ios

TikTok privacy insights via reverse engineering - Mobile Privacy Briefing 2023.084

On the more technical side, my friend Sebas creates a curated weekly summary of security (and other) topics in the Security Pills Newsletter. In Issue 27, he linked to an interesting technical write-up of the great lengths TikTok has gone to obfuscate how their code works, in particular the parts related to the sensitive personal data collected (shout out to vetias at nullpt.rs for the excellent reverse-engineering work and write-up).

Scandinavian Airlines mobile app cyberattack - Mobile Security Briefing 2023.083

On 14 Feb 2023, Scandinavian Airlines warned users to stop using their mobile app as they were under an active cyberattack and users might receive incorrect data, including other customers' personal information such as:

contact details
previous and upcoming flights
last four digits of the credit card number

The incident was resolved several hours later, but additional details are not available at this time. The last update was posted in the Newsroom section of the SAS website on February 15, 2023 12:56.

Actively exploited WebKit flaw patched in iOS 16.3.1 - Mobile Security Briefing 2023.082

Apple released an emergency update to iOS, iPadOS, macOS and Safari on 13 Feb 2023 to patch a security flaw in WebKit, a web browser engine developed by Apple which powers many apps in the Apple ecosystem and beyond. The Security update page was updated on 20 Feb 2023 to include information on additional security flaws patched in the software update. If you haven’t updated your Apple devices yet, you should stop reading this article and upgrade immediately!

Mobile app privacy enforcement push from California Attorney General Bonta - Mobile Privacy Briefing 2023.081

In late January 2023, California Attorney General Rob Bonta announced a CCPA (California Consumer Privacy Act) enforcement focus on mobile apps. The enforcement focuses on “popular apps in the retail, travel, and food service industries” that don’t allow or comply with consumer opt-out requests. A recent CCPA settlement involving Sephora cost the company $1.2m in penalties and obviously compliance with CCPA plus regular reporting to the AG’s office. We’re also seeing federal enforcement of mobile app privacy issues from the FTC, most recently with a $1.

How to build an iOS app archive via command line

In my previous post, I detailed "How to export an Ad Hoc iOS ipa using Xcode"; however, there are advantages to exporting an iOS app archive using the command line. Top-of-mind reasons include:

faster than using Xcode with a mouse
can automate the build process (e.g. with GitHub Actions)

Make sure you followed along in the previous post so all prerequisites are met, or have an active iOS app that you've successfully built and exported at least once.

How to export an Ad Hoc iOS ipa using Xcode

There are multiple ways to distribute an iOS app including the Apple App Store as well as an Ad Hoc build of your app that you can distribute and test on physical devices or services like NowSecure Platform for automated security and privacy testing (disclosure: I’m a co-founder at NowSecure). In this blog, I’ll walk you through the steps to export an iOS app using the Ad Hoc distribution method using Xcode.

How to detect Pushwoosh hidden Russian software in your mobile supply chain

On Monday, Reuters released an article disclosing “Russian software disguised as American finds its way into U.S. Army, CDC apps”. In it, they share: Thousands of smartphone applications in Apple and Google’s online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States, but is actually Russian, Reuters has found. The article is a fascinating read, almost from a spy novel, including fake business addresses and even fake LinkedIn profiles of “two Washington, D.

How to detect OpenSSL v3.0 and Heartbleed vulnerabilities in mobile apps

On 25 Oct 2022, OpenSSL began pre-notifying organizations of two critical vulnerabilities in OpenSSL 3.0.x. On the positive side, OpenSSL 3.0 had not been widely deployed, and on 1 Nov 2022 the two vulnerabilities were downgraded to high severity. However, on the heels of recent highly impactful vulnerabilities like Log4j and the devastating impact of the OpenSSL "Heartbleed" vulnerability from 2014, defenders went on high alert.

Popular mobile apps with OpenSSL

With the recent tutorials I've been sharing on Software Bill of Materials, I decided to take a look at 3,845 very popular mobile apps to see if I could determine whether an app contained a direct or transitive OpenSSL dependency and, if so, whether that version was vulnerable.