security

One of our readers, David (aka SilverSharkDev), has informed us about a Mango app he’s been working on called Content Shield. The purpose of the app is to store various kinds of data and protect it should someone else get hold of your phone.

Content Shield stores the following kinds of information:

  • Passwords – Store various kinds of passwords so you don’t forget them. Categories include Facebook, Twitter, etc. Passwords can be copied and then pasted directly into the phone’s web browser.
  • Jokes – Add text jokes of your own or download them from the developer’s Twitter feed.
  • Agenda – Add items to your to-do list, categorize them, and then move them to the Completed page when done. To help remind users of uncompleted tasks, the most recent task appears at the top of the Content Shield Main Menu. Tapping on it jumps straight into the Agenda. The number of incomplete tasks also appears on the app’s Live Tile.
  • Shopping – Create shopping lists in various categories, including groceries and birthdays. Any item in your list can be instantly searched for in the web browser. Don't forget to buy Christmas presents for the WPCentral staff!

The protection aspect of Content Shield comes down to password protecting individual sections of the app. Create a password and a reminder, and then assign it to anything or everything so that other people can’t view or change things. Me, I simply rely on my phone’s lock screen password to protect my stuff, but this could be useful for people who share their phones for whatever reason.

The developer promises to add more features over time. Content Shield will appear on the Marketplace soon, and it will be free.

Head past the break for a second video preview that demonstrates Content Shield’s Agenda and Shopping functions.

Microsoft has recently made changes to its geographic location service, which we reported on not so long ago as having a lack of safeguards and a privacy flaw. Elie Bursztein, a researcher at Stanford University, created a web page that allowed visitors to search the database at Live.com for locations using device MAC addresses.

Reid Kuhn, a Partner Group Program Manager on the Windows Phone engineering team, made the announcement today over at TechNet and stated that while it was not possible to track a roaming mobile phone or laptop using its MAC address, they are aware of the fine line Microsoft is treading with regard to privacy issues surrounding geolocation.

"Microsoft's privacy and security team has been in contact with Elie and we will continue the ongoing dialog with experts in the privacy field to improve our service offerings. We thank Elie and his team for working with us on this issue."

Kudos to Microsoft for taking measures to address the issue head on.

Source: Microsoft, via: WinRumors

CNET previously reported on Microsoft's lack of privacy safeguards for its database at Live.com, safeguards which both Google and Skyhook Wireless now have in place. A researcher at Stanford University, Elie Bursztein, has created a web page that lets anyone look up a MAC address and get a pinpoint location for it, drawn from the records of Windows Phone 7 handsets and Microsoft's army of Wi-Fi recording vehicles as to where that device address was last seen.

Is it really that much of a problem for the average web user? We have social networking with location-based services that display where the user is currently situated and people are connecting with the www more each year. I would, however, like to see a global opt-out option for Google, Microsoft and all other data collection services should I not wish for my location to be given out.

We're not quite sure whether this works with device-specific addresses or only with those acting as a wireless access point (routers, tethered phones, MiFi, etc.). Bursztein plans to discuss his findings with two other researchers at the Black Hat security conference, being held in Las Vegas next week. Have you tried searching for your MAC addresses, and are you concerned about this information being publicly viewable?

Source: Elie Bursztein, via: CNET

While nothing to be fearful about, I wouldn't recommend sending your bank account number and sort code via Kik Messenger for Windows Phone anytime soon, not that you would anyway. While the user's password is sent either hashed or encrypted, it's reported that Kik is sending user email addresses and messages in clear text, viewable by anyone sitting in the middle of the connection, over an open connection (i.e. unsecured WiFi).

Mike Cardwell, a well-established IT specialist, reported a year ago how Kik was insecure on BlackBerry, Android and iOS. Kik has since resolved these issues this year and has commented on an article over at Within Windows covering the WP7 client:

 "Hi Rafael, Corry from Kik here. Thanks for your analysis. We are aware of this issue and plan to add WP7 message encryption in a future release. We want to reiterate that the password is not being sent in clear-text, and that our Android and iPhone clients feature full SSL encryption (login info + messages), as Mike Cardwell mentioned in his comment."

At least our passwords are safe, although we do recommend using multiple passwords for your online accounts, especially between social networks and e-commerce sites. Hopefully security will be added for emails and messages in Kik at some point in the near future. Use over 3G should be fine since the signal is encrypted.

Source: Within Windows and Mike Cardwell, thanks insi for the tip!

The other day we mentioned an openly available tool, Dropbox Reader, that is designed to circumvent security measures on your DropBox account. We are now hearing that over the weekend, no tool was needed to access DropBox accounts.

