This week’s update focuses on the technological advancement dilemma: simplicity vs security. With some of their new updates, both Google and Apple seem to be voting firmly in one direction – and it doesn’t seem to be security. We can’t possibly ignore the FIFA World Cup that kicked off in Brazil on Thursday. We’ve tried to provide a few security tips that might help users who are planning to travel to Brazil to take part in the festivities.
iOS 8 and OS X Yosemite were announced this week. iOS 8 definitely brings a new openness to Apple’s mobile operating system. The company’s press release said it’s their biggest developer release ever, with more than 4,000 new Application Programming Interface calls.
Sadly, the same openness and newfound flexibility invites security challenges:
- The new Handoff feature allows users to pick up work on a mobile device exactly where they left off on the Mac. This has led to questions regarding how Apple plans to transmit information from one device to another.
- Password Free Hotspots Are a Threat – The Instant Hotspot feature helps users share Internet connections without any password. In public this can be problematic: anyone who can see and connect to the phone can wind up stealing bandwidth, or worse.
- Increased use of the fingerprint scanner – Apple has announced that it will be giving mobile app designers an additional option for mobile security by opening up its fingerprint ID feature that will enable them to toughen up the protection level by another layer. The fact that the scanner’s track record is far from impressive is something worth taking into account.
Why is this Significant?
This is a perfect example of the dichotomy of technological advance. Apple undoubtedly views all of these updates as positives – things that many users and developers requested. While mobile security is growing in importance within the corporate and business world, these updates show us that there is still some way to go before the security aspects of a mobile OS get the necessary attention and prioritization.
Google developers have made a change to the automated update process of Android apps which may be dangerous to users. Following the change, Android requires next to no user interaction and provides little disclosure on the changes in permissions, such as the sudden ability to send potentially costly text messages or track a user’s precise geographic location. This can be taken advantage of by attackers, and users are in danger of being duped.
Due to changes implemented through the latest Google Play store app, new app privileges aren’t displayed if a user has previously accepted any other permission in the same category as the new permission. In other words, by accepting one permission from a category, users agree that every other permission in that category can be added without notification in future updates.
Two potential examples of updates that won’t be disclosed anymore are:
- An app that begins to receive access to more accurate GPS data.
- An app that acquires a newly assigned ability to send SMS messages.
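The rule described above can be checked before an update is approved. The following is an added example, not code from the original article or from Google: it compares two versions of an app manifest and separates new permissions that fall into an already-accepted category (added without notification) from those that would still be shown. The permission-to-category map is an assumed, abbreviated stand-in for the Play store's grouping, and both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: simplified category map for illustration; the store's real grouping is larger.
GROUPS = {
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.CAMERA": "Camera",
    "android.permission.READ_CONTACTS": "Contacts",
}

# Constructed sample manifests for a hypothetical app, before and after an update.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
</manifest>"""
NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}

def classify_update(old_manifest, new_manifest):
    """Split newly requested permissions into silent and prompted additions."""
    old = requested_permissions(old_manifest)
    new = requested_permissions(new_manifest)
    # Categories the user has already accepted at least one permission from.
    held = {GROUPS[p] for p in old if p in GROUPS}
    result = {"silent": [], "prompted": []}
    for perm in sorted(new - old):
        # Unknown permissions have no category and are treated as prompted.
        key = "silent" if GROUPS.get(perm) in held else "prompted"
        result[key].append(perm)
    return result

if __name__ == "__main__":
    for kind, perms in classify_update(OLD_MANIFEST, NEW_MANIFEST).items():
        print(kind, perms)
```

The two silent additions in the sample correspond to the two examples listed above: more accurate GPS data and the ability to send SMS messages.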
Why is this Significant?
This is part of the overall effort by Google to streamline and simplify the process of installing updates. As many users don’t read and/or understand the permission system – Google are just skipping it. While this might be comfortable for many people, this poses a significant security risk to enterprises.
As mentioned, this week sees the start of the 2014 FIFA World Cup in Brazil. With hundreds of thousands of fans descending on the Copacabana, mobile security is definitely worth discussing.
There are several kinds of threat that tend to appear around mass events like the World Cup:
- Fake Apps – Attackers are aware of the fact that during tournaments, users are prone to downloading things like games, fixture lists, news and team apps. Both third-party marketplaces and the official Google Play store are full of malicious, repackaged apps that aren’t what they seem. Two potentially dangerous apps – Corner Kick World Cup 2014 & Fifa 2014 Free – World Cup have already been discovered. Although one app just doesn’t do anything, the other attempts to access call, text message and user data. Both could have also been more advanced malware.
- Phishing Attacks – Users should be aware of fake e-mails and text messages advertising tickets, online broadcasts and overly-attractive gambling opportunities. This kind of attack can easily leave a device infected with malware capable of advanced surveillance.
- Rogue Wi-Fi hotspots – Although reports of this kind of attack at the Sochi Winter Olympics were discovered to be untrue, this is undoubtedly a potential risk. People crave free Wi-Fi and attackers know this. Rogue Wi-Fi attacks can leave mobile communications completely accessible to an attacker.