Vulnerabilities Found in Android Web Browsers Dolphin & Mercury; GuidePoint Security Making Ongoing Investment in Mobile Security Research & Commitment to Testing for Customers

Vulnerabilities have been identified in two Android mobile browsers, Dolphin and Mercury. Benjamin Watson, Mobile & Application Security Practice Lead at GuidePoint Security, discovered these vulnerabilities. “I have been researching common vulnerability patterns in Android Web Browsers since the beginning of 2015. Since the beginning of my research efforts, I have found that quite a few of the most popular browsers available on Google Play are subject to these vulnerability patterns,” Watson explained. GuidePoint Security will continue to research vulnerability patterns in Android and iOS applications and to provide mobile security testing to customers, helping them prevent the consequences of a potential vulnerability.


The flaws found in each application are different. Mobotap’s Dolphin Browser is customizable, allowing users to choose unique search bars or themes; it has been found that downloading and installing a theme can result in exploitation and potentially full-blown code execution. The Mercury browser was found to be susceptible to arbitrary reading and writing of files in the browser’s data directory. While the teams behind both Dolphin and Mercury have been made aware of the vulnerabilities, and Dolphin has released an update, the mobile security community still needs to respond to the implications of finding such vulnerabilities in commonly used browsers.

Mobile applications available today are often designed to solve some sort of user problem, but most have not been properly assessed for security issues, usually due to the aggressive quick-to-market philosophy used in the world of mobile application development. GuidePoint Security is investing continuous effort in researching mobile security and how potential vulnerabilities impact consumers at large. “We’re continuing to investigate Android web browsers and other largely consumed applications for vulnerabilities,” Watson said.

It’s imperative for organizations working on the development of mobile applications to understand the importance of testing. As made clear by Watson’s findings, common Android browsers and other applications used universally routinely have serious security vulnerabilities due to the lack of security input during their development lifecycle. GuidePoint is not only researching the implications of common vulnerability patterns in largely consumed Android and iOS mobile applications, but also offers services that help identify these problems before those applications are pushed to market.

Benjamin Watson, Mobile & Application Security Practice Lead – Ben Watson has over 7 years dedicated to application and mobile security. Prior to joining GuidePoint Security, Ben solved application security problems for cutting-edge companies in the financial services, ecommerce and medical industries. Ben has been frequently sought after for building application security programs from the ground up, due to his experience not only in developing testing methodologies, tools and techniques, but also in understanding what is required to build secure products. Ben has managed and led large mobile application security managed services and is an experienced mobile security researcher. He currently focuses his efforts on discovering new exploitable vulnerability patterns in Android and iOS. He also has multiple published zero-day vulnerabilities affecting various Android web browsers, and is the creator and curator of an Android assessment toolkit called Lobotomy.

About GuidePoint Security
GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.


Lobotomy | The Android Assessment Toolkit

Over years of assessing and reverse engineering Android applications, I consistently found a number of manual tasks overwhelmingly tedious and, at times, in desperate need of automation. I repeatedly ran into efficiency problems while working through my methodology for assessing Android applications, having to bounce from tool to tool to accomplish a specific goal. An idea that had been festering in the back of my mind for a while finally found its way into code, and Lobotomy was created.

Lobotomy, a new Android security toolkit, was developed to serve multiple purposes. The first objective was to build a framework to which new features or functionality could easily be added to solve specific tasks when hacking up and reverse engineering Android applications. It was built on the notion of “load once and work forever”: you load your target Android application and work on its innards through different modules without having to switch to other tools to perform operations on the same application. Another purpose of the framework was to serve as a wrapper for other well-known tools and their feature sets.

Some of the tools Lobotomy provides wrappers for include:

• apktool
• bowser
• Dex2Jar
• Androguard
• Frida
• Adb

Perhaps the most important aspect of Lobotomy is its ability to quickly find the important functionality and vulnerabilities within any target application. Many of its features are designed to direct the analyst to the material that really matters, whether that is an exported Broadcast Receiver or the instrumentation of the Activity lifecycle, and in doing so Lobotomy also minimizes the time spent looking at components that do not matter.

Features

Here are some of Lobotomy’s current features:

• APK loader
• APK Decompilation with apktool
• Conversion magic with Dex2Jar
• Attack surface enumeration
• Component enumeration
• Permission enumeration
• Permission to API mappings (BETA)
• Convert any APK into a debuggable APK
• APK Profiler
• Bowser | parseUri, loadUrl, addJavascriptInterface search and destroy
• Web services and frontend UI
• Logcat wrapper
• Frida implementation (BETA)
• SurgicalAPI | Find API usage for common vulnerabilities in targeted methods
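The attack surface and component enumeration features above boil down to deciding which manifest components other apps can reach. The following is an added example, not Lobotomy’s own code: it applies Android’s exported-component rules to a constructed AndroidManifest.xml (package and component names are made up) using only the standard library, and separates exported components that carry a permission guard from those that do not.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest; the package and component names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.browser">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="19"/>
  <application android:label="Example">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ThemeImportActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:mimeType="application/zip"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
    <receiver android:name=".DownloadReceiver" android:exported="true"
              android:permission="com.example.browser.DOWNLOAD"/>
    <receiver android:name=".InternalReceiver" android:exported="false">
      <intent-filter>
        <action android:name="com.example.browser.REFRESH"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService"/>
    <provider android:name=".FileProvider"
              android:authorities="com.example.browser.files"/>
  </application>
</manifest>
"""

def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def is_exported(elem, min_sdk):
    """Apply Android's rules for whether a component is reachable by other apps."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        # Content providers were exported by default before API level 17.
        return min_sdk < 17
    # Activities, services and receivers are implicitly exported as soon as
    # they declare at least one <intent-filter>.
    return elem.find("intent-filter") is not None

def enumerate_attack_surface(manifest_xml):
    """Return the components other apps can reach, with their actions and guards."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    min_sdk = int(_attr(uses_sdk, "minSdkVersion") or 1) if uses_sdk is not None else 1
    app = root.find("application")
    findings = []
    for elem in (app if app is not None else []):
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem, min_sdk):
            continue
        findings.append({
            "type": elem.tag,
            "name": _attr(elem, "name"),
            # A permission on the component means callers must hold it.
            "permission": _attr(elem, "permission"),
            "actions": [_attr(a, "name") for a in elem.iter("action")],
            "explicit": _attr(elem, "exported") is not None,
        })
    return findings

def unprotected(findings):
    """Exported components with no permission guard: the first things to review."""
    return [f for f in findings if f["permission"] is None]

if __name__ == "__main__":
    for f in enumerate_attack_surface(SAMPLE_MANIFEST):
        guard = f["permission"] or "NO PERMISSION"
        print("%-8s %-22s %-28s %s" % (f["type"], f["name"], guard, ", ".join(f["actions"])))
```

Running it against a real app means feeding the decoded manifest that apktool produces; the minSdkVersion check matters because the same provider declaration is reachable by every app on an old device and by none on a newer one.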

Lobotomy is evolving as it continues to be developed by GuidePoint Security. We would love your help and input with the new features.

You can check out Lobotomy here:

https://github.com/guidepointsecurity/lobotomy

We will also be adding a Wiki to document all of the features and how to use them, as well as a list of new and upcoming features in the works for the tool.

About GuidePoint Security
GuidePoint Security, LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

Join GuidePoint Security and Partners at Charlotte SecureWorld 2015


If you’re an Information Security professional looking for globally relevant education, training and networking, you don’t want to miss the Charlotte SecureWorld 2015 Conference.

GuidePoint Security will be attending the conference, along with two of our premier technology partners, Absolute Software and Varonis.

When: Wednesday, February 11, 2015
Where: Charlotte SecureWorld Conference, Booth #300, at Harris Conference Center, Charlotte, NC

GuidePoint Security is proud to partner with Absolute Software and Varonis. Both companies bring their own innovative solutions to the table, making it possible for us to match the right tools and resources to the unique information security demands of our clients.

Absolute Software was founded in 1993 on the idea that individuals and businesses should be able to track, manage and secure their mobile computers regardless of the physical location of the device. Today, their security-as-a-service solutions protect millions of computers worldwide with subscribers who range from individuals to the largest public and private sector organizations.

Varonis provides an innovative software platform that allows enterprises to map, analyze, manage and migrate their unstructured data. They specialize in human-generated data, a type of unstructured data, such as documents and audio/video files, which often contains an enterprise’s financial information, intellectual property and other forms of vital information.

To learn more and to network with GuidePoint Security and our partners, please stop by booth #300 at the Charlotte SecureWorld 2015 Conference.

For additional information about the Charlotte SecureWorld 2015 Conference, visit http://www.secureworldexpo.com/charlotte/home.

About GuidePoint Security, LLC

GuidePoint Security provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps our clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Reston, Virginia, and with offices in Michigan, New Hampshire, Florida and North Carolina, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at www.guidepointsecurity.com.

Mobile Security and Privacy in an iOS 8 World

iOS 8 was released on September 17 of this year for the iPad 2, iPhone 4S, and newer devices, and comes pre-installed on the new iPhone 6 and 6+, which were released on September 19, 2014. Since blogs and articles detailing the new features and changes in iOS 8 abound, we won’t repeat those details here. Instead, we will cover only the security and privacy improvements. If you’re interested in all the juicy details surrounding iOS 8, have a look at the iPhone or iPad user guides published by Apple, which are available for free in the iBooks store.

Now, on the topic of mobile security, according to 451 Research, mobile device security is the top source of pain for the enterprise security managers who were interviewed for their latest study. The pain points cover several general areas including consumerization, employee expectations, and device management. Mobile device security was a top concern of 16% of respondents, up 13% from last year.


So, will the security changes in iOS 8 help enterprise security managers sleep at night? Time will tell, but let’s have a look at the goods.

For starters, Apple can no longer unlock a user’s device even if requested by government or law enforcement order – that ability was removed in iOS 8. This is very important for privacy and security, especially with the rollout of the Apple Pay feature available with iPhone 6/6+. Apple also patched the so-called “diagnostic backdoors” that were supposedly used by the NSA to steal users’ data. If that isn’t enough, several other features have been created or modified to quickly enable “un-trusting” of all computers that a device has been connected to and the ability to limit the amount of data that applications collect and share about you. You can even change Safari’s default search from Google to the privacy-conscious DuckDuckGo.

Furthermore, Apple’s updated privacy policy assures users that it does not use email and Web browsing habits to build a user profile for monetization. As if this weren’t enough to show that Apple is serious about security and privacy, most of the security measures are enabled by default. One exception is two-step verification for iCloud accounts, which users must enable manually and which helps prevent potentially sensitive data, such as selfies, from being stolen.

Well, what do you think? Will these changes make a difference for the troubled security managers around the country? They certainly won’t hurt, but anyone involved in enterprise mobility management or mobile security research knows there’s still much to be done to reduce the risk of mobility and BYOD in the enterprise. Reach out to your GuidePoint Security account executive to learn more about what you can do to reduce the risk of adopting BYOD in your organization.

Finally, I’d be remiss if I didn’t mention the partnership that Apple & IBM announced over the summer. In my opinion, this is going to be a good thing for users and enterprises, but not so much for device and application management vendors, who may find stiff competition from companies with much deeper pockets. Will 2014 be the year that Apple and Google finally decide to take enterprise mobility seriously? We’ll all have to stay tuned as this evolves.

About GuidePoint Security

GuidePoint Security, LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Reston, Virginia, and with offices in Michigan, New Hampshire, Florida and North Carolina, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.


Securing People and Assets Via Mobile Security


GuidePoint Security is adding another partner to its portfolio of technologies. In an effort to provide its clients with best-of-breed solutions, GuidePoint Security has expanded its list of partners to include Bluebox Security™. Bluebox was chosen as a new partner for its unique ability to deliver enterprise visibility, security, and control of mobile data, while simultaneously enabling mobile productivity for employees, without compromising their privacy.

GuidePoint Security understands the importance of mobile security and the significant role it plays for the people and businesses it protects. By adding another mobile security vendor, GuidePoint Security has expanded its reach to provide the best service possible to its existing and future customers.

“Mobile Security has been redefined, and Bring Your Own Device is here to stay,” said Justin Morehouse, Founder and Principal at GuidePoint Security. “This partnership expands our offerings to confirm us as a leader in Information Security.”

“GuidePoint Security was founded by Information Security veterans who understand the importance of a data-first security strategy, and we are thrilled to have their endorsement both as a customer, and a partner,” said Caleb Sima, CEO, Bluebox Security. “The combination of GuidePoint Security’s deep domain expertise with Bluebox’s next-generation solution, will allow companies to rethink their mobile security approach to reduce risk in today’s rapidly changing mobile landscape.”

In order to further solidify the relationship between the two companies, GuidePoint Security and Bluebox are co-hosting a live webinar: 10 Questions CISOs Should Ask About Mobile Security. The webinar will be an interactive conversation about factors CISOs should be considering when implementing a mobile security solution.

The mobile landscape is changing rapidly, creating new challenges and opportunities for CISOs tasked with balancing business enablement and risk. This webinar is a great opportunity to get in-depth information about how the partnership works and how it can benefit your business.

Read additional news about this partnership: GuidePoint Security Secures Mobile Data With Bluebox Security.

About GuidePoint Security

GuidePoint Security, LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. GuidePoint Security is a small business. Classification can be found with the System for Award Management (SAM). For more information visit www.guidepointsecurity.com.

About Bluebox Security

Founded in 2012 by a team of security experts, Bluebox Security offers the first mobile data security solution to safeguard corporate data across the device, application, and network. The cloud-based solution provides complete visibility and security of corporate data, while providing employees the freedom, ease of use, and privacy that ensures widespread adoption. Bluebox Security has received a total of $27.5 million in funding from Andreessen Horowitz, Tenaya Capital, Sun Microsystems co-founder Andreas Bechtolsheim, SV Angel, and Google Board member Ram Shriram. The company is headquartered in San Francisco. For more information visit www.bluebox.com.


GuidePoint Security Presents on Offensive Mobile Forensics and Bitcoin Transactions at BSides Boston 2014

Conference attendees will get a new experience this year at the annual Security BSides Boston 2014 Conference. GuidePoint Security speakers will cover two new topics at BSides: Offensive Mobile Forensics and Bitcoin Transactions.

When: May 9-10, 2014
Where: Security BSides Boston 2014, Cambridge, MA

First up of our two speakers is David Bressler. He will discuss Bitcoin Explorer – Visualizing/Monitoring Bitcoin Transactions.

Bitcoin was originally made public as a proof-of-concept in 2009. Since then, Bitcoin and other cryptocurrencies have been gaining a vast amount of public attention with their valuation and volatility, ultimately making them a target for online criminals to steal. Bitcoin, in particular, is both controversial and interesting to a large number of people, due to recent attacks on its exchanges. The pseudonymous nature of Bitcoin has also piqued public interest because it makes tracking specific transactions and uncovering the Bitcoin address where the coins are stored difficult. This talk will go over the basics of cryptocurrencies, specifically Bitcoin, and demonstrate how anyone can visualize Bitcoin transactions by using the public Bitcoin blockchain (the general ledger).

Our next Speaker, Joey Peloquin, will discuss Offensive Mobile Forensics.

Offensive Mobile Forensics is a process in which an analyst employs the same techniques and tools that potential attackers or criminals use on lost or stolen devices, in order to determine the actual risk of that loss or theft to the enterprise. What data is accessible? This talk will educate attendees on some of the tools that can be used, where the most interesting data is stored on the device, and examples of data leakage from actual analysis. Finally, he’ll perform a couple of live technical demos.

Be sure to visit the Security BSides Boston Conference to hear these accomplished speakers. Also, stop by to see GuidePoint Security in the exhibit hall.

For additional information about the Security BSides Boston 2014 Conference, visit http://gpsec.me/1iGR4Ff.

About GuidePoint Security, LLC

GuidePoint Security provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. GuidePoint Security is a small business. Classification can be found with the System for Award Management (SAM). Learn more at www.guidepointsecurity.com.

GuidePoint Welcomes Joey Peloquin as Director of Professional Services

RESTON, Va., January 7, 2014 – GuidePoint Security LLC, a leading provider of innovative information security solutions, today announced that industry veteran Joey Peloquin has joined the company’s growing professional services team as Director of Professional Services. GuidePoint Security’s customized, innovative information security solutions enable commercial and federal organizations to more successfully secure IT resources. The company will leverage Peloquin’s experience to further mature its world-class Information Assurance and Technology Integration services, including application, cloud and mobile security offerings.

“Joey brings a wealth of real-world expertise in the dynamic fields of application, cloud, and mobile security,” said Bryan Orme, Principal at GuidePoint Security. “This expertise, coupled with his proven record of building elite technical teams, forwards our momentum of providing innovative security solutions for our clients’ most complicated information security challenges.”

As commercial and federal organizations further embrace today’s data-centric technologies, including mobile and cloud computing, the need to implement effective information security controls becomes paramount. Traditional thinking and controls no longer appropriately safeguard data and assets against emerging threats. GuidePoint Security provides customized innovative solutions to address the real-world information security threats that its customers face.

“I joined GuidePoint because they have managed to attract and retain a team of brilliant consultants of varying backgrounds, in addition to the founders and leadership that are veterans in the information security industry. In a nutshell, GuidePoint provides the support required to build a successful consulting practice, and the openness and attitude of sharing that will help make sure the journey together is a fun and successful one,” said Peloquin.

Peloquin’s 13-plus years of experience in the information technology industry span all areas of information security. Prior to joining the GuidePoint Security team, Joey served as Worldwide Security Architect for F5 Networks, focusing on mobile and application security, and authentication and access security. His previous experience also includes managing application and mobile security consulting teams at national security consulting firms, and establishing HP Software’s professional security services division after the acquisition of SPI Dynamics.

About GuidePoint Security

GuidePoint Security LLC provides customized, innovative and valuable information security solutions that enable commercial and federal organizations to more successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps our clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. For more information, visit www.guidepointsecurity.com.

GuidePoint Founder & Principal Contributes to Consumers Council of Canada’s Report on Cyber Threats on Mobile Devices

Justin Morehouse, GuidePoint’s Founder & Principal, served as a key resource for the development of the newly released report on Cyber Threats on Mobile Devices by the Consumers Council of Canada. Their press release is below.

Consumers can do more to reduce threats posed by mobile devices

Toronto – Manufacturers and retailers of smartphones and mobile Internet devices can and should do more to keep their customers safe, research by the Consumers Council of Canada has found.

“Most consumers don’t understand the risks they take and often fail to take simple, inexpensive actions to prevent the loss and exposure of their private information,” Council President Aubrey LeBlanc said. “Retailers, in particular, can help consumers protect themselves better.”

The Council advises consumers to do the following:

  • Lock the smartphone (or other mobile device) with a password.
  • Buy a sturdy case.
  • Back up regularly.
  • Don’t connect to unfamiliar public Wi-Fi sites.
  • “Think before you click” on a link or an e-mail that “doesn’t smell right.”
  • Scare yourself. Pretend you’ve lost your smartphone. What will nosy people find? What would your parents or your kids say if they found it?
  • Check carefully that the device you buy will let you avoid risks you cannot accept. (e.g., How sturdy does the device need to be? Can you afford all the costs if the device is lost, stolen or broken? Are the security features easily understood?)

Focus groups of consumers who participated in the research said wireless carriers and device retailers are in a key position to help them avoid the risks of using smartphones.

The report advises that device manufacturers need to make “on” and not “off” the default setup for security features. Also, wireless carriers, manufacturers and software platform providers should distribute software updates faster and for more years of device ownership to protect against new, malicious activity.

Regulators should ensure systems get put in place that make it easy to secure and disable stolen and lost devices, so they are less attractive to thieves.

Dennis Hogarth and Howard Deane, who specialize in data governance, knowledge management, information risk management and personal data privacy, authored the report for the Council. Research House, a division of Environics, conducted focus groups for the research.

The Council received funding from Industry Canada’s Contributions Program for Non-profit Consumer and Voluntary Organizations to conduct the research. The views expressed in the report are not necessarily those of Industry Canada or the Government of Canada.

The research report can be downloaded at:
http://www.consumerscouncil.com/cyberthreats

GuidePoint Security Presents on Mobile Security Abroad at AppSec DC

Heading to AppSec DC next week? Be sure to catch GuidePoint Security’s Co-Founder and Principal, Justin Morehouse, present “Behind Enemy Lines: Practical Triage Approaches to Mobile Security Abroad, 2012 Edition” on Thursday, April 5 at 11 a.m.

If you are unable to make it to the conference, we will post Justin’s slides after the presentation. If you would like more information about the presentation, leave a comment below.

Abstract: Having traveled over 100K miles internationally during the past 9 months, I had the topic of mobile security while abroad on my radar. I took some precautions myself and jotted down some ideas to discuss with my peers. Then one of my clients asked me to come up with a solution for their executives while traveling to locations that would benefit greatly from their intellectual property. This presentation covers the lessons learned while securing mobile devices for both the enterprise and the consumer while outside the 50 states. Areas of particular interest will be common threats and attacks and the REALISTIC steps you can take to reduce your attack surface and return your IP home safely. We’ll also cover what to do when your primary safeguards fail or end up in a toilet somewhere…