Archive for the 'security' Category

Mitigating Tap Jacking

Tuesday, August 26th, 2014

You might have heard very recent press saying it’s possible to hack into apps such as Gmail. The source of this is a presentation from the 23rd USENIX Security Symposium, "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks".
While the use of shared memory to discover app use […]

Listening in on Android Apps

Thursday, August 21st, 2014

FireEye has a new post on man-in-the-middle (MITM) vulnerabilities on Android. While it covers Android, the coding flaws are just as applicable to iOS. FireEye found that 68% of the 1000 most downloaded apps had one of three SSL vulnerabilities. For the avoidance of doubt, these are vulnerabilities introduced through app coding, […]

Severe Security Flaws Found In Security Apps

Friday, August 1st, 2014

Trend Micro has a post on how flaws have been found in some file locker apps. The problem is that developers have mistakenly thought that hiding sensitive information makes it secure. Unfortunately, you can’t get security through obscurity. The scary thing is that consumers have been trusting these apps with their particularly sensitive information. One […]

Android Security Perfect Storm Pending?

Tuesday, July 29th, 2014

Last January I reflected on my Android-only strategy and commented that a worrying area is Android security. The severity and number of vulnerabilities have since grown. For example, only today, the FakeId bug, which affects all versions of Android from 2.1 to 4.4, was publicised. Allied to this is poor security in the most-used apps. […]

Has Your Android App Been Repackaged as Malware?

Friday, July 25th, 2014

Trend Micro have an interesting recent article on repackaged Android apps. That is, apps that have been downloaded, reverse engineered, modified and re-uploaded to app stores to look like the original app. Modifications often include malware to capture private data and/or generate income from advertisements. Trend Micro found that nearly 80% of the top 50 […]

Facebook Mobile SDK Vulnerability

Thursday, July 17th, 2014

Last week I came across a post by MetaIntell regarding a Facebook SDK vulnerability under iOS and Android "affecting billions of installations". I have used the Facebook SDK in multiple Android apps, so I dug deeper.
There’s more information on the MetaIntell blog. On iOS, the Facebook SDK is storing access tokens in the app’s .plist and […]

What You Ought To Know About Android WebViews

Friday, July 11th, 2014

Do you use WebViews in your Android app? If you say ‘no’, are you sure? What about third-party libraries/SDKs that you have included? Many, such as ad libraries, Facebook and LinkedIn, use WebViews.
In researching references for AndroidSecurity.guru I realised the use of WebViews is probably the area most overlooked when it comes to security. […]

Android Malware War of Words

Friday, July 4th, 2014

Google’s head of Android security, Adrian Ludwig, has said that people buying anti-malware software for Android will probably get no extra protection over that already provided by Google Play services. The risk of potentially harmful applications ending up on users’ devices is significantly overstated and the actual risk of a damaging app being installed is […]