Many of us at NowSecure are looking forward to convening at Black Hat USA in Las Vegas next week to learn more about the latest cybersecurity research and development trends. If you’re heading there too, take a peek at our recommendations of mobile appsec-related conference sessions to attend and swing by booth #671 to say hello and nab our cool stickers.
It’s been a busy week in the world of mobile security, so let’s get to it. Here are your highlights from this week:
- Apple becomes the first U.S.-based company to reach a market valuation of $1 trillion
- Reddit hack highlights the shortcomings of using SMS messages for two-factor authentication
- Android P engineers pump up the power of mobile devices with the Adaptive Battery Feature
- Beta investigation of the 6.5-inch iPhone X(s) Plus reveals support for native apps in portrait orientation
- Hackers could leverage vulnerabilities in Samsung’s SmartThings Hub to unlock doors or spy on occupants
- Google research discovers complex malware that goes to great lengths to remain undetected
- Israeli firm’s high-tech mobile spyware was used to target Amnesty International staff
- Facebook shuts off access to user data APIs for hundreds of thousands of inactive apps
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
“How do you like them apples? Apple just became the first American public company to cross $1 trillion in value. The iPhone maker achieved that big number on Thursday when the stock passed $207.04 a share.”
“There has been a large increase in mobile device malware to capture/intercept SMS messages, a major benefit for usage with mobile banking apps. SMS messages have had other risks as well, including SIM swap and unauthorized access from core telecommunications signaling environments.”
“The Adaptive Battery feature will dole out background access to only the apps you use. A new auto brightness scheme has been devised. And the Android team has made changes to how background work runs on the CPU. All together, battery life should be batter (err, better) than ever.”
While we don’t know what P stands for yet, we hear Android P is rumored to be released on Aug. 20, according to known tipster Evan Blass. Join our webinar on Thursday, Aug. 23, to learn from NowSecure experts about how the new Android P security enhancements will affect your mobile apps.
“Now, this might change as Apple introduces a 6.5″ display on the smartphone lineup later this year. This display will prove sufficient to run apps in portrait mode. Today, after iOS 12 Beta 5’s release, we’ve got more evidence that the company will finally introduce this feature at least on its largest iPhone.”
“As IoT devices rapidly proliferate across the U.S. and around the world — a home can be “smartened” up for a few hundred bucks — hackers are increasingly looking to twist the gadgets to their own ends. Cellebrite, the world famous Israeli firm most known for cracking iPhones, is increasingly targeting IoT devices because of a rise in demand from police and intelligence agencies around the world.”
Cisco Talos discovered 20 vulnerabilities in Samsung’s SmartThings Hub, a centralized controller that enables IoT devices to be managed by a smartphone. A hacker could combine the vulnerabilities to launch an attack, for instance disabling locks to gain physical access to a home or using cameras to spy on occupants.
Google Researcher Unpacks Rare Android Malware
“‘They’re using four groups of techniques for about 45 different checks. And if a single one of them fails then the application exits,’ Stone says. The rigorous checking mechanism means that the threat actors are willing to miss out on an expanded attack surface if it means keeping their code out of the hands of defenders.”
NSO Spyware Targets Saudi Human Rights Activists and Researchers
(The Hacker News)
“Pegasus has been designed to hack mobile phones remotely, allowing an attacker to access an incredible amount of data on a target victim, including text messages, emails, WhatsApp messages, user’s location, microphone, and camera—all without the victim’s knowledge.”
“Facebook this evening announced that it’s shutting off access to its application programming interface, the developer platform that lets app makers access user data, for hundreds of thousands of inactive apps. The company had set an August 1st deadline back in May, during its F8 developer conference, for developers and businesses to re-submit apps to an internal review.”