net service providers in the world. Along with this trend, the technology of lawful interception by police, military intelligence and other law enforcement agencies is also being developed with great leaps and bounds thanks to IP network being extensively used in telecom service
providers.

When Developer’s API Simplify User-Mode Rootkits Developing
by Yury Chemerkin
This is a series of articles about shell extensions that enhance high-level features of any operation system. However, such possibilities not only enrich platform but simplify developing trojans, exploits that leads to the new security holes. Mostly this kind of extensions are known
as user-mode rootkits.

How te Develop in Android
by Duygu Kahmaran
Tutorial for rookies

Bluetooth Hacking Tools
by Dennis Browning
Logical Link Control and Adaptation Protocol (L2CAP): Provides the data interface between higher layer data protocols and applications, and the lower layers of the device; multiplexes multiple data streams; and adapts between different packet sizes.

A bit’s Life
by Tomasz Cedro, Marcin Armand Kuzia
Have you ever wondered what makes all these devices around you alive? I might have to give you a bit of bad news – this is not a black magic of any kind, neither any supernatural powers, not even the Jedi Force; it is just a simple set of interesting ideas, well described with a language called science and technology.