We’ve got mobile security news galore for you in this week’s edition of #MobSec5:
- And the survey says…60 percent of responding organizations breached due to an insecure app
- A cute app asks for too much
- Developers need cybersecurity skills too
Thanks for reading. Have a great weekend, be good, and stay safe.
Mobile Security Gap Threatens Enterprises
“A sobering 60%, or six out of 10 of the respondents, say their organization had been breached as the result of an insecure mobile application over the past 12 months. The survey showed that less than 30% of mobile applications are tested for vulnerabilities.”
Ponemon Institute released its 2017 Study on Mobile and IoT Application Security this week. Approximately 60 percent of 593 IT and IT security practitioners told Ponemon that they “certainly,” “most likely,” or “likely” experienced a data breach because of an insecure mobile app. As part of a complete mobile security program, deploying and using secure mobile apps can significantly reduce enterprise mobility risk. Testing the security of mobile apps developed or used by the enterprise is the way to do it. Unfortunately, respondents reported that on average only 29 percent of mobile apps are tested for vulnerabilities.
“Beyond having dedicated experts, it is equally important to improve the practical security skills of all developers.”
Security isn’t solely the responsibility of any one team. In the spirit of DevOps, reducing enterprise mobility risk requires breaking down silos, spreading security awareness, and giving people the tools they need to make mobile apps more secure. That includes educating developers on secure coding, giving them tools that integrate with their workflow to provide continuous security feedback throughout the development cycle, and giving security analysts a tool for in-depth mobile app penetration testing. NowSecure Director of Services Katie Strzempka recently completed a three-part blog series about building a program that incorporates all of these aspects. Part one provides an overview of mobile app security program management, part two describes the right mobile app security testing tools for the job, and part three tells you how to establish mobile app security buy-in.
We reverse engineered 16k apps, here’s what we found
“For app developers reading this, whenever you hardcode any API key/token in the app, think hard if you really need to hardcode this, understand the API usage and the read/write scope of the tokens before putting it in the apps.”
Reverse engineering an app can expose vulnerabilities you might miss via other forms of assessment. Automated code analysis can identify obvious errors, do so at scale, and provide a good starting point. But a thorough assessment of the most critical mobile apps should include manual analysis. A human can apply creativity and ingenuity when reverse engineering an app to find issues automation can’t. In a NowSecure webinar this week, Solutions Engineer Michael Krueger and Security Researcher Jake Van Dyke explained the importance of reverse engineering your mobile app, what flaws you might find, and how to get started.
The top mobile threats of 2016
“If we learned anything in 2016, it’s that mobile threats are not going away – if anything, they’re growing, multiplying and becoming increasingly sophisticated.”
“Meitu’s APK manifest asks for no less than twenty-three permissions, including full network access, the ability to change settings, exact location, MAC address, local IP, and more.”
Have you seen the photos circulating this week that depict political leaders with painted lips, rouged cheeks, and sparkling eyes? You can thank Meitu, a photo-editing app whose popularity recently surged. Unfortunately, like many popular apps, Meitu hides a cesspool of potential risk behind the cute factor. Many people who download Meitu don’t realize just how much data they’re sharing with the app and its developers. If you’re responsible for your organization’s mobile security policies, you’ll want to evaluate the many permissions requested by the Meitu app for Android.
Silence speaks louder than words when finding malware
(Android Developers Blog)
“Among others, the DOI score flagged many apps in three well known malware families—Hummingbad, Ghost Push, and Gooligan. Although they behave differently, the DOI scorer flagged over 25,000 apps in these three families of malware because they can degrade the Android experience to such an extent that a non-negligible amount of users factory reset or abandon their devices.”
App Security Improvements: Looking back at 2016
(Android Developers Blog)
“In April 2016, the Android Security team described how the Google Play App Security Improvement (ASI) program has helped developers fix security issues in 100,000 applications.”
Someone Finally Took Away Donald Trump’s Phone
(New York Magazine)
“The New York Times reports that he’s now using ‘a secure, encrypted device approved by the Secret Service with a new number that few people possess.’”
Here’s why it’s a bad idea for Trump to use an off-the-shelf smartphone.
Cortana is coming to your lock screen on Android
“It’s important to mention that Cortana on lock screen doesn’t require you to unlock your phone — so anyone would theoretically be able to access your data without having to unlock the device.”
Minnesota court on the Fifth Amendment and compelling fingerprints to unlock a phone
(The Washington Post)
“A new decision from the Minnesota Court of Appeals rules that the Fifth Amendment does not bar the government from compelling a suspect to unlock his smartphone using the fingerprint sensor.”
“While Vincenzetti’s words are predictable, they underline the tension between surveillance tech companies and the hackers who have targeted them, often working as self-appointed defenders of privacy and freedom.”
Who is Anna-Senpai, the Mirai Worm Author?
(Krebs on Security)
“If you’ve ever wondered why it seems that so few Internet criminals are brought to justice, I can tell you that the sheer amount of persistence and investigative resources required to piece together who’s done what to whom (and why) in the online era is tremendous.”
Why WhatsApp’s ‘Backdoor’ Isn’t a Backdoor
“Encryption experts concede key changes on any platform is an imperfect process, but far from a backdoor vulnerability.”
“China sees mobile app stores as an untamed frontier with too much free expression and rampant malware, and it’s determined to put a stop to both.”
Number Of Data Breach Disclosures Jumped 40% in 2016
“Though there were no mega breaches, 2016 had more breaches on record than any previous year, according to a new report.”
Samsung Investigation Blames Battery Size for Galaxy Note 7 Fires
(Wall Street Journal)
“The conclusion, which will be unveiled by Samsung on Monday, helps to explain the technology giant’s product recall that damaged its brand and will end up costing the company at least $5 billion.”
“A Tesla driver was stranded in Red Rock Canyon near Las Vegas after the car’s keyless control app suddenly stopped working.”
This is less a smartphone app failure than a failure to realize that when you’re outside your service area, mobile apps that need an Internet connection in order to function simply won’t work.
P.S. If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now via the NowSecure Subscription Center.