Modern mobile device users often have their devices tightly integrated into daily life. From banking apps to social media feeds, these applications are high visibility targets for hackers and thieves looking to exploit weaknesses or hijack vulnerabilities. By ramping up mobile app security, vendors ensure the safety and security of their users and their infrastructure.
Recent mobile attacks and vulnerabilities
The latest high-profile mobile threat is the Broadpwn attack. This threat targets the Broadcom chipset used in many popular mobile devices. Broadpwn takes advantage of low-level communications combined with flaws in the Android platform, allowing a malicious payload to travel from one phone to the next virtually undetected. Fuzz testing tools are an ideal method of detecting this type of flaw.
Posted in Mobile App Security | 3 tips to ramp up your mobile application security
There’s been a fair share of attention paid to the security inside the connected car. There’s also been a significant uptick in new devices and apps that communicate with the vehicle from afar. These devices and apps use traditional means of communication (e.g., Bluetooth, Wi-Fi, etc.). They also make some very common software mistakes, such as lacking proper authentication of users and commands, potentially putting the end user at risk of both physical harm and data loss.
Posted in Automotive Cyber Security, Mobile App Security | Automotive security goes beyond the car
Smartphone, tablet, and other hand-held device sales have skyrocketed in recent years. It’s now critical for businesses to provide a mobile option or experience to customers. Additionally, many companies are even created for the sole purpose of making services and entertainment available at their customers’ fingertips—literally.
Posted in Mobile App Security, Security Training & Awareness | Here are the top 10 best practices for securing Android apps
Stealing credentials from locked machines shouldn’t work. And yet, it does. The main reason for this is that the operating system automatically loads device drivers if it has access to them. This is true even when a machine is locked. In the case of USB Ethernet adapters, the drivers ship with every major operating system (e.g., Windows, Mac OS X, Linux).
Posted in Mobile App Security | Stealing authentication tokens from locked machines with a mobile phone
HTTP is a plaintext protocol. As such, it creates inherent security and privacy concerns when used by applications. Apple, for instance, has (finally) decided to start treating the secure alternative, HTTPS, as the de facto Web protocol for iOS mobile apps. At WWDC16, Apple pointed out that enabling HTTPS doesn’t necessarily mean that you’re secure. There are many ways in which HTTPS can be improperly configured, resulting in the use of insecure connections.
Posted in Mobile App Security | Brace yourselves: Application transport security is coming
More than a decade’s worth of good deeds were recently memorialized with Microsoft’s announcement that Michael Howard and Steve Lipner’s book The Security Development Lifecycle (PDF) is now available for free online. What a great contribution by Michael, Steve, and Microsoft to the community; and cheers to the continued growth of software and application security as a discipline!
Posted in IoT Security, Mobile App Security | The timeless truth of software security fundamentals
What is the difference between “application security” and “software security”? We examine the question and explain when to use each discipline.
Posted in Mobile App Security, Web Application Security | Application security vs. software security: What’s the difference?
While researching certificate pinning, I stumbled upon a ‘generic’ implementation flaw allowing remote attackers to bypass the protection that certificate pinning can offer to an application.
If your Java or Android application uses the checkServerTrusted() or getPeerCertificates() APIs to implement certificate pinning, there is a very good chance that your pinning implementation is completely ineffective.
Posted in Mobile App Security | An examination of ineffective certificate pinning implementations
It would appear that Apple’s security strategy to protect user data is so effective that even the FBI can’t decrypt an iPhone in the midst of a terror attack investigation. The ruling came down yesterday from the federal magistrate, ordering Apple to help the FBI unlock the iPhone used by San Bernardino shooter, Syed Farook. Investigators believe unlocking the phone will lead them to more clues as to why Farook, along with his wife, killed 14 people and injured dozens at a holiday party in December of last year.
Apple’s not giving in so easily. But why?
In a statement released yesterday, Apple CEO Tim Cook made it clear that he has no intention of complying with the order. Within the statement, Cook writes that Apple doesn’t have a solution readily available, and that building the backdoor to the iPhone, as demanded by authorities, is “too dangerous to create.”
Posted in Mobile App Security | In the name of data security, Apple is fighting back
Optimizing your mobile app security metrics will reveal the impact your SSG has on the security of your mobile applications, and where you can improve.
Posted in Mobile App Security | What story do your mobile app security metrics tell?