Privacy is a hot-button issue today, so it’s understandable that parents and legislators are concerned about data being tracked in mobile apps for children.
A recent NowSecure analysis of 50 Android mobile apps marketed for use by young kids and their parents revealed potential compromise of personal information. Discover our findings on WebView, network, Inter-Component Communication and miscellaneous issues in this new blog post.
Your highlights for the week are as follows:
- Researcher executes remote jailbreak of iPhone X
- Insecure app leaves IoT camera vulnerable to MiTM attack
- Apple fixes FaceTime remote code execution bug
- Free Android VPN apps contain DNS leaks
- Government shutdown threatens cybersecurity
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
IPC Voucher UaF Remote Jailbreak Stage 2 (EN)
360 Core Security
“On the TianfuCup PWN Contest held in November last year, I demonstrated the remote jailbreak of the latest iOS system on iPhoneX. This article is about the Stage 2 of this exploit chain.”
IoT application vulnerabilities leave devices open to attack
“The Barracuda Labs team highlighted the threat of IoT credential compromise by showing that attackers could use vulnerabilities in the web applications and mobile applications used by certain IoT devices to acquire credentials, which can then be used to view the video feed, set/receive/delete alarms, remove saved video clips from cloud storage, and read account information.”
Researchers found that the mobile app that controls an unnamed Internet of Things camera ignored the validity of server certificates, leaving the device vulnerable to a man-in-the-middle attack. Developers should guard against MiTM attacks by properly implementing certificate pinning in their mobile apps. Find advice on how to code Android and iOS apps to use certificate pinning in this guide.
“According to Apple’s release notes about the security fixes, the FaceTime vulnerability could allow a remote attacker to ‘initiate a FaceTime call using arbitrary code execution.’ The bug affects iPhone 5s and later, iPad Air and later, and the sixth-generation iPod touch.”
Malware, User Privacy Failures Found in Top Free VPN Android Apps
“One in five apps from the top 150 free VPN Android apps in Google’s Play Store was flagged as a potential source of malware, while a quarter of them come with user privacy breaking bugs such as DNS leaks which expose user DNS queries to their ISPs.”
“Geopolitical adversaries such as North Korea, Russia, Iran and China rely on cyber as their most agile and dangerous weapon against the United States. These hostile nation-states salivate at the idea of a prolonged government shutdown.”