Submit a link Features Reviews Podcasts Video Forums More ▾

Scrutinizing mobile apps: privacy violations, bloat, and poor security

Troy Hunt installed the HTTP proxy Fiddler on his network and used it to examine the way that iPhone apps performed. What he discovered was a series of shockingly poor implementation decisions that massively bloat the bandwidth needed to load and use apps (important for users whose mobile phone plans contain strict bandwidth caps); poor password security (important for mobile users who roam to untrusted WiFi networks); and aggressive, over-the-top surveillance of your activities by apps that harvest every click, as well as your location, and send them to third parties.

I doubt that these issues are unique to iOS devices. Rather, they represent facts in evidence about the limits of software "curation" to guarantee robust, safe, secure software. It's vanishingly unlikely that any app store with hundreds of thousands (or millions) of apps will be able to subject them to the kind of scrutiny that Hunt engages in here. Combine that with the opacity of the platform, which makes it hard for independent auditors (and users!) to discover what their mobile devices are doing and how they're doing it, and you've got a recipe for a mobile ecosystem that subjects users to high bandwidth fees, invasions of privacy, and compromise of their passwords.

Expert curation of code is a good step towards secure mobile computing, but it's insufficient to keep users safe. Unless platforms are designed with the objective of allowing scrutiny of their inner workings -- something that is at odds with business-models that rely upon establishing exclusive rights to approve and distribute software for a platform -- then they should be assumed to be running apps that are riddled with these sorts of defects.

Suddenly monetisation with powerful data starts to make more sense.

But this is no different to a tracking cookie on a website, right? Well, yes and no. Firstly, tracking cookies can be disabled. If you don’t like ‘em, turn ‘em off. Not so the iOS app as everything is hidden under the covers. Actually, it’s in much the same way as a classic app that gets installed on any OS although in the desktop world, we’ve become accustomed to being asked if we’re happy to share our activities “for product improvement purposes”.

These privacy issues simply come down to this: what does the user expect? Do they expect to be tracked when browsing a cook book installed on their local device? And do they expect this activity to be cross-referenceable with the use of other apparently unrelated apps? I highly doubt it, and therein lays the problem.

Accelerometer-based keylogger in your phone guesses your PC keyboard typing from your body's motions

A Georgia Tech team has built a working app for latest-generation mobile phones that uses the built-in accelerometer to guess which words you're typing on your PC's keyboard, by measuring the movements of your body as you type.

The technique works through probability and by detecting pairs of keystrokes, rather than individual keys (which still is too difficult to accomplish reliably, Traynor said). It models “keyboard events” in pairs, then determines whether the pair of keys pressed is on the left versus right side of the keyboard, and whether they are close together or far apart. After the system has determined these characteristics for each pair of keys depressed, it compares the results against a preloaded dictionary, each word of which has been broken down along similar measurements (i.e., are the letters left/right, near/far on a standard QWERTY keyboard). Finally, the technique only works reliably on words of three or more letters.

For example, take the word “canoe,” which when typed breaks down into four keystroke pairs: “C-A, A-N, N-O and O-E.” Those pairs then translate into the detection system’s code as follows: Left-Left-Near, Left-Right-Far, Right-Right-Far and Right-Left-Far, or LLN-LRF-RRF-RLF. This code is then compared to the preloaded dictionary and yields “canoe” as the statistically probable typed word. Working with dictionaries comprising about 58,000 words, the system reached word-recovery rates as high as 80 percent.

(via /.)

(Image: Keyboard, a Creative Commons Attribution Share-Alike (2.0) image from bull3t's photostream)

Intel's "Tomorrow Project" -- public conversations about the future of technology

Forbes has a good article on Intel's "Tomorrow Project," wherein Intel Chief Futurist Brian David Johnson gets science fiction writers and technologists to produce materials about the future of technology as part of the company's future product development plans. I've contributed a short story, Knights of the Rainbow Table (about the moment when human-memorizable passwords become trivially computer-guessable), to the accompanying Tomorrow Project Anthology, which launches at NY Comic-Con today.

“It sounds science-fictiony,” he laughs. “But it’s ultimately pragmatic. Chip designs have lead times of 5-10 years, so it’s important to have an understanding of how people will want to to interact with computers. I’m literally working on chips for 2020 right now.”

I obviously couldn’t let it lie there. What do you take into account when planning the future? The answer is both intriguing and quite unlike most futurists I know. Johnson’s first stop is the social sciences. He works with Dr. Genevieve Bell, a cultural anthropologist who has been at Intel since 1998. Their teams work with ethnographers, social scientists, and others to understand the current state of the culture and try to figure out where it’s going.

