Good to see you again!
It was a long two weeks without you, and we’re glad to be back serving up the mobile security news that matters with #MobSec5.
This week’s digest of the mobile security news that matters – #MobSec5 – includes:
- What does 2018 hold for cybersecurity in general and mobile app security specifically?
- Cryptocurrency mobile apps not as secure as you might hope
- Bypassing security controls in a secure messaging app
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
“2018 cybersecurity predictions about attacks on the US government, authenticity in the age of fake news, privacy and GDPR, IoT and AI, cryptocurrencies and biometrics, the deployment of enterprise IT and cybersecurity, and the cybersecurity skills shortage.”
It’s beginning to look a lot like cybersecurity speculation season. NowSecure mobile security authors and experts Andrew Hoog and Katie Strzempka will get in the spirit next Tuesday, December 5, in a lively webinar and panel discussion, “5 Mobile App Security MUST-DOs in 2018,” covering the year in mobile security and what’s to come in 2018. Compare your 2018 mobile app security plans with our mobile security veterans’ recommendations. >>REGISTER NOW
Exposing Your “Privates!”
(Exception Level One)
“The article suggests several apps for this type of activity including Privates! which is the focus of this post. Up until this article I had not heard of this app and so I decided to check it out.”
Motherboard recently published a guide to practicing safe sexting that recommended secure messaging app Privates!. The author of this blog post took interest in the app and explains how they bypassed a number of the app’s security features with help from Frida – created and maintained by the NowSecure Mobile Threat Research Team.
“Top executives at Uber Technologies Inc used the encrypted chat app Wickr to hold secret conversations, current and former workers testified in court this week, setting up what could be the first major legal test of the issues raised by the use of encrypted apps inside companies.”
iOS 11 Horror Story: the Rise and Fall of iOS Security
“We loved what Apple used to do about security. During the past years, the company managed to build a complete, multi-layer system to secure its hardware and software ecosystem and protect its customers against common threats.”
A key plot point in the security horror story told by the author is an attacker who has physical access to the iOS device and knows its passcode. Possession of the device and the passcode has always given an attacker access to a whole lot of data. Yes, Apple did make changes in iOS 11 that let whoever holds the passcode reset the Apple ID password and remove the password on encrypted iTunes backups, and that could be considered a reduction in security. However, an attacker possessing the device and knowing the passcode has always been close to game over.
The state of Android enterprise in 2017
“Android enterprise was created (originally as Android for Work) to end fragmentation and up-level Android device management. Is it living up to its vision?”
“Researchers built a custom platform to root out trackers in mobile apps. They discovered 44 different varieties in 300 apps downloaded by billions of people.”
“The White House may ban its employees from using personal mobile phones while at work, raising concerns among some staffers including that they’ll be cut off from family and friends, according to seven administration officials.”
“Google researchers Hee Jung Ryu and Florian Schroff have been developing software on a Pixel phone that uses the front-facing camera to spot someone looking over your shoulder at the screen.”
Creating mobile security standards
“There is a need to speed the app approval process, which NIAP Director Janine Pedersen said will benefit from industry input on testing requirements.”
If you need help speeding up your mobile app testing and approval processes for custom, third-party, or business critical apps, contact us to learn how our customers leverage the automation within the NowSecure Platform™ to test and approve 8X faster (and automatically map findings to the NIAP mobile app vetting standards).
Tizi: Detecting and blocking socially engineered spyware on Android
(Google Online Security Blog)
“This blog post covers Tizi, a backdoor family with some rooting capabilities that was used in a targeted attack against devices in African countries, specifically: Kenya, Nigeria, and Tanzania.”
Configuring and running Radare2 on Android mobile phones
This PDF document provides step-by-step instructions for getting Radare2 – created and maintained by members of the NowSecure Mobile Threat Research Team – up-and-running on an Android phone.
Xender to shell using python and mitmf
(iQube via Medium)
“Here is a way to compromise a victim’s android phone using web.xender.com. I have chained multiple things to achieve this.”
How secure are cryptocurrency mobile apps?
(Help Net Security)
“The apps in question were divided in three groups: apps with up to 100,000 downloads, up to 500,000 downloads, and more than 500,000 downloads. In all three categories, the most often encountered vulnerabilities are improper platform usage, insecure data storage, and insufficient cryptography.”
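As an added illustration of the three categories named in that quote (this is editorial example code, not code from the research or from any app it examined), here is a before/after pair for an Android wallet that has to persist a signing key locally. The first class commits all three errors at once; the second keeps the wrapping key inside the Android Keystore (API 23+), encrypts with AES-GCM and a fresh IV, and writes only the ciphertext to private app storage. The class names, key alias and preference file names are invented for the example.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** BEFORE (deliberately bad): improper platform usage, insecure data storage
 *  and insufficient cryptography in one class. */
class InsecureWalletStore {
    @SuppressWarnings("deprecation")
    static void save(Context ctx, byte[] privKey) throws Exception {
        // Improper platform usage: MODE_WORLD_READABLE is deprecated because any app
        // on the device can read the file; on Android 7.0+ it throws SecurityException,
        // on older devices it silently exposes the file.
        SharedPreferences p = ctx.getSharedPreferences("wallet", Context.MODE_WORLD_READABLE);
        // Insufficient cryptography: hard-coded key (recoverable from the APK) and
        // ECB mode (no IV, equal plaintext blocks give equal ciphertext blocks).
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec("0123456789abcdef".getBytes("UTF-8"), "AES"));
        // Insecure data storage: the "encrypted" key and everything needed to decrypt it
        // end up in an XML file under /data/data/<pkg>/shared_prefs/.
        p.edit().putString("priv_key",
                Base64.encodeToString(c.doFinal(privKey), Base64.NO_WRAP)).apply();
    }
}

/** AFTER: the wrapping key is generated in and never leaves the Android Keystore. */
class KeystoreWalletStore {
    private static final String ALIAS = "wallet_wrap_key";  // invented alias
    private static final String PREFS = "wallet_private";   // invented prefs name

    private static SecretKey wrappingKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey existing = (SecretKey) ks.getKey(ALIAS, null);
        if (existing != null) return existing;
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            // Key is only usable within 30 s of the user unlocking the device;
            // requires a secure lock screen to be configured.
            .setUserAuthenticationRequired(true)
            .setUserAuthenticationValidityDurationSeconds(30)
            .build());
        return kg.generateKey();
    }

    static void save(Context ctx, byte[] privKey) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, wrappingKey());   // Keystore generates a random IV
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(privKey);               // ciphertext includes the 16-byte GCM tag
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit()
            .putString("iv", Base64.encodeToString(iv, Base64.NO_WRAP))
            .putString("ct", Base64.encodeToString(ct, Base64.NO_WRAP))
            .apply();
    }

    static byte[] load(Context ctx) throws Exception {
        SharedPreferences p = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        byte[] iv = Base64.decode(p.getString("iv", ""), Base64.NO_WRAP);
        byte[] ct = Base64.decode(p.getString("ct", ""), Base64.NO_WRAP);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, wrappingKey(), new GCMParameterSpec(128, iv));
        return c.doFinal(ct);                         // AEADBadTagException if the file was tampered with
    }
}
```

When checking an app against these categories, the quick tests are: pull the app's shared_prefs and databases from a test device and look for key material or Base64 blobs that decrypt with a key found in the APK; grep the code for "AES/ECB", hard-coded SecretKeySpec inputs and MODE_WORLD_READABLE; and confirm that any key the app keeps across restarts is either in the Keystore or wrapped by a Keystore key. Callers of the hardened class must also handle UserNotAuthenticatedException (authentication window expired) and KeyPermanentlyInvalidatedException (lock screen removed or biometrics re-enrolled) rather than falling back to plaintext.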
“In August 2016, a mysterious entity calling itself ‘The Shadow Brokers’ began releasing the first of several troves of classified documents and hacking tools purportedly stolen from ‘The Equation Group,’ a highly advanced threat actor that is suspected of having ties to the U.S. National Security Agency.”
Additional protections by Safe Browsing for Android users
(Google Online Security Blog)
“As part of this expanded enforcement, Google Safe Browsing will show warnings on apps and on websites leading to apps that collect a user’s personal data without their consent.”
If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now via the NowSecure Subscription Center.