Your highlights from the mobile app security world this week include:
- Spanish soccer league leverages mobile app locational data and audio recording privileges to catch copyright violators
- Case study shows how each of U.K.’s top 10 mobile apps are handling GDPR
- Apple restricts developers' use of individuals' iPhone address book data to create and sell contact databases
- In shocking news, loading shady Android apps that pirate movies and TV shows on your Amazon Fire TV or Fire TV Stick may infect you with malware
- Apple phasing out trust of Symantec certificate authorities by fall 2018
- Docker Hub takes 10 months to remove images that include surreptitious code for mining cryptocurrencies
- Again, several months after notification, a ZIP file traversal vulnerability is patched in Samsung Notes
- And More!
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
“A single person or group may have made as much as $90,000 over 10 months by spreading 17 malicious images that were downloaded more than 5 million times from Docker Hub, researchers said Wednesday. The repository finally removed the submissions in May, more than eight months after receiving the first complaint.”
It’s appalling to see 5 million additional exposures to malicious activity after yet another months-long delayed response to issues repeatedly reported by users. For the names of the 17 malicious images, scroll to the mid-point of Kromtech’s original article.
“If you’ve loaded any apps onto your Amazon Fire TV or Fire TV Stick that let you watch pirated movies and TV shows, you could be at risk from a cryptocurrency-mining Android virus.”
Apple to distrust Symantec certificate authorities
“This summer, Apple will gradually begin to no longer trust the Symantec CA, and will initially cease trusting the Symantec CA in the fall of 2018. Sites that deploy Symantec SSL/TLS certificates (dates prior to June 1, 2016, or December 1, 2017) need to migrate certificates to Apple-trusted root certificates.”
Additional insight from Apple regarding actions being taken to distrust Symantec certificate authorities by fall.
“If ever there were a case for rejecting requested device permissions, it’s made by an Android app with more than 10 million downloads from Google Play. The official app for the Spanish soccer league La Liga was recently updated to seek access to users’ microphone and GPS settings. When granted, the app processes audio snippets in an attempt to identify public venues that broadcast soccer games without a license.”
Over-permissioned apps are prevalent, whether due to sloppy development or to organizations leveraging mobile apps to collect data over and above what end users would reasonably consider appropriate. NowSecure INTEL quickly vets third-party mobile app risks, including requests for sensitive locational data and background-mode permissions.
The UK’s top mobile apps and the GDPR
(Medium via @clearfaun)
“Before creating this article I did the best I could to apply The General Data Protection Regulation (GDPR) to my products. I created granular consent, age consent, an option to delete all user data, a clear and explicit explanation of what data was being used, I removed libraries and changed features to adhere to GDPR. After creating this article my strategy has changed and I think yours might too. Below I take a look at the UK’s top downloaded apps in April 2018 and see how they handle GDPR.”
“Apple is trying to make it harder for developers to abuse users’ information collected through apps. According to a report from Bloomberg, Apple updated its App Store Review Guidelines last week with more detailed rules on what developers can do with users’ Contacts address book information. Now, developers cannot make databases using address book information collected from iPhone users, nor can they share or sell such databases to third parties.”
(Pwn2Own) Samsung Notes ZIP File Directory Traversal File Write Vulnerability
(Zero Day Initiative)
“This vulnerability allows local attackers to escalate privileges on vulnerable installations of Samsung Notes. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of ZIP files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the application.”
ZIP file vulnerabilities in mobile apps, and the manner in which bad actors can exploit them, should be taken seriously. NowSecure researchers previously found similar issues in both Android and Samsung software, and we include tests to catch ZIP file traversal vulnerabilities before mobile apps are released.
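The ZDI advisory above boils down to an entry name being used in file operations without validation. The following is an added defender-side example, not code from the advisory or from Samsung Notes: a Python extractor that checks every archive entry against the destination directory before writing, run over a constructed archive whose entry names (one benign, three traversal-style) are invented for illustration.

```python
import io
import os
import tempfile
import zipfile

def build_sample_zip() -> bytes:
    """Constructed archive: one benign entry plus three traversal-style names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/page1.txt", "legitimate note content")
        zf.writestr("../../escaped.txt", "would land above the destination")
        zf.writestr("/abs/path.txt", "absolute path entry")
        zf.writestr("notes/../sibling.txt", "dot-dot hidden mid-path")
    return buf.getvalue()

def is_safe_member(name: str, dest_dir: str) -> bool:
    """Validate an entry name before any file operation uses it; the resolved target must stay under dest_dir."""
    normalized = name.replace("\\", "/")          # backslashes are a traversal vector too
    if normalized.startswith("/") or ".." in normalized.split("/"):
        return False                               # reject absolute paths and any '..' component
    dest_real = os.path.realpath(dest_dir)
    candidate = os.path.realpath(os.path.join(dest_real, normalized))
    try:
        return os.path.commonpath([dest_real, candidate]) == dest_real
    except ValueError:                             # e.g. different drives on Windows
        return False

def safe_extract(zip_bytes: bytes, dest_dir: str):
    """Extract only validated entries; return (extracted, rejected) entry names."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest_dir):
                rejected.append(info.filename)
                continue
            target = os.path.join(os.path.realpath(dest_dir), info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected

def run_demo():
    """Extract the sample archive into a scratch directory and report what landed where."""
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extract(build_sample_zip(), dest)
        kept = os.path.exists(os.path.join(dest, "notes", "page1.txt"))
        leaked = os.path.exists(os.path.join(dest, "sibling.txt"))
    return extracted, rejected, kept, leaked
```

The same check applies unchanged to Android code using `java.util.zip`: canonicalize the joined path and confirm it still starts with the destination directory before opening any output stream.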
“Back in April, I detailed four things that Android does better than the iPhone when it comes to notifications. With iOS 12, Apple has taken care of three of them. Notifications can be grouped, it’s easier to make them silently appear, and, most importantly, you can directly manage settings from the notification itself. Android P still claims to do a better job of prioritizing notifications, but three out of four isn’t bad.”
A cartoon intro to DNS over HTTPS
“At Mozilla, we closely track threats to users’ privacy and security. This is why we’ve added tracking protection to Firefox and created the Facebook container extension. In today’s cartoon intro, …”