A
access codes in Bluetooth, 293
Activities in Android, 20, 29–32
adb (Android Debug Bridge), 18–19
adbd (Android Debug Bridge Daemon), 18–19
addition functions in Windows Mobile, 102
addProximityAlert method, 37, 336
Address Space Layout Randomization (ASLR), 65
AdoptFromServer method, 219
AES key, 146
AF_BTH address family, 119
AIDL (Android Interface Definition Language), 21, 40
AJAX SDK, 52
.alx manifest files, 133
Andersen, Buzz, 69
Android, 16–17
Activities, 29–32
application sandboxing, 354
Binder interfaces, 40–42
Broadcasts, 32–34
buffer overflow, 359
conclusion, 46–47
ContentProviders, 35–36
development and debugging, 17–19
files and preferences, 38–39
geolocation, 334–336
intent reflection, 37–38
IntentFilters, 28–29
Intents, 27–29
IPC mechanisms, 20–21
mass storage, 40
permissions, 22–27
policies, 349
security model, 21–22
security tools, 42–46
Services, 34–35
SQL injection, 37
Android Activity Manager, 28
Android Debug Bridge (adb), 18–19
Android Debug Bridge Daemon (adbd), 18–19
Android Interface Definition Language (AIDL), 21, 40
AndroidManifest.xml file
BroadcastReceivers, 32
Services, 34
App Store, 50
AppAssistant, 244
Apple iPhone. See iPhone
application developers for Android, 17
application isolation, 5
Application Manager, 227
application packaging
BlackBerry, 132–134
iPhone, 62
JME, 170–175
SymbianOS, 200–206
WebOS, 246–247
Windows Mobile, 104–106
Application Permissions Manager, 135, 140
Application Profiler, 166
Application Store, 62–63
Application Web Loader, 134
applications
iPhone, 62–64
sandboxing, 352–354
signing, 354–356
SMS, 324–326
WAP and Mobile HTML, 260–273
Windows Mobile, 110–111
AppTRK device agent, 190–191
Aptana plug-in, 231
ARM architecture
arrays in Symbian C++, 194
ASLR (Address Space Layout Randomization), 65
assistants, WebOS, 230–231
asymmetric cryptography, 108
AT commands, 327–329
authentication
Bluetooth, 290–291
keyboard issues, 3
MFA, 8–9
WAP and Mobile HTML, 254–257
authorization in Bluetooth, 290–292
B
BAS (BlackBerry Attachment Service), 123
battery-draining attacks, 316–317
BBFileScout application, 144
BD_ADDR (Bluetooth device address), 283
BDM (BlackBerry Desktop Manager), 132–133
bearers in WAP, 306
Berkeley Sockets API, 118
BES (BlackBerry Enterprise Server), 123, 134, 349
Beselo.B worm, 365
bindService method, 34
BIS (BlackBerry Internet Service), 123, 148
BlackBerry, 122
application packaging and distribution, 132–134
application sandboxing, 354
buffer overflow, 359
carrier certificates and MIDLet signatures, 140–141
code security, 131
coding environment, 125–126
conclusion, 149–150
debugging, 127–128
development and security testing, 125–134
device and OS architecture, 124–125
disassembly, 129–131
encrypted and device secured storage, 146–148
geolocation, 338–339
introduction, 122–123
local data storage, 143–148
locking devices, 142–143
networking, 148–149
permissions and user controls, 134–143
programmatic file system access, 144–145
RIM Controlled APIs, 135–140
simulators, 126–127
structured storage, 145
BlackBerry Application Web Loader, 134
BlackBerry Attachment Service (BAS), 123
BlackBerry Desktop Manager (BDM), 132–133
BlackBerry Developer Zone site, 158
BlackBerry Enterprise Server (BES), 123, 134, 349
BlackBerry Internet Service (BIS), 123, 148
BlackBerry Signing Authority Tool, 135
BlackHat presentation, 123
Bluebugging, 295
Bluejacking, 295
Bluesnarfing, 295
Bluetooth, 278
alternatives, 279–281
common uses, 279
device identification, 283
future, 281
history and standards, 278–279
modes of operation, 283–284
network topology, 282–283
pairing, 288–290
profiles, 286–287
radio operation and frequency, 281–282
recommendations, 297
security features, 287–294
stack, 285–286
threats, 294–295
vulnerabilities, 295–297
and Windows Mobile, 119
Bluetooth device address (BD_ADDR), 283
Bluetooth Generic Access Profile, 293
Bluetooth Special Interest Group, 278
bondable Bluetooth mode, 284
Brador.a Trojan, 366
BROADCAST_STICKY permission, 34
broadcastIntent method, 33
BroadcastReceivers, 32
Broadcasts in Android, 20, 32–34
browsers
extensions, 377–381
WAP and Mobile HTML, 273–275
buffer overflows
BlackBerry, 131
enterprise security, 357–360
iPhone, 57
JME, 168
Symbian C++, 192
Windows Mobile, 101–102
builds for iPhone, 62
Burns, Jesse, 42
bytecode in JME, 162
C
C development toolkit (CDT), 186
C# language, 103
C/C++ languages
BlackBerry, 131
buffer overflows, 357–358
iPhone, 60
JME, 169
Symbian. See Symbian C++
Windows Mobile, 100–103
CAB files, 104–106
CAB Provisioning File (CPF), 113
Cabir worm, 365
CabWiz.exe tool, 106
Cache Operations (CO), 310–312
caches, browser, 274
caller IDs, 257
caller permissions, 41
calling Android services, 34
Camera capture scene, 245
capabilities of SymbianOS, 207–210
CAPI (Crypto API), 117
car whispering, 295
Carbide.c++, 186–187
carrier certificates, 140–141
CAs (Certification Authorities)
Windows Mobile, 107
categories in Intents, 29
CDC (Connected Device Configuration), 154–155
CDK (C development kit), 186
