In the course of performing Android application security testing, I suspected that a library called libpac might be vulnerable to exploitation. This vulnerability has been assigned CVE-2019-2205. Google deployed a fix, and we recommend all users apply it to secure their devices against exploitation.
While corporations widely recognize the convenience and productivity enhancements that mobile applications deliver to their customers and employees, too few realize that mobile apps can also present significant security and privacy risks. It’s not difficult to find examples of mobile app data breaches that resulted in severe consequences, both financial and reputational. Given that smartphone apps account for 63% of total digital minutes, according to the Comscore “2019 Global State of Mobile” report, it stands to reason that attackers are going where the traffic is.
NFL teams have redesigned their mobile apps to enhance the fan experience, both in stadiums and at home. Fans can turn to their smartphones for digital ticketing, live video streaming, in-seat concession ordering, contest participation and cutting-edge features like augmented reality. However, a NowSecure analysis shows most of these apps have privacy risks, especially on iOS.
The NowSecure team is gearing up for an incredible week at Black Hat USA 2019 in Las Vegas. We’re excited to join the 22nd annual top security event to connect on all things mobile app security research, development, tools and trends.
To help you build your agenda and make the most of your time at the conference, we’ve selected several key Black Hat briefings that focus on mobile device security, enterprise mobile appsec, DevSecOps and reverse engineering. We look forward to connecting many of you with our mobile application security experts at the conference through prebooked meetings and visits to Booth #674.
Let’s examine how Android apps written in Kotlin can render security by obscurity ineffective. Kotlin is a statically typed, general-purpose language designed to interoperate fully with Java and the Java Virtual Machine. Android added official Kotlin support in 2017, and Google now recommends it as the preferred language for Android app development. Kotlin Android apps offer a great example of why static analysis of compiled binaries catches what static analysis of source code misses: the compiler emits artifacts that never appear in the source.
Mobile app developers often use deep links to improve the user experience and engagement by helping users navigate from the web to their app. However, our security testing has found an easily exploitable vulnerability when deep links are used as an authorization mechanism: any installed app can register the same custom URL scheme and intercept the link, along with whatever token or session data it carries. This post explains how this vulnerability can be exploited and how to safeguard your app by using the more secure form of deep links, Android App Links.
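The manifest change behind that recommendation, as an added example and not code from the original post or from NowSecure: the first activity declaration claims a custom `myapp://` scheme that any other installed app can also claim, while the second declares a verified App Link. The package name `com.example.app`, the host `example.com`, the `/auth` path and the certificate fingerprint placeholder are all assumptions for illustration.

```xml
<!-- AndroidManifest.xml (added example; package, host and fingerprint are placeholders) -->

<!-- WEAK: custom scheme. Android lets any installed app declare this same
     intent-filter, so a link such as myapp://auth?token=... may be routed to an
     attacker's app, which then receives the token. The URL alone proves nothing
     about who sent it or who will receive it. -->
<activity android:name=".AuthCallbackActivity" android:exported="true">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="myapp" android:host="auth" />
    </intent-filter>
</activity>

<!-- HARDENED: Android App Link. With autoVerify, the system fetches
     https://example.com/.well-known/assetlinks.json when the app is installed
     and routes these https URLs to this app only if that file lists this
     package name and the SHA-256 fingerprint of its signing certificate.
     Another app cannot pass verification for a domain it does not control. -->
<activity android:name=".AuthCallbackActivity" android:exported="true">
    <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="https"
              android:host="example.com"
              android:pathPrefix="/auth" />
    </intent-filter>
</activity>

<!-- Served at https://example.com/.well-known/assetlinks.json
     (Content-Type: application/json, no redirects). The fingerprint is the
     SHA-256 of the app's signing certificate, colon-separated hex:

[{
  "relation": ["delegate_permission/common.handle_all_urls"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.example.app",
    "sha256_cert_fingerprints": ["AA:BB:CC:...:placeholder-replace-with-real-fingerprint"]
  }
}]
-->
```

Two practitioner checks: on Android 12 and later, `adb shell pm get-app-links com.example.app` reports whether each host verified, and a failed verification (unreachable assetlinks.json, wrong fingerprint, or a release key that differs from the debug key) silently leaves the link unclaimed. And App Links only guarantee delivery to the right app; the activity that receives the URL must still treat any token in it as untrusted input and validate it against the server rather than accepting its presence as proof of identity.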