NowSecure #MobSec5 - Week of Dec. 4

“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.”

“Google patched a critical encryption bug found on its Pixel, Pixel 2 and Nexus phones this week along with delivering 49 other fixes, part of its December Pixel / Nexus Security Bulletin.”

“Researchers have discovered a flaw in a commonly-used security mechanism that allows an attacker to steal login information. This left many popular banking apps vulnerable.”

A research paper published this week identified 8 public mobile apps that were vulnerable to man-in-the-middle (MITM) vulnerabilities as a result of failing to pin certificates properly and verify certificate hostnames. Unfortunately, some reporting on the subject has suggested that the paper exposes flaws in certificate pinning itself, which is fundamentally wrong. Certificate pinning is one of the best ways to protect mobile apps and their users from MITM attacks — the reported flaw is in the implementation of certificate pinning rather than the use of certificate pinning itself as a core mobile app security strategy. Fortunately for NowSecure customers, we’ve long known of this vulnerability and automated checks for the flaw have been a part of the NowSecure Platform for years. Read our blog post to learn more about the issue and compare your pinning practices with our recommendations.

“A Google researcher announced that he is planning to release a powerful tool for iOS 11 that the security community thinks it can use to jailbreak the iPhone.”

“A critical vulnerability has been discovered in all major Android Development and reverse engineering tools that leads to remote code execution attack.”

“The vulnerability, dubbed Janus, would allow a malicious application to add bytes of code to the APK or DEX formats used by Android applications without affecting the application’s signature. In other words, a scumbag could pack an app with malicious instructions, and still have it read by Android as a trusted piece of software.”

“Google beefs up privacy protections on apps distributed via third-party Android marketplaces and Google Play that collect personal data without user consent.”

“31 Million Client Registration Files Leaked by Personalized Keyboard Developer.”

“Samsung might be developing a bizarre security feature that can read your palm and give you a hint for what your password is in case you don’t remember it.”

“Remotely Cracking Bluetooth Enabled Gun Safes: In this blog post, we will detail BlueSteal, or the ability to exploit multiple security failures in the Vaultek VT20i.”

“Three years ago, we said the Echo was ‘the most innovative device Amazon’s made in years.’ That’s still true. But you shouldn’t buy one. You shouldn’t buy one for your family. You definitely should not buy one for your friends. In fact, ignore any praise we’ve ever heaped onto smart speakers and voice-controlled assistants.”