The NowSecure team had a great time this week at RSA 2018! Many thanks to our customers who participated in our user group and also to those that took time to drop by our booth or meet individually while everyone was in San Francisco. We love hanging out with you guys!
Now, onto #MobSec5 and highlights from the mobile application security world this week.
- “Trustjacking” threat results from an iOS vulnerability in iTunes Wi-Fi Sync
- Mobile banking security considerations and tips
- U.S. Computer Emergency Readiness Team (US-CERT) warns of network infrastructure exploits by Russian state-sponsored cyber actors
- Android announces DNS over TLS support now available in Android P Developer Preview
- Third-party advertising SDKs continue to cause data-leakage vulnerabilities and regulatory-compliance headaches
- Netflix releases 30 second mobile previews for shows
- And more!
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
“When we use popular apps with good ratings from official app stores we assume they are safe. This is partially true – usually these apps have been developed with security in mind and have been reviewed by the app store’s security team. However, we found that because of third-party SDKs many popular apps are exposing user data to the internet, with advertising SDKs usually to blame.”
Ikea app TaskRabbit reveals security breach
“The company has urged people to change their passwords on other websites and apps, if they have used their TaskRabbit password for other accounts.”
TaskRabbit has since confirmed that personally identifiable information was compromised. If you use the site, please heed the advice to update your password, including on any other sites where you use that same password.
Should You Be Worried About Mobile Banking App Security?
“Those apps have to do a lot of really sophisticated things in terms of working on your device and then communicating it over the air to connect back to the servers and the data centers for the banks,” says Brian Reed, chief marketing officer at NowSecure. “Because that’s all so complicated — and more complicated than a simple website — there’s lots of opportunities for things to break.”
Bankrate highlights prudent mobile banking app security tips from NowSecure’s CMO, Brian Reed. You can read more about the complexities of mobile banking security in NowSecure’s white paper, Mobile Banking Applications: Security Challenges for Banks, developed in collaboration with Accenture Consulting.
“Netflix is releasing a new feature called mobile previews, which is essentially a version of stories on apps like Instagram and Snapchat that shows you previews of shows and movies on the subscription service.”
DNS over TLS support in Android P Developer Preview
(Android Developers Blog)
“Like HTTPS, DNS over TLS uses the TLS protocol to establish a secure channel to the server. Once the secure channel is established, DNS queries and responses can’t be read or modified by anyone else who might be monitoring the connection.”
iOS Trustjacking – A Dangerous New iOS Vulnerability
“This vulnerability exploits an iOS feature called iTunes Wi-Fi sync, which allows a user to manage their iOS device without physically connecting it to their computer. A single tap by the iOS device owner when the two are connected to the same network allows an attacker to gain permanent control over the device.”
“The research, recently published in the journal Proceedings on Privacy Enhancing Technologies, showed that 3,337 Android apps on Google Play were improperly collecting children’s data and potentially violating the United States Children’s Online Privacy Protection Act (COPPA), which limits data collection for kids under age 13.”
Many times, it is the mobile developer’s use of third-party SDKs to save time that leads to COPPA violations, such as unwittingly sharing personally identifiable information about persons under the age of 13 with ad-targeting firms. NowSecure enables mobile developers to integrate rapid, continuous app vulnerability testing into the SDLC to protect against legal jeopardy and heavy fines, without slowing down release cycles. We also offer a free, detailed guide, Secure Mobile Development Best Practices, to help ensure these types of mobile app vulnerabilities do not make it into production.
“Since 2015, the U.S. Government received information from multiple sources—including private and public sector cybersecurity research organizations and allies—that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide. The U.S. Government assesses that cyber actors supported by the Russian government carried out this worldwide campaign.”