Weekly Mobile Security News Roundup

Busy week? We have you covered with the summary of the most important and relevant mobile security news items.

1. Separate studies highlight mobile app vulnerabilities. Whether the apps are finance-oriented or simply very popular, they leak sensitive data.
   a. 40 top iOS home banking apps are vulnerable –
   b. Starbucks’ mobile app stores passwords in clear text –

   Why should you care? Your mobile security strategy needs to consider the different layers of mobile (the device itself, the operating system and the mobile apps) and how they interact with one another. It is not enough to look at each of these layers separately; it is important to understand how the security, and the flaws, of each layer can affect the other layers.

2. Samsung and Google addressed a Knox vulnerability disclosure from two weeks ago. The disclosure itself contained scarce details but mentioned that the vulnerability enables “easy interception of data communications between the secure container and the external world including file transfers, emails and browser activity.” Samsung’s response, in turn, claimed the flaw is actually a classic Man-in-the-Middle of unencrypted app data.
   http://blogs.computerworld.com/mobile-security/23395/security-researchers-sometimes-get-it-wrong

   Why should you care? Considering the case of a Man-in-the-Middle attack, it’s incredible to think that this attack has been around since the early days of encryption. It is a well-known, traditional network attack, discussed over and over again in the context of Web apps, and mobile apps are treated similarly. Yet this vulnerability continues to crop up. Looking at mobile apps, this widespread security issue is further demonstrated in the same banking app survey presented in news item (1) above: there, the researchers found that 20% of the banking apps sent account activation codes in plaintext.
   As for Samsung’s response, this is clearly not the end of the story. We are waiting to see the response from the researchers and will keep you updated.
3. Evasi0n jailbreak leaves a vulnerability on the device
   http://winocm.com/projects/research/2014/01/12/evading-ios-security/

   Why should you care? Jailbreaking the device is a big no-no in terms of security. It removes all the built-in security measures of the device. And, as this case shows, if you jailbreak your device you never know what else you might get with it.
4. A study by Mobile Work Exchanges shows that more than 30% of government employees use a public Wi-Fi connection, 15% downloaded a non-work-related app on the mobile device they use for work, and a quarter of them do not use passwords on their device.
   http://www.darkreading.com/end-user/feds-failing-to-secure-their-mobile-devi/240165345/

   Why should you care? This survey brings together many of the risks stated in the previous news items, from susceptibility to MitM attacks on open Wi-Fi connections, to downloading a vulnerable app that eases an attacker’s path to the data. The survey results pertain to federal agencies, which are considered to have stricter policies than the private sector. It’s troubling to think what happens at organizations in general.