ios7

Protect yourself from iOS and OS X Security breach

Posted by

0

The news over the last few days about Apple’s security bug is daunting. While we tend to hate media’s scare tactics when it comes to tech “news,” we do believe that when it comes to mobile security, especially in this case, there is much more harm in NOT updating your iPhone, iPad or Macbook than waiting.

The current security breach is said to allow a hacker to get in between the initial verification handshake connection between the user and the  server (the classic Man-in-the middle attack), enabling the bad guy to show up as  as a trusted server instead of a interfering hacker trying to steal your data. So all those connections you see as secure and encrypted (think bank, children’s school inter web, email, etc) is now open to interference and possible breach of sensitive data such as your family’s detailed information, your bank account numbers, and more.

Ashkan Soltani, who frequently writes about mobile security,  writes in his blog:

The severity of the problem doesn’t immediately come across in Adam’s blog post, but it’s pretty huge. Effectively, this vulnerability allows a moderately sophisticated attacker to monitor your communications with even the most secure sites and services. Specifically, many of the core programs on iOS and OS X rely on this library for communications, which means ANY app that relies on this library (not just Safari) was vulnerable. For example, when your Calendar or Mail.app synced to Gmail, those communications were vulnerable to eavesdroppers on the network as a result of this error.

apple-gotofail-apps

 

image from ashkansoltani.org

The iOS fix for iPads and iPhones is out now so if you use either one of the devices, we highly recommend updating to these versions to get the patch – right now.  For MacBooks, no OS X fix is out yet – so we recommend NOT using Safari until there is a fix – use Firefox or Chrome instead.

 

 

Securing your Email with S/MIME

Posted by

1

Today we start an awesome mini-series from one of our support gurus, DragonFly, about how S/MIME works in general, with following tutorials on how to implement S/MIME in TouchDown on iOS, Android and Mac platforms.  Check out today’s tutorial on iOS!

Hi,

Dragonfly from NitroDesk support here. In the following, today I’ll be describing how to import and use S/MIME in Touchdown for iOS. Using this functionality you can sign messages, proving that you are the person sending that particular message, and optionally encrypt them, meaning the email will only be readable by people who you have included in the message. Signing provides you with non-repudiation and potentially detect tampering on the fly and encryption prevents unauthorized viewing of the message. This type of functionality is great for keeping your emails safe and ensuring that information’s coming from the right source. (For more information on how S/MIME works, here’s a good tutorial: http://technet.microsoft.com/en-us/library/aa995740%28v=exchg.65%29.aspx) Just know that to send an encrypted email, you need to have the recipient’s public key and vice versa- these can be verified from within Touchdown when that person sends you a signed message. Here’s what you’ll need before you get started:

First, you’ll need a certificate for S/MIME signing and the latest version of Touchdown. To get a certificate for S/MIME, you’ll want to contact your IT team. Also, keep in mind the only two certificate types Touchdown supports is .pfx and .p12. The certificate would need to include the complete chain to the root certificate authority.

If you have your certificate already in IE, but need to export it to your desktop,Here’s how (in IE):

1. Go into the Settings>Internet Options, and clicking on the Content tab.

2. Click on Certificates, and find the one you want to export

3. Click Export. Make sure you choose the option to export the private key and also to include all certificates in the certification path.

4. Choose a file path, and save it.

5. Don’t forget to  remember the password you use to perform the export. This password prevents anyone else from being able to access the certificate. If you’re having difficulty with this process, contact your IT team and see if there’s another way you should be doing it. As with any operations like this, make sure you are staying within your IT team’s best practices so you stay in alignment with any security policies.

6. Once you have your certificate backed up to a file, send that file to your email as an attachment, and you’re ready to go.

Let’s start with the iOS version.

S/MIME for iOS

In this demo, I show how to send an encrypted email to the ‘welovenitrodesk’ account.

First, I want to ensure that I have my certificate for S/MIME, so I find the email with the attached certificate, and view it in the attachment list.

IMG_0007
The attached certificate, note the file type is .pfx. 

After downloading, I click the ‘I’ icon and choose to ‘Import for both.’

IMG_0008
Choose Import for Both.

A password prompt appears.

IMG_0009
Enter your certificate password here that was created when you generated the certificate. 

After entering the correct password (This is set up during certificate exporting from your browser, for help with this  please contact your IT team) it will tell you your certificate has been saved.

IMG_0010
Saved certificate message. 

Now that I have a certificate, I’m ready to send the account  welovenitrodesk an encrypted message:

I click on the tools/options icon and enable Encryption and signing.

IMG_0011
Tools icon to enable encryption signing.

IMG_0012
Enable signing and encryption for the email.

I send the email. If you suddenly see this message (see below), it means you didn’t validate the recipient’s public certificate key from a signed message. (This can also be done over the GAL if your company supports it.) Remember how I said earlier that to send an encrypted email, you need the recipient’s public key? Now I just need to fetch it. Thankfully, a while back welovenitrodesk sent me a signed message, which contains the key.

IMG_0016
Oops!

I find the email where welovenitrodesk sent me the key, and click on the lock icon.

IMG_0017
Welovenitrodesk sent me a signed message.

