Welcome to the week’s digest of the mobile security news that matters – #MobSec5.
This week’s edition includes:
- WireX – a botnet made up of thousands of compromised Android devices
- AccuWeather catches more flak for sharing iOS app location data
- Apple expected to announce new phones and iOS 11 on September 12
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
Tech Firms Team Up to Take Down ‘WireX’ Android DDoS Botnet
(Krebs on Security)
“This unusual level of cross-industry collaboration caps a successful effort to dismantle ‘WireX,’ an extraordinary new crime machine comprising tens of thousands of hacked Android mobile devices that was used this month to launch a series of massive cyber attacks.”
“From halting ransomware to blocking malicious apps and easing Android’s longstanding fragmentation woes, Oreo tackles some big problems.”
“Apple has sent out invites for its next big event on September 12th, where the company is expected to reveal the next iPhone, along with updates to the Apple Watch, Apple TV, and iOS software.”
Apple is expected to announce the public release of iOS 11 at an event scheduled for September 12. Join us two days later on September 14 for a webinar covering security enhancements in both Android 8 (Oreo) and iOS 11 and how they might affect your organization.
“The upcoming iOS 11 update means you’ll never have to remember your app password again.”
“New tests reveal that while one privacy-invading feature was removed in an app update, the app still shares precise geolocation coordinates with advertisers.”
Last week we told you about claims that the AccuWeather iOS app shared location data with a third party without explicit user permission. AccuWeather has since published an update to the app that removed the offending third-party SDK. Just today, we analyzed an updated version of the app and found that, with permission, it still sends GPS data to yet another advertiser. We explain the incident and some lessons to be learned from the episode on the NowSecure Blog.
“When Uber announced earlier this week it was rolling back a controversial feature that tracked users’ locations for five minutes after a ride, it may have seemed like a win for Uber’s friendlier ‘new’ image.”
Hardening the Kernel in Android Oreo
(Android Developers Blog)
“In Android 8.0 (Oreo), significant effort has gone into hardening the kernel to reduce the number and impact of security bugs.”
How to Tell if Your Android 8.0 Oreo Device Supports Project Treble
“Project Treble is arguably the most exciting change included in Android 8.0 Oreo, but not every device supports it. You can easily check if yours do!”
Google’s Project Treble is a promising new security feature in Android 8 (Oreo) that aims to help device manufacturers more easily provide updated OEM versions of Android to their devices. The hope is that more devices running OEM versions of Android will get security updates more quickly, reducing the exposure window.
Untethered initroot (USENIX WOOT ’17)
“Exploiting CVE-2016-10277 for untethered jailbreak on Moto devices (and more!)”
“Apps are dominating consumers’ digital media habits, but getting people to try new ones is still a tough sell.”
“A global vulnerability in hotel keycard locks was a security disaster—and the opportunity of a lifetime for one burglar.”
“A painful reminder that a future where the internet is in every device—even the most critical one—can be disastrous.”