Software Integrity Blog

Archive for the 'Mobile App Security' Category

Samsung Galaxy phone hack: Making sense of the “Samsung” RCE vulnerability

The Samsung Galaxy phone hack was not caused by “one bug.” It was due to a chain of several failures, which makes it difficult to say who is at fault and how the Samsung hack could have been avoided. Don’t jump to conclusions!

How did the Samsung Galaxy get hacked?

Issue 1: Samsung uses a white-label version of the popular SwiftKey third-party keyboard app as the default keyboard in recent Android devices. To do so, it repackages the app and installs it into the system partition, which gives the keyboard app “system” privileges.

Posted in Mobile App Security, Software Architecture & Design

How to overcome the hurdles to mobile application security

Mobile apps are juicy targets for hackers. Consider the rich data that is captured by a mobile device, including call logs, SMS messages and location information. Then, consider the rapidly evolving mobile platforms and frameworks that are new to many development organizations.

Posted in Mobile App Security, Software Architecture & Design, Web Application Security

What is MEMSCAN and how to use it

What is MEMSCAN? A Synopsys consultant, Grant Douglas, recently created a utility called MEMSCAN which enables users to dump the memory contents of a given iPhone app. Dumping the memory contents of a process is a useful technique for identifying keys and credentials in memory. Using the utility, users are able to recover keys or secrets that are statically protected within the application but are less protected at runtime. The utility can also be used to verify that keys and credentials are appropriately disposed of after use.

Posted in Mobile App Security, Software Architecture & Design

Striking the balance: App security features and usability

Last week, I installed a new app from the Google Play store onto an Android device. While the app was downloading and installing, I took a look at a few of the user reviews and found their contents interesting. Four of the top 10 comments were both negative and related to security. The comments have been paraphrased for anonymity purposes:

Posted in Mobile App Security

Red teaming for a holistic view of security

Red teaming is when an independent group tests your system in the same way an attacker would to identify weaknesses that could compromise sensitive data.

Posted in Mobile App Security

Standard versus proprietary security protocols

Proprietary security protocols can lead to a number of security issues. We recommend using standard security protocols as much as possible.

Posted in IoT Security, Mobile App Security, Software Compliance, Quality & Standards

Cordova InAppBrowser remote privilege escalation

CVE-2014-0073 is a vulnerability in InAppBrowser, one of Apache Cordova’s core plugins, that allows an attacker to perform remote privilege escalation.

Posted in Mobile App Security

Understanding fragment injection

A colleague asked me about an Android vulnerability called fragment injection after reading an article about it [1], and I think it’s worth diving into the details of the vulnerability. Fragment injection is a classic example of using reflection in an unsafe way (CWE-470) [2]: untrusted data from an Intent is used to determine which class is instantiated within the target Android application.

Posted in Mobile App Security, Web Application Security

Understanding the GnuTLS certificate verification bug

The GnuTLS certificate verification bug allows attackers to intercept SSL traffic. Learn how the vulnerability works and how to mitigate it.

Posted in Mobile App Security, Open Source Security, Web Application Security

Understanding the Apple ‘goto fail;’ vulnerability

Learn more about the Apple “goto fail;” vulnerability, including vulnerability details, who it affects, and what you can do about it.


Posted in Mobile App Security