Mobile Security Weekly – Countdown to Blackhat US

This week has been eventful for all sorts of reasons. First, we’re excited to have officially launched the Lacoon Mobile Threat Management Platform. Second, with Blackhat US around the corner, we’re all busy and set to go. If you’re around, come hear our talk or stop by at our booth at the Innovation City. Finally, there have been a number of interesting and important news items – which is what we’re all here for.

Android ‘Fake ID’ vulnerability can enable a threat actor to impersonate your trusted apps.
Every Android app has a unique identity. In short, a threat actor exploiting this vulnerability can compromise specific applications or sensitive device data by falsifying that identity so that it can impersonate your applications without your knowing. As a result, a threat actor can either access app data, access private NFC payment data or obtain device management capabilities.

We’ve known about this for a while and Lacoon customers have been protected from this kind of threat for some time. According to the researchers who discovered ‘Fake ID’, all devices running Android 2.1 to 4.4 are affected.

Our in-depth blog post covers all the relevant issues including an explanation of the source of the vulnerability, a breakdown of potential attacks and methods of mitigation.

Why is this Significant?
‘Fake ID’ potentially affects the security of millions of Android devices worldwide.The fact that an attacker can create a new digital identity certificate and enable a malicious app to obtain permissions that it never should have had, is very serious.

Researchers in Taiwan discover that XiaoMi and RedMi Android devices are relaying data back to secret Chinese servers.
The XiaoMi and RedMi phones are popular in China and South East Asia thanks to a combination of low price and great specs. Sadly, researchers have discovered that RedMi Note has been connecting to an IP address in China and transferring data back to the server upon entering WiFi mode.

Disguised as a backup service (that operates automatically and without permission), it seems that the process is hard coded into the phone – even a complete wipe of the devices didn’t stop the transmissions.

http://www.phonearena.com/news/Report-Xiaomi-Redmi-Note-sends-photos-and-texts-to-Chinese-server_id58744

Why is this Significant?
With more users in the US and Europe opting to import cheap, high-powered Android devices from China and South Korea, this type of story is critical to pay attention to. Infection via the supply chain, in this case the manufacturer, is a growing problem. Whether it’s unauthorized backups or built-in malware, in a BYOD world, it’s worth noting where a device came from.

Signal – Free iOS call encryption app set for release
Although not necessarily a technological breakthrough (Silent Circle has been around for a while), this is the first app to offer free encrypted calls between iPhones with the app installed.It uses your existing number, doesn’t require a password, and leverages privacy-preserving contact discovery to immediately display which of your contacts are reachable with Signal.

The app can also integrate with it’s sister project, Redphone, enabling encrypted calls between iPhone and Android users.

http://www.theregister.co.uk/2014/07/30/keep_your_iphone_calls_private_whispers_signal/

Why is this Significant?
In a post Snowden, eavesdropping-phobic world, this is undoubtedly a trend worth keeping track of. As this kind of service becomes more commonplace, it might have quite an effect on the way enterprises feel about work related phone calls.

Image Credit: The Guardian Newspaper