CDMA (Code Division Multiple Access), 300
CeAppMgr.exe (Mobile Application Manager), 106
cellular emulator, 93–94
Certificate Signing Requests (CSRs), 63
certificate stores, 108–109
certificates
carrier, 140–141
Windows Mobile, 107–110
Certification Authorities (CAs)
Windows Mobile, 107
Certified Signed category, 205
Certified Wireless USB, 279
Chaos Communication Congress 2008, 51
characteristics of executables, 97–98
checkCallingPermission method, 41
checkCallingPermissionOrSelf method, 41
checkPermission method, 24–25, 35
CheckPolicy method, 213
claimant devices in Bluetooth, 291
Clang Static Analyzer tool, 61
Clark, Chris, 354
class-dump tool, 54
class-dump-x tool, 54–55
CLDC (Connected Limited Device Configuration), 122, 153–155, 169–170
Cleanup Stack, 196–197
client/server sessions in SymbianOS, 211–216
CM (Connection Manager) component, 118
CO (Cache Operations), 310–312
Cocoa Socket Streams, 73
Cocoa Touch API, 50–51
coddec tool, 129–130
Code Division Multiple Access (CDMA), 300
code security
BlackBerry, 131
JME, 168–170
SymbianOS, 191–200
WebOS, 237–247
Windows Mobile, 100–104
CodeSigningKey class, 145
coding environments
BlackBerry, 125–126
Windows Mobile, 90–91
cold reboots in Windows Mobile, 83
com.palm buckets, 247
CommDD capability, 210
Commwarrior worm, 365
compilation
BlackBerry, 135
iPhone, 62
confidentiality in Bluetooth, 290, 292–293
configurations for JME, 153–157
Conglomco services, 69
connectability modes in Bluetooth, 284
connectable Bluetooth mode, 284
Connected Device Configuration (CDC), 154–155
Connected Limited Device Configuration (CLDC), 122, 153–155, 169–170
Connection Manager (CM) component, 118
ContactList JME class, 128
content protection in BlackBerry, 146–147
conversion functions in Windows Mobile, 102
cookies
WebOS, 248
Windows Mobile, 102–103
copy-and-paste iPhone functionality, 50
Cordless Telephony Profile, 287
Core Data API, 50–51
Core data in iPhone, 68
Core Idioms (EUserHL), 188, 193, 197
CPF (CAB Provisioning File), 113
CPolicyServer class, 215
Create function, 87
CreateEvent function, 87
CreateFile method, 89
CreatePrivatePath method, 218
CreateSession method, 212, 216
cross-site request forgery (CSRF), 7, 266–269
cross-site scripting (XSS)
WAP and Mobile HTML, 260–263
WebOS, 237
Crypto API (CAPI), 117
cryptographic APIs, 147–148
cryptography. See encryption
CryptProtectData API, 117
CryptUnprotectData API, 117
CSI files, 138
CSRF (cross-site request forgery), 7, 266–269
CSRs (Certificate Signing Requests), 63
CSystemRandom class, 220
ctypes interop package, 104
Cydia installer
iPhone, 64
for unauthorized applications, 51, 53
D
D8 debugger, 235
Dalvik virtual machine, 18
Dangerous protection level, 25
Darwin CC Tools, 53
data access in JME, 178
data caging, 218
Data Execution Protection (DEP), 160
Data Protection Act, 341
Data Protection API (DPAPI) technology, 116–117
.data section in PE files, 99
data storage. See storage
data theft, 340
DATK (Device Automation Toolkit), 92
debugging
Android, 17–19
BlackBerry, 127–128
iPhone, 52
JME, 162–167
SymbianOS, 190
WebOS, 234–236
Windows Mobile, 94–96
DebugServer profile, 127
decompilation
iPhone, 52–56
JME, 162–163
Defcon presentation, 123
delete method, 37
deleteQuery method, 35
DEP (Data Execution Protection), 160
depots in WebOS, 248–249
descriptors in Symbian C++, 192–194
Desktop-Passthrough (DTPT) connection, 118
Developer edition of SymbianOS, 186
developer mode in WebOS, 232
developers
certificates, 110
malware mitigation, 369
development
Android, 17–19
BlackBerry, 125–134
JME, 157–175
SymbianOS, 186–191
WebOS, 231–236
Windows Mobile, 90–106
BlackBerry, 124–125
SymbianOS, 183–185
Windows Mobile, 81–83
Device Automation Toolkit (DATK), 92
device drivers, insecure, 8
Device Emulator Manager (dvcemumanager.exe), 93
device emulators, 91–94
device identification in Bluetooth, 283
device mode in BlackBerry, 147
device proximity feature, 294
device security
enterprise security, 344–346
Windows Mobile policies, 113–114
device storage
BlackBerry, 146–148
SymbianOS, 185–186
Windows Mobile, 83
device theft of iPhone, 66
DeviceEmulator.exe, 93
Dial Up Networking Profile, 287
direct evaluation vulnerabilities, 238–240
disassembly
BlackBerry, 129–131
iPhone, 52–56
JME, 162–163
SymbianOS, 190–191
WebOS, 234–236
Windows Mobile, 97–100
Disassembly View in Visual Studio, 100
discoverability modes in Bluetooth, 284
disks
encryption, 350
secure data on, 3
distribution
BlackBerry, 132–134
iPhone applications, 62–63
JME, 170–175
SymbianOS, 200–206
WebOS, 246–247
Windows Mobile, 104–106
DJ Java Decompiler, 163
DLLs (dynamic link libraries), 84–85, 105
Document Object Model (DOM), 229
domains in JME, 176
Doombot worm, 367
DOS headers in Windows Mobile, 97–98
double-free bugs, 60–61
DPAPI (Data Protection API) technology, 116–117
Drewry, Will, 359
DTPT (Desktop-Passthrough) connection, 118
dvcemumanager.exe (Device Emulator Manager), 93
dynamic link libraries (DLLs), 84–85, 105
E
e-mail encryption, 350–351
