Our Blog has moved! Please visit our new site.

New blog site

My heart doesn't bleed. I have Secure Spaces!

The pervasive use of the OpenSSL libraries in Android apps, mostly gaming apps, has seen a disproportionate amount of attention placed on Android for failing to prevent the Heartbleed attack. A recent report ( http://au.ibtimes.com/articles/549464/20140424/google-android-play-store-heartbleed-bug-security.htm#.U1pbA_ldV8E ) with research from FireEye states that nearly 150 million Android app downloads were vulnerable to the Heartbleed bug. 

Adding to this disturbing fact is that of 17 apps created to detect the Heartbleed issue, 6 of those apps did not include sufficient techniques to accurately detect the bug. 

The report goes on to state that while many apps do not have direct access to banking or credit card information those gaming apps do typically have cross-linked authentication to Google, Facebook, Twitter or other social media apps that may have access to other important credentials.

With Secure Spaces I maintain a "quarantine" Space into which I place all of my newly downloaded apps. I have anti-malware tools in my quarantine Space that let me scan those apps and other apps that let me review all of the permissions and resources used by the downloaded app. Once I am satisifed I can then use the App Manager in Secure Spaces to move the app to my Open Space or another personal Space.

Even if I didn't use a quarantine Space (I am a bit of a geek) by simply placing the newly downloaded app into a personal Space or Open Space that does not have any contacts records, no access to my email or other critical information I can prevent a malicious app, even with the Heartbleed bug, from doing any real damage. Secure Spaces allows me to isolate my important information that I need from the neat apps that I want and lets me do it all on one device.

Ready to Rumble: IT vs Employee for BYOD

The challenge remains to bring harmony to the enterprise's need for data protection and the employee’s need for privacy and convenience. This issue existed to a small extent on the desktop, grew larger with the portability and convenience of laptops but now extends and dominates the discussion for mobile devices whether provided by the company or owned by the employee.

Our mobile devices are being used in entirely different ways than our desktops and laptops and this now has to be factored into the decision to permit mobile devices onto corporate networks. Failing to recognize the consumer requirements for mobile device use is a guarantee to have any BYOD program fail.

In addition, our phones primary function is communications. It is not until recently that the Smartphone has added the capability to run apps and process data (like desktops and laptops). But our Smartphones introduce an entirely new range of security challenges not faced by desktops and laptops.

The Enterpise IT group has a difficult challenge to continue delivering a secure environment for corporate data while the borders of their network dissolve and their end-users demand choice over the devices that they use.

Check out Graphite Software’s new infographic to learn how to achieve harmony between security, privacy and convenience. Meet the solution that is allowing employees to use their devices how they want without compromise, while empowering enterprise with control, compliance and increased productivity in our BYOD world.

Download the infographic here:  http://www.graphitesoftware.com/resources/BYOD%20end%20user%20vs.%20IT%20-%205.pdf

More Than A Billion Android Devices Vulnerable To Pileup Attack!

News broke this week that researchers at the University of Indiana and Microsoft had identified a vulnerability in the Android operating system that is suspected of affecting more than one billion Android devices already deployed into the market, and any future ones pending the release of a fix to this issue. For more read here (http://www.efytimes.com/e1/fullnews.asp?edid=133634)

A simple summary of the attack shows that an app downloaded by a device owner could contain bogus permissions that are simply ignored by the operating system, however if those permissions reflect features that eventually become available in a future version of Android then the permissions become active even though you as the device owner never specifically granted those permissions. What this could mean is that the app now has access to information or resources that you never intended it to have.

Of course, this attack does require that you download and install the app with these malicious permissions and perform a system update with a reboot of the device. Given that only 34% of device owners actually read the privacy policies of downloaded apps there is a strong likelihood that this type of app will make it onto a great many devices. Now specifically what the app will eventually do is up to the app and the future of Android capabilities.

At this time there is no Android fix to this issue but we expect that it will be dealt with quickly in the next Android update. If you are on an unlocked device and have control over your Android updates this is certainly good news. If you are on a device that receives infrequent updates then you are out of luck and must simply be far more diligent and watchful of the apps that you download.

