Category Archives: mobile

New Presentations on Mobile Security

I’ve just updated the list of presentations on mobile security:

Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security. SSL is hard for developers, mobile or not.
Hacking Femtocell, Immature Femtocells and Security challenges for Femtocell communication architecture
Don’t Trust Satellite Phone — an Analysis of the GMR‑1 and GMR‑2 Standards. Not even satellite phones are safe!
Introducing the Smartphone Pentesting Framework. Very useful, albeit basic, set of pentesting tools.
APK Infection on Android. Easy virii for Android install files.
NFC for Free Rides and Rooms. How to UltraReset the transit cards.
iOS 6 Security.
Android Forensic Deep Dive.
Probing Mobile Operator Networks. What would you find by network scanning the mobile telcos?
Binary Instrumentation Framework for Android. Binary instrumentation for NFC/RFID tag reading.
Bypassing the Android Permission Model
Evolution of iPhone Baseband and Unlocks
Into the Droid: Gaining Access to Android User Data
How many bricks does it take to crack a microcell?
iOS Kernel Heap Armageddon Revisited
Windows Phone 7 Internals and Exploitability
The Heavy Metal That Poisoned the Droid. Reduce the attack surface of Android applications.
Android Reverse Engineering Tools
Why Telcos Keep Getting Hacked. Interesting research on the history of telco security.

The Curious Case of the Diverging Browser’s Caches

Browser’s cache fulfill several aims, among others, to save network bandwidth and to diminish web pages loading time which, in turn, drop down the time costs of delays over user’s web loading. For example, suppose the typical user spends an average of 450 hours/year to surf the web at a rate of 120 pages/hour; an implied wage of 12€/hour; a fall in loading time due to the use of a cache of 1 second via desktop and 10 seconds via mobile; a caching success rate of 40%, then we easily estimate that the typical user can save between 72€/year(computer) and 720€/year(mobile) by just activating the browser’s cache.

Therefore, and given storage and bandwidth’s current costs, the implied break-even point on the use of the browser’s cache is always positive, even to store all the browsed pages that the user would ever visit for decades, a time longer than the average life of any device. This fact will still uphold true not by the exponentially decreasing costs for storage and bandwidth, but just because the labor costs are linearly increasing in time. But taking apart labor costs from the equation just consider the technological trends and taking into account that mobile bandwidth’s costs will always be several orders of magnitude higher than fiber and cable’s bandwidth, we would face the curious case that using the browser’s cache will soon stop making any sense in a computer but will still be profitable in a mobile, and that for the period of several decades and also taking into consideration the higher mobile storage costs. Note that this is just one of the many divergences that could appear in the future evolution of the various Internet browsing devices, and that will entail much greater instruction density per transmitted byte to correct them.

The key point of this and other analyses always rests under the relative differences in the price evolution between magnetic storage (Kryder’s law ‑2x every 13 months-), the circuit’s scale of integration (Moore’s law ‑2x every 18 months-) and bandwidth’s throughput (Nielsen’s law ‑2x every 21 months-), among others. And we should put greater emphasis in the last one, since being the one with the slower evolution will also make it to be the most limited resource and, therefore, the one that will end up dominating the final price of any computer system. And on the other hand, storage will be the most used resource to lessen the disadvantages and deficiencies brought by telecommunication’s slowest evolution, following Jevons’s paradox, which remind us that increases in the efficiency with which a resource is used tend to increase, rather than decrease, the rate of consumption of that resource.

