Mobile Security Weekly – Just How Shellshocked is the Mobile World?


Had it not been for the new “Shellshock” vulnerability, the release of the iPhone 6 and iOS 8 would be our main focus this week. The new bug is at least as dangerous as Heartbleed, affects more users, and is far easier to exploit, which makes it this week’s biggest issue.

Shellshock – A Serious Vulnerability That Could Affect Rooted or Jailbroken Mobile Devices

The security world is buzzing with news regarding the “Bash Bug,” also known as Shellshock. Without going into too many technical details, the flaw is in Bash, the command shell installed by default on most Linux systems and on Apple’s OS X. Bash executes commands hidden in specially crafted environment variables, so any network-facing service that passes attacker-controlled data into Bash’s environment (web servers running CGI scripts are the textbook case) can be abused to run arbitrary commands on the machine remotely.

There is a potential mobile aspect to Shellshock. Neither stock Android nor stock iOS ships with Bash, which makes an unmodified device essentially immune to the problem. However, once a device has been rooted (Android) or jailbroken (iOS), there is every chance that a Bash shell has been installed, making the device potentially vulnerable. Even then, an installed Bash is only half the problem: an attacker also needs a way to get controlled data into Bash’s environment, typically through a server component (a web or SSH daemon, for example) installed alongside it.

Just hours after Shellshock was announced publicly, it was already being actively exploited. The bug has been rated as very severe, but it is not complex: the proof-of-concept test fits in a single line of shell.
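To make the “one-liner” and the mobile angle concrete, here is an added example that is not from the original article. It is deliberately written for plain POSIX sh rather than Bash, so it can be run on a rooted Android or jailbroken iOS device whose stock shell is something other than Bash, and it then looks for any Bash that was installed afterwards. The candidate install paths are an assumption for illustration, not an authoritative list.

```shell
#!/bin/sh
# Added example, not code from the original article: a self-contained check for the
# original Shellshock bug (CVE-2014-6271), written for plain POSIX sh so it also runs
# on a rooted/jailbroken device whose stock shell is not Bash.

# Where third-party installers commonly drop Bash on rooted/jailbroken devices.
# Assumption for illustration only, not an authoritative list.
BASH_CANDIDATES="/bin/bash /usr/bin/bash /usr/local/bin/bash /system/bin/bash /system/xbin/bash"

# shellshock_check <shell-binary-or-name>
# Prints one of: missing | vulnerable | not-vulnerable. Returns 1 only if vulnerable.
#
# The probe is the classic one-liner: export a variable whose value looks like a Bash
# function definition followed by an extra command. A vulnerable Bash imports the
# function from the environment and *executes the trailing command* as a side effect;
# a fixed Bash refuses the import (and warns on stderr, which is discarded here).
# A shell that is not Bash simply ignores the variable and therefore reads as
# not-vulnerable, so the verdict is about this binary only.
shellshock_check() {
    shell="$1"
    if [ ! -x "$shell" ] && ! command -v "$shell" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' "$shell" -c 'echo probe-done' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable;     return 1 ;;
        *)                   echo not-vulnerable; return 0 ;;
    esac
}

# scan_device
# Runs the probe against every candidate Bash that actually exists on this device.
# Prints "<path>: <verdict>" per binary found; returns 1 if any of them is vulnerable.
scan_device() {
    found=0
    bad=0
    for b in $BASH_CANDIDATES; do
        [ -x "$b" ] || continue
        found=$((found + 1))
        verdict=$(shellshock_check "$b") || bad=$((bad + 1))
        echo "$b: $verdict"
    done
    if [ "$found" -eq 0 ]; then
        echo "no Bash in candidate locations: a stock (un-rooted) device is not exposed"
    fi
    [ "$bad" -eq 0 ]
}

scan_device
```

Run it as `sh shellshock_check.sh`; the exit status (0 clean, 1 vulnerable Bash found) makes it usable from a compliance or inventory script. Finding a patched or absent Bash does not by itself prove the device is safe, since the bug only matters when some service feeds attacker-controlled input into Bash’s environment, but finding a vulnerable Bash on a rooted or jailbroken device is a clear signal to update or remove it.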

Why is this Significant?
It goes almost without saying that, much like Heartbleed, this story will spill over into headline news over the coming days. We’ll be paying close attention and will release as much information and guidance as possible once the dust settles.

Apple’s New iPhone 6 Vulnerable to Last Year’s TouchID Fingerprint Hack

Despite the variety of security updates released with iOS 8, it is still possible to create a fake fingerprint capable of fooling the TouchID sensor on both the iPhone 6 and the iPhone 6 Plus.

With Apple Pay on the iPhone 6 turning the fingerprint sensor into a payment authoriser, the security of that sensor matters more than ever, yet Apple hasn’t done enough to protect users. The iPhone 6 can be fooled with a cloned fingerprint lifted from a shiny surface and recreated using glue. It is worth mentioning that this isn’t a simple feat and won’t be within reach of every attacker.

What’s more, Apple hasn’t added any extra security measures now that it lets users make financial transactions with just a fingerprint. Shorter timeout periods or some form of second factor could be used, but neither is implemented yet.

Why is this Significant?
Apple may have identified a genuine desire for more convenient payment methods, but this cannot come at the cost of security. It probably won’t be too long before other services and goods can be paid for via the scanner, and even though the attack is not easy to perform, relying on the sensor alone is a risk. With many enterprises also looking at biometric systems of their own, this should serve as a warning sign: a fingerprint is an identifier that can be copied, not a secret that can be changed.

Third Party Keyboards Hit the Apple App Store but May Pose Security Risk

With iOS 8, Apple has finally enabled users to emulate one of Android’s best features – customizable third party keyboards. Opening up the keyboard to third-party developers allows for much more variety in the look and feel of iOS keyboards, plus innovative typing methods like Swype’s keyboard drawing method.

This does, however, open the door to several potential security issues that may concern enterprise users. These aren’t all drastic problems, but some enterprises may want to think twice about using third-party keyboards. Some keyboards require “Full Access,” which lets the keyboard transmit what you type back to the developer’s servers. Two mitigating details are worth knowing: iOS switches back to the system keyboard for password (secure text entry) fields, and an app can refuse third-party keyboards altogether by declining the keyboard extension point in its app delegate.

Apple is quick to warn that: “Full Access allows the developer of this keyboard to transmit anything you type, including things you have previously typed with this keyboard. This could include sensitive information such as your credit card number or street address.”

Why is this Significant?
This is a classic example of the clash between user experience and security. Smarter keyboards (prediction, personal dictionaries, cloud sync) need your typing data to learn from, and that is a worrying fact for the more security-conscious user. The popular Android keyboard Swype was downloaded more than one million times in its first 24 hours on the Apple App Store. Swype has proven to be a trustworthy service, but lesser-known apps may not be, and once Full Access is granted the user has no way to see what is actually sent.