Software Integrity Blog

Archive for the 'Mobile App Security' Category

Android WebViews and the JavaScript to Java bridge

Since Android WebViews are browser controls in an app, they invite traditional web attacks. Learn how to protect against Android WebView attacks.

Posted in Mobile App Security

The top hacking techniques of 2015 and how they work

This year has been another banner year in terms of both security incidents and vulnerability discovery. There have been many leaks and attacks, most of which were probably executed with older techniques. But there are also a few new attack patterns, revealed this year, that are worth highlighting.

Posted in Mobile App Security, Software Architecture & Design, Web Application Security

Jailbird: A cautionary tale of mobile application security awareness

For all the technology and solutions out there, the number one protection against cybercrime is still user awareness and the ability to understand when you are at risk—even as a consumer. Our greatest exposure is when we use our smartphones. These devices carry not only all our favorite photos and music playlists, but also address books, emails, our health information, some credit card data and even passwords in all those “secure” vaults you can download for free. Of course, oftentimes we find ourselves at the mercy of the great, life-saving utility these apps provide, and what’s the risk anyway, right?

Posted in Mobile App Security

Using the SafetyNet API

The SafetyNet attestation API is a Google Play Services API that any developer can use in order to gain a degree of assurance that the device their application is running on is “CTS compatible.” CTS stands for Compatibility Test Suite, which is a suite of tests a device must pass, prior to release, to be allowed to include Google Play Services. Traditionally, it was used by device manufacturers to ensure that their devices met Google’s requirements. The term is now overloaded with more meanings, like ‘the device is in a non-tampered state’ after release. Tampered state has multiple definitions and includes ‘being rooted,’ ‘being monitored’ and ‘being infected with malware’.

Posted in Mobile App Security

Developers targeted in Apple’s iOS malware attack

Apple is currently taking measures to eradicate hundreds (potentially thousands) of malicious apps recently discovered in the iOS App Store. It has come to light that hackers distributed a modified version of Apple’s developer toolkit, Xcode, which embedded malware known as XcodeGhost into iOS apps as they were being compiled.

Posted in Mobile App Security

Integrating Touch ID into your iOS applications

What is Touch ID?

Touch ID is Apple’s fingerprint technology for iOS mobile devices. It allows consumers to unlock their phones and make purchases conveniently using their fingerprint(s). As of iOS version 8.0, Apple opened up Touch ID to developers by making APIs available for use in the SDK.

Biometric opinions

This post assumes you have performed your own risk assessment, are aware of the risks associated with biometric authentication technologies, and have decided that Touch ID is suitable for use in your application.

Why this post then?

The reason for this post is simple—I want to provide some information to allow software architects and developers to better understand Touch ID, the ways it can be included in your iOS applications, and what the security benefits of the different approaches are. These are all questions I hear regularly when providing iOS security consultancy.

Posted in Mobile App Security

Samsung SwiftKey: The latest AppSec vulnerability highlights

The Samsung smartphone SwiftKey security slip-up grabbed headlines in mid-June when it was discovered that 600 million Samsung smartphones were vulnerable to remote code execution (RCE) attacks.

Posted in Mobile App Security, Software Architecture & Design

Cloud storage security storm: When it rains, it pours

What’s the state of cloud storage security? Not great. Cloud storage vulnerability research found 56 million records of unprotected data in cloud databases.

Posted in Cloud Security, Mobile App Security

Samsung Galaxy phone hack: Making sense of the “Samsung” RCE vulnerability

The Samsung Galaxy phone hack was not caused by “one bug.” It was due to a chain of several failures, which makes it difficult to say who is at fault and how the Samsung hack could have been avoided. Don’t jump to conclusions!

How did the Samsung Galaxy get hacked?

Issue 1: Samsung uses a white-label version of the popular SwiftKey third-party keyboard app as the default keyboard in recent Android devices. In order to do that, it repackages the app and installs it into the system partition. This gives the keyboard app “system” privileges.

Posted in Mobile App Security, Software Architecture & Design

How to overcome the hurdles to mobile application security

Mobile apps are juicy targets for hackers. Consider the rich data that is captured by a mobile device, including call logs, SMS messages and location information. Then consider the rapidly evolving mobile platforms and frameworks that are new to many development organizations.

Posted in Mobile App Security, Software Architecture & Design, Web Application Security