On the subject of the expected evolution of telecommunications, it would always be necessary to take apart the trends of the different underlying technologies (fiber, cable and wireless). And although the most optimistic would certainly lean into Edholm’s law, that predicts that the throughput of the different technologies will end up converging as a result of the law of the decreasing marginal returns on the fastest ones and even when taking into consideration the parallel increases in throughput that they have been experiencing, it will be the Cooper’s law regarding the efficiency in the use of the electromagnetic spectrum (-2x every 30 months-), the one law that highlights the underlying idiosyncrasy of wireless since it exploits a natural resource with no possibility of being expanded: analyzing its increases in efficiency in the last 100 years, we find that improvements in coding methods only explain the 0,6% of its enhancement; the enlargement of the spectrum under utilization, a mere 1,5%; and the most efficient use of the spectrum by its better confinement, the resting 97,9%. Nevertheless, optical fiber is in hard contrast to any wireless technology (Butter’s law ‑2x every 9 months), and just another reason to expect that the differences between the software applications available on mobile devices and the non-mobile ones using optical fiber cannot but be heightened over the years, the raison d’être of the mobile software cambrian explosion.

The Price of [Mobile] Freedom (II)

Leave a reply

As a follow-up to my previous post about mobile subsidies, it’s important to note that new IFRS financial accounting rules affecting them are under discussion (IAS 18: Revenue in Relation to Bundled Sales), even though they are not expected to come by 2015. Traditionally, mobile revenue per month is recognised for the whole bundled mobile contract, the cost of the handset is expensed on the first day of the contract and the initial subsidised payment, if any, is reported; under the forthcoming accounting proposals, these subsidised contracts would be effectively unbundled and interests would be taken into consideration. That is, a receivable for the unsubsidised fair value of the terminal would be recognised on the first day and every monthly instalment per month would be proportionally split into two parts: a fraction to settle the terminal receivables with their corresponding income from interests, the handset being recognised at inception of the contract, and the rest will be booked as revenue for the services.

These changes will provide a much more faithful view of the real nature of the current mobile business model: handsets are just not marketing expenses but integral to the whole mobile experience, therefore their costs won’t be diffused with other charges and profits and revenue will stop being misstated. But on the other hand, the new approach is more imprudent and the treatment of the breach of mobile contracts will further introduce unnecessary complexity.

Books on Mobile Security

Leave a reply

All the recent news about the Android and iPhone smartphones storing geo-location data without the user’s knowledge and consent are just the tip the iceberg of the very long history of the clash between the growing functionality of mobile phones and the unawareness of the userbase, and a omen of what’s to come in the ever increasing privacy erosion created by the digital world. The applications to uncover the hidden features are freely available (iPhoneTracker, Location Cache) and it was their very own existence what propelled the public worry and interest.

Yet as Scott McNealy, CEO and co-founder of SUN, once said, “You have zero privacy anyway, get over it”: a truth best-known to computer scientist but hardly understood by the general public.

I’ve also been reading the very small list of books written on mobile security, and these are my recommendations:

[amazon_link id=“1439820163” target=“_blank” ]Mobile Device Security: A Comprehensive Guide to Securing Your Information in a Moving World[/amazon_link]. Very high level and non-technical overview of the new mobile paradigm for computing and communications, covering the threats, risks, scenarios, business cases, security models and policies of organizations. Technical readers will be highly disappointed.
[amazon_link id=“0071633561” target=“_blank” ]Mobile Application Security[/amazon_link]. Recent book covering all the topics required to master mobile application security, making it a very good compilation of all the data currently scattered all over the net. It covers all the mobile operating systems, even the disappearing ones (Windows Mobile, WebOS, Symbian, Java ME) and the specific mobile technologies (Bluetooth, SMS, geolocation). An expanded chapter on enterprise security on the mobile OS would be preferred.
[amazon_link id=“1597492981” target=“_blank” ]Mobile Malware Attacks and Defense[/amazon_link]. A wonderful technical and historical reference on mobile malware and other mobile threats, with an emphasis on forensic techniques applied to the different mobile platforms. It shines at its comprehensiveness, as it lists almost every technique, malware and software known as of its publishing date. The only shortcoming is that Android is not mentioned since the book is a bit dated.

Updated List on Smartphone Security

Leave a reply

I’ve just updated the list of the best technical presentations available on the net about smartphone security. Nowadays, smartphones are the weakest part of any corporate network and it’s quite fun having lots of flashbacks while watching the same attacks of the 90s working again and again on the new smartphones.

