Welcome to the NowSecure #MobSec5 – your weekly dose of mobile security news.
This edition includes:
- Seventy-eight flaws patched in Android
- Can Frida help you cheat at Pokémon GO?
- Signal app developer receives its first subpoena
- A botnet of IoT cameras crashed Krebs’ site
Thanks for reading. Have a good weekend, be good, stay safe, and take it easy on our robot brethren.
Google melts 78 Android security holes, two of which were critical
The Android security update for October patches 7 critical and 40 high-severity vulnerabilities. The majority of users don’t update in a timely fashion (less than 20 percent of users had adopted Android 6.0 Marshmallow as of Sept. 5). If you can’t count on the mobile devices that connect to enterprise assets being up to date and secure, what can you do? Make sure that corporate data isn’t exposed by the apps your workforce uses, regardless of the security posture of their devices. For tips on ridding your enterprise of leaky mobile apps, join NowSecure CEO Andrew Hoog next Tuesday (Oct. 11 at 10 a.m. CT) for his webinar “Leaky Mobile Apps: Stemming the Flood of Private Data,” part of BrightTALK’s online Privacy and Security Summit.
David Weinstein NowSecure Research Lead Twitter Chat Next Thursday
To celebrate OWASP AppSecUSA taking place next week, NowSecure research lead David Weinstein (@insitusec) will take to Twitter to answer all the questions you can throw at him about the NowSecure research team, mobile app security, automating security testing, testing tools, and more. Join us on Twitter Thursday, October 13 at 11 a.m. CT (12 p.m. ET) and submit your questions using the hashtag #NowSecureLive.
FLOSS Weekly 406 Frida
Frida creator and NowSecure Security Researcher Ole André V. Ravnås joined FLOSS Weekly host Randal Schwartz to discuss what problems Frida solves and its many use cases. One such use case is mobile app security testing: “On iOS, for example, when an app asks for GPS coordinates, we use Frida to replace that API call and say, ‘Hey, it’s this location.’ Then we’ll look at the network traffic. If we see the same position that we injected, that means the app has a privacy issue, and we report that back in the test results.” Listen in to find out whether you can also use Frida to change your iOS device’s GPS coordinates in order to cheat at Pokémon GO. Ole also just released Frida 8.0 on Tuesday.
Man in the middle attacks on mobile apps
Source Code for IoT Botnet ‘Mirai’ Released
(Krebs on Security)
Krebs reports that Mirai “spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.” According to an Akamai blog post, the majority of the devices involved in a record-breaking Mirai DDoS attack on Krebs’ website were security cameras and DVRs. NowSecure Researcher Jake Van Dyke evaluated the security of a number of IoT cameras and their associated mobile apps and wasn’t surprised to find a number of security issues.
Grand jury subpoena for Signal user data, Eastern District of Virginia
(Open Whisper Systems)
Password Storage In Sensitive Apps
(BBQ and 0days)