Symbian Platform Security – hacked?

(Via: Gábor Török and Antony Pranata)

Well, hacked – sort of. Apparently it is possible to obtain the AllFiles capability for your applications by changing a few lines in Nokia Software Update (NSU) files and flashing your phone, as described here.

For developers, that means that with a certain amount of effort they will be able to make their lives a bit easier and explore previously hidden features of SymbianOS.

For hackers, that means that they can access the data cages of all applications on a stolen phone (e.g. with Y-Browser with the AllFiles capability) and extract passwords from configuration files (e.g. e-mail, IM client, browser, virtually all applications that access internet services and store passwords on the mobile without encryption).

This is the first publicly available evidence that 3rd parties can obtain AllFiles and other capabilities available only to phone manufacturers. Symbian Platform Security was considered to be “unbreakable” so far, and technically it still is – the blunder is really on NSU's part.


Comments

2 responses to “Symbian Platform Security – hacked?”

  1. “For hackers that means that they can access data cages of all applications on a stolen phone (e.g. with Y-Browser with AllFiles capability) and extract passwords from configuration files (e.g. e-mail, IM client, browser, virtually all applications that access internet services and store passwords on the mobile without encryption)”

    Nice idea, but I don’t think it would work… All that private data will be wiped as the hack uses NSU… however you may be able to back up to memory card and then restore, but I don’t think that would restore the caged data…

  2. User data (including application private data) is left intact during firmware upgrade. Backup/restore also preserves user data (including data cages) – otherwise you’ll have to completely reconfigure your phone after each firmware update.
