Category Archives: Mobile

For the Bees

IMG_3609This past weekend we (TwelveDot Labs that is) participated in our first Ottawa Random Hacks of Kindness (RHOK) after being a sponsor for the past three years.

Algonquin’s School of Hospitality and Tourism is on a mission to better help students to understand the “food to fork” concept and the impact the changing environment is having on the human food chain. And we were happy to partner with Algonquin College on a bee hive monitoring project .

We had to do a lot over the weekend and not a lot of time to do it in (about 14 hours) but we managed to get sensors logging into our database. All of this was done with a team of only eight! Without the hard work and efforts of Kirin, Kaelan, Bernard, Ying, Cid, Jared and Alf,  this project would not have come together in such a short period. We were, and remain, truly grateful to all of them for giving up their weekend for this project. We also had significant assistance from Dave of Algonquin College who is both a chef and understudy beekeeper. He  provided very useful details on how bees live and our impact on them in general and every time we open a hive.

That said, we know that there are many other hackathons that have similar projects and even commercial monitoring solutions for monitoring bee hives right now.  We also know that there are no solutions which are purpose-built for research and non-intrusive to the bee environment. The goal of our project was to develop a solution that included these two aspects in the overall design. Over the course of the weekend we:

  1. Used an Arduino (an open-source prototyping platform based on easy-to-use hardware and software) based platform to connect our sensors.
  2. Designed a base mobile User Experience (UX).
  3. Setup and configured a time-series database.
  4. Fine tuned our sensors for data collection via the code.
  5. Created a web site to document our project.
  6. Developed a design to incorporate sensors non-intrusively to a bee hive – we actually did this in the last hour of the event!bee-plate

Our goal going forward will be to continue this work with Algonquin as bees are important to our food chain. We are doing this for bees as much as we are doing it for ourselves.

In the coming months we will be proving all the initial design and data collected for bee research and hope to have our own data available as well. If you want to know more  about our work and progress, we invite you to go to our project website.

Lastly, do not hesitate to contact us to find out if we can help your field research project.



Mobile Gaming App Security 101

Mobile Game App SecurityMobile gaming app hacks are on the rise and will only continue to grow unless developers become enlightened. Developers need to understand long term impact of mobile gaming app security. Having your gaming app hacked can have a large impact on revenue, branding and even the survival of your company.

The cost of securing a mobile gaming app is minimal in comparison the potential loss. Developers fail to understand the consequences are always focused on their time to market, 99% of the time neglecting security.

Common vulnerabilities include:

  • in-app purchases being hacked
  • reverse engineering of code
  • repackaging of application ( cloning )
  • malware
  • game assets like artwork being reverse engineered
  • piracy ( very high rates )
  • personal data theft

This all translates to lost revenue. So would it not be better to invest a few dollars now and look to securing your app and the reap the rewards of your work for the long term or generate limited revenue short term?



Cyber Canucks EP 3: Providing Mobile Services to Your Employees

We hope you enjoy episode 3 in our series of podcasts on cybersecurity

Hosts: Cid Parato and Faud Khan

Topics of this episode:

– Whitelist /Blacklist of Apps for company use – Which applications are user permitted to use and which ones should they avoid?
User Policy and User Guide – Provide details to users on expected behaviour while using mobile apps including reporting lost or stolen devices.
– App Evaluation –  Evaluate each app to ensure you understand data risk exposure.

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at

A big Thx goes out to Jack Wiles for sound editing.


Securing your device from Malware

Android and iOS devices both attempt to secure their OS from Malware and other vulnerabilities. They implement a myriad of security features in each new release, but that is just not good enough. Users still need to be vigilant and keep an eye on things.
You may not be able to adhere to everything but here is a list of things you can do to secure your device.


1. Don’t download apps from 3rd party sites

Avoid installing Android Package Files ( .apk’s) directly to your device. “Sideloading”, as it is called, installs apps not from Google Play but from 3rd party sites. The app may look exactly the same as it does from Google but may be repackaged to include malware. The signs of compromises are difficult for many users to identify, so don’t take the chance.


