Author Archive

Enigma Simulator: Live Demo & Lessons Learned

Posted by Craig H on 3 April 2012

I was privileged to present our Enigma simulator app at the Mobile Monday London Demo Night last night; it was pretty nerve-racking, doing a live demo in front of a vocal crowd of 200 knowledgable people with a strict time limit of 3 minutes, but happily the response was enthusiastic and positive!

Apart from giving everyone a quick lesson in how to use an Enigma machine, the main aim was to share the progress so far of our experiment, using in-app advertising and in-app billing for charity fund-raising. This chart shows the numbers of downloads in the few weeks following the app’s release on Google Play (green line) and the revenue breakdown between adverts (dark blue) and donations (light blue):

Read the rest of this entry »

Posted in Applications, Enigma | Leave a Comment »

Our First App Published: Enigma Simulator

Posted by Craig H on 4 February 2012

This started when I was asked to do some prototyping work on Android by a client last November; I hadn’t done any programming on Android before, but I was familiar with Java from my time working on Enhydra Enterprise at Lutris Technologies. When I joined Lutris in 2000 I was new to Java (after 15 or so years working with C on UNIX™) so I wrote an Enigma simulator in Java as a learning project (it was related to security, a good way of getting to grips with object orientation, and fun!) I hadn’t used the code in over 10 years since, but I dusted it off and got it running on Android to get familiar with the new environment.

Having spent a couple of days on it, I had it running with a rudimentary UI and was familiar enough with the Android SDK to put the Enigma project aside and concentrate on the paid work, but I did still wonder if something useful could be done with the code. Back when I first wrote the logic of the simulator, there was a real Enigma machine out on a table at Bletchley Park that you could physically use and experience what the real operators in World War II had to do. These days, with auction prices of the machines topping $200,000, they’re all locked away behind glass. Given the touch UI of Android, it occurred to me that a good enough simulation could be a useful educational tool, perhaps put alongside museum displays on a tablet computer to give people something of the real feel of the machine.

Read the rest of this entry »

Posted in Applications, Enigma, Payment | Tagged: enigma simulator, world war ii | 10 Comments »

Smartphone Apps, Cryptography and Export Controls

Posted by Craig H on 15 January 2012

You can’t work in software product security for as long as I have and not learn something about export controls, like it or not! Historically, many governments regarded encryption as military technology and defined and controlled it as such in their regulations. These days, pretty much anyone who uses the Internet or a mobile phone (and that’s more than 2/3 of the world’s entire population) uses encryption every day, for shopping on the web, logging in to social networks, or simply to call their friends. Nevertheless, export control regulations for encryption are still on the statute books of most countries around the world, and could still be enforced. The UK records of export control prosecutions and fines don’t include any relating to encryption technology in recent years; I would be interested to know if there have been any elsewhere.

Although I have sat in many export control meetings with lawyers over the last twenty-some years, I have to point out that I am not a lawyer, and this is not legal advice. I just thought it might interest others if I share my thinking on the current regimes of export controls, as I’m now in the situation of needing to consider it (again) as we want to publish an Android app that contains cryptographic technology (a simulation of a World War II Enigma machine, more on this soon…)

The main things I’ve learned about export controls on cryptography are that common sense often doesn’t apply and nothing is ever simple.
Read the rest of this entry »

Posted in Applications, Cryptography, Enigma, Export Control | 1 Comment »

Mobile Malware Lies… Sorry, Statistics!

Posted by Craig H on 9 February 2011

McAfee put out a press release this week which has been picked up by many news outlets, leading with two statements that are factually correct but blatantly misleading:

“The number of pieces of new mobile malware in 2010 increased by 46 percent compared with 2009”
“Of the almost 55 million total pieces of malware McAfee Labs has identified, 36 percent was created in 2010”

That is clearly intended to make people think 46 is bigger than 36, so the bad guys must be concentrating more on mobile malware now, and that’s what most of the news outlets are reporting, but that conclusion is ABSOLUTELY WRONG.

You can either say that mobile malware increased by 46% and overall malware increased by 56% (36/64), or you can say that 32% (46/146) of total mobile malware was written in 2010 and 36% of total overall malware was written in 2010. Mixing the frames of reference is obvious misdirection, and that’s even before pointing out that total mobile malware, according to their own statistics, is less than 1000, whereas total non-mobile malware is nearly 55 million!

McAfee’s full report is here.

Posted in Malware | Leave a Comment »

Is the EFF Right to be Concerned About Mobile Security Patching?

