NowSecure #MobSec5 - Week of May 14th

“In the ZipperDown scenario, the attacker and mobile app needs to be on the same wifi network or an attacker must be able to influence upstream network resources, i.e., a man-in-the-middle (MITM) attack.”

“A phishing scam fooled victims by claiming to be Apple and scooping up personal details – including financial information and Apple account information.”

It’s not surprising to see bad actors taking advantage of the hype around the GDPR deadline next week. Hopefully, your organization has been taking incremental steps to prepare. Here are 12 use cases for mobile app owners as you continue to navigate GDPR.

“On May 16th, I found a vulnerability in the LocationSmart website which allowed anyone, with no prior authentication or consent, to obtain the realtime location of any cellphone in the US to within a few hundred feet. I immediately moved to contact US CERT to coordinate disclosure, and worked with Brian Krebs to publish the story after the vulnerability was fixed this morning (May 17th).”

“GDPR will impact the availability of WHOIS data, which often serves as a trail of breadcrumbs that leads security researchers to someone obtaining domains to launch global campaigns involving spam, malware and botnets.”

“The changes, which go into effect August 16th, do two main things: first, they prevent new tweets from streaming into an app in real time; and second, they prevent and delay some push notifications. Neither of these are going to break Twitter apps completely, but they could be very annoying depending on how and where you use it.”

“The service, called GeoLoc, ‘provides the approximate location of the cellular device being called at both the beginning and the end of the call,’ the Securus marketing material states.”

“WebViews are a crucial part of many mobile applications and there are some security aspects that need to be taken into account when using them. File access is one of those aspects. For the implementation of some checks in our security tool Droidstatx, I’ve spent some time understanding all the details and noticed that not all attack vectors are very clear, specially in their requirements.”

“Facebook’s CEO Mark Zuckerberg has agreed to come to the European Parliament, according to the parliament’s top official.”