Your highlights from the mobile app security world this week include:
- Apple accepts Telegram updates that were previously delayed due to Russian ban
- Researchers explain steps to bypass Apple’s device protections for iOS 11.3.1
- New Android App Bundle leverages Dynamic Delivery to simplify submission process for developers
- Google releases encryption attack protection strategy for Google Pixel 2 devices
- What to expect at Apple’s World Wide Developer Conference (WWDC) next week
- The U.S. State Department releases cyber threat protection recommendations to the President
- And more!
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
“In this blog, we will introduce Apple’s new mitigation incurred in iOS 11.3 that prevents root filesystem from being remounted as RW, and also propose a brand-new mitigation bypass technique. According to our research, our new mitigation bypass will work with Ian Beer’s incoming tfp0 on iOS 11.3.1. That means, you can get a jailbreak on iOS 11.3.1!”
“As we reported yesterday, Telegram’s CEO said that Apple was blocking the company from releasing updates to the messaging service since Russian authorities deemed the app illegal. Now, Apple and Telegram have come to some sort of solution.”
“It’s that time of year again. The days are long, the sun is shining, and Apple is getting ready to take the stage at its annual developer conference to unveil a look at the future of its iOS, macOS, tvOS, and watchOS operating systems.”
iOS 12 is rumored to make updates to performance and reliability, as well as security. Join our discussion the Tuesday after WWDC as we discuss learnings from iOS 11, predictions coming from the live event, and the implications on mobile app security.
“Instead of going through the effort of compiling APKs for a mountain of different device options, Android App Bundles let developers hand over all their software assets to Google in one go. Then Google uses Dynamic Delivery with the Play Store to sort through that bundle and make sure your phone gets the right pieces for your needs.”
“Efforts to deter state and non-state actors alike are also hindered by the fact that, despite significant public and private investments in cybersecurity, finding and exploiting cyber vulnerabilities remains relatively easy. Those defending networks must be near perfect in their efforts, while malicious cyber actors may only need to find a single vulnerability to gain a foothold in a network.”
Staying ahead of malicious hacking is a daunting task and of constant concern throughout the cyber security community. NowSecure offers fully automated tools that enable fast and accurate mobile app security testing to aid in this effort. Our platform is fueled by our elite, ethical threat research team and updated continuously to stay ahead of bad actors of all kinds – whether it is one person in a basement or an entire nation state.
“I wanted to see HTTPs traffic of Viber 220.127.116.11 on iOS 11.0.1 with Electra 1.0.4. I tried SSLKillSwitch2, but it didn’t disable SSL pinning. I have no idea why. Anyway, I did a research and wrote a simple script to disable SSL pinning in Viber by hooking just a single iOS Security framework function SecTrustEvaluate(…).”
How spies can use your cellphone to find you – and eavesdrop on your calls and texts too
(The Washington Post)
“The letter, dated May 22 and obtained by The Washington Post, described surveillance systems that tap into a global messaging system that allows cellular customers to move from network to network as they travel. The decades-old messaging system, called SS7, has little security, allowing intelligence agencies and some criminal gangs to spy on unwitting targets — based on nothing more than their cellphone numbers.”
Insider Attack Resistance
“Our smart devices, such as mobile phones and tablets, contain a wealth of important personal information that needs to be kept safe. Google is constantly trying to find new and better ways to protect that valuable information on Android devices. From partnering with external researchers to find and fix vulnerabilities, to adding new features to the Android platform, we work to make each release and new device safer than the last. This post talks about Google’s strategy for making the encryption on Google Pixel 2 devices resistant to various levels of attack—from platform, to hardware, all the way to the people who create the signing keys for Pixel devices.”
Mobile device security is extremely important – kudos to Google for continued improvement and focus. In order to ensure devices are fully secured, organizations should subject mobile apps downloaded to the device to the same level of testing and scrutiny.
Encrypting for Apple’s Secure Enclave
“Encryption, once you have a safe and well-implemented algorithm, is all about the keys. Lose control of your keys, and it’s “Game over, man!” What if we could put our keys somewhere completely out of reach, where even their owner can’t get to them? YubiKeys and HSMs can provide that security, but they’re external devices. However, recent iOS devices and MacBook Pros have something just as good: the Secure Enclave (SE).”