Mobile security, MWR Briefing June 2014, London

First impressions

On a sunny Thursday morning on the 5th of June 2014, we arrived at Tobacco Dock in London, via an early flight from the Netherlands.

Initially, it seemed like a suit-and-tie event; regardless, it had a nice, relaxing atmosphere. Several friendly Men-in-Black types with walkie-talkies were also present at the event. This is probably the standard procedure for security conferences; nonetheless, I felt reassured that preparations were made to guarantee our physical security.
The attendees were a mixed bunch ranging from hardcore tech geeks to managerial types.

The Briefing

The first presentation started at 10am sharp. These were the presentations:

  • Awareness-Driven Secure Development – A streamlined secure development lifecycle (SDLC) – presented by Donato Capitella
  • iOS Data Security – A look at how iOS apps can secure your data – presented by Andy Waugh
  • Software Defined Radios – Attacking wireless communications with low cost SDRs – presented by Jahmel Harris
  • Red Team: Live-fire Security Testing – From hacktivism to corporate espionage; advancing security assessments to meet the evolved attacker – presented by Stuart Passé (MWR), Marc Briggs & Peter Connolly (GHT Global)
  • Mobile Platform Comparison – A comparison of attacks against the four main mobile platforms and the security features available to mitigate them – presented by Henry Hoggard
  • Anomaly vs. Signature Based Attack – Helping defenders keep up with the ever changing attacker methodology – presented by Howard Marshall




The presentations were very interesting. I was familiar with many of the topics that were discussed, but it was good to hear another perspective on them. Most sessions were an overview of a particular aspect of security. We will delve into some of these subjects in depth later in our security-related blog posts. Software-defined radios in particular were an interesting topic to hear about, given the proliferation of wireless add-ons and Internet of Things devices. The availability of low-cost hardware that can easily be programmed to intercept and manipulate radio signals (Bluetooth, ZigBee, ANT+) promises to be a real concern in the future. Bluetooth-controlled pacemakers were an example of the potentially serious consequences of radio exploits.

More about these topics later…

Thanks to the MWR staff for a pleasant and well organised conference.


And for those interested in architecture…. the venue:



Security testing and hardening Android apps

Interesting talk by Scott Alexander-Bown on Android security and hardening at the second day of

The OWASP mobile security project provides guidance on threats, testing and patterns to make static and dynamic analysis of apps harder for hackers.


How to develop native apps for easy porting to other platforms

Today I spoke at 2013 about: “How to develop native Android apps for easy porting them to iOS and HTML5”


For the last four years Itude mobile has developed on iOS and ported to Android or developed on Android and ported to iOS or something else. We have created a successful method and toolset for that.

Our strategy lets developers code native apps and then port them efficiently, without having to resort to HTML5 cross-platform tools.
The tried and tested iOS, JSF and Android libraries we use for this will become open source in Q4 2013.

The PDF is here: device fragmentation 2013

The video is here:


How to debug deep linking in iOS

What is deep linking?

Deep linking basically enables you to open an app from another app or a website while passing on parameters. This mechanism works with custom URL schemes which you can define in the .plist of your app.

Why deep linking?

If you have an app with lookup functionality (e.g. an app for finding song lyrics) you might want to perform a lookup without having to navigate to the designated screen and typing in the query. This can be achieved by opening the following example URL MyAppScheme://myAction=lookup&myQuery=What%20is%20the%20meaning%20of%20life in another app or the browser. In this case the app is programmed to read the ‘myAction’ parameter on startup to determine the action and the ‘myQuery’ parameter for the search query. Often, deep linking doesn’t go as planned and you might need to debug your app.
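Because any other app or web page can open such a URL, the ‘myAction’ and ‘myQuery’ values are untrusted input. The following is an added example, not code from the original post: it parses the URL form shown above, where the parameters follow ‘://’ directly with no ‘?’, and validates both values. The type and function names, the action allow-list and the length limit are assumptions.

```swift
import Foundation

// Hypothetical names throughout: DeepLink, DeepLinkError, parseDeepLink.
// Only "MyAppScheme", "myAction" and "myQuery" come from the article.
enum DeepLinkError: Error { case wrongScheme, malformed, unknownAction, badQuery }
struct DeepLink: Equatable { let action: String; let query: String }

let allowedActions: Set<String> = ["lookup"]  // assumption: the only supported action
let maxQueryLength = 200                       // assumption: arbitrary upper bound

func parseDeepLink(_ url: URL) throws -> DeepLink {
    // URL schemes are case-insensitive, so compare lowercased.
    guard url.scheme?.lowercased() == "myappscheme" else { throw DeepLinkError.wrongScheme }

    // The article's URL has no "?": everything after "://" is the parameter
    // string. The conventional "scheme://host?key=value" form is accepted too.
    let raw = url.absoluteString
    guard let sep = raw.range(of: "://") else { throw DeepLinkError.malformed }
    var rest = String(raw[sep.upperBound...])
    if let q = rest.firstIndex(of: "?") { rest = String(rest[rest.index(after: q)...]) }

    var params: [String: String] = [:]
    for pair in rest.split(separator: "&") {
        let kv = pair.split(separator: "=", maxSplits: 1, omittingEmptySubsequences: false)
        // Percent-decode each value exactly once; invalid escapes are rejected.
        guard kv.count == 2, let value = String(kv[1]).removingPercentEncoding else {
            throw DeepLinkError.malformed
        }
        // Reject duplicate keys rather than letting a later value win silently.
        guard params.updateValue(value, forKey: String(kv[0])) == nil else {
            throw DeepLinkError.malformed
        }
    }

    guard let action = params["myAction"], allowedActions.contains(action) else {
        throw DeepLinkError.unknownAction
    }
    guard let query = params["myQuery"], !query.isEmpty, query.count <= maxQueryLength,
          query.unicodeScalars.allSatisfy({ !CharacterSet.controlCharacters.contains($0) })
    else { throw DeepLinkError.badQuery }
    return DeepLink(action: action, query: query)
}

// Constructed sample input: the example URL from the paragraph above.
if let sample = URL(string: "MyAppScheme://myAction=lookup&myQuery=What%20is%20the%20meaning%20of%20life") {
    print((try? parseDeepLink(sample)) as Any)
}
```

Calling a function like this from the app delegate's URL-opening callback gives one place to set a breakpoint when debugging the scenarios described below.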

Why is debugging this difficult?

Deep linking might occur in three kinds of scenarios:

  1. The app hasn’t been installed yet
  2. The app is running in the background (or foreground for that matter)
  3. The app is installed but not running at all

Scenario 1 is irrelevant in this case, so we’ll skip this one. Scenario 2 should be no problem since the app is running on the device (or simulator) while in a debug session. Scenario 3 requires you not to have the app running, but you need the debug session to be able to debug. This is a problem because Xcode starts the app automatically when starting a debug session. Instead of letting Xcode start the app, you want to do it yourself using the deep link URL.

So… tell me how to do this

There is a convenient option which enables you to start a debug session by manually starting the app. To achieve this, go to the ‘Edit scheme’ screen and tick the ‘Wait for to be launched manually’ option in the ‘Run’ configuration.


Whenever you run the target in Xcode, the app doesn’t start automatically, and the debug session will only begin when you manually start the app.

So start kicking some bugs ass!

Annoying App Store bug on iPad and iPad mini since iOS 6

The other day we found a very annoying bug in the App Store that only appears on the iPad and iPad mini since the release of iOS 6. Under normal circumstances you would expect to find any app on the App Store, iPhone or iPad app alike. Unfortunately this is not the case.

In our example we use the app ‘BeFrank- Mijn Pensioen’, an app we developed for iPhone and Android.

1. Open the App Store and start typing ‘befra’. As you can see in the screenshot below the autocompletion suggests ‘BeFrank’ as one of the options.

2. Click on the suggestion ‘BeFrank’. To our surprise no results appear for either iPad or iPhone apps (see screenshot below).


3. That’s weird!? Let’s try on an iPhone. We repeat step one et voila! As the screenshot below demonstrates the ‘Befrank’ app is the only result. 

4. So it is on the App Store!? Ok, let’s try again on the iPad! This time we search for the keyword ‘pensioen’ (which means pension in Dutch). As you can see in the screenshot below we get some iPad results as expected but no ‘BeFrank’ app.

5. Ok, let’s switch to iPhone apps. Voila! There it is!


We tried this with some other apps and here is our conclusion. There must be iPad apps within the results or the iPhone apps won’t show up! This means that you are likely to miss out on some good apps that just won’t show up in the results. Very frustrating!

What do I think about the iPad mini?

The iPad mini has been around for a few days now, giving us a chance to play with it. To be honest I was sceptical and wasn’t sure if I should buy one. After all, I’m very satisfied with my iPad third generation. But all the reviews and positive words made me curious and made me wonder how the apps that I had helped develop would look on this smaller screen. Will text be readable and can users still press the buttons easily? Those questions and a dozen others persuaded me to buy one.

After unboxing the first thing I noticed is how amazingly light it is compared to its 10 inch brother. The finish of the iPad mini looks and feels nice and solid. It feels like an iPad, yet smaller and easier to hold. After playing with it for a while I must say that the user experience is excellent! The whole UI feels very smooth and is sometimes even faster than the iPad third generation. I now understand why Apple decided to upgrade the iPad third generation. I haven’t played with a fourth generation iPad yet but I’m convinced that the user experience will feel similar to the iPad mini.

The screen size is just right. Any smaller and it would feel like a big iPhone. The only downside is the lower resolution and that the colors are less vivid than on the iPad third generation. It is clearly noticeable if you’re used to the iPad third generation but way better than the iPad 2. Below is a screenshot comparison of some apps I worked on. From left to right: iPad mini, iPad 2, iPad third generation.

If you enlarge the thumbnails you can see that text is still clear and buttons can be pressed with ease. I would not replace my iPad third generation, but if I had an iPad 2, I would definitely replace it. Overall I’ve used the mini more often than I expected and I’m very satisfied with it.