How goes it?
Welcome to the week’s anthology of the mobile security news that matters – The NowSecure MobSec5.
This week’s edition includes:
- Android security update now available
- Banking apps vulnerable to man-in-the-middle attacks
- Jailbreak community abuzz over a tweet
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
Android Security Bulletin—December 2017
(Android Open Source Project)
“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.”
“Google patched a critical encryption bug found on its Pixel, Pixel 2 and Nexus phones this week along with delivering 49 other fixes, part of its December Pixel / Nexus Security Bulletin.”
These 8 banking apps left millions of users vulnerable to getting hacked
“Researchers have discovered a flaw in a commonly-used security mechanism that allows an attacker to steal login information. This left many popular banking apps vulnerable.”
A research paper [PDF] published this week identified 8 public mobile apps with man-in-the-middle (MITM) vulnerabilities caused by faulty certificate pinning implementations: the apps pinned a certificate in the chain but did not verify that the server certificate's hostname matched the host they were connecting to, so any certificate issued under the pinned CA would be accepted. Unfortunately, some reporting on the subject has suggested that the paper exposes flaws in certificate pinning itself, which is fundamentally wrong. Certificate pinning remains one of the best ways to protect mobile apps and their users from MITM attacks; the reported flaw lies in how pinning was implemented, not in the use of pinning as a core mobile app security strategy. Fortunately for NowSecure customers, we have long known of this vulnerability, and automated checks for it have been part of the NowSecure Platform for years. Read our blog post to learn more about the issue and compare your pinning practices with our recommendations.
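As an added example, not code from the paper or from NowSecure, the following shows what "pin and verify the hostname" means in practice and reproduces the flawed case. The PeerCert class, the constructed SPKI byte strings and the example hostnames are stand-ins for parsed X.509 data that a real implementation would take from the TLS stack; pin values are computed the HPKP way, as base64(SHA-256(SubjectPublicKeyInfo)). The scenario is a bank that pins its CA's key and an attacker who obtains a certificate for their own domain from that same CA.

```python
"""Pin check and hostname check as two separate gates (added example, constructed data)."""
import base64
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass
class PeerCert:
    """Constructed stand-in for a parsed leaf certificate (not a real X.509 object)."""
    spki_der: bytes            # leaf SubjectPublicKeyInfo, DER-encoded
    issuer_spki_der: bytes     # SubjectPublicKeyInfo of the CA that issued the leaf
    san_dns_names: List[str]   # dNSName entries from subjectAltName


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def hostname_matches(hostname: str, pattern: str) -> bool:
    """dNSName match in the spirit of RFC 6125: case-insensitive, and a wildcard may
    only stand for the whole leftmost label of a name with at least three labels."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def verify_peer(cert: PeerCert, hostname: str, pins: List[str],
                check_hostname: bool = True) -> bool:
    """Accept the peer only if a pinned key is present in the chain (leaf or issuer)
    AND, unless the caller has disabled it, a SAN matches the requested hostname.
    check_hostname=False reproduces the flawed implementations."""
    chain_pins = {spki_pin(cert.spki_der), spki_pin(cert.issuer_spki_der)}
    if not chain_pins & set(pins):
        return False           # neither the leaf nor its issuer is pinned: reject
    if check_hostname:
        return any(hostname_matches(hostname, name) for name in cert.san_dns_names)
    return True                # pin matched, hostname never looked at


# Constructed data. The bank pins its CA's key (common, since leaf keys rotate).
CA_SPKI = b"constructed-ca-spki-bytes"
CA_PIN = spki_pin(CA_SPKI)
BANK_CERT = PeerCert(b"constructed-bank-leaf-spki", CA_SPKI,
                     ["api.bank.example", "*.bank.example"])
# The attacker buys a certificate for a domain they control from the same CA.
MALLORY_CERT = PeerCert(b"constructed-attacker-leaf-spki", CA_SPKI, ["attacker.example"])


def demo() -> dict:
    """Three handshakes, all against the bank's hostname."""
    return {
        "genuine_server": verify_peer(BANK_CERT, "api.bank.example", [CA_PIN]),
        "mitm_pin_only": verify_peer(MALLORY_CERT, "api.bank.example", [CA_PIN],
                                     check_hostname=False),
        "mitm_pin_and_hostname": verify_peer(MALLORY_CERT, "api.bank.example", [CA_PIN]),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The middle case is the reported flaw: the attacker's certificate chains to the pinned CA, so the pin check passes, and nothing else stands between the attacker and the session. Pinning the leaf key instead of the CA key narrows the window but is no substitute for the hostname check; both gates stay in place in a correct implementation.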
“A Google researcher announced that he is planning to release a powerful tool for iOS 11 that the security community thinks it can use to jailbreak the iPhone.”
With a single tweet earlier this week, Ian Beer of Google Project Zero set off a flurry of speculation within the jailbreak community about what exactly he has up his sleeve. Beer’s tweet read “If you’re interested in bootstrapping iOS 11 kernel security research keep a research-only device on iOS 11.1.2 or below. Part I (tfp0) release soon.”
“A critical vulnerability has been discovered in all major Android Development and reverse engineering tools that leads to remote code execution attacks.”
Android flaw lets attack code slip into signed apps
“The vulnerability, dubbed Janus, would allow a malicious application to add bytes of code to the APK or DEX formats used by Android applications without affecting the application’s signature. In other words, a scumbag could pack an app with malicious instructions, and still have it read by Android as a trusted piece of software.”
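The gap the article describes, as an added toy model that is not code from the Janus disclosure or from Android's own verifier: a signature that only covers the ZIP entries (the v1, or JAR, scheme) cannot notice bytes prepended to the archive, because ZIP readers find the central directory from the end of the file and treat leading bytes as an ignorable prefix. HMAC stands in for the developer's signing key, the archive contents are constructed, and a real Janus file is additionally a valid DEX so that the runtime executes the prepended bytes, which this model does not attempt.

```python
"""Why entry-only signing misses prepended bytes (added example, constructed data)."""
import hashlib
import hmac
import io
import zipfile

SIGNING_KEY = b"constructed-demo-signing-key"  # HMAC stands in for the developer's RSA key
ZIP_MAGIC = b"PK\x03\x04"                       # local file header every APK begins with
DEX_MAGIC = b"dex\n"                            # magic bytes a DEX file begins with


def build_apk(entries: dict) -> bytes:
    """Write a minimal ZIP archive, the container format of an APK, to memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def entry_digests(apk: bytes) -> dict:
    """Per-entry SHA-256 digests, the information MANIFEST.MF carries for v1 signing."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return {name: hashlib.sha256(zf.read(name)).hexdigest()
                for name in sorted(zf.namelist())}


def sign_v1_like(apk: bytes) -> bytes:
    """v1-like scheme: the signature covers only the entries' digests."""
    manifest = "\n".join(f"{n}:{d}" for n, d in entry_digests(apk).items()).encode()
    return hmac.new(SIGNING_KEY, manifest, hashlib.sha256).digest()


def verify_v1_like(apk: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_v1_like(apk), sig)


def sign_v2_like(apk: bytes) -> bytes:
    """v2-like scheme: the signature covers every byte of the file."""
    return hmac.new(SIGNING_KEY, apk, hashlib.sha256).digest()


def verify_v2_like(apk: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_v2_like(apk), sig)


def prepend(apk: bytes, payload: bytes) -> bytes:
    """Prepending leaves the central directory, and therefore every entry, untouched."""
    return payload + apk


ORIGINAL = build_apk({
    "AndroidManifest.xml": b"<manifest/>",                     # constructed
    "classes.dex": DEX_MAGIC + b"035\x00constructed bytecode",  # constructed
})
V1_SIG = sign_v1_like(ORIGINAL)
V2_SIG = sign_v2_like(ORIGINAL)
# Constructed payload wearing the DEX magic, prepended the way the article describes.
TAMPERED = prepend(ORIGINAL, DEX_MAGIC + b"035\x00constructed injected bytes")


def demo() -> dict:
    return {
        "entries_identical": entry_digests(TAMPERED) == entry_digests(ORIGINAL),
        "v1_like_accepts_tampered": verify_v1_like(TAMPERED, V1_SIG),
        "v2_like_accepts_tampered": verify_v2_like(TAMPERED, V2_SIG),
        "tampered_starts_with_zip_header": TAMPERED.startswith(ZIP_MAGIC),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The two cheap defences fall out of the model: sign the whole file rather than its entries (APK Signature Scheme v2 does this, which is why v2-signed apps are not affected), and, on the consuming side, refuse any APK whose first bytes are not a ZIP local file header.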
Google Cracks Down On Nosy Android Apps
“Google beefs up privacy protections on apps distributed via third-party Android marketplaces and Google Play that collect personal data without user consent.”
Gathering explicit user consent for the collection of personal data will become more and more prevalent in 2018 with the EU General Data Protection Regulation’s (GDPR) looming May 25 enforcement date – one of the trends discussed during our webinar this week “5 Mobile App Security MUST-DOs in 2018.” See what else our security experts recommend for 2018 by watching a recording or reviewing the slides.
Virtual Keyboard Developer Leaked 31 Million Client Records
“31 Million Client Registration Files Leaked by Personalized Keyboard Developer.”
I’ll read your palm and tell you what your phone password is
“Samsung might be developing a bizarre security feature that can read your palm and give you a hint for what your password is in case you don’t remember it.”
BlueSteal: Popping GATT Safes
(Two Six Lab)
“Remotely Cracking Bluetooth Enabled Gun Safes: In this blog post, we will detail BlueSteal, or the ability to exploit multiple security failures in the Vaultek VT20i.”
Don’t Buy Anyone an Echo
“Three years ago, we said the Echo was ‘the most innovative device Amazon’s made in years.’ That’s still true. But you shouldn’t buy one. You shouldn’t buy one for your family. You definitely should not buy one for your friends. In fact, ignore any praise we’ve ever heaped onto smart speakers and voice-controlled assistants.”
If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now via the NowSecure Subscription Center.