Weekly Mobile Security News Roundup

The release of iOS 7.1 can serve as a metaphor for this week’s summary. Perhaps the most substantial part of Apple’s update was a major security patch that dealt with more than 40 issues. The patch addresses a vast range of different security flaws, signifying how diverse the world of malware is.

It also says a lot about the security of iOS (presumed to be the more secure of the two main OSs) as well as about the robustness of the major players in the mobile world. Even (or maybe, especially) Apple and Google aren’t invulnerable to malware, let alone the smaller developers.

As mentioned, Apple released iOS 7.1 earlier this week.

Apple have published the list of security flaws that they’ve fixed. The list covers many issues – ranging from App Store bugs to authentication, data security and malicious configuration profiles. It really shows how many different ways iOS can be attacked.


Why is this Significant?

While Apple’s efforts are laudable and should be encouraged, it is important to note that there are two problems that cannot be patched:

  1. In the iOS world, IT managers have no visibility into exploits of actual vulnerabilities.
  2. Some key vulnerabilities are inherent, so fixes for them do not provide a complete solution. Although Apple addressed specific related vulnerabilities, these fixes only touch on the problem, not the underlying design issues, which cannot be fixed.

For more information, read our corresponding blog entry.

Details of a serious security flaw with Google’s Play Store were published by a security researcher. Essentially, the vulnerability allows an app to install any number of other apps with any permissions without the user’s explicit consent. As a result:

  1. A user can install an app from Google Play using just the browser, even the PC’s browser.
  2. An app can embed a browser and automatically log in to the user’s Google account without any notification, using a few permissions.


Why is this Significant?

This vulnerability is so simple to implement that the researcher preferred to publish the details of his PoC. It means the app is capable of obtaining access to all permissions without the user ever having approved it. Then, it can subscribe the user to services that cost money, manage accounts, disable the mobile device or pretty much anything else. Unfortunately, this vulnerability exists not in a third-party marketplace, but in Google’s official marketplace.

WhatsApp conversations can be accessed and extracted without too much effort.

A researcher has discovered a way to take advantage of Android’s data sandboxing system and use it to target WhatsApp.

On Android, WhatsApp stores conversations on the phone’s SD card, which is accessible by many other apps on the phone as long as the user gives those apps the permissions they ask for (many apps ask for full access to the phone). As mentioned, this is an infrastructure issue for Android more than a gaping security flaw on the part of WhatsApp.

Even though WhatsApp has begun encrypting its database to the point where it cannot be opened by SQLite, it has proven quite simple to decrypt.


Why is this Significant?

Facebook will surely be improving WhatsApp security in the next few months following the $19 billion acquisition. But this brings up, yet again, lingering questions about Android infrastructure. This is a similar example of underlying design issues that are much more significant than any specific security issue.

A backdoor that exists in almost all the Samsung Galaxy devices (old and new) has been discovered by researchers at Replicant (a free alternative to Android OS). The backdoor allows the modem to remotely access and open files on the device’s storage.

Since the modem runs proprietary software, it is likely that it offers over-the-air remote control that could then be used to issue incriminated RFS messages (which the modem uses to communicate) and access the phone’s file system.


Why is this Significant?

Firstly, it’s a potentially serious issue in a very popular and widespread line of mobile phones and tablets. It also highlights the different ways an attacker can approach a device. There are always new ways to access, control or eavesdrop on a device – more often than not, because of an oversight by the manufacturer.

Almost 80% of apps exhibit behavior that poses some form of enterprise risk.

An interesting report on iOS and Android security concludes that Android has more malware, but iOS apps pose greater risk of leaking user data. While a tiny percentage (0.4) of iOS and Android apps can actually be classified as malware, 80% of paid and free apps are likely to have risky procedures that range from GPS tracking and contact list access to leakage of private data and more.


Why is this Significant?

This report shows that mobile threats are not relegated just to malicious “viruses”. Apps that may not be classified as run-of-the-mill malware might pose almost as much of a security risk as the apps that most antivirus products are looking for.