As technology users increasingly rely on mobile devices, there is a need for improved mobile security testing technologies. It’s a need that entrepreneur and security expert Georgia Weidman is aiming to address with her new startup, called Shevirah.
Weidman, no stranger to the world of mobile security, was the recipient of a Defense Advanced Research Projects Agency (DARPA) Cyber Fast Track grant in 2012 for her open-source Smartphone Pentest Framework project. In 2015, Weidman was accepted into the Mach37 Cybersecurity accelerator program, which invests in security startups and provides tools and training to launch companies.
With Shevirah, Weidman’s plan is to build on the work she has already done with the Smartphone Pentest Framework and provide a professional version. “The Smartphone Pentest Framework is open source, and the professional version will have additional features, including a nice user interface and support,” Weidman told eWEEK.
Weidman had been building the Smartphone Pentest Framework as part of her other company, Bulb Security. All the work and intellectual property for the professional product will be done as part of Shevirah, but Bulb Security will continue to exist as a company for security consulting and training, she said.
Shevirah, which is both the company and the product name, is derived from an idea originally based in Jewish Kabbalah.
“Shevirah in the Kabbalistic tradition is the destruction that allows the world to be recreated in harmony,” Weidman said. “This product will hopefully be disruptive in the security space and really help to solve the mobile security problem.”
While Shevirah will be a professional product, it will still have command-line functionality. There will also be a slick graphical user interface to make the product more attractive to potential business users, she added.
The mobile attack surface today is very broad with different devices, operating systems and programming languages. Weidman is already seeing organizations asking for penetration testing services for mobile apps in the same way they have been for custom Web applications. However, there are some significant differences in the mobile space from the traditional Web space, she said.
Mobile device management (MDM) platforms claim that they can detect devices that have been jailbroken. Weidman said that she tests devices to see if there is a way to avoid the MDM platforms’ jailbreak detection.
With mobile, while the device can be attached to a corporate network, the device by default also has a backchannel over 3G/LTE that can’t be easily controlled, if at all, by the enterprise.
“I started doing research into mobile botnets over text messaging running in the background,” Weidman said. “You could have a complete botnet on a mobile device that bypasses any security controls that an enterprise has in place.”
Often when there is a mobile app security exploit, a best practice that is cited by security experts is that users shouldn’t jailbreak their devices and should only download apps from the official app stores. While that advice isn’t inaccurate, Weidman said there are still other mobile risks.
“We shouldn’t expect Apple or Google to make a device that is completely secure,” Weidman said. “If you turn the device off, melt it and bury it, then maybe it will be entirely secure—that’s the nature of things.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.