NowSecure #MobSec5 - Week of November 6

“The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2017-11-06 or later address all of these issues.”

A highlight of this month’s Android security update is patches for the KRACK Wi-Fi vulnerabilities included in the 2017-11-06 patch level. Exploiting the KRACK vulnerabilities on an Android device would allow an attacker to execute man-in-the-middle attacks and intercept and decrypt data transmitted by a vulnerable device over Wi-Fi.

“Apple today released iOS 11.1.1, the sixth official update to the iOS 11 operating system.”

Apple released iOS 11.1.1 on Thursday. Just a day later Keen Lab Researcher Liang Chen allegedly demonstrated a successful iOS 11.1.1 jailbreak on the iPhone X at Korean security and hacking conference POC2017 (YouTube video). Apple’s iOS 11.1.1 security bulletin doesn’t appear to include any security content but does fix an autocorrect bug that annoyed some users.

“Up to 180 million smart phone owners are at risk of having some of their text messages and calls intercepted by hackers because of a simple coding error in at least 685 mobile apps.”

Developers of a combined 685 apps on the Apple App Store and Google Play store hardcoded their Twilio API credentials in their apps. Twilio is a cloud service that allows developers to embed real-time communications functionality within their apps. This was not a vulnerability in Twilio, but a result of poor coding practices and developers’ failure to follow Twilio documentation. Attackers could simply search out apps that use Twilio, search for the string “twilio”, and, in vulnerable apps, find the developer’s username and password. From there, the attacker could log-in to the developer’s account and access app-user data that might include sensitive communications about contract negotiations, proprietary technology discussions, and more. If you’re concerned about 3rd-party mobile app risk, this week we announced an extension of the NowSecure Platform™ to provide the world’s most advanced 3rd-party mobile app security vetting – NowSecure INTEL™. For a limited time until November 30, we’re offering qualifying organizations one free NowSecure INTEL security report for one Apple App Store or Google Play store app of their choice – request your report now.

“Security’s efforts to bridge the talent gap mean little when workers don’t want to stay in the industry.”

In a survey of 300 security professionals, a mere third reported feeling professionally challenged in their role. “There’s so much in processes that is so mundane to do hours and hours on end, day after day, especially things that could be automated by now,” the social scientist in charge of the survey said. “You could see how that leads to burnout.” Are you an app security manager concerned about losing good team members overwhelmed with mundane mobile app security testing chores? Or, are you a security professional looking to automate monotonous mobile app security testing tasks so you have more time for more interesting work? NowSecure Workstation can help. NowSecure Workstation is a mobile app penetration testing kit that our customers use to automate the tedious aspects of mobile app security testing so they can test mobile apps 8X faster and 3X deeper. Contact us to learn more.

“The newest form of Marcher pairs credential and credit card phishing with banking Trojans into one scheme, targeting Android users who are also customers of large Austrian banks.”

“A new Android malware has been uncovered that uses an updated methodology to abuse the previously patched Toast overlay vulnerability found in the Android operating system that once installed can download additional malware in addition to using various permissions to access the phone.”

“On Oct. 6, the first version of the Android edition of Ragebooter was put on sale at Google’s Play Store.”

“With its latest iOS app update released last week, Tesla quietly added Siri integration to its mobile app bringing access to the app’s controls with voice commands via Apple’s AI assistant.”

“Indeed, it appears Apple’s offer of expedition and its proactive approach were an attempt to avoid another protracted and costly legal battle with the feds after the San Bernardino debacle, in which investigators were criticized for failing to take swifter action on retrieving information from the terrorist’s device.”

“Officials said…it would be inconceivable for Trump’s device to ever reach a Chinese network.”