Mobile Security Recap–August 2012
It’s a little late, but I’m first now catching up on some of the recent news. :-) With the BlackHat and DefCon conferences in Las Vegas recently completed, there was a flurry of security news happening last few months. Here is a brief run-down of some highlights I found as it possibly affects the mobile computing world.
Slow patching puts Android users at further risk:
Take away: Android Beam (via NFC or Bluetooth) vulnerabilities to execute files, down-level OS and apps still being used by mobile operators.
Tools released at Defcon can crack widely used PPTP encryption in under a day:
Take away: Stop using PPTP VPN and WPA2 Enterprise, use IPSec or OpenVPN and don’t use WPA2 for WiFi if using MS-CHAPv2 authentication..
Inside how Google scans for Malware:
Whitepaper of their findings: https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH_US_12_Percoco_Adventures_in_Bouncerland_WP.pdf
Take away: Google bouncer app verification holes, how to make your internal or public applications more secure.
BTW, Google has now updated their Developer policy per August 1st 2012 (unknown if Trustwave helped pushed this along): http://play.google.com/about/developer-content-policy.html.
Google now is combatting spam, malware, and SMS/email usage. Any app updates after 30 days of this new policy and don’t comply are subject to warning or removal from Google Play immediately. This is excellent news!
Devices scanned on Mobile Networks:
Takeaway: If deploying on a public mobile network, especially M2M devices, make sure the devices can be locked down in some fashion. Reminds me of the old modem war-dailing days. :-)
Advanced Android Exploitation with AFE (Android Framework for Exploitation):
Takeaway: The Android platform could quickly become infested with bot networks as the current Windows platform. Understand malware and secure against it.
Apple iOS SMS Security Vulnerability
Takeaway: Careful to take basic communications as granted, SMS spoofing exists on any platform. Apple states it’s iMessage verifies addresses.