...stuff I do and things I like...

Tuesday, August 30 2016

Mobile Security News Update August 2016

Conferences
    Black Hat EU November: ARMAGEDDON: HOW YOUR SMARTPHONE CPU BREAKS SOFTWARE-LEVEL SECURITY AND PRIVACY by Clementine Maurice and Moritz Lipp. DETACH ME NOT - DOS ATTACKS AGAINST 4G CELLULAR USERS WORLDWIDE FROM YOUR DESK by Bhanu Kotte, Siddharth Rao and Silke Dr Holtmanns. POCKET-SIZED BADNESS: WHY RANSOMWARE COMES AS A PLOT TWIST IN THE CAT-MOUSE GAME by Federico Maggi and Stefano Zanero. STUMPING THE MOBILE CHIPSET by Adam Donenfeld.

    DerbyCon September: Beyond The ?Cript: Practical iOS Reverse Engineering by Michael Allen. AWSh*t. Pay-as-you-go Mobile Penetration Testing by Nathan Clark. Breaking Android Apps for Fun and Profit by Bill Sempf.

    AppSec USA November: QARK: Android App Exploit and SCA Tool by Tushar Dalvi and Tony Trummer. SecureMe - Droid: Android Security Application by Vishal Asthana and Abhineet Jayaraj. OWASP Reverse Engineering and Code Modification Prevention Project (Mobile) by Dave Bott and Jonathan Carter. ShadowOS: Modifying the Android OS for Mobile Application Testing by Ray Kelly.

Apple now has a bug bounty program. Details were presented at Black Hat in Ivan Krstic's talk BEHIND THE SCENES OF IOS SECURITY. Also see Starting this fall, Apple will pay up to $200,000 for iOS and iCloud bugs (via Ars).

Motorola confirms that it will not commit to monthly security patches. This is pretty bad since I actually liked their Pure Edition devices (devices that basically are just AOSP).

Protecting Android with more Linux kernel defenses. They added some features from Grsecurity. This makes me happy.

Google's Android has gotten so out of control that $55 billion Salesforce had to take drastic measures, basically Salesforce in the close future will only support specific Samsung Galaxy and Nexus devices. This is an interesting way to deal with the very diverse Android ecosystem.

Pegasus Spyware / Trident for iOS was based on 3 vulnerabilities unsurprisingly a WebKit memory corruption, a Kernel info leak, and a kernel memory corruption. The spyware was capable of accessing text messages, iMessages, calls, emails, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, Facetime, Calendar, Line, Mail.Ru, WeChat, Surespot, Tango, Telegram, and others. (Source: Lookout Technical Report).

Oversec.io seems to implement our idea of mobile OTR on top of any messenger app. Oversec still looks very beta and I haven't tried it out. If anybody has tried it I would like to hear about it.

Pictures of the month:
(source: @raviborgaonkari)

(source: @marcwrogers)

Links