Wipe Leaves Crumbs, Android App Tampering, SMS iPhone Crash – Mobile Security Weekly

Both iOS and Android had several problematic issues this week, making it clear (once again!) that device vendors are failing millions of users from a security perspective. We also reiterate the fact that there are many different areas of “the mobile ecosphere” that can be the source of major security issues.


Factory Reset Leaves Android Master Cookie Crumbs

A new study reveals just how much data and information remains on an Android device after a factory reset. According to the research performed on 21 Android smartphones from five vendors running Android versions v2.3.x to v4.3, the factory reset function on most Android phones doesn’t work properly and more than 340 million phones are vulnerable.

The problem ranges from not properly sanitizing the data partition where credentials are stored to failing to wipe the internal SD card where multimedia files are generally saved. This means a threat actor can recover Google account information, Wi-Fi credentials, browsing history, email, texts, photos and third-party app information. An attacker could also retrieve the ‘Google master cookie’ from many of the devices – meaning the attacker could gain access to a user’s Gmail account with relative ease.


Why is this Significant?

With the modern trends of both BYOD and the buying and selling of second-hand devices, this issue gains much more traction than you might think. Despite Android 5 (Lollipop) having automatic encryption, there are still several areas, backup for instance, that require attention from the vendors. It is clear that a factory-reset device, in the wrong hands, can expose both personal and enterprise data.

Android App Tampering With a Single Click

A severe security flaw has been discovered within device APIs used to develop Android applications. This “major” security issue was discovered in Apache Cordova, an API platform developed by The Apache Software Foundation. Mobile app developers use Cordova to access native device functions, including cameras and accelerometers, from JavaScript.

The security vulnerability “…allows attackers to modify an Android app’s behavior via remote exploit if a victim clicks a malicious link. This is due to a lack of explicit values set in Config.xml by Android apps built using the Cordova framework, therefore creating an opportunity for threat actors to set undefined secondary configuration variables…”. This can cause unwanted dialogs to appear in applications as well as changes in app behavior that can include the app force-closing.
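Because the root cause is preferences left undeclared in config.xml, a build-time check can flag the ones an app never sets explicitly. The script below is an added example, not code from the article or from Apache Cordova; the preference baseline, the `audit_config` helper and the sample config are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed sample of Cordova Android preference names. The article does not say
# which preferences are affected, so replace this with your own baseline.
EXPECTED_PREFERENCES = frozenset({
    "Fullscreen", "LoadUrlTimeoutValue", "LoadingDialog",
    "ErrorUrl", "BackgroundColor", "KeepRunning", "LogLevel",
})

# Constructed sample config.xml, not taken from any real app.
SAMPLE_CONFIG = """\
<widget id="com.example.demo" version="1.0.0" xmlns="http://www.w3.org/ns/widgets">
  <name>Demo</name>
  <preference name="Fullscreen" value="false" />
  <preference name="loglevel" value="ERROR" />
  <platform name="android">
    <preference name="ErrorUrl" value="" />
  </platform>
</widget>
"""

def audit_config(xml_text, expected=EXPECTED_PREFERENCES):
    """Return (missing, empty): expected preferences that are never declared,
    and ones declared with a blank value. Parse only your own project's file."""
    root = ET.fromstring(xml_text)
    declared = {}
    for element in root.iter():
        # Drop the XML namespace so <preference> matches with or without one.
        if element.tag.rsplit("}", 1)[-1] != "preference":
            continue
        name = element.get("name")
        if name:
            # Assumption: names are compared case-insensitively.
            declared[name.lower()] = (element.get("value") or "").strip()
    missing = sorted(p for p in expected if p.lower() not in declared)
    empty = sorted(p for p in expected if declared.get(p.lower()) == "")
    return missing, empty

if __name__ == "__main__":
    missing, empty = audit_config(SAMPLE_CONFIG)
    print("not explicitly set:", ", ".join(missing) or "none")
    print("declared but blank:", ", ".join(empty) or "none")
```

Run it in CI against the project's own config.xml and fail the build when either list is non-empty.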

Why is this Significant?

The majority of Cordova-based apps, which account for 5.6 percent of all apps in Google Play, are vulnerable to this exploit. Despite the fact that Apache is aware of the problem and is due to release fixes and updates, it’s a worry that this problem ever existed in the first place. This again proves that there are multiple “levels” of responsibility for mobile security – it isn’t just the developers of the apps, vendors and the users. Danger can come from several other directions.

Simple SMS Message Crashes iPhones

Users on Reddit have discovered that an iPhone can be disabled by a string of English and Arabic characters, and there’s currently no fix. Receiving the text will cause an iPhone with its screen locked to reboot without warning, or, if the iPhone is on, freeze or crash when a notification banner is displayed. Unfortunately, if the notification is displayed again when the phone restarts, it can get into a cycle of repeated crashes, effectively making your iOS device unusable.


Why is this Significant?

The hack is trending worldwide, so it won’t be long before Apple releases a fix for this issue. Despite being mainly an annoyance at the moment, this shows that iOS is a lot more vulnerable than people like to believe. Another factor is that there’s a definite possibility that the mechanism of the text attack could evolve into something much more dangerous.