Weekly Mobile Security News Roundup

Happy New Year!

As a way to kick-start 2014, we’re going to start releasing a weekly summary of the important events and trends in the Mobile Security world.

1. 1. The latest chapter in the series of NSA leaks, shines new light on the NSA’s methods for collecting material from mobile devices & networks.
   According to the leak, since 2008, the NSA has had the capability to deploy software implants on Apple’s iPhone that grants remote access to various assets such as text messages, location data and microphone audio. Named DROPOUT JEEP, the tool previously required physical access with remote implementation to be developed asap. Seeing as the document is 5 years old, one would think this is a bridge that has probably been crossed.What’s the significance? Other than the fact that that NSA was capable of carrying this out and actually had carried it out (noting that Apple denied this allegation). But this further highlights two two important factors:
   1. a.   iPhone is just as susceptible to attacks – even if the NSA didn’t receive Apple’s granted collaboration
   2. b.   Nations lower the attack barrier. In 2008, it was the NSA. In 2011, publications discussed the sale of mobile targeted attacks – incl. those of iPhones – by private firms. In 2013, in parallel to a talk regarding the NSA’s capability at CCC, the Hacking Team – a firm focused on providing interception capabilities – showcased their product video which has the capabilities to infect mobile devices, including iOS-based phones.
2. 2. Hackers managed to access  Snapchat’s database, a popular photo messaging application that states user privacy as one of its’ key features.
   At first it was released that Snapchat had a security vulnerability that could divulge users’ personal information. After Snapchat supposedly dealt with the problem, a group of hackers managed to access the same vulnerability and have uploaded a vast database of what appeared to be 4.6 million Snapchat users’ mobile numbers and users names.What’s the significance? This is another wakeup call.  Mobile apps that are entirely innocent can be just as dangerous as malware. Sandboxing (compartmentalizing app permissions and resources) will only get you so far. Innocuous apps like Snapchat can be leveraged by attackers  and pose as much a security threat to a business as any other app.
3. 3. There’s a new Android Injection vulnerability.
   This vulnerability affects many apps, including Settings (found on every Android device),  Gmail, Google Now, DropBox and Evernote. The vulnerability essentially enables a malicious app to abuse the permissions of apps with more privileges.
   The vulnerability, which has now been patched in Android Kitkat (4.4), still affects android 4.3 and below.What’s the significance? In the grand scheme of things, this underlines the fact that even the biggest and most sophisticated developers have, and will continue, leaving holes that can be exploited.
4. 4. Leading into the new year, mobile security is emerging as a major threat to enterprise security.
   A recent study by the Ponemon institute shows that most security professionals believe that Mobile security will pose the greatest challenge in 2014. It’ll be up to us to stay ahead of the curve.