World Cup 2018 is in full swing and more global fans than ever are watching games in real time on mobile devices. Know Your Mobile suggests these 6 sports apps to follow the action and keep up-to-date. Overall, NowSecure finds Sports mobile apps are more prone to vulnerabilities than apps in other categories, such as Finance or Travel. If you’d like extra assurance before downloading, we’re happy to provide a free security report for any of the apps listed.
It has been a busy week in the world of mobile security so let’s get to it. This week’s highlights include:
- OWASP Mobile Security Testing Guide (MSTG) 1.0 released
- Anti-trust lawsuit against Apple’s App Store commissions to go before Supreme Court
- Fake Android apps cash in on Fortnite release mania
- MysteryBot banking trojan, possibly LokiBot 2.0, ready for Android 7 and 8
- Verizon, AT&T and Sprint to stop sharing customer location data with 3rd parties
- Tapplock Smart Lock API endpoint vulnerabilities exposed
- Malware infected app uses Telegram bot API to surveil Android devices
- To combat cheating, Algeria cuts both mobile and fixed line internet service during high school diploma exams
- And More!
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
OWASP Mobile Security Testing Guide
(The OWASP Foundation)
“We do have a message to our readers however! The first rule of the OWASP Mobile Security Testing Guide is: Don’t just follow the OWASP Mobile Security Testing Guide. True excellence at mobile application security requires a deep understanding of mobile operating system, coding, network security, cryptography, and a whole lot of other things, many of which we can only touch on briefly in this book.”
OWASP Mobile Security Testing Guide (MSTG) 1.0 is here with mobile security testing guidelines for both Android and iOS. NowSecure mobile testing experts follow OWASP requirements closely, continuously updating and automating recommendations within our mobile app testing engine. We also specifically map findings to OWASP Mobile Top 10, ensuring any issues are surfaced early and quickly.
AT&T, Sprint, Verizon to Stop Sharing Customer Location Data With Third Parties
(Krebs on Security)
“In the wake of a scandal involving third-party companies leaking or selling precise, real-time location data on virtually all Americans who own a mobile phone, AT&T, Sprint and Verizon now say they are terminating location data sharing agreements with third parties.”
Fake Fortnite for Android links found on YouTube
“The scheme goes like this: Get a couple of over-excited people salivating for a chance to play Fortnite on Android, and get paid. The more downloads that come from the website shown above, the more money the malware developers can make.”
Fortnite’s total player count has skyrocketed to 125 million after its release on mobile. The malicious version of the app is not distributed via Google Play but via YouTube ads, so make sure the youngsters in your household know that all that glitters is not gold – there is no early access to Fortnite on Android. The real app is due for release sometime this summer.
“The U.S. Supreme Court on Monday agreed to take up Apple Inc’s bid to escape a lawsuit accusing it of breaking federal antitrust laws by monopolizing the market for iPhone software applications and causing consumers to pay more than they should.”
Totally Pwning the Tapplock Smart Lock (the API way)
(Medium via @evstykas)
“tl:dr: Tapplock’s API endpoints had no security checks other than a valid token to access any data. This results in anyone with a valid login (easily obtained by creating an account) being able to…”
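The flaw class the quote describes, reduced to a minimal API handler, as an added illustration that is not code from the Tapplock write-up or from NowSecure: the vulnerable handler treats “has a valid token” as sufficient to read any lock record, while the hardened handler also checks that the caller owns the object. All users, tokens and lock records are constructed for the example.

```python
# Added illustration of the authorization gap described in the Tapplock
# write-up: authentication alone (a valid token) vs. authentication plus
# object-level authorization. Every value below is constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed session store: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Lock:
    lock_id: str
    owner: str
    ble_key: str  # sensitive: whoever reads this could open the lock


# Constructed lock records; each belongs to exactly one user.
LOCKS = {
    "lock-1": Lock("lock-1", "alice", "constructed-key-A"),
    "lock-2": Lock("lock-2", "bob", "constructed-key-B"),
}


def authenticate(token: Optional[str]) -> Optional[str]:
    """Return the user id for a valid token, None otherwise."""
    return SESSIONS.get(token or "")


def get_lock_vulnerable(token: Optional[str], lock_id: str) -> Tuple[int, Optional[Lock]]:
    """Authentication only: any logged-in user can read any lock."""
    user = authenticate(token)
    if user is None:
        return 401, None
    lock = LOCKS.get(lock_id)
    if lock is None:
        return 404, None
    return 200, lock  # missing check: does `user` own `lock`?


def get_lock_hardened(token: Optional[str], lock_id: str) -> Tuple[int, Optional[Lock]]:
    """Authentication plus object-level authorization on every read."""
    user = authenticate(token)
    if user is None:
        return 401, None
    lock = LOCKS.get(lock_id)
    # Same 404 for a missing lock and for another user's lock, so the
    # response does not confirm which lock ids exist.
    if lock is None or lock.owner != user:
        return 404, None
    return 200, lock
```

The same ownership check belongs on every endpoint that takes an object id (update, share, unlock history), not only on reads.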
Qualcomm backed in Apple patent row
(Mobile World Live)
“Qualcomm received a boost in a bid to secure an import ban on certain iPhones in the US after representatives of the International Trade Commission (ITC) backed its claim that Apple infringed at least one patent.”
“New Android banking Trojan and ransomware MysteryBot has been successful in finding a way to log user keystrokes on Android 7 and 8.”
“A new family of malware capable of comprehensive surveillance is targeting Android devices through the encrypted messaging app Telegram, according to research from antivirus vendor ESET.”
“Internet service, both mobile and fixed line, will go off for an hour after the start of each high school diploma exam to stop any leaks. Blackouts will continue throughout the exam season, from 20-25 June.”