2. Don’t grant administrator access or extra permissions

Many apps ask for permissions to your device that they really don’t need. Before installing an app find out what permissions are required and if you don’t feel comfortable don’t install it. Is that app absolutely necessary? If you are seeing lots of adware then its probably too late but you still have the option of uninstalling the app.


3. Install a security application

Free security apps like Lookout do a decent job of scanning your device for malware, viruses and spyware. The security app will find the apps that are causing you problems and incorporates a malicious website blocker. If possible implement a security app but make sure you do your due diligence on the security app. Check the reviews to see what others are saying about the app.


4. Keep up-to-date on OS and app updates

This is a simple step but it keeps your operating system and apps up-to-date. These updates are often patches for security leaks and known or new found vulnerabilities. You can close the door on thieves but the door needs to be locked as well.


5. Disable cookies and Javascript

This is a tough one. Many apps use cookies and javascript to run. The issue here is that the majority of the apps that use cookies and javascript also incorporate analytic engines. Analytic engines will process your personal data and send it back to a corporate server. This data is even compiled offline and then sent when you are back online. Google’s policy is to retain your data for 25 months at a minimum and longer if possible…


6. Don’t jailbreak or root your device

Many users do not know what is done to the Operating System during either a jailbreak or the rooting of a device. Once completed it becomes easier to compromise a device as many users do not have the technical savvy to be able to harden a device in this state. Your dervice becomes more open to drive-by hackings especially if your using public Wi-Fi and no, you will not get a notification that your device has been compromised.


Some of these may be tough to swallow but compare that to your personal data or your banking information being freely available to the highest bidder. Keep in mind many criminal organizations are targeting individual mobile devices as they are not securely configured. Mobile has become the low hanging fruit for identity and data thieves, don’t make it easy.


Embedded Malware in Mobile Applications

Embedded Malware in Mobile Applications Blog

Project Overview


Mobile is ripe for attack, as many people only associate cyber threats with their PCs and neglect even basic security precautions on their mobile devices. Under the Public Safety Canada Cyber Security Cooperation Program (CSCP) TwelveDot created a standardized methodology to qualitatively identify malware and vulnerabilities in mobile applications.

Given the risk of exposure to both consumers and businesses we needed to ensure that Canadians are protected from embedded malware while using mobile applications. This included the development of a standard method for mobile application developers to ensure their apps are tested and validated to minimum security levels for usage not only in Canada but globally. This methodology provides users with an easy to use grading system to determine if they are accepting of the risk of using the application.

GCAM and why a standardized method is important…

TwelveDot successfully developed a methodology to test mobile application security. This is a formalized methodology known as General Code Assessment Methodology (GCAM) which can identify, categorize and report on malware and application weaknesses for resolution by the vendor/developer.

There is a need to move towards a mobile application security standard. There are no current standards for mobile application security. Most mobile applications do not even pass basic security tests. Some organizations have mobile application security tests such as dynamic and static code analysis but these only validate the code and does not encompass mobile application behaviour nor the interaction between mobile applications, their users, cloud services and 3rd parties.

Using the GCAM methodology, we were able to identify mobile applications that indicate signs of bad coding practice and poor application design. These factors were used to derive a calculation that can be used to determine an application grade. This grade clearly indicates to a user the potential risk of security and privacy exposure.


For the data captures, a Man-In-The-Middle (MITM) proxy was used to intercept and decrypt secure network sessions and we used Wire Shark to capture all the network session traffic. The network traffic shows, from a security perspective, how someone with intent could use fingerprinting techniques to target a device/user.

Application Selection

The applications were selected from both the Apple and Google Play app stores. We did not focus on other app stores due to lack of source control over the posted apps. We wanted to focus on applications that users and business would use everyday. Applications can be broken down into two major categories, free and paid applications. We have selected applications from both major categories.


The applications are then further broken down as shown in the categories below.

App Store Categories:







Food & Drink


Health & Fitness





News & Video



Social Networking






There is a general trend, from the analysis of the tested mobile applications, for someone with intent to use advanced techniques to target a device or user. Security and privacy is not a primary concern when designing/coding mobile applications, and many developers do not have the necessary skills for these considerations at design time. Larger more established organizations with more resources (time and money) such as Google and Facebook, generally have better coded and designed applications, where as the smaller less process mature organizations demonstrate less skill in developing secure mobile applications. However, the larger organizations also attempt to exploit user data by creating malware and using vulnerabilities built-in to their applications. This can be demonstrated by the fact that analytic engines collect user data and behaviours without user knowledge. These include API’s and SDKs from Google, Yahoo, and Amazon. These engines are included in the majority of applications given that they are free and easy to integrate for developers.


