Showing posts with label mobile security. Show all posts
Showing posts with label mobile security. Show all posts

Monday, 13 March 2017

iPhone Spying Bugs Revealed By Wikileaks Have Been Fixed, Apple Says

 WikiLeaks
Apple iPhone is revered as the most secure device which even government security agencies can get into. But Wikileaks has revealed a number of vulnerabilities in the iPhone which can be easily utilized by the agencies to launch ‘zero day’ attacks. Apple was quick to swing into action which resulted in fixing all the vulnerabilities before can think about using it against millions of iPhone users. Wikileaks also pointed that a number of hacking tools were exclusively developed by the GCHQ which is the infamous British spy agency.
Apple has released an statement where it confirmed to fix all the vulnerabilities present in the 8,761 pages long documentation published by the Wikileaks. These vulnerabilities were not just limited to the iPhone but also the iPad and iOS as a whole.

Some tips to secure iPhone from hackers

  • Make use of PIN or fingerprint security: This will help you in securing the smartphone against unwanted individuals getting inside your phone. 
  • Make use of longer password: Simply going to the settings followed by ‘Touch ID & Passcode’ and turn the ‘Simple Passcode’ off. Now indulge in creating a complex and longer password for your phone which consists of upper and lower case letter along with numbers & symbols. 
  • Boost your privacy settings: Carefully allot the privileges for different apps by simply turning them on/ off by going to the Settings followed by ‘Privacy’. 
  • Don’t forget to activate the self destruct: When someone tries to break into your phone then you can set it for self-destruct where all the data will be deleted instantly. This feature can be activated by simply going to the Settings followed by the enabling the ‘erase data’. This will ensure that your iPhone turns the device cleans after ten incorrect PIN guesses. 
  • Turn of the notification: One doesn’t need to unlock the device in order to read the notification and this can result in revealing too much about you than you wish.
Apple has worked towards fixing the 14 different iOS vulnerabilities and it has been found that most of it was linked to the older version of the operating system. When compared against the Google’s Android operating system Apple iPhone is always considered to be highly secured and protected device. Secondly Apple tends to offer or bring over-the-air security updates to the iPhone more quickly than Google. Android platform isn’t known to be hyper active when it comes to operating system version up-gradation and updates.

Wikileaks has given a dramatic revelation to the world wherein it stated that CIA has dedicated the whole specialized unit of the Mobile Development Branch for the iOS devices. The reason behind is pretty simple as most of the prominent figures in the field of entertainment, politics and business tend to use iPhone than the Android device. Quite incidentally Apple has been in fierce battle against FBI over creating a backdoor in it device which will help agencies get into iPhone.

Monday, 23 November 2015

Chrome for Android vulnerability Discovered by Researcher

Chrome

Chinese Researcher Discovered Susceptibilities in Android Operating System

Google, over the past few months had been busy crushing security susceptibilities in its prevalent Android mobile operating system, though several tends to remain undiscovered and some could be easily misused. Guang Gong, a Chinese researcher from Qihoo 360, demonstrated at MobilPwn2Own at the PacSec conference in Tokyo on how an Android device running the latest version of the operating system could be hijacked by exploiting JavaScript v8 vulnerability through Chrome browser.

 Gong observed JavaScript v8 susceptibility in Chrome for Android enabled him to install a random application on the affected device, a BMX Bike game in this case, without the need of user interaction. Dragos Ruiu, PacSec organizer had explained in a Google+ post. V8 is Google’s open source JavaScript engine and V8 is written in C++, used in Google Chrome which is the open source browser from Google.

Google security engineer on site had received the bug. Spotpedia had informed that `a Google engineer instantly got in touch with Gong after his presentation and rumours were on that the Chrome team had already got it fixed. Gong had commented on 9to5Google that the exploit was created by someone whose job was to find vulnerabilities and not a hacker with malicious intentions.

