A quick note — #MobSec5 will go on hiatus next week because of the holiday. To tide you over, we’ve collected an extra-large serving of the mobile security news that matters this week.
This edition of the NowSecure #MobSec5 includes:
- NowSecure team discovers password for backdoor in OnePlus mobile devices
- Apple iPhone X Face ID allegedly hacked using $150 mask
- iOS exploits more cost-effective than Android exploits from attacker’s POV?
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
“Every OnePlus model except for the original shipped with ‘Engineer Mode,’ essentially a backdoor for anyone who gets their hands on your device.”
The NowSecure Mobile Threat Research team combined their wits and the open-source reverse-engineering tool Radare to help identify and validate a backdoor vulnerability in OnePlus mobile devices via a factory-installed app called EngineerMode. With the password discovered by the NowSecure team, the EngineerMode app enables a debugging mode that grants full root privileges on the device via a simple Android Debug Bridge (ADB) command. OnePlus devices are more popular in Asian and European markets but are gaining popularity in the U.S. Read the full write-up on the NowSecure blog.
Apple iPhone X’s Face ID Hacked (Unlocked) Using 3D-Printed Mask
(The Hacker News)
“Hackers claimed to have hacked Apple iPhone X’s to unlock its Face ID with a simple 3D-printed mask that costs less than $150.”
Lock it up! New hardware protections for your lock screen with the Google Pixel 2
(Google Online Security Blog)
“The new Google Pixel 2 ships with a dedicated hardware security module designed to be robust against physical attacks. This hardware module performs lockscreen passcode verification and protects your lock screen better than software alone.”
Frequent Software Releases, Updates May Injure App Security
“The more frequently you release apps, the more security vulnerabilities you are likely to introduce in the code, a new study confirms.”
The authors of the study reported that Java EE applications released more than six times per year had more security vulnerabilities than applications released less frequently. While the study doesn’t focus on mobile apps, enterprises that develop mobile apps are more likely to embrace DevOps practices and deploy more apps more frequently. But more frequent deployments don’t have to hinder security. Integrating security testing earlier in the SDLC and fostering a shared understanding of security best practices among the development, operations, and security teams can help secure and accelerate the delivery of mobile apps. To learn more, read our guide to mobile app DevSecOps.
Mobile Pwn2Own 2017 Results and the Economics of Mobile Exploits
(Zuk Avraham via Medium)
“By analyzing Mobile Pwn2Own’s results and the (limited) information disclosed we can learn what it means for mobile phone vendors, as well as us, phone owners.”
After analyzing the results of the Mobile Pwn2Own 2017 contest held a few weeks ago, the author concludes that “iOS exploits are most cost effective from an attacker’s POV.” It’s an interesting argument, but it deserves additional consideration. For one, with fewer devices to worry about and direct control over them, Apple can both develop an iOS patch and attain user adoption rather quickly – meaning a known iOS exploit doesn’t live long. In addition, finding flaws within Android and writing corresponding exploits still seems easier than doing so for iOS. And finally, it is still possible to find Android flaws that affect hundreds of millions of users.
“Contacts, call logs, text messages and other information from paired phones was stored unencrypted.”
“The process is designed to balance law enforcement and U.S. intelligence desires to hack into devices with the need to warn manufacturers so that they can patch holes before criminals and other hackers take advantage of them.”
Beijing Delays Bug Reports While Hackers Exploit Flaws — Report
“Beijing Delays Bug Reports While Hackers Exploit Flaws. Recorded Future reveals time lags between Chinese and US vulnerability databases.”
10 things you might be doing wrong when using the SafetyNet Attestation API
(Android Developers Blog)
“In this post, we provide a list of the most common mistakes we have seen developers make when integrating the SafetyNet Attestation API.”
When we examined popular Android apps’ use of the Google SafetyNet Attestation API this summer, we found that less than one percent of the sample used it properly. So it’s good to see Google providing additional support for developers that want to do the right thing and use this free platform security feature.
“A few days ago, the company Armis published a proof of concept (PoC) of a remote code execution vulnerability in Android via Bluetooth (CVE-2017-0781), known as BlueBorne. Although BlueBorne refers to a set of 8 vulnerabilities, this PoC uses only 2 of them to achieve its goal.”
The author of this post used Radare – an open-source reverse-engineering tool created and maintained by a member of the NowSecure Mobile Threat Research Team – to take a deeper look at an exploit for the BlueBorne vulnerability.
“This vulnerability has currently only been patched in Android 8.0. However, due to the issue of version fragmentation within the Android ecosystem there are a number of Android devices that can’t upgrade to Android 8.0 or no longer receive updates from device vendors that would still be vulnerable.”
“The company is informing developers that if their application uses an Accessibility Service for any reason other than assisting users with disabilities, then they must remove the use of this permission within 30 days or their application will be removed from the Play Store.”
How Secure Messaging, Texting Benefit Healthcare Providers
“Healthcare secure messaging and secure texting can be critical tools for improved patient care that does not compromise ePHI security.”
Learn how the NowSecure Services team helped secure messaging provider VaporStream secure their Android and iOS apps: watch the video.
“Tens of thousands of users have downloaded two newly uncovered forms of malware.”
“At least 4 percent of all Black Friday-themed apps are malicious, stealing login credentials and credit card details instead of holiday shopping help.”
“About 65 percent of Defense Department respondents agreed or strongly agreed that ‘in light of recent breaches, government agencies should be barred from using the services of anti-virus software companies, which are headquartered outside the United States.’”