Category Archives: Mobile Security

Entries about the security of mobile devices.

SMS-based 2-factor: Good or Bad?

Wired published recently an article about how SMS-based 2-factor authentication is not good. This article is making a buzz, and an article appeared on that topic in Fortune. The basis for these articles is that SMS-based authentication is not associated to something you have (your phone), but with something you are loosely associated to (your […]

Fiction (maybe): Who will refuse to break a secure element?

Apple is refusing to break an iPhone for the FBI. I believe that they are right to do so, but also that this position isn’t that easy to stand for everybody. So, here is a little fiction (well, I think it is fiction) about this. The iPhone is a secure device, so the best way […]

About PIN, the iPhone is about 20 years behind smart cards

I was astonished when I read this article on breaking the iPhone PIN. Some guy has built a device that can guess your iPhone PIN, and he is using a very old trick that was performed on cards years ago. Of course, the exercise is pointless; as noted in the original article, Apple can (will) […]

Did Apple just boost mobile security?

I have been working on mobile security for many years, and things haven’t moved much: justifying mobile security is always painful. Whyshould Ispend more money? There aren’t that many attacks! Some business use cases seemed like a good justification, but the economics are unclear and remain in the order of “if youget hacked, it could […]

Convenience vs. Security vs. (Perceived) Security

Yesterday, @poulpita tweeted a link to a blog explaining that convenience keeps winning against security. The main argument in this blog is about iOS6’s Passbook, which can store credit card numbers, for your convienience. The reasoning goes on with a comparison of the security merits of a credit card number stored on Passbook and a […]

Some people don’t like phone security

It seems that FBI isn’t able to perform smudge attacks very well. Apparently, they have been defeated by Android’s “pattern lock” on a Samsung phone. Well, my friends must be smarter than the FBI, because both of the guys who tried to defeat my pattern lock using a smudge attack succeeded. The fun part is […]

Protecting your contactless card

As I mentioned in NFC Payments 101, current contactless cards aren’t protected against the simple attack that consists in performing a transaction while your card is in your pocket. Since some models don’t require anything else than tapping the card, the attack is workable. Well, that may change. researchers for the University of Pittsburgh’s RFID […]

Google Wallet has a Vulnerability (not on SE)

The game has started for Google Wallet. Some guys are looking for vulnerabilities, and of course, finding some. You can read the papers to get all the details on this attack. Basically, they have been smart enough to use a salt before hashing the PIN value to avoid brute-force attacks. However, they haven’t been smart […]

No memory, no chocolate!

There has been some excitement lately about the fact that more and more phones are now getting embedded SE’s (eSE’s), associated to a NFC interface. Some of this excitement came from the ability to manage third-party applications on this embedded SE, as enabled by a whole range of GlobalPlatform specifications, and by the emergence of […]

Google’s vision of Secure Elements

Google has launched its Google Wallet service, which uses a secure element in the phone to provide some security. Of course, Java card is in every one of these secure elements, but it is not the point today. I have just stumbled upon the Google Wallet page. Initially, I was looking for information about how […]