The U.S. National Security Agency (NSA) released the specifications for a new, super-secure smartphone for use by government officials and based on Google’s widely-used Android operating system, inviting the public to make use of its research.
Browsing Category: Mobile Security
SAN FRANCISCO – Companies that are hoping to catch a ride on the mobile wave should pay close attention to the application development firms they choose to work with, unless they want to be saddled with a buggy and insecure albatross bearing their corporate logo, a leading application security expert warns.
Right on cue this week, the anarchic hacking collective Anonymous stepped up and grabbed the story line away from the lions of the IT security industry.With the annual RSA Conference set to begin, the whistle blowing site Wikileaks released the first of some five million e-mail messages stolen from the security intelligence firm Stratfor. Ever sensitive to the fickle attention of the media, Anonymous inserted itself into the story, claiming responsibility for leaking the data and pointing a finger of blame at Stratfor and its media, private and public sector customers, which Anonymous accuses of spying and other dark offenses.
This has turned out to be an interesting week for privacy. Just a few days after the White House laid out is privacy agenda, the California attorney general has announced an agreement with several major mobile platform providers, including Apple and Google, that will have the companies provide privacy statements for apps before users download them.
Apple has pushed back the deadline for developers to include a sandbox in all of the apps on the Mac App Store, giving them a reprieve until June 1. The deadline was set for March 1, but Apple has changed it in order to give developers more time to work with the new requirements.
Context is a funny thing. In most segments of society, Apple is seen as an exemplary company, with an unrivaled record of innovation, much-admired ad campaigns and a stock price that is the envy of every company not named Google. But in the security community, Apple is regarded with some combination of disbelief, confusion and the disdain that once was reserved for Microsoft.
When I first saw the release notes for the new Android Ice Cream Sandwich (ICS) platform, I was excited to see that Google mentioned that “Android 4.0 now provides address space layout randomization”. For the uninitiated, ASLR randomizes where various areas of memory (eg. stack, heap, libs, etc) are mapped in the address space of a process. Combined with complementary mitigation techniques such as non-executable memory protection (NX, XN, DEP, W^X, whatever you want to call it), ASLR makes the exploitation of traditional memory corruption vulnerabilities probabilistically difficult.
New research has found information leaked by cell towers can be used to determine your cell phone’s general location.
It’s gotten to the point now where it’s almost easier to talk about the mobile apps and services that don’t ship your personal data off to some remote server for purposes unknown rather than discussing the ones that do. The latest discussion of privacy invading apps flowed from the discovery that Twitter and some other iPhone apps were uploading users’ contact lists without their knowledge. Now, a researcher at Veracode has written a small app that allows users to figure out exactly which iOS apps are doing what with their personal data.
Avi Rubin is the technical director of the Information Security Institute at Johns Hopkins University, and in this talk from the TEDxMidAtlantic conference in November he discusses the history of hacks on various devices, including implanted medical devices, cars and virtually anything else with a computer chip.