The next step is then looking at the hardware. Johnson and his team work with computer scientists to look at the current state of the art in hardware, software, and algorithms, as well as the research coming up. The tech data is meshed with the social sciences data to answer a simple question: how can we apply this technology to capture people’s imaginations and make their lives better?

Why handmade keys?

Jimmy DiResta from Discovery's "Dirty Money" explains how and why he mods the keys he uses from day to day, making them into artworks:

Maker Jimmy DiResta shares his modded keys at World Maker Faire NYC. His collection of handmade keys are a combination of his problem solving skills and creativity. They are a great example of making art from everyday items without sacrificing functionality. Jimmy is a designer and fabricator who can make just about anything, from just about anything. He’s a woodworker, he sculpts in resin, he welds, and builds with plastics. His hammer and ax skull and crossbone belt buckle started as one of his wooden carvings before he cast it in metal. On a recent tour of his shop, I found the sewing machine he uses to add leather fronts to his pants next to the high-end wooden display he was building for a pop-up gallery.

Facebook's misleading "log out" button and the future of privacy legislation

The Electronic Frontier Foundation's Activism Director Rainey Reitman has an in-depth analysis of how Facebook continues to track its users even after they've taken several affirmative steps to log out of the service, and how this may interact with eventual privacy legislation.

This newest privacy snafu could prod legislators into moving on one of the many online privacy bills that have been introduced this year. Users’ unease with the quickly-evolving technical capabilities of companies to track users, combined with the abstruse ways in which that data can be collected (from social widgets to super cookies to fingerprinting), has resulted in a growing user demand to have Congress provide legal safeguards for individual privacy when using the Internet.

Unsurprisingly, Facebook hopes that its brand of data collection through ‘like’ buttons won’t be subject to federal regulation. According to AdAge, Facebook sent an “army of lawyers” to Washington to convince Senators McCain and Kerry to carve out exceptions to their recently introduced privacy bill so that Facebook could track their users via social widgets on other sites (dubbed the "Facebook loophole"). But while Kerry and McCain may have acquiesced to Facebook's requests, Senator Rockefeller did not. He introduced legislation that would empower the FTC to create rules around how best to protect users online from pervasive online tracking by third parties.

Facebook seems keen to influence future legislation on these issues. They recently filed paperwork to form a political action committee that will be "supporting candidates who share our goals of promoting the value of innovation to our economy while giving people the power to share and make the world more open and connected."

How online crooks use "work from home" patsies to launder goods and forward them offshore

Brian Krebs continues his excellent investigative series on the inner workings of online ripoffs, today with a deep look at underground freight-forwarders, so-called "Drops for stuff." These services use patsies recruited on Craigslist through a "work at home" scam to receive goods bought with stolen credit card numbers and forward them on to crooks.

A typical drop will receive and reship between two and four packages per day. The packages arrive with prepaid shipping labels that are paid for with stolen credit card numbers, or with hijacked online accounts at FedEx and the US Postal Service. Drops are responsible for inspecting and verifying the contents of shipments, attaching the correct shipping label to each package, and sending them off via the appropriate shipping company.

One drops operation,, allows “clients” to “rent” drops who have signed up for reshipping jobs. “Managers,” those who facilitate drop recruitment scams, can earn money by purchasing merchandise that the reshipping operation can quickly resell. Most reshipping operations seek consumer electronics that can be easily sold for cash, including laptop computers, cameras, smart phones and parts for sports cars. pays managers and clients 30 percent of the value of laptops from ACER, HP, Toshiba, Dell, Compaq and Samsung, for example, and more than 40 percent of the retail price for Apple, Sony, VAIO, Canon and Nikon products.

HOWTO write more secure free/open source software

Having recently conducted a security audit of several free/open source software programs for the Electronic Frontier Foundation, Chris Palmer and Dan Auerbach have published some guidelines for improving security in free/open software:

Avoid giving the user options that could compromise security, in the form of modes, dialogs, preferences, or tweaks of any sort. As security expert Ian Grigg puts it, there is “only one Mode, and it is Secure.” Ask yourself if that checkbox to toggle secure connections is really necessary? When would a user really want to weaken security? To the extent you must allow such user preferences, make sure that the default is always secure.

Chaos Computer Club cracks Germany's illegal government malware, a trojan that spies on your PC and lets anyone off the street hijack it

Germany's Chaos Computer Club published the sourcecode for a piece of malware used by the German government to spy on citizens. The software was discovered in the wild and reverse engineered. It can be used to spy on or control remote PCs. Because of flaws in the software, anyone who was infected with this by German police was vulnerable to spying by "anyone on the street." The German supreme court banned the use of trojans to spy on German citizens in 2008.

The analysis also revealed serious security holes that the trojan is tearing into infected systems. The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted. Neither the commands to the trojan nor its replies are authenticated or have their integrity protected. Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data. It is even conceivable that the law enforcement agencies's IT infrastructure could be attacked through this channel. The CCC has not yet performed a penetration test on the server side of the trojan infrastructure.

"We were surprised and shocked by the lack of even elementary security in the code. Any attacker could assume control of a computer infiltrated by the German law enforcement authorities", commented a speaker of the CCC. "The security level this trojan leaves the infected systems in is comparable to it setting all passwords to '1234'".

To avoid revealing the location of the command and control server, all data is redirected through a rented dedicated server in a data center in the USA. The control of this malware is only partially within the borders of its jurisdiction. The instrument could therefore violate the fundamental principle of national sovereignty. Considering the incompetent encryption and the missing digital signatures on the command channel, this poses an unacceptable and incalculable risk. It also poses the question how a citizen is supposed to get their right of legal redress in the case the wiretapping data get lost outside Germany, or the command channel is misused.

Unicode's "right-to-left" override obfuscates malware's filenames

Unicode has a special character, U+202e, that tells computers to display the text that follows it in right-to-left order; this facility is used to write text in Arabic, Hebrew, and other right-to-left scripts. However, this can (and is) also used by malware creeps to disguise the names of the files they attach to their phishing emails. For example, the file "CORP_INVOICE_08.14.2011_Pr.phylexe.doc" is actually "CORP_INVOICE_08.14.2011_Pr.phyldoc.exe" (an executable file!) with a U+202e placed just before "doc."

This is apparently an old attack, but I've never seen it, and it's a really interesting example of the unintended consequences that arise when small, reasonable changes are introduced into complex systems like type-display technology.

Some email applications and services that block executable files from being included in messages also block .exe programs that are obfuscated with this technique, albeit occasionally with interesting results. I copied the program that powers the Windows command prompt (cmd.exe) and successfully renamed it so that it appears as “evilexe.doc” in Windows. When I tried to attach the file to an outgoing Gmail message, Google sent me the usual warning that it doesn’t allow executable files, but the warning message itself was backwards:

“evil ‮”cod.exe is an executable file. For security reasons, Gmail does not allow you to send “this type of file.

Unfortunately, many mail applications don’t or can’t reliably scan archived and zipped documents, and according to Commtouch and others, the malicious files manipulated in this way are indeed being spammed out within zip archives.

(via Command Line)

Technique for fighting submission-form spam

Ned Batchelder sums up a series of technique to keep spammers from attacking submission forms with automated bots (it won't work against humans, but even cheap humans are more expensive than bots). Some of these techniques look like they'll continue to work even if they're widely known, while others depend merely on exploiting vulnerabilities in spammer techniques that will be refined as soon as the exploits are widespread.

We get titanic amounts of spam to the anonymous Boing Boing submission form, and most of it gets stopped using variations on these techniques. One interesting thing about our submission spam is how indiscriminate it is: various scumbags have gone to some lengths to figure out how to send spam to a form whose output is emailed to four people, and who will never, ever accidentally post their submission to this blog -- indeed, I just bulk-delete the stuff that makes it through the filter without even opening it -- our spammers are indiscriminate enough to use spammy subject lines, which means, I suppose, that they think they're going to end up someone a human being won't see them but a search-engine might.

The comment form has four key components: timestamp, spinner, field names, and honeypots.

The timestamp is simply the number of seconds since some fixed point in time. For example, the PHP function time() follows the Unix convention of returning seconds since 1/1/1970.

The spinner is a hidden field used for a few things: it hashes together a number of values that prevent tampering and replays, and is used to obscure field names. The spinner is an MD5 hash of:

The timestamp,
The client's IP address,
The entry id of the blog entry being commented on, and
A secret.

The field names on the form are all randomized. They are hashes of the real field name, the spinner, and a secret. The spinner gets a fixed field name, but all other fields on the form, including the submission buttons, use hashed field names.

Honeypot fields are invisible fields on the form. Invisible is different than hidden. Hidden is a type of field that is not displayed for editing. Bots understand hidden fields, because hidden fields often carry identifying information that has to be returned intact. Invisible fields are ordinary editable fields that have been made invisible in the browser.