For a brief period of time, users could log into accounts using any password. Just type in an email address and wing it with a password and you were in. DropBox has confirmed this breach and states it left everything vulnerable from 1:54pm PDT to 5:46pm PDT this past Sunday (06/19/2011). The fix only took five minutes to put into place once DropBox became aware of things.

In a statement on DropBox's blog, the cloud storage service reports,

"We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us at security@dropbox.com.

This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again."

If you're a DropBox client, you may want to check your account to see if any files were accessed during the time frame or have gone missing. Changing your password might not be a bad idea either.

Glitches in security happen, but it sure does seem like DropBox has been snake-bitten here lately.

source: TechCrunch via: Gizmodo

Security is always a cause for concern, whether it be with online banking or simply ordering a Domino's pizza. Passwords used online for applications or services are no different, especially with the amount of cyber crime occurring since the boom of the world wide web. Google have published an article on their blog outlining recent attacks being made on Gmail accounts and how users can protect themselves further.

One way to further protect your email account is to use an OTP (One Time Password) via the web interface when logging on across multiple machines, networks and/or locations. For your Windows Phone (and other devices) you can use application-specific passwords, which are randomly generated passwords used per device. You don't need to remember them and they don't affect your main login credentials. Think of one as an access key your device requires to gain access to your account.

Check out the video after the break for the step-by-step walkthrough on using two-step verification and creating an application specific password for your Gmail account on your device. 

Looks like the planned May update is being rolled out, version 7.0.7392.0. This update addresses the fraudulent third-party digital certificates that could lead to potential phishing attacks or intercept web browser connections (man-in-the-middle). The update simply moves these certificates into the "Untrusted Publishers" certificate storage on your device.

More information on the update is available over on the update history page. Have you received the update notification yet?

Updated: According to Microsoft, this update is at the discretion of carriers, again, meaning some of us may not see this until it is tied with another, future update: "How you get 7392 depends on your mobile operator and what updates you’ve installed...If you’ve already installed the March update, you’ll receive 7392 as a standalone download or bundled with a future update."

Source: Microsoft Windows Phone; via WPSauce

Back in March we reported on some fraudulent SSL certificates that could make WP7 users vulnerable to phishing/spoofing attacks, and the possibility that MS would be releasing a security update to fix it. According to SlashGear, sources have revealed that MS plans to roll out the update on May 3. It is still unknown whether the patch will come in the form of an OTA push or through Zune software updates.

The fake certificates were brought to light by Comodo, who issued them without fully verifying their validity, and affect nine different websites. Comodo has since revoked the certs in question, while Microsoft posted a bulletin for desktop users of Internet Explorer. The sites affected are:

  • login.live.com
  • mail.google.com
  • www.google.com
  • login.yahoo.com (3 certificates)
  • login.skype.com
  • addons.mozilla.org
  • “Global Trustee”

Source: SlashGear; Via: PocketNow

UPDATE: Bruce Cowper, Group Manager of Microsoft’s Trustworthy Computing, has told WinRumors that users will be notified of the update's availability over the air, while the update itself will come through Zune.  He could not confirm the release date, but simply said, “the Windows Phone team is actively working with mobile partners to develop and distribute a mitigation update.”

While far from exciting, as it won't bring any new features, Microsoft is rumored to be working on an update to fix fraudulent SSL certificates issued in a hacking attempt that took aim at many web browsers. Microsoft has just published a security advisory on the issue to address the bogus SSL certs. As Bruce Cowper, manager of the Microsoft Trustworthy Computing group, states:

This is not a Microsoft security vulnerability; however, one of the certificates potentially affects Windows Live ID users via login.live.com...These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against end users. We are unaware of any active attacks.

Microsoft has since patched Internet Explorer against the attack and is reportedly mulling over an update, possibly even an over-the-air (OTA) one, for Windows Phone, though nothing is certain at this point. No timeline was given either. It will be interesting to see if Microsoft utilizes the OTA update capability for Windows Phone, a feature which was originally thought to be used for adding copy/paste but has since taken a back seat due to reliability concerns.

Edit: For those curious about SSL certs and how they work, see VeriSign

Source: WinRumors

We previously covered the famed hacker GeoHot possibly moving over to Windows Phone 7, and it seems this may now be happening: the Pwn2Own 2011 hacking contest, being held next week, lists GeoHot as a registrant targeting the Dell Venue.

Update: We're now told Geohot had to back out due to the ongoing Sony lawsuit with him needing to devote time to that instead. Thanks, @aaronportnoy.

Yesterday, the Android market had 21 applications pulled by Google and force-removed from users' devices due to them containing an exploit called 'rageagainstthecage'. And while Google successfully and quickly pulled the software from the market and from devices ("kill switch"), those 21 apps were downloaded over 50,000 times (bigger market, bigger target).

