More than a decade’s worth of good deeds were recently memorialized with Microsoft’s announcement that Michael Howard and Steve Lipner’s book The Security Development Lifecycle (PDF) is now available for free online. What a great contribution by Michael, Steve, and Microsoft to the community; and cheers to the continued growth of software and application security as a discipline!
On Wednesday, the Federal Communications Commission (FCC) announced it would investigate cellular carriers' use of legacy mobile phone technology that is vulnerable to attack.
FCC to investigate SS7 mobile phone vulnerabilities (Posted in Mobile Application Security)
What is the difference between “application security” and “software security”? We examine the question and explain when to use each discipline.
Communications via Apple’s popular iMessage are vulnerable to a software flaw that could allow attackers to decrypt a photo stored on the company’s iCloud backup system, according to Matthew D. Green, a computer science professor at Johns Hopkins University. Green led the research team that found the bug in Apple’s encryption that would enable an attacker to decrypt photos and videos sent as secure instant messages. It would not, according to WashingtonPost.com, allow an attacker to decrypt an entire iPhone, however.
Apple iMessage vulnerability patched in iOS 9.3 (Posted in Mobile Application Security)
While researching certificate pinning, I stumbled upon a ‘generic’ implementation flaw allowing remote attackers to bypass the protection that certificate pinning can offer to an application.

Summary

If your Java or Android application uses the checkServerTrusted() or getPeerCertificates() APIs to implement certificate pinning, there is a very good chance that your pinning implementation is completely ineffective.
An examination of ineffective certificate pinning implementations (Posted in Mobile Application Security)
It would appear that Apple’s security strategy to protect user data is so effective that even the FBI can’t decrypt an iPhone in the midst of a terror attack investigation. The ruling came down yesterday from the federal magistrate, ordering Apple to help the FBI unlock the iPhone used by San Bernardino shooter Syed Farook. Investigators believe unlocking the phone will lead them to more clues as to why Farook, along with his wife, killed 14 people and injured dozens at a holiday party in December of last year. Apple’s not giving in so easily. But why? In a statement released yesterday, Apple CEO Tim Cook made it clear that he has no intention of complying with the order. Within the statement, Cook writes that Apple doesn’t have a solution readily available, and that building the backdoor to the iPhone, as demanded by authorities, is “too dangerous to create.”
In the name of data security, Apple is fighting back (Posted in Mobile Application Security)
As people become more reliant on their smartphones, mobile applications become an important focus for many organizations. There are many articles about adapting your software security group (SSG) to handle the new risks posed by new technology. But are you confident that you are tracking your organization’s progress and performance effectively? What story do your mobile metrics tell? Are you confident that you are able to show the impact your SSG has when addressing mobile security?

Metrics optimization

A useful security metric tells a story around the impact and value the SSG adds to the organization at large. Rather than reporting how many mobile applications your organization has enrolled in dynamic scanning, there is more value in reporting how many high-severity findings your dynamic scanning discovered and/or how many findings were remediated due to the scanning efforts. This shows the impact of dynamic scanning on the quality of the code.
What is the best form of cyber security defense? Well, as I always maintain, it’s user awareness! The implementation of a comprehensive user awareness policy carries a lot of weight and, when abided by, effectively complements the many technological solutions available.
Since a WebView is a browser control in an app, it invites traditional attacks associated with the web. We examine how to protect against these attacks.
This year has been another banner year in terms of both security and vulnerability discovery. There have been many leaks and attacks, most of which were probably executed with older techniques. But there are also a few new attack patterns worth highlighting which were revealed this year.

Reflected file download (RFD)

Let’s say that one morning you wake up and try to print some last-minute work notes out on your home printer. Without luck, you decide to re-install the print driver. While browsing the Internet, looking for a driver, you find that someone has linked to a file on a forum that may suit your needs. As a good internet user, you check where the link really leads and find that it does point to a legitimate site. You click and run the file; however, your computer is compromised and an attacker gets in. What happened? The site was legit. There’s no way your manufacturer would host malware on their site, and you weren’t redirected to a malicious domain. Instead, you were hit by a reflected file download (RFD).