Figure 1 iOS Embedded Malware


Figure 2 Android Embedded Malware


Our tests show that the SDKs and API’s that developers implement are not just Apple or Google APIs but 3rd party APIs that may not be securely tested or validated but just added in. Over 40% of the applications we tested contained embedded 3rd party SDK/API’s.

3rd party libraries in the SDK’s have known vulnerabilities but the majority of mobile applications have not been tested against these known vulnerabilities. Many developers don’t even now the risk of using these 3rd party APIs nor do they evaluation the source code for origin.

The vast majority of library flaws remain undiscovered and typical Java applications are likely to include at least one vulnerable library.

3rd party libraries in the SDK’s have known vulnerabilities as can be seen in the CVE database but the majority of mobile applications have not been tested against the known vulnerabilities. Nor do the developers of these libraries report the vulnerabilities to the developers.

Sample SDK Vulnerability

  • A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.


Analytic engines are the largest threat vector in mobile environments.

These engines collect a variety of data from account names to country codes to browser versions. Data is even collected when the user is offline and saved to persistent storage on the device and forwarded on to the server during the next session. The data is retained for months if not years and the user is never advised of the storage length or uses of the data being collected. In many instances the companies that offer these services will typically sell this data to marketing companies looking to directly target advertising to these users.


An example of a popular analytic engine can be seen below in Figure 2. It shows the network traffic timestamp of the Crashlytics engine at work. Crashlytics is a popular analytic engine and it was prevalent in the applications we tested.


Figure 2 Network traffic timestamp of crashlytics data being transferred

Data found in application directories with compiled data to be sent to crashlytic analytic server.


Figure 3 – Crashlytics directory created by app on device

Looking at the directory structure pictured above (Figure 3), one can see that the data is grouped according to its processing status. The engine will process data it deems valid to send back to the server. Sendable data, data being processed, data that is prepared to send and invalid data. This data is also processed offline and can be sent back once a network connection has been established.

Fake apps mimic the actual applications they are supposed to replace. They are easily found on third party app download sites, websites and official app stores including Google Play. While outside the scope of our security testing users need to be aware these apps are prevalent and pose significant exposure risk when used.

Fake apps are available in every app category from Business to Games, Finance and Weather. These apps are not harmless copycats, they are intended to be malicious and include embedded malware.

Applications can be downloaded directly from the developer’s site. They can also be downloaded from 3rd party sites. There are thousands of sites that offer application files available for download.

Herein lies the problem. The 3rd party sites are not secure. They do not ensure the apps are secure or free from malware/vulnerabilities. Moreover some of the sites are purpose built venues for malware/vulnerabilities to be introduced to users. These sites actually repackage the application with embedded malware/vulnerabilities. The files are then unwittingly downloaded by users and installed. The user’s device is now compromised.

Cloud Services are used by a majority of the mobile applications tested. Approximately 80% of the apps tested use cloud services. The main players in this are Amazon and Google.

Sample test results from the DropBox application in iOS show both Amazon and Google Cloud services in use. Google cloud services uses Google cloud endpoints, so it can determine user location, locate nearby stores, and then provide the user relevant offers and recommendations. These usage patterns build on the users’ already growing user profile created for each and every user of these services. Many users are not aware of the metadata being collected on them at this point and once they do it is too late to remove your fingerprint.

What can you do to ensure your apps are safe?

Users and businesses need to assess risks, determine threats and mitigate threats. These threats include, threats to data, threats to availability and system integrity.