However, if you are a Secure Spaces user you can rest far more comfortably. Secure Spaces divides an Android device up into "Spaces", like rooms in your house, so that you can place certain apps and data into one Space and keep them completely separate from the apps and data in another Space. So if you did download one of these apps and placed it into an isolated Space without any contacts, email accounts, Google accounts, or other sensitive information then there is very little harm that can come from the app. Secure Spaces is a consumer solution that gives the consumer control over how they want their device configured and how apps can, or can't interact with their data, like an app quarantine. Secure Spaces is ideal for consumer privacy, BYOD initiatives, device sharing with friends and family and mobile marketing initiatives.

My Mobile Phone Runneth Over

Thinking that you need two or more phones? You don't. Stop the trade-off between privacy and convenience and stop jamming everything onto one home-screen. 

We carry our phones all day long and use it for everything like work, email, banking, shopping, travel and play. We love to download new apps to see if they will make us more productive, simplify our life or allow us to have more fun. At the same time we want to be able to protect our personal information and our employer wants to protect company information.

With just one phone you are putting everything all together in one place: work apps, personal apps, game apps, downloaded apps. What does this mean? It means that we expose ourselves to malicious and over-permissioned apps that can lead to data loss and privacy breaches.

Take back control of your device, your data, and your privacy. With Secure Spaces you can organize your digital life into multiple “Spaces” on your phone, like rooms in your house.

Read more at: www.securespaces.com

Mother Sues Google After Child Buys $66 Worth Of In-App Purchases In Marvel Running Game

We all do it, those of us with kids anyway. We let our kids use our mobile devices to play games, play music or surf the Web. It seems harmless, it distracts them from the constant "Mommy, mommy" coming from the back seat of the car or the other room of the house. While many may jump onto the "bad parenting" or "digital babysitter" argument there is another reason to be concerned with the practise of sharing your mobile device.

Recently a mother in California sued Google over the in-app purchases made by her child while playing a game on her mobile device. Read more here: http://www.androidpolice.com/2014/03/11/mother-sues-google-after-child-buys-66-worth-of-in-app-purchases-in-marvel-running-game/ . Now, it appears that at some point the mother had changed her phone settings to avoid being prompted all the time for her password, likely due to the inconvenience. What she didn't realize was that this made available her Google account information and stored credit card details for use with in-app purchases, or the ability to purchase items like "Smurfberries", or "level-ups" in downloaded games. Her child likely didn't know that they were doing anything wrong but in a short period of time they had racked up a significant amount of extras that the mother had never intended or been given the opportunity to decline.

This all comes back to the ongoing trade-off between security and convenience that has plagued the online world for years. The mobile industry has done very little to change the security/privacy paradigm, in fact, they have replicated all of the challenges that have been faced by desktop and server computers for decades.

Secure Spaces takes a different approach. Secure Spaces creates separate Spaces on your device, like rooms in your house, to store apps and data separately. The apps and data in one Space cannot be accessed by the apps and data in another Space. The mother in this story could have created an Open Space on her device and placed the children's games into that Space and nothing else. The games would not have access to her Google account, her credit card information, or any other contacts, phone numbers, apps, passwords, or data that she maintains in another Space.

More, more, Facebook wants more of your data!

The following article:  http://www.theregister.co.uk/2014/02/20/facebook_whatsapp_19bn_buy_also_45_for_your_phonebook/ explains the likely reason that Facebook has paid $19B to acquire WhatsApp (a contacts/chat app). Wait, Facebook already has a chat feature why spend so much on something that they already have. Or do they? Apparently, Facebook does not yet have all of your phone numbers or those of all your contacts and they want them. WhatsApp will give this to them by rifling through your address book.

Beneath the covers Facebook will replace their chat service, they'll post yet another policy update that few of us will read or try to understand, we'll simply press "ok" and continue to use Facebook. No they won't you say. Yeah, they already did change their policy last July making it acceptable to siphon your phone number off of your mobile device. This change will let them go through your entire address book.

Why do we mention this? Well, Secure Spaces is the ideal solution to this blatant affront to your privacy. With Secure Spaces you can place the nosey Facebook app into a "personal" Space that has nothing else in it, except maybe some other nosey apps. It will run perfectly well with access to an empty address book in that Space. Take back control of your personal data!

http://www.securespaces.com

Shoulder check! Is your mobile data safe?

