Mobile Security Weekly – iPhone 6 is Here – Mobile Security Doesn’t Stop to Wait.


Amazingly, things that aren’t related to either the iCloud Scandal or the iPhone 6 have made big impacts on the world of mobile security this week. Google is taking another step towards the enterprise, while many famous and hugely popular apps have again been discovered to be providing sub-standard security to their users.


Google unveils iOS sync security service
Google has launched an iOS Sync service for Google Apps, marking its latest attempt to push its enterprise services into mixed office environments. The feature, which will support all devices running iOS 7 or later (including the new iPhone 6 and 6 Plus), will be integrated into the Gmail and Google Drive apps for iOS and offers a variety of security services.

Among the services available will be the ability to set up management policies, configure WiFi networks so employees can only connect to the services in trusted environments, manage passwords and data-encryption protocols, and remotely wipe devices.

Why is this Significant?
This release serves as evidence that Google is both looking to increase its foothold in the enterprise market and attempting to improve enterprise application security. Both are important processes that could play an important role in how enterprises view using Google’s different services in the future. We’re staying tuned to these releases and will continue to update you.

Instagram, Grindr, and more popular Android apps put user privacy at risk
Instagram, Grindr, OkCupid and many other Android applications fail to take basic precautions to protect their users’ data, putting their privacy at risk, according to researchers.
Using different methods, the researchers examined what data was being exchanged and stored, and where.

Among the apps that came under scrutiny:
Instagram, OoVoo, MessageMe, Tango, Grindr, HeyWire and TextPlus: Discovered to have images sitting on their servers that were unencrypted and accessible without authentication.
OoVoo, Kik, Nimbuzz and MeetMe: Didn’t encrypt chat logs on the device, which poses a risk if the device is lost or stolen.
OkCupid: Doesn’t use SSL/TLS, or uses it insecurely. Using simple methods, chat metadata and contents can be easily obtained.

Why is this Significant?
The least we should be able to expect from established app developers is that they do their best to protect user data. Unfortunately, as these disclosures demonstrate, we cannot rely on the apps’ own defenses. What we need to start doing is putting third-party security mechanisms in place. This is especially important for the enterprise, as these consumer apps are quickly finding their way into the business, introduced under the nose of IT departments.

Facebook’s Messenger App Is Tracking a Lot of Data
An interesting report recently published by a researcher has found that Facebook’s Messenger app (in this case for iOS) is logging practically everything a user might do within the app: “...from what and where they tap, to how often a device is held in portrait versus landscape orientation; even time spent in the Messenger app, versus the time it spends running in the background...”

The researcher goes on to say that Messenger is also tracking WiFi network data and process lists. This is specifically interesting because it exposes several new methods that theoretically could also be implemented by threat actors as part of an advanced mRAT (Mobile Remote Access Trojan) attack.

Facebook was quick to dismiss these reports and released an official statement: “These accusations are completely unjustified. Privacy is core to our approach with Messenger, and like any developer, we analyze usage trends to make our apps better, faster, and more efficient.”

Why is this Significant?
It really shouldn’t come as a surprise that mobile apps run some sort of analytics on user behaviour. This can undoubtedly help them improve their offerings and serve users better. In the case of Facebook Messenger, the tracking has perhaps gone one step too far. Furthermore, even if Facebook (which has since posted a reaction to these claims, as stated above) isn’t doing anything malicious with this data, there is the potential risk of threat actors hijacking these collection methods.
