Black Hat USA 2017 ended yesterday, but “Hacker Summer Camp” continues through Sunday with DEF CON. You’ll see that a number of this week’s news items come from Black Hat talks. We’ve also included a list of mobile-security-related talks from DEF CON 25 and links to slides (where available).
This week’s digest of the mobile security news that matters includes:
- Researcher reports vulnerabilities in Apple Pay
- “Broadpwn” vulnerability could have compromised one billion devices
- Half of apps for children leaked data
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
DEF CON 25 Mobile-Security-Related Talks and Slides
- macOS/iOS Kernel Debugging and Heap Feng Shui – Min(Spark) Zheng & Xiangyu Liu
- Jailbreaking Apple Watch – Max Bazaliy
- Bypassing Android Password Manager Apps Without Root – Stephan Huber & Siegfried Rasthofer
- Unboxing Android: Everything you wanted to know about Android packers – Avi Bashan & Slava Makkaveev
- Ghost in the Droid: Possessing Android Applications with ParaSpectre – chaosdata
- I Know What You Are by the Smell of Your Wifi – Denton Gentry
- The Internet Already Knows I’m Pregnant – Cooper Quintin & Kashmir Hill – privacy issues in fertility/pregnancy-tracking apps
- Radio Exploitation 101: Characterizing, Contextualizing, and Applying Wireless Attack Methods – Matt Knight & Marc Newlin
- ‘Ghost Telephonist’ Impersonates You Through LTE CSFB – Yuwei Zheng & Lin Huang
Android Spyware Still Collects PII Despite Outcry
“Shanghai Adups Technology Co. was roundly criticized Wednesday during a Black Hat session for continuing to use spyware called Adups on at least two Android handset makers’ phones. Researchers said the company was still collecting personal identifiable information without user consent despite coming under fire for the practice last year.”
Third-party components in commercial or custom mobile apps can create security, privacy, or compliance problems, and security and development teams need to be aware of them. We recently launched NowSecure Intelligence – a cloud solution that continuously monitors the security status of mobile apps published on the Apple® App Store® and the Google Play™ store and identifies the third-party libraries used within those apps. Go here to learn more and apply for our early access program.
Internet of Things: Enhanced Assessments and Guidance Are Needed to Address Security Risks in DOD
(U.S. Government Accountability Office)
“The Department of Defense (DOD) has identified numerous security risks with IoT devices and conducted some assessments that examined such security risks, such as infrastructure-related and intelligence assessments.”
The report (PDF) published Thursday mentions that DOD officials said “existing DOD policies and guidance do not clearly address security risks of applications installed on DOD-issued devices.” Those risks included the unauthorized communication of data to third parties and rogue applications on DOD-issued phones.
We tested apps for children. Half failed to protect their data.
(The Washington Post)
“The apps we examined appear to regularly send potentially sensitive information—including device serial numbers, which are often paired with location data, email addresses, and other personally identifiable information—to third-party advertisers.”
“If you haven’t updated your iPhone or Android device lately, do it now. Until very recent patches, a bug in a little-examined Wi-Fi chip would have allowed a hacker to invisibly hack into any one of a billion devices. Yes, billion with a b.”
“The attack which can be performed against any device is carried out by intercepting and/or manipulating SSL transaction traffic, and allows attackers to replay or tamper with transaction data: change the amount or currency being paid, or change the delivery details for the goods being ordered.”
“Security researchers have revealed a recently discovered vulnerability in modern, high-speed cell networks, which they say can allow low-cost phone surveillance and location tracking.”
“Android O’s first developer preview brought us screen overlay notifications…Today’s release of the fourth and last O developer preview allows users to hide that notification, although there are still some other annoying ones that can’t be hidden.”
While screen overlay notifications coming to Android O may annoy some users, the notifications can prevent users from falling victim to Android overlay malware.
From Chrysaor to Lipizzan: Blocking a new targeted spyware family
(Android Developers Blog)
“Lipizzan is a multi-stage spyware product capable of monitoring and exfiltrating a user’s email, SMS messages, location, voice calls, and media. We have found 20 Lipizzan apps distributed in a targeted fashion to fewer than 100 devices in total and have blocked the developers and apps from the Android ecosystem.”
Google Play Protect scans for malicious apps
(Help Net Security)
“Google Play Protect is a security suite for Android devices, which brings together some old and some new features aimed at protecting users’ devices against harmful or malicious apps.”
“Last month, two watchdog groups sued the White House, claiming that widespread use of such apps violates the act and that the Trump Administration has failed to adopt policies to ensure that all communications about government business are retained.”
If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now via the NowSecure Subscription Center.