
Access Denied.

About the blog

Here are all my thoughts on security solutions, experiments with security solutions and architectures, and experiences with security and cryptography.

Javascript on mobile devices

Development Posted on 16 Mar, 2012 10:38:22

Introduction
I was at the SAI meeting last evening (15/3/2012). It was all about development for mobile devices, like smartphones and tablets, using JavaScript.
The evening's talks were given by ACA IT Systems. The two speakers on development for mobile devices were Tom Moors (Solution Engineer) and Stijn Van Den Enden (CTO, ACA IT-Solutions).
They started with an overview of the mobile phone, from the first GSM handsets to the current smartphones like the Apple iPhone, BlackBerry, Androids, …
The big success of some applications on smartphones was thanks to the introduction of app stores for Apple and Android phones. All applications tried to be number one with the most downloads. It is like the time when websites tried to be number one at Google. In the end, good money could be made with apps. Also new was the price of apps on mobile devices: apps did not cost 60 – 600 €, but a couple of cents to a few euros. A lot of downloads meant a lot of money.
Take Instagr.am, which made a lot of money in a couple of weeks by creating an app and an infrastructure for sharing photos: 15.000.000 downloads…
The main drawback today is the performance of mobile phones when running a JavaScript interpreter. This can easily be verified using the SunSpider benchmark (http://www.webkit.org/perf/sunspider/sunspider.html).
There are two big web frameworks in JavaScript, each with its own advantages and features: jQuery Mobile and Sencha Touch. They will be discussed here.
There are also two interesting frameworks for creating native apps using JavaScript.

jQuery Mobile

jQuery Mobile is HTML-centric. This means it uses the HTML DOM to render the web application so that it resembles a native app on your mobile phone, and it supports a lot of smartphone platforms, like iOS, Android and BlackBerry, but also WebOS, Windows Phone, MeeGo, …
jQuery Mobile is limited to what HTML supports for interaction. It has all the necessary elements to give the look of a native application. jQuery Mobile also supports developing the behaviour of those elements.
You have to be careful about browser support on the mobile phone when developing with jQuery Mobile.

Sencha Touch
Sencha Touch is a framework developed from Sencha ExtJS. It normally works only with JavaScript, so in the end you write no HTML elements. The framework is a UI framework based on MVC and has extra support for storage, a history framework and a native packaging framework for the Android Market and the App Store.
It also has all the elements to create a nice UI on a smartphone with its native look-and-feel. You do your development completely in JavaScript.
It is big (320k compressed), so it can take some time to load on your mobile device.
Sencha Touch 1.1 is also incredibly slow on Android devices. Sencha went to talk with the Android smartphone companies and then released Sencha Touch 2.0, which is much more responsive. If you develop a mobile application with Sencha, do use Sencha Touch 2.
Sencha supports a profile system, so you can develop for tablets and mobile phones from the same codebase.
Sencha has history support (with a back button) which works very well; with dynamic applications the history can get corrupted when using the browser's back button.
Finally, Sencha Touch 2 uses Syntactically Awesome StyleSheets (Sass, aka Super Awesome StyleSheets), an extension of CSS that makes it easier to develop and maintain your style sheets.

That was it about the HTML/JavaScript frameworks….

How do we create native apps using JavaScript?
Sometimes it is necessary to use very device-specific resources, which are not supported in HTML5 or JavaScript. This means you have to use a native app. When developing applications, you really want to limit the part of the codebase that depends on the resource and reuse as much code as possible to support the different devices (iOS, Android).
You may also want to release on the App Store for bigger visibility of your application.

1) PhoneGap
PhoneGap has become Apache Cordova.
PhoneGap is a chromeless browser which gives you access to the natively developed libraries, using something like JNI calls from the Java world. PhoneGap uses Rhino or the iOS JavaScript interpreter. It gives your developers the opportunity to stick to developing in JavaScript/HTML/CSS, and your application will look like a native application (copy protection of the source is not possible). It will also be deployed like a native application. The native libraries must be built in the native environment of the device (iOS or Android), but the UI and behaviour can be cross-platform.

2) Titanium
In Titanium, your developer can develop in JavaScript, but the JavaScript code is recompiled for the platform you want to target: iOS or Android or both. This native package can then be distributed as a native app.

Conclusion: Access Granted :-) -> no security information
A very interesting evening about all the UI features the biggest JavaScript frameworks provide. It was also very instructive on how to decide between a JavaScript/HTML5 application and a native app.
Not one word about security, which is normal. The evening was mainly about the features of the frameworks and was very instructive.
But this is also dangerous, because all those UI features are used in dynamic applications, which sometimes work with confidential data (even a username/password). Nobody in the evening had any questions about the security implications of their mobile applications.
Nevertheless, I asked some questions on the side about authentication mechanisms and secure development, to which they (ACA) gave very interesting answers: using OAuth for authentication, with 2-way and 3-way. SSL is of course a minimum. They also mentioned to be very careful about code injection. Also, protecting your source code in JavaScript is almost impossible.

Links:
SAI: http://www.sai.be/content/javascript-je-broekzak-js-mobile-devices
jQuery Mobile: http://jquerymobile.com/
Sencha Touch: http://www.sencha.com/products/touch/
PhoneGap: http://phonegap.com/
Apache Cordova: http://incubator.apache.org/callback/index.html

Some other frameworks mentioned:
Sproutcore: http://sproutcore.com/
Enyo: http://enyojs.com/



OWASP Belgian Chapter Meeting 06/02/2012

Security Posted on 07 Mar, 2012 09:17:58

Yesterday it was the OWASP chapter meeting, and it was, as always, very interesting to see Ken van Wyk and Jim Manico, some whitehats from the USA speaking about application security issues.

1) OWASP intro by Seba

As always, the same introduction to the OWASP organisation and a call to become a member of the Belgian chapter.

2) Common iOS Pitfalls vs. OWASP’s iGoat (by Ken van Wyk, KRvW Associates)

Ken van Wyk talked about security issues when developers write applications for iOS phones (most are the same for Android too). The session is recorded, so please check the OWASP site.

At OWASP, Ken has started a project to identify the top 10 problems of iOS apps (we are talking about applications, not web apps).

It is unbelievable what kind of information applications store on your mobile phone, like usernames/passwords (Facebook, Twitter, …), geo-locations, … Applications want to interact with those services but don't want the user to re-enter their credentials every time, so they keep them in an XML file on the phone -> and these files are mostly not protected. So when you lose the iPhone -> don't forget to wipe it remotely with Apple's service.

Android is worse, because there is less control over the applications and the devices have an SD card, where the unsecured data can be stored.

Second big problem…: UNSECURED Wi-Fi. He told how he can intercept the communication through MITM attacks or sniffing on the Wi-Fi. Starbucks coffee shops have free and unsecured Wi-Fi access. When the app has to log on to a server, SSL is not always used, and the credentials and session tokens are sent in the clear.

He also gave some demonstrations of iGoat and of how easy it is to write a bad application (and also how easy it is to do it right).

People interested in helping Ken develop iGoat can contact him directly by mail (keep me informed too, please! Your knowledge can be used within Smals also).

Check link 2).

There is also a project called GoatDroid.

3) Jim Manico. He was, as always, very eccentric in his presentation about access control.

You have vertical access control and horizontal access control. Vertical access control is the assignment of a role to the user and the access that role has on resources. Horizontal access control is the differentiation of access to resources between users with the same role.

Can a user edit its own user information? If so, can the user edit another user's information? He still has the same role….

He described that you can implement an access control system like this using the "Command pattern".

Also use a filter in the web app to verify the access. In the filter you check this with a boolean value and redirect the user to a page if it fails. On the backend you use assertions, because a request that fails the check should never get there. Last but not least, he even proposes to check it in the DAO layer.
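The following Python is an added example (not code from Jim Manico's slides or from the blog) that puts the points above together: a command object that knows how to authorize itself, a vertical check (does the role allow the command at all?) and a horizontal check (may this user act on this particular resource?), a web-layer filter that returns a boolean and redirects, a backend check that raises because a request failing it "should never happen", and a final ownership check in the DAO. The roles, command names and sample rows are constructed for the demo.

```python
"""Vertical and horizontal access control with a command pattern, enforced at
three layers: web filter (redirect), command (must never fail here), DAO.
Added example; roles, command names and data are constructed for the demo."""
from dataclasses import dataclass

# Vertical access control: which commands a role may invoke at all.
ROLE_PERMISSIONS = {
    "user": {"EditProfile"},
    "admin": {"EditProfile", "DeleteUser"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str


class AccessDenied(Exception):
    """Raised when a check below the web filter fails; the filter should have stopped it."""


class ProfileDAO:
    """Data-access layer. Even here, ownership is re-checked (defence in depth)."""

    def __init__(self):
        # Constructed sample rows.
        self.rows = {
            "alice": {"display_name": "Alice"},
            "bob": {"display_name": "Bob"},
        }

    def _check_owner(self, principal, user_id):
        # Horizontal check at the lowest layer: same role, but not your row.
        if principal.role != "admin" and principal.user_id != user_id:
            raise AccessDenied(f"{principal.user_id} may not touch {user_id}")

    def update_display_name(self, principal, user_id, display_name):
        self._check_owner(principal, user_id)
        self.rows[user_id]["display_name"] = display_name
        return dict(self.rows[user_id])

    def delete(self, principal, user_id):
        self._check_owner(principal, user_id)
        return self.rows.pop(user_id) is not None


class Command:
    """Command pattern: every request is an object that can authorize itself."""
    name = "Command"

    def __init__(self, target_user_id):
        self.target_user_id = target_user_id

    def is_permitted(self, principal):
        # Vertical: is the role allowed to run this command at all?
        if self.name not in ROLE_PERMISSIONS.get(principal.role, set()):
            return False
        # Horizontal: may this user act on this particular resource?
        return principal.role == "admin" or principal.user_id == self.target_user_id

    def run(self, principal, dao):
        # Backend assertion. A plain `assert` is stripped under `python -O`,
        # so raise explicitly: reaching here unauthorized means the filter was bypassed.
        if not self.is_permitted(principal):
            raise AccessDenied(f"{self.name} by {principal.user_id} on {self.target_user_id}")
        return self.execute(principal, dao)

    def execute(self, principal, dao):
        raise NotImplementedError


class EditProfile(Command):
    name = "EditProfile"

    def __init__(self, target_user_id, display_name):
        super().__init__(target_user_id)
        self.display_name = display_name

    def execute(self, principal, dao):
        return dao.update_display_name(principal, self.target_user_id, self.display_name)


class DeleteUser(Command):
    name = "DeleteUser"

    def execute(self, principal, dao):
        return dao.delete(principal, self.target_user_id)


def access_filter(principal, command):
    """Web-layer filter: True lets the request through, False means redirect."""
    return command.is_permitted(principal)


def handle_request(principal, command, dao):
    """Simulated controller: run the filter first, then the command."""
    if not access_filter(principal, command):
        return {"status": 302, "location": "/access-denied"}
    return {"status": 200, "body": command.run(principal, dao)}


if __name__ == "__main__":
    dao = ProfileDAO()
    alice = Principal("alice", "user")
    root = Principal("root", "admin")
    print(handle_request(alice, EditProfile("alice", "Alice L."), dao))  # 200
    print(handle_request(alice, EditProfile("bob", "x"), dao))           # 302 (horizontal)
    print(handle_request(alice, DeleteUser("alice"), dao))               # 302 (vertical)
    print(handle_request(root, DeleteUser("bob"), dao))                  # 200
```

The three layers deliberately repeat the same decision: if a new controller forgets the filter, the command still refuses; if someone calls the DAO from a batch job without going through a command, the DAO still refuses. The redirect is the only layer meant to be reached by a legitimate user; an `AccessDenied` from the lower layers is a bug report, not a user-facing message.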

Check link 3) for the slides.

Some Links:

1) OWASP Belgium chapter meeting

https://www.owasp.org/index.php/Belgium#Chapter_Meetings

2)

https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

3)

http://secappdev.org/handouts/2012/Jim%20Manico%20&%20%20Eoin%20Keary/Final%20-%20Access%20Control%20Module%20v4.1.pdf



Homomorphic encryption POC @ Microsoft

Security Posted on 11 Sep, 2011 19:56:24

Thought:

This is a nice concept. You are able to perform calculations or logic on data which is encrypted, without decrypting the data. For example, you can let a cloud service add two numbers, which only you personally know, without the cloud service knowing what it is adding. Now, this has existed for some time already, but I have never seen any implementation or usage of it.

This blog post is going to be continued, because I'm going to investigate how they do that.

http://www.technologyreview.com/computing/38239/
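As an added worked example (not from the blog and not the Microsoft proof of concept linked above, which I make no claims about), the following Python implements the textbook Paillier cryptosystem, an older public-key scheme that is additively homomorphic: multiplying two ciphertexts yields an encryption of the sum of the plaintexts, so an untrusted service can add the numbers without ever seeing them. `DEMO_P` and `DEMO_Q` are constructed, far-too-small primes chosen so the demo runs instantly; real keys use primes of 1024 bits or more.

```python
"""Toy Paillier cryptosystem: an additively homomorphic public-key scheme.

A client encrypts numbers, an untrusted service multiplies the ciphertexts
(which adds the plaintexts) without ever seeing them, and the client decrypts
the sum. DEMO_P and DEMO_Q are constructed small primes; real keys use primes
of 1024 bits or more.
"""
import math
import secrets

DEMO_P = 104729  # constructed demo prime, not a real key
DEMO_Q = 104723  # constructed demo prime, not a real key


def keygen(p=DEMO_P, q=DEMO_Q):
    """Return (public_key, private_key). Public: (n, g). Private: (lambda, mu, n)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1  # standard simplification; makes L(g^lam mod n^2) == lam
    mu = pow(lam, -1, n)  # modular inverse of lambda mod n
    return (n, g), (lam, mu, n)


def encrypt(pk, m):
    """Encrypt 0 <= m < n. Randomised: the same m encrypts differently each time."""
    n, g = pk
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n)  # random r in Z_n^*
        if r > 0 and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(sk, c):
    """Recover m from c = g^m * r^n mod n^2 using the private key."""
    lam, mu, n = sk
    n2 = n * n
    u = pow(c, lam, n2)
    l_of_u = (u - 1) // n  # the L function: L(x) = (x - 1) / n
    return (l_of_u * mu) % n


def cloud_add(pk, c1, c2):
    """Run by the untrusted service: multiplying ciphertexts adds plaintexts (mod n)."""
    n, _ = pk
    return (c1 * c2) % (n * n)


def cloud_mul_const(pk, c, k):
    """Also homomorphic: raising a ciphertext to k multiplies the plaintext by k (mod n)."""
    n, _ = pk
    return pow(c, k, n * n)


if __name__ == "__main__":
    pk, sk = keygen()
    a, b = encrypt(pk, 42), encrypt(pk, 58)   # client side
    total = cloud_add(pk, a, b)               # service side: sees only a, b, total
    print(decrypt(sk, total))                 # client side: 100
```

Two things worth noticing when running it: encrypting the same number twice gives two different ciphertexts (the random `r` is what stops the service from guessing small values by re-encrypting them and comparing), and the arithmetic is modulo `n`, so sums that exceed `n` wrap around silently; the client has to pick a key large enough for the range of values it expects. Paillier only gives addition and multiplication by a known constant; the fully homomorphic schemes in the article add multiplication of two ciphertexts, which is where the real difficulty lies.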