Full Report
This week, Charl van der Walt and I (Saurabh) spoke at the Mobile Security Summit organized by IIR (http://www.iir.co.za/detail.php?e=2389). Charl was the keynote speaker and presented his insight on the impact of the adoption of mobile devices throughout Africa and the subsequent rise of security-related risks. During his talk, he addressed the following:

- Understanding the need for mobile security to be taken seriously in Africa
- Analysing the broader implications for the user and the company
- The types of attacks occurring against mobile devices
- What does the future of mobile security look like and what are the potential threats to users?
- Understanding the particular threats posed by smartphones and other portable devices, e.g. tablets

The presentation can be accessed via the link below:
Analysis Summary
# Industry News: SensePost Keynote Highlights Rapid Mobile Security Risks in Africa and Tool Release
## Summary
SensePost executives presented at the Mobile Security Summit 2011, focusing on the rapidly increasing mobile security risks associated with device adoption across Africa and detailing specific vulnerabilities in iOS and Android. A key announcement was the release of **Manifestor.py**, a new Python script designed to aid penetration testers in identifying permission-based flaws within Android applications.
## Key Details
- Date: 01 November 2011 (Approximate publication date)
- Companies Involved: SensePost, IIR (Organizer)
- Category: Industry speaking engagement, Tool/Proof-of-Concept Release
## The Story
SensePost, represented by Charl van der Walt (Keynote Speaker) and Saurabh, participated in the Mobile Security Summit organized by IIR. Charl van der Walt’s keynote addressed the need to take mobile security seriously in Africa, analyzed the implications for users and businesses as mobile device penetration grows, and forecast future threats. Saurabh’s presentation focused instead on technical vulnerabilities, detailing the architecture, permission models, and practical attack vectors for both iPhone and Android platforms. Saurabh also released an early-stage proof-of-concept tool, **Manifestor.py**, intended to help security professionals automate the discovery of permission-related security flaws in Android apps.
## Business Impact
### For the Companies Involved
- **SensePost:** The presentations and tool release position SensePost as a leading voice and technical authority in emerging mobile security threats, particularly in high-growth regions like Africa. This enhances brand recognition, drives consultancy demand, and showcases their technical R&D capabilities.
### For Competitors
- Competitors focusing solely on traditional enterprise security may be perceived as lagging, as SensePost successfully highlighted the critical nature of mobile security adoption, especially in developing markets.
### For Customers
- Organizations operating or expanding into Africa need to immediately address comprehensive mobile security strategies, as outlined by the keynote. For technical teams, the release of Manifestor.py offers a new (albeit early-stage) resource for proactive security testing of Android deployments.
### For the Market
- This emphasizes that mobile exploitation is moving beyond theoretical risk to practical, regionalized business challenges, particularly regarding the security implications of widespread smartphone adoption in emerging economies.
## Technical Implications
The session directly addressed the technical underpinnings of major mobile platforms:
1. **iPhone Security:** Focused on application layout, decryption techniques, and what security researchers can achieve by reverse-engineering apps.
2. **Android Security:** Deep dive into architecture, the permission model, sandboxing, and practical demonstrations of attacks.
3. **New Tooling:** Manifestor.py provides a specific utility for analyzing Android's permission system, often a weak point in application security design.
## Strategic Analysis
- **Market Positioning:** SensePost strategically positioned itself at the intersection of regional market growth (Africa's mobile adoption) and cutting-edge technical analysis, differentiating itself from vendors focused only on mature markets.
- **Competitive Advantage:** Demonstrating practical exploitation and releasing supporting tools (even in early stages) provides a tangible competitive edge over firms that only offer policy or high-level consulting.
- **Challenges:** The tool, being in an "early stage," requires further development and validation to become a stable, industry-standard tool, which presents an ongoing development commitment.
## Industry Reactions
- **Expert Commentary:** The emphasis on Africa suggests a growing recognition that mobile security issues are not confined to developed nations but are critical wherever adoption rates are spiking fastest.
- **Market Response:** The immediate availability of presentation materials and a downloadable tool suggests a healthy, open dialogue around advancing mobile defense mechanisms.
## Future Outlook
- Mobile security discussions will increasingly focus on specific geographical markets and the unique regulatory/infrastructure landscapes they present (the African context).
- Expect rapid evolution in tooling designed to test platform-specific vulnerabilities, especially around application permissions models on both major operating systems.
## For Security Professionals
Practitioners must enhance their focus on mobile application security testing, especially regarding Android's permission model. The themes discussed underscore the necessity of integrating mobile risk assessments into existing security frameworks, moving beyond basic device management compliance.