The teams are selected. The brackets are set. The first round of March Madness has tipped off, and the NCAA basketball tournament is underway. While America is captivated by college basketball, what’s happening on the mobile security front?
I’m glad you asked.
This week's #MobSec5 includes:
- WhatsApp stops sharing user data with Facebook
- A payment app requires root access
- Alexa could become your bank teller
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
“Google wants you to know that it’s really progressing well on Android security. Here’s a look at the key lessons learned, but save the rather futile debate over Android vs. Apple iOS on security.”
WhatsApp Agrees to Stop Sharing User Data with Facebook
“After an injunction from the UK’s Information Commissioner’s Office (ICO), WhatsApp has said that it will no longer share personal data with its parent company, Facebook, until the upcoming EU General Data Protection Regulation (GDPR) rules can be met.”
Concerned about whether the apps you use or develop meet GDPR requirements? Compliance checks for GDPR, along with other regulatory requirements like HIPAA, FFIEC, PCI, FISMA, and NIAP, are baked into the checks and report generation for the NowSecure Platform. Get a free report for an Android or iOS app of your choice here.
“Software company Daon has developed a way for you to send money to other people via voice assistant. Banks may adopt the new tech as soon as this year.”
“But the question raised by the Twitter user is why does Paytm need this? Because with root access, the Paytm app can do anything it wants on the phone, read a user’s messages or go through his call history.”
Luckily, root access checks are a part of NowSecure’s automated testing assessments. It’s important to know your risk so you can better determine whether root access is actually required, both for your own applications and for third-party applications.
Reverse Engineering APIs: Coffee Meets Bagel
(Medium via Nik Patel)
“Let’s get into how I reverse engineered the APIs of the popular dating app Coffee Meets Bagel, and how sniffing the network traffic on my mobile device led to a surprising find.”
Pre-Installed Malware Found On 5 Million Popular Android Phones
(The Hacker News)
“Advanced Malware Discovered Pre-installed on 5 MILLION Android Devices from Honor, Huawei, Xiaomi, OPPO, Vivo, GIONEE and Samsung.”
Frida 10.7 Released
“iOS users rejoice: Frida is now compatible with the latest Electra jailbreak on iOS 11!”
iOS Static Analysis and Recon
“Reconnaissance is one of the most important and fun parts of pentesting, be it network, mobile or web applications. This series of posts will be a primer on how to assess iOS application security statically and dynamically, also to extract information about the target passively.”
13 Critical Flaws Discovered in AMD Ryzen and EPYC Processors
(The Hacker News)
“Security researchers have discovered 13 critical vulnerabilities in AMD’s Ryzen and EPYC secure processors that could allow attackers to access sensitive data, install persistent malware inside the chip.”
DJI Spark hijacking
“We have managed to get the DJI Spark drone and to find a vulnerability that makes the bleak picture above as real as it gets.”