Does Android P private DNS really contribute to privacy? Or to Enterprise control?

Private DNS is a new feature in Android P, which allows you to globally override the DNS settings (received from your carrier, hotspot provider etc.). This means that the said carrier’s or provider’s DNS servers will not be able to log your browsing habits.

This looks like privacy, but isn’t necessarily so…



iOS Trustjacking protection with EMM

Trustjacking is a new “scary” attack on iOS devices, exploiting the user’s lack of understanding of what’s going on. When plugging into an unknown computer or charger, the user may choose to “trust” it, which allows the remote device quite a degree of access to iPhone/iPad data. Many don’t realize that this trust remains after the device is disconnected and may be exploited, for instance, via Wi-Fi, if Wi-Fi sync is enabled. Many others also think that this trust is necessary for charging.

What it really should read: “Your settings and data will be accessible from this computer even after disconnected. You DON’T need this for charging”

Basically, Apple should have looked at how Android 6+ has a “charge only” USB mode by default, fixed the wording and been done with it.

Protecting from this attack is extremely simple on Supervised (DEP) devices via EMM.

Here’s how it’s done via AirWatch, but any other major EMM will have something similar – this is Apple’s standard OS feature.

iOS Trustjacking protection: it only takes one tick

As a bonus, this will prevent not just the Trustjacking attack, but many other threats and leaks, since it blocks everything.

Wondering, how many had this configured before the Trustjacking news?

How long will it take to h@ck y3r Pa$$w0rd?

Ever been annoyed by those password policies that say “One digit, one uppercase, one lowercase” and then cap your password at, say, 12 characters? Are those passwords secure these days, when cheap processing power is freely available? A while ago I stumbled upon an article where, among other info, some really interesting data was shared about how long it takes to crack standard crypto hashes used for password encryption in WLANs, web sites and operating systems. This prompted a refresher in password security and brute-forcing performance. The numbers are worth sharing.


Bypassing Android security via backups (PSK recovery)

In my recent Android trainings and the Android security talk I gave at AppForum 2014 I was asked to provide a sort of a demo that can be easily replicated to explain the importance of maintaining a proper security posture. So I created a script that ‘recovers’ PSKs from the device and displays them.

Before moving on, a brief disclaimer: Android (or iOS, or Windows) is pretty secure; it is up to the user how much of this security is traded for convenience (or ignorance).


ShellShock and Motorola WLAN Equipment

A tech support article has been published on Motorola’s support portal regarding the ShellShock vulnerability. A brief note:

  • APxxxx, RFSxxxx, WSxxxx, CBxxxx (existing and legacy) – NOT vulnerable, as they don’t have bash at all.
  • NXxxxx and VXxxxx – KIND OF. They have unpatched bash, but it’s not exposed through any APIs/UIs unless you already somehow get the shell (which defeats the purpose of this vulnerability). Nevertheless, “Never say never” and a patch will be released in due time just to be sure, but there’s no rush.

Android multiuser model architecture and related security threats

I have recently bumped into a very interesting research article called “A Systematic Security Evaluation of Android’s Multi-User Framework” and want to leave here a digest and some of my analysis from the perspective of Enterprise use. I recommend reading the paper for more details; it’s only 10 pages. The more I learn of Android, the more it reminds me of a cheese grater (other OSes are no better). This doesn’t include any of the Android L enhancements, as those are not officially released yet.