Franklin Heath Ltd

Master Your Information Assets


Author Archive

Give the Bad Guys your PayPal Account?

Posted by Craig H on 20 May 2010

I was concerned to read this blog post from PayPal’s VP of Platform, announcing their Mobile Payments Library. The feasibility of in-application mobile payments is something I’ve looked at often over the years, and I’ve always come to the conclusion that it’s extremely difficult to do securely. I haven’t seen any evidence here that PayPal have solved that.

There are some interesting challenges at the API level that are probably only relevant to security geeks (how does the service know that the application that’s invoking it is properly authorised?) but I won’t go into that now, because it seems there is a more basic and glaring error:


Posted in Malware, Payment, Risks

Freeware Application Testing Idea

Posted by Craig H on 1 April 2010

We know that there is a lot of inconvenience associated with distributing free (as in beer) applications for the Symbian platform at the moment – either the developer has to pay to get it Symbian Signed or every user has to sign the application for their own phone using Open Signed Online.

I am suggesting that the Symbian Foundation should host a beta test site for free applications. Developers and volunteer testers would be able to sign up to the site with just an email address and an IMEI, and then they could upload any application they like, and download any application they like. On download, the application would automatically go through Open Signed Online and be signed for that user’s specified IMEI.


Posted in Applications, Malware, Risks | 4 Comments

Health Apps on Phones?

Posted by Craig H on 8 February 2010

This post is about trustworthiness (security in a broad sense) and specifically about reliability.

I see increasingly frequent suggestions that people should use their phones to monitor their health. This is, on the face of it, attractive; being an insulin-dependent diabetic, I carry a blood glucose meter with me pretty much everywhere, and in line with the general trend of convergence (calculator, camera, music player, radio, etc.) wouldn’t it be great if that was built in to my phone?

Well yes, that would be very convenient, but I’m afraid I think it’s a fundamentally bad idea.


Posted in Applications, Risks

Security Roadmap and Strategy Published

Posted by Craig H on 28 January 2010

This week we’ve published the first full version of the Symbian Platform Security Roadmap and Strategy. It’s by no means set in stone, so any and all comments and suggestions are welcome (either in the Security forum or using the comment facility on the wiki page).

I have taken some liberties with the format and tagged on a longish “wish list” of items Open for Contribution at the end. I’d particularly like to draw attention to the last four, which are opportunities for concerned individuals or organisations to address some consumer protection issues (which our traditional contributors probably won’t address).

I did allude to this six months ago, but this time I’ll be shorter and more to the point: 🙂

  • Notarised Call Recording
    how to hold faceless utility companies to account?
  • Pre-Advice of Premium-Rate Charges
    think twice before giving your money away?
  • Privacy Labels
    how not to embarrass yourself on social networking sites?
  • Vendor Relationship Management
    how to do e-commerce on your terms?

Volunteers welcome 😉

Posted in Uncategorized

Apps for the Paranoid Needed?

Posted by Craig H on 4 January 2010

I can’t let Karsten Nohl’s presentation at 26C3 go without comment. To be clear, he was only talking about weaknesses that were already known (so headlines like “Secret mobile phone codes cracked” are at best misleading), but his purpose was to demonstrate that those theoretically known attacks are now practical. His point is a very valid one, and holds for most (all?) cryptographic algorithms: researchers will discover more efficient attack techniques, and technology will evolve to make such attacks practical, so you’d better design your cryptographic protocols so you can switch to different algorithms if and when the future need arises.* Happily this is the case for the GSM protocols, and all (!) that is needed is for the phone manufacturers and network operators to deploy the A5/3 algorithm and we can all go about our business.

That said, there is an interesting point made, almost in passing, in the presentation.

Posted in Applications, Network Protocols, Privacy | 3 Comments

What to do about SMS Spam?

Posted by Craig H on 2 December 2009

I don’t often get SMS spam (maybe once a month on average) but it really feels like an intrusion when I do. What I get are usually borderline scams of the “you have won a prize” or “our records indicate you are due compensation for your recent accident” type. I really think that replying to these things (even with “STOP” as they suggest) is only going to encourage them, so I did some investigation about what can be done. I’m in the UK, so I’m going to talk about what to do in the UK, but if anyone can add to this with advice for other countries please do so in the comments!


Posted in Spam | 5 Comments

What Defines a "Botnet"?

Posted by Craig H on 23 November 2009

There have been various reports over the weekend of a new development of the “Ikee” iPhone worm that now collects banking details. It is being reported as a “botnet”, which seems to be a popular term with journalists (possibly because it appeals to “Rise of the Machines” type scare-mongering 🙂 ).

I’ve been quite sceptical about such reports since this July, when the “Sexy View” malware on the Symbian Platform was reported as the “first mobile botnet”. Now in my view that wasn’t even a proper worm (it had to be manually installed by the user on every phone it spread to) and definitely not a botnet (there was no remote control of the malware after it was installed), so is there any more truth in these latest reports?

According to F-Secure’s initial analysis, the latest iPhone malware connects to an IP address in Lithuania, and downloads something from it, but it’s not clear from that what the thing it downloads is, or what it does with it. Although they call the IP address a “command & control center”, I remain sceptical, and would like to see some more details before conceding that this actually is the “first mobile botnet”…

Posted in Malware | 1 Comment

Opening up the Security Strategy Working Group

Posted by Craig H on 6 November 2009

We’ve been trying to get a Security Strategy Working Group going, and thus far it hasn’t really taken off. Chatting with various people about this, we’ve decided that, following Symbian’s principles of open governance, we should be brave and open the discussions to the world at large.

Do please note that this is not a commitment to full disclosure of unfixed security vulnerabilities; the point of this working group is, among other things, to discuss what the right policy should be for dealing with vulnerabilities. I (Craig) favour responsible disclosure, but that’s up for discussion.

If you have an opinion on the work items (and you really should, they will affect device manufacturers, security researchers, network operators, package owners and committers, security tools vendors and anyone who even uses a Symbian Platform device) then please sign up for the mailing list!

Posted in Open Source, Vulnerabilities

Meet the Package Owners: Timo

Posted by Craig H on 5 November 2009

Completing the set of package owners in the security technology domain is Timo J. Heikkinen, owner of the Security Services package (and also the Application Installation package in the runtimes technology domain):


Posted in People

Meet the Package Owners: Simo

Posted by Craig H on 19 October 2009

Next up is Simo Järvinen, owner of the DRM package:


Posted in People