E32Image format, 200
EABI (Embedded Application Binary Interface), 200
ECC (Elliptical Curve Cryptography), 146
ECDH (Elliptic Curve Diffie-Hellman), 289
Eclipse
JME, 157
WebOS, 231–232
8.3 file format, 105
802.11 technologies
Bluetooth, 280
GPS geolocation, 333–334
Elliptic Curve Diffie-Hellman (ECDH), 289
Elliptical Curve Cryptography (ECC), 146
Embedded Application Binary Interface (EABI), 200
emulator certificates, 110
emulators
BlackBerry, 125
JME, 160–162
SymbianOS, 188–190
WebOS, 233–234
encryption
BlackBerry, 146–148
enterprise security, 350–351
iPhone, 66
SymbianOS, 220–221
WAP and Mobile HTML, 257–259
Windows Mobile, 107–108, 116–117
Encryption API, 188
end users
geolocation risks, 340–341
malware mitigation, 369–370
Enhanced Data Rate, 282
enterprise security, 344
application sandboxing, 352–354
application signing, 354–356
buffer overflow protection, 357–360
conclusion, 360–361
device security options, 344–346
encryption, 350–351
feature summary, 360
file permissions, 356–357
local storage, 347–348
policies, 348–350
Entitlements in iPhone, 69
entropy in iPhone, 70–71
ESOCK component, 210
EUserHL Core Idioms Library, 188, 193, 197
eval statement, 238–240
evalJSON method, 239–240
Executable Image capabilities, 209
Executable Image Format, 200–202
eXecute-in-Place (XiP) DLLs, 84–85
executeSQL method, 249
exploit mitigation in iPhone, 65
Export Table, 98
Express Signed category, 205
Extensible Messaging and Presence Protocol (XMPP) service, 250
EZPass systems, 340
F
fake firmware, 367
FasTrak systems, 340
file handles, 219
file headers, 97–98
File Transfer Profile, 287
FileConnection API, 144
FileOutputStream class, 39
files
Android, 38–39
BlackBerry, 144
encryption, 351
iPhone, 66–71
permissions, 356–357
SymbianOS, 218–219
WebOS, 249–250
Windows Mobile, 114–115
filters, IntentFilters, 28–29
Firebug browser extension, 381
firmware, fake, 367
fixed storage in SymbianOS, 185
FLAG_GRANT flags, 36
flash memory, 125
Flawfinder tool, 61
Flocker worm, 366
format string attacks, 58–59
FoxyProxy browser extension, 377–379
frameworks, SymbianOS, 184–185
free function, 60
Freeman, Jay, 63
frequency-hopping schemes, 294
FTP for iPhone, 72
full disk encryption, 350
fuzzing
Android, 45
frameworks, 387
SMS, 309
G
GameKit, 74–75
GAP (Generic Access Profile), 286
GCCE compiler, 195
gdb debugger, 52
general discoverable mode, 284
Generic Access Profile (GAP), 286
GeoCities website, 124
geolocation, 332
Android, 334–336
best practices, 341–342
BlackBerry, 338–339
methods, 332–334
risks, 339–341
SymbianOS, 337–338
Windows Mobile, 337
GET_TASKS permission, 45
getCallingPid method, 41–42
getCallingUid method, 41–42
getDir method, 38
getFilesDir method, 38
getFileStreamPath method, 38
Gizmo tool, 386
GKPeerPickerController class, 74
GKSession class, 74
GKVoiceChatService class, 74
Gowdiak, Adam, 168
GPS geolocation method, 333–334
GPSGetPosition API, 337
GPSOpenDevice API, 337
grantUriPermission method, 36
GUIDs for iPhone, 65
H
Hachoir tool, 388
HAL (Hardware Abstraction Layer)
SymbianOS, 184
Windows Mobile, 82
handles in SymbianOS, 217, 219
Hands-Free Profile, 287
hard resets, 83
Hardware Abstraction Layer (HAL)
SymbianOS, 184
Windows Mobile, 82
hardware layer
SymbianOS, 184
Windows Mobile, 81
hashes in Windows Mobile, 108
HCI (Host Controller Interface), 286
heap for iPhone, 65
HiperLAN standard, 280
hives, registry, 115
HKEY_CURRENT_USER (HKCU) hive, 115
HKEY_LOCAL_MACHINE (HKLM) hive, 115
HMAC verifier, 221–222
HomeRF specification, 281
Host Controller Interface (HCI), 286
host layers in Bluetooth, 286
HRESULTs, 101–102
HTML
innerHTML injection, 240–241
security. See Wireless Application Protocol (WAP) and Mobile HTML
HTTP
headers, 9
iPhone, 72
redirects, 270–271
Windows Mobile, 119
HTTPOnly flag, 274
HTTPS for iPhone, 72
HyperTerminal program, 327
I
IAT (Import Address Table), 98
id command, 19
Identified Third Party protection domains, 176
identity checking in Android, 41
IDeviceEmulatorManager interface, 93
images
Executable Image Format, 200–202
Windows Mobile, 92
IMEI (International Mobile Equipment Identity) numbers, 205, 366
Import Address Table (IAT), 98
Import Table, 98
IMSI (International Mobile Subscriber Identity), 366
Industrial Science and Medical (ISM) band, 280
.INF (Information File), 106
Infojack code, 366
information disclosure, 5
Information File (.INF), 106
Infrared Data Association (IrDA)
Windows Mobile, 118
wireless communications, 280
infrared ports, 118
initWithFormat function, 59
injection
programmatic data, 240–246
innerHTML injection, 240–241
input validation, 10
insecure device drivers, 8
install warnings, 22
Installer program, 64
installing Android applications, 24
integer operations in Windows Mobile, 102
integer overflows
iPhone, 57–58
JME, 168
Symbian C++, 195
Windows Mobile, 101–103
Intent Fuzzer tool, 45–46, 375–376
Intent Sniffer tool, 45, 374–375
IntentFilters, 28–29
Intents, Android, 20
reflection, 37–38
uses, 27–29
International Mobile Equipment Identity (IMEI) numbers, 205, 366
