Saturday 16 August 2014

Playing with google

So I was recently having a discussion with a vendor about the insecurity versus usability of the Google Play store. Yep, there is malware there; yep, there are copycat scam apps. But Google will eventually get it under control, just as Apple has done...

OK, so you can't trust either of them, but I think Apple is actually doing a better job of keeping the lookalike scam apps out; at least I haven't heard of any yet, and this is coming from me, a very anti-Apple person.

So what do you do if you have written an Android app? Well, you could host it on your own site, but then you need to reduce your customers' security by making them set their device to allow apps to be installed from anywhere, opening them up to the drive-by downloads that are becoming prevalent in Android land (mainly due to some manufacturers enabling this setting by default).
You could host a QR code on your site and point this to your play store app...

Maybe just a link on your site back to the play store to ensure they get the right version of the app.

This got me thinking: it doesn't really protect you from those that just look through the store for apps from your company, so you should protect yourself in some other way. I use Google Alerts already to monitor stuff I am interested in, as well as comments about things I am interested in for security reasons.

This is where I thought I could make a search alert for: site:play.google.com appname
I wanted to try it out first, so I did: site:play.google.com commbank
Commbank is a big bank in Australia, and they have a few apps; one caught my attention: https://play.google.com/store/apps/details?id=au.com.commbank.hr.sidekick&hl=en
Looks to me like Commbank trust the store so much they trust a third party to put up an app for them for their users to access the intranet. The company that listed the app at time of writing was http://www.gpssolutionsdevelopers.com/, whose site looks like it is what is being loaded for the app.

The domain was suspiciously registered on the 28th of January this year.
I might need to reinstall this app and do a packet capture to see what web services it is trying to hit on this site, but this site is not https, and is hosted on a shared host that has unencrypted ftp, smtp and imap enabled. I let someone I have met from Commbank's IT security team know, and this was all amazingly fixed within a few hours. Props to them.
I did a packet capture post their fixes and it is all over ssl/tls now.

So anyway, I guess the takeaway is: if you want to add some security even for Google Play apps, you can set up a Google alert at http://www.google.com/alerts for site:play.google.com appname, set it to As-it-happens, and hope you never get that email.

Monday 7 April 2014

Service hiding/protection

This is a bit of operational security, but it took me a lot longer than I would have liked to do, and no one had an example like the below. This command uses the open source access control list command-line utility SetACL to lock down a service so that the specified user can't stop or start it; in testing it is even better than that: the service disappears from the services manager.

setacl.exe -ot srv -on "Service Name" -ace "n:domain\username;p:start_stop;m:deny" -actn ace





This is obviously a really good idea if you have admins of a box that you don't want to be able to stop a key service. It could also allow you to stop a malicious user from seeing a specific service, depending on the malicious user's method of getting onto your server.
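
To confirm the deny entry actually landed on the service, the script below reads the service's security descriptor with sc.exe sdshow and lists every deny ACE with the rights it blocks. It is an added example, not part of the original post or of SetACL; 'Service Name' is the post's placeholder, and it assumes an elevated prompt under an account that was not itself denied.

```powershell
# Added example: show which accounts are explicitly denied rights on a service.
# 'Service Name' is the placeholder used in the post; pass the real service name.
param([string]$ServiceName = 'Service Name')

# Service access rights from winsvc.h, plus the standard rights.
$rightNames = @{
    0x00001 = 'QUERY_CONFIG';   0x00002 = 'CHANGE_CONFIG'
    0x00004 = 'QUERY_STATUS';   0x00008 = 'ENUMERATE_DEPENDENTS'
    0x00010 = 'START';          0x00020 = 'STOP'
    0x00040 = 'PAUSE_CONTINUE'; 0x00080 = 'INTERROGATE'
    0x00100 = 'USER_DEFINED_CONTROL'
    0x10000 = 'DELETE';         0x20000 = 'READ_CONTROL'
    0x40000 = 'WRITE_DAC';      0x80000 = 'WRITE_OWNER'
}

# sc.exe prints the descriptor as one SDDL line; drop the blank lines around it.
$sddl = (& sc.exe sdshow $ServiceName | Where-Object { $_.Trim() }) -join ''
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow failed: $sddl" }

$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl

$deny = foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessDenied) { continue }

    # Resolve the SID to an account name where possible; keep the raw SID otherwise.
    $who = $ace.SecurityIdentifier.Value
    try {
        $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
    } catch { }

    # Decode the access mask bit by bit into readable right names.
    $names = foreach ($r in ($rightNames.GetEnumerator() | Sort-Object Key)) {
        if ($ace.AccessMask -band $r.Key) { $r.Value }
    }
    [pscustomobject]@{ Trustee = $who; Denied = $names -join ', ' }
}

if ($deny) { $deny | Format-Table -AutoSize -Wrap }
else       { "No deny ACEs found on '$ServiceName'." }
```

A local administrator can still rewrite a service's DACL, so it is worth re-running this check periodically to confirm the entry is still in place.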
