This week’s bushel of hand-picked mobile security news includes:
- Just six percent of mobile app development spend is on security
- Dirty COW exploit plug-in for Radare2 released
- A new class of mobile pwn-age – Drammer
- And more
Thanks for reading. Have a great weekend, be good, and stay safe.
How to avoid mobile app security scares
(Microsoft Office Blogs)
“The mobile devices, apps and policies that enable mobility have created a new generation of workers. But as the electronic net widens, organizations face increased security risks.”
Developers and software companies spend $34 million on average for mobile app development, but a mere six percent of that goes toward security according to a study quoted by the article. NowSecure and the Security by Design community are correcting this imbalance by helping developers prioritize security in the SDLC. Today, NowSecure CEO Andrew Hoog spoke at the group’s inaugural conference about the fundamentals of Android and iOS app security (slides). If you seek good mobile app security resources for developers, look no further than our Secure Mobile Development Best Practices.
The Dirty COW vulnerability and mobile impact
“The Dirty COW vulnerability impacts many mobile devices. I analyzed it and its exploit and ended up writing a plugin for Radare2.”
Last week’s issue highlighted the Dirty COW vulnerability in the Linux kernel which affects the Android operating system. This week Radare creator and NowSecure Mobile Security Analyst Sergi Àlvarez i Capilla released a Radare2 plug-in that exploits the vulnerability on Linux and Android.
“Permission-less apps take only seconds to root phones from LG, Samsung and Motorola.”
Researchers released details this week (including video demonstrations) of an exploit, named Drammer, that is the first to execute the Rowhammer attack on mobile devices. The Google Project Zero blog published information about Rowhammer in March 2015, but until now there was doubt about whether it could be used to attack mobile devices. The attack exploits a hardware bug, rather than an Android vulnerability, and as a Wired article about Drammer explained, “You can’t replace the memory chip in Android phones that have already been sold, and even some of the software features Drammer exploits are so fundamental to any operating system that they are difficult to remove or alter without impacting the user experience. In other words, this isn’t easy to fix in the next generation of phones much less existing ones.”
“Using multiple Android bugs that were present even in a Nexus 6P that was equipped with the latest monthly security patches, the team managed to get a rogue app installed on the phone, accessing user data but not fully unlocking the device.”
“Researchers have discovered a number of severe flaws in IoT tracking devices linked to mobile devices.”
IoT Device Maker Vows Product Recall, Legal Action Against Western Accusers
(Krebs on Security)
“A Chinese electronics firm pegged by experts as responsible for making many of the components leveraged in last week’s massive attack that disrupted Twitter and dozens of popular Web sites has vowed to recall some of its vulnerable products, even as it threatened legal action against this publication and others for allegedly tarnishing the company’s brand.”
“Researchers say they may be able to reverse-engineer information about how Cellebrite extracts data from phones.”
“Ruxcon Hacker Wanqiao Zhang of Chinese security house Qihoo 360 has blown holes in 4G LTE networks by detailing how to intercept and make calls, send text messages and even force phones offline.”
Freeing my tablet (Android hacking, SW and HW)
“I wanted to run a Debian chroot in my tablet; and there was no open-source rooting process for it. That triggered me enough to have a deeper look at Android, and eventually completely dominate my tablet.”
Sign-up to get the #MobSec5 weekly e-mail newsletter in your inbox.