How the heck are ya?
Served up hot ‘n’ fresh just for you, this week’s digest of the mobile security news that matters – the NowSecure #MobSec5 – includes:
- Security highlights from this week’s Google developer conference
- iOS update patches 47 vulnerabilities
- Netflix says no to root
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
“Today at the annual Google I/O developer conference, we learned about all the updates coming to the latest version of Google’s mobile operating system, dubbed Android O for now—at least until its official release later this year.”
At the Google I/O conference this week, two talks focusing on security were of particular interest. Android Security Director Adrian Ludwig and Product Manager Xiaowen Xin presented “What’s New in Android Security” which, among other items, included details about the new Google Play Protect service focused on device, data, and app security for Android users. In another session, software engineer Darren Kahn discussed “Security for IoT on Android Things” and how the Android IoT platform helps developers balance the costs of building security into IoT devices and the risks of not doing so.
About the security content of iOS 10.3.2
“This document describes the security content of iOS 10.3.2.”
The bulletin lists 23 fixes in the update that patch 47 vulnerabilities.
“Carriers and OEMs should be cut out of this part of the process.”
Google recently announced Project Treble – a new interface in Android O between the base Android OS and vendor implementations of it. Google claims the vendor interface will make it easier, faster and less costly for manufacturers to update devices to new Android versions. It seems that the initiative could be a win for mobile security. This op-ed, however, questions the project’s effectiveness based on the argument that carriers and device manufacturers benefit more from selling new devices than they do from supporting older ones. The author’s suggested solution is “Starting with Android O, Google should begin releasing Android’s monthly security updates to phones directly, cutting out carriers and phone makers entirely.”
“This is a good security feature as it’s possible for apps to fool you with overlays.”
Last week’s #MobSec5 included an item about an Android app permission, SYSTEM_ALERT_WINDOW, that allows an app to display over the top of another app without user notification. Attackers can abuse such a feature to display phony log-in screens to harvest user credentials. Mark Murphy of CommonsWare explained in a blog post that:
- Originally users were notified when an app requested the permission during installation
- Then in Android 6.0 users had to grant the permission manually in Settings
- Finally in Android 6.0.1 apps requesting the permission received it without user intervention or notification
Android O will notify the user when an app is displaying on top of another. Unfortunately, it seems users of Android 6.0.1, at the least, still won’t be notified of overlay screens and could be duped.
“This scares plenty of CIOs. Will apps written by citizen developers using rapid mobile app development tools be secure?”
“The U.S. Department of Health and Human Services, taking a cue from Congress, has begun developing principles and best practices for cybersecurity in health care, officials said Tuesday.”
At the Cybersecurity Framework Workshop 2017 event hosted by the National Institute of Standards and Technology (NIST) this week, an HHS official said “cybersecurity in the health sector is something we have to lean in on. The sector is looking to HHS.” The WannaCry ransomware attack that forced the UK National Health Service to direct patients elsewhere for medical care last Friday has reinforced the material effects of health care cybersecurity. On the NowSecure blog this week, CEO Andrew Hoog explained WannaCry and what needs to be done to secure wireless/Internet-connected medical devices.
Debating Codification of the VEP
“Today a bipartisan group of lawmakers introduced in both the House and Senate a bill that would formalize the Vulnerability Equities Process (VEP) into law.”
“Senate staffers can now use what is widely considered the world’s most secure messaging app.”
“If you have a rooted Android device, be aware that you may no longer be able to use the Netflix app going forward. The streaming company confirmed that its latest app update will block devices that are not ‘Google-certified or have been altered’ from accessing the mobile service.”
Netflix probably took this step to prevent the circumvention of Google’s Widevine digital rights management (DRM). Jailbroken/rooted devices are a controversial topic. Implementing jailbreak/root detection in mobile apps isn’t a best practice in every situation: you might exclude some of your more passionate mobile users, and in some cases it can lead to a false sense of security. We think a developer’s efforts are best focused on making sure their app is secure regardless of whether or not it resides on a jailbroken/rooted device. For more about jailbreak/root detection in mobile apps, read our explanation of why we don’t include it as part of our Secure Mobile Development Best Practices.
“Volvo and Audi are looking to do more with Android in its forthcoming connected vehicles, the companies announced on Monday ahead of this week’s Google I/O.”
Kevin Beaver, information security consultant and NowSecure guest contributor, has security and privacy questions for carmakers and explains why we need to pay attention to data security for connected cars in a post on the blog this week.
Don’t Click This Mysterious WhatsApp Link
“A malicious WhatsApp link is cropping up across social media and in inboxes everywhere.”
Cyber Kid Stuns Experts Showing Toys Can be ‘Weapons’
“11-year-old Reuben Paul stunned an audience of security experts by hacking into their bluetooth devices to manipulate a teddy bear and show how interconnected smart toys ‘can be weaponized.’”
“World’s largest smartphone maker faces stiff competition with launch of contactless system in UK.”
If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now via the NowSecure Subscription Center.