This document summarizes a vulnerability in iOS that allows a malicious app installed via enterprise/ad-hoc provisioning to replace a previously installed app from the App Store if they share the same bundle identifier. It describes how an attacker could exploit this by social engineering a user to install a malicious app, which would then overwrite a legitimate app and potentially access its data or impersonate its interface. The document also outlines how this vulnerability presents a greater risk than on Android and discusses techniques used in proof-of-concept attacks, including bypassing a new alert in iOS 8 through URL scheme hijacking. It concludes with recommendations to mitigate the risk, such as always updating iOS and being wary of installing outside the App Store.
In July 2014 FireEye, together with the security researchers Stefan Esser and Jonathan Zdziarski, discovered [1] that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app previously installed through the App Store, as long as both apps used the same bundle identifier. This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier.
The malicious app could be downloaded and installed by a user via social engineering: once that is done, the new app overwrites the old one already installed on the device. The iOS preinstalled apps are an exception: they can't be substituted.
It is important to note that this attack puts iOS users at greater risk than their Android counterparts. Android offers a setting that prevents users from installing applications from sources other than the Play Store, while iOS has no such option.
These are the main threat scenarios of this kind of attack:
Non-jailbroken iOS devices are threatened too;
A user may not be aware of having a malicious app on the device, because it replaces one that was legitimately installed;
The malicious app can read all the unencrypted data stored by the previous app, except the Keychain, and send it to the attacker's servers;
The malicious app can mount a phishing attack mimicking the original app's UI and steal the related credentials;
The malicious app can be launched despite the alert prompt shown when launching enterprise-signed apps for the first time;
The malicious app can hijack the URL Schemes of a legitimate popular app in order to perform phishing attacks to steal credentials or gather data intended to be shared between two trusted apps.
Environment Setup
An enterprise provisioning profile matched with a developer certificate was used to perpetrate the attack: the public key inside the provisioning profile corresponds to the private key of the certificate installed on the host where the app is compiled.
The app is installed on the device over the air (OTA), using a local HTTPS web server.
It should be noted that developer certificates and mobile enterprise provisioning files can easily be found on the Internet through ad-hoc Google dorks. Below is a screenshot of a website where these files can be located:
For signing the created IPA, the iReSign tool was used (https://github.com/maciekish/iReSign):
As we can see, the IPA can be signed with a leaked developer certificate.
On 19 February 2015 FireEye security researchers presented a new kind of Masque Attack exploiting URL Scheme vulnerabilities [2].
On iOS 8, whenever a user launches an enterprise-signed app for the first time, they are asked whether or not to trust the new signing party, as can be seen from the following screenshot:
If the user taps "Don't Trust", the app does not open.
It has been discovered that this precaution is not enough: it is possible to bypass this alert by exploiting the current implementation of URL Schemes.
This can be demonstrated with the following setup: an Apple device with iOS 8.1.2 installed; a widely installed app, for example Facebook; an enterprise-signed app registering a URL Scheme identical to the one used by that app.
So it is possible to create an enterprise-signed app registering a URL Scheme used by Facebook, fb://, and bypass the alert prompt by calling that URL Scheme to open the malicious app.
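As an added example (not code from the slides or from FireEye), the following Python models the missing check described earlier, a replacement app sharing a bundle identifier but not a signing certificate, together with the URL Scheme collision described on this slide, and audits a constructed device inventory for both indicators the way a defender's MDM or inventory script would; all bundle identifiers, team identifiers and schemes are placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class InstalledApp:
    bundle_id: str
    team_id: str                  # team identifier from the code signature
    provisioning: str             # "appstore", "enterprise", "adhoc" or "system"
    url_schemes: List[str] = field(default_factory=list)

def install_allowed(existing: InstalledApp, new: InstalledApp,
                    enforce_signer_match: bool) -> bool:
    """May `new` replace `existing`?  enforce_signer_match=False models the
    behaviour the slides describe (only preinstalled apps are protected)."""
    if existing.bundle_id != new.bundle_id:
        return True                     # different bundle id: no replacement
    if existing.provisioning == "system":
        return False                    # preinstalled apps cannot be substituted
    if enforce_signer_match and existing.team_id != new.team_id:
        return False                    # same bundle id, different signer
    return True

def audit_inventory(apps: List[InstalledApp],
                    known_store_teams: Dict[str, str]) -> List[str]:
    """Flag a known store bundle id carried by a differently signed or
    non-store build, and a URL scheme claimed by more than one app."""
    findings: List[str] = []
    owners: Dict[str, List[str]] = defaultdict(list)
    for app in apps:
        expected_team = known_store_teams.get(app.bundle_id)
        if expected_team and (app.team_id != expected_team
                              or app.provisioning != "appstore"):
            findings.append(f"{app.bundle_id}: store app now signed by "
                            f"{app.team_id} via {app.provisioning} profile")
        for scheme in app.url_schemes:
            owners[scheme].append(app.bundle_id)
    for scheme, bundle_ids in owners.items():
        if len(bundle_ids) > 1:
            findings.append(f"{scheme}://: claimed by {', '.join(bundle_ids)}")
    return findings

# Constructed sample data; bundle ids, team ids and schemes are placeholders.
KNOWN_STORE_TEAMS = {"com.example.bank": "TEAM_BANK", "com.example.chat": "TEAM_CHAT"}
SAMPLE_INVENTORY = [
    InstalledApp("com.example.bank", "TEAM_EVIL", "enterprise", ["bank"]),  # replaced
    InstalledApp("com.example.chat", "TEAM_CHAT", "appstore", ["chat"]),
    InstalledApp("com.example.hr", "TEAM_CORP", "enterprise", ["chat"]),    # hijack
]
```

Calling audit_inventory(SAMPLE_INVENTORY, KNOWN_STORE_TEAMS) yields two findings: the bank app now carried by an enterprise build from another team, and the chat scheme claimed by two apps.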
Update iOS on the device to a version >= 8.1.3 as suggested above. Note that the URL Scheme hijacking vulnerability illustrated at the end of section 2.4 has not yet been fixed;
Don't install apps from third-party sources other than Apple's official App Store or the user's own organization;
Don't click "Install" on a pop-up from a third-party web page;
When opening an app, if iOS shows an alert with "Untrusted App Developer", tap "Don't Trust" and uninstall the app immediately. Nevertheless, note that this alert can be bypassed as shown in section 2.4 if iOS >= 8.1.3 is not installed.