Microsoft wants Windows Phone to be “the most secure phone the market has ever seen.”
In a recent job posting Microsoft has made its intention to secure Windows Phone very clear.
The company is looking for a Software Development Engineer in Test to engage in “cutting edge fuzzing technology, pentesting, and other security tools to help us ship the most secure phone the market has ever seen.”
Windows Phone 7’s sandbox has so far not received any significant testing, and truth be told hackers have managed to work around most of the lock-down features Microsoft has implemented so far (e.g. by jailbreaking and sideloading apps); the platform likely benefits largely from receiving less attention, so this move is certainly welcome.
We hope, however, that it also includes a focus on enterprise security and features like full device encryption, which are there more to reassure corporations than to keep hackers out, but which are essential for enterprise adoption of Windows Phone 7.
See the full job posting after the break.
Is Microsoft failing to police Marketplace?

A rash of NES Emulator games recently managed to make it into Marketplace, with the games, which remain subject to copyright, being sold for considerable amounts of money, even when they did not have proper controls or even working sound.
Emulators have of course always been banned in Marketplace, but the “developer” Jesse Dudley never advertised them as such.
Microsoft is currently in the process of removing these apps from Marketplace, but it does raise questions regarding the scrutiny apps receive before going live in Marketplace. While, due to sandboxing, the damage rogue apps can do is limited on Windows Phone 7, apps could still very easily steal private information from users, including their address book, location and user ID.
The security of users remains crucially dependent on how much effort Microsoft puts into policing Marketplace, and the rash of spam apps seen recently suggests Microsoft could do a lot better.
Windows Phone 7 security attacks to be discussed at Deepsec
While we know Android is riddled like Swiss cheese with security exploits, Windows Phone 7, except for the jailbreaking scene, has been left more or less alone.
At Deepsec in Vienna security researchers will be discussing methods to attack OS security in Windows Phone 7 by exploiting the special privileges OEM applications have.
They write:
The talk will aim to provide an introduction into the Windows Phone 7 (WP7) security model to allow security professionals and application developers to understand the unique platform security features offered. Currently very little public information is available about Windows Phone 7 OS security, preventing adequate determination of the risk exposed by WP7 devices.
The ever increasing challenges and stages of exploitation an attacker has to overcome to achieve full compromise will be discussed. The talk will outline the implementation of these security features and will demonstrate weaknesses and vulnerabilities an attacker could use to bypass the multiple levels of platform security.
A number of OEM manufacturer weaknesses, “features?” will be discussed and a demonstration of how these “features” can be abused in conjunction with conventional exploits to achieve full compromise of the phone will be performed. The talk will demonstrate how OEM phone manufacturers can weaken the security posture of an otherwise strong granular security model and also demonstrate how targeted attacks can be made which leverage this OEM “functionality” to compromise sensitive information.
We already know the jailbreaking community is using the same route, via Microsoft.Phone.InteropServices, a hole which Microsoft is already trying to close. However, as long as Microsoft gives OEMs special privileges, the platform’s security will only be as good as those OEMs’ implementations.
Read more about Deepsec here.
Via TamsPPC
Windows Phone does transmit location data without authorization
Microsoft is currently being sued for tracking users using Windows Phone 7 handsets without authorization. The claim was supported using packet traces by an independent security researcher.
Microsoft denied the allegations, but now Rafael Rivera from Within Windows has been able to replicate the findings, showing Windows Phone 7 does ping Microsoft’s servers to establish the location of a handset using surrounding Wi-Fi access points before permission has been granted by the user.
While this is of course pretty convenient, it is against Microsoft’s own guidelines to developers, which say “Microsoft does not collect information to determine the approximate location of a device unless a user has expressly allowed an application to collect location information.”
The case, being brought in U.S. District Court, Western District of Washington by Rebecca Cousineau, is of course seeking class action status, but I wonder if enough Windows Phone 7 users would be perturbed enough to join her in the suit.
In the meantime I suspect Microsoft already has an emergency patch in the works to fix the breach.
Read more at Within Windows here.
Via Winrumors.com
Chrome to WP7 has less than ideal security
Chrome to WP7 is a handy app which lets one send links from the desktop to one’s Windows Phone 7 handset using an intermediate server.
The app is by Dave Amenta and the service is provided free of charge.
Martani Fakhrou however has a complaint about the security model of the app, which relies on an obfuscated device ID.
He writes:
While Google Chrome to Phone uses OAuth to authenticate users along with their Google accounts, Send to WP7 generates a 6-character hex number which is calculated from a random GUID generated when the app is started for the first time. This code is then used by the extension to send data back to the daveamenta.com server, waiting to be served when the WP7 client fetches the updates.
Since there is absolutely no validation process on the server, and the design of the app makes it impossible to verify who is sending to whom, depending only on the randomly generated code, abusing this app is just like taking a walk on the shore.
In short an attacker would just send messages to random IDs on Dave’s server, record the ones that belong to real people and could then spam them all day long.
Of course in reality no real attacker would waste their time searching the over 16777216 different available codes to spam a small subset of the already small Windows Phone 7 population who have the app installed, but Martani notes that Google’s Chrome to Phone uses OAuth to authenticate users along with their Google accounts, and suggests Dave might want to tighten up on his security.
Read more at Martani.net here.
Update: Dave Amenta, the developer of Send to WP7 (previously Chrome to WP7) has given us a statement denying there is any real security issue. He notes:
The attack posed here would not have been successful after scanning approximately 250 pair codes, which wouldn’t have exposed a single user. Furthermore, upon finding out about the suggested attack, I tightened security further to ensure that there is absolutely no information leak, even if someone were to distribute this attack across many computers. Using pair codes is a feature, to avoid harvesting “account information” like so many apps prefer to do. I’m confident that this security model is sufficient for this class of application today.
If you are reassured, as we are, Send to WP7 is a great utility which can be found at Dave’s site here.
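To make the two points above concrete, here is an added illustration (written for this post, not Dave Amenta’s code or a description of his server) of why a 6-hex-character pair code is a small search space, and of a hypothetical pairing design that addresses the weaknesses Martani describes: a long random code instead of a 24-bit one, a per-pairing sender key the desktop side must prove with an HMAC, identical responses for “unknown code” and “bad tag” so the server never confirms which codes are live, and per-source throttling of failed pushes. The class, its method names and the sample message are all assumptions made for the example.

```python
"""Added illustration: weak 24-bit pair code vs. a hardened pairing relay.
Not the Send to WP7 server; every name here is hypothetical."""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

WEAK_CODE_BITS = 24  # 6 hex characters = 16777216 possible codes, as noted on the page


def expected_blind_guesses(code_bits: int, live_codes: int) -> float:
    """Expected number of uniformly random guesses before one lands on a code that
    belongs to a real user (geometric estimate, guessing with replacement).
    With 24 bits and e.g. 1000 live codes that is ~16.8k guesses, which is cheap
    if the server answers every guess and reveals which codes exist."""
    return (2 ** code_bits) / live_codes


class PairingServer:
    """Hypothetical relay. The phone registers and receives a pair code plus a
    sender key (shared with the desktop extension out of band, e.g. typed in
    once). The desktop must attach an HMAC over every message, so knowing or
    guessing a code alone lets nobody push into a queue."""

    def __init__(self, code_bytes=16, max_failures=20, window_s=600, clock=time.monotonic):
        self.code_bytes = code_bytes          # 16 bytes = 128-bit code, not 24-bit
        self.max_failures = max_failures      # rejected pushes allowed per source per window
        self.window_s = window_s
        self.clock = clock                    # injectable for deterministic tests
        self.pairs = {}                       # code -> {"key": bytes, "queue": [messages]}
        self.failures = defaultdict(deque)    # source -> timestamps of rejected pushes

    def register(self):
        """Phone side: code and key are independent random values, not derived
        from a GUID or anything else a third party could reconstruct."""
        code = secrets.token_hex(self.code_bytes)
        key = secrets.token_bytes(32)
        self.pairs[code] = {"key": key, "queue": []}
        return code, key

    @staticmethod
    def tag(key: bytes, message: bytes) -> str:
        return hmac.new(key, message, hashlib.sha256).hexdigest()

    def _throttled(self, source: str) -> bool:
        now = self.clock()
        recent = self.failures[source]
        while recent and now - recent[0] > self.window_s:
            recent.popleft()
        return len(recent) >= self.max_failures

    def push(self, source: str, code: str, message: bytes, tag: str) -> str:
        """Desktop side sends (code, message, tag). Returns 'throttled',
        'rejected' or 'accepted'. Unknown code and bad tag yield the same
        answer, so probing the code space reveals nothing about live codes."""
        if self._throttled(source):
            return "throttled"
        entry = self.pairs.get(code)
        # Compute a MAC even for unknown codes so the work done does not
        # differ between known and unknown codes.
        key = entry["key"] if entry else b"\x00" * 32
        ok = hmac.compare_digest(self.tag(key, message), tag) and entry is not None
        if not ok:
            self.failures[source].append(self.clock())
            return "rejected"
        entry["queue"].append(message)
        return "accepted"

    def fetch(self, code: str):
        """Phone side: drain its own queue."""
        entry = self.pairs.get(code)
        if entry is None:
            return []
        messages, entry["queue"] = entry["queue"], []
        return messages


if __name__ == "__main__":
    server = PairingServer()
    code, key = server.register()
    link = b"https://example.invalid/article"   # constructed sample message
    print(server.push("desktop-1", code, link, PairingServer.tag(key, link)))  # accepted
    print(server.push("stranger", code, link, "00" * 32))                      # rejected
    print(server.fetch(code))
```

The throttle only slows a single source, which is why the statement above mentions distributing an attack across many computers; the sender key and the uniform rejection are what remove the information leak regardless of how many sources are used, and the 128-bit code makes the blind-guess estimate astronomically large.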
Android root exploit remains unpatched for months
The Register reports that two serious security vulnerabilities in Android have remained unpatched for more than a month; they allow apps to be installed without permission, and also let apps escape from the Android sandbox and do pretty much whatever they want.
“The Android Market ecosystem continues to be a ripe area for bugs,” said security researcher Jon Oberheide in an email. “There are some complex interactions between the device and Google’s Market servers which have only been made more complex and dangerous by the Android Web Market.”
The Register notes that Google has been slow in updating Android, and also that even when Google does release updates handsets are slow to receive them, leaving many users vulnerable to old exploits.
On Android exploits are more than theoretical, and are in fact found in the wild often, stealing not just private data but also costing users large amounts of money in premium phone calls.
The Windows Phone 7 Marketplace aims to provide better security and a more coherent update story, keeping Windows Phone 7 users safer than on Android.
Read more at The Register here.
95% of WP7 apps can access the internet, 1/3 can make calls and 1/6 can track you

Justin Angel, who has been analysing the Windows Phone 7 Marketplace after downloading all 108 GB of it, has published some results about the security privileges the apps request for themselves.
It seems more than 95% of apps request access to the internet, a number which seems larger than necessary given the vast number of simple ebooks in Marketplace.
Another interesting finding is that 1/3 of apps can make phone calls, again a number which seems unusually high given this is a relatively rare feature provided by apps.
The stats also revealed that 15% of apps have access to your location and 30% want to get your user ID.
Have any of our readers refused to install apps because they ask for too many privileges? Let us know below.
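The numbers above come from the capabilities each app declares in its manifest. As an added example (not Justin Angel’s tooling), the script below parses a handful of constructed WMAppManifest.xml fragments in the Windows Phone 7 format (the `ID_CAP_*` capability names are the platform’s own; the apps, product IDs and the “watch list” of sensitive capabilities are assumptions made for the illustration), computes the fraction of apps requesting each capability, and flags the apps whose requests a careful user would question before installing.

```python
"""Added example: capability statistics over constructed WP7 app manifests."""
import xml.etree.ElementTree as ET
from collections import Counter

DEPLOYMENT_NS = "http://schemas.microsoft.com/windowsphone/2009/deployment"


def manifest(title: str, product_no: int, caps) -> str:
    """Build a constructed WMAppManifest.xml fragment with the given capabilities."""
    cap_xml = "\n".join(f'      <Capability Name="{c}"/>' for c in caps)
    return f"""<?xml version="1.0" encoding="utf-8"?>
<Deployment xmlns="{DEPLOYMENT_NS}" AppPlatformVersion="7.0">
  <App xmlns="" ProductID="{{00000000-0000-0000-0000-{product_no:012d}}}" Title="{title}" Version="1.0.0.0">
    <Capabilities>
{cap_xml}
    </Capabilities>
  </App>
</Deployment>"""


# Constructed sample corpus, not real Marketplace apps.
SAMPLE_MANIFESTS = {
    "Ebook A": manifest("Ebook A", 1, ["ID_CAP_NETWORKING"]),
    "Ebook B": manifest("Ebook B", 2, ["ID_CAP_NETWORKING", "ID_CAP_IDENTITY_USER"]),
    "Puzzle Game": manifest("Puzzle Game", 3,
                            ["ID_CAP_NETWORKING", "ID_CAP_GAMERSERVICES", "ID_CAP_IDENTITY_USER"]),
    "Weather": manifest("Weather", 4, ["ID_CAP_NETWORKING", "ID_CAP_LOCATION"]),
    "Quick Dial": manifest("Quick Dial", 5, ["ID_CAP_NETWORKING", "ID_CAP_PHONEDIALER"]),
    "Notes": manifest("Notes", 6, []),
}

# Capabilities a user should think twice about, for the purposes of this example.
WATCH_LIST = {"ID_CAP_PHONEDIALER", "ID_CAP_LOCATION", "ID_CAP_IDENTITY_USER"}


def capabilities(manifest_xml: str) -> set:
    """Return the set of capability names an app declares. The <App> element
    resets the namespace (xmlns=""), so Capability elements are unqualified."""
    root = ET.fromstring(manifest_xml)
    return {cap.get("Name") for cap in root.iter("Capability")}


def capability_stats(manifests: dict) -> dict:
    """Fraction of apps (0.0-1.0) requesting each capability, sorted by name."""
    counts = Counter()
    for xml_text in manifests.values():
        counts.update(capabilities(xml_text))
    total = len(manifests)
    return {cap: counts[cap] / total for cap in sorted(counts)}


def flag_sensitive(manifests: dict, watch_list=WATCH_LIST) -> dict:
    """Map each app to the watch-listed capabilities it requests (apps with none are omitted)."""
    flagged = {}
    for name, xml_text in manifests.items():
        hits = capabilities(xml_text) & watch_list
        if hits:
            flagged[name] = hits
    return flagged


if __name__ == "__main__":
    for cap, share in capability_stats(SAMPLE_MANIFESTS).items():
        print(f"{cap:24s} {share:6.1%}")
    for app, hits in flag_sensitive(SAMPLE_MANIFESTS).items():
        print(f"review before install: {app} -> {', '.join(sorted(hits))}")
```

Run over a real set of extracted XAP manifests instead of the constructed corpus, the same two functions reproduce the kind of breakdown quoted above and give an install-time checklist of which apps ask for dialing, location or user-identity access.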
AVG Security Suite will scam your Windows Phone for malware in pictures and music
AVG has released a free application which will supposedly protect Windows Phone 7 users from malicious malware. This of course presents two problems – 1) Windows Phone is not Android and 2) Windows Phone is not Android.
Regarding the first issue, there are no viruses or other malware for Windows Phone 7 (unlike the festering hellhole which is Android), and secondly, 3rd party applications like AVG Security Suite do not have the deep access needed to scan other applications on Windows Phone 7 in any case, meaning even if there were viruses the app could not find them.
In fact the app goes about scanning music and pictures, not really well-known vectors for malware on Windows Phone 7.
Which brings us to the title, which is not a typo – sounds a bit like a scam, doesn’t it?
At least it’s free, and if having a useless application on your phone rocks your boat it can be downloaded from Marketplace here.
Thanks Chirag for the tip.
McAfee confirms Android the number one target for Malware

Android is very often top of the popularity charts these days, so it should come as no surprise that the OS now also takes the top spot for mobile malware.
Android now has 3 times as much malware as the second-placed platform, Java ME, with the number increasing by 76% this quarter.
“The rapid rise in Android malware in Q2 indicates that the platform could become an increasing target for cybercriminals,” said Vincent Weafer, senior vice president of McAfee Labs.
“As we watch steady, significant growth in the mobile-malware threat landscape, many of the same functions and features of PC-based threats are already part of the codebase,” McAfee said.
“Mobile threats already take advantage of exploits, employ botnet functionality, and even use rootkit features for stealth and permanence,” it said.
“The platform could become an increasing target for cybercriminals, affecting everything from calendar apps and comedy apps to SMS messages and fake Angry Birds updates.”
Particularly malicious are premium SMS senders such as Android/Jmsonez.A, which poses as a calendar app and sends premium SMS messages whenever the user tries to change the date, and monitors and deletes confirmation messages so users do not detect the activity.
The most common vector is still modified apps in the Android Market. Google has so far only taken a reactive approach to the problem, removing apps after users complain, but not implementing policies and procedures to prevent infected apps from being uploaded to the Android Market in the first place.
This policy is the opposite of that of curated app stores like the iPhone App Store or the Windows Phone 7 Marketplace, where applications are rigorously tested before being made available to users.
Read the full report here.
Via AreaMobile.de.
Nokia’s developer website defaced

Indian hacker “pr0tect0r AKA mrNRG” has defaced Nokia’s developer website by replacing it with a picture of Homer Simpson.
“pr0tect0r AKA mrNRG” was however not a disgruntled Symbian developer, but rather had Nokia’s security interests at heart, posting:
“LOL, Worlds number 1 mobile company but not spending a dime for a server security! FFS patch your security holes otherwise you will be just another antisec victim. No Dumping, No Leaking!!”
Nokia claimed the website was being hosted externally, and did not reflect on the security of their internally hosted Ovi store and other services. The hack was quickly cleaned up.
Let’s hope Nokia beefs up their protection before they start running their services on the majority of Windows Phone 7 handsets too.
Via IntoMobile.com
Hundreds of thousands of Android users affected by malware, 30% to be exposed this year

It seems Android malware writers are getting ever more creative, and the threat to users of Google’s free OS is ever increasing.
According to research by Lookout Security, half a million to one million people were affected by Android malware in the first half of 2011, with the number of Android apps infected with malware going from 80 apps in January to over 400 apps cumulative in June 2011.
Attackers are deploying a variety of increasingly sophisticated techniques to take control of the phone, personal data, and money. Additionally, malware writers are using new distribution techniques, such as malvertising and upgrade attacks.
The company described ways even regular and careful users could be affected, for example by drive by web exploits and in-app advertising of malware in legitimate apps, as was recently the case with an app which claimed to be a battery saving utility which then sent premium text messages at $40 per message.
According to Lookout, Android users are two and a half times as likely to encounter malware today as six months ago, and three out of ten Android owners are likely to encounter a web-based threat on their device each year.
Lookout offers a number of techniques which could help Android users to stay safer, including installing virus scanners for Android. They however neglect the most effective: switching to a platform which takes security seriously, like Windows Phone 7, rather than a model which would simply repeat the mistakes of the PC world.
Read more at Lookout here.
Close to 10% of Android Apps festering pits of spyware, worms and premium SMS senders, getting worse
We all know Android Market is increasingly afflicted by malware, but I do not think any of us had thought it was as bad as this.
According to the security firm Dasient, of the 10,000 Android apps they studied, 800 or 8% turned out to be malware, engaging in activities such as stealing data (e.g. email account passwords), sending premium SMS messages, trying to spread to users in one’s contact list by sending SMS messages with links to your friends, and even stealing IMEI and IMSI numbers, allowing for the mass cloning of a user’s phone.
Dasient CTO Neil Daswani also stated that the amount of infected applications has doubled over the last two years, and the issue does not just involve trojan apps – even browser-based “drive by downloads” have come to the platform.
This occurred earlier this year when a malicious website advertised cheats for the extremely popular mobile game Angry Birds. Another attempt happened last month with malware masking as Angry Birds add-ons.
Google has so far done little to stem the tide, and with the rise of increasingly popular 3rd party marketplaces there may in fact be very little they can do – with the platform never taking security seriously this may simply be a cost Android users will have to bear.
Windows Phone 7 users are protected by a curated app store with strict sandboxing of apps. I suspect we will not be needing to download antivirus software for our phones anytime soon.
Read more at Darkreadings.com
Thanks Guy for the tip.
Microsoft evangelist: Windows Phone is the “most secure” smartphone platform on the market.
Speaking to Siliconrepublic.com, Dave Northey, technology evangelist at Microsoft Ireland said Windows Phone 7 was the most secure smartphone platform on the market.
Touting the advantages of isolated storage, he said: “We keep applications away from the bones of the OS. When an application fires up, the OS will give it a dynamically allocated security bubble, for lack of a better word, and every app has its own one of those,”
“So every application is completely secure, has its own isolated storage, can encrypt that storage if it likes to and as such, there’s no other smartphone on the market that’s as secure,” said Northey.
His statement comes as another wave of trojan apps washes over Android.
“No one application can talk to another and no one application can steal data from another application.”
Saying Windows Phone 7 was initially aimed at the consumer, he noted Mango would change this.
“Initially, when Windows Phone was launched, it was positioned as a consumer device but it has an awful lot of enterprise features and Mango will introduce a few more. Soon we’re going to announce the enterprise features of the phone in the Mango time frame,” he said.
Unfortunately, however, Mango still does not deliver full storage encryption, which means the phones will still be barred by default from many enterprise settings. Hopefully we will not have to wait 18 months for this to be delivered.
Read the full article at Silicon Republic here.