5 Tips for Better iPhone Development

Leave a reply

1. Manage memory properly, but resist the urge to use
  1
  retainCount
  
  , it’s a bad idea. Also, it’s better not use
  
  1
  autorelease.
2. Draw on the available toolset to improve the quality of the code: Instruments, to find the root cause of bugs; Shark, to improve performance; Clang Static Analyzer, to get the most detailed and comprehensive compiler warnings.
3. Try to anticipate every iOS update, because there will always be changes to be made.
4. Develop re-entrant code, because every method could be interrupted and the app could get any message in any state: it’s very important to remember this before coding every method. Read the open-sourced iPhone app code available on the net: the idioms and the patterns are very different from the Java/C++ paradigm.
5. Beware of using SQLite with flash memory I/O: it will block the GUI.

iPhone Decompilation & Obfuscation

Leave a reply

The tools to decompile iPhone apps are quite well-known:

Otx, an advanced disassembler based on otool
class_dump_z, an updated version of the old class-dump for the iPhoneOS, to extract Objective‑C class interfaces
Hex-Rays, the most advanced decompiler ever, also supports ARM binaries (based on Datarescue’s IDA Pro)

Unfortunately, there’s no easy way to obfuscate iPhone apps, even if the iPhone is 4 years old. The easiest approach would be to take advantage of the LLVM source-to-source feature to recompile the mobile apps to an intermediate high level-language and transform the source code using a specialized tool like TXL to modify the control flow before generating the final binaries. Delving into the LLVM route, it would be ideal for using more sophisticated obfuscation techniques to bring the superb DynInst into play, but it doesn’t support the ARM instruction set. As a final point, there is a commercial tool to obfuscate Objective‑C, Morpher, although there are not outside reviews about its value.

Presentations about Smartphone Security

Leave a reply

A list of the best presentations about smartphone security all over the net:

Smartphone In(Security). Android/iPhone multi-platform shellcode.
Post Exploitation Bliss: Meterpreter for iPhone. iPhone shellcode development.
The Smart-Phones Nightmare. iPhone shellcode development.
ARM Exploitation ROPMAP. ROP automation for ARM.
Antid0te 2.0 — ASLR in iOS. Perfecting the ASLR protection of iOS.
Overcoming iOS Data Protection to Re-enable iPhone Forensic. A summary on iOS protections.
Targeting the iOS kernel. Advanced security-related debugging techniques.
iOS 6 Security. New iOS security features.
Evolution of iPhone Baseband and Unlocks.
iOS Kernel Heap Armageddon Revisited.
Popping Shell on A(ndroid)RM Devices. Android shellcode development.
Beating up on Android. Android exploit recap and development.
Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security. SSL is hard for developers, mobile or not.
Hacking Android for fun & profit. In-depth view of the Android security system.
APK Infection on Android. Easy virii for Android install files.
Android Forensic Deep Dive.
Android Reverse Engineering Tools.
Bypassing the Android Permission Model.
Into the Droid: Gaining Access to Android User Data.
The Heavy Metal That Poisoned the Droid. Reduce the attack surface of Android applications.
Inside Apple’s MDM Black Box. Just an overview of Apple’s Mobile Device Management system.
These aren’t the permissions you’re looking for. Weak permissions on the Android file system and applications.
Exploiting Symbian. Symbian shellcode development.
iPhone Rootkit? There’s an App for That!. How to make iPhone rootkits from jailbreaks.
Secure Development in iOS. The point of view of a pentester.
Introducing the Smartphone Pentesting Framework. Very useful, albeit basic, set of pentesting tools.
This is not the droid you’re looking for. Android rootkit development.
iPhone Privacy. Handset data privacy and the SpyPhone app.
App Attack. Android/iPhone apps security analysis.
A Study of Android Application Security. Mass-scale Android app decompilation.
Reversing Android Apps. Good overview of tools for decompilation.
Windows Pwn 7 OEM – Owned Every Mobile? Always easy hacks on new OSes.
Windows Phone 7 Internals and Exploitability.
Detecting Mobile Phone Spy Tools. FlexiSpy and its spawn.
Mobile App Moolah: Profit taking with Mobile Malware. An overview of frequent malware.
Mobile Malware Madness and How to Cap the Mad Hatters. On behavioural detection of mobile malware.
Transparent Botnet Control for Smartphones over SMS. Basic Android botnet with SMS C&C.
Rise of the iBots: 0wning a telco network. Botnet architecture with SMS/P2P C&C.
Exploratory Android Surgery. Android Intent fuzzing and sniffing.
Blackbox Android. Breaking “Enterprise Class” Applications and Secure Containers.
Pwning a 4G Device for the Lulz. Multiple attack recombination.
Advanced Attacks Against PocketPC Phones. PocketPC MMS User Agent attack.
Analyzing Complex Systems: The Blackberry Case. General Blackberry security.
Smartphone Backdoors: An Analysis of Blackberry and Other Mobile Device Spyware. On the Blackberry TXSBBSpy backdoor.
Symbian Phone Security. General Symbian security.
Symbian Malware. Basics on Symbian malware.
Attacking NFC Mobile Phones. Simple DoS and authentication issues on S40 phones.
Hacking NFC and NDEF. Revisiting the previous slides.
NFC for Free Rides and Rooms. How to UltraReset the transit cards.
Binary Instrumentation Framework for Android. Binary instrumentation for NFC/RFID tag reading.
Intercepting GSM traffic. A5/1 cracking.
GSM — SRSLY?. More on A5/1 cracking and A5/3 cracking.
GPRS Intercept: Wardriving your country. Old attacks, not going fast.

