MOBILE PHONE SECURITY THREATS


Note: This is a re-created post. Find the original content by using reference links (PFB).

Mobile platforms are going to be harder to secure


Lost and stolen

Lost and stolen smartphones and other mobile devices are the biggest mobile security threat to enterprises, according to security experts watching the evolving threat landscape. Yet, the hype around malware would lead users to believe otherwise.
The risk of an employee leaving their smartphone behind at a restaurant or bar and having it fall into the wrong hands is far greater than an employee downloading malware onto their device.
Device owners rarely use a passphrase or code to protect against unauthorized access to their device. That leaves the phone wide open to a thief. Contacts, email messages and data saved in some applications can be easily accessed by the average criminal. While most enterprise mobile security software suites have device location and wipe features, a lack of security policy around personally owned devices means many employees and their organizations remain at risk. By the time a device is reported lost or stolen, a thief could have already made off with the data.
Near field communications (NFC)


The potential still exists for a sustained and exponential increase in mobile device attacks, but it will likely take years before cybercriminals flock from the desktop to mobile devices, he said. New payment technologies, such as near field communications (NFC), which can turn any smartphone into a virtual credit card, may make attackers take a closer look at mobile platforms.

Fewer security controls

The attack surface is much greater on mobile devices and there are far fewer security controls. You can do everything you can do on a laptop but you also have other things like location information, an SMS channel, voice dialing, a camera and sensors that are a potential way in. These are still the early days and we still need to get a handle on the new risks and threat models and learn how to use some of the security strengths of the mobile platforms correctly.

Geolocation madness

A device user’s location can be an extremely valuable piece of data for marketers. It also can add important and valuable functionality for certain applications.

Privacy protection legislation will mostly address location-based services, but look for loopholes put in place for mobile carriers and other entities. We’re going to see indiscriminate use of location-based information become a crime. Cybercriminals could eventually latch onto this location-based services trend with malware and other tricks that take advantage of location data to trick users into giving up more sensitive information about themselves, including account credentials.

Excessive permissions


Application permission requests were built into mobile platforms as a way to improve security, but those notifications, which require the end user to confirm an application’s breadth on a device, are being largely disregarded by device users. People are quick to choose functionality over security and privacy. Most device owners continue to give applications elevated privileges and that means the latest game they downloaded may have the functionality to tap into the device’s messaging app or location data.

Carrier IQ software
This diagnostics application was placed on some devices by mobile carriers, but the software was not always optional, and in many cases users didn’t even know it was on their devices. Security and privacy advocates were outraged because the software could report GPS location data, record which dialer buttons were being pressed and the URLs being visited by device owners.

Unsecure Wi-Fi


Most devices automatically roam for the nearest open Wi-Fi hotspot. Unfortunately, automated tools make it easy for just about anyone to snoop on people or even take over their browsing session. Researchers have demonstrated that by using basic tools of the trade they could take over a person’s unsecure webmail session, Twitter or other social media account. Many services, including Google, have responded, supporting encrypted sessions that protect users on open Wi-Fi, but the threat remains.

Websites that don’t use SSL/TLS encryption correctly could be putting smartphone users at risk of a well-known Wi-Fi hotspot attack called sidejacking.

Mobile application vulnerabilities


The Google Android and Apple iOS app stores have given rise to a new crop of mobile application developers. Mobile application frameworks lack maturity, and when combined with the need for speed, that has resulted in applications with shoddy code, flaws and functionality that is not needed. Some developers churn out new mobile applications too quickly. Researchers studying mobile applications are finding a lot of coding errors. Speed leads to costly mistakes, such as authentication or authorization errors, poor file-system permissions and application permissions that are too lax.

Mobile operating system threats: ANDROID

Android has been the most successful mobile operating system this year and rules more than 50% of the market. This success has made it a target, and rivals as well as cybercriminals have made various malicious applications for Android. All these activities are being performed in order to enrage Android users and kill Google’s market.
Google has taken action to delete more than a dozen cloned applications hosted on its Android Market after they were found to be malicious, racking up expensive text messaging charges on owners’ smartphones. Google’s reaction has been quick, but not quick enough: at least ten thousand users downloaded one of the malicious apps from the list.

One of the most popular hidden Trojans is called DroidDream, which gives cybercriminals the ability to break out of Android’s built-in application security sandbox feature.



Flawed Android Apps


Mobile developers building applications for Android devices are making many of the same mistakes as enterprise developers, and those poor coding practices may be rendering encryption and other security features ineffective.

 

Hard-coded cryptographic keys

Developers sometimes hard-code cryptographic keys to make it easier to develop the application.
40% of Android applications contain at least one instance of hard-coded cryptographic keys. The practice gives every user of an application the same encryption key, which is similar to everyone within an organization using the same password to secure their data. Because Android applications are easy to decompile, an attacker can easily extract and publicize hard-coded keys.
Coding errors abound in mobile apps, because the tools and frameworks for building them are less mature.
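
A pre-release check for the hard-coded key problem described above, added here as an example and not taken from the original post or any particular tool. It scans Java source (as a reviewer would see it, or as it appears after decompiling an APK) for `SecretKeySpec` keys built from literals or constants; the class `Vault`, the package name and the key values are constructed for illustration.

```python
import re

# Constructed sample of Android Java source (hypothetical app, not real code).
SAMPLE_JAVA = '''
package com.example.notes;
import javax.crypto.spec.SecretKeySpec;
public class Vault {
    private static final String APP_KEY = "0123456789abcdef";
    private static final byte[] RAW = {0x13, 0x37, 0x42, 0x00, 0x7f, 0x10, 0x22, 0x31};
    SecretKeySpec a() { return new SecretKeySpec(APP_KEY.getBytes(), "AES"); }
    SecretKeySpec b() { return new SecretKeySpec("s3cr3t-k3y-16byt".getBytes(), "AES"); }
    SecretKeySpec c() { return new SecretKeySpec(RAW, "AES"); }
    SecretKeySpec d(byte[] fromKeystore) { return new SecretKeySpec(fromKeystore, "AES"); }
}
'''

# Constants whose value is fixed at build time and ships inside the APK.
STR_CONST = re.compile(r'\bfinal\s+String\s+(\w+)\s*=\s*"([^"]*)"')
BYTES_CONST = re.compile(r'\bfinal\s+byte\[\]\s+(\w+)\s*=\s*\{([^}]*)\}')
# new SecretKeySpec(<key expression>, "<algorithm>")
KEYSPEC = re.compile(r'new\s+SecretKeySpec\(\s*(.+?)\s*,\s*"(\w+)"\s*\)')

def find_hardcoded_keys(source):
    """Return (line, algorithm, reason) for every key that is embedded in the code."""
    strings = dict(STR_CONST.findall(source))
    arrays = {name for name, _ in BYTES_CONST.findall(source)}
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in KEYSPEC.finditer(line):
            arg, algo = match.group(1), match.group(2)
            # Strip a trailing .getBytes(...) to get at the underlying expression.
            base = re.sub(r'\.getBytes\(.*\)$', '', arg)
            if base.startswith('"'):
                reason = "inline string literal"
            elif base in strings:
                reason = "string constant " + base
            elif base in arrays:
                reason = "byte-array constant " + base
            else:
                continue  # key arrives at runtime (parameter, keystore): not flagged
            findings.append((lineno, algo, reason))
    return findings

if __name__ == "__main__":
    for lineno, algo, reason in find_hardcoded_keys(SAMPLE_JAVA):
        print(f"line {lineno}: {algo} key from {reason}")
```

Method `d` is deliberately not reported: its key is supplied at runtime, which is the pattern to move towards (a per-device key generated and held by the platform keystore rather than one value shared by every install).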

Application permissions
As with all Android applications, users must choose to allow the permissions requested by applications before they can be installed. Permissions are displayed by the Android operating system under broad headings that summarize the implications of the permissions requested. For example, the permission to allow an application to send SMS or MMS messages is organized under the easy-to-understand heading of “Services that cost you money”. Understanding these permissions can help users avoid applications which make unnecessary requests. In this particular instance, the applications ask for the permission to send SMS messages – a service that will cost you money (something users should think twice about before accepting and proceeding with the install).
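
The permission review described here and under "Excessive permissions" can be automated against an app's AndroidManifest.xml. The following is an added example, not part of the original post: the manifest is constructed, and the `SENSITIVE` and `BASELINE` tables are an assumed review policy rather than anything defined by Android.

```python
import xml.etree.ElementTree as ET

# Attributes such as android:name live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed review policy: sensitive permissions and the risk each carries.
SENSITIVE = {
    "android.permission.SEND_SMS": "can send SMS (costs money)",
    "android.permission.CALL_PHONE": "can place calls (costs money)",
    "android.permission.READ_SMS": "can read messages",
    "android.permission.READ_CONTACTS": "can read contacts",
    "android.permission.ACCESS_FINE_LOCATION": "can read precise location",
}

# Assumed baseline: sensitive permissions each app category plausibly needs.
BASELINE = {
    "game": set(),
    "messaging": {
        "android.permission.SEND_SMS",
        "android.permission.READ_SMS",
        "android.permission.READ_CONTACTS",
    },
}

# Constructed manifest for a hypothetical game.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Example Game"/>
</manifest>
""".strip()

def audit_manifest(xml_text, category):
    """Return sensitive permissions the app requests beyond its category baseline."""
    root = ET.fromstring(xml_text)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    allowed = BASELINE.get(category, set())
    return sorted(
        (perm, SENSITIVE[perm])
        for perm in requested
        if perm in SENSITIVE and perm not in allowed
    )

if __name__ == "__main__":
    for perm, risk in audit_manifest(SAMPLE_MANIFEST, "game"):
        print(f"unexpected for a game: {perm} ({risk})")
```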

Android’s success makes it a target
Microsoft is using the latest malware campaign aimed at rival Android to give away new Windows 7 Phones to the five Android users who tell the best tales of woe.

Other platforms won’t be safe either
We’ve already seen it done in the Android Market and we’re bound to see it happen on other platforms. Rather than traditional desktop malware, “Trojanized” applications could initially cause trouble to individual owners and ultimately be a problem for enterprises. Attackers could steal account credentials and use them against corporate networks or they can tap into freely available information – data found on Facebook and other social networks – to conduct targeted social engineering attacks against employees. In other words, if someone loses their phone and an attacker gets access to that application, the attacker could basically get access to all the data that everyone in the organization can access.

Conclusion: Even though we don’t know how everything is going to get attacked, we can still be prudent in how we go about building mobile applications.

References:
http://network-security.alltop.com/
http://searchsecurity.techtarget.com/news/2240112288/Top-5-mobile-phone-security-threats-in-2012

Manage all your social networks via a single interface: Tweetdeck


Intel AppUp Center offers a great deal of applications varying from education to games. When I browsed for my favourite app, my eyes fixed on Tweetdeck.

It is a Twitter, Facebook, MySpace, Google Buzz, Foursquare and LinkedIn client, which has been popular since 2009.

Although there are many applications that may offer similar integrations with these networks, there are certain features that make Tweetdeck stand alone.

The most important thing to be considered is that Tweetdeck has recently been acquired by Twitter (May 25 2011), which makes it more authentic and proves to be good enough.

Some of the main facilities available are:

Multiple columns: One can organize the information into real-time columns which may include updates from friends, Facebook notifications, tweets from certain groups, etc. This provides the very recent updates organized as per the user’s interest.

Multiple Twitter accounts: Some users like to keep more than one Twitter account, for example to post tweets related to a certain topic from a different profile. Tweetdeck allows you to do so, and you can swap between the profiles with a single click.

Reply, retweet, direct message and favorite from a tweet: There are small buttons for these, which appear on the concerned image as one hovers on it. This makes it pretty fast and easy.

View user profiles: There is no need to open a separate web page, as one can view the profiles in Tweetdeck itself, which will give all the required options like Follow, See recent updates, who a person is following and being followed by, etc.

Follow or unfollow and block or unblock a user: This can be done very easily and saves time.

Add All Friends, Mentions and DM columns: These are some of the columns that may help you to deal with different activities of twitter simultaneously. This allows you to keep track in real-time.

Add Search columns: This is another important feature that allows you to add a separate column featuring the results of your search. (Very useful for dealing with hashtags)

Add Trending Topic columns: These columns connect you with the world in a single go.

Add Twitter list columns: You can organize various lists and keep track of them so.

Cross post updates to any combination of your accounts: This is my favourite feature as it allows you to decide which of the accounts you want to use for posting your updates.

Geotag your tweets: Just set your location once and your tweets can be geotagged automatically.

Shorten URLs: This makes sharing links fairly easy. It also allows you to choose the shortening service on your own.

Access your Twitter contact list: You can browse among the contacts and can search for a friend.

Upload photos (from the on-board Photo Library): Sharing photos is of course one of the most required features, and it is covered.

Rearrange columns however you like and delete those you no longer need: Thus, you can always change your mind and try experimenting.

View geocoded tweets on a full-screen map: This feature allows you to see where the tweets are coming from.

And this is not the end of it, the development status of this application is active and there are likely to be even more magical updates to it. Some of them can be listed as:

Quick Send tweet: Suppose you notice a tweet which seems interesting but you don’t have enough time to explore. This feature will allow you to directly email it for later consideration.

Gmail Notifications: These when integrated with tweetdeck will allow you to keep track of your emails as well.

Unicode Art: This will allow you to use smiley faces, arrows, etc.

Tweet as you go: This can truly be a fresh design that will allow the users to use the camera in their portable device to see where they are going while using tweetdeck. Hence you don’t have to worry about crashing into a pole while you were busy typing your tweet while walking.
———————————————————————————

Thus, I can say that tweetdeck is the best application I have ever used for dealing with my twitter account. And if you are into facebook, you will notice that reading updates and responding to them is a lot easier and faster.

The environment that allows Tweetdeck to take care of all the above-mentioned characteristics is called Adobe Integrated Runtime. This cross-platform runtime environment is abbreviated as Adobe AIR, which might already be installed on your computer, as it comes along with various Adobe installations like Adobe Reader 9, Photoshop and Lightroom with no option for exclusion.

Support: Tweetdeck is supported by operating systems like Windows, Linux, Apple iOS and Android as well. Thus you can use it anywhere anytime. Several different versions have been launched which allow you to decide how you want to use it. There is a downloadable desktop version that allows you to use it just like any other application installed. Other versions include iPhone, iPad, Android, Chrome and Web(limited beta). Each of these has been carefully designed keeping in mind the needs and platform being used.

As most of us are on facebook, even if you are not a fan of twitter or other networks specified, you can try this application for the sake of most popular social network (facebook as for now) at least. I would suggest that one should sign-up for twitter and try using this application after connecting the account, and I am pretty sure that even the least active person on twitter will start enjoying it.

This blog is an entry to the “My Favorite PC App” contest. Check out numerous apps for PC/Netbooks available at the Intel AppUp Center. If you are looking for an opportunity to build and monetize your applications, check out the Intel® Atom™ Developer Program.
Reference:

http://tweetdeck.posterous.com/
http://en.wikipedia.org/wiki/TweetDeck
https://www.facebook.com/GoTweetDeck
http://thenextweb.com/apps/2010/04/02/tweetdeck-coming-ipad-awesome/
Image: Screenshot taken from https://www.tweetdeck.com/api/webbeta/