While developing a tool for evaluating mobile application security, researchers at Sudo Security Group Inc. found out something unexpected.
Seventy-six popular applications in Apple's iOS App Store, they discovered, had implemented encrypted communications with their back-end services in such a way that user information could be intercepted by a man-in-the-middle attack. The applications could be fooled by a forged certificate sent back by a proxy, allowing their Transport Layer Security to be unencrypted and examined as it is passed over the Internet. The discovery was initially the result of bulk analysis.Read more
The hacker says this demonstrates that when organizations make hacking tools, those techniques will eventually find their way to the public. In January, experts reported that a hacker had stolen 900GB of data from mobile phone forensics company Cellebrite.
The data suggested that Cellebrite had sold its phone cracking technology to oppressive regimes such as Turkey, the United Arab Emirates, and Russia. Now the hacker responsible has publicly released a cache of files allegedly stolen from Cellebrite relating to Android and BlackBerry devices, and older iPhones, some of which may have been copied from publicly available phone cracking tools.Read more
Apple is introducing a new analytics section to its iOS privacy settings where it will ask for permission to analyze iCloud account data to improve Siri and other smart features.
Apple has been critical of Silicon Valley's addiction to harvesting and monetizing user data for ads, but it appears Apple sees some sense in accessing user data and will be seeking to use more of it in the near future. An iOS 10.3 beta released last week contained a note under the title 'iCloud Analytics & Privacy', explaining that Apple wants to analyze iCloud account data to improve intelligent features such as Siri.Read more
A three character-long text message can temporarily disable iPhones, a hacker has shown. On receiving the message, iPhones instantly freeze for around a minute, and sometimes users are forced to restart.
Besides blocking the number that the malicious messages come from the victim has no way of preventing the attack, although its effects are temporary and do not work on the most recent version of iOS. The bug is the latest in a series of strange text-message vulnerabilities that have affected iPhones in recent years. The offending message appears to contain just three characters - a white flag emoji, a “0” and a rainbow emoji.Read more
A lock is only good at protecting things if it actually stays locked. The activation lock in iOS, for example, makes it very hard for someone other than the owner to wipe an iPhone or iPad and set it up as a new device. Very hard, but not impossible.
Two different bugs have recently been discovered that could allow someone to bypass Apple’s activation lock. One impacts devices running iOS 10.1 and another on the most current version of the software, iOS 10.1.1. Expert workaround exploited a weakness in the iOS device setup process, and he tested it on a locked iPad he purchased from eBay.Read more
A team of computer hackers have demonstrated how the Tesla Model S can be located, unlocked and driven away without the key. By compromising the car's companion smartphone application, they used a laptop to remotely unlock the doors, start the electric car and 'steal' it from a colleague.
The hack exposes the internet weaknesses of products which can be accessed via apps and the internet. The Tesla app is commonly used by owners to check the battery level and charging status, see the location of their car, as well as set the climate control before getting in, and flash the lights to help find the car in a car park.Read more
A corrupted video being shared online will crash any iPhone or iPad it is played on, and in some cases causes the device to switch off and become unresponsive. The video is a file which can be played in the iOS Safari web browser, but quickly slows the device to a crawl, before causing it to lock up and freeze.
The flaw is being described as "completely crazy" and will crash any iOS device. It comes a year after a certain text message was discovered to crash and reboot iPhones whenever it was received. But where the text bug caused the iPhone to reboot, the newly discovered video file crashes the phone to such an extent that only a hard reset will bring the phone back to life.Read more
Setting a passcode on your iPhone is the first line of defense to help prevent other people from accessing your personal details. However, it's pretty much easy for anyone with access to your iPhone to bypass the passcode protection and access your personal photos and messages.
A new critical security flaw discovered in iOS 8 and newer, including 10.2 beta 3, allows anyone to bypass iPhone's passcode and gain access to personal information using the benevolent nature of Apple's personal assistant Siri. The security glitch has been discovered by EverythingApplePro and iDeviceHelps and now that they have gone public with a video.Read more
Security researchers have discovered a way to target a huge number of Android and iOS apps that could allow them to remotely sign into any victim's mobile app account without any knowledge of the victim.
A group of three researchers – Ronghai Yang, Wing Cheong Lau, and Tianyu Liu – from the Chinese University of Hong Kong has found that most of the popular mobile apps that support single sign-on (SSO) service have insecurely implemented OAuth 2.0. It is an open standard for authorization that allows users to sign in for other third-party services by verifying existing identity of their Google, Facebook, or Chinese firm Sina accounts.Read more
An analysis of transactions originating from devices protected by Zscaler security products reveals that iOS applications leak private user information in more situations than Android apps.
The result of this study shows that the generally accepted theory of iOS being more secure than Android doesn't necessarily apply to the apps running on these two platforms. According to data gathered in the last quarter, Zscaler says it detected around 200,000 transactions from a total of 45 million, where an app has leaked user data. The type of leaked information includes personally identifiable information, geo-location data, and device metadata.Read more