Mobile Security Weekly – Pain-gu? How dangerous is the new iOS jailbreak?

This week’s edition poses questions about the future of both mobile and mobile security. Google’s I/O conference always serves as a glimpse into the future of all aspects of mobile, and it’s good to see security as one of those aspects this year. The release of a new iOS jailbreak raises the question of whether this is the last version that can and will be jailbroken. Finally, a massive security loophole in a popular new app provides a worrying outlook on the future of mobile apps.

There’s a new jailbreak for iOS 7.1, and it presents a major leap in attackers’ capabilities. Named Pangu, it was released by a Chinese team on Monday. Apart from allowing all iOS users to jailbreak their devices, which is dangerous in itself, it publicly exposed two iOS security bugs that might be used to make a future jailbreak unless they are fixed.

Pangu is essentially an attack that uses an Apple enterprise certificate to jailbreak and potentially gain control of iOS devices. Pangu should definitely concern enterprises and users as it represents a major technological leap that ultimately lowers the barrier for attackers to create sophisticated targeted mobile attacks.

Read our dedicated post here

Why is this Significant?

As we elaborate in our blog post, attackers can leverage the tool easily, quickly and efficiently as part of a targeted attack.
Most importantly, Pangu also has the potential of being run remotely as an app. The consequence is that this would be the first time since iOS 4 that a jailbreaking tool can be remotely executed. Enterprises will undoubtedly need to address many of these issues in the near future.

Secondly, unlike previous jailbreak methods, Pangu does not require the installation of the Cydia app (an unofficial iOS marketplace) and therefore can easily go undetected both during installation and beyond.

Researchers Reveal Privacy Hole in the newest cool messaging app – ‘YO’
After receiving quite a bit of hype upon release, a glaring privacy hole was uncovered in the app which lets users text one word (Yes, “Yo”) to each other. Unbeknown to the developer, the app also allowed hackers to harvest any user’s phone number, spam users with large numbers of messages and impersonate a user when sending messages.

Why is this Significant?
This is the latest illustration of the fact that some mobile apps, created in mad rushes to attract investors and users, pay little to no attention to security until it is too late. That is a risk for consumers who install the apps, especially in a BYOD environment.

Similar vulnerabilities were previously discovered in the massively popular Tinder and Snapchat, and it seems that this is a growing trend. Perhaps more worrying than anything else is the fact that the hack was discovered just as Yo cracked the top 5 free apps on the iOS App Store, ahead of Snapchat, Instagram, YouTube, and Facebook.

Google announces several new security updates at the Google I/O conference in San Francisco.
Google held their yearly conference, which serves as the venue for all their big announcements. Besides news on Google Wear, Android 5 and Google TV, they also had some important updates regarding security:

  1. Knox, Samsung’s security platform, will be integrated in the next version of Android. Samsung says the version of Knox that is being made available to all Android devices will include some key parts of the platform, including a “container” that allows users to house proprietary information in a separate secure space on a device. Other core security features of Knox won’t be shared with rival Android vendors.

    This is undoubtedly part of Google’s active effort to promote Android more broadly as “the leading choice for businesses”. Potentially, this move could bring some level of enterprise-grade security to all devices in the Android ecosystem.
  2. Google Play Services 5.0 will arrive shortly with new security tools. Google Play Services is the app Google uses to roll out new services and features to the core of Android without a full OS update. Part of the update will integrate the new Dynamic Security Provider. This should offer an alternative to the platform’s secure networking APIs that can be updated more frequently, for faster delivery of security patches.

Why is this Significant?
We can see two distinct examples of Google’s increasing recognition of the importance of mobile security. Although not without issues of its own, a service like Knox is definitely an integration worth considering. On the whole, it’s good to see that Google is addressing security as part of its main agenda. All that’s left is to wait and see how effective their methods are.