International Mobile Subscriber Identity (IMSI), 366
INTERNET permission, 23
interprocess communication (IPC)
Android, 20–21
SymbianOS, 211–217
IntSafe.h file, 101–102
intuitive URLs, 13–14
IOCollector class, 143
IPC (interprocess communication)
Android, 20–21
SymbianOS, 211–217
iPhone, 50
application format, 62–64
application sandboxing, 354
conclusion, 77
development, 52–56
history, 50–52
networking, 71–75
permissions and user controls, 64–66
policies, 349
push notifications, 75–76
security testing, 56–62
SMS, 325
iPhone Dev Team, 51
ipkg (Itsy Package Manager System), 246–247
IrDA (Infrared Data Association)
Windows Mobile, 118
wireless communications, 280
ISM (Industrial Science and Medical) band, 280
isolation of application, 5
issues overview, 2–9
Itsy Package Manager System (ipkg), 246–247
J
J2ME geolocation APIs, 338
jad (Java application decompiler), 163
JAD (Java Application Descriptor) files, 132, 171–173
jailbreaking in iPhone, 51, 64
JARs (Java archive files), 163
Java application decompiler (jad), 163
Java Application Descriptor (JAD) files, 132, 171–173
Java archive files (JARs), 163
Java Community Process (JCP), 152
Java Development Environment (JDE), 125
Java Mobile Edition (JME), 152
application packaging and distribution, 170–175
code security, 168–170
conclusion, 179
configurations, profiles, and JSRs, 153–157
development and security testing, 157–175
emulators, 160–162
permissions and user controls, 175–179
reverse engineering and debugging, 162–167
standards development, 152–153
Java native invocation (JNI), 124, 169
Java Runtime Environment (JRE), 173
Java Specification Requests (JSRs)
adding and removing, 161
CLDC, 169
profiles and configurations, 153–154
standards, 152–156
Java Verified program, 173
Java virtual machines (JVMs), 124, 153
JavaScript Object Notation (JSON), 239–240
JCP (Java Community Process), 152
JDE (Java Development Environment), 125
JME. See Java Mobile Edition (JME)
JNI (Java native invocation), 124, 169
JPG overflow, 326
JRE (Java Runtime Environment), 173
JSON (JavaScript Object Notation), 239–240
JSRs. See Java Specification Requests (JSRs)
Just Works association model, 289
JVMs (Java virtual machines), 124, 153
K
KDWP (KVM Debug Wire Protocol), 165
kernel architecture in Windows Mobile, 83–90
Kernel Layer, 82
kernel mode, 88–90
Kernel Object Manager (KOM), 87
kernel services layer in SymbianOS, 184
key pairs in Windows Mobile, 108
keyboards
and strong authentication, 3
WAP and Mobile HTML, 254–255
keychain-access-groups, 69
Keychain Access tool, 63
Keychain storage, 68–69, 347–348
keys
Bluetooth, 295–296
JME, 173
registry, 115
SymbianOS, 220–221
Windows Mobile, 107–108
kill switch in iPhone, 63
Kilobyte Virtual Machine, 168
Kleer company, 280
KOM (Kernel Object Manager), 87
Kouznetsov, Pavel, 163
KVM Debug Wire Protocol (KDWP), 165
L
L2CAP (Logical Link Control and Adaptation Protocol), 286
Large Memory Area (LMA), 84–85
launch parameter script injection, 244–245
Lawler, Stephen, 129
LCleanedupXXX classes, 197–199
least privilege model, 11
leaves in Symbian C++, 195–199
libraries
SymbianOS, 189
limited discoverable mode, 284
link time verification, 136
Linux for WebOS, 232–233
_LIT_SECURITY_POLICY macros, 211–212
Live HTTP Headers browser extension, 379–380
LMA (Large Memory Area), 84–85
LManagedXXX classes, 197–199
LoadLibrary function, 189
local data injection, 243–246
local data storage
BlackBerry, 143–148
enterprise security, 347–348
iPhone, 66–71
Windows Mobile, 114–117
Location Manager, 37
location privacy and security, 8
Location Services JSR, 175
location tracking in Bluetooth, 294
LocationManager service, 335
locking devices
BlackBerry, 142–143
Windows Mobile, 111–112
Logical Link Control and Adaptation Protocol (L2CAP), 286
Luna, 227–228
M
M2M (Mobile2Market) program, 109
MAC (Mandatory Access Controls), 64
malware
mitigating, 369–370
past, 364–367
threat scenarios, 367–368
WebOS, 246
managed code, 103
managedQuery method, 37
Mandatory Access Controls (MAC), 64
Manifest Explorer tool, 43, 372–373
manifest files, 133
manifest permissions in Android, 22–27
manual deployment in Windows Mobile, 106
Manufacturer capabilities in SymbianOS, 209
Manufacturer protection domains, 176
MapCallerPtr API, 85
MapPtrProcess API, 85
mass storage in Android, 40
master devices in Bluetooth, 282
master keys in Bluetooth, 296
MDS (Mobile Data System) component, 122–123
memory
BlackBerry, 124–125
iPhone, 57
Windows Mobile, 84–85
Memory Cleaner daemon, 146–147
Memory window in Windows Mobile, 95
MFA (multifactor authentication), 8–9
MicroSD, 3
Microsoft Device Emulator, 91–94
Microsoft Intermediate Language (MSIL), 103
MIDlet-Certificate-X-Y attribute, 172
MIDlet-Jar-RSA-SHA1 attribute, 172
MIDLet signatures in BlackBerry, 140–141
MIDlet-Touch-Support option, 172
MIDP (Mobile Information Device Profile), 122
MIDP 2.1, 156
MIDP 3.0, 156
permission errors, 141–142
MIDP2 RecordStores, 145
Miller, Charlie, 325
MMS (Multimedia Messaging Service), 50, 300–301
