As organizations incorporate security into the dev pipeline, DevOps teams fear that mobile application security testing will slow them down and impede their progress. But done correctly, DevSecOps can help speed the release cycle.
Read this blog for actionable advice on choosing a mobile appsec testing tool that meets the needs of developers, operations and security teams alike, and for tips on integrating it directly into the CI/CD build.
This marks the final #MobSec5 issue of 2018 — #MobSec5 will go on hiatus for the next two weeks. Enjoy your holidays, and we’ll see you again in the new year on Friday, January 4, 2019.
Your highlights for the week are as follows:
- Location tracking industry grows more intrusive
- Android malware tricks users to steal PayPal funds
- Consumers are reluctant to adopt mobile payments
- Android Pie gains new cryptographic capabilities
- Mobile health app vulnerable to attack
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret
The New York Times
“‘Location information can reveal some of the most intimate details of a person’s life — whether you’ve visited a psychiatrist, whether you went to an A.A. meeting, who you might date,’ said Senator Ron Wyden, Democrat of Oregon, who has proposed bills to limit the collection and sale of such data, which are largely unregulated in the United States.”
To analyze the location tracking industry, the New York Times downloaded mobile apps and used several tools to examine data collection practices, including the Frida open-source dynamic instrumentation toolkit developed by NowSecure researchers.
“The malware isn’t just a run of the mill banking trojan, it smartly takes advantage of Google’s Accessibility Services, which are designed to help people with disabilities, to trick users into giving criminals some control of the phone.”
Disguised as a battery optimization tool, the malicious app is offered by third-party app stores but not by Google Play. NowSecure strongly advises against installing apps outside official app stores and recommends thoroughly vetting mobile apps as part of your enterprise risk management strategy.
Data: The reality of mobile payments
“News about fraud on payment cards and e-commerce is increasing confusion about the actual risks of using mobile payments, particularly among infrequent or occasional users of the technology, Simon-Kucher found in its survey.”
“The Android Keystore provides application developers with a set of cryptographic tools that are designed to secure their users’ data. Keystore moves the cryptographic primitives available in software libraries out of the Android OS and into secure hardware.”
Feds, Philips Warn of Security Flaw in HealthSuite mHealth App
“Philips and the Department of Homeland Security are alerting users of the Philips HealthSuite Health Android app that the mHealth app is not sufficiently encrypted and could be susceptible to hacking.”