Kenneth Van Wyk: What users can do to make their smartphones more secure

04.06.2012

Static analysis. Maybe you didn't realize it, but you can poke around an app's sandbox (the private directory tree the operating system gives each app for its own files) and take a look at what's in there for yourself. All you need are your mobile device, a USB cable and free software such as iExplorer that lets you look at the files in each app on your device. (Note: These examples are primarily for Apple's iOS, but similar tools and methods exist for other mobile platforms as well.)

Connect your device to your computer (Mac or Windows) and use iExplorer to peek into its files. In each app's Documents folder, you'll find files used by the app. Some common file extensions are .plist, .db, .xml and .txt. The first are "property list" files, which are in an XML format and can be viewed using any text editor; if one turns out to be in the binary plist format, the Mac command "plutil -convert xml1 -o - [filename.plist]" prints it as readable XML. Next, .db files are database files -- most likely SQLite3 files that can be viewed using sqlite3 on the command line. The other files are mostly text files as well. Drag them onto your main computer's desktop (or a folder) and look at them one at a time. Look, for example, in the plist files for usernames, passwords and other application credentials. For SQLite files, open a command shell and type "sqlite3 [filename.db]". At the sqlite prompt, type ".tables" to list the tables present in the database and ".schema [table_name]" to see a table's columns. You can see a table's contents by typing ".dump [table_name]", or "SELECT * FROM [table_name];" for a plain listing of its rows. Again, look for usernames, passwords, etc.

Look also in each app's Library folder. In there, you'll find a Caches folder, a Preferences folder (where many apps keep their main .plist) and a bunch of other stuff. Poke through there and look at the files. Again, look for property list files and database files, as well as image files. iOS takes a snapshot of the screen when an app moves to the background, so depending on when you last ran the app, you may find some .jpg or .png files in Caches containing screenshots of your last session, possibly showing account details. View them all.
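The checks above can be automated once the sandbox has been copied to your computer. The following is an added example, not code from the column or from iExplorer: it builds a constructed sample sandbox (a binary plist holding a saved login and a SQLite database with an accounts table, both invented for the demonstration), then walks the tree, parses every .plist and .db file it finds, and reports keys and columns whose names look like credentials. The credential-name pattern is a heuristic chosen here, not a standard.

```python
"""Scan a copied iOS app sandbox for credential-looking data.

Added example code. It assumes the sandbox has already been copied to a
local folder (with a tool such as iExplorer); the folder layout, file names
and contents created by build_sample_sandbox() are constructed sample data.
"""
import os
import plistlib
import re
import sqlite3
import tempfile

# Heuristic: key/column names that commonly hold credentials (an assumption).
SUSPECT = re.compile(
    r"(pass(word|wd)?|pwd|secret|token|api[_-]?key|user(name)?|login)", re.I)


def scan_plist(path):
    """Return (key, value) pairs whose key looks credential-like.

    plistlib reads both the XML and the binary plist format, so there is no
    need to convert binary files with plutil first.
    """
    with open(path, "rb") as fh:
        try:
            data = plistlib.load(fh)
        except Exception:
            return []  # not a plist, or damaged
    hits = []

    def walk(node, prefix=""):
        if isinstance(node, dict):
            for k, v in node.items():
                key = f"{prefix}{k}"
                if SUSPECT.search(str(k)) and isinstance(v, (str, bytes, int)):
                    hits.append((key, v))
                walk(v, key + ".")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{prefix}{i}.")

    walk(data)
    return hits


def scan_sqlite(path):
    """Return (table.column, value) for columns whose name looks credential-like."""
    hits = []
    try:
        # Open read-only so scanning never modifies the copied database.
        conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    except sqlite3.Error:
        return hits
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for t in tables:
            cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{t}")')]
            for c in cols:
                if SUSPECT.search(c):
                    for (v,) in conn.execute(f'SELECT "{c}" FROM "{t}"'):
                        if v not in (None, ""):
                            hits.append((f"{t}.{c}", v))
    except sqlite3.DatabaseError:
        pass  # not a SQLite file, or corrupt
    finally:
        conn.close()
    return hits


def scan_sandbox(root):
    """Walk a copied sandbox (Documents/, Library/, ...) and collect findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.endswith(".plist"):
                findings += [(rel, k, v) for k, v in scan_plist(path)]
            elif name.endswith((".db", ".sqlite", ".sqlite3")):
                findings += [(rel, k, v) for k, v in scan_sqlite(path)]
    return findings


def build_sample_sandbox():
    """Constructed sample sandbox reproducing the mistakes the column describes."""
    root = tempfile.mkdtemp(prefix="sandbox_")
    os.makedirs(os.path.join(root, "Documents"))
    os.makedirs(os.path.join(root, "Library", "Preferences"))
    # A binary plist holding a saved login in plaintext (the sloppy case).
    prefs = os.path.join(root, "Library", "Preferences", "com.example.app.plist")
    with open(prefs, "wb") as fh:
        plistlib.dump({"username": "alice", "password": "hunter2", "theme": "dark"},
                      fh, fmt=plistlib.FMT_BINARY)
    # A SQLite database with an accounts table holding an API token.
    conn = sqlite3.connect(os.path.join(root, "Documents", "app.db"))
    conn.execute("CREATE TABLE accounts (id INTEGER, login TEXT, api_token TEXT)")
    conn.execute("INSERT INTO accounts VALUES (1, 'alice', 'tok_abc123')")
    conn.commit()
    conn.close()
    return root


if __name__ == "__main__":
    for rel, key, value in scan_sandbox(build_sample_sandbox()):
        print(f"{rel}: {key} = {value!r}")
```

Point scan_sandbox() at the folder you copied from the device to run it against a real app. A hit is only a lead: a key named "token" may hold a harmless session identifier, and a password stored encrypted will not match by name, so confirm each finding by hand.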

What you're looking for are some fundamental mistakes that developers commonly make. Storing usernames and passwords in plaintext in property list files, database files, etc., is sloppy programming: anyone with the device and a USB cable can read them, as you have just seen. (iOS provides a keychain that does a far better -- though not perfect -- job of securing that sort of data; it encrypts each item and ties it to the device, although it can still be dumped from a jailbroken device.)

If the app you're considering using makes such simple mistakes, you might want to avoid it. You could contact the vendor and ask it to fix the problem. You could also write a review for the app store you use and let other people know about the problems. I have done both, because I'm not willing to let such easily avoided mistakes go by unchallenged. If enough people do this sort of thing, I'm convinced that app security will improve.