notifications, 313–316
overview, 304–307
MMSC (Multimedia Messaging Service Server), 314–315
Mobile Application Manager (CeAppMgr.exe), 106
Mobile Data System (MDS) component, 122–123
Mobile HTML. See Wireless Application Protocol (WAP) and Mobile HTML
Mobile Information Device Profile (MIDP), 122
permission errors, 141–142
Mobile Safari application, 55
Mobile Tools for Eclipse plug-in, 157
Mobile2Market (M2M) program, 109
Model-View-Controller (MVC), 230
modes of Bluetooth operation, 283–284
module layers in Bluetooth, 285
Mojo framework, 228–229
Motorola MotoDev site, 158
Motorola RAZR JPG overflow, 326
MSIL (Microsoft Intermediate Language), 103
Mulliner, Collin, 325
multifactor authentication (MFA), 8–9
Multimedia Messaging Service (MMS), 50, 300–301
notifications, 313–316
overview, 304–307
Multimedia Messaging Service Server (MMSC), 314–315
multiple-user support, 4
multiplication functions in Windows Mobile, 102
MVC (Model-View-Controller), 230
N
name-squatting, 34
native code in Windows Mobile, 101
NDAs (nondisclosure agreements), 52
Near Field Communication (NFC) mechanism, 289
.NET Compact Framework (.NET CF), 103
NetBeans for JME, 157–159, 165
NetBeans Mobility Pack, 157–158
Netscape Plugin API (NPAPI), 228
network monitors, 165–167
networking
BlackBerry, 148–149
Bluetooth, 282–283
iPhone, 71–75
JME, 178
penetration testing tools, 381–384
WebOS, 250
Windows Mobile, 117–119
NFC (Near Field Communication) mechanism, 289
No eXecute bit (NX Bit), 359
Nokia, 183
non-bondable Bluetooth mode, 284
non-connectable Bluetooth mode, 284
non-discoverable Bluetooth mode, 284
non-SSL logins, 273
nondisclosure agreements (NDAs), 52
Normal-level processes in Windows Mobile, 88
Normal M2M tier, 109
Normal privileges in Windows Mobile, 104, 106–107
Normal protection level in Android, 25
notifications
iPhone, 75–76
MMS, 313–316
voicemail, 308
NPAPI (Netscape Plugin API), 228
NSInteger class, 58
NSLog class, 59
NSPasteBoard API, 50
NSStream class, 73–74
NSStreamSocketSecurityLevel class, 74
NSString class, 56–59
NSURLConnection function, 72–73
NSURLDownload function, 72
NSURLProtocol class, 72
Numeric Comparison association model, 289
NX Bit (No eXecute bit), 359
O
OAL (OEM Abstraction Layer), 81–82
obfuscation in JME, 164–165
Object Store, 83
Objective-C
objects in Windows Mobile, 86–88
OEM Abstraction Layer (OAL), 81–82
OEM edition of SymbianOS, 186
on-device debugging, 190
onServiceConnected method, 35
onTransact method, 40–41
OOB (out-of-band) association model, 289–290
opcodes in Java, 162
Open function in Windows Mobile, 87
Open Handset Alliance, 16
open platforms, 16
open redirects, 270–271
Open Signed Offline category, 205
Open Signed Online category, 205
Open Web Application Security Project (OWASP), 260
OpenC language, 199–200
openDatabase method, 249
openFileInput method, 38
openFileOutput method, 38
operating systems security, 4
Operator protection domains, 176
Optional headers in Windows Mobile, 98
optional packages in JME, 156–157
OS architecture for BlackBerry, 124–125
OS services layer for SymbianOS, 184
OS X and iPhone, 51
OS X Terminal, 54
OTA. See Over-The-Air (OTA)
otx tool, 55
out-of-band (OOB) association model, 289–290
Over-The-Air (OTA)
BlackBerry browser installation, 132–133
MIDP, 175
settings attacks, 318–321
SMS deployment, 106
overflows
BlackBerry, 131
enterprise security, 357–360
iPhone, 57–58
JME, 168
Motorola RAZR JPG, 326
Symbian C++, 195
Windows Mobile, 101–103
OWASP (Open Web Application Security Project), 260
P
P2P (Peer to Peer) networks, 74–75
Package Play tool, 44, 373–374
package UIDs (pUIDs), 202
packaging
Android, 36
BlackBerry, 132–134
iPhone, 62
JME, 170–175
SymbianOS, 200–206
WebOS, 246–247
Windows Mobile, 104–106
pairability/bondability modes, 284
pairing Bluetooth, 288–290
Palm Bus, 228–229
Palm Devices, 247
Palm Inspector, 235–236
Palm Pre, 226
PAN Profile, 287
parameterized queries
SQLite, 67
WebOS, 249
Parcelable interface, 40
Passkey Entry association model, 290
passthrough networking, 117
Password Keeper application, 143
passwords
iPhones, 68
root, 3
signatures, 173–174
SQL Server, 116
storing, 11
pasteboards, 76
patching issues, 6
PBAP (Phone Book Access Profile), 287
Pbstealer worm, 367
PC-based deployment in Windows Mobile, 106
PCRE (Perl Compatible Regular Expression) library, 325
PDA-style phones, 254
PDUs (protocol data units), 303, 324, 327–329
PE (Portable Executable) format, 97–99
Peach fuzzing framework, 387
Peer to Peer (P2P) networks, 74–75
PendingIntent class, 37–38
penetration testing, 372
attack tools and utilities, 372–376
browser extensions, 377–381
fuzzing frameworks, 387
general utilities, 388–389
networking tools, 381–384
web application tools, 384–386
Perl Compatible Regular Expression (PCRE) library, 325
permissions, 11
Android, 22–27
BlackBerry, 134–143
files, 356–357
iPhone, 64–66
SymbianOS, 207–210
WebOS, 247–250
Windows Mobile, 106–114
persistence
pasteboard, 76
SymbianOS data, 217–222
persistent object handles in BlackBerry, 124
