Highlights from the mobile application security world this week.
- Google Releases Major Gmail Privacy & Feature Updates
- Security Content Overview Available for iOS 11.3.1
- Amazon Extends Secure Delivery Options
- New Malware Disguised as Facebook or Chrome Apps
- Tracking Down Which Apps Have Access to Your iPhone Data
- Private Keys Could be Middle Ground for Privacy Advocates and Law Enforcement Officials
- And more!
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
Google Ramps Up Gmail Privacy Controls in Major Update
“The ‘all new’ Gmail is available to the more than four million businesses that pay for G Suite services. People who use the email service personally for free can opt in by making the choice in settings, vice president of product management David Thacker said in a blog post.”
The Gmail updates within this G Suite release are packed with security updates and new or enhanced features. The release is available to individuals as well, but note that Google has not updated all 1.4 billion Gmail users’ settings just yet. Here are a few helpful tips for updating.
“So, say the FBI needs the contents of an iPhone. First the Feds have to actually get the device and the proper court authorization to access the information it contains—Ozzie’s system does not allow the authorities to remotely snatch information. With the phone in its possession, they could then access, through the lock screen, the encrypted PIN and send it to Apple. Armed with that information, Apple would send highly trusted employees into the vault where they could use the private key to unlock the PIN. Apple could then send that no-longer-secret PIN back to the government, who can use it to unlock the device.”
“The service allows eligible Amazon Prime members throughout 37 U.S. cities to have items dropped off in their car trunks. It’s an extension of Amazon Key, a program introduced last year that lets the company’s couriers place packages inside participating users’ homes when they’re away to reduce the risk of theft.”
“‘You would be amazed how easy it is to piece together a fairly accurate profile from just a few snippets of information, and this information can be used for identity theft.’”
Tracking who has access to your personal information is a painstaking process. Adding to the complexity, mobile application developers often unwittingly share customer data via third-party libraries and SDKs. With heightened customer privacy expectations and GDPR enforcement coming May 25th, companies should get serious about fully testing mobile applications for security vulnerabilities, including understanding where customer data is being sent.
XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing
(TrendLabs Security Intelligence Blog)
“We have been detecting a new wave of network attacks that use Domain Name System (DNS) cache poisoning/DNS spoofing to distribute and install the XLoader Android malware.”
“Wardle, a former NSA hacker turned security researcher, was on a date in Moscow when he began to suspect he’d been lured away from his hotel room—and laptop—intentionally. The experience inspired him to create Do Not Disturb, a new app that will alert users if someone messes with their Mac.”
Google Accused of Showing ‘Total Contempt’ for Android Users’ Privacy
“With its baffling decision to launch a messaging service without end-to-end encryption, Google has shown utter contempt for the privacy of Android users and handed a precious gift to cybercriminals and government spies alike, allowing them easy access to the content of Android users’ communications.”
There were 197 billion mobile apps downloaded in 2017. If companies like Google are not following what most consider to be basic security best practices, what vulnerabilities may be lurking within other mobile apps your employees download every day? NowSecure INTEL quickly vets third-party app risk, enabling responsible and effective BYOD policy.
About the security content of iOS 11.3.1
Apple releases the security content of iOS 11.3.1, including reference links back to CVE-IDs.