This week, NowSecure released a benchmark analysis of 45,000 mobile apps in the Apple App Store and Google Play Store, which found that 85% of them violate at least one of the OWASP Mobile Top 10 guidelines, raising end-user privacy risk through insecure data storage, insecure network communications, and insecure coding practices.
It’s been a very busy week in the world of mobile application security, so let’s get to it. Here are your highlights from this week:
- NIST releases draft of mobile app security recommendations
- Researchers find malware that spreads via open Android Debug Bridge (ADB) ports
- Twitter restricting access to APIs and removing malicious apps that violate policies
- Malicious app developers using “droppers” to sneak malware into Google Play apps
- New mobile app enables users to earn rewards by tracking ground mileage
- Putin’s soccer ball gift to Trump has a communication chip inside
- The high stakes of false positives on Amazon’s facial recognition system
- Flaw in home security monitoring mobile app allows interception of customer audio and video feeds
- And More!
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
“The National Institute of Standards and Technology (NIST) is now working on updating its recommendations for how organizations and developers can keep mobile applications secure.”
The recently released draft, Vetting the Security of Mobile Applications, is a helpful overview and baseline for organizations developing and distributing mobile apps for customer use.
“‘An identification — whether accurate or not — could cost people their freedom or even their lives,’ the group said in an accompanying statement. ‘Congress must take these threats seriously, hit the brakes, and enact a moratorium on law enforcement use of face recognition.'”
Open ADB Ports Being Exploited to Spread Possible Satori Variant in Android Devices
(TrendLabs Security Intelligence Blog)
“The exploitation of open ports on devices has been an on-going problem for many IoT users. TCP port 5555, in particular, has had issues in the past due to product manufacturers leaving it open before shipping, which potentially exposes users to attackers.”
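The practical check behind that quote is whether a device's TCP port 5555 answers as an ADB daemon at all, and if so whether it hands out a shell without the RSA key check. The script below is an added example (not code from the TrendLabs post or from NowSecure) that speaks the first message of the ADB wire protocol, a CNXN packet, and classifies the reply: a CNXN back means the daemon accepted an unauthenticated host, an AUTH back means it wants a signed challenge first. It assumes the legacy protocol version (0x01000000, byte-sum checksum, 4096-byte payload limit) as documented in AOSP, and the sample replies at the bottom are constructed, not captured from a real device. Run it only against devices you are authorized to test.

```python
"""Probe a TCP port for an ADB daemon and tell an unauthenticated one from an
authenticated one by sending the protocol's opening CNXN message.

Wire format (AOSP adb protocol docs): a 24-byte header of six little-endian
uint32s (command, arg0, arg1, data_length, data_check, magic) followed by the
payload; magic is command XOR 0xffffffff.
"""
import socket
import struct

A_CNXN = 0x4E584E43      # b"CNXN" read as a little-endian uint32
A_AUTH = 0x48545541      # b"AUTH"
A_VERSION = 0x01000000   # legacy protocol version (assumption: peer honours it)
MAX_PAYLOAD = 4096       # legacy maximum payload size
HEADER_FMT = "<6I"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24 bytes
FIELDS = ("command", "arg0", "arg1", "data_length", "data_check", "magic")


def checksum(payload: bytes) -> int:
    """Legacy ADB data_check: a plain byte sum, not a CRC."""
    return sum(payload) & 0xFFFFFFFF


def build_message(command: int, arg0: int, arg1: int, payload: bytes = b"") -> bytes:
    """Serialise one ADB message: header plus payload."""
    header = struct.pack(HEADER_FMT, command, arg0, arg1,
                         len(payload), checksum(payload), command ^ 0xFFFFFFFF)
    return header + payload


def build_connect() -> bytes:
    """The CNXN an adb client sends first; 'host::' identifies us as a host."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")


def parse_header(buf: bytes):
    """Return the header fields as a dict, or None if buf is not an ADB message."""
    if len(buf) < HEADER_LEN:
        return None
    fields = dict(zip(FIELDS, struct.unpack(HEADER_FMT, buf[:HEADER_LEN])))
    if fields["magic"] != fields["command"] ^ 0xFFFFFFFF:
        return None  # magic does not match the command: some other protocol
    return fields


def is_adb_message(buf: bytes) -> bool:
    return parse_header(buf) is not None


def classify_reply(buf: bytes) -> tuple:
    """Map the daemon's first reply to (verdict, banner).

    CNXN back: the daemon accepted us with no key check, so anyone who can reach
    the port gets an adb shell. AUTH with arg0 == 1 (ADB_AUTH_TOKEN): it wants an
    RSA-signed challenge before granting access.
    """
    hdr = parse_header(buf)
    if hdr is None:
        return ("not-adb", "")
    payload = buf[HEADER_LEN:HEADER_LEN + hdr["data_length"]]
    if hdr["command"] == A_CNXN:
        banner = payload.rstrip(b"\x00").decode("ascii", "replace")
        return ("open", banner)
    if hdr["command"] == A_AUTH and hdr["arg0"] == 1:
        return ("auth-required", "")
    return ("unknown", "")


def probe(host: str, port: int = 5555, timeout: float = 3.0) -> tuple:
    """Send CNXN to host:port and classify the reply (network I/O; authorised use only)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect())
        buf = b""
        while len(buf) < HEADER_LEN:
            chunk = sock.recv(4096)
            if not chunk:
                return ("not-adb", "")
            buf += chunk
        hdr = parse_header(buf)
        if hdr is None:
            return ("not-adb", "")
        while len(buf) < HEADER_LEN + hdr["data_length"]:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return classify_reply(buf)


# Constructed replies (not captured from a real device) showing both outcomes.
OPEN_REPLY = build_message(A_CNXN, A_VERSION, MAX_PAYLOAD,
                           b"device::ro.product.name=tvbox;ro.product.model=X1;\x00")
LOCKED_REPLY = build_message(A_AUTH, 1, 0, b"\x00" * 20)  # 20-byte auth token

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))  # e.g. python adbprobe.py 192.0.2.10
    else:
        print(classify_reply(OPEN_REPLY), classify_reply(LOCKED_REPLY))
```

A CNXN banner that starts with `device::` is the signature of a daemon that will serve `adb shell` to any network peer; that is the condition the worm described above relies on. Newer daemons negotiate a higher version and may omit the payload checksum, which is why the classifier trusts the header magic rather than `data_check`.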
“They discovered a new vulnerability – that free software tools commonly used within the cyber-security industry could be used to intercept messages sent from OzVision’s computer servers to the Safe by Swann app.”
“Droppers can be hard to detect, because they’re basically coded into an app. It’s an infection. The dropper itself usually isn’t coded to cause any harm outright. Droppers get their foot in the door and over time download the malicious, harmful malware to your device.”
“The move is part of a greater cleanup happening at Twitter. Earlier this month, the company announced that it was removing some suspicious accounts from people’s follower lists, and The Washington Post reported it had recently suspended more than 70 million fake accounts entirely.”
“The obvious catch here is you have to give the Miles app constant access to your location. No matter how much you love slamming back cappuccinos or saving a few bucks at Target, that’s something to seriously consider, especially in the wake of seemingly constant data breaches at companies both small and large. (You can opt to only give access to your location when the app is open, though that means you have to open the app every time you travel.)”
New, trendy mobile apps appear every minute. While it’s questionable whether getting coupons is worth letting a mobile app track your every move, it is certain that many (especially the younger, less privacy-concerned crowd) will give it a try. NowSecure INTEL allows mobile security teams to run quick vulnerability scans on new apps like this to make informed decisions about what’s okay to allow on employee devices and what might compromise the security of the organization.
“Eagle-eyes at Bloomberg noticed that this particular ball has a very specific logo — see image above — that indicates the presence of a near-field communication (NFC) chip inside.”