Your highlights from the mobile app security world this week including:
- NowSecure experts weigh in on ZipperDown vulnerability
- Twitter’s new access system creates limits for 3rd party Twitter apps
- Cell location service used by law enforcement breached
- Phishing scam poses as proactive GDPR security measure
- Technical details released for LocationSmart vulnerability
- Zuckerberg to meet with European Parliament as GDPR hits
- And More!
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
“In the ZipperDown scenario, the attacker and mobile app needs to be on the same wifi network or an attacker must be able to influence upstream network resources, i.e., a man-in-the-middle (MITM) attack.”
Zip file download vulnerabilities are a fairly typical development error and have been around for some time. In this blog, the NowSecure team provides an overview of the ZipperDown vulnerability reported this week, including recommendations for securing your mobile apps against this type of issue.
“A phishing scam fooled victims by claiming to be Apple and scooping up personal details – including financial information and Apple account information.”
It’s not surprising to see bad actors taking advantage of the hype around the GDPR deadline next week. Hopefully, your organization has been taking incremental steps to prepare. Here are 12 use cases for mobile app owners as you continue to navigate GDPR.
LocationSmart API Vulnerability
“On May 16th, I found a vulnerability in the LocationSmart website which allowed anyone, with no prior authentication or consent, to obtain the realtime location of any cellphone in the US to within a few hundred feet. I immediately moved to contact US CERT to coordinate disclosure, and worked with Brian Krebs to publish the story after the vulnerability was fixed this morning (May 17th).”
Deleted WHOIS Data: An Unintended Consequence of GDPR
“GDPR will impact the availability of WHOIS data, which often serves as a trail of breadcrumbs that leads security researchers to someone obtaining domains to launch global campaigns involving spam, malware and botnets.”
“The changes, which go into effect August 16th, do two main things: first, they prevent new tweets from streaming into an app in real time; and second, they prevent and delay some push notifications. Neither of these are going to break Twitter apps completely, but they could be very annoying depending on how and where you use it.”
“The service, called GeoLoc, ‘provides the approximate location of the cellular device being called at both the beginning and the end of the call,’ the Securus marketing material states.”
Reviewing Android Webviews fileAccess attack vectors
“WebViews are a crucial part of many mobile applications and there are some security aspects that need to be taken into account when using them. File access is one of those aspects. For the implementation of some checks in our security tool Droidstatx, I’ve spent some time understanding all the details and noticed that not all attack vectors are very clear, especially in their requirements.”
“Facebook’s CEO Mark Zuckerberg has agreed to come to the European Parliament, according to the parliament’s top official.”
It’s best to keep your organization out of the hot seat when it comes to end user privacy. NowSecure includes regulatory details for findings, including GDPR and the section to be reviewed, to help keep everyone on track with compliance.
If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now.