Posted by Craig H on 22 January 2011

There was a thought-provoking post yesterday from Chris Palmer, Technology Director at the Electronic Frontier Foundation (EFF). He specifically calls out Google Android, for being an open source platform but not being open about security fixes. I agree this looks bad – I’ve been following a couple of threads on the Android Security Discussions group on this topic, waiting for an answer from Google staff, but none has been forthcoming.

I don’t really blame Google for not announcing the details of fixed security vulnerabilities though; the reasons are clear, and pointed out in the EFF post (inability to patch operator-customised ROMs). The Symbian Foundation faced the same dilemma, but didn’t recklessly say they were going to announce fixed security vulnerabilities in the first place! Google should at least be honest about their policy.

That said, I disagree with the EFF on two points: Read the rest of this entry »

Posted in Open Source, Vulnerabilities | Leave a Comment »

2011: Not the Year of Mobile Malware

Posted by Craig H on 30 December 2010

It’s nearly New Year, so it’s time for the usual “Next year will be the year of mobile malware” posts from companies trying to sell you PC-style anti-virus products. They’ve been saying this every year for 5 years now, and it still hasn’t happened because, very simply, phones aren’t PCs.

There are many control points which exist for phone software but not for PCs: Read the rest of this entry »

Posted in Malware | 2 Comments »

Platform Security Book Now Online

Posted by Craig H on 19 December 2010

I was the lead author for the book Symbian OS Platform Security published in 2006, at the time that the first Symbian OS v9 phones with platform security came out. The Symbian Foundation put a wiki version of the book online earlier this year, so that the content would be freely available to the community and people could contribute corrections and additions. The foundation wiki closed last week, but Wiley has kindly agreed to us hosting the book wiki here to keep the resource available. Our MediaWiki is now up and running, and the book wiki is available there.

I’ve been thinking for some time that we co-authors of the book should put together an article covering the lessons learned from nearly 5 years of the Symbian platform security architecture in the field; there are certainly some things that, in hindsight, I would choose to do differently. Maybe we can use this wiki to make that a living document!

Posted in Announcement | Leave a Comment »

Thoughts on Trusting Password Managers

Posted by Craig H on 14 December 2010

There has been a lot of buzz about the Gawker Media user account data breach, which came to light last weekend. One aspect of that is a privacy issue (anonymous comments are now no longer anonymous) but the main concern seems to be passwords from Gawker Media sites being used to gain access to accounts on other systems.

First a clarification: it’s not obvious that Gawker Media did anything fundamentally wrong here. The passwords were one-way encrypted, and database breaches can happen to even the most diligent system administrators (software inevitably has flaws, and there are lots of bad guys, some of whom will be able to develop or find out about Zero Day exploits). It doesn’t really matter how good the password encryption was either; once the encrypted passwords are available, off-the-shelf hardware can run through a staggering number of possible passwords to “brute-force” the encryption in seconds.

There are really only two defences, Read the rest of this entry »

Posted in Authentication, Risks | Leave a Comment »

Future of this Blog

Posted by Craig H on 14 December 2010

Subscribers to this blog may well already have noticed that various symbian.org web sites will be shutting down on Friday. This blog, secblog.symbian.org, isn’t specifically mentioned; it is hosted at a free provider (actually sfsecurity.wordpress.com) so there’s no particular need for it to be closed, but the domain name may well be redirected along with the rest of the symbian.org subdomains.

Perhaps more to the point: this Friday will be the last working day for most Symbian Foundation staff, including me, so it won’t be appropriate for me to blog in Symbian’s name after that. I am planning to export the existing content from here though, and continue this blog* under another banner. I do want to say a few words about the Gawker Media breach while that’s still fresh, so I’ll do that here, and then update you on the new home for the blog before Friday.

* probably more accurate to say “restart this blog” as my last post was in July 😉

Posted in Uncategorized | Leave a Comment »

The Symbian Signed Story, Part 4

Posted by Craig H on 2 July 2010

It really is time that I brought my very occasional series of posts on the history of Symbian Signed up to date. We have some future changes in the pipeline that we are hoping will make things still less of a burden for developers, and I think it’s helpful to put that in the context of what has gone before (a 6 year history of incremental improvements).

In the last instalment, I had got up to 2006, when the first phones with platform security started shipping. This was a major turning point in the perception of Symbian Signed, as before then it was an optional thing for developers, but afterwards it was a requirement for access to the more security-sensitive APIs on the platform. I’ve already explained (I hope!) why that was necessary, but it did mean that some developers who would really rather not care about security now were forced to, and started to complain very loudly about it.

Read the rest of this entry »

Posted in Applications | 1 Comment »

« Previous Entries

Next Entries »