Thursday, May 14, 2009

Nokiagate: Nokia busy to fix the solution

Today I had an open and honest discussion with Nokia's representative about the Nokiagate. They have been working hard first to analyze the problem scope and then to fix it. As anyone who has been involved with mobile development surely understands, there is a huge number of different variants (operator, language, region) available for every device and also many variants of the email wizard itself. All the combinations must be fixed. When this job is done, terminal fixes will be published using the suitable channel, which is also device and market dependant. Some devices are likely to require a firmware update to fix the wizard.

The fixed email wizard will no longer send your password data to Nokia's deployment server and there will also be an offline option so that you can create an email account without any communications happening from your terminal to Nokia. To prevent future man-in-the-middle attacks, email wizard will enforce certificate validation that will prevent this kind of network traffic analyzing I've done when investigating this case. This of course raises a question how we will be able to verify that password is removed from the data...

They have also been fixing the server side implementation and current setup no longer tries to log in to your email server. Also a special security audit has taken place to ensure that confidential data really hasn't been stored to the servers. I was told that the result of the audit was that confidential data hasn't been stored, also the logs were not storing the passwords. In addition to that, some server locations have been changed.

I have a feeling that now things are moving to the right direction. There is a bug, nobody denies that. Bug has been analyzed and fixes will be deployed as soon as possible. I'm sure there will be a strict privacy audit for new solutions and hopefully we will not see problems like this again.


No comments: