The first day of Spring has finally come! Check out NOAA’s satellite view of the Vernal Equinox from sunset to sunrise. Before we celebrate longer days and discover more reasons to fire up that grill, let’s send you into the weekend with what’s happened in the mobile security world this week.
This week on #MobSec5 includes:
- Rogue researchers harness the power of Facebook’s personal data treasure trove
- Chinese smartphone maker loses Best Buy order
- New app lets you (almost) skip the line at Macy’s
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
Facebook’s Role in Data Misuse Sets Off Storms on Two Continents
(The New York Times)
“The data was obtained in 2014, when Cambridge Analytica, through an outside researcher, paid users small sums to take a personality quiz and download an app, which would scrape some private information from their profiles and from those of their friends — activity that Facebook permitted at the time. The approach was based on a technique pioneered at Cambridge University by data scientists who claimed it could reveal more about a person than even their parents or romantic partners knew.”
If you’re wondering how to continue to enjoy Facebook yet maintain some semblance of privacy, Wired’s Complete Guide to Facebook Privacy is a good start.
GrayKey iPhone unlocker poses serious security concerns
“Ever since the case of the San Bernardino shooter pitted Apple against the FBI over the unlocking of an iPhone, opinions have been split on providing backdoor access to the iPhone for law enforcement. Some felt that Apple was aiding and abetting a felony by refusing to create a special version of iOS with a backdoor for accessing the phone’s data. Others believed that it’s impossible to give backdoor access to law enforcement without threatening the security of law-abiding citizens.”
Managing Healthcare Apps for Better Mobile Device Security
“Application management can offer more controlled mobile device security for healthcare organizations by avoiding device management hangups.”
“The code-hosting site says by December 1 project owners had cleaned up 450,000 of the four million vulnerabilities found by its scan, either by updating to a secure version or removing the dependency.”
Protecting Security Researchers
(Dropbox Tech Blog)
“Anything that stifles open security research is problematic because many of the advances in security that we all enjoy come from the wonderful combined efforts of the security research community. Motivated by recent events and discussions, we’ve realized that too few companies formally commit to avoiding many of the above behaviors.”
Kudos to Dropbox for revisiting and updating its Vulnerability Disclosure Policy (VDP) to better ensure that the security research community can operate openly and without fear of retribution for reporting vulnerabilities. Dropbox drew on HackerOne’s VDP guidelines, the US DOJ Cybersecurity Unit’s VDP framework, and recent Senate testimony as resources for the update.
Dynamic analysis of iOS apps without Jailbreak – ver 1.2
(Medium via @ansjdnakjdnajkd)
“Frida (GitHub: /frida/frida) is one of the few frameworks that is still actively developed today and lets you inject JS code into a process, monitor the application launch, and patch it before the launch completes. Its advantages are easy extensibility for new tasks, scriptability, and a simple client. By adding only the Frida gadget to the project, even without doing anything else, you can already find out what calls are happening inside the program and later apply that in static analysis (r2+frida).”
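As an added illustration of the gadget-based approach described above (this script is not from the Medium article, from the Frida project, or from NowSecure), the Frida script below hooks NSURLSession request creation inside an iOS app that has the Frida gadget embedded, prints each outbound URL with a backtrace so the calling SDK can be identified, and classifies the destination host against an allowlist of the app’s own domains. The allowlist `FIRST_PARTY_DOMAINS` and every hostname in it are constructed assumptions for the example. The pure-JavaScript helpers run anywhere; the hooking section only executes when the script is loaded into a process by frida, for example `frida -U -l hook_urls.js Gadget`.

```javascript
// Added example: log and classify outbound HTTP(S) destinations from inside an
// iOS app instrumented with the Frida gadget. Not code from the original article.

// Constructed allowlist of the app's own domains (assumption for the example).
const FIRST_PARTY_DOMAINS = ['example-bank.com', 'api.example-bank.com'];

// Return the lowercase host of a URL string, or null if it does not look like one.
// A small regex is used instead of the WHATWG URL class because the Frida JS
// runtime does not provide it. IPv6 literal hosts are not handled.
function hostOf(urlString) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^@\/?#]*@)?([^:\/?#]+)/i.exec(String(urlString));
  return m ? m[1].toLowerCase() : null;
}

// A host is first-party if it equals an allowlisted domain or is a subdomain of
// one. The leading dot prevents "evilexample-bank.com" from matching.
function isFirstParty(host, allow) {
  if (!host) return false;
  return allow.some(d => host === d || host.endsWith('.' + d));
}

// Deduplicate observed URLs into sorted first-party and third-party host lists.
function classifyHosts(urls, allow) {
  const first = new Set();
  const third = new Set();
  for (const u of urls) {
    const h = hostOf(u);
    if (h === null) continue;
    (isFirstParty(h, allow) ? first : third).add(h);
  }
  return { firstParty: [...first].sort(), thirdParty: [...third].sort() };
}

// Frida-specific part: only runs when injected into an Objective-C process.
if (typeof ObjC !== 'undefined' && ObjC.available) {
  const seen = [];
  const NSURLSession = ObjC.classes.NSURLSession;
  // Hook the two most common request entry points.
  for (const sel of ['- dataTaskWithRequest:completionHandler:', '- dataTaskWithRequest:']) {
    const method = NSURLSession[sel];
    if (!method) continue;
    Interceptor.attach(method.implementation, {
      onEnter(args) {
        // args[0] = self, args[1] = selector, args[2] = NSURLRequest*
        const request = new ObjC.Object(args[2]);
        const url = request.URL().absoluteString().toString();
        seen.push(url);
        const tag = isFirstParty(hostOf(url), FIRST_PARTY_DOMAINS) ? 'first-party' : 'THIRD-PARTY';
        console.log(`[${tag}] ${request.HTTPMethod().toString()} ${url}`);
        // Symbolised backtrace shows which library (app code or an embedded SDK) made the call.
        console.log(Thread.backtrace(this.context, Backtracer.ACCURATE)
          .map(DebugSymbol.fromAddress).join('\n'));
      }
    });
  }
  // From the frida REPL: rpc.exports.summary() returns the hosts seen so far.
  rpc.exports = { summary: () => classifyHosts(seen, FIRST_PARTY_DOMAINS) };
}
```

The first-party allowlist is what turns a raw call trace into a finding: anything in the third-party bucket is a destination the app’s developers may not have knowingly chosen, and the backtrace tells you which embedded SDK is responsible.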
“Macy’s plans to roll out, later this year, an upgrade to its mobile app letting customers pay for items with their smartphone.”
“Best Buy, the nation’s largest electronics retailer, has ceased ordering new smartphones from Huawei and will stop selling its products over the next few weeks, according to a person familiar with the situation. Best Buy made the decision to end the relationship, the person said.”
Almost all of our customers want to know where mobile applications send data. A thorough analysis matters because many third-party libraries, especially advertising and analytics SDKs, may send data to unexpected destinations. NowSecure INTEL detects these network connections during dynamic analysis and provides on-demand reports listing the domain, IP, organization and location of every network connection. Request a free INTEL report here if you’d like to get an idea of the breadth of third-party app risk coverage it provides.
“A new variant of the Fakebank malware can intercept Android users’ banking-related incoming and outgoing calls.”
“Popular secure messaging service Telegram loses battle with Russian courts and now must hand over encryption keys or face being blocked from the country.”
If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now.