Aug 02 2013
A New Surveillance Defeating Messaging App

Info-Security
July 11, 2013

An app for both Android and iOS is being planned by one of the original founders of The Pirate Bay. In the wake of PRISM server surveillance and Tempora traffic surveillance, it plans to use true end-to-end encryption so that only its users will ever see the content.


Peter Sunde, co-founder and former spokesman for The Pirate Bay, is part of a new company and project: Heml.is. ‘Hemlis’ is Swedish for secret, and the project is a completely secure and secret chat app for iOS and Android. The intention is to use end-to-end encryption so that only the users can ever know the content of the message.

“All communication on today’s networks is being monitored by government agencies and private companies,” says Sunde in a video. “The politicians are not going to stop it, they’re actually asking for more. That’s why we decided to build a messaging platform where no one can spy on you, not even us.” If law enforcement or intelligence agencies intercept the messages, they will not be able to decipher them. If they obtain court orders for access to the servers, they will only get encrypted files because that’s all that will exist on the servers.

Sunde doesn’t accept the political argument that encrypted chat would be a boon for terrorists and organized crime. “We are talking here about normal people who do not have access to that technology yet. So terrorists are definitely not going to be on our system – they are already on their own systems; they wouldn’t trust us… so I think the only people we are helping are the [ordinary citizens] whom the government is surveilling,” he told RT yesterday.

The app will be free for basic messages, but there will be a charge ‘to unlock certain features’. The purpose is to fund running the service and ongoing development (future file-sharing, for example, is an aspiration). Details are not yet clear, but Heml.is stresses that it “will never introduce ads or selling your data to fund the app.” One option might be a time limit for storage on the server: if a message is not collected within a specified period, it could be automatically deleted.

The project is being funded by donations. “The fundraising campaign is in its early stage, though,” warned RT yesterday, “so there is no official release date planned for the application.”

But this morning Heml.is blogged, “Funded 100% in 36 hours!

Wow and incredible thanks to all our backers for funding us in 36 hours…

Now it’s time to get to work!”

At the time of writing this report, Heml.is had received $110,324 (the target was $100,000) in 42 hours.


Direct Link:  http://www.infosecurity-magazine.com/view/33402/a-new-surveillance-defeating-messaging-app/

Jan 02 2012
Android vs iOS vs BlackBerry: Which is the most secure holiday gift?


Which smartphone and tablet OS provides the best security?

Steve Hunt and the Neohapsis team provide a guide for holiday gift-givers (or any gadget lover).

By Steve Hunt and Neohapsis
December 14, 2011 

CSO

As the holiday season approaches, smartphones and tablets are some of the most in-demand items for anyone with even a hint of gadget love in their DNA. Coverage of these exciting new tools is full of hype about new features (SIRI) and also new fears (Carrier IQ). With the sheer volume of marketing and fear being thrown around—eclipsing even the number of holiday songs on the radio—it can be hard for even well-informed users to discern meaning from marketing when it comes to security on mobile devices.


It’s a bit like gifting a car: the right choice can greatly improve the recipient’s life, while a bad choice could leave them with problems for years to come. This guide covers the security side of the decision, so that you can take it into account and make the right choice for that special someone (or special self!).

Neohapsis Labs (an independent security think tank based in Chicago) has looked into the general security issues and distilled them down to this short guide (a more detailed report will be released early next year). While there are many devices to choose from, the main security decision is which platform to get. There are three main contenders at present (iOS, Android, Blackberry) and a few aspiring players (e.g. Windows Phone, Meego, WebOS, Bada). We are not covering Symbian due to Nokia’s recent decision to move to Windows Phone 7 in 2012. We will focus on the differences between the platforms and not go into cross-platform issues such as the widespread use of mobile analytics packages to track users for advertising purposes.


Android

Google’s Android operating system is the most widely deployed platform on tablets and smartphones at present, with a large number of vendors providing their own customized versions. Integrating smoothly with many Google services, Android is rapidly evolving with the latest version (the very well reviewed Ice Cream Sandwich) offering a slew of new features.

