Software Integrity Blog

Archive for the 'Mobile App Security' Category

What is MEMSCAN and how to use it

What is MEMSCAN? A Synopsys consultant, Grant Douglas, recently created a utility called MEMSCAN that dumps the memory contents of a given iPhone app. Dumping a process's memory is a useful technique for identifying keys and credentials held in memory. Using the utility, users can recover keys or secrets that are statically protected within the application but less protected at runtime. Users can also use the utility to verify that keys and credentials are appropriately disposed of after use.

Posted in Mobile App Security, Software Architecture & Design

Striking the balance: App security features and usability

Last week, I installed a new app from the Google Play store onto an Android device. While the app was downloading and installing, I took a look at a few of the user reviews and found their contents interesting. Four of the top 10 comments were both negative and related to security. The comments have been paraphrased for anonymity purposes:

Posted in Mobile App Security

Red teaming for a holistic view of security

Red teaming is an exercise in which an independent group tests your system the same way an attacker would, in order to identify weaknesses that could compromise sensitive data.

Posted in Mobile App Security

Standard versus proprietary security protocols

Proprietary security protocols can lead to a number of security issues. We recommend using standard security protocols as much as possible.

Posted in IoT Security, Mobile App Security, Software Compliance, Quality & Standards

Cordova InAppBrowser remote privilege escalation

CVE-2014-0073 is a vulnerability in InAppBrowser, one of Apache Cordova’s core plugins, that allows an attacker to perform remote privilege escalation.

Posted in Mobile App Security

Understanding fragment injection

A colleague asked me about an Android vulnerability called fragment injection because of an article he read [1], and I think it's worth diving into the details of the vulnerability. Fragment injection is a classic example of using reflection in an unsafe way (CWE-470) [2]: untrusted data from an Intent is used to determine which class is instantiated within the target Android application.

Posted in Mobile App Security, Web Application Security

Understanding the GnuTLS certificate verification bug

The GnuTLS certificate verification bug allows attackers to intercept SSL traffic. Learn how the vulnerability works and how to mitigate it.

Posted in Mobile App Security, Open Source Security, Web Application Security

Understanding the Apple ‘goto fail;’ vulnerability

Learn more about the Apple “goto fail;” vulnerability, including vulnerability details, who it affects, and what you can do about it.

Posted in Mobile App Security

Touch ID: Yea or nay?

Is Touch ID all it’s cracked up to be? We explore the vulnerabilities of Touch ID, biometrics, and password security, including general considerations.

Posted in Mobile App Security, Software Architecture & Design

Mobile: Different or same sh*t different day?

Is mobile security the “same problem” as web application security? Is it just “different day”? I’ve watched organizations and mobile thought leaders argue perspectives on this question back and forth for years. The answer is, of course, both. Mobile security inherits previous problems and solutions while bringing its own unique ones. Let’s get specific about what’s different and why. I’ll break things down as usual: threats, attack surfaces, vectors, impacts, and then controls. Summarizing:

Posted in Mobile App Security, Software Architecture & Design