By Lee Neely
Mobile device administrators and end users need to be more cognizant of the risks of allowing unauthorized access to their smartphones and take steps to raise the bar on accessing those devices to mitigate those risks.
This is part one of two articles on securing mobile device access. In this article, I am going to focus on securing access to the physical device itself. In part two, I will discuss on-device security APIs and how one would know they are still in place.
The case for a strong passcode
When the first smartphones were introduced, they were corporate owned, managed, and secured to business standards. Device access was on par with accessing corporate laptop systems. The number, variety, and quantity of applications and personal or sensitive information stored on the device was far less than we see in modern iOS, Android, Windows Mobile, and other devices. While there were
Hey folks... check this out!
We're delighted to announce a Twitter-based contest here with a fantastic prize. And, participating in this one is really easy.
On November 16th through 23rd, SANS will be running our third annual Pen Test HackFest Summit and Training event in Washington DC. We throw everything we've got into this extra special event, including:
- Two days of amazing,in-depth talksby leading minds of the industry, who will give you insight into the offensive tools and tactics being used today to discover an organization's vulnerabilities to potential adversaries.
- Six days of training, with six different classes to choose from.
- Three nights of NetWars Tournament challenges for hands-on fun and
By Chris Crowley
"What is a DDD report?" you're wondering. That's my pet name for a Daily DNS Delta.
You see, human beings are creatures of habit. Some have excellent habits, some have gross habits, some actually wear habits, but whatever works for you, we all are creatures of habit. We can use this feature of humanity to identify behavior to investigate within our network.
Short story is that most people go to the exact same websites every day. Every single day of their lives, they go to the exact same sites...so a request to a new site is essentially an anomaly, worthy of investigation. If a user goes to a really weird website in some strange location, as a security person, I'd like to know so I can follow up. I really like daily reports that are actionable.
So, how do you know what sites users are going to? DNS query logs are a fantastic source of this information. I've created ascript will help you to generate DDDs for your network. The script
By Joshua Wright
In the last installment of this article
, we looked at the IsItDown
application, and how it is designed not to run in the Android Emulator, and to include a super-annoying banner ad. We showed how the Apktool
utility can be used to decompile an Android APK file, and how we can evaluate and modify the produced Smali code to manipulate the application's functionality.
In this final installment, we'll re-build the IsItDown application with our Smali file changes, then
By Joshua Wright
As a security professional, I'm called on to evaluate the security of Android applications on a regular basis. This evaluation process usually takes on one of two forms:
- Evaluate app security from an end-user perspective
- Evaluate app security from a publisher perspective
While there is a lot of overlap between the two processes, the difference effectively boils down to this: whose risk perspective does my customer care about the most?
When an app publisher wants me to evaluate the security of their Android app, I need to determine if the app employs sufficient controls to protect the required app functionality and publisher brand. Often, this