Your highlights from the mobile app security world this week include:
- App Store stats released ahead of 10th anniversary
- Samsung Messages app erroneously sending pics to random contacts
- American Hospital Association raises concerns over using mobile apps without proper security protocols in place
- Prior to February 2018, Tinder photos were unencrypted
- The staff from those third-party apps connected to your Gmail may have permission to read your emails
- Google rolls out third beta of Android P, official Android 9.0 launch on the horizon
- July 2018 Android Security Bulletin now available
- Predictable password scheme cited as root cause of Gentoo GitHub takeover
- And More!
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
“Apple revealed several new numbers today in a report celebrating the App Store’s 10th anniversary, including details about subscription apps.”
“According to user reports, the problem stems from Samsung Messages, the default texting app on Galaxy devices, which (for reasons that haven’t been determined), is erroneously sending pictures stored on the devices to random contacts via SMS.”
Poor coding practices often result in mobile app vulnerabilities that endanger end-user privacy. NowSecure offers automated mobile app security testing that plugs into the SDLC to test in-house mobile app binaries in minutes and to flag known-vulnerable open source components or third-party libraries loaded at app runtime.
Tinder user photos are now encrypted
“In January, a security firm discovered that photos exchanged on Tinder weren’t encrypted. If the firm connected to the same network as someone using the dating…”
“Google on Monday afternoon dropped the third public beta of Android P, which is supposed to be a close-to-final version of Android 9.0 that will be released at some point this summer.”
AHA to CMS: Industry needs more secure mobile apps
(Health Data Management)
“The American Hospital Association, in comments sent to the Centers for Medicare and Medicaid Services relating to the Hospital Inpatient Prospective Payment System for FY 2019, is calling attention to CMS on the need for more secure mobile apps.”
The American Hospital Association has made a sound request: put appropriate security vetting in place before patient-chosen mobile apps are allowed into the medical ecosystem. Vetting apps can be quick with automated tools such as NowSecure INTEL, which checks third-party apps for potential security vulnerabilities and compliance issues in minutes.
Gmail messages ‘read by human third parties’
“People who have connected third-party apps to their accounts may have unwittingly given human staff permission to read their messages.”
Read the user agreement of every app you grant access to your accounts. To review which third-party apps have access to your Google account, and what type of access each one has, use the third-party access page in your Google Account security settings (https://myaccount.google.com/permissions).
Android Security Bulletin—July 2018
(Android Open Source Project)
“The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2018-07-05 or later address all of these issues. To learn how to check a device’s security patch level, see Check and update your Android version.”
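The bulletin's "check a device's security patch level" step can be scripted. The script below is an added example, not code from the Android Security Bulletin or from NowSecure: it reads the `ro.build.version.security_patch` system property (via `adb shell getprop` when a device is attached, otherwise from a constructed sample of getprop output) and compares it with the 2018-07-05 level the bulletin names. The sample property values are made up for illustration.

```shell
#!/bin/sh
# Added example: does a device's security patch level cover the July 2018 bulletin?
# The level lives in the system property ro.build.version.security_patch,
# readable with `adb shell getprop` (format: "[name]: [value]").

REQUIRED_PATCH_LEVEL="2018-07-05"   # from the July 2018 bulletin

# Constructed sample of `adb shell getprop` output, used when no device is attached.
SAMPLE_GETPROP='[ro.build.version.release]: [8.1.0]
[ro.build.version.sdk]: [27]
[ro.build.version.security_patch]: [2018-06-05]
[ro.product.model]: [Pixel 2]'

# Print the value of property $1 from getprop-style output on stdin.
getprop_value() {
    tr -d '\r' | sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p" | head -n 1
}

# Return 0 if patch level $1 (YYYY-MM-DD) is at or after level $2.
# A missing or malformed level counts as not patched.
patch_level_ok() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # ISO dates become comparable integers once the dashes are removed.
    have=$(printf '%s' "$1" | tr -d '-')
    need=$(printf '%s' "$2" | tr -d '-')
    [ "$have" -ge "$need" ]
}

# Evaluate one device's getprop output ($1); return 0 only if it is patched.
check_device() {
    level=$(printf '%s\n' "$1" | getprop_value ro.build.version.security_patch)
    release=$(printf '%s\n' "$1" | getprop_value ro.build.version.release)
    if patch_level_ok "$level" "$REQUIRED_PATCH_LEVEL"; then
        echo "Android ${release:-?} patch level $level: covers the July 2018 bulletin"
        return 0
    fi
    echo "Android ${release:-?} patch level ${level:-<missing>}: needs $REQUIRED_PATCH_LEVEL or later"
    return 1
}

# Use a live device when adb can see one, otherwise the constructed sample.
main() {
    if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
        check_device "$(adb shell getprop)"
    else
        check_device "$SAMPLE_GETPROP"
    fi
}

main
```

The comparison is deliberately done on the full date rather than on the month, because a device reporting 2018-07-01 is on the partial level and still lacks the fixes that the 2018-07-05 level adds.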
“ ‘The attacker gained access to a password of an organisation administrator. Evidence collected suggests a password scheme where disclosure on one site made it easy to guess passwords for unrelated web pages,’ the incident report said.”
If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now.