Mobile platform fragmentation, especially on Android devices, has always created unique complexities for the mobile app security community. This week, NowSecure released a new blog post reviewing how Google uses API levels to reduce mobile OS fragmentation, sharing expert insight on the topic and on how it continues to evolve.
Moving on, here are your highlights from the mobile app security world this week, including:
- A look under the hood of a counterfeit iPhone X
- Venmo’s default public setting allowed 207,984,218 transactions to be visible via API in 2017
- Additional unlock requirement introduced to USB Restricted Mode in iOS 12 developer beta 4
- Tech giants unite to enable easier data portability between platforms
- EU ruling against Google opens up options for Android device makers
- Hackers leverage phone numbers to seize end-user accounts, including Instagram, Hulu, Amazon, eBay, PayPal, etc.
- Credit card thieves use free-to-play apps to launder ill-gotten gains
- Google acknowledges Fuchsia OS’s existence, still mum as to whether it will replace Android and Chrome OS
- And More!
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
PayPal’s Venmo App Exposes Most Transactions via Its API
“The reason this happens is because the Venmo app’s default settings are set to ‘Public’ for all users.”
The privacy advocate who discovered Venmo’s public default setting created the Public by Default website, which explores how public Venmo data could be exploited and provides instructions for quickly changing end-user privacy settings.
“Before the change, authorities or criminals would have an hour since last unlock to connect a cracking device, like the GreyKey box. Now, they don’t have that hour, making it that much more difficult to brute force a password attempt into a device.”
Review: A Counterfeit, $100 iPhone X
“Once I started trying some of Apple’s more recent and advanced features, though, things started going off the rails. Siri’s graphical interface has been recreated, but it doesn’t really work. My favorite thing about the phone is its “Face ID” system. I clicked over to Face ID in the settings menu, clicked “Add a Face ID,” and was hilariously bounced over to the camera, which did manage to draw a green box around my face. It said “Face Added,” and closed. I was then able to unlock the phone with my face. So was literally anyone else who put their face in front of the phone.”
“Much of the codebase consists of “adapters” that can translate proprietary APIs into an interoperable transfer, making Instagram data workable for Flickr and vice versa. Between those adapters, engineers have also built a system to encrypt the data in transit, issuing forward-secret keys for each transaction. Notably, that system is focused on one-time transfers rather than the continuous interoperability enabled by many APIs.”
Data Transfer Project is the next level of Google’s Download Your Data offering, which allows users to download a copy of their stored data across 50+ Google products. The overarching effort helps standardize practices as GDPR enforcement evolves. If you are curious whether your mobile app is compliant with GDPR, and most other compliance regimes, run a free check here.
“The EU found that the Alphabet Inc (GOOGL.O) unit illegally bolstered its dominance in the mobile business since 2011 by forcing Android device makers to pre-install Google Search and its Chrome browser together with its Google Play app store, paying them to pre-install only Google Search, and blocking them from using modified versions of Android.”
The SIM Hijackers
“In the buzzing underground market for stolen social media and gaming handles, a short, unique username can go for between $500 and $5,000, according to people involved in the trade and a review of listings on a popular marketplace. Several hackers involved in the market claimed that the Instagram account @t, for example, recently sold for around $40,000 worth of Bitcoin.”
“As we examined the database we rapidly became aware that this was not your ordinary corporate database, this database appeared to belong to credit card thieves (commonly known as carders) and that it was relatively new, only a few months old. So we dug much deeper.”
“As we’ve seen through previous software clues, the OS would represent Google’s chance to start from scratch and eliminate the baggage that comes with existing software. Both Android and Chrome OS are based on Linux, for example, which carries technology that Google might no longer need. Android in particular still has some elements of Java (currently through OpenJDK) that Google might want to jettison in light of its ongoing legal battles with Oracle. Fuchsia is also expected to scale more consistently across device types, include better hooks for voice commands and provide faster security updates than on Android.”
If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now.