Software Integrity Blog

Archive for the 'Mobile Application Security' Category


The timeless truth of software security fundamentals

More than a decade’s worth of good deeds were recently memorialized with Microsoft’s announcement that Michael Howard and Steve Lipner’s book The Security Development Lifecycle is now available for free online. What a great contribution by Michael, Steve, and by Microsoft to the community; and cheers to the continued growth of software and application security as a discipline! […]

Posted in Internet of Things, Mobile Application Security

FCC to investigate SS7 mobile phone vulnerabilities

On Wednesday, the Federal Communications Commission (FCC) announced it would investigate cellular carriers' use of legacy mobile phone technology that is vulnerable to attack. The global mobile network known as Signaling System No. 7 or SS7 is known to be vulnerable to remote attacks that allow others to eavesdrop on phone calls anywhere in the […]

Posted in Mobile Application Security

Application security vs. software security: What’s the difference?

What is the difference between “application security” and “software security”? We examine the question and explain when to use each discipline. The terms “application security” and “software security” are often used interchangeably. However, there is in fact a difference between the two. Information security pioneer Gary McGraw maintains that application security is a reactive approach, taking place […]

Posted in Mobile Application Security, Web Application Security

Apple iMessage vulnerability patched in iOS 9.3

Communications via Apple’s popular iMessage are vulnerable to a software flaw that could allow attackers to decrypt a photo stored on the company’s iCloud backup system, according to Matthew D. Green, a computer science professor at Johns Hopkins University. Green led the research team that found the bug in Apple’s encryption that would enable an […]

Posted in Mobile Application Security

An examination of ineffective certificate pinning implementations

While researching certificate pinning, I stumbled upon a ‘generic’ implementation flaw allowing remote attackers to bypass the protection that certificate pinning can offer to an application. Summary: If your Java or Android application uses the checkServerTrusted() or getPeerCertificates() APIs to implement certificate pinning, there is a very good chance that your pinning implementation is completely […]

Posted in Mobile Application Security

In the name of data security, Apple is fighting back

It would appear that Apple’s security strategy to protect user data is so effective that even the FBI can’t decrypt an iPhone in the midst of a terror attack investigation. The ruling came down yesterday from the federal magistrate, ordering Apple to help the FBI unlock the iPhone used by San Bernardino shooter, Syed Farook. […]

Posted in Mobile Application Security

What story do your mobile metrics tell?

As people become more reliant on their smartphones, mobile applications become an important focus for many organizations. There are many articles about adapting your software security group (SSG) to handle the new risks posed by new technology. But, are you confident that you are tracking your organization’s progress and performance effectively? What story do your […]

Posted in Mobile Application Security, Software Security Initiative (SSI)

How to mitigate your third-party mobile keyboard risk

What is the best form of cyber security defense? Well, as I always maintain, it’s user awareness! The implementation of a comprehensive user awareness policy carries a lot of weight and, when abided by, effectively complements the many technological solutions available. Mobile devices are used regularly within enterprise operations, and by nearly all consumers. The […]

Posted in Mobile Application Security, Software Architecture and Design, Software Security Initiative (SSI)

Android WebViews and the JavaScript to Java bridge

Since a WebView is a browser control in an app, it invites traditional attacks associated with the web. We examine how to protect against these attacks. Introduction: It’s been several months since I presented on Android WebViews at OWASP AppSec EU 2015 in Amsterdam, and I finally have the chance to put the content into […]

Posted in Mobile Application Security

The top hacking techniques of 2015 and how they work

This year has been another banner year both in terms of security and vulnerability discovery. There have been many leaks and attacks, most of which were probably executed with older techniques. But there are also a few new attack patterns worth highlighting which were revealed this year. Reflected file download (RFD): Let’s say that one […]

Posted in Mobile Application Security, Software Architecture and Design, Web Application Security