New Site

Fri, 17 Dec 2010

The new site for the business that my lovely wife Louise and I have started is now available, with a rough-and-ready layout for the time being.

This blog will be continued at franklinheath.co.uk/blog, with a corresponding RSS feed at franklinheath.co.uk/feed. If you’d like to continue to follow my irregular ponderings, please do subscribe there!

I am intending to continue the Symbian OS Platform Security book wiki there too, but we haven’t got the MediaWiki hosting sorted yet. Please tune in for further announcements 🙂

Thoughts on Trusting Password Managers

Tue, 14 Dec 2010

There has been a lot of buzz about the Gawker Media user account data breach, which came to light last weekend. One aspect of that is a privacy issue (anonymous comments are now no longer anonymous) but the main concern seems to be passwords from Gawker Media sites being used to gain access to accounts on other systems.

First a clarification: it’s not obvious that Gawker Media did anything fundamentally wrong here. The passwords were one-way encrypted, and database breaches can happen to even the most diligent system administrators (software inevitably has flaws, and there are lots of bad guys, some of whom will be able to develop or find out about Zero Day exploits). It doesn’t really matter how good the password encryption was either; once the encrypted passwords are available, off-the-shelf hardware can run through a staggering number of possible passwords to “brute-force” the encryption in seconds.

There are really only two defences,

Future of this Blog

Tue, 14 Dec 2010

Subscribers to this blog may well already have noticed that various symbian.org web sites will be shutting down on Friday. This blog, secblog.symbian.org, isn’t specifically mentioned; it is hosted at a free provider (actually sfsecurity.wordpress.com) so there’s no particular need for it to be closed, but the domain name may well be redirected along with the rest of the symbian.org subdomains.

Perhaps more to the point: this Friday will be the last working day for most Symbian Foundation staff, including me, so it won’t be appropriate for me to blog in Symbian’s name after that. I am planning to export the existing content from here though, and continue this blog* under another banner. I do want to say a few words about the Gawker Media breach while that’s still fresh, so I’ll do that here, and then update you on the new home for the blog before Friday.

* probably more accurate to say “restart this blog” as my last post was in July 😉

The Symbian Signed Story, Part 4

Fri, 02 Jul 2010

It really is time that I brought my very occasional series of posts on the history of Symbian Signed up to date. We have some future changes in the pipeline that we are hoping will make things still less of a burden for developers, and I think it’s helpful to put that in the context of what has gone before (a 6-year history of incremental improvements).

In the last instalment, I had got up to 2006, when the first phones with platform security started shipping. This was a major turning point in the perception of Symbian Signed, as before then it was an optional thing for developers, but afterwards it was a requirement for access to the more security-sensitive APIs on the platform. I’ve already explained (I hope!) why that was necessary, but it did mean that some developers who would really rather not care about security were now forced to, and started to complain very loudly about it.

Give the Bad Guys your PayPal Account?

Thu, 20 May 2010

I was concerned to read this blog post from PayPal’s VP of Platform, announcing their Mobile Payments Library. The feasibility of in-application mobile payments is something I’ve looked at often over the years, and I’ve always come to the conclusion that it’s extremely difficult to do securely. I haven’t seen any evidence here that PayPal have solved that.

There are some interesting challenges at the API level that are probably only relevant to security geeks (how does the service know that the application that’s invoking it is properly authorised?) but I won’t go into that now, because it seems there is a more basic and glaring error:

Freeware Application Testing Idea

Thu, 01 Apr 2010

We know that there is a lot of inconvenience associated with distributing free (as in beer) applications for the Symbian platform at the moment – either the developer has to pay to get it Symbian Signed or every user has to sign the application for their own phone using Open Signed Online.

I am suggesting that the Symbian Foundation should host a beta test site for free applications. Developers and volunteer testers would be able to sign up to the site with just an email address and an IMEI, and then they could upload any application they like, and download any application they like. On download, the application would automatically go through Open Signed Online and be signed for that user’s specified IMEI.

Health Apps on Phones?

Mon, 08 Feb 2010

This post is about trustworthiness (security in a broad sense) and specifically about reliability.

I see increasingly frequent suggestions that people should use their phones to monitor their health. This is, on the face of it, attractive; being an insulin-dependent diabetic, I carry a blood glucose meter with me pretty much everywhere, and in line with the general trend of convergence (calculator, camera, music player, radio, etc.) wouldn’t it be great if that was built in to my phone?

Well yes, that would be very convenient, but I’m afraid I think it’s a fundamentally bad idea.

Security Roadmap and Strategy Published

Thu, 28 Jan 2010

This week we’ve published the first full version of the Symbian Platform Security Roadmap and Strategy. It’s by no means set in stone, so any and all comments and suggestions are welcome (either in the Security forum or using the comment facility on the wiki page).

I have taken some liberties with the format and tagged on a longish “wish list” of items Open for Contribution at the end. I’d particularly like to draw attention to the last four, which are opportunities for concerned individuals or organisations to address some consumer protection issues (which our traditional contributors probably won’t address).

I did allude to this six months ago, but this time I’ll be shorter and more to the point: 🙂

  • Notarised Call Recording
    how to hold faceless utility companies to account?
  • Pre-Advice of Premium-Rate Charges
    think twice before giving your money away?
  • Privacy Labels
    how not to embarrass yourself on social networking sites?
  • Vendor Relationship Management
    how to do e-commerce on your terms?

Volunteers welcome 😉

Apps for the Paranoid Needed?

Mon, 04 Jan 2010

I can’t let Karsten Nohl’s presentation at 26C3 go without comment. To be clear, he was only talking about weaknesses that were already known (so headlines like “Secret mobile phone codes cracked” are at best misleading) but his purpose was to demonstrate that those theoretically known attacks are now practical. His point is a very valid one, and holds for most (all?) cryptographic algorithms: researchers will discover more efficient attack techniques, and technology will evolve to make such attacks practical, so you’d better design your cryptographic protocols so you can switch to different algorithms if and when the future need arises.* Happily this is the case for the GSM protocols, and all (!) that is needed is for the phone manufacturers and network operators to deploy the A5/3 algorithm and we can all go about our business.

That said, there is an interesting point made, almost in passing, in the presentation.

What to do about SMS Spam?

Wed, 02 Dec 2009

I don’t often get SMS spam (maybe once a month on average) but it really feels like an intrusion when I do. What I get are usually borderline scams of the “you have won a prize” or “our records indicate you are due compensation for your recent accident” type. I really think that replying to these things (even with “STOP” as they suggest) is only going to encourage them, so I did some investigation about what can be done. I’m in the UK, so I’m going to talk about what to do in the UK, but if anyone can add to this with advice for other countries please do so in the comments!