PersistentObject interface, 143
PersistentStore class, 145
personal identification numbers. See PINs (personal identification numbers)
personal information manager (PIM) data, 134
PGP (Pretty Good Privacy), 351
phishing
overview, 7
WAP and Mobile HTML, 272
Phone Book Access Profile (PBAP), 287
physical security, 2–3
piconets, 282–283
PIDs (process identifiers), 41
PIM (personal information manager) data, 134
PINs (personal identification numbers)
Bluetooth, 296
enterprises, 345
Numeric Comparison association model, 289
WAP and Mobile HTML, 255–257
P.I.P.S. layer, 199–200
Platform Builder, 91
plug-ins in WebOS, 228
policies
enterprise security, 348–350
Windows Mobile, 110–114
polling servers, 122
Portable Executable (PE) format, 97–99
pre-verification in JME, 170
preferences in Android, 38–39
Pretty Good Privacy (PGP), 351
preverify.exe tool, 126
private pasteboards, 76
Privileged M2M tier, 109
privileges in Windows Mobile, 88, 104, 106–107
process identifiers (PIDs), 41
processes
SymbianOS capabilities, 209–210
Windows CE, 85–86
Professional edition of SymbianOS, 186
profilers in JME, 166–168
profiles
BlackBerry, 127–128
Bluetooth, 286–287
JME, 153–157
programmatic data injection, 240–241
programmatic file system access, 144–145
programming practices, secure, 10
ProPolice protector, 359
protection levels in Android, 25
protocol attacks, 308–324
protocol data units (PDUs), 303, 324, 327–329
prototype templates, 243
public keys
Windows Mobile, 107–108
pUIDs (package UIDs), 202
push technology
BlackBerry, 122
iPhone notifications, 75–76
WAP, 310–313
pushScene method, 246
pySimReader tool, 376
Python S60 library, 188
PythonCE language, 103–104
Q
query method, 37
R
radio operation and frequency in Bluetooth, 281–282
random access memory (RAM) in Windows Mobile, 83–84
random keys in SymbianOS, 220–221
random number generators
Bluetooth, 296
iPhone, 70–71
ransomware, 368
RArray class, 194
RAZR JPG overflow, 326
RBB (RIM BlackBerry Apps API), 135
RChunk class, 217
RCR (RIM Cryptographic Runtime), 135, 139
.rdata section in PE files, 99
READ_CONTACTS permission, 23–24
read-only memory (ROM)
SymbianOS, 185
Windows Mobile, 83–84
readStrongBinder method, 42
reboots in Windows Mobile, 83
RECEIVE_SMS permission, 33
receiving Broadcast Intents, 32–33
Record Management Store (RMS), 179
record stores in JME, 179
Redbrowser worm, 365
redirects, HTTP, 270–271
reflection
BlackBerry, 124
intent, 37–38
registry for Windows Mobile, 114–115
relative virtual addresses (RVAs), 97
Remote File Viewer (RFV), 95–96
Remote Heap Walker (RHW), 96
remote procedure call (RPC) interface, 228
Remote Registry Editor (RRE), 96
Remote Spy, 96
Remote Tools package, 95
remote wipe, 346
removable media protections, 147
removable storage, 185–186
requestUpdates method, 336
Research In Motion (RIM), 122
Restricted capabilities in SymbianOS, 208
reverse engineering
iPhone, 55–56
JME, 162–167
Remote Spy, 96
SymbianOS, 190–191
revokeUriPermission method, 36
revoking applications, 110
RFV (Remote File Viewer), 95–96
RHandleBase class, 217
RHW (Remote Heap Walker), 96
RIM (Research In Motion), 122
RIM BlackBerry Apps API (RBB), 135
RIM Controlled APIs, 134–140
RIM Cryptographic Runtime (RCR), 135, 139
RIM Runtime API (RRT), 135
RIM simulator, 126–127
RIMlets, 122
RMS (Record Management Store), 179
RNG (random number generator) strength, 296
ROM (read-only memory)
SymbianOS, 185
Windows Mobile, 83–84
RPC (remote procedure call) interface, 228
RPointerArray class, 194
RPositioner class, 338
RPositionServer class, 338
RRE (Remote Registry Editor), 96
RRT (RIM Runtime API), 135
RSessionBase class, 212
RSqlDatabase class, 219–220
RSqlSecurityPolicy class, 219
.rsrc section in PE files, 99
run time verification, 137
running applications in Windows Mobile, 110–111
RuntimeStore class, 145
RVAs (relative virtual addresses), 97
S
S60 framework, 183
Safari browser, 325
safe browsing environments, 4
Samsung Mobile Innovator, 157
sandboxing
application, 352–354
iPhone, 65
Sanity-check pasteboard, 76
satellite signals for GPS geolocation, 333–334
Scapy tool, 384
scatternets, 282
scenes in WebOS, 230–231, 245–246
SChannel (Secure Channel), 119
SCM (Service Configuration Manager), 86
script injection, 237–238
SDKs. See software development kits (SDKs)
SDL (secure development life cycle), 369
SDP (Service Discovery Protocol), 286
seatbelts in iPhone, 65
SecItemAdd function, 68–69
SecItemCopyMatching function, 68
SecItemUpdate function, 68
SecRandomCopyBytes API, 70
sections in Windows Mobile, 98
Secure Channel (SChannel), 119
secure data storage, 3
secure development life cycle (SDL) processes, 369
SECURE flag, 274
Secure IDs, 210–212
secure programming practices, 10
Secure Simple Pairing, 288–290
Secure Sockets Layer (SSL), 6–7, 10
BlackBerry, 148
e-mail, 351
iPhone, 70
WAP and Mobile HTML, 257–259
Windows Mobile, 119
secure URLs, 13–14
Security Configuration Manager PowerToy, 113
Security Configuration Manager tool, 105
