
Mobile security risk to Android devices could impact almost 1 billion

A bug that can infect the operating system can spread itself with nothing more than one text message.

Smartphones that run on the Android operating system are now at risk from an important mobile security flaw that could allow a properly crafted text message to take over the device.

It is currently estimated that nearly 1 billion devices around the world are vulnerable to this bug.

According to mobile security experts, this flaw is now considered to be “the worst Android vulnerability in the mobile OS history.” Zimperium researchers who focus on this type of issue were among those who initially released details regarding this threat, which has been called “Stagefright.” This threat is dangerous enough that it can infect an Android-based smartphone simply through the receipt of an MMS message, regardless of whether or not the device user actually opens it.

Once the text is received, the bug triggers code that hands full control of the device to an attacker.

This Android bug gives the attacker control over everything from the camera and microphone to the data on the device, which can then be copied. In their blog releasing information about Stagefright, the Zimperium researchers explained that “These issues in Stagefright code critically expose 95 per cent of Android devices, an estimated 950 million devices.”

While Google has already issued a repair for the security flaw for its Android operating system, many carriers and phone makers haven’t yet released the update to consumers.

The problem itself was first spotted back in April by Zimperium’s Joshua Drake. Drake received recognition for this discovery from Google, when the company released a statement saying “We thank Joshua Drake for his contributions. The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device.”

Google also took care to point out the mobile security steps that are already in place for devices that run on its operating system. It pointed out that the majority of Android-based devices, including all of the ones running on the newer versions of the OS, include a number of different technologies that have been “designed to make exploitation more difficult.” Among them is an app sandbox that is meant to help keep user data and other device apps protected.

Mobile security flaw places millions of app users at risk

Researchers in Germany have now identified a common weakness in programming practices.

A research team in Germany has stated that it has found a common poor programming practice that could lead to data breaches affecting millions of app users.

The method of authenticating users could potentially place the personal data of those individuals at risk.

The flaw could expose the personal data of users of the apps whose developers followed this practice. The cause is the method by which the app developers authenticate users when storing and retrieving data in cloud databases, such as Amazon Web Services and Facebook's Parse. The researchers are from the Darmstadt University of Technology and the Fraunhofer Institute for Secure Information Technology.

The researchers identified the mobile security flaw by looking into 750,000 Google Play and Apple Store apps.

The researchers found that many of these apps authenticate by way of basic API tokens, despite the fact that there are other methods readily available that are considered to be notably more secure.

This app development strategy is in direct opposition to the best-practice advice that has been issued by cloud storage providers. According to a statement made by Amazon Web Services, it has been advised of a “small number” of mobile app developers who have apps that hold AWS credentials. It said that it is their belief that those developers have “inadvertently embedded their own AWS credentials within their mobile applications, which could lead to unauthorized use of the developer’s AWS services and data.”

The statement also pointed out that AWS took the step to communicate directly with each of those developers in order to offer them guidance for the removal of their credentials from the apps. They also took the step to “encourage them to carefully examine their AWS resources for unauthorised activity and provide assistance as needed.”

The German team’s leader, Professor Eric Bodden, said that this was a significant mobile security issue, as they were able to identify 56 million unprotected data sets.
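
A check that a developer can run on their own build before release to catch the embedded AWS credentials described above. This is an added example, not code from the article, the researchers or AWS. The regular expressions, function names and sample archive are assumptions of the example, and the key pair in the sample is the placeholder pair used in AWS documentation.

```python
import io
import re
import zipfile

# AWS access key IDs: 20 chars; "AKIA" = long-term IAM key, "ASIA" = temporary STS key.
KEY_ID = re.compile(rb"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# AWS secret access keys are 40 base64-style characters.
SECRET = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")


def scan_package(data, window=200):
    """Scan an APK or IPA (both are ZIP archives) for embedded AWS credentials.

    Returns a list of dicts: entry, key_id, kind, secret_nearby.
    Only plain ASCII strings are found; obfuscated or UTF-16 strings are missed.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            blob = pkg.read(name)  # decompressed entry contents
            for m in KEY_ID.finditer(blob):
                nearby = blob[max(0, m.start() - window):m.end() + window]
                findings.append({
                    "entry": name,
                    "key_id": m.group(0).decode("ascii"),
                    "kind": "long-term" if m.group(1) == b"AKIA" else "temporary",
                    "secret_nearby": SECRET.search(nearby) is not None,
                })
    return findings


def build_sample_package():
    """Constructed sample archive; the key pair is the example one from AWS docs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("assets/aws.properties",
                     "accessKey=AKIAIOSFODNN7EXAMPLE\n"
                     "secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
        pkg.writestr("res/raw/session.txt", "token id: ASIAABCDEFGHIJKLMNOP\n")
        # Longer uppercase run: must not be reported as a key ID.
        pkg.writestr("res/raw/notes.txt", "build tag XAKIAIOSFODNN7EXAMPLE01\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_package(build_sample_package()):
        print(finding)
```

A long-term key ID with a secret nearby is the finding to act on first: remove the key pair from the app, rotate it, and review the account for unauthorised activity, as the AWS statement advises.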