  • Always research the publisher/developer of the app. For iOS apps a user can look at the details tab of the mobile app in the Apple App Store and look at the information about the app and search the publisher/developer.
  • Read application reviews. Check around to see what others are saying (,,
  • Always check application permissions (a simple calculator app should not need access to personal information) For iOS open the Settings app and scroll down to the list of apps at the very bottom. Tap an app and you’ll see the permissions it wants. You can enable or disable individual permissions for specific apps from here. For Android apps select Menu>Settings>Applications>Manage Applications. Then choose an app and scroll to the bottom and it shows you the list of permissions.
  • Avoid installing Android Package files ( APK’s ) directly to your device. If you use the Google Play site to install apps then you should be ok. However if you download .apk files from developer sites or third party sites and install the .apk , then you are putting yourself at higher risk. Sideloading is the process of loading an .apk file directly to your device. Not all manufacturers support Google Play on their devices. Also regional restrictions imposed by Google Play may prevent you from loading an app. In order to install an .apk file you will need to enable unknown sources which allows the installation of apps from sources other than Google Play. But be forewarned do not allow apps extra permissions for the majority of these will most likely contain malware.
  • Install an antivirus app on your phone. Lookout is a quality mobile security app that is available for both iOS and Android.
  • Disable cookies and don’t allow javascripts to run to prevent analytic engines from sending your personal data. In doing, so you reduce your risk from malware, however some apps may not run properly with cookies and more specifically javascript disabled. Many apps nowadays use javascript for plugins. You will have to decide what is more important the app or the security of your data?


There is also a comprehensive list of steps developers need to address to ensure mobile application security but that is for another day…another blog.

Full report on Embedded Malware in Mobile Applications available please contact us.


IPv6 — iOS, Mac OS and IoT are we really ready?

With iOS 9 Beta and the El Camino Beta releases we can clearly see that IPv6 is on the agenda for Apple. Only one problem who is ready for this? Specifically, many corporations are not running dual stack networks nor are service providers offering many IPv6 services.

Specific to Canada, IPv6 BGPs are special order items and waiting times are long. The offerings are very basic at this time. If your lucky enough to get connected to the Google network you can run natively on IPv6 but this is not available to everyone and home users are SOL. IPv6 is further complicated by the fact that many ISP in Canada do not have the DNS infrastructure for AAAA records. While many are working on updating these services they just are not there yet.

That leaves the home user, yes many home routers do support IPv6 and can run in dual stack mode. Only issue is they don’t have the necessary security detection capabilities to identify when this implementation is being use to attack the network. Users can be opening a big hole in their network as they are not aware of what to look for when IPv6 is being used to bypass security controls and possibly stealing their data.

With IoT quickly accelerating, we are not pacing ourselves for the apparent onset of devices to be enabled. If 10,000 users tomorrow wanted to add 100K devices each using IPv6 to a network in Canada that would lead to many issues. A gateway would be required to offer the dual stacking and routing necessary. The question is who could support them in this effort? 

If industry does not quickly deal with these issues this could leave Canada behind due to competitive disadvantage to countries who can offer these services. Time will tell but I am not aware of any national initiative to accelerate IoT and relevant technologies to the point where Canada will be leader in this field.


Minimizing Your Digital Footprint

So I am not a hermit or loaner but I do like to keep my digital footprint small. I don’t feel a need to be “Liked” nor one to be “Followed”. However, I do like to share my security knowledge and expertise with companies and I am always torn between posting something on social media verses not.

I do fundamentally believe that we have a right to privacy on the web so long as your intent is not to harm another human being. If you use it as a means for entertainment, education or just communications with family and friends then you have the right to do so. I don’t like all the cataloguing of my web traffic and governments who insist our country will be safer by collecting all our web traffic — this is just irresponsible leadership.

So how does one balance between sharing and knowing when to say enough is enough. Lets put it this way, if you cross a street and did not realize you walked against traffic and were almost run over twice then maybe it is time to give social media a break. There is not a single “Like” that is worth you life.

Keys to balance:

1. Your friends will be your friends even if your not online all day and night. Reducing time on your devices will give you a chance to experience “real” life.

2. Your personal posting(s) can and will be used against you. This includes finding a new job and possibly loosing your current one. Once posted, it is not your content anymore it belongs to the site owners. Read the fine print.

3. If your mad about something it might be best to stay away from your devices for a few hours. Having a rant online is not a good outlet. See bullet 2.

4. You never know who is watching you. Strangers lurk in ever corner of the web.

5. Use technology that allows you to auto post material around the clock. It frees up your time to spend with friends and colleagues.