Defending mobile phones. On the predictable padding of the GSM protocol.
Open source 4G radio. A WiMAX scanner in Matlab.
All Your Baseband Are Belong To Us. An exploration on remote baseband exploitation.
Vulnerabilities in Dual-mode/Wi-Fi phones. VoIP vulnerabilities.
Telecom Signaling Attacks on 3G and LTE networks. Advanced scanning in telco networks.
A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications. GPRS/EDGE connection hijacking via a rogue base station attack.
GPRS Intercept: Wardriving your country.
An OpenBTS GSM Replication Jail for Mobile Malware. DIY network cell.
Attacking 3G and 4G mobile telecommunications networks. An exploration on network scanning 3G/4G networks.
Attacking GRX. Attacking The GPRS Roaming eXchange.
Playing with the GSM RF interface. Random Access Channel bursts (RACH) flooding.
Base Jumping. GSM DoS (RACH, IMSI Flood, IMSI Detach).
SIM Toolkit Attack. SIM-playing made easy.
The blackbox in your phone. An easier overview on the functionalities of the SIM.
Machine-to-machine (M2M) security. Easy attacks on common setups.
Fuzzing your GSM phone using OpenBSC and scapy. GSM protocol introduction with some details on how to fuzz the GSM stack (no particular attack is discussed).
Extending Scapy by a GSM Air Interface. Advanced toolkit for GSM DoS.
Fuzzing the Phone in Your Phone. Discovering DoS attacks and remote exploits with fuzzed SMSs on iPhone/Android/WinMo.
The Carmen-San Diego Project. Tricks of the trade to geolocate any mobile phone.
Locating Mobile Phones using Signalling System #7. A different way to explain mobile phone geolocation.
Android geolocation using GSM network. How to extract geolocation information from an Android smartphone.
Attacking SMS. It’s No Longer Your BFF. Mail2SMS and IM2SMS abuses.
Hijacking Mobile Data Connections. WAP-provisioning spoofing to hijack mobile connections.
Attacking Mobile Phone Messaging. MMS spoofing, fingerprinting and various attacks.
Random tales from a mobile phone hacker. On the MSISDN disclosure in HTTP headers by web proxies and other curiosities.
A Million Little Tracking Devices. Zoombak in-depth analysis.
Mobile and Contactless Payment Security. Introduction to protocols, formats and attacks.
Probing Mobile Operator Networks. What would you find by network scanning the mobile telcos?
Why Telcos Keep Getting Hacked. Interesting research on the history of telco security.
Satellite Telephony Security. Introduction to protocols and call interception.
Don’t Trust Satellite Phone — an Analysis of the GMR‑1 and GMR‑2 Standards. Not even satellite phones are safe!
Intelligent Bluetooth Fuzzing. The ignored but omnipresent protocol.
Femtocells: a Poisonous Needle in the Operator’s Hay Stack. Interceptions, injections and invading the operator network. Also Hacking Femtocell, Immature Femtocells and Security challenges for Femtocell communication architecture from the same author.
How many bricks does it take to crack a microcell?

