I hosted a webinar with Manas Mohapatra, the Director of Mobile Policy for the Federal Trade Commission’s Mobile Technology Unit, for the FinCapDev Finalists. We discussed security and privacy issues related to mobile app development.
There’s been a lot of attention around the Israeli facial recognition startup Face.com. They, amongst other things, make a mobile app called “KLIK” which lets users tag their friend’s faces in real-time, as they walk down the street. Just today, they announced that they’re being acquired by Facebook for $100M.
A few weeks ago, I noticed a different kind of excitement surrounding the startup. I found an extremely basic vulnerability in the which the app allows access to other user’s KLIK information, including private ‘authentication tokens’ (i.e keys) for user’s Facebook & Twitter accounts (KLIK relies on Facebook to use the app).
Face.com essentially allowed anyone to hijack a KLIK user’s Facebook and Twitter accounts to get access to photos and social graph (which enables ‘face prints’), even if that information isn’t public.
TechCrunch TV | May 3, 2012
TechCrunch TV had me on to discuss Path, Apple’s collection of location information, and the various other privacy issues with mobile devices.
Why You Should Treat Your iPhone Like a Toddler: The State of Mobile App Security Techcrunch, May 3, 2012
Mobile apps and the services they provide have been one of the most exciting areas of innovation in recent years. Many of these new services have been successful because they enable consumers to use data to connect, discover and accomplish in new ways, but the collection and use of consumer data in the complex mobile environment has caused a rise in privacy concerns. To maintain the consumer trust necessary to continue the pace of innovation, the key participants in the app ecosystem need to work together.
To better understand their respective roles in this new ecosystem, platforms, app developers, carriers, consumers and policymakers are gathering to address current and pressing consumer privacy issues. The Application Developers Alliance and the Future of Privacy Forum, along with the Stanford Law School Center for Internet and Society, hosted the App Developer Privacy Summit on April 25, 2012.
I was one of the panelists/presenters.
Go to 2 hours, 32 minutes for details.
OWASP AppSec USA 2011 Conference
Minneapolis, MN | September 20 – 23, 2011
In this talk, Gerrit Padgham and I talked about the current state of online tracking and highlight current practices such as “cookie respawning” and non-cookie based tracking that popular websites and mobile applications engage in. We discussed theories on why the platforms we use do not adequately protect users from these threats and highlight the proposed solutions, such as additional transparency tools and Do-Not-Track that are intended to help mitigate these issues. We also demonstrated MobileScope, a technical solution we have been developing to give the end user ultimate visibility into the traffic their device is sending. Finally, we discussed open questions surrounding the ability to adequately assess risk drawing from behavioral economics and risk management theories for cues as to potential outcomes in this space.