It was bound to happen. We've been bombarded for years about the threat of computer viruses, exploits, Trojans, etc. and if there was ever a viable target today, Android would be it. It has an open market (no approval processes), huge market share and one heck of a hacker community. How serious is the exploit? Our sister site Android Central says:

rageagainstthecage...opens the door for the app to do anything with your data -- like send it to a remote server. Of course with root it can do much worse as well.

If you installed any of these applications, they should have been pulled off your phone, but that's not enough. You need to do a full system wipe and reset your phone completely; the data wipe and reset from settings may not be enough. This means ODIN, RUUs, .sbf files or a trip to your carrier store if this is beyond your capabilities.

Mind you, all 21 apps were uploaded by one person. Going further, Android Police, who originally broke the story, say:

...it steals nearly everything it can: product ID, model, partner (provider?), language, country, and userID. But that’s all child’s play; the true pièce de résistance is that it has the ability to download more code. In other words, there’s no way to know what the app does after it’s installed, and the possibilities are nearly endless.

Egads. While we hope nothing too nefarious has happened, it goes to show that having a regulated Marketplace, like Windows Phone, where the code is checked for such things can be quite valuable when compared to what Android users are now facing. Will this become a regular occurrence? What will Google do to address the problem? It will be interesting to see in the next couple of days the fallout from this breach.

Apps with Live Tiles are always fun, so here's one from Touchality, makers of that popular Foursquare app on Windows Mobile.

It shows Homeland Security info like the threat level (the color codes, although that system is being abandoned) as well as airport statuses via lookup. It also has links to the Department of Homeland Security websites for quick reference. But really, it's the color-coded Live Tile that's kind of cool here, even though it is set to expire in April.

The app has been out for a while now and sells for $0.99. While it is nicely done and works well enough, we can't help but think it's not much use either, especially after April. But if you're the "I own a bunker" type, then we've got you covered. No trial. Grab it here in the Marketplace.

Keeping your location private

Location sharing is a key component of Windows Phone 7. From apps to photos, your location is used regularly when you use your Windows Phone. Curious about how location-based services are used, Microsoft commissioned a study on various aspects of these services in conjunction with Data Privacy Day 2011 (January 28, 2011).

The 1,500 person survey was conducted in December of 2010 and involved consumers in the U.S., Japan, Canada, and Germany. The survey found that only 51% of the participants had used location-based services but that 94% found them to be valuable. 84% of those surveyed were worried about the services sharing their location without permission.

More after the break.

A small note to our developer friends out there: Dotfuscator for Windows Phone has been released and, as promised (via the Windows Phone Developer Blog), is completely free through March 31, 2011.

Providing so-called "security through obscurity", code obfuscators can at least aid a smidge in protecting developers from prying eyes and hackers (though it's far from foolproof), in this case through string encryption. In addition, Dotfuscator for Windows Phone also provides developers with application analytics to better understand how their software is being used and how to improve it. For example, you can learn how many people have your software installed, how often the app is run, which features customers use the most and even performance data. Sounds good.

Source: Preemptive Solutions, Windows Phone Developer Blog

A while back, we first broke the news about Windows Phone 7 and the tough protection scheme Microsoft has implemented to prevent piracy: specifically, private keys (PVKs) which are tied to the hardware and must authenticate against a server. This hurdle would prevent non-approved devices from accessing all LIVE services and severely limit device functionality. Interestingly enough, just weeks later this was confirmed by team DFT, who were attempting to port WP7 to the aging (but versatile) HTC HD2.

Fast-forward to today and it is being claimed (but not yet demonstrated) that certain aspects of the PVK scheme have been breached. But, as before, they're still far from a viable implementation. Pocketnow has summarized this as follows:

Several different methods are being attempted to bypass the limitation, including the search for a so-called "corporate key," which would essentially be a universal PVK for large-scale activations. Unfortunately, because all devices are security-flashed at the factory, such a key may not even exist. Secondly, overseas developers -- beyond the reach of Microsoft legal, apparently -- are said to be hacking the different bits of the device-side authentication piecemeal, but because of the unusually intricate security measures employed by Redmond, "it doesn't really look good" according to our source.

What does this all mean? In reality, that nothing has changed. While porting portions of the WP7 OS to the HD2 is doable, porting everything is and will remain very difficult. So difficult, in fact, that it raises the question of whether this is worth all the effort. At least here in the U.S., with a new Samsung Focus selling for $99 without third-party sales, WP7 hardware seems cheap enough to negate the value of hacking a broken but new OS onto the HD2.

