Welcome to NowSecure’s weekly round-up of mobile security news that matters, in no particular order – the #MobSec5.
- Security researcher Luca Todesco (@qwertyoruiop) has released a code-signing bypass method that he claims is fixed in iOS 9.3. Apple made a seventh beta version of iOS 9.3 available this week, and some speculate that Apple will release iOS 9.3 to the general public sometime this spring.
- Researchers at Palo Alto Networks released details of “AceDeceiver,” which is Chinese malware capable of infecting non-jailbroken iOS devices. AceDeceiver differs from other iOS malware in that it does not use enterprise certificates to install itself on a device. Instead it exploits flaws in FairPlay, Apple’s digital rights management (DRM) technology.
- MITRE Corporation, the organization responsible for issuing Common Vulnerabilities and Exposures (CVE) identifier numbers, received 20,000 vulnerability reports in 2015, twice as many as in 2014. In an effort to keep up with the increased volume, MITRE announced a pilot of the new Federated CVE-ID Assignment Process. The program will open up the vetting of vulnerabilities and the issuance of CVE numbers to a group of partners beyond MITRE alone.
- Security researcher Chris Vickery discovered an unprotected database open to the Internet that contained email addresses, usernames, and hashed passwords for more than 198,000 users of the decommissioned Kinotopic iOS app. The app creates animated photos and GIFs and was removed from the Apple App Store in 2015.
- NowSecure researcher Ryan Welton made his Android Kernel Exploitation Playground free and open source this week. The playground mimics real-world flaws in the Linux kernel (focusing on Android) and provides a hands-on guide to exploitation.
Sign up here for #MobSec5, NowSecure’s weekly round-up of mobile security news.