(via O'Reilly Radar)

HOWTO erase about 15 drives

A Slashdot user posed a question: how to conclusively destroy 15-some hard-drives without spending big bucks on a degausser or wasting a lot of time waiting for DBAN to run. I like this response from Plover (who also recommends protective gear):

If you're looking for fast production-line destruction, take a three pound hammer and punch. A punch driven through the aluminum plate covering the platter section, midway between the center spindle and the edge of the drive, down to the bottom of the case through the platters, will effectively destroy the disks. It will cheaply render the data unreadable to anyone who doesn't want to invest ten thousand dollars investigating the remains of the disks. You can crank through many disks per hour. A 3/8" bit in an electric drill would be similarly effective, and less labor intensive than a hammer, but slower...

But with 15 drives, it's just not that big of a job. Why make a big mess? Disassemble them. It takes about 10 minutes per drive, and it's both educational and fun. You can probably do it watching TV on the couch.

A miniature Torx driver set (T6-T9, available from Sears), a flat bladed screwdriver, a #2 Philips screwdriver, and a pocket knife is all I need to take most drives apart down to their components. Recover the voice coil driver magnets, they're always useful. Remove the circuit boards and recycle them as they were probably soldered with lead. Remove the platters from the spindles. To truly be rid of the data, you'll have to basically destroy the platters in a very hot fire. Heating them past their Curie point will completely destroy the data, leaving them totally unrecoverable; but that may require heat as high as 1500 degrees F. You won't get that on a stovetop.

(Image: Hard Drive 016, a Creative Commons Attribution (2.0) image from jon_a_ross's photostream)

747s as flying Unix hosts: SCADA in the sky

From Craig S Wright, vice president of Global Institute for Cybersecurity + Research, a look at the use of SCADA systems that are connected to the Internet. You probably remember SCADA from the starring role it played in the Stuxnet worm.

For those who do not know, 747's are big flying Unix hosts. At the time, the engine management system on this particular airline was Solaris based. The patching was well behind and they used telnet as SSH broke the menus and the budget did not extend to fixing this. The engineers could actually access the engine management system of a 747 in route. If issues are noted, they can re-tune the engine in air.

The issue here is that all that separated the engine control systems and the open network was NAT based filters. There were (and as far as I know this is true today), no extrusion controls. They filter incoming traffic, but all outgoing traffic is allowed. For those who engage in Pen Testing and know what a shoveled shell is... I need not say more.

(Thanks, Ashkan!)

(Image: 747, a Creative Commons Attribution (2.0) image from dannyboymalinga's photostream)

Should we worry about cyberwar?

Pithiness from Bruce Schneier: "I'm not worried about cyberwar, but I am worried about the proliferation of cyber weapons. Arms races are fundamentally destabilizing, especially when their development can be so easily hidden. I worry about cyberweapons being triggered by accident, cyberweapons getting into the wrong hands and being triggered on purpose, and the inability to reliability trace a cyberweapon leading to increased distrust. Plus, arms races are expensive." Cory

Social media expert's "fired ghostwriter" takes over Twitter account

The Twitter account of Mark Davidson, a self-described social media professional, has apparently been taken over by someone claiming to be an ex-employee who had been paid to ghostwrite Davidson's tweet-feed. Actually, the hijacker claims to have been part of a staff of three such ghostwriters, and makes further damning accusations about Mr Davidson's social media competence.
Unfortunately using ghostwriters on Twitter isn’t anything new or particularly unusual – even some of Twitter’s biggest names have done it – but that doesn’t mean it’s a good idea. At best it’s lazy and duplicitous, and hardly puts the ‘social’ in ‘social media’, and at worst it all goes pear-shaped like this.
Social Media ‘Professional’ Fires Twitter Ghostwriter, Forgets To Change Password, Hilarity Ensues

Cloaklet: zero-knowledge private messaging and file-transfer system

Cloaklet is a service that provides end-to-end private IM, email and file-transfer. The system uses three physically and logically separate systems, each of which has limited knowledge of what the other is doing, theoretically creating a system where there is zero knowledge -- that is, where the service operator can't say who is talking to whom, what they're saying, which files they're storing, and so on.

No one has independently audited Cloaklet's design and implementation (though the company has posted its source-code), but on its face it sounds like it should be a secure and trustworthy site -- that is, a site that you can trust even if its operators turn rogue or if its security is compromised or if its servers are confiscated by government, which is better than its competition, whose designs don't seem to encompass these objectives.

Cloaklet (Thanks, Mark!)