Andreas Kurtz studied Medical Computer Science at Heidelberg University and graduated in 2007 with distinction. Since then he has worked as a full-time professional in the information security industry. In 2011 he co-founded NESO Security Labs, a security research and consulting company based in Heilbronn, Germany, together with Tobias Klein (author of “A Bug Hunter’s Diary”). He regularly conducts security assessments and penetration tests for large-scale enterprises as well as public authorities and delivers application security lectures and trainings.
Alongside his industry activities, Andreas is also engaged in the academic field. In 2016 he received his PhD degree in Computer Science (Information Security) from the Friedrich-Alexander-University Erlangen-Nürnberg. During his recent research on the security and privacy of mobile applications, particularly on Apple’s iOS platform, he uncovered a wide range of vulnerabilities in Apple’s iOS, in iOS system apps, and in popular third-party apps (e.g., WhatsApp Messenger, iPin, Telekom, etc.), including their web service interfaces. Andreas regularly publishes his research results in magazines and journals and presents them at both academic and industry conferences (OWASP, DeepSec, Shakacon, Privacy Enhancing Technologies Symposium, etc.).
PhD in Information Security, 2016
Friedrich-Alexander University Erlangen-Nuernberg
Dip. in Medical Computer Science, 2007
or the False Sense of Security of Dropbox’s Passcode Protection
Since the release of iOS 8, the Touch ID fingerprint sensor can also be used in third-party apps. The Local Authentication framework provides an API through which users can conveniently use their fingerprint to authenticate themselves, both in apps from the App Store and in enterprise apps. In the medium term, we expect more and more apps to switch to fingerprint-based user authentication.
A comparison before and after iOS 8 was released
As part of one of our recent research projects, we evaluated how malicious third-party apps could affect user privacy despite the various security controls and the solid security architecture of the iOS platform. To that end, we reviewed the iOS app sandbox model for weaknesses, and indeed found some. Some of these defects, which Markus Troßbach and I disclosed to Apple a while back, have been addressed with yesterday’s release of iOS 8 (CVE-2014-4361, CVE-2014-4362).
A few weeks ago, I noticed that email attachments within the iOS 7 MobileMail.app are not protected by Apple’s data protection mechanisms. Clearly, this contradicts Apple’s claim that data protection “provides an additional layer of protection for (…) email messages attachments”. I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account, which provided me with some test emails and attachments.