Welcome to your AppSec USA 2017 edition of #MobSec5!
Dinner and fireworks at Epcot. Killer speaker sessions. Great conversations in the halls and on the exhibition floor. AppSecUSA 2017 in Orlando was a blast, and we can’t wait for next year.
On Thursday, NowSecure Solutions Engineer Brian Lawrence spoke about DevSecOps for mobile apps. If you missed it, take a look at his slides: “Overcoming Mobile AppSec Challenges with DevOps.”
This week’s roundup of the mobile security news that matters includes:
- iOS 11 is out and includes security patches – update now!
- Vuln in Equifax app for iOS is why the apps were pulled from official app stores
- POC for Blueborne on Android (CVE-2017-0785)
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
iOS 11 is now available to download
“Today, Apple pushed out the final version of iOS 11, its latest mobile operating system release.”
San Francisco emergency services reportedly received a number of accidental 911 calls this week from people trying to configure the Emergency SOS feature on their iPhones. For more information about the Emergency SOS feature and other iOS 11 security items, watch or review the slides from our webinar “Android 8 Oreo and iOS 11 Security Updates: What You Need to Know.”
“Apple released a number of patches, including a security update for iOS 11.”
You can read Apple’s iOS 11 security bulletin in full on the Apple Support web site.
“A security researcher discovered a shocking vulnerability: ‘They quite frankly didn’t know what they were doing.’”
Last week we told you that Equifax had pulled their mobile app from the Apple® App Store® and the Google Play™ store. At the time it wasn’t clear why. It turns out that a security researcher discovered that while authentication within the Equifax Mobile iOS app used HTTPS and performed certificate validation, other transactions within the app took place over plain HTTP. In a LinkedIn post, the researcher explains that, using a rogue Wi-Fi or cellular network, an attacker could intercept and modify traffic sent to the Equifax Mobile app and so alter the app’s UX. “With the attacker now in control of the application UX, it doesn’t matter if the application was never intended to ask for sensitive information because the attacker could ask for anything, all while exploiting the user’s trust that it is a legitimate request from the application,” the researcher wrote. Certificate validation on the login call buys nothing once the rest of the session is cleartext: the attacker never has to break TLS, only to rewrite the unauthenticated responses.
This issue speaks to the importance of complete coverage for mobile app security testing consisting of static, dynamic, and behavioral analysis of the app binary. If you need to certify the security of your apps’ authentication practices, network communications, and more, the NowSecure Platform for 360-degree coverage of mobile app security testing (MAST) has you covered. To learn more about how you can use the NowSecure Platform to go 3X deeper and 8X faster with your MAST, fill out our contact form.
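The mixed HTTP/HTTPS pattern described above is easy to catch if you look at the app from both sides: statically, in the App Transport Security (ATS) keys of the app’s Info.plist, and dynamically, in the requests an intercepting proxy sees the app make. The following is an added example written for this newsletter, not code from NowSecure, Equifax, or the researcher. The Info.plist and proxy log are constructed, the ATS evaluation is a deliberate simplification of Apple’s precedence rules (only NSAllowsArbitraryLoads, NSExceptionDomains, NSExceptionAllowsInsecureHTTPLoads and NSIncludesSubdomains are modelled), and the hostnames are placeholders.

```python
"""Added example: flag cleartext HTTP in an iOS app both statically (Info.plist
App Transport Security keys) and dynamically (requests observed through an
intercepting proxy). Not NowSecure's, Equifax's or the researcher's code; all
inputs below are constructed for illustration."""
import plistlib
import re
from urllib.parse import urlsplit

# Constructed Info.plist modelled on the pattern described in the article: ATS
# is relaxed globally, and only the login host is pinned back to HTTPS.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.mobileapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>login.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <false/>
      </dict>
      <key>cdn.example.net</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed proxy log, one request per line: "<method> <url> <status>".
SAMPLE_PROXY_LOG = """\
POST https://login.example.com/oauth/token 200
GET http://api.example.com/v1/offers 200
GET http://api.example.com/v1/account/summary 200
GET https://api.example.com/v1/profile 200
GET http://static.cdn.example.net/banner.png 200
"""

LOG_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def load_ats(info_plist: bytes) -> dict:
    """Return the NSAppTransportSecurity dict; empty means the app relies on ATS defaults."""
    return plistlib.loads(info_plist).get("NSAppTransportSecurity", {})


def ats_allows_cleartext(ats: dict, host: str) -> bool:
    """Simplified ATS check: may URLSession send plain http:// to this host?

    A per-domain entry in NSExceptionDomains wins over the global
    NSAllowsArbitraryLoads flag; NSExceptionAllowsInsecureHTTPLoads defaults to
    false and NSIncludesSubdomains extends an entry to sub-hosts. Keys such as
    NSAllowsArbitraryLoadsInWebContent are intentionally not modelled.
    """
    exceptions = ats.get("NSExceptionDomains", {})
    host = host.lower()
    if host in exceptions:
        return bool(exceptions[host].get("NSExceptionAllowsInsecureHTTPLoads", False))
    labels = host.split(".")
    for i in range(1, len(labels)):            # walk up: a.b.c -> b.c -> c
        entry = exceptions.get(".".join(labels[i:]))
        if entry and entry.get("NSIncludesSubdomains", False):
            return bool(entry.get("NSExceptionAllowsInsecureHTTPLoads", False))
    return bool(ats.get("NSAllowsArbitraryLoads", False))


def cleartext_requests(proxy_log: str) -> list:
    """Return (method, host, path) for every request sent over plain http://."""
    found = []
    for line in proxy_log.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if parts.scheme == "http":
            found.append((m.group("method"), parts.hostname, parts.path))
    return found


def audit(info_plist: bytes, proxy_log: str) -> list:
    """Correlate both views: each observed cleartext request plus whether ATS permits it.

    ats_permits=True means the build was deliberately configured to allow that
    cleartext call. False means the traffic bypassed ATS-governed APIs (raw
    sockets, third-party networking) or hit a key this simplified check ignores;
    either way it needs a closer look.
    """
    ats = load_ats(info_plist)
    return [
        {"method": method, "host": host, "path": path,
         "ats_permits": ats_allows_cleartext(ats, host)}
        for method, host, path in cleartext_requests(proxy_log)
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_INFO_PLIST, SAMPLE_PROXY_LOG):
        print(finding)
```

Against the constructed inputs the audit reports three cleartext requests, all permitted by the relaxed ATS configuration, while the login endpoint stays on HTTPS exactly as the researcher described. The useful output is the correlation: a cleartext request that ATS should have blocked points at networking code that never went through ATS at all, which is why a static look at Info.plist alone is not enough.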
LeakyX Update on iOS 11 testing
“I have downloaded the iOS 11 update then tried it out on leakyx.com and found that the Apple iOS 11 Mail client still dumps credentials without confirming that the mail server is an actual valid Exchange server.”
In August, James Litwin disclosed a vulnerability that caused an iPhone to send an unencrypted username and password to a Microsoft Exchange server in spite of SSL having been enabled. At the time, Litwin reported that Apple asked him not to publish details until iOS 11’s release. According to Litwin, the Apple iOS 11 Mail client is still vulnerable, though part of the problem, he says, is the lack of a corresponding fix on the Microsoft Exchange side. Litwin states that people have called the vulnerability low risk because exploiting it requires users to set up an account for a mail server they do not know. “I agree that it is unlikely to be heavily exploited; however, a good spear phishing attack would be successful,” he wrote.
Mobile Security News Update September 2017
(Collin R. Mulliner)
Always a great monthly round-up of mobile security news and commentary.
“Motherboard tested this behavior on an iPhone with iOS 11 installed and verified that Bluetooth and Wi-Fi remain on in the settings after turning them off in the Control Center.”
CVE-2017-0785 POC – Android Blueborne
(GitHub – ojasookert)
This week a researcher posted this proof-of-concept for the Blueborne vulnerability CVE-2017-0785 on Android. In total, four Blueborne vulnerabilities affected Android: CVE-2017-0781, CVE-2017-0782, and CVE-2017-0783 in addition to CVE-2017-0785. An Android security patch level of September 1, 2017 fixes those vulnerabilities, and Verizon and Samsung have issued security updates for a number of devices. Note that the patch level a device reports is what the OEM shipped, not an independent measurement, and a device with Bluetooth switched off is not exposed regardless of its patch level.
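For a fleet check, the quickest signal is the security patch level each device reports. The following is an added example, not code from the page or from the PoC author: it parses the output of `adb shell getprop` (the property names ro.build.version.release, ro.build.version.sdk and ro.build.version.security_patch are real Android build properties; the two device outputs are constructed) and reports whether the device is at or past the September 1, 2017 level named above. The CVE list it reports for unpatched devices is the one from this item.

```python
"""Added example: decide from `adb shell getprop` output whether an Android
device carries the patch level that closes the Blueborne CVEs. Not code from
the page or the PoC author; the property names are real, the sample outputs
are constructed."""
import re
from datetime import date
from typing import Optional

BLUEBORNE_ANDROID_CVES = ("CVE-2017-0781", "CVE-2017-0782", "CVE-2017-0783", "CVE-2017-0785")
BLUEBORNE_FIX_LEVEL = date(2017, 9, 1)   # patch level named in the September 2017 bulletin

# Constructed getprop excerpts: one device still on an August level, one updated.
UNPATCHED_DEVICE = """\
[ro.build.version.release]: [7.0]
[ro.build.version.sdk]: [24]
[ro.build.version.security_patch]: [2017-08-01]
"""
PATCHED_DEVICE = """\
[ro.build.version.release]: [8.0.0]
[ro.build.version.sdk]: [26]
[ro.build.version.security_patch]: [2017-09-05]
"""

PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(output: str) -> dict:
    """Turn getprop's "[key]: [value]" lines into a dict; other lines are ignored."""
    props = {}
    for line in output.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def security_patch_level(props: dict) -> Optional[date]:
    """Parse ro.build.version.security_patch (YYYY-MM-DD); None if absent or malformed."""
    raw = props.get("ro.build.version.security_patch")
    if not raw:
        return None
    try:
        return date.fromisoformat(raw)
    except ValueError:
        return None


def blueborne_status(getprop_output: str) -> dict:
    """Report release, declared patch level, and which Blueborne CVEs remain open.

    A missing or unparseable patch level is treated as unpatched: the device
    cannot demonstrate it has the fix, so it goes on the follow-up list.
    """
    props = parse_getprop(getprop_output)
    level = security_patch_level(props)
    patched = level is not None and level >= BLUEBORNE_FIX_LEVEL
    return {
        "release": props.get("ro.build.version.release"),
        "patch_level": level.isoformat() if level else None,
        "patched": patched,
        "exposed_cves": () if patched else BLUEBORNE_ANDROID_CVES,
    }


if __name__ == "__main__":
    # In practice: subprocess.run(["adb", "-s", serial, "shell", "getprop"], ...)
    for name, output in (("unpatched", UNPATCHED_DEVICE), ("patched", PATCHED_DEVICE)):
        print(name, blueborne_status(output))
```

The comparison works on dates rather than strings so that a later level such as 2017-09-05 (the second patch level in the same bulletin) is correctly counted as fixed. Treat the result as a triage signal only: the property is whatever the OEM build declares, so a device on an older level that an OEM back-ported the fix to would be flagged, and a device claiming the right level still depends on the vendor having actually merged the patches.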
“DHS has issued a binding operational directive to all Federal, executive branch departments and agencies relating to information security products, solutions, and services supplied, directly or indirectly, by AO Kaspersky Lab or affiliated companies.”
Federal agencies have 30 days to identify the use or presence of Kaspersky products on all federal information systems, 60 days to submit a plan of action for removing them, and 90 days to discontinue their use. Kaspersky publishes mobile security apps for Android and iOS, and a number of apps include Kaspersky services within them.
“Companies can configure Android devices before they’re shipped to employees.”
“Finding stock firmware for phones can be a pain, but Chainfire is here to help. He’s launched a new website at firmware.mobi, where you can find official firmware for a variety of devices.”
“Total Google account compromise via SS7 vulnerabilities can leave bitcoin open to theft, researchers warn.”
“You need to think about your emergency strategy right now. Think about the ways you can protect your user data so that it’s useless if someone can access it.”
If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now via the NowSecure Subscription Center.