Those of you who have endured a home renovation know it’s generally not a quick, easy process. There are blueprints to create, specialized crews to coordinate, and day-to-day decisions to make. Similarly, securing a DevOps workflow requires the right planning upfront before you start building. You can expect to encounter some discomfort and sacrifice along the way, but the resulting improvements make it worthwhile. Find out more about adopting a phased approach to securing your mobile DevOps workflow here.
Your highlights from the week are as follows:
- Facebook breach puts data of 50 million users at risk
- Apple iOS 12 boasts five new security and privacy features
- Mobile websites tap motion, light and proximity sensors without permission
- Beware of crypto-mining apps disguised as games, utilities or ed tools
- Phishers exploit Android mobile password managers and instant apps
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
“The vulnerability stemmed from Facebook’s ‘View As’ feature, which lets people see what their profiles look like to other people. Attackers exploited code associated with the feature that allowed them to steal ‘access tokens’ that could be used to take over people’s accounts.”
“While aesthetically not much has changed with this update, Apple really took the time to make security and privacy a priority in this new software, allowing users to use their devices knowing sensitive information is safe.”
Readying your apps for iOS 12? The new mobile OS is here. Get up to speed on the latest security enhancements and how they affect dynamic mobile appsec testing on jailed devices in our on-demand webinar.
“While Google doesn’t allow crypto-currency mining applications in Google Play, some developers have found a way to push such programs to the storefront: by hiding their true purpose. For more than a year, malicious crypto-mining has spiked globally, fueled by massive increases in crypto-currency prices, and mobile users weren’t spared either, especially those on Android, the more popular mobile operating system at the moment.”
“The researchers found that of the top 100,000 sites—as ranked by Amazon-owned analytics company Alexa—3,695 incorporate scripts that tap into one or more of these accessible mobile sensors. That includes plenty of big names, including Wayfair, Priceline.com, and Kayak.”
Phishing Attacks on Modern Android
Proceedings of the ACM Conference on Computer and Communications Security (CCS)
“This work explores how to abuse ‘modern’ features of Android to mount phishing attacks. We focus on two such modern features: Password Managers (PMs) for Android and Instant Apps. We show how to abuse them when taken individually and when combining them. This work also proposes a countermeasure and it wishes to inspire a community-wide effort that is required to tackle these problems.”