Those of you adept at penetration testing know it has traditionally been a blend of art and science. The practice is not only tricky and time consuming, but many companies also lack the in-house talent and tools to conduct pen tests of their mobile apps. And while outsourcing presents an alternative, that too takes a few weeks to complete and doesn’t scale with the ever-increasing velocity of software releases.
Enter technology. Today, automated mobile appsec testing tools conduct pen testing at DevOps speed and integrate directly into the CI/CD toolchain. Did you ever think it was possible to run complete dynamic and behavioral tests on your mobile apps in less than 15 minutes?
Your highlights for the week are as follows:
- Nearly 90% of analyzed Android apps harvest and share data
- Beware of some so-called security apps that may not be secure
- Apple rebuffs iPhone hacking tool popular with law enforcement
- Mobile malware stats can be scarier than the reality
- Android device makers are now required to issue regular security updates
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
“The researchers found that more than 88% of free apps on Google Play shared information with firms owned by Alphabet. Nearly 43% of apps shared data with Facebook, while significant percentages shared data with Twitter, Verizon, Microsoft and Amazon firms.”
“It’s a good reminder that not all security apps will make your online movements more secure – and, in some cases, they could be worse than doing nothing at all. It’s wise to do your due diligence before you download that ad-blocker or VPN.”
The researcher notes that leading Android mobile security apps such as antivirus, app lockers and ad-blocking tools have access to almost all the data stored on a mobile device. In some cases, that level of data collection is unnecessary. NowSecure mobile appsec testing solutions make it easy to scan the permissions an app requests in the Activities & Services finding, and also analyze behavioral events. As always, consider whether the requested permissions make sense for what the app claims to do.
“Multiple sources familiar with the GrayKey tech tell Forbes the device can no longer break the passcodes of any iPhone running iOS 12 or above. On those devices, GrayKey can only do what’s called a ‘partial extraction,’ sources from the forensic community said.”
“Every month, a security team at Google releases a new set of patches for Android — and every month, carriers and manufacturers struggle to get them installed on actual phones. It’s a complex, long-standing problem, but confidential contracts obtained by The Verge show many manufacturers now have explicit obligations about keeping their phones updated written into their contract with Google.”
What is mobile malware, really?
“The capacity for a breach via mobile malware exists, but it’s much more likely that an organization will suffer a data breach as a result of social engineering or network-focused attack. Stealing contacts is a concern; that’s why we saw contacts become one of the types of data that MDM can protect in iOS 11.3.”