Software Integrity Blog

Author Archive

Grant Douglas


Grant Douglas is an associate principal security consultant at Synopsys. His primary area of expertise is in mobile security and tooling. He has worked on internal SAST and DAST tools and also produced external mobile tools which are used within the industry, including memscan, which was featured in ‘The Mobile Application Hacker's Handbook’ and ‘Learning iOS Forensics.’ Grant enjoys writing code, reading, and travel during his free time.


Posts by Grant Douglas:


How does the TeenSafe data leak present a classic false sense of security?

Security researcher Robert Wiggins recently uncovered a serious security issue in the TeenSafe “secure” monitoring product for Android and iOS platforms.

Posted in Cloud Security, Data Breach, Software Architecture and Design


Brace yourselves: Application transport security is coming

HTTP is a plaintext protocol. As such, it creates inherent security and privacy concerns when used by applications. Apple, for instance, has (finally) decided to start treating the secure alternative, HTTPS, as the de facto web protocol for iOS mobile apps. At WWDC16, Apple pointed out that enabling HTTPS doesn’t necessarily mean that you’re secure. There are many ways in which HTTPS can be improperly configured, resulting in the use of insecure connections.

Posted in Mobile Application Security


Integrating Touch ID into your iOS applications

What is Touch ID?

Touch ID is Apple’s fingerprint technology for iOS mobile devices. It allows consumers to unlock their phones and make purchases conveniently using their fingerprint(s). As of iOS version 8.0, Apple opened up Touch ID to developers by making APIs available for use in the SDK.

Biometric opinions

This post assumes you have performed your own risk assessment, are aware of the risks associated with biometric authentication technologies, and have decided that Touch ID is suitable for use in your application.

Why this post then?

The reason for this post is simple: I want to provide some information to allow software architects and developers to better understand Touch ID, the ways it can be included in your iOS applications, and what the security benefits of the different approaches are. These are all questions I hear regularly when providing iOS security consultancy.

Posted in Mobile Application Security


What is MEMSCAN and how to use it

What is MEMSCAN?

A Synopsys consultant, Grant Douglas, recently created a utility called MEMSCAN, which enables users to dump the memory contents of a given iPhone app. Dumping the memory contents of a process is a useful technique for identifying keys and credentials in memory. Using the utility, users are able to recover keys or secrets that are statically protected within the application but are less protected at runtime. Users can also use the utility to verify that keys and credentials are appropriately disposed of after use.

Posted in Mobile Application Security, Software Architecture and Design