Risk
4/28/2011
12:09 PM
Connect Directly
RSS
E-Mail
50%
50%

Schwartz On Security: Smile, Your Smartphone Is Watching

In the wake of revelations that Apple devices have been insecurely storing and transmitting location data, it's time for enterprise IT managers to begin spying as well.

The recent brouhaha involving Apple iOS devices tracking users' approximate location--and Android smartphones do it too--appears, thankfully, to be overblown.

Apple earns good grades for stating the purpose of the data collection in a forthright manner, but it loses marks on account of how it handled the data in the first place, because of the resulting security and privacy exposure. Apple blames a programming error for, among other things, storing up to a year's worth of location data on any given phone. From the outside, of course, this data storage didn't look innocent: iPhones were "phoning home" location data to the Apple mother ship on a regular basis, as well as storing the data on computers that synchronized with iOS devices, where it could be recovered using forensic data techniques. Interestingly, security researchers--and the cops--have already known about and have been exploiting this capability, said security researcher Alex Levinson in a blog post. Levinson is also the lead engineer for iOS forensic software vendor Katana Forensics, which develops Lantern software that already includes iOS data location retrieval capabilities.

According to a statement released by Apple on Wednesday, it couldn't care less where you are. Rather, it wants its devices to know your location--not least to support mapping and camera geotagging features. Accordingly, it pushes and pulls a crowd-sourced database of hotspots and cell towers to its devices, instead of relying on global positioning system hardware, which can take minutes to acquire a signal, if one is available.

Of course, this location data can be retrieved from the device, or a device with which the smartphone synchronizes. So Apple has promised to stop storing so much information, to honor opt-outs (a "don't track" setting in the phone), and with the next major release of iOS, to begin encrypting the data it transmits. Apple also said it would begin limiting the amount of location data each phone stores to seven days' worth.

Will that remedy the issue for smartphone users? In the wake of this incident, security and privacy experts have been reviewing Apple iPhone security and finding that in addition to location data, there's a lot of other information that iOS also doesn't store securely.

Notably, Michael Sutton, VP of security research for cloud security firm Zscaler, said in a blog post that it's trivial to recover the authentication credentials for numerous applications--including "Evernote, Google Docs, Apple's iDisk and any WebDav enabled server"--because their passwords are stored in plain text. "It is particularly concerning that Google Docs and Apple's Mobile Me are on this list," he said. "Both services leverage single sign-on for their various online services, so knowledge of these credentials would also provide access to Gmail and Apple's MobileMe email service."

Interestingly, Google has drawn fire for not vetting Android applications before it adds them to the official Android Market, while Apple is often lauded for ensuring that its applications perform as specified. But Apple's new-app review process may not be oh-so security-intensive, said Sutton.

"Despite the fact that Apple must bless all apps before hosting them in the App Store and is very willing to take a 30% cut for doing so, they're clearly concerned more with blessing the 'user experience' as opposed to security," he said. "Storing passwords in clear text is security 101. If I can spot it in 15 minutes, surely they can have processes in place to identify and prohibit at least basic security issues."

Both the crowdsourced data collected by Apple and the insecure storage of credentials illustrate how today's smartphones can produce unintended consequences for enterprise security. "Security and privacy concerns in the enterprise are shifting, and one of the key drivers for that is the influx of personal devices--both smartphones and tablets--coming into the workplace," Ahmed Datoo, VP of marketing at mobile device management vendor Zenprise, told me in an interview. "In the past, companies bought devices on behalf of employees, and therefore it was easier for IT to do things like monitor usage of the device. Privacy around employee-owned devices, however, becomes a much bigger deal."

Furthermore, users want access to all of the features and functionality that they've paid for, and security and privacy issues might not get in the way. For example, a recent study from secure email provider VaporStream found that 28% of people said they'd intentionally shared sensitive information via email, in violation of regulations. The rationale is simple: It was easier to share the information that way, regardless of what corporate security policies, not to mention laws, might dictate.

Enterprise administrators take note: Users don't want to submit to controls. But when left to their own devices--in both senses--it's likely that features and functionality will trump corporate data security issues. Accordingly, and based on having a full and open dialog with employees, it's time for IT managers to spy on people's devices too--or at least monitor and manage their security and privacy settings.


Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2227
Published: 2014-07-25
The default Flash cross-domain policy (crossdomain.xml) in Ubiquiti Networks UniFi Video (formerly AirVision aka AirVision Controller) before 3.0.1 does not restrict access to the application, which allows remote attackers to bypass the Same Origin Policy via a crafted SWF file.

CVE-2014-5027
Published: 2014-07-25
Cross-site scripting (XSS) vulnerability in Review Board 1.7.x before 1.7.27 and 2.0.x before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via a query parameter to a diff fragment page.

CVE-2014-5100
Published: 2014-07-25
Multiple cross-site request forgery (CSRF) vulnerabilities in Omeka before 2.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new super user account via a request to admin/users/add, (2) insert cross-site scripting (XSS) sequences via the api_key_...

CVE-2014-5101
Published: 2014-07-25
Multiple cross-site scripting (XSS) vulnerabilities in WeBid 1.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) TPL_name, (2) TPL_nick, (3) TPL_email, (4) TPL_year, (5) TPL_address, (6) TPL_city, (7) TPL_prov, (8) TPL_zip, (9) TPL_phone, (10) TPL_pp_email, (11) TPL_authn...

CVE-2014-5102
Published: 2014-07-25
SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.