Vulnerability in JavaScript Engine in Chrome

As long as Chrome is utilised in navigating to a malicious site an attacker has set up, the device could be infected.This was demonstrated on a Google Project Fi Nexus 6 operating the latest Android 6.0 Marshmallow build with all applications updated. The vulnerability was also demonstrated by the researcher which could provide an attacker with total control of the device and success of the exploitation does not need chaining in multiple susceptibilities.

Ruiu informs that this particular shot exploit had been exposed after three months of work, though the exact details on the security flaw had not been publicly known. The exploit had been tested on other devices too and worked on all of them, according to Ruiu.Considering that the vulnerability is in the JavaScript engine in Chrome, it is said to affect the entire Android version with the new version of the browser which is installed. Ruiu had announced through Twitter that the details on the vulnerability had been handed over to Chrome engineer at the conference.

Series of Critical Android Vulnerabilities Observed

However, unfortunately for Gong, his presentation at the conference did not gain him an immediate reward for his efforts though probably Google would reward him for the discovery of the vulnerability, since the company has a bug bounty program set up for Chrome and Chrome OS. According to The Register, Ruiu would fly Gong to the CanSecWest security conference next year.

Google would most probably handle this vulnerability soon, even though the details on the exploit have not been made public so far. A series of critical Android vulnerabilities have been discovered by security researchers this year comprising of the Stagefright flaw which has affected almost a billion devices and a Stagefright2issue alleged to have affected devices running all Android version, began with the initial release.

Tuesday, 1 September 2015

Certifi-gate Vulnerability

Certifi-gate

Certifi-gate Vulnerability – Disclosed at Black Hat Conference

Mobile application manipulating the Certifi-gate vulnerability which was disclosed at Black Hat conference in Las Vegas earlier this month has been removed from the Google Play store. Although the number of Recordable Activator downloads, which is a screen recorder app for Android devices soars between 100,000 and a half million, researchers at Check Point Software Technologies discovering the vulnerability stated that it would be successfully manipulated on only three devices.

The company had mentioned in a blog post, that the data seems to come from Check Point’s home-based Certifi-gate scanner application. Data from scans utilising the scanning app portray that LG devices the most are at a risk, together with Samsung and HTC, and 16% of the devices responding to scans indicate that they host vulnerable plugins. Certifi-gate which was revealed at Black Hat, three weeks ago and when misused, enables an attacker to take complete control of the device by using malicious mobile app or SMS message. The weakness is due to the third party remote support tools which are either pre-installed on Android devices by the developers and/or carriers, or are available to be downloaded.

Mobile Remote Support Tools – mRST

Mobile remote support tools – mRST tend to be generally signed with OEM certificates proving them system level privileges for the purpose of handling remote support tasks. It was revealed by Check Point at Black Hat that there are authentication problems which could be bypassed by malicious app utilising one of these mRST tools.

The issue with Recordable Activator is that it tends to download vulnerable form of TeamViewer as well as abused insecure communication between the app and system-level plugins. App that are signed with OEM certificates are treated as trusted and evade native Android restriction avoiding app like Recordable Activator in obtaining excessive permissions.

It could then be utilised in exploiting the prevailing authentication vulnerability as well as connect with the plugin in order to record whatever is happening on the screen, according to Check Point. Ohad Bobrov, researcher of Check Point, had explained at Black Hat that a malicious app tends to impersonate the original mRST to obtain access to everything on the device.

Tools Pre-installed with No UI

Bobrov stated during a press conference at Black Hat that the reason of this problem was that on several devices, these tools are preinstalled and in many cases since these tools do not have a UI, one is not aware of its existence on the device since one does not see an icon and it is not visible on the device to show that it exists.

Thus it tends to get easier for an attacker to take control of it. Check Point states that to patch up this problem is not easy since the tools which are generally preinstalled, may need manufacturers to push updated ROMs to vulnerable devices. Though new versions of remote support tools like TeamViewer tend to be released, the older versions could still be likely to be in circulation for a while.

He further adds that it would take a long time till a new version comes up though but the more problematic issue is not the bug but its architecture. The vendors and OEMS have signed this vulnerable mRST with their certificate and one cannot withdraw or else the plugin will not function.