What a week! We’ve gathered gobs of great reading material for your perusal this weekend.
This week’s digest of mobile security news includes:
- Slaughtering Dirty COW in Android
- Devs, get yer ATS in gear!
- Not a lot of Nougat
Thanks for reading. Have a great weekend, be good, and stay safe.
Android Security Bulletin—December 2016
(Android Open Source Project)
“The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Alongside the bulletin, we have released a security update to Google devices through an over-the-air (OTA) update.”
This bulletin includes an Android patch for the Dirty COW vulnerability (CVE-2016-5195), a race condition in the Linux kernel's copy-on-write handling that lets an unprivileged local process, an ordinary app included, write to files it can only read (a setuid binary, for instance) and so escalate to root. Great news for owners of Pixel and Nexus devices, but what about everybody else? Because the fix lives in the kernel, there's no telling how long it might take to filter through OEM and carrier update pipelines to devices manufactured by other vendors; `adb shell getprop ro.build.version.security_patch` tells you whether a given device has reached a December 2016 patch level. In a blog post, Mobile Security Analyst Sergi Àlvarez i Capilla explains the update and the dangers of Dirty COW and also demonstrates in a video that the vulnerability can be exploited on a stock, unrooted device: no root is needed to start, which is exactly what makes the bug dangerous.
“All mobile devices — smartphones, tablets, wearable tech — are targets, but Android, the phone OS reportedly used by the president-elect, has some serious security issues, mainly those allowing for ‘escalation of privilege’ attacks.”
“The last distribution numbers for 2016 are in and show slow growth for 7.0 Nougat, but a big boost that makes Marshmallow the most commonly used version of Android.”
“Application developers for Apple’s iOS platform are running against an end-of-the-year deadline to encrypt all communications to and from iOS apps using the platform’s encryption standard, known as App Transport Security or ATS.”
During a panel discussion in August about 2016 trends in Android and iOS security, Director of Research David Weinstein reported that 80 percent of the top 50 free iOS apps he analyzed opted out of App Transport Security (ATS) outright by setting the NSAllowsArbitraryLoads key in their Info.plist. The January 1, 2017 ATS deadline is Apple’s attempt to enforce a minimum level of transport security between iOS apps and back-end services: HTTPS by default, with TLS 1.2 and forward-secret cipher suites, and any exception scoped to named hosts under NSExceptionDomains rather than switched off globally. We consider implementing ATS a secure mobile development best practice. Apple will allow exceptions with justification; MoPub, a hosted mobile ad-serving provider owned by Twitter, reads Apple’s ATS documentation as accepting “loading web content from a variety of sources (for ads)” as one such justification.
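As an added example (not code from NowSecure, Apple or the original post), here is the kind of audit Weinstein’s analysis implies: it parses an app’s Info.plist with Python’s standard-library plistlib, flags the global NSAllowsArbitraryLoads opt-out, and separates it from the scoped forms Apple’s ATS keys allow (per-host NSExceptionDomains entries, and the iOS 10 NSAllowsArbitraryLoadsInWebContent key that an ad-content case like MoPub’s would use). The three Info.plist documents, the bundle identifiers and the hostnames are constructed samples, not taken from any real app.

```python
# Added example (not NowSecure's or Apple's code): audit Info.plist files for
# App Transport Security opt-outs with the standard-library plistlib.
import plistlib

# Constructed sample: the global opt-out the text says 80% of sampled apps used.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.weakapp</string>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>
"""

# Constructed sample: ATS stays on; exceptions are scoped to named hosts and
# ad web views use the iOS 10 web-content key instead of a global opt-out.
SCOPED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.scopedapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><false/>
      </dict>
      <key>api.example.com</key>
      <dict><key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string></dict>
    </dict>
  </dict>
</dict></plist>
"""

# Constructed sample: no NSAppTransportSecurity key at all, so ATS defaults apply.
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.cleanapp</string>
</dict></plist>
"""


def audit_ats(plist_bytes):
    """Return (severity, findings) for one Info.plist.

    severity: "high"   if ATS is disabled for every connection,
              "medium" if only scoped exceptions weaken it,
              "none"   if ATS defaults are fully in force.
    """
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []

    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads: ATS disabled for all connections")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent: web views may load plain HTTP")
    if ats.get("NSAllowsArbitraryLoadsForMedia"):
        findings.append("NSAllowsArbitraryLoadsForMedia: media loads may use plain HTTP")

    # A host listed here gets its own rules even when the global flag is set,
    # so the per-domain entries are inspected regardless.
    for domain, rules in sorted(ats.get("NSExceptionDomains", {}).items()):
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            scope = "and subdomains" if rules.get("NSIncludesSubdomains") else "exact host only"
            findings.append(f"{domain} ({scope}): plain HTTP allowed")
        min_tls = rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2")
        # Values look like "TLSv1.0"; anything below 1.2 weakens the ATS default.
        if tuple(int(x) for x in min_tls[4:].split(".")) < (1, 2):
            findings.append(f"{domain}: minimum TLS lowered to {min_tls}")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy not required")

    if ats.get("NSAllowsArbitraryLoads"):
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "none"
    return severity, findings


def global_opt_out_rate(plists):
    """Fraction of the given Info.plists that switch ATS off globally."""
    hits = sum(1 for p in plists if audit_ats(p)[0] == "high")
    return hits / len(plists)


if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PLIST), ("scoped", SCOPED_PLIST), ("clean", CLEAN_PLIST)):
        severity, findings = audit_ats(blob)
        print(f"{name}: {severity}")
        for finding in findings:
            print("  -", finding)
```

Point it at the Info.plist files pulled from a set of app bundles and `global_opt_out_rate` gives the same kind of figure the panel reported; the “medium” findings are the ones worth a conversation with the developer, since a scoped exception for one legacy host is a very different risk from a blanket opt-out.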
Corporations Cite Reputational Damage As Biggest Cyber Risk
“New data analyzing SEC disclosures found 83% of publicly traded companies worry most about the risk of brand damage via hacks exposing customer or employee information. Public businesses fear the possibility of losing customers’ or employees’ personally identifiable information (PII) and the subsequent brand-damage fallout more so than other risks.”
Mobile devices and apps collect massive amounts of personally identifiable information (PII) and metadata that reveal an incredible level of detail about customers’ and employees’ personal and work lives. And we know for a fact that mobile apps are a point of leakage — see for yourself in the 2016 NowSecure Global Security Report. The data trickling out of apps contributes to the risk of a data breach or security incident. Enterprises looking to reduce brand and regulatory risk and avoid financial loss and recovery costs need to train their developers on secure mobile development best practices, perform security assessments on the apps they develop for customer and internal use, and get visibility into the risk profiles of the apps used by their workforce.
“The Commission’s report makes clear that cybersecurity is one of the greatest challenges we face as a nation.”
Late last week the Commission on Enhancing National Cybersecurity provided President-elect Donald Trump 90-some pages, six imperatives, 16 recommendations, and 53 action items on how to strengthen cybersecurity in the public and private sectors. In an article elaborating on the report, commission member Dr. Herb Lin writes that by recommending the consideration of liability relief in some circumstances, the report implies that manufacturer liability for attacks involving IT products, Internet-of-Things (IoT) devices for example, is coming.
Researchers Find Fresh Fodder for IoT Attack Cannons
(Krebs on Security)
“Researchers in Austria have unearthed a pair of backdoor accounts in more than 80 different IP camera models made by Sony Corp. Separately, Israeli security experts have discovered trivially exploitable weaknesses in nearly a half-million white-labeled IP camera models that are not currently sought out by Mirai.”
“Tricking people into downloading malicious mobile apps is a con as old as time itself (or at least as old as smartphones). Don’t fall for it.”
Two-Year Google Study Validates 2SV Security Keys
(Mobile ID World)
“The kinds of second-factor security keys for which the FIDO Alliance advocates are valuable tools for securing user devices, suggests a new report from Google.”
The study compared the ease of use, security, and support costs of hardware security keys, phone-based one-time password (OTP) generators, and two-step verification over SMS as second factors for authentication. The researchers concluded that “Security Keys provide the strongest security with the best mix of usability and deployability.”
“Hacks of phone-based fingerprint readers and facial recognition software underscore the need for multifactor identification.”
“Your trusted contacts will be able to see your activity status — whether you’ve moved around recently and are online — to quickly know if you’re OK.”
“EFF is dismayed by the cavalier attitude by law enforcement over warrantless searches of trillions of phone records and its refusal to turn over documents.”