6. What is the message you want to send to the world? Think about this for a while as it should help you gauge what you post or consider posting.

7. Reducing your time with device gives your body a break from low level radiation. Remember grade 9 physics and waves? What do you think your exposing yourself too all day?

As always, I recommend staying secure while connected to the Internet. Using a VPN just makes sense today especially if your a hard core coffee shop hopper. And make sure your HD is encrypted in the event your laptop is lost or stolen.


IoT Security – Need Some Basics

With more and more IoT products and services being announced by the hour and new engineers and developers racing to get products out the door, security unfortunately remains the last consideration.

We need to ensure that IoT leads to a security by design model. While everyone considers this one of the critical issues for both implementation and adoption for IoT, not many vendors are talking about the security model being used for product/service creation.

Some of the key elements to consider when securely designing a new IoT solution are sensors, applications and servers. Get your developers thinking about the following:

  1. What is the threat model? Once you have your product concept you need to understand and develop this model. Only then can you determine what security controls will be required to secure your solution.
  2. Do you need secure communications to your sensor/actuators? What did your threat model identify?
  3. Remove all embedded authentication or testing backdoors. Or better yet, train your developers to not use them at all. I am still surprised at how many device manufacturers use admin:admin as the user id/password combination today.
  4. Ensure that code analysis is conducted at each major development coding stage. This will ensure that vulnerabilities are quickly identified and eliminated prior to shipment.
  5. Perform end-to-end pen testing of your solution, both in the lab and in the field, to ensure you’re finding the bugs before the hackers do…..because they will!

Start-ups can easily setup these process improvements to ensure a stronger security model and use them as selling features for their solutions. Don’t be afraid to educate customers on all the effort you have invested to ensure the products/services being created are secure. At a minimum, your organization should look to implement an SDLC based on ISO 27034 Application Security as this will help to implement all the elements recommended.


bv02 + TwelveDot Labs = Evolutions

Last fall we started a project with our partner bv02 and The Canadian Museum of Nature to explore using iBeacons in a museum environment. This pilot project called “Evolutions” was located in the Mammal Gallery and was launched Dec. 23. TwelvedDot worked with the design team at bv02 to create a mobile application that would demonstrate the value that iBeacons can bring to a museum environment.

“Evolutions” tracked user’s journey through an exhibit by interacting with the iBeacons to take blobs and evolving them into creatures. Users had to discover the full exhibit or risk their creature dying. At the end of the game users were rewarded with fully developed creatures if they find all the iBeacons.

The pilot spanned a three-week period and demonstrated that users were willing to download the app and use it immediately. Users were able to find the beacons easily and fun interacting with their creatures too.

If you are planning an iBeacon deployment of your own here are some tips to make it a smooth project:
1. Setting the scope early and understand what data is “required” and “needed” to be collected on users.
2. Design an app that users can identify with and that leverages your organizations brand. Find a digital creative agency that can create a UX and graphics that give the app personality! This is key to the overall success of your iBeacon based app.
3. Do a physical site visit as soon as possible and determine possible locations for beacons. Consider possible EMI that might be caused by other electrical devices including WiFi APs. If you have a complicated setup, you may need to conduct a spectrum analysis on your site. This can be costly but might not be required.
4. Initial testing should include tuning beacon signal strength and analytics engine is properly collecting data.
5. Collect application data to get a sense how users are using the app.

As a final point, respect your users privacy and only collect data that is required to monitor your app. Once collected it is best to just keep the trend data and securely delete the rest. Always make users aware of your data collection practices and privacy policy.

More details on this project are located on the bv02 site.

For this project we chose Estimote iBeacons.


Introduction to Bluetooth Low Energy Security

As we continue building solutions utilizing BLE and our focus on security. We thought it would be important to share some of our lessons learned about how to secure your BLE implementation.

Data communication was, and will continue to be a problem. Luckily, more and more interesting methods of data transmission are surfacing each year. A new popular wireless transmission protocol is the Bluetooth Low Energy (BLE) specification which is being increasingly deployed within iBeacon and Maker (open source hardware) communities.

Continue reading Introduction to Bluetooth Low Energy Security