iPhone 5 fingerprint reader/Touch ID articles

A few articles (many quoting colleagues) with information on the new iPhone 5 fingerprint reader (a.k.a. Apple Touch ID):

Ars Technica – TouchID hacking commentary (summary: it’s not easy)

CNN – How iPhone 5S makes your finger into a password

ABC News – Does the iPhone 5S Fingerprint Sensor Make it More Secure?

Ars Technica – Fingerprints as passwords: New iPhone Touch ID gets mixed security verdict

Mac News World – New iPhone Could Kick Biometrics Into High Gear

International Business Times – LG Nexus 4 vs. iPhone 5S, 5C: 3 Absolute Reasons Why Nexus 4 is More Practical than Next-Gen iPhones

Silicon Angle – iPhone 5s Fingerprint Sensor Replaces Home Button : Fast Unlock + iTunes Purchases

ComputerWorld – Why Apple will disappoint businesses with iPhone 5S fingerprint scanner

1250 WTMA Talk – Does iPhone 5S Fingerprint Sensor Make It More Secure?

Mobile malware samples

From author Neil Bergman:

This is the best site that I’ve come across for mobile malware samples.

http://contagiominidump.blogspot.com (mobile malware dump / download all)

But, there tends to be a dearth of iOS malware in the world.

http://contagiominidump.blogspot.com/search/label/iphone

 

A team of researchers from Georgia Tech has demonstrated how hackers can slip a malicious app by Apple’s reviewers so that it’s published to the App Store and ready for unsuspecting victims to download.

Led by Tielei Wang, a research scientist at Georgia Tech’s school of computer science, the team created a “Jekyll” app — named for the Robert Louis Stevenson novella, Strange Case of Dr. Jekyll and Mr. Hyde — that posed as a benign news reader. Hidden inside the app, however, were code fragments, dubbed “gadgets,” that self-assembled to create a proof-of-concept exploit only after the app was approved by Apple.

The assembled attack code was able to send tweets, email and texts without the user’s knowledge, and could steal the iPhone’s unique device ID, turn on the camera and take video, forward voice calls to other phones and connect with local Bluetooth devices. Because the reconfigured app also “phoned home” to a server operated by the researchers, they were able to download additional malware and compromise other apps on the smartphone, including the Safari browser.

See http://www.computerworld.com/s/article/9241742/ for full details.

http://mobilehackingexposed.com/591/

Installing custom cert into android emulator system cert store

A quick Android security testing tip from our colleagues John Kozyrakis and Doug Logan…

Up to Android 2.3, adding trusted CA certs to the keystore required either a rooted phone and manual editing of the Java keystore, or an OTA update.

After 2.3, Android added a GUI for this in the Settings app, making it possible for non-rooted phones to install new certs.

Some other options for easily inserting a new trusted system cert into the Android emulator:

1) mount an sdcard on the emulator. Just use ‘mksdcard 50M <file>’ to create the image and start the emulator with ‘-sdcard <file>’ [or hardcode it in its config file].

2) upload the cert somewhere, browse to it, download, install. http://www.realmb.com/droidCert/

3) use a third party app like otertool

Android 4.3 new security features

Android 4.3 was released today. Here’s a list of security-related changes or new features and some comments, provided by our colleague, John Kozyrakis:

– /system is now mounted as nosuid. Not sure how this makes things more secure since there are no setuid binaries in /system by default afaik

– New system to revoke individual permissions from applications. Seems to gather a list of used permissions at runtime. That list could be useful in testing. http://www.androidpolice.com/2013/07/25/app-ops-android-4-3s-hidden-app-permission-manager-control-permissions-for-individual-apps/

– SELinux mandatory access control system

– KeyChain is now hardware-backed (if appropriate hardware exists). It uses a hardware root of trust (Secure Element/TrustZone/TPM) to encrypt keys, so keychain data would be unusable outside the phone

– There’s now a Keystore Provider API that creates and stores app-private keys for use by applications.

– Multi-user is more polished

– ‘restricted profiles’ can be created on tablets – this is basically customised guest accounts with access to specific installed apps

– Capability bounding using prctl(PR_CAPBSET_DROP) to drop sensitive capabilities from apps – should research which ones are dropped

– Apps use prctl(PR_SET_NO_NEW_PRIVS) to block addition of new privileges after application start

– More FORTIFY_SOURCE enhancements

– A number of other undisclosed security fixes

 

https://developer.android.com/about/versions/jelly-bean.html#android-43

http://developer.android.com/about/versions/android-4.3.html

http://developer.android.com/sdk/api_diff/18/changes.html

http://source.android.com/devices/tech/security/enhancements43.html
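
The capability-bounding and no_new_privs items in the list above can be read back from inside any Linux or Android process, which is one way to check which capabilities are actually dropped on a given build. This is an added example, not code from the original post or from Android; the function names are this example's own and CAP_SYS_MODULE is an arbitrary sample capability chosen here.

```c
/* Added example: read back the capability bounding set and no_new_privs. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/capability.h>   /* CAP_SYS_MODULE */

/* Bitmask of capabilities still in the bounding set. *count (optional)
 * receives how many capabilities the running kernel defines. */
uint64_t bounding_set_mask(int *count)
{
    uint64_t mask = 0;
    int cap;
    for (cap = 0; cap < 64; cap++) {
        int r = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
        if (r < 0) break;               /* EINVAL: past the last capability */
        if (r == 1) mask |= (uint64_t)1 << cap;
    }
    if (count) *count = cap;
    return mask;
}

/* Remove one capability from the bounding set; 0 on success, -errno on
 * failure (-EPERM when the caller does not hold CAP_SETPCAP). */
int drop_bounding_cap(int cap)
{
    return prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == 0 ? 0 : -errno;
}

/* One-way switch: execve() can no longer grant privileges (setuid, file caps). */
int set_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 ? 0 : -errno;
}

int get_no_new_privs(void) { return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0); }

int main(void)
{
    int n = 0;
    uint64_t before = bounding_set_mask(&n);
    int rc = drop_bounding_cap(CAP_SYS_MODULE);   /* sample capability, chosen here */
    printf("%d caps known; bounding set %#llx -> %#llx (drop rc=%d)\n", n,
           (unsigned long long)before, (unsigned long long)bounding_set_mask(NULL), rc);
    rc = set_no_new_privs();
    printf("no_new_privs: set rc=%d, now %d\n", rc, get_no_new_privs());
    return 0;
}
```

Run from the context you want to inspect (for example a shell on the device), the first mask printed shows which capabilities that context inherited in its bounding set; a cleared bit is a capability the process and its children can never regain.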

Online Resources and Tools

Mobile security is a rapidly changing discipline, and we recognize that the printed word is often not the most adequate medium to keep current with all of the new happenings in this vibrant area of research.

Thus, we have created a website that tracks new information relevant to topics discussed in this book, along with errata and a compilation of the public-domain tools, scripts, and techniques we have covered throughout the book. That site address is

It also provides a forum to talk directly with the authors. We hope you return to the site frequently as you read through these chapters to view any updated materials, gain easy access to the tools that we mentioned, and otherwise keep up with the ever-changing face of mobile security. Otherwise, you never know what new developments may jeopardize your mobile devices before you can defend yourself against them.

A Final Word to Our Readers

We’ve poured our hearts, minds, and combined experience into this book, and we sincerely hope that all of our effort translates to tremendous time savings for those of you responsible for securing mobile infrastructure and applications. We think you’ve made a courageous and forward-thinking decision to stake your claim on the new mobile frontier—but, as you will discover in these pages, your work only begins the moment the app goes live. Don’t panic—start turning the pages and take great solace that when the next big mobile security calamity hits the front page, you won’t even bat an eye.