I click ‘verify signature’ and it verifies.

IMG_0018

Now I can send that encrypted message!

The second time, I attempt to send the encrypted message again. This time it comes through.

Back in welovenitrodesk, after having imported the public certificate and the welovenitrodesk certificate, I check the encrypted message, and am able to successfully decrypt it.

IMG_0020

The signed and encrypted email.

Clicking on the lock icon, I can confirm that it is indeed signed and encrypted.

Hope this helps you get a better understanding on how to use S/MIME functionality with Touchdown for  iOS. If you have any questions, please feel free to contact us at  iossupport@nitrodesk.com for any iOS queries. Be sure to check in on Monday for Part II, SMIME for Android. Thanks for reading!

Hot off the Press – new version of TouchDown for iOS

Posted by

1

Yes, yes, yes, it’s a holiday present for you !  Fresh in the iOS App Store, you will find the newest iOS release of TouchDown (3.6.2) with these updates:

  • SMIME support fixes
  • Updated layout for the iPad
  • Updated supported for Themes

How to access these fun new themes?  Simply go to Setting—->General—>Themes.

Pick the one of your choice, and exit out of  the app and reopen to see the changes. Here’s a few shots:

Forest Color Palette

Forest Theme of iOS

Dawn Color Palette with calendar event pop-up

TouchDown for iOS Dawn Theme

Ocean Color Palette in Contacts

Ocean Theme TouchDown for iOS

**In order to see everything change to the new theme, you will need to CLOSE the App, then reopen, and you will see the theme applied to each element.

Have fun!

Why TouchDown will never be Fingerprint Scan Enabled

Posted by

5

Those who know TouchDown, NitroDesk’s secure email and productivity client, know that we are obsessed with the security of your data – both corporate and personal.  With the new shiny iPhone5S coming out, a lot of users have asked us if we’ll incorporate the new fingerprint scan measures into our iOS app.  (Disclaimer – I do use an iPhone  as one of my devices, and love it, so I’m not just hating on the iPhone.)

Currently, Apple has not released any of its information to developers, so development of apps to include this technology is not possible , our developer says, until Apple decides to let developers in on its new feature.  For us at TouchDown however, there are more security-related issues to be concerned about.

Security usually works in two ways:  to protect your data, you either utilize something you know in your head, like a pin or password for example, or something you have – like a card that needs to be scanned, or in this case, your finger.  But what happens when the item is out of the control of the user? In the case of biometrics, specifically a user’s finger, there are several thoughts that come to mind..

Lets say you are just a bit too drunk at a corporate dinner, on a fabulous first date, or at that fabulous party sponsored by one of the tech companies after a long conference.  If you’re drunk enough it is not too difficult to ‘help you’ place your finger on your device.  Don’t drink too much, you say? There are plenty of substances out there meant to incapacitate you mentally by dropping a little something in said beverage.

Perhaps you are walking down the street with your new biometrically secured phone and “slam!” you are rendered unconscious by a blow to the head by a mugger.  Now that you are no longer in control of your finger, it is incredibly easy for said mugger to utilize your digit to unlock all your data.

Even if you are just in a super deep sleep, it would not take much to pick up the ever-present finger and touch it to your device with a bit of pressure.

So you see, the inherent problem lies in utilizing a security measure that is not in your head, but is instead something you have, especially when that something is attached to your body and fairly easy to get to (versus your pupil, for example).  As soon as you are mentally incapacitated, your fingerprint is just to easy to use. So, while we don’t think evil-doers will start cutting off fingers, it’s not to hard to imagine owners of high-in-demand fingerprint-secured devices being drugged, encouraged to inebriate themselves, knocked unconscious or otherwise forced to lose control over their digits.

Which all boils down to the fact that information in your head is still just safer.  Especially when unconscious.  Now, I did read somewhere that the fingerprint technology in the 5s is designed to detect a live finger from a dead one… If that technology gets to a point where it can detect an inebriated finger, it would be a completely different story of course. Until then…

 

Dr. Ferdico

Backing up your iPhone before you install iOS7

Posted by

0

Many iPhone users are giddy with excitement today, feverishly refreshing their ‘check for updates’ or checking the App store, waiting to install the new iOS7. And although all has gone well for those of us who have beta tested it, I always, always encourage you to back up your old OS before jumping to the new.  So, while you wait for the magic time (10am Pacific time perhaps??) that has yet to be announced, heres a quick refresher of how to back up your iPhone to your computer.  Thank me later !

 

itunes-store-ios-7-icon-256

Backing up to iTunes:

#1: Connect your iPhone to your desktop/laptop with your USB cable.

#2:  iTunes will launch automatically   and start the sync process, and if your phone is set-up for auto back-up, this will start the back-up process. If not, go on to the next step.

#3: Click on the “Summary” button for your iPhone. Click on the Back Up Now button.  Ta-da!!

Backing up to iCloud:

#1: Connect to Wifi

#2: Tap on your Settings icon

#3: Tap on iCloud

settings

 

#4: Tap on “Storage and Back-up” , then “Back up now.”  The back-up process will start immediately.

storagebackup    backupnow

Now that you are backed up,  install what you like.