Unfortunately, when it comes to security, Android still has a long way to go. The long delay in releasing fixes for security issues is problematic because each carrier, manufacturer and model requires its own release. As a result, many Android devices are stuck on old and insecure versions of the operating system.

When it comes to applications, the primary source is the Android Market, which contains tens of thousands of applications, most of them free. These applications are uploaded by developers and go through no review before being published. This allows fast turnaround, but it leaves the door open for malicious apps to linger until Google hits the remote kill switch to remove them from devices (as has happened numerous times). Alternatively, curated markets such as the Amazon Appstore show promise for keeping malicious apps out; however, they have also drawn complaints for the slow rollout of application updates.

Because Android uses a very flexible application model, its apps can do things that cannot be done on the other platforms. A user is notified at install time what an application will be allowed to do, and can choose whether or not to install it. Once installed, third-party apps can (if authorized at install time) read and send messages, make and receive calls, access the internet and turn the microphone or camera on and off.

Because users are not very good at reading these permissions or understanding their implications, Android applications have been caught sending and receiving premium-rate calls and messages, recording users’ keystrokes or sounds, tracking user locations, or even containing botnet-style malware of the kind found on a desktop machine. There are quite a few third-party solutions available that purport to secure your device, but their effectiveness is in many cases questionable.

The flexibility of Android makes it a great choice for a highly capable user, but keeping it secure in the long run can require quite a bit of knowledge; often users will need to root the device and install their own custom updates directly if the carrier does not provide them. Clearly not for the technical novice!


Blackberry

While Android is taking the biggest bite out of the consumer market, Blackberry has very much been the jewel of the business world. With its users likened to drug addicts for their dependence on the device, RIM’s Blackberry devices have earned the nickname Crackberry. Even President Obama couldn’t part with his device, reportedly much to the irritation of the Secret Service and the delight of Research in Motion.

Security and control are among the main selling points of Blackberry: the ability to fully encrypt data, tightly control what is done with the device, restrict what individual applications can and cannot do, require tunneling of any and all internet traffic through the company’s servers, control apps and much more. The downside is that this control comes at a cost, and the management needed to keep a device secure can be time consuming for a non-enterprise user.


Blackberry App World, the source for third-party applications, offers a degree of review over all submissions. However, RIM does not review source code, and only so much can be understood of an application’s behavior from the outside. While Blackberry hasn’t been targeted by nearly the same amount of spyware or malware as Android, there have been instances of nefarious applications and spyware-trojaned carrier updates.

The ability to lock down and secure Blackberry devices is definitely a plus, but because much of it was designed with enterprises in mind it can get a bit complex for a standard user unless they are careful. The release of more consumer-oriented devices based on Blackberry 10 shows promise, but as it is unreleased at present, this one should stay on hold for individual users for now.

iOS (iPhone / iPad / iPod Touch)

In a market where the leader is represented by a green robot, and the trailer (Blackberry) is likened to a notoriously addictive drug, the company with second-place market share has a level of customer loyalty and satisfaction often described as a cult. (All of which gives you some idea of how seriously people take these devices!) We are, of course, talking about Apple’s iOS, the platform where it seems every new release will outsell its predecessor no matter what they do.

iOS is a slower-moving and far more tightly controlled platform than Android, with features designed to give a consistent, fluid, and controlled experience. As a result, the platform is great for doing things within Apple’s designs, but beyond that it is inflexible by design. Because of the level of control Apple exerts over iOS, users cannot patch vulnerabilities until Apple releases an update, which sometimes takes months; in many cases older devices are not compatible with the updates and so are never patched.


For applications there is the Apple App Store, over which Apple can be quite restrictive. There have been many reported instances of applications being rejected for mysterious or unknown reasons, most famously Google’s voice app in 2009. Because all applications are granted the ability to do everything that is allowed (with some exceptions, such as notifications and reading location), there are no complex permissions for users to keep track of and manage. While there has been at least one instance of a malicious app getting into the App Store, the most notable example was only a researcher’s proof of concept.

