Stay Safe With Mobile Banking

kevin January 27

Recently, there has been a strong concern surrounding third-party mobile banking applications.  A developer named Droidheaven released a Wells Fargo mobile banking app in mid-December. Droidheaven also has a large number of other applications in the Market, mostly Android themes.

After performing static and network analysis, our research team determined that the Droidheaven application was not doing anything actively malicious; however, we continue to warn users to be extremely cautious of third-party mobile banking applications.  We’ve found that the application only contains boilerplate webview functionality pointing to Wells Fargo’s mobile web site.  Additionally, the application only requests “Network communication” permissions, preventing it from performing actions typical of malware such as stealing contacts or trying to spread to people on your contact list.

There are several reasons why untrusted third-party mobile banking applications are risky:

  • These apps could contain malicious code that steals your bank account info and password as soon as you type it in—all of this information is easily available to the application developer.
  • You also have no way of knowing whether you are being directed to a legitimate mobile banking site or a phishing site designed to look identical.  On the standard browser, you can check to see whether the URL is correct and that the connection is encrypted with an appropriate certificate.  In a third party banking application, however, you can’t trust any indicators (if they exist), as those indicators can be set to display false information specified by the application’s developer.
  • Applications that do nothing malicious today can easily be updated with a malicious version.

If your bank does not provide a mobile banking application, it’s easy to create a shortcut icon on your home screen that links to your bank’s mobile website.

Read on to see how to create a safe, mobile banking bookmark on your home screen.


Phone Phishing: A look at seemingly legitimate applications on mobile phones.

kevin January 11

Mobile application marketplaces are a bazaar. They allow freedom for any developer to make his or her ware—legitimate or otherwise—available to the world.  Because apps created by Barclays and Bank of America are located on the same virtual shelf as apps from one-person shops from throughout the world, marketplaces act as a great equalizer, granting the same algorithmic treatment to all.  This openness has a tremendous benefit of encouraging innovation by decreasing both the friction and barrier to entry of app development.  No longer is it necessary to wade through a multi-month process just to make a single app available to consumers. The bazaar also comes with a risk: there is a greater burden on users to pass judgment on the sources of applications they choose to download—caveat emptor.  Even for marketplaces that have a vetting process, risk remains, as no vetting process can be perfect.

09Droid Installation Image

In December, we identified a large number of online banking applications added to the marketplace from a developer named 09Droid.  Each application was branded with a specific bank’s logo/name and, to most users, looked to be an app produced by that bank.

Our team immediately began investigating these suspicious applications and found no evidence of any malicious behavior in the 09Droid banking applications we analyzed.  We performed both static and network analysis on the applications to find that the apps are nothing more than a thin wrapper around legitimate mobile banking websites and do not have the capability to steal information.
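An added example (not code from the original post or from Lookout's own tooling) of the kind of static check described here and in the Droidheaven post above: it lists permissions beyond plain network access and flags embedded URLs that are cleartext or not on the bank's own domain. The manifests, strings, the `bank.example` domain and the `BASELINE` set are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: a pure WebView wrapper needs nothing beyond Internet access.
BASELINE = {"android.permission.INTERNET"}

# Constructed samples: a decoded AndroidManifest.xml plus string constants
# recovered from the app's code, for two hypothetical wrapper apps.
MANIFEST_TMPL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bankwrapper">%s<application/></manifest>"""
PERM = '<uses-permission android:name="android.permission.%s"/>'

WRAPPER = (MANIFEST_TMPL % (PERM % "INTERNET"),
           ["https://m.bank.example/login", "UTF-8"])
SUSPECT = (MANIFEST_TMPL % (PERM % "INTERNET" + PERM % "READ_CONTACTS" + PERM % "SEND_SMS"),
           ["https://m.bank.example.login.test/", "http://m.bank.example/help"])


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))
    return {n for n in names if n}


def host_allowed(host, expected_domains):
    """True only for the expected domain itself or a real subdomain of it.

    Matching on the dot boundary rejects lookalikes such as
    'm.bank.example.login.test', which merely contain the bank's name.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in expected_domains)


def triage(manifest_xml, strings, expected_domains):
    """Summarise what a reviewer should look at before trusting the wrapper."""
    urls = [urlparse(s) for s in strings
            if s.lower().startswith(("http://", "https://"))]
    return {
        "extra_permissions": sorted(requested_permissions(manifest_xml) - BASELINE),
        "unexpected_hosts": sorted({u.hostname or "" for u in urls
                                    if not host_allowed(u.hostname, expected_domains)}),
        "cleartext_urls": sorted(u.geturl() for u in urls if u.scheme == "http"),
    }


if __name__ == "__main__":
    for label, (manifest, strings) in (("wrapper", WRAPPER), ("suspect", SUSPECT)):
        print(label, triage(manifest, strings, {"bank.example"}))
```

A clean result describes only the version that was analyzed; because an update can change both the permissions and the embedded URLs, each new version needs the same check.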

Even though the applications are not doing anything malicious now, with a simple update, these applications could very easily have captured thousands of online banking credentials. It would be easy to develop an application that can intercept usernames and passwords as a user logs into his or her bank.

09Droid Application Mini-Browser

The existence of 3rd party applications from non-reputable developers handling extremely sensitive data raises an important concern: phishing applications are likely to pose a significant threat as people provide a growing incentive for attackers by using their phones to perform ever more sensitive tasks (e.g. managing their bank accounts).  Meanwhile, potentially malicious applications can use mobile application marketplaces to gain direct distribution to hundreds of millions of people.

Unsurprisingly, all of the 09Droid banking applications have since been removed from the Android Market, as the apps made unauthorized use of bank names and logos, leading users to think that the apps were officially provided by their respective banks.  There is an important lesson here: you should never entrust sensitive information, such as online banking credentials, to a 3rd party application from a non-reputable developer.  If the app wasn’t released by YOUR bank, then you probably shouldn’t use it.

Remember, if you ever see an application from an unknown developer posing as a well-known company or any other suspicious application, be sure to report it to our response team by emailing security /at/ mylookout /dot/ com.  We’ll be ready.

Flexilis is changing its name! We are now Lookout.

Chris November 19


That’s right. What was once known as ‘Flexilis’ will now become ‘Lookout.’ So without further ado, let’s get down to it and try to answer all the big questions.

1. Why the name change?

There were quite a few reasons for this. Doesn’t it just sound cooler? In all seriousness, while we have been Flexilis for quite a long time, and it’s been such a part of our roots, at the end of the day we were noticing more and more mistyped search queries from people looking for us, and even in conversations, we all heard “Flexi-wha?” more times than we can count on our fingers and toes. A lot of you, our Flexili—er, Lookout, fans and evangelists ran into this same issue as well when talking about the product to friends and family. We have an amazing community of beta testers and fans out there now in over 200 countries. In fact, one of the main reasons we have made the decision to change to Lookout is our tremendous growth. It only makes sense to position the company to expose our vision and products to millions more in 2010 and beyond. We’re really excited and hope this change will better enable everyone to share Lookout with friends and family, and avoid those “flexi-wha?” questions.

2. What is “Lookout” and why?

We went through an extensive search for the right name, and at the end of the day, Lookout is what we fell in love with. Our vision from day one has been to protect our users and their devices. In our exploration we realized that fundamentally “Lookout” is what we do – we lookout for you. Not only does Lookout encompass our mission and vision, but it is also a name that you can tell your friends about, with no misconceptions of the spelling. Even if you hear the name in casual conversation, it’s easy to remember, even hours later when you want to look it up. With the new name comes a new logo as well, and we think this one’s a great fit.

3. So, what’s next?

Soon the magic will begin (and yes this is just the beginning, as we have other significant announcements right around the corner). You’ll soon see the Flexilis website and blog transition over to Lookout, and you’ll then be able to access your account and data at the all new http://www.mylookout.com (don’t worry, you’ll still be able to go to flexilis.com at that time, though you’ll be redirected to myLookout). Support requests will still be answered at the old support email address, but all new requests should be directed to support@mylookout.com. You’ll soon start seeing the new name and logo everywhere almost immediately at that time, and it should be very seamless. All new and existing users will still be able to access their accounts like normal, and there should be no downtime at all.

We’re definitely excited about this, but as always, would love to hear what you think. Let us know your thoughts in the comments below, send us an email to support@mylookout.com, or Tweet us on Twitter. Please be sure to share the news with everyone you know, and if you spot any errors, things we miss, etc, let us know!

-Chris,
Community Director,
Lookout Mobile Security

Jailbroken iPhone? Don’t get hacked!

Chris November 3

If you own an iPhone, this one’s for you.

Recently a Dutch hacker took control of iPhones in the Netherlands, forcing them to display the screen you see at the right of this post, notifying users that he would remove the screen and fix the problem, for a small ransom of 5 Euro. So how did he do it?

You’ve possibly heard the terms ‘jailbreak’, ‘jailbroken’ and more when referring to the iPhone before. For those who are unfamiliar, ‘jailbreak’ refers to unlocking key parts of the phone that prevent you from making modifications to the iPhone’s operating system, features, or files, or from installing software not approved by Apple. The allure of doing so is often adding 3rd party software not supported or approved by Apple, customizing your phone’s look, themes, actions, and more. But jailbreaking often comes with risk that is unknown to the non-security-conscious user. Most jailbroken phones have various forms of remote access for moving or uploading files to the phone, etc. The problem lies in the fact that the phone’s ‘root’ account (think of it like your ‘Administrator’ account on your Windows PC or Mac) is enabled and has a default password that is the same across all jailbroken devices. If an attacker gains access to this account, they have full control of your device, to upload what they want, modify the phone how they want and more. The hacker scanned Dutch networks, found devices with this default account enabled, and took advantage of this very hole, which enabled him to command these devices how he chose.

While this hacker only wanted a donation to fix the hole and nothing more (and has now since stopped asking for money and started volunteering to help users fix the issue) it could have been worse.  If you have or own a jailbroken iPhone or iPod Touch, SSH into your device, and use the ‘passwd’ command to change your root password right away.

If you’re unsure how to do this, the easiest way is as follows:

1. Download ‘Mobile Terminal’ in the Cydia app on your Jailbroken device.

2. Open the Terminal app, type in “su root” and hit enter, then provide the root password. The default password as provided by Apple is “alpine”.

3. Type in “passwd” and hit enter, and then type in your new password twice (if you can’t see the letters you’re typing in on the screen, that’s because they are hidden for security).

4. You should also change the password for the “mobile” (default) user as well. Type in “passwd mobile” and hit enter, and type in a new password twice, as you did above.

5. Close mobile terminal, and you should be all set!

Questions? Comments? Leave ’em here, or feel free to send us a reply to @flexilis on Twitter, or drop us a line by email at support.at.flexilis.com

Ask Flexilis Live!

Chris July 30

Today we held an event on Twitter called “Ask Flexilis!” where we took any and all questions people on Twitter had on anything mobile, whether it was about the carriers, handset makers, new technologies, security, news about mobile and current events in mobile, or even questions about Flexilis.

Posted below is the transcript from the event. Enjoy!

Q: @heisenthought: “What kind of mobile attacks do you guys worry about the most?”
A: @flexilis: “Any attack really. If it threatens your data, your livelihood, or your mobile experience we want to be there to stop it. The current iPhone vulnerability is one of the big ones right now, hopefully Apple provides a fix soon”

Q: @jgrubbs: “will you be adding the ability to edit my contacts via the web that are then re-synced back to my phone?”
A: @flexilis: “It’s something we’re looking in to, our focus so far has been more backup than sync, & we’re making sure we’re doing that right first.”

Q: @tlrobinson: “How do you go about finding vulnerabilities in phones?”
A: @flexilis: “our security researchers are some of the best. they sift through the code, test it all in a million ways and more, they rock!”

Flexilis Beta Release 9 is Out!

james July 10

Flexilis Beta Release 9 is now out and ready for download! This update focused on long term improvements based on extensive user feedback and testing which include major user interface/experience improvements on both the client and the web and speed/stability enhancements on the web. Notable changes include:

  • New and improved mobile client user interface
  • Significantly improved support for international users
  • New Anti-Virus and Firewall page and security event reporting on web application
  • Improved multiple device navigation on the web application
  • Added additional news feed events for modifying settings, missing device actions, software updates, and restoring data

To check out all the new updates, just visit http://beta.flexilis.com/ and log in to your account. Your mobile client will automatically download and install the new updates at its next scheduled connection. If you’d like to view a full list of changes and get more details about this release, take a look at our changelog.

Thank you to all of our fantastic beta testers who have contributed feedback and bug reports. The response and positive feedback have been amazing. We have beta testers using over 500 different types of devices in over 200 countries across 400 mobile networks around the world. So, please, keep the feedback flowing! If you need help or would like to send us a report, you can e-mail support@flexilis.com or use our contact form to get in touch with us any time. Everything that you send us helps to improve Flexilis and ensure that you and your mobile device remain safe and connected.

Enjoy!

-The Flexilis Team

Flexilis Beta Release 8 is Live!

james June 26

Flexilis Beta Release 8 is now out and ready for download! We’ve made some major performance improvements to the Anti-Virus and Firewall/Intrusion Prevention modules which keep Flexilis and your device running fast and efficient–especially when using bandwidth-intensive apps like video or audio streaming, or scanning files on a storage card for viruses. We also added a new section to the web application so you can easily view your recently backed up data all in one place. Overall this update runs smoother than ever and we’re really excited about it!

To check out the new release, just visit http://beta.flexilis.com/ and log in to your account. Your mobile client will automatically download and install the new software at its next scheduled sync. If you’d like to view a full list of changes and get more details about this release, check out the changelog.

Thanks to everyone that contributed feedback and bug reports for this release. If you need help or would like to send us a report, you can e-mail support@flexilis.com or use our contact form to get in touch with us any time. We love hearing your feedback, and everything that you send us really helps make Flexilis better.

Enjoy!

-The Flexilis Team

Flexilis Beta Release 7 is Live!

james May 21

Flexilis Beta Release 7 is now out and ready for download! We’ve focused on a number of performance enhancements in this update, and we were able to substantially reduce memory usage to keep Flexilis running fast and efficient on your device. We also fixed a number of bugs on the client and web, including issues related to missing device functionality and an issue that disabled Flexilis for some international users. Overall this release runs faster and more efficiently than ever, and is paving the way for some very exciting improvements that are right around the corner. We’re working hard every day to keep your devices safe and connected.

To check out the new release, just visit https://beta.flexilis.com/ and log in to your account. Your mobile client will automatically download and install the new software at its next scheduled sync. If you’d like to view a full list of changes and get more details about this release, take a look at our changelog.

Thanks to everyone that contributed feedback and bug reports for this release. If you need help or would like to send us a report, you can e-mail support@flexilis.com or use our contact form to get in touch with us any time. We love hearing your feedback, and everything that you send us really helps make Flexilis better.

Enjoy!

-The Flexilis Team

Beta 6 Server Update

james May 15

We’ve just pushed out a server release with lots of updates and bug fixes! There are a few major improvements, too, including updates to the dashboard and missing device interface which really improve the usability of the application. We also made some enhancements that many of you have been asking for, including the ability to select all of your data with 1 click and easily restore or download. Just log in at https://beta.flexilis.com/ to check out all the new features, or you can view a full list on our changelog.

You’ll also notice that the Flexilis homepage has a new face. We’ve added additional information that should give you a small preview of what Flexilis has to offer.

There are a number of very exciting things around the corner that we have been working very hard on. So, stay tuned.


As always, thanks to our beta testers for all the great feedback and bug reports you’ve sent us! Keep them coming, we love hearing your thoughts and we continually use them to improve Flexilis. Just drop us an e-mail at support@flexilis.com with questions, comments or reports at any time.

Thanks!

-The Flexilis Team

Palm Pre release Date, Storm gets an upgrade, & Waffle Wednesdays?

Chris April 20

It’s Monday again, so let’s take a look back at some of the major mobile milestones of the last week:

TGDaily reported rumors of internal memos circulating at Palm and Sprint that state a preliminary launch date for the Palm Pre of May 17th, though with the possibility of being pushed back to June 29th, if Palm can’t deliver enough units in time. The Palm Pre, announced at this year’s CES, is the first device using Palm’s new WebOS, a radically new and different UI than seen in previous Palm devices.

Joystiq also reported rumors of Microsoft somehow bringing the popular Halo franchise to Windows Mobile, citing a job posting over at job hunting supersite Careerbuilder. With most new phones being designed for Windows Mobile 6.5 and 7, and starting to show 3D graphics chipsets from the likes of ATI and Nvidia, could I picture myself driving a Warthog and fighting off the Covenant on the morning train ride to work? You betcha.

Blackberry Storm users got a new firmware update, fixing numerous stability problems and bugs on the device, as well as adding new features like an on-screen keyboard, and more.

Also out of the Microsoft camp, new details on the upcoming ZuneHD were released by WMPowerUser, including various pictures and details. Why is this mobile related? Because it seems that the new Zune HD will possibly be running a copy of Windows Mobile 7, which makes sense based on recent rumors of some of the Zune team and Windows Mobile team being merged together internally. Will we start seeing new ZuneHD phones? Time will tell.

In Flexilis news, on Wednesday, we had our usual Waffle Wednesday, but also released the 6th iteration of Flexilis Beta, details of which can be found by clicking HERE.

One of our Engineers, Anthony Lineberry, also spoke about Linux Security at BlackHat Europe last week, to much acclaim.

On Twitter, we also asked everyone, “what’s the biggest question you’ve always wanted to know the answer to about mobile or mobile security?” We’d still love to hear all of your questions and thoughts on this, so please reply in the comments, or if you’re on twitter, send @flexilis a reply!