As users wait for Android 9 Pie to come to their mobile devices, security analysts and mobile app developers are gaining familiarity with Android Network Security Configuration. Learn why and how you should use it in our new blog post.
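Because that post is about the Network Security Configuration, here is a minimal illustration added for this digest (our own example, not code from the post): the kind of weak res/xml/network_security_config.xml that tends to ship to production after someone "made the dev server work", followed by a hardened version. The hostname, the two pin digests and the resource name are placeholders.

```xml
<!-- AndroidManifest.xml: the <application> element points at the config.
     "network_security_config" is a placeholder resource name. -->
<application android:networkSecurityConfig="@xml/network_security_config" ... >

<!-- res/xml/network_security_config.xml (WEAK): re-enables cleartext HTTP
     for the whole app and trusts user-installed CAs in release builds, which
     is exactly what an attacker with a proxy and a planted CA needs. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

<!-- res/xml/network_security_config.xml (HARDENED) -->
<network-security-config>
    <!-- No cleartext anywhere. This is the default once targetSdk is 28,
         but stating it protects builds that still target older levels.
         Only the system CA store is trusted in production. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pin the backend: each pin is the base64 SHA-256 of the certificate's
         SubjectPublicKeyInfo. Always include a backup pin for the next key.
         Once the expiration date passes, pinning is silently no longer
         enforced (fail-open), so the date has to be tracked. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2019-08-17">
            <pin digest="SHA-256">PRIMARY_SPKI_SHA256_BASE64=</pin>
            <pin digest="SHA-256">BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>

    <!-- Honoured only when android:debuggable="true": testers can use a
         user-installed proxy CA without loosening the release build. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Two checks worth doing before trusting this file: confirm with an intercepting proxy that the release build really refuses the proxy's CA and cleartext, and remember that the configuration governs connections that go through the platform's TLS stack, so native code or a framework that brings its own TLS implementation does not see it.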
It’s been a busy week in the world of mobile security, so let’s get to it. Here are your highlights from this week:
- Avoid these top five mobile app security failures
- Apple iOS 12 Developer Beta 8 resolves some issues that arose in the previous version
- The Anubis trojan downloader infiltrates the Google Play Store
- DevSecOps presents a cultural change for federal agencies
- Mobile point-of-sale systems have become increasingly vulnerable to attack
- Developers need to be careful about how they use external storage
- AP investigation finds some Google apps improperly store location data
- Hundreds of hacked Instagram users desperately attempt to recover their accounts
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
Top 5 Mobile App Security Failures and How To Prevent Them
(Visual Studio App Center Blog)
“So we can better understand how to build secure code that will stop an attacker, let’s start with a quick view into the mobile attack surface from the point of view of an attacker. The mobile attack surface can be broken down into four areas: data at rest on the device, data in motion transmitted between the mobile app on device and backend, functionality within the mobile app code itself, and the backend APIs and endpoints the mobile app communicates with.”
“Now before you go on installing the iOS 12 Developer Beta 8 on one of your iOS 12 update-compatible devices, make sure that you are using a device that you don’t use on a daily basis and that the data there have been backed up, as the Beta updates are notoriously famous for harming the devices’ software.”
Anubis is Back: Are You Prepared?
“Anubis trojan targets more than 70 different banking applications, built for online banking with such banks as Santander, Natwest, RBS, and Citibank. On top of that, the malware also targets some non-banking applications, such as PayPal, eBay, and Amazon.”
“DevOps, a moniker that is a combination of development and operations, is now morphing into DevSecOps as organizations and security professionals rethink how they develop, manage, and secure applications. A primary goal of DevSecOps is to break down barriers and open collaboration between development, security, and operations organizations.”
NowSecure helps public-sector agencies and commercial businesses achieve mobile app DevSecOps with an automated test engine that plugs into the CI/CD pipeline and directly integrates with issue-tracking systems. See for yourself with a demo of our NowSecure AUTO on-demand and continuous mobile appsec testing solution.
“In a live demonstration, based off their work, Positive Technologies Cyber Security Resilience Lead Leigh-Anne Galloway and Senior Banking Security Expert Tim Yunusov showcased vulnerabilities in these systems that could allow cyber-criminals to conduct man-in-the-middle attacks, send random code through a Bluetooth connection or the system’s mobile application, modify payment values for transactions authorized with a magnetic stripe card, exploit internal firmware and conduct denial-of-service (DoS) or remote code execution (RCE) exploits.”
“The permissive nature of external storage dates back to when there wasn’t much room on actual devices, necessitating SD cards to make up the difference. Now, when developers use it irresponsibly, they expose their users to potential attack.”
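As an added illustration of the point in that excerpt (our own example, not code from the article it quotes), the Java below contrasts the risky pattern, an app that parks its own data on shared external storage and later reads it back as trusted input, with two safer alternatives: keeping the data in app-private internal storage, and, when a file genuinely has to live on external storage, verifying it against a digest obtained separately before using it. The file names and the SHA-256 source are assumptions for the example.

```java
import android.content.Context;
import android.os.Environment;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Example code for this digest, not from the quoted article.
public final class StorageHygiene {
    private StorageHygiene() {}

    // RISKY: the app writes its config (or a downloaded update) to shared
    // external storage and later reads it back as trusted input. Any app that
    // holds WRITE_EXTERNAL_STORAGE can replace the file in between, and every
    // app with READ_EXTERNAL_STORAGE can read whatever was written there.
    // getExternalFilesDir() is on the same shared volume, so it does not help.
    static File saveConfigOnExternalStorage(byte[] config) throws IOException {
        File dir = new File(Environment.getExternalStorageDirectory(), "myapp");
        dir.mkdirs();
        File f = new File(dir, "config.json");
        try (FileOutputStream out = new FileOutputStream(f)) {
            out.write(config);
        }
        return f;
    }

    // SAFER (1): keep sensitive data in internal storage. Files written with
    // MODE_PRIVATE under getFilesDir() belong to the app's own Linux uid and
    // are not reachable by other apps on an unrooted device.
    static File saveConfigPrivately(Context ctx, byte[] config) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput("config.json", Context.MODE_PRIVATE)) {
            out.write(config);
        }
        return new File(ctx.getFilesDir(), "config.json");
    }

    // SAFER (2): when something has to live on external storage (bulk media,
    // large downloads), treat it as untrusted input. Read it into memory once,
    // compare it with a digest that came from the server over TLS and was
    // stored internally, and use only the in-memory copy afterwards; opening
    // the file a second time after the check would reopen the swap window.
    static byte[] readVerified(File untrusted, byte[] expectedSha256) throws IOException {
        byte[] data = readAll(untrusted);
        byte[] actual = sha256(data);
        if (!MessageDigest.isEqual(expectedSha256, actual)) { // constant-time compare
            throw new SecurityException("external file failed integrity check: " + untrusted);
        }
        return data;
    }

    private static byte[] readAll(File f) throws IOException {
        try (InputStream in = new FileInputStream(f);
             ByteArrayOutputStream buf = new ByteArrayOutputStream()) {
            byte[] chunk = new byte[8192];
            int n;
            while ((n = in.read(chunk)) != -1) {
                buf.write(chunk, 0, n);
            }
            return buf.toByteArray();
        }
    }

    private static byte[] sha256(byte[] data) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e); // present on every Android release
        }
    }
}
```

Two caveats for reviewers: code (dex, .so, scripts) should never be loaded from external storage at all, verified or not, and the integrity check only helps if the expected digest itself was stored somewhere the attacker cannot write, such as internal storage or a value fetched over a pinned TLS connection.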
Storage is only one potential area of risk. Download our guide to discover more than 50 best practices for developing secure mobile apps.
“An Associated Press investigation found that many Google services on Android devices and iPhones store your location data even if you’ve used a privacy setting that says it will prevent Google from doing so. Computer-science researchers at Princeton confirmed these findings at the AP’s request.”
“Instagram hacks are not a new occurrence. With more than 1 billion users, the service has become a major target for hackers of all stripes. But it’s not clear if the company’s policies for dealing with these cases have scaled with the rest of the service.”
If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now.