Also of note is the parallel ecosystem surrounding jailbroken Apple devices, where users have forcibly removed Apple’s software protections. Jailbreaking gives users the ability to add new features to devices, protect themselves from issues which Apple has not yet fixed, and install unapproved (or pirated) applications. At the same time, however, the removal of these protections potentially leaves users more vulnerable from a security perspective, as happened with the ikee worm in 2008.

iOS devices are a good balance when it comes to security, but this does come at a cost of flexibility that more experienced smartphone/tablet users may not like.


Windows Phone 7 and Other Aspirants

There are numerous other potential contenders in the smartphone space, most notably Microsoft’s Windows Phone 7, but also the Linux Foundation’s Meego and Samsung’s Bada. Symbian (formerly pushed by Nokia) and WebOS (formerly from HP) may in future rise or reappear as contenders, but at this stage both have been dropped by their main proponents and open-sourced, so we will wait and see.

The other platforms all have their own pluses and minuses when it comes to security, and they seem to have learned from the experiences of the big players. However, they also all have much smaller market shares, so we will not discuss them here. In particular we will be keeping a close eye on Windows Phone 7, as the relationship between Microsoft (big software) and Nokia (big hardware) may produce some interesting results for enterprise consideration.

Conclusions


So, which platform should you buy from a security standpoint? For most users the answer will be iOS, but for the technically experienced Android can work if they are careful. However, if a user is willing to jailbreak they can get many of Android’s benefits anyway. Blackberry may be a good choice from a security standpoint, but those who want a consumer device will generally prefer the others for non-security reasons. Windows Phone and the other platforms may be good in future, but at present they probably have not had enough exposure to make them a good long-term bet, especially after what happened to the TouchPad.


In short, our recommendation for each type of phone user:

Non-technical person: iOS (iPhone/iPad/iPod touch)

Techie: iOS/Android

Business user: Blackberry / iOS (but check what the company standard is first)


Note: Others have reached similar conclusions on these points; for instance see Symantec


Security industry veteran Steve Hunt is CTO of Neohapsis Labs.


Direct Link:  http://www.csoonline.com/article/696493/android-vs-ios-vs-blackberry-which-is-the-most-secure-holiday-gift-?source=ctwartcso

Dec 03 2011
Apple and Google told to improve smartphone security by Blue Coat
Vendors should check for malicious content when developing applications, says cloud services vice president
Computerworld Australia
By Hamish Barwick
18 November 2011

Blue Coat US vice president of cloud services Anthony James says the practice of “security by obscurity” on Apple iOS needs to improve as smartphone adoption increases, while he also criticised Google Android for its open operating system.

James, an expat Australian who has worked in the US for 10 years with security companies such as Fortinet, said iOS users have been lulled into a false sense of security because Apple does not check an application for security controls before it is published.

“They’ve had this whole sense of security around to get an application published, you need to go through their scrutiny,” he said. “They don’t check for security controls but for inappropriate content with the app.”

* Malware-infected applications

He pointed out that a US principal research consultant called Charlie Miller was able to exploit a bug in iOS which could be used to stock the Apple App Store with malware-infected applications.

Miller built a fake stock ticker app, dubbed “Instastock,” as a proof-of-concept, then submitted it to Apple, who approved and placed it in the App Store in September 2011.

“Apple has done a great job of security by obscurity,” James said.

He also criticised Google, the developer of Android, for having an open operating system but said Android 4.0 did contain some security improvements.

* Ice Cream Sandwich

“If you look at Android 4.0, the Ice Cream Sandwich, they put in some enterprise management features,” he said.

“We’re starting to see pressure on Google because what’s happening now is that corporate Australia is starting to dictate to these vendors that if they are going to allow these smartphones into their organisation they need to have some control,” he said.

“That’s where we have seen Android take their first step into enterprise management capabilities so I see Google is going to be more active in that.”

James, who was working on cloud security offerings for release next year, said he was targeting four operating systems: iOS, Android, Blackberry and Windows Mobile.

Direct Link:  http://news.techworld.com/security/3319300/apple-and-google-told-to-improve-smartphone-security-by-blue-coat/