mobile security and privacy news
Your weekly digest of Mobile Security and Privacy News in under 9 minutes! Each digest will cover the past week of briefings so you can quickly catch up on all the important topics in mobile security and privacy.
If you have any topics you’d like me to cover in the future, just drop me a comment in the YouTube video.
Here’s links to the briefings covered in this weekly digest:
If you’re in the market for a new Android device and value your privacy, avoid purchasing it in China! While this is not likely for most folks following my content, it was eye opening to see just how much data is exfiltrated from mainland China devices.
I first came across this research in an article by The Register titled “Surprise! China’s top Android phones collect way more info”.
The researchers on the paper include Haoyu Liu (The University of Edinburgh), Douglas J.
In late January, Apple released a security update for what most folks would consider an ancient version of iOS (iOS 12.5.7). It’s rare to see an update for an iOS version that’s 4 major versions old so anyone organization with older iOS devices should take note.
I routinely check out Apple’s security updates page to monitor for bugs that require quick mitigation. You can see the specific security contents for iOS 12.
Sophos released some great analysis last month on fraudulent trading apps in Apple and Google app stores.
What really caught my interest was how the apps passed the app approval processes at both Apple and Google. As a mobile security researcher, I’ve long known that the review processes on both the App Store and Play Store are no substitute for bespoke mobile app security and privacy testing (full disclosure: I’m the co-founder of NowSecure).
“BetterHelp will be required to pay $7.8 million for deceiving consumers after promising to keep sensitive personal data private” reads the subtitle to the FTC press release on 2 Mar 2023. While BetterHelp roll out the tired response that the settlement “is no admission of wrongdoing”, it can still be true if you don’t admit it.
What exactly did they do? From the FTC complaint:
BetterHelp used and revealed consumers’ email addresses, IP addresses, and health questionnaire information to Facebook, Snapchat, Criteo, and Pinterest for advertising purposes, according to the FTC’s complaint
Your weekly digest of Mobile Security and Privacy News in under 8 minutes (shoot, 17 mins this week, sorry)! Each digest will cover the past week of briefings so you can quickly catch up on all the important topics in mobile security and privacy.
If you have any topics you’d like me to cover in the future, just drop me a comment in the YouTube video.
Here’s links to the briefings covered in this weekly digest:
Top10VPN researchers uncovered privacy violations in the top 10 unofficial ChatGPT apps on the Apple App and Android Play Stores. I say unofficial because OpenAI does not offer official ChatGPT mobile apps (you should use ChatGPT via the web interface).
It’s not surprising that a technology that exploded into the mainstream so quickly would also create an opportunity for privacy (and probably security) abuse. Many folks are probably not aware that these apps are unofficial and certainly don’t inspect what sort of data is collected.
The Cybersecurity Research Center at Synopsys analyzed the Software Bill of Material (SBOM) for 10 populars Android sports and betting apps and released their findings earlier this month. Not surprisingly, many of the apps contained outdated and vulnerable open source components.
You should take a look at the report as it’s interesting and well written. But I’d like to focus in on two important points that they made.
Exploitable Whenever a developer is presented with evidence of a vulnerable dependency, I suspect on of the first questions that comes to mind is: ok, but is that code used and exploitable?
Sam Curry (Twitter | Homepage), a Web Application Security Researcher, and a small group of friends found a staggering number of serious vulnerabilities in the mobile and web apps of nearly 20 automotive companies. He provides a fairly detailed write up on his blog “Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More” and here’s a Twitter thread about Hyundai and Genesis mobile app with starting with:
The Department of Defense’s Inspector General released a management advisory on 9 Feb 2023 titled “The DoD’s Use of Mobile Applications” (version with highlights). The advisory determined that:
“DoD personnel are conducting official business on their DoD mobile devices using mobile applications in violation of Federal and DoD electronic messaging and records retention policies” “DoD personnel are downloading mobile applications to their DoD mobile devices that could pose operational and cybersecurity risks to DoD information and information systems.