security levels in Windows Mobile, 118
security models in Android, 21–22
security modes in Bluetooth, 293–294
security policies in Windows Mobile, 110–114
Security Support Provider (SSP), 119
Security Support Provider Interface (SSPI)
functions, 119
security testing
BlackBerry, 125–134
iPhone, 56–62
JME, 157–175
SymbianOS, 186–191
WebOS, 231–236
Windows Mobile, 90–106
Security Warrior, 97
SecurityException class, 26, 177
sendBroadcast method, 32
sending Broadcast Intents, 33
SendReceive method, 212
sensitive information storage, 11
Serial Port Profile, 286–287
Service Configuration Manager (SCM), 86
Service Discovery Protocol (SDP), 286
Service Indication (SI), 310–311
Service Loading (SL), 310–313
service providers, geolocation risks to, 341
service requests in WebOS, 246
service security levels in Bluetooth, 292
services
WebOS, 228
Windows Mobile, 86
session fixation, 272–273
sessionIDs in iPhone, 74–75
setAllowsAnyHTTPSCertificate function, 72
SetKMode function, 88–89
setPermissions method, 39
SetProcPermissions API, 85
SetSessionToPath method, 218
_setup.xml file, 104–106
shared handles, 217
shared Keychain storage, 69
shared master keys, 296
shared sessions, 216–217
ShareProtected method, 219
Short Message Service (SMS), 300
application-level attacks, 324–326
battery-draining attacks, 316–317
conclusion, 329–330
MMS notification, 313–316
Multimedia Messaging Service, 304–307
OTA settings attacks, 318–321
overview, 301–304
PDUs, 327–329
protocol attacks, 308–324
silent billing attacks, 318
short message service center (SMSC), 301
SI (Service Indication), 310–311
Signature Tool, 138–139
SignatureOrSystem protection level, 25
Android, 25
applications, 354–356
code, 12
JME, 172–174
SymbianOS, 203–206
silent billing attacks, SMS, 318
simulators for BlackBerry, 126–127
SIS files, 202–204
Skulls worm, 367
Skyhook Wireless, 333–334
SL (Service Loading), 310–313
slot-based memory architecture, 84
Smartphones, 182–183
SMIL (Synchronized Multimedia Integration Language), 326
SMS. See Short Message Service (SMS)
SMS.Python.Flocker worm, 366
SMSC (short message service center), 301
software development kits (SDKs)
Android, 17
iPhone, 52
SymbianOS, 187–188
Windows Mobile, 90–91
Sony Ericsson Developer World site, 158
sprintf function, 101
spyware, 6
SQL injection
Android, 37
WAP and Mobile HTML, 264–266
SQLCipher, 68
SQLite database, 67–68
SRAM for BlackBerry, 124–125
SSL. See Secure Sockets Layer (SSL)
SSP (Security Support Provider), 119
SSPI (Security Support Provider Interface) functions, 119
stack
Bluetooth, 285–286
iPhone, 65
Stack Cookie protection, 102–103
StackMap, 170
StageAssistant, 244
stages in WebOS, 230–231
standards
Bluetooth, 278–279
JME, 152–153
standby time in SMS, 316
startActivity method, 31–32
static analysis tools, 61–62
sticky broadcasts, 33–34
stolen Windows Mobile devices, 116
storage
Android, 40
BlackBerry, 143–148
enterprise security, 347–348
iPhone, 66–71
issues, 3
WebOS, 247–250
stream ciphers, 296
stringByAppendingFormat function, 59–60
stringWithFormat function, 59
strncat function, 101
strncpy function, 101
strong authentication, 3
StrSafe.h file, 101
structured storage
BlackBerry, 145
SymbianOS, 219–220
Windows Mobile, 116
subtraction functions in Windows Mobile, 102
Sulley fuzzing framework, 387
Sun Mobile Development Network, 157
SWInstall process, 206
Symbian C++, 191–192
arrays, 194
descriptors, 192–194
integer overflows, 195
leaves and traps, 195–199
Symbian Foundation, 183
Symbian Signed process, 204–205
SymbianOS, 182
application packaging, 200–206
code security, 191–200
conclusion, 223–224
debugging, 190
development and security testing, 186–191
emulators, 188–190
Executable Image Format, 200–202
geolocation, 337–338
introduction, 182–186
malware, 367
OpenC, 199–200
permissions and user controls, 207–210
persistent data storage, 217–222
SDKs, 187–188
shared handles, 217
shared sessions, 216–217
signatures, 203–206
symbolic names in JME, 164
Synchronized Multimedia Integration Language (SMIL), 326
system calls in Windows Mobile, 89–90
System capabilities in SymbianOS, 207
system developers for Android, 17
SysTRK device agent, 190
T
T-Mobile, 51
talk time in SMS, 316
TamperData browser extension, 379
tcpdump tool, 382–384
TDesC class, 192–193
template injection, 242–243
terminal programs, 327
.text section, PE files, 99
texting. See Short Message Service (SMS)
theft
geolocation risks, 340
iPhone, 66
Windows Mobile devices, 116
threads
SymbianOS, 210
Windows Mobile, 86
threats
Bluetooth, 294–295
models, 13
scenarios, 367–368
thunks, 89
TLS (Transport Layer Security), 10
BlackBerry, 148
e-mail, 351
WAP and Mobile HTML, 257–259
tower triangulation geolocation method, 332–333
TPosition class, 338
TPositionInfo class, 338
transact method, 40–42
TransferToClient method, 219
Transport Layer Security (TLS), 10
BlackBerry, 148
e-mail, 351
WAP and Mobile HTML, 257–259
TRAP macro, 195–196
TRAPD macro, 195–196
traps in Symbian C++, 195–199
Trojan.Redbrowser.A worm, 365
