Apple’s #gotofail weekend


In case you spent your weekend watching closing ceremonies and not reading tech news, there was a lot of buzz around a security problem in Apple products. On Friday, Apple released an emergency update for iOS7 that fixed a severe vulnerability in their SSL/TLS implementation on the iPhone.

For those who are not technically inclined, SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are the encryption protocols underlying, among many things, the little lock icon you see in the upper right corner of your browser. This encryption protects you from eavesdroppers when logging into any secure site, like your bank account. It also protects you from actors like the NSA (and other governments) scooping up your emails in bulk when you’re … well … anywhere. After Apple released the emergency update for iPhone, security firm CrowdStrike examined the patch and reverse engineered the vulnerabilities it was addressing, only to find out that it repaired some pretty significant parts of the iPhone operating system. They also found that the same vulnerability exists in Apple’s OS X operating system meaning that the problem extends to Mac OS X laptops/desktops, not just iPhones. [Read more…]

Circumvention Tech Summit

Hong Kong | April 26-28, 2013

I participated in the third annual Circumvention Tech Summit.  This meeting of developers and activists is focused on increasing dialogue among circumvention tech developers and providing them with the knowledge and resources they need to create and develop better tools.

ACM Conference on Security and Privacy in Wireless and Mobile Networks

Budapest, Hungary | April 17-19, 2013

WiSec presents high quality research papers exploring security and privacy aspects of wireless communications, mobile networks, and their applications.

I gave a plenary talk about mobile threats to privacy. My presentation covered common threats to mobile privacy and security, focusing on what information is stored on your smartphone and what information is shared – intentionally and unintentionally – with cloud providers and third parties. I reviewed common security problems and pitfalls, as well as the privacy risks consumers assume by operating smartphones powered by a burgeoning advertising industry.

FinCapDev: Privacy, Security and Mobile App Development

I hosted a webinar with Manas Mohapatra, the Director of Mobile Policy for the Federal Trade Commission’s Mobile Technology Unit, for the FinCapDev Finalists.  We discussed security and privacy issues related to mobile app development.

Webinar is archived here.


There’s been a lot of attention around the Israeli facial recognition startup  They, amongst other things, make a mobile app called “KLIK” which lets users tag their friend’s faces in real-time, as they walk down the street. Just today, they announced that they’re being acquired by Facebook for $100M.

A few weeks ago, I noticed a different kind of excitement surrounding the startup. I found an extremely basic vulnerability in the which the app allows access to other user’s KLIK information, including private ‘authentication tokens’ (i.e keys) for user’s Facebook & Twitter accounts (KLIK relies on Facebook to use the app). essentially allowed anyone to hijack a KLIK user’s Facebook and Twitter accounts to get access to photos and social graph (which enables ‘face prints’), even if that information isn’t public.

[Read more…]

NYU/Princeton Conference on Mobile and Location Privacy: A Technology and Policy Dialog

NYU Law School, New York, NY | April 13, 2013

People routinely carry smartphones and other devices capable of recording and transmitting immense quantities of personal information and tracking their every move. Privacy has suffered in this new environment, with new reports every week of vulnerabilities and unintended disclosures of private information. New York University’s Information Law Institute and Princeton’s Center for Information Technology Policy hosted a technology and policy dialogue about the new world of mobile and location privacy.  They brought together the policy and technology communities to discuss the substantial privacy issues arising from the growth of mobile and location technologies.

I gave a technical demonstration.

NYU/Princeton Conference on Mobile and Location Privacy — Technology Demonstration: Askhan Soltani from NYU Information Law Institute on Vimeo.