Gentle reminder to pay attention to headlines and what’s trending each week, because hackers certainly do, and they like to take advantage of spikes in searches and traffic. Last week it was the Fortnite mobile app craze. This week it’s a political hot-button issue. Either way, opportunistic scammers go where the attention and money are, so stay vigilant and tell others to be aware.
Your highlights from the mobile app security world this week include:
- California rushes to pass a more moderate consumer privacy bill before a stricter privacy ballot initiative goes to voters
- Attacker replaces ebuilds with malicious code on Gentoo’s GitHub mirror
- Anti-tampering DRM added to Play Store apps
- AsiaHitGroupGang strikes again with fake Android app installer, Sonvpay.C
- Warrants to be required to get mobile device location data
- RAMpage exploit breaks down barriers between mobile apps and operating systems
- Mobile apps to help you map the stars
- And More!
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
“‘Whilst the malicious code shouldn’t work as is and GitHub has now removed the organisation, please don’t use any ebuild from the GitHub mirror obtained before 28/06/2018, 18:00 GMT until new warning,’ Gentoo developer Francisco Blas Izquierdo Riera wrote.”
Click here for Gentoo’s incident updates.
“California lawmakers unanimously passed a new privacy bill on Thursday that would give residents of the state more control over the information businesses collect on them and impose new penalties on businesses that don’t comply. It is the first law of its kind in the United States.”
NowSecure mobile app testing includes regulatory compliance checks to ensure mobile apps don’t escape into production with data privacy leaks. If you’d like to review your mobile app’s compliance with regulatory regimes like HIPAA, GDPR and more, click here for a free report.
“There’s also the chance that a developer could force you to move to a newer version of an app by altering the metadata and preventing you from installing earlier versions that you might prefer. As good as this may be for mobile app security, it’s possible that developers will misuse this to exert more control over how you use their software.”
McAfee Finds Fake Android Apps That Steal Your Money
“The problem with carrier billing and this type of fraudulent charge is that it’s typically not discovered until the victim receives a monthly statement. These charges are typically subscription-based as well, so victims must figure out how to unsubscribe from the premium service…The list includes Qrcode Scanner, Cut Ringtones 2018, and Despacito Ringtone.”
Bad actors will always find ways to load fake apps into the legitimate marketplace. It only takes a few clicks to get a full security report on a third-party app through NowSecure INTEL, including vulnerability severity ratings determined by industry-standard CVSS scores.
“Apple is in a perpetual battle to stay ahead of hackers and secure its devices, but a new bug discovered by a security researcher and reported by ZDNet shows the passcode that protects iOS devices can be bypassed through a brute force attack, leaving iPhones and iPads vulnerable to being exploited.”
“As for what kind of secrets RAMpage could access, the paper notes that ‘this might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.'”
For more details on RAMpage, click here for the original research paper by the academics who discovered it.
Supreme Court: Police Need Warrant for Mobile Location Data
(Krebs on Security)
“At issue is Carpenter v. United States, which challenged a legal theory the Supreme Court outlined more than 40 years ago known as the “third-party doctrine.” The doctrine holds that people who voluntarily give information to third parties — such as banks, phone companies, email providers or Internet service providers (ISPs) — have ‘no reasonable expectation of privacy.'”
“SkySafari 6 and the Cosmos Collection for Android devices are expected to be released later this year. After spending some time listening to tours and hearing the pronunciations, you will be ready to act as the astronomer the next time you join friends or family under the stars. Or, if you’re shy, just pull out your device and turn up the volume.”
“Facebook knows the historical app audit it’s conducting in the wake of the Cambridge Analytica data misuse scandal is going to result in a tsunami of skeletons tumbling out of its closet.”
Google backs feature phone platform player
(Mobile World Live)
“While stating its platform is ‘not Firefox OS’, KaiOS is based on the original Mozilla project with staff from that team working on its engineering and user experience. It said the OS has ‘developed into something much more robust and expanded’ than the Firefox platform.”
If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now.