Wednesday, April 9, 2008

RMS security in J2ME

Many mobile applications require a username and password to sign in to some service.
Very often those applications allow you to save the username/password data in the phone's memory to allow automatic sign-in.

I believe that many software developers don't consider the risk that MIDlet RMS data on the phone is mostly not encrypted. That means that someone with some knowledge could easily extract the RMS data from the phone. If the password is not encrypted it can be easily viewed (using Windows Notepad!!!!).

What an attacker would probably do:
  • download Oxygen Phone Manager
  • while someone has left their phone unattended, connect to it via Bluetooth and extract all phone data.
  • read all the data that is stored in the application's memory.

That's it!

Check out Bouncy Castle (a lightweight crypto API that also runs on J2ME).
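As an added example (not code from the original post), this is what "encrypted before it goes into RMS" can look like with the Bouncy Castle lightweight API. It assumes the org.bouncycastle.crypto classes are bundled into the MIDlet jar and that the caller supplies a user-entered PIN plus a random salt and IV (both may be stored in the clear next to the record; only the PIN must stay secret).

```java
// Added example: keep the saved password encrypted inside RMS so that a copied
// record store (e.g. pulled over Bluetooth) yields only ciphertext.
// Assumes Bouncy Castle lightweight API (org.bouncycastle.crypto) is in the jar.
import javax.microedition.rms.RecordStore;
import javax.microedition.rms.RecordStoreException;
import org.bouncycastle.crypto.CipherParameters;
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.engines.AESEngine;
import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator;
import org.bouncycastle.crypto.modes.CBCBlockCipher;
import org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher;
import org.bouncycastle.crypto.params.ParametersWithIV;

public final class SecureCredentialStore {
    private static final String STORE = "credentials"; // hypothetical store name

    // Derive a 128-bit AES key from the user's PIN with PBKDF2 (PKCS#5 v2, 4096 iterations),
    // so no fixed key sits in the MIDlet jar or in RMS where it could simply be copied.
    private static CipherParameters deriveKey(char[] pin, byte[] salt, byte[] iv) {
        PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator();
        gen.init(PKCS5S2ParametersGenerator.PKCS5PasswordToUTF8Bytes(pin), salt, 4096);
        return new ParametersWithIV(gen.generateDerivedParameters(128), iv);
    }

    // AES/CBC with PKCS#7 padding; forEncryption selects direction.
    private static byte[] crypt(boolean forEncryption, CipherParameters params, byte[] in)
            throws InvalidCipherTextException {
        PaddedBufferedBlockCipher cipher =
            new PaddedBufferedBlockCipher(new CBCBlockCipher(new AESEngine()));
        cipher.init(forEncryption, params);
        byte[] out = new byte[cipher.getOutputSize(in.length)];
        int n = cipher.processBytes(in, 0, in.length, out, 0);
        n += cipher.doFinal(out, n);
        byte[] result = new byte[n];
        System.arraycopy(out, 0, result, 0, n);
        return result;
    }

    // Only ciphertext is written to the record store; the plaintext password never is.
    public static int savePassword(char[] pin, byte[] salt, byte[] iv, String password)
            throws RecordStoreException, InvalidCipherTextException {
        byte[] ct = crypt(true, deriveKey(pin, salt, iv), password.getBytes());
        RecordStore rs = RecordStore.openRecordStore(STORE, true);
        try { return rs.addRecord(ct, 0, ct.length); } finally { rs.closeRecordStore(); }
    }

    // A wrong PIN normally fails here with InvalidCipherTextException (bad padding)
    // instead of handing back a password.
    public static String loadPassword(char[] pin, byte[] salt, byte[] iv, int recordId)
            throws RecordStoreException, InvalidCipherTextException {
        RecordStore rs = RecordStore.openRecordStore(STORE, false);
        try { return new String(crypt(false, deriveKey(pin, salt, iv), rs.getRecord(recordId))); }
        finally { rs.closeRecordStore(); }
    }
}
```

The salt and IV must be unpredictable; on CLDC, where java.security.SecureRandom is unavailable, they have to come from a proper entropy source you supply, not from java.util.Random.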
