Hello #MobSec5 readers!
The Spectre & Meltdown spectacle continues this week, among other mobile security news including:
- Strangers potentially adding themselves to encrypted group chats
- Industrial IT systems at risk due to flaws in ICS mobile apps
- Apps disguised as security tools bombard users with ads and track users’ location
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
Update, update, update: remain vigilant about security updates. Apple and Google issued statements last week describing their mitigation steps, some of which require action by customers. WebKit released an update on Monday and has advised app developers to switch to the modern WebKit API (WKWebView) as a defense against attacks exploiting these flaws.
Even with security updates, though, the widespread exposure to Spectre and Meltdown emphasizes the need for a layered approach to cybersecurity. We’ve shared some thoughts on a layered approach for mobile. Read “Defense in Depth: A Layered Approach to Mobile Security with MDM, MAM & Mobile App Vetting” on the NowSecure blog.
“A new report from security firms IOActive and Embedi reveals that flaws in mobile industrial control system applications could be exposing industrial IT systems to risks.”
Our team found that 85% of third-party mobile apps, including some industrial control system apps, carry major risks, violating at least one of the OWASP Mobile Top 10 criteria. >>> REGISTER to learn more on January 23 at 1pm CT: “85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?”
Attack of the Week: Group Messaging in WhatsApp and Signal
(A Few Thoughts on Cryptographic Engineering)
“…due to flaws in both Signal and WhatsApp (which I single out because I use them), it’s theoretically possible for strangers to add themselves to an encrypted group chat.”
First Kotlin-Developed Malicious App Signs Users Up for Premium SMS Services
(TrendLabs Security Intelligence Blog)
“The malicious app, which has 1,000-5,000 installs as of writing, is capable of remote command execution, information theft, SMS sending, URL forwarding, and click ad fraud. It can also sign up users for premium SMS subscription services without their permission.”
Detecting screen capturing in iOS 11
(@abhimuralidharan via Medium)
“We were working on an iOS app which provides paid video content. So the possibility of the video being recorded using the iOS 11 screen capture feature was something that needed to be handled. Here is how I did it.”
“Users are, of course, prompted for permission to access their microphones, but one expert quoted in the piece argues the wording is still misleading.”
“A bug report submitted on Open Radar this week has revealed a security flaw in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password.”
Apps Disguised as Security Tools Bombard Users With Ads and Track Users’ Location
(TrendLabs Security Intelligence Blog)
“They also advertised a variety of capabilities: scanning, cleaning junk, saving battery, cooling the CPU, locking apps, as well as message security, WiFi security, and so on. The apps were actually able to perform these simple tasks, but they also secretly harvested user data, tracked user location, and aggressively pushed advertisements.”
Even mobile security apps need to be scrutinized for leaking sensitive data and violating the OWASP Mobile Top 10 criteria. Add to your layered defense strategy by vetting third-party apps. Join our webinar on January 23 to understand the real risk posed by third-party apps. >>> REGISTER HERE for “85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?”
“In this article I will give you a primer on the Advanced Encryption Standard (AES), common block modes, why you need padding and initialization vectors and how to protect your data against modification.”
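The primer quoted above covers block modes, padding, IVs and protection against modification. As an added illustration for this issue, not code from the quoted article or from NowSecure, here is a standard-library Go example of the two contrasts a mobile developer most needs to see: AES-CBC with PKCS#7 padding and a random IV gives confidentiality only (flipping one IV bit silently flips one plaintext bit and decryption still succeeds), while AES-GCM needs no padding and refuses any modified ciphertext. The key `demoKey`, the sample message and all function names are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// demoKey is a constructed 16-byte (AES-128) key for this example only.
var demoKey = []byte("0123456789abcdef")

// pkcs7Pad fills the last block; it always adds at least one byte so unpadding is unambiguous.
func pkcs7Pad(data []byte, bs int) []byte {
	n := bs - len(data)%bs
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding and rejects a malformed trailer.
func pkcs7Unpad(data []byte, bs int) ([]byte, error) {
	if len(data) == 0 || len(data)%bs != 0 {
		return nil, errors.New("pkcs7: bad length")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > bs || !bytes.Equal(data[len(data)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("pkcs7: bad padding")
	}
	return data[:len(data)-n], nil
}

// encryptCBC chains blocks behind a fresh random IV (prefixed to the output), so the
// same message encrypts differently each time. CBC on its own provides no integrity.
func encryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := pkcs7Pad(plaintext, bs)
	out := make([]byte, bs+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:bs]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:bs]).CryptBlocks(out[bs:], padded)
	return out, nil
}

// decryptCBC reverses encryptCBC. Flipping an IV bit flips the matching plaintext bit
// and decryption still succeeds: the padding check is not a modification check.
func decryptCBC(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(ct) < 2*bs || len(ct)%bs != 0 {
		return nil, errors.New("cbc: bad ciphertext length")
	}
	pt := make([]byte, len(ct)-bs)
	cipher.NewCBCDecrypter(block, ct[:bs]).CryptBlocks(pt, ct[bs:])
	return pkcs7Unpad(pt, bs)
}

// newGCM builds an AES-GCM AEAD: no padding, and an authentication tag is appended.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || ciphertext || tag. Never reuse a nonce under the same key.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM verifies the tag before releasing any plaintext; any tampering yields an error.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("gcm: bad key or ciphertext too short")
	}
	ns := gcm.NonceSize()
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func main() {
	msg := []byte("transfer 100 to account 42") // constructed sample message
	cbc, _ := encryptCBC(demoKey, msg)
	cbc[0] ^= 0x01 // flip one IV bit: CBC decrypts without complaint, byte 0 changes
	pt, err := decryptCBC(demoKey, cbc)
	fmt.Printf("CBC: err=%v plaintext=%q\n", err, pt)
	sealed, _ := sealGCM(demoKey, msg)
	sealed[len(sealed)-1] ^= 0x01 // flip one tag bit: GCM refuses to open
	_, err = openGCM(demoKey, sealed)
	fmt.Println("GCM:", err)
}
```

Run it with `go run`: the CBC decrypt returns the message with its first byte altered and no error, while `openGCM` fails. The point for app code is that CBC (or CTR) without a MAC does not protect data against modification; use an AEAD mode such as GCM, or encrypt-then-MAC, and generate a fresh IV or nonce for every message.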
“Backups of virtual machines on some hosts could be accessed or altered by an attacker.”
“Microsoft has paused distributing its Meltdown and Spectre security updates for some older AMD machines after reports of PCs not booting.”
“The groups said they believe such a bill should establish a standard for data protection and a process to notify breach victims, law enforcement and applicable regulatory agencies.”
If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now.