Low- and no-code mobile app development tools provide drag-and-drop graphical user interfaces, forms and visual workflows to enable businesses to quickly build mobile apps with little to no coding. The downside of empowering new ranks of citizen developers is that security may not be looped into some of these initiatives.
Whether they are developed in-house or outsourced, all apps must be thoroughly tested for security, privacy and protection of sensitive data. Learn best practices for safely incorporating these app dev platforms into your organization in this blog.
Your highlights for the week are as follows:
- Google Play removes 22 malicious apps
- Beware of the security risks of third-party app stores
- Fitness tracking iOS apps scam payments
- GSA aims to blend mobility into DevSecOps
- End-to-end fuzzing finds bugs in WebRTC
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
22 apps with 2 million+ Google Play downloads had a malicious backdoor
Ars Technica
“Almost two dozen apps with more than 2 million downloads have been removed from the Google Play market after researchers found they contained a device-draining backdoor that allowed them to surreptitiously download files from an attacker-controlled server.”
Mobile device management platforms alone aren’t sufficient for protecting businesses from security, compliance and privacy risks of mobile apps. The NowSecure professional services team can help organizations identify mobile app security gaps through in-depth analysis of mobile apps installed on corporate and BYOD devices connected to the enterprise. Our analysis can cover anywhere from 100 to tens of thousands of apps.
What are the security risks of third-party app stores?
TechTarget
“Epic Games’ Fortnite can be installed via third-party app stores with the Fortnite Installer, unlike most apps, which are developed in major app stores. Learn about the security risks of apps that operate outside the Google Play Store and Apple’s App Store.”
Scam iOS apps promise fitness, steal money instead
We Live Security
“Multiple apps posing as fitness-tracking tools were caught misusing Apple’s Touch ID feature to steal money from iOS users. The dodgy payment mechanism used by the apps is activated while victims are scanning their fingerprint, seemingly for fitness-tracking purposes.”
GSA looking to bake mobility into its DevSecOps in 2019
Fedscoop
“GSA CIO David Shive said Tuesday that after exploring the productivity gains that could be achieved by giving employees work access through mobile devices, the agency will incorporate it in its DevSecOps process for future development.”
Project Zero: Adventures in Video Conferencing Part 1: The Wild World of WebRTC
Project Zero
“Chrome, Safari, Firefox, Facebook Messenger, Signal and many other mobile applications use WebRTC. WebRTC seemed like a good starting point for looking at video conferencing as it is heavily used, open source and reasonably well-documented.”