Note: this post will be expanded in the future.

Samsung: Advantages from Vertical Integration

Leave a reply

The mobile industry is not like the PC industry, populated by manufacturers that are just component assemblers of the various parts (memory, CPU, HD, …). In the mobile industry, the more vertical integrated mobile manufacturer is Samsung, a market leader in displays, memory and CPUs for mobile phones that also sells its quality components to other OEMs and ODMs (Apple To Buy Components Worth $7.8 Bln From Samsung Electronics This Year).

As shown in the graph above of a typical bill of materials of a mobile phone, those parts are the costlier and more important of a mobile phone: from this point of view, Samsung looks like a vertical mainframe manufacturer from the 60–70s, but with much of its software developed by an external provider (Android). So not only they have an obvious cost advantage on the low end of the smartphone market, they are also the leaders managing component droughts and bullwhip effects, which are very profit destroying in the mobile industry. Finally, note that the first reason Nokia has decided to go the Microsoft’s route is to differentiate enough from Samsung’s Android offerings, the second biggest mobile manufacturer after Nokia.

Best Android Apps for Development

Leave a reply

DynJava. Java dynamic scripting interpreter engine. Gives you runtime access to all protected and private methods and fields of all running applications, and executes arbitrary Java code with all permissions.
AndroidShell. You can invoke any Android APIs from PC and see the execution result immediately.
aLogCat. View color-coded, scrolling (tailed) Android device (logcat) logs directly from your phone. No USB, adb, or emailing necessary.
adbWireless. adbWireless enable ADB wireless connection to connect to the phone as if connected by USB.
Titanium Backup. Backup, restore, freeze your apps + data + Market links, even protected apps.
Android Scripting Environment. Scripting Layer for Android (SL4A) brings scripting languages to Android by allowing you to edit and execute scripts and interactive interpreters directly on the Android device. These scripts have access to many of the APIs available to full-fledged Android applications, but with a greatly simplified interface that makes it easy to get things done.
touchqode. View and edit source code on Android phone. Touchqode is a true mobile code editor that comes with syntax highlighting, autocomplete and other features found in a desktop IDE. We support Java, HTML, JavaScript, Python, C++, C#, Ruby and PHP.
aGrep. aGrep is a open-source text search program like a “grep”.

Hertz, No Moore

Leave a reply

More than half of all computers aren’t computers anymore. Smartphone shipments surpass PCs. The transition is done. But in this new era of mobile personal computing, the limiting factor is not the CPU, it’s the spectral efficiency of the whole mobile environment, experienced as the user goodput. At least 1MBit/s is needed to get an optimal browsing experience on a mobile phone.

As in Moore’s law, the growth is exponential, but with a rather less pronounced slope. And underlying both, economic models that serve as a self-fulfilling prophecy and a barrier of what technology could achieve in the future: the costly deployments of mobile networks, financed by debt, parallel those of semiconductor chip fabrication plants that Rock’s law models as constraints to transistor integration limits.