The recent findings of an Android VPN vulnerability (http://cyber.bgu.ac.il/blog/vpn-related-vulnerability-discovered-android-device-disclosure-report) have had Samsung and Google scrambling to provide commentary on the legitimacy and level of threat posed by the vulnerability. Samsung has blamed Android and Google has said this is a known man-in-the-middle (MITM) attack. There are few details on the attack, but let’s take a closer look at the issue in general.

If an app uses a VPN, then the apps communication is passed to the VPN, which in turn encrypts the data between the VPN and the corporate network where the VPN is terminated.  The attack is on this short piece of unencrypted traffic from the app to the VPN in the mobile device. Apparently using a regular downloaded app, presumably with some explicitly allowed permissions to access the network communication  – this part is not clear – the malicious app can sniff or siphon this unencrypted traffic before it reaches the VPN client. This is not exactly a man-in the-middle attack (more a man looking over your shoulder attack), but has the same effect. Google is correct in that this is a known attack against a VPN. VPNs generally assume that the device operating system is trusted.

So what are the possible solutions? First, the app could use SSL/TLS directly which is what most browsers can do. The malicious app can still grab the message, but it is already encrypted. HTTPS on a browser is not the same as a VPN, but it does prevent the attack.

Second, the app could implement newer technology called per-app VPN – which is what a number of companies offer to address precisely this issue, including as a feature of Samsung KNOX. This encrypts the data using SSL/TLS (usually) like in the browser example above, so the malicious app can only grab encrypted data. However, per-app VPNs require the app to be modified – with either a wrapper, or a “container” in the case of KNOX.

Third, you could make sure the app is not present to do the sniffing in the first place.

MDM and EMM products alone cannot solve this issue. Mobile Application Management (MAM) can make sure that only specific apps are present, but MDM products are not security products, they are device policy management solutions that may or may not implement some security policy elements. Most solutions can limit apps in a work space, but not on the whole device – so the malicious software is still present. If the apps or group of work apps are wrapped or containerized, then the apps must be modified and choice of available apps plummets. Look at the low number of apps in the MDM app stores. Plus, there are additional steps needed for the deployment and maintenance of corporate or custom developed apps.

Hypervisor or virtualization solutions do provide the necessary security isolation without the need to modify the apps. By using a virtual instance for personal apps and a separate instance for work, then apps in the workspace can be controlled and any malicious apps excluded. Even if the malicious app exists on the device, the virtualization prevents the app from grabbing the network traffic, as well as a wide range of other attacks.

Secure Spaces provides exactly the security provided by virtualization, but without the device integration and performance overhead of traditional type 1 and type 2 hypervisors.  Secure Spaces is a light-weight system level virtualization that enables many new business opportunities beyond enterprise security, such as disposable secure spaces.

Secure Spaces enables the IT administrator to control which apps are in their employees Work Space, including the VPN. No modification of apps is needed and choice is not limited. This is the simplest solution to these kinds of vulnerabilities.

Ask Google when they will support a simple MDM and device OEM agnostic domain isolation solution. In the meantime, try out one of our custom Android images that have been only modified to include Secure Spaces. For more information visit www.securespaces.com or contact us at info@graphitesoftware.com.

Reprinted from: http://insights.wired.com/profiles/blogs/shoulder-check-is-your-mobile-data-safe?xg_source=msg_appr_blogpost

A room with a view. The future of content on your mobile device.

This following post is re-printed from Alec's guest blog account at Wired Insights.

Read more: http://insights.wired.com/profiles/blogs/a-room-with-a-view-the-future-content-on-your-mobile-device#ixzz2rEDfPySL 

What if your mobile device provided you with exactly the information that you wanted, when you wanted and only for as long as you wanted it? What if it was possible to create a room on your phone or tablet that is dedicated to a purpose just as rooms in your house are dedicated. You have a kitchen for cooking, a bedroom for sleeping, a bathroom for ... well you get the idea. What if you could isolate rooms on your phone or tablet for very specific purposes? You could create a room that is dedicated to your personal activities like banking, shopping and music and another room for work.

