Mobile app privacy enforcement push from California Attorney General Bonta - Mobile Privacy Briefing 2023.081

In late January 2023, California Attorney General Rob Bonta announced a CCPA (California Consumer Privacy Act) enforcement focus on mobile apps. The enforcement focuses on “popular apps in the retail, travel, and food service industries” that don’t allow or comply with consumer opt-out requests. A recent CCPA settlement involving Sephora cost the company $1.2m in penalties and obviously compliance with CCPA plus regular reporting to the AG’s office. We’re also seeing federal enforcement of mobile app privacy issues from the FTC, most recently with a $1.

How to build an iOS app archive via command line

In my previous post, I detailed “How to export an Ad Hoc iOS ipa using Xcode” however there are advantages to exporting an iOS app archive using the command line. Top of mind reasons include: faster than using Xcode with a mouse can automate the build process (e.g. with GitHub Actions) Make sure you followed along in the previous post so all prerequisites are met or have an active iOS app that you’ve successfully built and exported at least once.

How to export an Ad Hoc iOS ipa using Xcode

There are multiple ways to distribute an iOS app including the Apple App Store as well as an Ad Hoc build of your app that you can distribute and test on physical devices or services like NowSecure Platform for automated security and privacy testing (disclosure: I’m a co-founder at NowSecure). In this blog, I’ll walk you through the steps to export an iOS app using the Ad Hoc distribution method using Xcode.

3 ways to install Xcode on macOS [2023]

There are multiple ways to install Xcode on macOS and in this blog we’ll walk you through the three most common techniques: Mac App Store Apple Developer website Install Xcode with brew 1. Mac App Store Perhaps the easiest way to install Xcode is to use the Mac App Store. First run the Mac App Store app (⌘+Space and type app store) and then search for xcode: Next select GET and finally INSTALL (mine shows OPEN since I’ve already installed it) .

3 ways to install Java on macOS [2023]

Java is no longer preinstalled on macOS and even if it is, there are likely security patches or new capabilities you need for software to work properly. And if you are a developer, you will most likely need to install and manage multiple versions of Java (as well as other development runtimes). This article will show you 3 different ways you can install Java on a macOS computer. A future article will walk through techniques to manage which Java JDK you are using.

How to build React Native Android app with GitHub Actions

In this post, I’m going to automate the build process (see my previous post) for a React Native Android app with GitHub Actions. This obviously ties into the the DevOps tidal wave but in a way that’s very developer friendly. Developers spend significant time in GitHub and have a great developer experience (DX). Instead of popping out to external systems, you can build, test and deploy you app within GitHub and also leverage the extensive, open GitHub Marketplace to reuse workflows and integration into other systems.

How to detect Pushwoosh hidden Russian software in your mobile supply chain

On Monday, Reuters released an article disclosing “Russian software disguised as American finds its way into U.S. Army, CDC apps”. In it, they share: Thousands of smartphone applications in Apple and Google’s online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States, but is actually Russian, Reuters has found. The article is a fascinating read, almost from a spy novel, including fake business addresses and even fake LinkedIn profiles of “two Washington, D.

How to generate an Android SBOM per build with Github Actions

If you’d like to generate an Android SBOM every time you build your app, you can combine previous techniques discussed on this blog to achieve this with GitHub Actions + NowSecure. If you’re not a NowSecure customer, first sign up for 10 free SBOMs so you can follow along in the tutorial. To brush up on the previous techniques, check out my blog+video on how to generate an Android SBOM in CycloneDX format.

How to detect OpenSSL v3.0 and Heartbleed vulnerabilities in mobile apps

On 25 Oct 2022, OpenSSL began pre-notifying organizations of two critical vulnerabilities in OpenSSL 3.0.x. On the positive side, OpenSSL 3.0 had not been widely deployed and on 1 Nov 2022, the two vulnerabilities were downgraded to a high. However, on the heels of recent highly impactful vulnerabilities like Log4j and the devastating impacts of the OpenSSL “Heartbleed” vulnerability from 2014, defenders went on high alert. Popular mobile apps with OpenSSL With the recent tutorials I’ve been sharing on Software Bill of Materials, I decided to take a look at 3,845 very popular mobile apps to see if I could determine if an app contained a direct or transient OpenSSL dependency and if so, was that version vulnerable.

How to generate an Android (React Native) SBOM CycloneDX format

Let’s walk through the steps on how to generate a mobile SBOM for an Android app and compare the results from a source code vs. binary analysis. So that everyone can follow along, I decided to use the excellent open source note-taking app Joplin. The source code is available of GitHub and there are multiple flavors of the app including Android and iOS apps. The project also has a great article on building the Joplin applications which you can follow instead of the below directions if you prefer.