Category Archives: Encryption
Security consultancy from the other side
I used to run an application security consultancy business, back before the kinds of businesses who knew they needed to consider application security had got past assessing creating mobile apps. Whoops! Something that occasionally, nay, often happened was that clients …
Posted in Crypto, Encryption, Policy
On explaining stuff to people
An article that recently made the rounds, though it was written back in September, is called Apple’s Idioten Vektor. It’s a discussion of how the CCCrypt() function in Apple’s CommonCrypto library, when used in its default cipher block chaining mode, …
Posted in books, Crypto, documentation, Encryption, iPad, iPhone, Mac, PCAS
On the top 5 iOS appsec issues
Nearly 13 months ago, the Intrepidus Group published their top 5 iPhone application development security issues. Two of them are valid issues, the other three they should perhaps have thought longer over. The good Sensitive data unprotected at rest Secure …
Posted in buffer-overflow, code-level, Crypto, Data Leakage, Encryption, iPad, iPhone, ssl, Updates, user-error, Vulnerability
What happens when you jailbreak an iPad
Having played around with an iPad running a jailbreak OS yesterday, I thought it would be useful to explain one possible attack that doesn’t seem to get much coverage. As I’ve discussed in numerous talks, the data protection feature of …
Posted in Encryption, iPad, iPhone, ssh
On the broken(?) Mac App Store
A day after the Mac App Store was launched, people are reporting that it has been cracked. There are two separate stories here, a vapourware circumvention of the FairPlay DRM used to generate the receipts and a report that certain …
Posted in Business, Crypto, Encryption, Mac, Vulnerability
Protecting source code
As I mentioned on the missing iDeveloper.tv Live episode, one of the consequences of the Gawker hack was that their source code for their internal software was leaked into the Internet. I doubt any of my readers would want that …
Posted in Business, code-level, Data Leakage, Encryption, Policy, Responsibility, software-engineering
On the Mac App Store
I’ve just come off iDeveloper.TV Live with Scotty and John, where we were talking about the Mac app store. I had some material prepared about the security side of the app store that we didn’t get on to – here’s …
Posted in AAPL, Business, code-level, Encryption, government, iDeveloper.TV, Mac, Policy, Talk
On how to get crypto wrong
I’ve said time and time again: don’t write your own encryption algorithm. Once you’ve chosen an existing algorithm, don’t write your own implementation. Today I had to look at an encryption library that had been developed to store some files …
Posted in code-level, Crypto, Encryption
Why passwords aren’t always the right answer.
I realised something yesterday. I don’t know my master password. Users of Mac OS X can use FileVault, a data protection feature that replaces the user’s home folder with an encrypted disk image. Encrypted disk images are protected by AES-128 …
Posted in Encryption, Keychain, Mac, password
Integrating SSH with the keychain on Snow Leopard
Not much movement has occurred on projects like SSHKeychain.app or SSHAgent.app in the last couple of years. The reason is that it’s not necessary to use them these days; you can get all of the convenience of keychain-stored SSH passphrases …
Posted in Encryption, Keychain, Mac, ssh