These are some of the more common ways people currently think about separate rooms on their device. But what if this concept was expanded and you could also create a room on your device that is dedicated to your favorite brand or activity. This room would not have access to any of your personal or work apps and data. It would be accessible by you when you want to see that information rather than cluttering up your device’s home screen. It would contain apps and content that is published by an administrator thus reducing your need to search and guess at which apps to use to see the content that you want. That administrator could not see anything else on your device and, unless you signed up for something, wouldn’t even know who you are. And when you don’t want the room on your device anymore you can simply delete it without affecting anything else on the device.

Rooms such as these have a place in our modern lives because we want information from our favorite brands, but we don’t necessarily want the data sharing that can sometimes be required. And there is no reason why such rooms have to be permanent. What if we created rooms on our mobile device that are temporary. The rooms would last only for the duration of an event or activity. Once you have finished the activity or event, that room is closed and on you go to the next. For example, you are attending a trade show; wouldn't it be great to have a room on your phone that is dedicated to the event? It would contain apps and data with the trade show agenda, venue information, city guides, transit schedules, hotel and restaurant guides, and more. And the content is updated regularly by the show organizer. At the end of the show the space disappears from your mobile device.

Sporting events like the Olympics would be an ideal use for a room on your device. The Olympics last for two weeks every other year (if you include the Summer and Winter Olympics). As the medal standings change you’d be immediately aware, as venues for events change you’d be immediately informed. At the end of the two weeks the Olympic room would disappear but all of your photos would remain in your personal room. Even shorter events like a football, basketball or hockey game could have a dedicated room that is loaded over the air to your device as you enter the stadium. During the game you can load apps to see the team rosters, view food outlets, purchase merchandise, and more. As you leave the stadium the temporary room disappears, all without ever having access to your personal or work apps and data.

You spend more time with your mobile device than any other device that you own, it is always with you and it is typically always on. Why limit the mobile experience to just email and web browsing? Why not allow your mobile device to provide a portal to any number of dedicated, curated experiences that appeal to your personal taste but also remain completely in your control while protecting your privacy. This is the future of how you will receive content on your mobile phone  -- a future that is closer than ever.

Google Play! At your own risk!

Our last three blog posts have been about Trust, or the lack of it. Well, it seems that the matter of Trust has taken another hit while we were all enjoying the holidays. Please read: http://techcrunch.com/2014/01/02/developer-spams-google-play-with-ripoffs-of-well-known-apps-again/ . A quick summary of the article is that a developer(s) has loaded fake apps onto the Google Play! App store and has made them appear to be legitimate apps by slightly modifying the app names. The issue is how these apps were able to make it through the review process to make it onto the app store at all. Was it the reduced staffing at Google to validate the claims of the developer and verify the operation of the app?

There are several victims in this case:

- The impact to the consumer, in this situation, is having paid for an app that does not work and clearly does not have a means to recuperate their payment from the developer … unless Google steps in to reimburse those impacted by this fraud.

- We suspect that the original, valid app developers were impacted by support calls for an app that looked like theirs on the app store but was, in fact, not theirs and now have to deal with a consumer who is likely upset and perhaps demanding reimbursement.

-  Other app developers are now victims as it is certain that Google will raise the bar for entry to their app store and will put legitimate developers through additional effort and expense to get their apps placed.

-  Google is also a victim of a weakness in their own process that was exploited by an individual(s) and has called into question their diligence process and unfortunately the validity of all other apps that have gone through the process.

Unfortunately, in this particular case, it is a “buyer beware” situation and Google will do their best to remove the fraudulent apps and to make things right. But imagine if those apps were malicious to your device and its data, rather than non-operational. Imagine if the apps were free and available over the Holidays to all of the new Android device users. How many people truly read the “app permissions” dialog that appears just before hitting OK to download? Just how much damage could there have been to devices and data. Not to mention the damage to the Trust that consumers and businesses place on their use of the Google Play Store!

