Despite the best efforts of developers, operating systems, devices and apps are often released with security issues that may affect end users. This is hardly news, of course, and the threat level varies depending on the vulnerability, but part of our job as security researchers involves testing new offerings for potential security flaws.
And we find them. Often.
Once a vulnerability is discovered, there are all kinds of ways an individual researcher or company can go about bringing it to the creator’s attention. Everyone has their own disclosure philosophy, but the story below about a vulnerability we discovered in Blackphone is a good illustration of how we go about it.
Case Study: Blackphone
The Blackphone is a smartphone developed by SGP Technologies to provide encryption for phone calls, emails, texts, and internet browsing. SGP Technologies is a joint venture between the makers of GeeksPhone and Silent Circle. The phone runs a modified version of Android called PrivatOS, forked from Android 4.4.2, and comes with a bundle of security-minded tools. Blackphone began to ship pre-orders on June 30, 2014.
Not long thereafter, viaForensics researchers Sebastiàn Guerrero and Marco Grassi discovered a compile-time issue where a Blackphone system application was included with the "debuggable" flag set to true. This could lead to privilege escalation on the device via the debug subsystem. (Note: this same vulnerability was later independently discovered by Justin Case and revealed at the Blackhat conference in Las Vegas).
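A check for this class of build mistake, added here as an example and not code from viaForensics or Blackphone: it parses a decoded AndroidManifest.xml (the plain-XML form that apktool or aapt produces from an APK's binary manifest) and flags android:debuggable="true", raising the severity when the app also shares the system UID. The package names and manifests below are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _android_attr(elem, name):
    # Manifest attributes live in the android: namespace; ElementTree keys them as {ns}name
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def audit_manifest(xml_text):
    """Inspect a decoded AndroidManifest.xml and report debuggable/system-app status.

    Returns a dict with the package name, whether android:debuggable is true,
    whether the app runs under the shared system UID, and a severity label.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    # android:debuggable defaults to false when absent; only the literal "true" enables it
    raw = _android_attr(app, "debuggable")
    debuggable = raw is not None and raw.strip().lower() == "true"
    # A system app shares "android.uid.system", so a debuggable one exposes far more
    # than its own sandbox: that combination is what the Blackphone finding was about
    system_uid = root.get("{%s}sharedUserId" % ANDROID_NS) == "android.uid.system"
    if debuggable and system_uid:
        severity = "critical"
    elif debuggable:
        severity = "high"
    else:
        severity = "none"
    return {"package": root.get("package"), "debuggable": debuggable,
            "system_uid": system_uid, "severity": severity}

# Constructed sample manifests for demonstration; not taken from any real device image
SYSTEM_DEBUGGABLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sysapp" android:sharedUserId="android.uid.system">
  <application android:label="Sys" android:debuggable="true"/>
</manifest>"""

RELEASE_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:label="App"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SYSTEM_DEBUGGABLE, RELEASE_APP):
        print(audit_manifest(manifest))
```

Running it over every APK in a firmware image's /system/app and /system/priv-app directories (after decoding each manifest) is the kind of pre-release gate that would have caught this flag before the device shipped.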
The same day we discovered the vulnerability, we contacted Dan Ford, CSO of Blackphone. He thanked us for bringing the flaw to his attention and his team quickly issued a fix. Blackphone even graciously credited our researchers in the release notes.
Security for All
Our goal is a safer mobile security ecosystem. To us, responsible disclosure means privately contacting companies and giving them time to remediate flaws rather than rushing to loudly go public in hopes of getting press coverage, retweets and geek points. We believe that publicly shaming companies for releasing products that are less than perfectly secure is not the best way to go about achieving better security for all. We believe in educating consumers, but also helping enterprises by giving them the tools they need to improve their products. Indeed, SGP recently used viaLab to test its messaging app against MITM, SSL Proxy and SSL Strip attacks.
Security flaws happen. But we believe the security community and the mobile ecosystem as a whole are better served by responsible, respectful disclosure.
If you’d like more information about our security testing products and services, contact us.