NowSecure #MobSec5 - Week of June 11th

“A single person or group may have made as much as $90,000 over 10 months by spreading 17 malicious images that were downloaded more than 5 million times from Docker Hub, researchers said Wednesday. The repository finally removed the submissions in May, more than eight months after receiving the first complaint.”

It’s appalling to see 5 million additional exposures to malicious activity after yet another months-long delayed response to issues repeatedly reported by the users. For names of the 17 malicious images, scroll to mid-point of Kromtech’s original article.   

“If you’ve loaded any apps onto your Amazon Fire TV or Fire TV Stick that let you watch pirated movies and TV shows, you could be at risk from a cryptocurrency-mining Android virus.”

“If ever there were a case for rejecting requested device permissions, it’s made by an Android app with more than 10 million downloads from Google Play. The official app for the Spanish soccer league La Liga was recently updated to seek access to users’ microphone and GPS settings. When granted, the app processes audio snippets in an attempt to identify public venues that broadcast soccer games without a license.”

“Before creating this article I did the best I could to apply The General Data Protection Regulation (GDPR) to my products. I created granular consent, age consent, an option to delete all user data, a clear and explicit explanation of what data was being used, I removed libraries and changed features to adhere to GDPR. After creating this article my strategy has changed and I think yours might too. Below I take a look at the UK’s top downloaded apps in April 2018 and see how they handle GDPR.”

“Apple is trying to make it harder for developers to abuse users’ information collected through apps. According to a report from Bloomberg, Apple updated its App Store Review Guidelines last week with more detailed rules on what developers can do with users’ Contacts address book information. Now, developers cannot make databases using address book information collected from iPhone users, nor can they share or sell such databases to third parties.”

“This vulnerability allows local attackers to escalate privileges on vulnerable installations of Samsung Notes. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of ZIP files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the application.”

“Back in April, I detailed four things that Android does better than the iPhone when it comes to notifications. With iOS 12, Apple has taken care of three of them. Notifications can be grouped, it’s easier to make them silently appear, and, most importantly, you can directly manage settings from the notification itself. Android P still claims to do a better job of prioritizing notifications, but three out of four isn’t bad.”

“At Mozilla, we closely track threats to users’ privacy and security. This is why we’ve added tracking protection to Firefox and created the Facebook container extension. In today’s cartoon intro, …”