There is an opportunity here for a simple solution to help Consumers and Business take further control over their own protection and privacy. A solution that does not rely on the inspection and understanding of the permission requirements of each and every app. A solution that can prevent even a malicious app from gaining access to the other apps and data that are important to you or your business. There is a solution and it is called Secure Spaces.

Industry Watch: A matter of trust - By David Rubinstein (Editor-in-Chief, SD Times), Dec. 27, 2013

Eight technology companies last month sent a letter to U.S. President Barack Obama to push for legislation to scale back the amount of data government agencies can gather, to help restore trust in the government as well as a measure of personal privacy.

But it’s not just the government that’s grabbing our personal information. More and more, regular old consumer applications are asking for more permission to drill through your information. This is even exacerbated by our personal relationship with our devices, which led virtualization startup Graphite Software CEO Alec Main to remark, “We spend more time with our devices than with our wives.”

This relationship has fueled the workplace BYOD phenomenon, in which workers tell their companies which devices they want to use. In the past, companies would assign walkie-talkies or other communicators to all workers so they could control what data was on them and how it was used. But with the proliferation of devices today, people want to use what they’re comfortable with everywhere they are.

Today’s workers want a convergence of work and personal applications on their devices, if for no other reason than to reduce the number of devices they have to carry around all day. And while companies are doing a commendable job of protecting their sensitive data on worker devices, these same solutions do not protect consumer data nearly as well.

“It’s not about malware,” Main explained. “It’s not about slowing it down or running bots. It’s about legitimate apps sitting in app stores that you can download that are trolling through your contacts.

“We’ve all had those experiences. It’s amazing with LinkedIn, right? You have LinkedIn and suddenly it’s saying, ‘Do you want to connect with this guy?’ And you’re like, ‘Who IS that guy?’ It’s like somebody you had one e-mail with 10 years ago and now it’s asking if you want to connect with the guy. Or when they connect the lines in the background. I’ve been on some of these things, you connect in, and then it asks, ‘Do you want to connect with your sister-in-law?’ Well, how do they know my sister-in-law? I’m not connected to any of my family, but now it’s asking me if I want to connect with my sister-in-law?”

One indicator of the importance device users place on privacy is the kerfuffle over Google’s removal of the AppOps privacy settings software, which it says it inadvertently included with Android 4.3 but removed in 4.4.2. Google said this is because the software wasn’t fully baked.

Even so, Main said that solution was too complicated to become mainstream. “If you’re going to click on the OK OK [popup permission boxes]—going back to your saying people are just resigned to it—well I want that app. I’m not going to read what the permission are, I’m just going to click OK. So we need something really simple.”

Graphite Software’s approach is to create buckets, to separate apps and data into places where control can be better maintained. “It’s not fine-grained control, more of a macro control,” Main said. “If I put stuff in a certain bucket, or sometimes we talk about it as a room...you have your kitchen, you have your media room, your bathroom at your house. When you’re in your bathroom, that’s fine, you don’t put your bathroom in your kitchen. You live your life in different spaces already. On the weekend, you kinda want to relax, you go into the media room, you don't want to be bothered by your home office.”

To create separate spaces, some companies take a virtualization solution. Those, Main asserted, are too heavy for mobile devices in terms of performance and memory usage. So Graphite Software has created what it calls service-level virtualization that is built directly into Android and lets users create different containers (or spaces, as Graphite calls them) on the device. Main said, “You can have as many spaces as you want because it’s very lightweight. You can delegate management of those spaces to a third party such as your enterprise IT, or you can create your own spaces on the phone.

“If you do that, you can now segregate apps into different groups. You can put all your gaming apps and accounts into one place, you can have an open space that’s for your kids so you can share your device. You can also have a personal space for yourself. And then you can also delegate a portion of it to enterprise IT, and they can enforce their own policies, but only on their space. Not on your space and not on your data. They can’t see your data either. It’s really isolated. One space can’t access another space in any way.”

In the end, for people to use these applications and devices, it’s a matter of trust. Most of us are resigned to giving up some privacy for things we want on the Web, because some personal data is required for that. But Main maintains—and I concur—that when apps on a phone device start requesting too much personal data, things are getting out of hand. This time, it’s personal.

David Rubinstein is editor-in-chief of SD Times.