Tag Archives: Security

Disabling Java in the Google Chrome browser

With all the security glitches related to Java, it is probably best to disable Java by default in your Chrome browser.

Getting to the Chrome’s options to disable Java takes a few mouse clicks via the menu system but the same result can be achieved by browsing to the address chrome://plugins

If Java is enabled you should end up with a plug-in line item that looks like:

After you click to “Disable” Java, the line item should be greyed out:

Security holes in iOS & flaws in Apple’s App Review Process

Legendary security researcher Charlie Miller has proven that the Apple App Store can be stocked with infected apps despite Apple’s closed ecosystem, strict code signing and code review process. He submitted a fake stock ticker app to Apple called Instastock as a proof-of-concept and this was accepted by Apple.

Instastock allowed Charlie to demonstrate the concept that once it was downloaded from the App Store, Instastock could ping and download another file to his server at home.

So what was Charlie’s exploit as we know that iOS typically only runs code that is signed?

With the release of iOS 4.3, Apple blundered by allowing Safari to run unsigned code due to latency experienced with JavaScript execution. Charlie therefore exploited this flawed security design decision by tricking iOS into assuming that his app was mobile Safari and therefore executing any code segment he wished. He noted that all versions of iOS from 4.3 to the recently released 5.0 contained the bug.

Charlie notified Apple about this bug almost 3 weeks ago but not the fact that he had actually published Instastock to prove the vulnerability. He tweeted yesterday – “For the record, without a real app in the AppStore, people would say Apple wouldn’t approve an app that took advantage of this flaw.”

Apple reacted by banning Charlie’s Apple Developer account for a year.

Mobile App Permissions Are Concerning

I love the freedom and configurability that my Android phone offers me but I’m also very concerned about my privacy.

Recently I’ve been hooked on checking app permissions of popular apps in the Android Market and I’m increasingly concerned about the permissions that app developers are assigning to their mobile applications.  

Tonight I’m checking the permissions behind one of the most popular weather widgets in the Android Market that has been downloaded a couple of million times and can boast of an excellent user rating. From a usability point of view, the widget interface is super-cool with great graphics and is easy to set up.

But it alarms me that this simple weather widget that basically sources weather information from a weather bureau and displays this information via pretty graphics has the following permissions (among others) listed:

YOUR PERSONAL INFORMATION
READ SENSITIVE LOG DATA
Allows an application to read from the system’s various log files. This allows it to discover general information about what you are doing with the device, potentially including personal or private information.

PHONE CALLS
READ PHONE STATE AND IDENTITY
Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.

SYSTEM TOOLS
MOUNT AND UNMOUNT FILESYSTEMS
Allows the application to mount and unmount filesystems for removable storage.

CHANGE NETWORK CONNECTIVITY
Allows an application to change the state of network connectivity.

RETRIEVE RUNNING APPLICATIONS
Allows application to retrieve information about currently and recently running tasks. May allow malicious applications to discover private information about other application.

So is there a faster way of determining which apps pose a risk?

There are free applications in the Android market that you could use to track the permissions of other applications. Applications such as PermissionDog appear robust enough to serve the purpose of monitoring app permissions on your mobile because they err on the side of caution, i.e.; some of Google Inc’s own applications are flagged as being dangerous based on their access rights. See some screenshots below.

We built our key duplication software system to show people that their keys are not inherently secret. Perhaps this was once a reasonable assumption, but advances in digital imaging and optics have made it easy to duplicate someone’s keys from a distance without them even noticing.

Stefan Savage, the computer science professor from UC San Diego’s Jacobs School of Engineering who led the student-run project: House Keys copyable from 200 ft away via camera via @newsycombinator. (via mattlehrer)