trust levels in Bluetooth, 291
TrustedBSD framework, 65
TSecurityPolicy class, 212
U
Ubuntu virtual machines, 18
UDHs (User Data Headers), 303–304
UDP packets, 317
UI System Manager, 227
UIDs (user identifiers)
SymbianOS, 202
UIPasteboard class, 76
UIPasteboardNameFind pasteboard, 76
UIPasteboardNameGeneral pasteboard, 76
Ultra-Wideband (UWB), 281
unauthorized applications with Cydia, 51
_UNICODE macro, 192
Unidentified Third Party protection domain, 176
Uniform Resource Identifiers (URIs), 36
unsigned code for iPhone, 51, 64
update injection, 240–241
update method
Android, 37
WebOS, 241
updateQuery method, 35
updating
issues, 6
process, 12
URIs (Uniform Resource Identifiers), 36
URL Loading API, 72–73
URLs, 13–14
User Agent Switcher browser extension, 377
User Application Layer, 83
user applications for SymbianOS, 184–185
user capabilities for SymbianOS, 207
BlackBerry, 134–143
iPhone, 64–66
JME, 175–179
SymbianOS, 207–210
WebOS, 247–250
Windows Mobile, 106–114
User Data Headers (UDHs), 303–304
user identifiers (UIDs)
SymbianOS, 202
USER key in Windows Mobile, 117
user mode in Windows Mobile, 88–90
UWB (Ultra-Wideband), 281
V
V8 JavaScript engine, 227–228
validation
input, 10
SymbianOS, 206
VBinDiff tool, 388–389
Vendor IDs in SymbianOS, 210–212
vendors, malware mitigation by, 369
verifier devices for Bluetooth, 291
VeriSign certificates, 140
VFAT file system, 218
viewing PE Files, 99
views in WebOS, 230–231
Virtual Memory Manager (VMM), 85
VirtualAlloc function, 189
viruses, 6. See malware
Visual Studio and Microsoft SDKs, 90–91
VMM (Virtual Memory Manager), 85
voicemail notifications, 308
vulnerabilities
Bluetooth, 295–297
WebOS, 238–240
W
WAE (Wireless Application Environment), 306
WAP. See Wireless Application Protocol (WAP) and Mobile HTML
WAP Binary XML (WBXML) binary format
converting XML to, 329
SMS, 311
WAP gateway (WAP gap), 259
wap_provisioning format, 104
WAP Push, 310–313
warm reboots in Windows Mobile, 83
WASC (Web Application Security Consortium), 260
Watch window in Windows Mobile, 95
Watson, Robert, 65
WBXML (WAP Binary XML) binary format
converting XML to, 329
SMS, 311
wbxml2xml.exe tool, 329
WDP (Wireless Datagram Protocol), 306
Web Application Security Consortium (WASC), 260
web application tools for penetration testing, 384–386
Web Developer extension, 380
Web Loader for BlackBerry, 134
WebKit, 248
WebOS, 226
application packaging, 246–247
architecture, 227–229
code security, 237–247
conclusion, 250
debugging and disassembly, 234–236
development and security testing, 231–236
direct evaluation vulnerabilities, 238–240
emulators, 233–234
introduction, 226–227
local data injection, 243–246
networking, 250
permissions and user controls, 247–250
programmatic data injection, 240–241
script injection, 237–238
stages and scenes, assistants and views, 230–231
template injection, 242–243
WebScarab network proxy, 384–386
Wi-Fi support, 323
widgets, 231
WinCE malware, 366
Windows CE platform, 80–81, 84–86
Windows Mobile, 80
application packaging and distribution, 104–106
application sandboxing, 354
Authenticode, signatures, and certificates, 107–110
buffer overflow, 358
code security, 100–104
coding environments and SDKs, 90–91
conclusion, 119–120
debugging, 94–96
development and security testing, 90–106
device emulators, 91–94
device security policies, 113–114
disassembly, 97–100
files, 114–115
geolocation, 337
introduction, 80–83
kernel architecture, 83–90
local data storage, 114–117
locking devices, 111–112
networking, 117–119
permissions and user controls, 106–115
Windows Mobile MMS, 325–326
Windows Mobile SDK, 110
WINE emulator, 125
WinSock, 118
wipe, remote, 346
Wireless Application Environment (WAE), 306
Wireless Application Protocol (WAP) and Mobile HTML, 252
application attacks, 260–273
authentication, 254–257
basics, 253–254
browser weaknesses, 273–275
conclusion, 275
cross-site request forgery, 266–269
cross-site scripting, 260–263
encryption, 257–259
HTTP redirects, 270–271
limitations, 275
non-SSL logins, 273
phishing, 272
session fixation, 272–273
SMS, 306–307
SQL injection, 264–266
WAP 1.0, 258–259
WAP 2.0, 259
Wireless Datagram Protocol (WDP), 306
Wireless Markup Language (WML), 252–253, 258, 306
Wireless Session Protocol (WSP), 306
Wireless Transport Layer Security (WTLS)
BlackBerry, 148–149
WAP and Mobile HTML, 258
Wireshark tool, 381–382
WML (Wireless Markup Language), 252–253, 258, 306
writeStrongBinder method, 42
WSP (Wireless Session Protocol), 306
WTLS (Wireless Transport Layer Security)
BlackBerry, 148–149
WAP and Mobile HTML, 258
X
XiP (eXecute-in-Place) DLLs, 84–85
XML
converting to WBXML, 329
manifest files, 133
Windows Mobile, 104–105
xml2wbxml.exe tool, 329
XmlHTTPRequest class, 250
XMPP (Extensible Messaging and Presence Protocol) service, 250
XSS (cross-site scripting)
WAP and Mobile HTML, 260–263
WebOS, 237
Y
Yarrow Pseudo-Random Number Generator, 70
Yxes.A worm, 366–367
Z
Zbikowski, Mark, 97
Zero Day Initiative (ZDI), 326
ZigBee technology, 280
Zygote system, 41