This week’s #MobSec5 includes these topics and more!
- TLS 1.3 internet secrecy protocol approved
- Cryptojackers inject malware via app for mining power
- iOS 11 native camera now scans QR codes
- Life Storage introduces AI powered storage bot, Howie
- U.K. actions ignite individual mobile data privacy rights and criminal investigations discussions
Four out of five topics above are true. One is an early prank pulled from CNET’s compilation of early April Fool’s Day pranks the internet has to offer thus far. Can you guess which one? Some are pretty clever, and more internet shenanigans are sure to come.
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
“TLS 1.3 won unanimous approval (well, one “no objection” amid the yeses), paving the way for its widespread implementation and use in software and products from Oracle’s Java to Google’s Chrome browser.”
Broken TLS can leave mobile apps vulnerable to man-in-the-middle (MITM) attacks. Be sure to include tests in your mobile app assessments to detect vulns like broken TLS/SSL and keep your user data secure. See how NowSecure provides fast, accurate mobile app security tests like these and more in under an hour.
“The message pops up when you try to log in to Google’s services, which usually happens during the device setup. Users who purchased the device are warned that ‘the device manufacturer has preloaded Google apps and services without certification from Google,’ and users aren’t given many options other than to complain to the manufacturer.”
New Android Cryptojacker Can Brick Phones
“ANDROIDOS_HIDDENMINER is currently being delivered through a fake Google Play update app.”
Managed Google Play for enterprise provides additional options for security professionals. For highlights of the new service, brianmadden.com offers an introduction to managed Google Play.
“Indian Prime Minister Narendra Modi has been accused of spying on his citizens through his office’s official smartphone app.”
The mobile app under fire in this article sends data to a 3rd-party server in an unexpected location. How do you know the mobile apps that you use on a daily basis don’t do the same? NowSecure INTEL detects these network connections and provides on-demand reports that include domain, IP, organization and location of all network connections. Want to see what INTEL can do? Request a free report here.
iOS camera QR code URL parser bug
“This is pretty cool, until now you needed special apps to do that for you on iOS.”
“Researchers said that when police confiscate physical possessions, the owner is entitled to an inventory of those items, but when departments confiscate someone’s data the owner may not be aware the information was ever taken.”
The complex debate over mobile data privacy rights and law enforcement needs continues. Apple appears to hold firm in its view that it makes no sense for device makers to weaken security by creating backdoor access for officials, given that such access provides more opportunity for bad actors as well.
LG Releases webOS Open Source Edition Optimized for Raspberry Pi 3
(CNXSoft – Embedded Systems News)
“The idea is to form a community around the open source version of webOS, and let different categories of developers or users contribute to the project.”
Android Security Bulletin March 2018: What you need to know
“There are nine issues marked Critical for March 01—four of which affect the media framework (no surprise there), four that affect the System, and one that affects a Qualcomm closed-source component.”
Are the apps your Android or iOS users download safe? Want to dig deeper? Get a free NowSecure risk report for an app of your choice here.
“Apple’s ‘Everybody Can Code’ program, focused on mobile apps, recently expanded to 70 more colleges, and iPad devices host Swift Playgrounds, a code education platform. Apple said it plans to expand that curriculum on Tuesday to support broader creative activities.”
How to see what hidden APIs apps are using in Android P
“Android P restricts apps from accessing hidden APIs and non-SDK interfaces. Using Logcat, it’s easy to see what non-SDK APIs that apps are using in the new release of Android.”