Your highlights from the mobile app security world this week including: NowSecure experts weigh in on
May 19 · Issue #104
Your highlights from the mobile app security world this week including:
- NowSecure experts weigh in on ZipperDown vulnerability
- Twitter’s new access system creates limits for 3rd party Twitter apps
- Cell location service used by law enforcement breached
- Phishing scam poses as proactive GDPR security measure
- Technical details released for LocationSmart vulnerability
- Zuckerberg to meet with European Parliament as GDPR hits
- And More!
Thanks for reading. Have a great weekend, be good, and stay safe.
Adventures in Remote Code Execution and Zip File Vulns — from Samsung and Vungle to ZipperDown | NowSecure
“In the ZipperDown scenario, the attacker and mobile app needs to be on the same wifi network or an attacker must be able to influence upstream network resources, i.e., a man-in-the-middle (MITM) attack.” Zip file download vulns are a fairly typical development error and have been around for some time. In this blog, the NowSecure team provides an overview of the ZipperDown vuln reported this week, including recommendations to best secure your mobile apps against these types of issues.
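The development error behind this class of zip download vulns is extracting archive entries without validating their names, so an entry such as `../../x` lands outside the intended directory. The following is an added example, not code from NowSecure or from the blog post, showing a safe extraction routine in Python that rejects traversal and absolute-path entries both by name and by a second filesystem-level check. The archive it unpacks is constructed inline; the function names `is_safe_member`, `safe_extract`, `build_sample_zip` and `demo` are this example's own.

```python
import io
import posixpath
import tempfile
import zipfile
from pathlib import Path


def is_safe_member(name: str) -> bool:
    """Name-level check: reject absolute paths, drive letters and any '..' component."""
    if not name or name.startswith(("/", "\\")):
        return False
    if len(name) > 1 and name[1] == ":":  # e.g. C:\... on Windows
        return False
    norm = posixpath.normpath(name.replace("\\", "/"))
    return ".." not in norm.split("/") and not norm.startswith("/")


def safe_extract(zip_bytes: bytes, dest_dir: str):
    """Extract only entries that stay inside dest_dir.

    Returns (extracted_names, rejected_names) so callers can log what was dropped.
    """
    dest = Path(dest_dir).resolve()
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not is_safe_member(name):
                rejected.append(name)
                continue
            # Second, independent check on the resolved destination path:
            # it must be dest itself or a descendant of dest.
            target = (dest / name).resolve()
            if target != dest and dest not in target.parents:
                rejected.append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_sample_zip() -> bytes:
    """Constructed test archive: one benign entry and two hostile entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/ok.txt", "benign content")
        zf.writestr("../../escape.txt", "would land outside the destination")
        zf.writestr("/etc/abs.txt", "absolute path entry")
    return buf.getvalue()


def demo():
    """Unpack the constructed archive into a temp dir and report the outcome."""
    with tempfile.TemporaryDirectory() as d:
        return safe_extract(build_sample_zip(), d)


if __name__ == "__main__":
    ok, bad = demo()
    print("extracted:", ok)
    print("rejected:", bad)
```

The name-level check alone would catch the entries in this sample, but the resolved-path check is kept as a second line of defence so that a symlinked or oddly normalised destination cannot reintroduce the escape; the same two-step pattern applies to Android's `ZipInputStream` or iOS unzip libraries.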
GDPR Phishing Scam Targets Apple Accounts, Financial Data | Threatpost
“A phishing scam fooled victims by claiming to be Apple and scooping up personal details – including financial information and Apple account information.”
It’s not surprising to see bad actors taking advantage of the hype around the GDPR deadline next week. Hopefully, your organization has been taking incremental steps to prepare. Here are 12 use cases for mobile app owners as you continue to navigate GDPR.
LocationSmart API Vulnerability | Robert Xiao
“On May 16th, I found a vulnerability in the LocationSmart website which allowed anyone, with no prior authentication or consent, to obtain the realtime location of any cellphone in the US to within a few hundred feet. I immediately moved to contact US CERT to coordinate disclosure, and worked with Brian Krebs to publish the story after the vulnerability was fixed this morning (May 17th).”
Deleted WHOIS Data: An Unintended Consequence of GDPR | SecurityWeek.Com
“GDPR will impact the availability of WHOIS data, which often serves as a trail of breadcrumbs that leads security researchers to someone obtaining domains to launch global campaigns involving spam, malware and botnets.”
Twitter is going to make third-party apps worse starting in August | The Verge
“The changes, which go into effect August 16th, do two main things: first, they prevent new tweets from streaming into an app in real time; and second, they prevent and delay some push notifications. Neither of these are going to break Twitter apps completely, but they could be very annoying depending on how and where you use it.”
Company used by police, prisons to find any mobile device breached (again) | Ars Technica
“The service, called GeoLoc, ‘provides the approximate location of the cellular device being called at both the beginning and the end of the call,’ the Securus marketing material states.”
Reviewing Android Webviews fileAccess attack vectors | INTEGRITY Labs
“WebViews are a crucial part of many mobile applications and there are some security aspects that need to be taken into account when using them. File access is one of those aspects. For the implementation of some checks in our security tool Droidstatx, I’ve spent some time understanding all the details and noticed that not all attack vectors are very clear, specially in their requirements.”
Facebook's Mark Zuckerberg to face members of European Parliament | CNN
“Facebook’s CEO Mark Zuckerberg has agreed to come to the European Parliament, according to the parliament’s top official.” It’s best to keep your organization out of the hot seat when it comes to end user privacy. NowSecure includes regulatory details for findings, including GDPR and the section to be reviewed, to help keep everyone on track with compliance.