Source: PocketNow

Disclosure: Well before the publication of this article, WPCentral contacted Microsoft's Brandon Watson directly about the breach and we are cooperating with Microsoft in any way we can. Microsoft may be providing a statement to us addressing this issue, which we will of course post in its entirety if they choose to do so.

Yesterday we reported on a controversial "whitepaper" over at XDA (since pulled) which gleaned publicly available information to outline how the WP7 Marketplace could be cracked. To some, this was new. For others, it was very old. And for others still, it was information that was plain incorrect.

For developers, the weakness in Microsoft's DRM for Windows Phone 7 applications has been well known for quite some time, and there have been calls for Microsoft to address these concerns (see here in their forums).

Since then, a "white hat" developer has provided WPCentral with a proof-of-concept program that can successfully pull any application from the Marketplace, remove the security and deploy to an unlocked Windows Phone with literally a push of a button. Alternatively, you could just save the cracked XAP file to your hard drive. Neither the app nor the methodology is public, and it will NOT be released (please don't ask). It is important to note that this was all done within six hours by one developer.

After the break, you can see a video of the application (called "FreeMarketplace") in action, demonstrating how easy it can be to download any app from the Marketplace. While many will condemn us for "promoting piracy," we respectfully disagree. We have heard many complaints from developers about this weakness for months now and it is their right to know about the flaws in the system. We are confident Microsoft will work hard to implement a stronger DRM system, in part due to this proof-of-concept demonstration.

Tobias, technical adviser for this article, can be contacted via WPCentral

Walking the fine line between black and white hat security, XDA member V@l€n has gone and posted a detailed "security whitepaper" on the state of app piracy in the Windows Phone Marketplace.

We almost hate to write on the topic since it will attract claims of supporting piracy,  but the fact is developers and Microsoft need to know just how vulnerable the platform is so that it can be improved on before it's a problem. And that's just it, right now there is no issue with app piracy for Windows Phone, but it is inching closer and once those few remaining hurdles are cleared, there will literally be a flood of pirated apps on the market.

But before we jump into all of that, let's detail exactly what is going on here. For better or worse, V@l€n has done a great job of outlining all the steps needed to mount a ridiculous piracy campaign, showing every hurdle that needs to be cleared.

Follow us after the jump as we walk through this story...

A few days ago we broke the news about the Genuine Software checker for Windows Phone 7. To recap, the system would check the OS against the hardware using PVK (private keys)--if no match occurred, then the OS would be crippled (no cloud services).

Now DFT, the team behind the attempted Windows Phone 7-to-HD2 port, have come forward and said that indeed, this is the case. The result, as predicted, is that the OS is "mostly a demo" without the Live services but that "...it will be released soon, but don't expect anything from it - without Live services it's not really usable".

Looks like Microsoft has won this battle, for now. But it is still early in the game and perhaps someone will figure a way around the security.

Bottom line: if you were expecting a usable port to happen anytime soon for your HD2, you can stop hoping now.

Source: Twitter; via Pocketnow

When people talk about smart-phone platforms, the two that stand out to people (for better or worse) are iPhone and Android. There are a lot of reasons for this; usability, ecosystem (apps, services), and just sheer popularity are all factors. It makes you wonder why a brand-spanking-new platform like Windows Phone 7 would get a popular app like NetFlix before one of the two 300 lb gorillas in the room (Android); and if you really think about it, the Windows Phone 7 app was demoed at the Mix conference (March 15-17) before it was available for the iPhone (August 26). So what is it about Windows Phone 7 that makes a company like NetFlix choose a fledgling OS as their starting point for mobile over the more established platforms?

It turns out that the answer comes down to security (ironic, considering this is Microsoft). According to Wired (via @joebelfiore), Android doesn’t offer a secure enough DRM system to make Hollywood happy. With all of the concerns about piracy and digital rights, Microsoft has been able to get a leg up on the competition by building Windows Phone as a secure platform.

Now before I start getting hate mail from the Android faithful, I recognize that NetFlix is coming to Android; but the current plans are for limited device support (can you say fragmentation?); not a full-fledged roll out.

So what does this mean to Joe Consumer? Microsoft is making every effort to make app developers happy and successful with Windows Phone 7 as a platform. This will serve to help the Windows Phone ecosystem (apps and services) grow and mature; which is great news for you and me.

Review: SureCop

SureCop was recently released by 42Gears Mobility and is a security application for your Windows Phone that allows you to activate security features remotely via SMS messaging.

SureCop will allow you to locate your Windows Phone, lock it, wipe your data clean, trigger a remote callback, sound a remote alarm, and receive a notification if the SIM card is changed.

We took SureCop out for a test drive recently; follow the break to see how it measured up.
