Mobile Security Weekly: Uber’s Literally Malware, WhatsApp Crashes Hard, iOS Jailbroken – Again

Lacoon Mobile Security.” width=”115″ height=”75″ /> Ohad Bobrov is co-founder and CTO at Lacoon Mobile Security.

This week’s issue highlights just how careful users need to be, even when using popular and well-known apps. Uber and WhatsApp are installed on huge numbers of devices, yet they both have severe security issues. And the newest version of iOS has already been jailbroken – which is always bad new for the enterprise.

Uber for Android Exhibits Malware-like Behavior

The hugely popular ride-sharing service Uber has been hit by various controversies lately, but things are seemingly moving from bad to worse, with some researchers describing the app as ‘literally malware.”

Uber has been called out for the surprising amount of user data it collects from its Android app. A partial list of the data collected includes email accounts, app activity data, GPS, call and message data, Wi-Fi network data, device info and cell network data. Not only does it collect even more data than other apps that have been previously criticized, it also relays it back to a company server – just like an mRAT (Mobile Remote Access Trojan).

http://thehackernews.com/2014/11/ubers-android-app-is-literally-malware_28.html

Why is this Significant?

Apps being installed willfully from Google Play that collect more information than they need isn’t a new concern. But Uber is undoubtedly one of the year’s hottest apps, and has a very large user base, especially throughout the US. The fact that it’s behaving just like malware raises a red flag because it’s exposing a lot of information (including enterprise data), that Uber arguably has no business collecting.

WhatsApp Vulnerability Enables Remote Crashing of the App

A new vulnerability discovered in the popular messaging app WhatsApp enables anyone to remotely crash WhatsApp on Android by sending a specially crafted message.

Researchers in India managed to produce a 2000 word (2kb in size) message in special character set that automatically crashes the app. It was previously know that sending a very large message (greater than 7mb in size) via WhatsApp could crash both the victims’ device and app, but the new vulnerability only requires a tiny message in comparison.

At the moment, it seems that this vulnerability can be used to temporarily prevent others from sharing a messaging thread with others, or to forcefully remove specific users from group chats.

http://bgr.com/2014/12/03/whatsapp-crash-and-delete-chat-records/

Why is this Significant?

WhatsApp has hundreds of millions of users worldwide, so any significant security problem in the app matters — a lot. Perhaps today the concern is only the “disturbance,” but could this escalate into something much more severe that exposes data on the device? It’s definitely an issue worth paying attention to.

New Jailbreak Released for iOS 8.1.1

Unlike previous version of iOS, when users had to wait several months to download reliable jailbreaks for their iPhones and iPads, jailbreaks for the newest iOS and the latest firmware upgrade have been rolling out at unprecedented speed.

TaiG, a Chinese hacking team, has released a new jailbreak for iOS 8.1.1 which has rendered the Pangu Jailbreak obsolete. In an effort to make communication with non-Chinese speakers better, the team has also launched a Twitter account, available in English as well.

http://www.idownloadblog.com/2014/12/03/taig-jailbreak-and-website-now-available-in-english-team-launches-official-twitter-account/

Why is this Significant?

The jailbreak process has become much easier than it was several years ago. Coupled with the fact that jailbreaking is one of the the biggest security issues on iOS, this poses a major problem for enterprises that allow employees to use their own devices. iOS is far from 100% secure to begin with, but once a device has been jailbroken there are endless ways for attackers to target and access a device.