What users can do to make their smartphones more secure

It's really not all that difficult to do a little self-vetting of the apps you install on your mobile devices

By Kenneth van Wyk, Computerworld

Static analysis. Maybe you didn't realize it, but you can poke around an app's sandbox and take a look at what's in there for yourself. All you need are your mobile device, a USB cable and free software such as iExplorer that lets you look at the files in each app on your device. (Note: These examples are primarily for Apple's iOS, but similar tools and methods can be used on Android as well.)

Connect your device to your computer (Mac or Windows) and use iExplorer to peek into its files. In each app's ~/Documents folder, you'll find files used by the app. Some common file extensions are .plist, .db, .xml and .txt. The first are "properties files," which are in an XML format and can be viewed using any text editor. Next, .db files are database files -- likely SQLite3 files that can be viewed using sqlite3 on the command line. The other files are mostly text files as well.

Drag them onto your main computer's desktop (or into a folder) and look at them one at a time. Look, for example, in the plist files for usernames, passwords and other application credentials. For SQLite files, try opening a command shell and typing "sqlite3 [filename.db]". Next, at the sqlite prompt, type ".tables" and you'll see whatever tables are present in the database. You can view those tables by typing ".dump [table_name]". Again, look for usernames, passwords, etc.

Look also in each app's ~/Library folder. In there, you'll find a Caches folder and a bunch of other stuff. Poke through there and look at the files. Again, look for properties files and database files, as well as image files. Depending on when you last ran the app, you may find some .jpg or .png files containing screenshots of your last session. View them all.

What you're looking for are some fundamental mistakes that developers commonly make. Storing usernames and passwords in properties files, database files, etc., is sloppy programming. (There are keychains that do a far better -- though not perfect -- job at securing that sort of data.)
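Once an app's files are copied to your computer, the manual check described above can be scripted. The following is an added example, not code from the original article: it walks the copied folder, parses each .plist and SQLite file, and reports keys and columns whose names suggest stored credentials. The name pattern, function names and sample data are assumptions constructed for illustration.

```python
import plistlib, re, sqlite3
from contextlib import closing
from pathlib import Path
from xml.parsers.expat import ExpatError

SUSPECT = re.compile(r"passw|user|login|token|secret|credential", re.I)  # assumed name list

def plist_hits(node, trail=""):
    """Yield (key path, value) for string values stored under suspect keys."""
    if isinstance(node, list):
        node = dict(enumerate(node))  # treat array indices as keys
    if isinstance(node, dict):
        for key, val in node.items():
            if SUSPECT.search(str(key)) and isinstance(val, (str, bytes)):
                yield f"{trail}/{key}", val
            yield from plist_hits(val, f"{trail}/{key}")

def sqlite_hits(path):
    """Yield (table, column, non-null rows) for suspect column names."""
    uri = path.resolve().as_uri() + "?mode=ro"  # open read-only
    with closing(sqlite3.connect(uri, uri=True)) as con:
        for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
            for row in con.execute(f'PRAGMA table_info("{table}")').fetchall():
                if SUSPECT.search(row[1]):
                    n = con.execute(f'SELECT COUNT("{row[1]}") FROM "{table}"').fetchone()[0]
                    yield table, row[1], n

def scan_tree(root):
    """Scan files copied off the device; return {relative path: hits}."""
    report = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        data, hits = path.read_bytes(), []
        try:
            if data.startswith(b"SQLite format 3\x00"):  # SQLite magic, any extension
                hits = list(sqlite_hits(path))
            elif path.suffix == ".plist":
                hits = list(plist_hits(plistlib.loads(data)))  # XML or binary plist
        except (ValueError, ExpatError, sqlite3.DatabaseError):
            pass  # corrupt or unreadable file: nothing to report
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def make_sample(root):
    """Constructed sample (not real app data) with two planted mistakes."""
    creds = {"username": "alice", "password": "constructed-pw"}
    Path(root, "settings.plist").write_bytes(plistlib.dumps({"account": creds}))
    with closing(sqlite3.connect(Path(root, "cache.db"))) as con:
        con.executescript("CREATE TABLE sessions (id INTEGER, auth_token TEXT);"
                          "INSERT INTO sessions VALUES (1, 'constructed-token');")
```

Call make_sample() on an empty directory and then scan_tree() on it to see the report format, or point scan_tree() at the folder you dragged off your own device. A hit is a prompt to open the file and look, since a suspicious name does not prove a credential is stored there.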

If the app you're considering using makes such simple mistakes, you might want to avoid it. You could contact the vendor and ask it to fix it. You could also write a review for the app store you use and let other people know about the problems. I have done both, because I'm not willing to let such easily avoided mistakes go by unchallenged. If enough people do this sort of thing, I'm convinced that app security will improve.


Originally published on Computerworld.