Category Archives: Mobile

Stolen user data from MyFitnessPal and other services hits the dark web

Stolen user information from 16 popular apps and services including Dubsmash and MyFitnessPal is now being sold on the dark web, according to a report from The Register. A seller on the dark web marketplace Dream Market has come forward offering login details for more than 617 million accounts for just under $20,000, to be paid in Bitcoin.

Source: The Register

Adiantum will bring encryption on Android devices without cryptographic acceleration

Google announced Adiantum, a new encryption method devised to protect Android devices without cryptographic acceleration.

“Adiantum is an innovation in cryptography designed to make storage encryption more efficient for devices without cryptographic acceleration, to ensure that all devices can be encrypted,” reads the announcement published by Google.

Since Android 6.0, user data have been protected with Advanced Encryption Standard (AES) encryption; however, AES is slow on devices with low-end processors that lack hardware support for it.

The new encryption mode is intended for devices running Android 9 and higher whose CPUs lack AES instructions.

For this reason Google developed Adiantum, which builds a length-preserving encryption mode around the ChaCha stream cipher. ChaCha offers both security and good performance in the absence of dedicated hardware acceleration.

Google's engineers report that on ARM Cortex-A7 processors Adiantum encryption and decryption are around five times faster than AES-256-XTS.

Adiantum performance

“Unlike modes such as XTS or CBC-ESSIV, Adiantum is a true wide-block mode: changing any bit anywhere in the plaintext will unrecognizably change all of the ciphertext, and vice versa. It works by first hashing almost the entire plaintext,” continues Google.

“We also hash a value called the “tweak” which is used to ensure that different sectors are encrypted differently. This hash is then used to generate a nonce for the ChaCha encryption. After encryption, we hash again, so that we have the same strength in the decryption direction as the encryption direction.”
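The hash-encrypt-hash construction described in the quote above, as an added example that is not part of the original post or of Google's implementation. It keeps Adiantum's shape (hash the bulk and the tweak into the last 16-byte block, encrypt that block, use the result as the stream-cipher nonce for the bulk, then hash again) but swaps in stand-ins so that it runs with only the Python standard library: a pure-Python ChaCha20 (20 rounds, RFC 8439 layout) instead of XChaCha12, HMAC-SHA256 truncated to 128 bits instead of NH + Poly1305, a 4-round HMAC Feistel permutation instead of AES-256, and SHA-256 subkey derivation; the key, the tweak and the 4096-byte sector are constructed. The demo contrasts the result with a plain stream mode: there, flipping one plaintext bit flips exactly one ciphertext bit, while in the wide-block mode it changes about half of the ciphertext.

```python
"""Toy hash-encrypt-hash wide-block mode in the shape of Adiantum (editor's example, not Google's code)."""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20 block, RFC 8439 layout: 32-byte key, 32-bit counter, 12-byte nonce."""
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds (Adiantum itself uses 12-round XChaCha)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_keystream(key, nonce, counter0, length):
    blocks = (chacha20_block(key, (counter0 + i) & MASK32, nonce) for i in range((length + 63) // 64))
    return b"".join(blocks)[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _subkey(key, label):  # simplification: three subkeys derived from one master key
    return hashlib.sha256(label + key).digest()


def _hash128(key, tweak, data):
    """Stand-in for Adiantum's NH + Poly1305: keyed hash of (tweak, bulk) truncated to 128 bits."""
    return int.from_bytes(hmac.new(key, tweak + data, hashlib.sha256).digest()[:16], "little")


def _block16(key, block, encrypt):
    """Stand-in for AES-256 on the 16-byte middle block: a 4-round HMAC-based Feistel permutation."""
    left, right = block[:8], block[8:]
    for r in (range(4) if encrypt else range(3, -1, -1)):
        if encrypt:
            left, right = right, _xor(left, hmac.new(key, bytes([r]) + right, hashlib.sha256).digest()[:8])
        else:
            left, right = _xor(right, hmac.new(key, bytes([r]) + left, hashlib.sha256).digest()[:8]), left
    return left + right


def wide_block_encrypt(key, tweak, plaintext):
    """hash -> encrypt the 16-byte block -> stream-encrypt the bulk under that block -> hash again."""
    kh, ke, ks = _subkey(key, b"hash"), _subkey(key, b"block"), _subkey(key, b"stream")
    p_left, p_right = plaintext[:-16], int.from_bytes(plaintext[-16:], "little")
    p_mid = (p_right + _hash128(kh, tweak, p_left)) % (1 << 128)      # hash almost all the plaintext + tweak
    c_mid = _block16(ke, p_mid.to_bytes(16, "little"), encrypt=True)
    # the encrypted middle block is the stream nonce (12 bytes) and initial counter (4 bytes):
    # any change anywhere in the plaintext or tweak yields an unrelated keystream for the whole bulk
    c_left = _xor(p_left, chacha20_keystream(ks, c_mid[:12], int.from_bytes(c_mid[12:], "little"), len(p_left)))
    c_right = (int.from_bytes(c_mid, "little") - _hash128(kh, tweak, c_left)) % (1 << 128)  # hash again
    return c_left + c_right.to_bytes(16, "little")


def wide_block_decrypt(key, tweak, ciphertext):
    kh, ke, ks = _subkey(key, b"hash"), _subkey(key, b"block"), _subkey(key, b"stream")
    c_left, c_right = ciphertext[:-16], int.from_bytes(ciphertext[-16:], "little")
    c_mid = ((c_right + _hash128(kh, tweak, c_left)) % (1 << 128)).to_bytes(16, "little")
    p_left = _xor(c_left, chacha20_keystream(ks, c_mid[:12], int.from_bytes(c_mid[12:], "little"), len(c_left)))
    p_mid = int.from_bytes(_block16(ke, c_mid, encrypt=False), "little")
    p_right = (p_mid - _hash128(kh, tweak, p_left)) % (1 << 128)
    return p_left + p_right.to_bytes(16, "little")


def stream_only_encrypt(key, tweak, plaintext):
    """Baseline that is NOT wide-block: plain ChaCha20 with the sector number as nonce."""
    return _xor(plaintext, chacha20_keystream(_subkey(key, b"stream"), tweak[:12], 0, len(plaintext)))


def bit_difference(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    key = bytes(range(32))                                  # constructed demo key
    tweak = (7).to_bytes(16, "little")                      # sector number 7 as the tweak
    sector = bytes(range(256)) * 16                         # constructed 4096-byte sector
    flipped = bytearray(sector); flipped[100] ^= 1; flipped = bytes(flipped)
    assert wide_block_decrypt(key, tweak, wide_block_encrypt(key, tweak, sector)) == sector
    print("stream mode: ciphertext bits changed by one plaintext bit flip =",
          bit_difference(stream_only_encrypt(key, tweak, sector), stream_only_encrypt(key, tweak, flipped)))
    print("wide-block mode: ciphertext bits changed by one plaintext bit flip =",
          bit_difference(wide_block_encrypt(key, tweak, sector), wide_block_encrypt(key, tweak, flipped)))
```

Running the module prints the two counts; the stream-mode figure is 1 and the wide-block figure lands near 16384 of 32768 bits. The stand-ins carry no security claim of their own; the point is the wiring, which is also why decryption only works with the same tweak, so ciphertext copied to another sector decrypts to garbage rather than to the original data.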

Adiantum could be the optimal solution for a wide range of devices that lack dedicated encryption hardware, such as smartwatches, smart TVs and other IoT devices running Android.

“Our hope is that Adiantum will democratize encryption for all devices. Just like you wouldn’t buy a phone without text messaging, there will be no excuse for compromising security for the sake of device performance,” wrote Eugene Liderman, Director of Mobile Security Strategy, Android Security & Privacy Team. “Everyone should have privacy and security, regardless of their phone’s price tag.”

Google published technical details about the new encryption form in the paper titled “Adiantum: length-preserving encryption for entry-level processors.”

Pierluigi Paganini

(SecurityAffairs – Android, encryption)

The post Adiantum will bring encryption on Android devices without cryptographic acceleration appeared first on Security Affairs.

Android devices could be hacked by viewing a malicious PNG Image

Google patched a critical flaw in its Android OS that allows an attacker to compromise a target device by sending it a specially crafted PNG image file.

Opening an image file on your smartphone could allow attackers to compromise your Android device, due to three critical vulnerabilities: CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988.

The flaws affect millions of Android devices running versions of the Google OS, ranging from Android 7.0 Nougat to the latest Android 9.0 Pie.

Google addressed the three vulnerabilities in the Android Open Source Project (AOSP) as part of the February Android Security Updates.

Android PNG image hack

Although Google has addressed the flaws, each vendor still has to distribute the patch for its own models, and that process is often slow and irregular.

Google did not provide technical details of the flaws; it only reported that the security updates addressed a “heap buffer overflow flaw,” “errors in SkPngCodec,” and vulnerabilities in some components that render PNG images.

According to the security advisory published by Google, the most severe of the three vulnerabilities could allow a maliciously crafted .PNG image file to execute arbitrary code on vulnerable Android devices.

“The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process,” reads the security bulletin.

“The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.”

Experts pointed out that an attacker could exploit the flaw by tricking potential victims into opening a maliciously crafted PNG image file on their Android device.

The malicious image could be sent through a mobile message service or an email app.

Google addressed three critical flaws in the Framework component; overall, the bulletin fixes 11 critical issues. The tech giant addressed a total of 42 flaws, 30 of which were rated high severity.

Google also fixed four flaws in Android components from NVIDIA and five in components from the chip maker Qualcomm.

The good news is that Google is not aware of any in-the-wild exploitation of the flaws it addressed.

Google reported the flaws to its partners in January.

“Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP,” concludes Google.

Pierluigi Paganini

(SecurityAffairs – Android, PNG)


Experts found popular beauty apps in the Play Store including malicious code

Researchers at Trend Micro discovered at least 29 malicious photo editing and beauty apps capable of a range of malicious activities.

Crooks continue to abuse the Google Play store to distribute malicious apps: this time, experts at Trend Micro discovered at least 29 malicious photo editing and beauty apps that were stealing users’ photos.

The malicious apps in the Google Play Store have been downloaded more than 4 million times before they were removed.

malicious camera beauty apps

The photo editing and beauty apps contained code that could perform a broad range of malicious activities.

Experts estimated that three of the tainted applications (Pro Camera Beauty, Cartoon Art Photo, Emoji Camera) had been downloaded more than a million times. Artistic Effect Filter was downloaded over 500,000 times, and seven other rogue apps were installed over 100,000 times.

“We discovered several beauty camera apps (detected as AndroidOS_BadCamera.HRX) on Google Play that are capable of accessing remote ad configuration servers that can be used for malicious purposes,” reads the analysis published by Trend Micro.

“Some of these have already been downloaded millions of times, which is unsurprising given the popularity of these kinds of apps.”

An Android user who downloads one of the malicious apps will not immediately see any suspicious behavior.

Once installed, some of these apps redirect users to phishing websites, while others push full-screen advertisements for fraudulent or pornographic content every time the victim unlocks the device.

Some of the beauty apps contained malicious code that uploads users’ photos to a remote server controlled by the author.

However, instead of displaying an edited photo, the apps display a picture with a fake update prompt in nine different languages.

“However, instead of getting a final result with the edited photo, the user gets a picture with a fake update prompt in nine different languages,” continues the analysis.

“The authors can collect the photos uploaded in the app, and possibly use them for malicious purposes — for example as fake profile pics in social media.”

Some of the beauty apps use packers to hinder analysis by security firms; they also hide the app icon from the list of installed applications to make them harder for users to uninstall.

Trend Micro reported the list of malicious apps to Google, which quickly removed them from the Play Store.

Experts recommend downloading mobile apps only from the official store and only from known and trusted developers. Users should also check app reviews and never install applications for which anomalous behavior has been reported.

Additional information, including Indicators of Compromise (IoCs), is provided in the post published by Trend Micro.

Pierluigi Paganini

(Security Affairs – beauty apps, malware)


Metro Bank is the first bank that disclosed SS7 attacks against its customers

Metro Bank has become the first major bank to disclose SS7 attacks against its customers, but experts believe it isn’t an isolated case.

A new type of cyber attack has been used, for the first time, against Metro Bank: threat actors are leveraging known flaws in the SS7 signaling protocol to intercept the codes that the bank sends to customers via text message to authorize transactions.

Signaling System 7 (SS7) is a set of protocols developed in 1975 that allows one mobile phone network to connect to another. The information passed from one network to another is needed to route calls and text messages between networks.

SS7 performs out-of-band signaling in support of the call establishment, billing, routing, and information exchange functions of the public switched telephone network (PSTN).

Attackers exploited the SS7 flaws to defeat the SMS-based two-factor authentication (2FA) that Metro Bank uses to protect its customers.

“This activity was typically only within reach of intelligence agencies or surveillance contractors, but now Motherboard has confirmed that this capability is much more widely available in the hands of financially-driven cybercriminal groups, who are using it to empty bank accounts,” reported Motherboard, which first revealed the attacks.

“So-called SS7 attacks against banks are, although still relatively rare, much more prevalent than previously reported. Motherboard has identified a specific bank—the UK’s Metro Bank—that fell victim to such an attack.”

ss7 Metro Bank attacks

This is not an isolated case; other banks have also been affected by this specific attack. A Metro Bank spokesman confirmed that only a “small number” of the bank’s customers had been affected.

“At Metro Bank we take our customers’ security extremely seriously and have a comprehensive range of safeguards in place to help protect them against fraud. We have supported telecommunication companies and law enforcement authorities with an industry-wide investigation and understand that steps have been taken to resolve the issue,” said the bank spokesman.

“Of those customers impacted by this type of fraud, an extremely small number have been Metro Bank customers and none have been left out of pocket as a result. Customers should continue to remain vigilant and report any suspicious activity using the number on the back of their card or on our website.”

Metro Bank immediately informed the authorities of the attacks, but many other financial institutions affected by SS7 attacks have not disclosed them.

“We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA),” said a National Cyber Security Centre spokesman.

“While text messages are not the most secure type of two-factor authentication, they still offer a huge advantage over not using any 2FA at all.”

Karsten Nohl, a researcher from Security Research Labs, has conducted numerous studies of the flaws affecting SS7 and confirmed that many banks have suffered similar attacks.

“Some of our clients in the banking industry or other financial services; they see more and more SS7-based [requests],” Karsten Nohl, a researcher from Security Research Labs who has worked on SS7 for years, told Motherboard in a phone call. “All of a sudden you have someone’s text messages.”

The British telecom company BT confirmed that it is aware of SS7 attacks being used to commit banking fraud.

“Customer security is our top priority so we’re always upgrading our systems and working with the industry and banks to help protect our customers,” said a BT spokesperson.

Who is behind the SS7 attacks on Metro Bank?

Experts believe a well-resourced and coordinated cybercriminal group of highly skilled professionals is behind the attacks.

“[Graeme Coffey, head of sales at cybersecurity firm AdaptiveMobile] said criminals could have acquired access from legitimate providers, or are piggybacking off that access, making the SS7 requests appear somewhat more legitimate.” concludes Motherboard. “Nohl pointed to how hackers could target someone who already has SS7 access. In 2017, this reporter went undercover as an SMS routing service and was successfully offered SS7 access for around $10,000.”

Pierluigi Paganini

(Security Affairs – SS7 protocol, Metro Bank)


Security Affairs newsletter Round 199 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web”, is online with a special deal: a 20% discount on both the Kindle Edition and the Paper Copy.

Once again thank you!

Using steganography to obfuscate PDF exploits
Aztarna – the open-source scanning tool for vulnerable robots
Cobalt cybercrime gang abused Google App Engine in recent attacks
Dailymotion forces password reset in response to credential stuffing Attack
Hackers are targeting Cisco RV320/RV325, over 9K routers exposed online
Hackers compromise WordPress sites via Zero-Day flaws in Total Donations plugin
Authorities shut down XDEDIC marketplace in an international operation
Disable FaceTime, a bug lets you hear a person's audio before he answers
Law enforcement worldwide hunting users of DDoS-for-Hire services
Netanyahu accuses Iran of cyber attacks carried out daily
US DoJ charges Huawei with sanctions violations and technology espionage
Facebook paid teens $20 to install a Research App that spies on them
Iran-Linked APT39 group use off-the-shelf tools to steal data
Reading the ENISA Threat Landscape Report 2018
Skyscanner launches a public bug bounty program
Sofacy's Zepakab Downloader Spotted In-The-Wild
Airbus data breach exposes some employees' data
CookieMiner Mac Malware steals browser cookies and sensitive Data
Exclusive: spreading CSV Malware via Google Sheets
Imperva mitigated DDoS attack generated 500 Million Packets per Second, the largest ever
Researchers published the PoC exploit code for Linux SystemD bugs
Facebook dismantled a vast manipulation campaign tied to Iran
State Bank of India left archive with millions of Customer messages exposed
The return of the AdvisorsBot malware
US authorities aim to dismantle North Korea's Joanap Botnet
Apple issued a partial fix for recent FaceTime spying bug
Home Design website Houzz suffered a data breach
IBM experts warn of malicious abuses of Apple Siri Shortcuts
Operators of the TheMoon botnet offer it as a service

Pierluigi Paganini

(SecurityAffairs – newsletter)


IBM experts warn of malicious abuses of Apple Siri Shortcuts

IBM’s security researchers demonstrated that the Siri Shortcuts feature introduced in Apple iOS 12 can be abused by attackers.

Apple implemented Siri Shortcuts in iOS 12 to give users rapid access to applications and features; shortcuts can automate common tasks and can be integrated by third-party developers into their software.

Researchers at IBM Managed Security Services discovered that Siri Shortcuts can be abused by hackers to perform malicious activities.

“This new feature can be enabled via third-party developers in their apps, or custom built by users downloading the shortcuts app from the app store. Once downloaded and installed, the Shortcuts app grants the power of scripting to perform complex tasks on users’ personal devices,” reads the analysis published by IBM.

“But accessing the phone from Siri Shortcuts also presents some potential security risks that were discovered by X-Force IRIS and reported to Apple’s security team.”

Experts pointed out that Siri Shortcuts improve interaction between users and the device: shortcuts can be triggered directly from the lock screen or through existing apps, and users can also share shortcuts from the apps via iCloud.

Developers can have shortcuts appear on the lock screen or in the ‘search’ field, based on time, location and context.

“The shortcut can then appear on the lock screen or in ‘search’ when it is deemed appropriate to show it to the user based on time, location and context,” continues the analysis.

“For example, a user approaches their usual coffee shop, and the relevant app pops up a shortcut on the screen to allow them to order the usual cup of java and pay for it on the app before they even enter the coffee shop.”

siri shortcuts

Experts at IBM explained that the new feature could be used for malicious purposes such as scareware: a pseudo-ransom campaign that attempts to scare victims into paying the attackers by making them believe their data have been stolen by hackers.

Using native shortcut functionality, attackers can build a script that reads the ransom demands to the device’s owner in Siri’s voice. They can also automate data collection from the device (user’s current physical address, IP address, contents of the clipboard, stored pictures/videos, contact information and more) and present it to the victim to scare them.

“To move the user to the ransom payment stage, the shortcut could automatically access the Internet, browsing to a URL that contains payment information via cryptocurrency wallets, and demand that the user pay-up or see their data deleted, or exposed on the Internet,” continues the post.

What makes this scenario more alarming is that the attacker could configure the malicious Shortcut to spread itself to the victim’s contact list, prompting further potential victims to download and install it.

The video PoC of the attack shows how a Shortcut can change the device’s brightness and volume, speak a ransom note that includes convincing personal details, turn the flashlight on and off while vibrating, display the spoken note in a written alert, and open the URL of a page containing payment information, in addition to spreading via messages to the user’s contacts.

“In our security research labs, we tested the ransom attack scenario. The shortcut we created was named ‘Ransom’ in the video, but it could easily be named any other name to entice users to run it. Lures, such as game cheats/hacking, unlocking secret functionality in apps, or getting free money, often entice users to tap on a shortcut and see where it leads,” explained John Kuhn, senior threat researcher at IBM Managed Security Services.

Siri Shortcuts open the door to a broad range of social engineering attacks; they could be abused to trick victims into installing any kind of malware on their devices.

Below are some recommendations shared by the experts:

  1. Never install a Shortcut from an untrusted source.
  2. Check the permissions that the shortcut is requesting and never give permission to portions of your phone you are not comfortable with. Things like photos, location and camera could be used to obtain sensitive information.
  3. Use the show actions button before installing a third-party shortcut to see the underlying actions the shortcut might take. Look for things like messaging data to numbers you don’t recognize, emailing data out, or making SSH server connections to servers.

Pierluigi Paganini

(SecurityAffairs – Siri Shortcuts, hacking)

The post IBM experts warn of malicious abuses of Apple Siri Shortcuts appeared first on Security Affairs.

Security Affairs: IBM experts warn of malicious abuses of Apple Siri Shortcuts

IBM’s security researchers demonstrated that the Siri Shortcuts introduced in the Apple iOS 12 can be abused by attackers.

Apple implemented Siri Shortcuts in the iOS 12 to allow users to rapidly access to applications and features, they can automate common tasks and can be integrated by third-party developers in their software.

Researchers at IBM Managed Security Services discovered that
Siri Shortcuts can be abused by hackers to perform malicious activities.

“This new feature can be enabled via third-party developers in their apps, or custom built by users downloading the shortcuts app from the app store. Once downloaded and installed, the Shortcuts app grants the power of scripting to perform complex tasks on users’ personal devices.” reads the analysis published by IBM.

“But accessing the phone from Siri Shortcuts also presents some potential security risks that were discovered by X-Force IRIS and reported to Apple’s security team.”

Experts pointed out that Siri Shortcuts improve interactions between users and the device, it allows the implementation of access directly from the lock screen or through existing apps. Users can also share the Shortcuts from the apps via iCloud.

The shortcuts can be presented by developers on the lock screen or in ‘search’ field, based on time, location and context.

“The shortcut can then appear on the lock screen or in ‘search’ when it is deemed appropriate to show it to the user based on time, location and context.” continues the analysis.

“For example, a user approaches their usual coffee shop, and the relevant app pops up a shortcut on the screen to allow them to order the usual cup of java and pay for it on the app before they even enter the coffee shop.”

siri shortcuts

Experts at IBM explained that the new feature could be used to create for malicious purposes such as scareware, a pseudo ransom campaign that attempts to scare victims and trick them into paying attackers by making them believe their data were stolen by hackers.

The attackers can use native shortcut functionality, they can develop a script to provide the ransom demands to the device’s owner by using Siri’s voice. Attackers can also automate data collection from the device (user’s current physical address, IP address, contents of the clipboard, stored pictures/videos, contact information and more) and send them to the victims to scare them.

“To move the user to the ransom payment stage, the shortcut could automatically access the Internet, browsing to a URL that contains payment information via cryptocurrency wallets, and demand that the user pay-up or see their data deleted, or exposed on the Internet,” continues the post.

What’s making this attack scenario more scaring is that the attacker could configure the malicious Shortcut to spread to the victim’s contact list, with this trick they prompt potential victims to download and install the malicious Shortcut.

Below a video PoC of the hack that shows how a Shortcut can change the device’s brightness and volume, can speak a ransom note that includes convincing personal details, can turn the flashlight on and off while vibrating at the same time, can display the spoken note in a written alert, and access the URL of a page containing payment information, in addition to spreading via messages to users’ contacts.

“In our security research labs, we tested the ransom attack scenario. The shortcut we created was named ‘Ransom’ in the video, but it could easily be named any other name to entice users to run it. Lures, such as game cheats/hacking, unlocking secret functionality in apps, or getting free money, often entice users to tap on a shortcut and see where it leads,” explained John Kuhn, senior threat researcher at IBM Managed Security Services.

Siri Shortcuts open the door to a broad range of social engineering attacks, they could be abused to trick victims into installing any kind of malware on their devices.

Below some recommendations shared by the experts:

  1. Never install a Shortcut from an untrusted source.
  2. Check the permissions that the shortcut is requesting and never give permission to portions of your phone you are not comfortable with. Things like photos, location and camera could be used to obtain sensitive information.
  3. Use the Show Actions button before installing a third-party shortcut to see the underlying actions the shortcut might take. Look for things like messaging data to numbers you don’t recognize, emailing data out, or making SSH connections to servers.

Pierluigi Paganini

(SecurityAffairs – Siri Shortcuts, hacking)

The post IBM experts warn of malicious abuses of Apple Siri Shortcuts appeared first on Security Affairs.


Apple pulls Facebook enterprise certificate

It’s been an astonishing few days for Facebook. They’ve seen both an app and their enterprise certificate removed and revoked with big consequences.

What happened?

Apple issues enterprise certificates to organizations so that they can create internal apps. Those apps are never released on the App Store, because the terms of service don’t allow it. Anything storefront-bound must go through Apple’s mandatory app review before being listed for sale.

What went wrong?

Facebook put together a “Facebook research” market research app using the internal process. However, they then went on to distribute it externally to non-Facebook employees. And by “non Facebook employees” we mean “people between the ages of 13 to 35.” In return for access to large swathes of user data, the participants received monthly $20 gift cards.

The program was managed via various Beta testing services, and within hours of news breaking, Facebook stated they’d pulled the app.

Problem solved?

Not exactly. Apple has, in fact, revoked Facebook’s certificate, essentially breaking all of their internal apps and causing major disruptions for their 33,000 or so employees in the process. As per the Apple statement:

We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers…a clear breach of their agreement.

Whoops

Yes, whoops. Now the race is on to get things back up and running over at Facebook HQ. Things may be a little tense behind the scenes due to, uh, something similar involving a VPN-themed app collecting data it shouldn’t have been earlier this year. That one didn’t use the developer certificate, but it took some 33 million downloads before Apple noticed and decided to pull the plug.

Could things get any worse for Facebook?

Cue Senator Ed Markey, with a statement on this particular subject:

“It is inherently manipulative to offer teens money in exchange for their personal information when younger users don’t have a clear understanding of how much data they’re handing over and how sensitive it is,” said Senator Markey. “I strongly urge Facebook to immediately cease its recruitment of teens for its Research Program and explicitly prohibit minors from participating. Congress also needs to pass legislation that updates children’s online privacy rules for the 21st century. I will be reintroducing my ‘Do Not Track Kids Act’ to update the Children’s Online Privacy Protection Act by instituting key privacy safeguards for teens.

But my concerns also extend to adult users. I am alarmed by reports that Facebook is not providing participants with complete information about the extent of the information that the company can access through this program. Consumers deserve simple and clear explanations of what data is being collected and how it is being used.”

Well, that definitely sounds like a slide towards “worse” instead of “better.”

A one-two punch?

Facebook is already drawing heavy criticism this past week for the wonderfully-named “friendly fraud” practice of kids making dubious purchases, and chargebacks being made. It happens, sure, but perhaps not quite like this. From the linked Register article:

Facebook, according to the full lawsuit, was encouraging game devs to build Facebook-hosted games that allowed children to input parents’ credit card details, save those details, and then bill over and over without further authorisation.

While large amounts of money were being spent, some refunds proved to be problematic. Employees were querying why most apps with child-related issues are “defaulting to the highest-cost setting in the purchase flows.” You’d better believe there may be further issues worth addressing.

What next?

The Facebook research program app will continue to run on Android, which is unaffected by the certificate antics. There’s also this app from Google in Apple land which has since been pulled due to also operating under Apple’s developer enterprise program. No word yet as to whether or not Apple will revoke Google’s certificate, too. It could be a bumpy few days for some organizations as we wait to see what Apple does next. Facebook, too, could certainly do with a lot less bad publicity as it struggles to regain positive momentum. Whether that happens or not remains to be seen.

The post Apple pulls Facebook enterprise certificate appeared first on Malwarebytes Labs.

Security Affairs: Facebook paid teens $20 to install a Research App that spies on them

Facebook is paying teens $20 a month to use its VPN app, called Facebook Research, that monitors their activity via their mobile devices.

2018 was a terrible year for Facebook, which found itself in the middle of the Cambridge Analytica privacy scandal. The social network giant was involved in other cases too; for example, it was forced to remove its Onavo VPN app from Apple’s App Store after it was caught collecting data through Onavo Protect, the Virtual Private Network (VPN) service it acquired in 2013.

According to a report presented by Privacy International in December at the 35C3 hacking conference held in Germany, the list of Android apps that send tracking and personal information back to Facebook includes dozens of apps, among them Kayak, Yelp, and Shazam.

Now, according to a report published by TechCrunch, Facebook is paying teenagers around $20 a month to use its VPN app, which monitors their activity via their mobile devices.

Facebook Research App Icon

Facebook is accused of using the VPN app to track users’ activities across multiple different apps, especially the use of third-party apps.

“Desperate for data on its competitors, Facebook  has been secretly paying people to install a ‘Facebook Research’ VPN that lets the company suck in all of a user’s phone and web activity, similar to Facebook’s Onavo Protect app that Apple banned in June and that was removed in August.” reads the report published by Techcrunch.

“Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access to network traffic in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity, a TechCrunch investigation confirms.”

TechCrunch reported that some documentation refers to the Facebook Research program as “Project Atlas,” and added that Facebook confirmed the existence of the app.

The news is disconcerting: despite the privacy cases in which Facebook has been involved, the company has been paying users aged 13 to 35 as much as $20 per month plus referral fees for installing Facebook Research on their iOS or Android devices. The company described the ‘Facebook Research’ app as a “paid social media research study.”

Facebook is distributing the app via third-party beta testing services Applause, BetaBound, and uTest that were also running ads on Instagram and Snapchat recruiting participants to install Facebook Research.

Let’s take a closer look at the Facebook Research app. The app requires users to install a custom root enterprise certificate, which allows the social media giant to collect private messages in social media apps, chats from instant messaging apps, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps installed on the user’s device.

Experts pointed out that in some cases the Facebook Research app also asked users to take screenshots of their Amazon order histories and send them back to Facebook.

The Applause site gives more detail on how the company could use the data:

“By installing the software, you’re giving our client permission to collect data from your phone that will help them understand how you browse the internet, and how you use the features in the apps you’ve installed . . . This means you’re letting our client collect information such as which apps are on your phone, how and when you use them, data about your activities and content within those apps, as well as how other people interact with you or your content within those apps. You are also letting our client collect information about your internet browsing activity (including the websites you visit and data that is exchanged between your device and those websites) and your use of other online services. There are some instances when our client will collect this information even where the app uses encryption, or from within secure browser sessions,” the terms read.

Facebook confirmed that the app was developed for research purposes, in particular to study how people use their mobile devices.

“Like many companies, we invite people to participate in research that helps us identify things we can be doing better,” explained Facebook.

“helping Facebook understand how people use their mobile devices, we have provided extensive information about the type of data we collect and how they can participate. We do not share this information with others, and people can stop participating at any time.”

Facebook’s spokesperson claimed that the app doesn’t violate Apple’s Enterprise Certificate program. TechCrunch points out that since Apple requires developers to use this certificate system only for distributing internal corporate apps to their own employees, “recruiting testers and paying them a monthly fee appears to violate the spirit of that rule.”

After the disclosure of the report, Facebook announced that it is planning to shut down the iOS version of the Facebook Research app.

Pierluigi Paganini

(SecurityAffairs – Facebook Research app, Privacy)

The post Facebook paid teens $20 to install a Research App that spies on them appeared first on Security Affairs.


Apple Users: Here’s What to Do About the Major FaceTime Bug

FaceTime is a popular way for people of all ages to connect with long-distance loved ones. The feature permits Apple users to video chat with other device owners from essentially anywhere at any time. And now, a bug in the software takes that connection a step further – as it permits users calling via FaceTime to hear the audio coming from the recipient’s phone, even before they’ve accepted or denied the call.

Let’s start with how the eavesdropping bug actually works. First, a user would have to start a FaceTime video call with an iPhone contact and while the call is dialing, they must swipe up from the bottom of the screen and tap “Add Person.” Then, they can add their own phone number to the “Add Person” screen. From there, the user can start a group FaceTime call between themselves and the original person dialed, even if that person hasn’t accepted the call. What’s more – if the user presses the volume up or down, the victim’s front-face camera is exposed too.

This bug acts as a reminder that these days your smartphone is just as data rich as your computer. So, as we adopt new technology into our everyday lives, we all must consider how these emerging technology trends could create security risks if we don’t take steps to protect our data.

Therefore, it’s crucial all iOS users that are running iOS 12.1 or later take the right steps now to protect their device and their data. If you’re an Apple user affected by this bug, be sure to follow these helpful security steps:

  • Update, update, update. Speaking of fixes – patches for bugs are included in software updates that come from the provider. Therefore, make sure you always update your device as soon as one is available. Apple has already confirmed that a fix is underway as we speak.
  • Be sure to disable FaceTime in iOS settings now. Until this bug is fixed, it is best to just disable the feature entirely to be sure no one is listening in on you. When a fix does emerge from Apple, you can look into enabling the service again.
  • Apply additional security to your phone. Though the bug will hopefully be patched within the next software update, it doesn’t hurt to always cover your device with an extra layer of security. To protect your phone from any additional mobile threats coming its way, be sure to use a security solution such as McAfee Mobile Security.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Apple Users: Here’s What to Do About the Major FaceTime Bug appeared first on McAfee Blogs.

Expert shares PoC exploit code for remote iOS 12 jailbreak On iPhone X

A researcher has published PoC exploit code for critical vulnerabilities that could be chained to jailbreak an iPhone X.

The security researcher Qixun Zhao of Qihoo 360’s Vulcan Team has published PoC exploit code for critical vulnerabilities in Apple’s Safari web browser and iOS that could be exploited by a remote attacker to jailbreak an iPhone X running iOS 12.1.2 and earlier versions.

Exploitation is quite simple: the attacker only needs to trick the victim into opening a specially crafted web page in the Safari browser.

The PoC code developed by Qixun Zhao, dubbed Chaos, chains two security flaws that were demonstrated at TianfuCup hacking contest in November.

The Chaos exploit code triggers two vulnerabilities: a type confusion memory corruption flaw in Apple’s Safari WebKit (CVE-2019-6227) and a use-after-free memory corruption bug (CVE-2019-6225) in the iOS kernel. Apple addressed the flaws with the release of iOS 12.1.3.

The Safari vulnerability allows maliciously crafted web content to execute arbitrary code on the targeted device; the second flaw then allows the attacker to elevate privileges and silently deploy a malicious application.

Zhao published a blog post that includes some details for the exploit code, the expert also shared a PoC video demonstration for it.

Zhao hasn’t published the exploit code for the iOS jailbreak to prevent attacks in the wild.

“I will not release the exploit code, if you want to jailbreak, you will need to complete the exploit code yourself or wait for the jailbreak community’s release. At the same time, I will not mention the exploit details of the post exploit, as this is handled by the jailbreak community,” Zhao said.

iPhone users are urged to install the latest iOS update as soon as possible.

Pierluigi Paganini

(SecurityAffairs – iOS jailbreak, Apple)

The post Expert shares PoC exploit code for remote iOS 12 jailbreak On iPhone X appeared first on Security Affairs.

Security Affairs: ES File Explorer vulnerabilities potentially impact 100 Million Users

Security expert Robert Baptiste (aka Elliot Alderson) discovered a vulnerability (CVE-2019-6447) in ES File Explorer that potentially exposes hundreds of millions of Android installs.

The ES File Explorer is an Android file manager that has over 100,000,000 installs and more than 500 million users worldwide according to its developer.

Baptiste discovered that the application runs a local HTTP server that listens on TCP port 59777.

The expert noticed that even if the app is closed, the server keeps running until the user kills all of ES File Explorer’s background services.

An attacker can connect to the server and retrieve a great deal of device information, including the list of installed apps. The scary aspect of the flaw is that a remote attacker can fetch a file from the victim’s device and launch an app on the phone.

“The ES File Explorer File Manager application through 4.1.9.7.4 for Android allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local Wi-Fi network.” reads the description provided by the Mitre.

“This TCP port remains open after the ES application has been launched once, and responds to unauthenticated application/json data over HTTP.”

The attack works even if the victim has never granted the app any permissions on the Android device.

Baptiste published PoC code on GitHub that an attacker on the same Wi-Fi network could use to list and download files from the victim’s device and SD card, launch apps, and view device information.

With the following Proof Of Concept (POC), you can:

  • List all the files in the sdcard in the victim device
  • List all the pictures in the victim device
  • List all the videos in the victim device
  • List all the audio files in the victim device
  • List all the apps installed in the victim device
  • List all the system apps installed in the victim device
  • List all the phone apps installed in the victim device
  • List all the apk files stored in the sdcard of the victim device
  • Get device info of the victim device
  • Pull a file from the victim device
  • Launch an app of your choice
  • Get the icon of an app of your choice
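The exposure described above, unauthenticated HTTP carrying application/json to TCP port 59777 on the local Wi-Fi network, is straightforward to spot in network logs. The following detection logic is an added example (not the page’s or Baptiste’s PoC) that runs over constructed, Zeek-like tab-separated http.log lines; the field order and the hypothetical monitored LAN ranges are assumptions for this example.

```python
"""Flag LAN clients talking to the ES File Explorer HTTP server (TCP 59777).

Added example: not the page's or Baptiste's code. Input is a constructed,
Zeek-style tab-separated http.log with the assumed column order
ts, orig_h, orig_p, resp_h, resp_p, method, uri, content_type.
"""
import ipaddress
from dataclasses import dataclass

ES_FILE_EXPLORER_PORT = 59777  # port named in the CVE-2019-6447 description

# Constructed sample log lines (not real traffic).
SAMPLE_HTTP_LOG = """\
1548000001.1\t192.168.1.20\t51234\t192.168.1.35\t59777\tPOST\t/\tapplication/json
1548000002.2\t192.168.1.20\t51235\t93.184.216.34\t443\tGET\t/\ttext/html
1548000003.3\t127.0.0.1\t40000\t127.0.0.1\t59777\tPOST\t/\tapplication/json
1548000004.4\t192.168.1.77\t51300\t192.168.1.35\t59777\tGET\t/\t-
1548000005.5\t10.0.0.5\t51400\t192.168.1.35\t8080\tPOST\t/api\tapplication/json
"""

# Hypothetical LAN ranges we monitor; adjust to the real network.
DEFAULT_MONITORED_NETS = ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")


@dataclass(frozen=True)
class Finding:
    ts: float
    src: str
    dst: str
    method: str
    uri: str
    reason: str


def parse_http_log(text):
    """Parse the assumed tab-separated layout; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 8:
            continue
        ts, src, sport, dst, dport, method, uri, ctype = fields
        records.append({
            "ts": float(ts), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "method": method,
            "uri": uri, "ctype": ctype,
        })
    return records


def find_es_explorer_exposure(records, monitored_nets=DEFAULT_MONITORED_NETS):
    """Return a Finding for every non-loopback request to port 59777 on a
    monitored LAN host. JSON requests match the unauthenticated API the CVE
    text describes; any other request to the port is still worth a look."""
    nets = [ipaddress.ip_network(n) for n in monitored_nets]
    findings = []
    for r in records:
        if r["dport"] != ES_FILE_EXPLORER_PORT:
            continue
        src = ipaddress.ip_address(r["src"])
        dst = ipaddress.ip_address(r["dst"])
        if src.is_loopback:
            continue  # the app talking to itself on-device is expected
        if not any(dst in n for n in nets):
            continue  # only report devices on networks we are responsible for
        if r["ctype"] == "application/json":
            reason = "unauthenticated JSON request to ES File Explorer port"
        else:
            reason = "non-JSON request to ES File Explorer port"
        findings.append(Finding(r["ts"], str(src), str(dst),
                                r["method"], r["uri"], reason))
    return findings


if __name__ == "__main__":
    for f in find_es_explorer_exposure(parse_http_log(SAMPLE_HTTP_LOG)):
        print(f"{f.ts:.1f} {f.src} -> {f.dst}:{ES_FILE_EXPLORER_PORT} "
              f"{f.method} {f.uri}  [{f.reason}]")
```

A hit identifies both the exposed phone (the destination) and the LAN client probing it, which is the pair an incident responder wants before asking the device owner to update or fully stop the app.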

As reported by Bleeping Computer, a few hours after Baptiste disclosed the CVE-2019-6447 flaw, the cybersecurity expert Lukas Stefanko from ESET announced the discovery of another local vulnerability in ES File Explorer.

A local attacker could exploit this second flaw to carry out a Man-In-The-Middle (MitM) attack, intercepting the app’s HTTP network traffic and replacing it with his own.

ES File Explorer versions up to 4.1.9.7.4 are affected by this MitM flaw.

At the time of writing, the ES File Explorer development team had announced a fix for “the http vulnerability issue,” but other bugs remain to be fixed.

Pierluigi Paganini

(SecurityAffairs – Liberia, DDoS)

The post ES File Explorer vulnerabilities potentially impact 100 Million Users appeared first on Security Affairs.


Android apps use the motion sensor to evade detection and deliver Anubis malware

Security experts from Trend Micro have recently spotted two Android apps that use the motion sensor to evade detection and spread the Anubis banking Trojan.

Malware authors continue to improve their malicious apps to avoid detection and infect the largest number of users.

Security experts from Trend Micro have recently spotted two Android apps in the Google Play Store, Currency Converter and BatterySaverMobi, that infected thousands of users with banking malware.

motion sensor data anubis

Currency Converter masquerades as a currency exchange app and BatterySaverMobi as a battery saver app; both use the motion sensors of infected Android devices to evade detection. The inputs from the sensors are checked before the apps install a banking Trojan dubbed Anubis.

With this trick, vxers attempt to avoid detection because the malicious code is able to detect the absence of the motion sensor in the emulators used by researchers to detect the malware.

“We looked into this campaign and found that the apps dropped a malicious payload that we can safely link to the known banking malware Anubis (detected by Trend Micro as ANDROIDOS_ANUBISDROPPER).”

“These apps don’t just use traditional evasion techniques; they also try to use the user and device’s motions to hide their activities,” reads the analysis published by Trend Micro.

“As a user moves, their device usually generates some amount of motion sensor data. The malware developer is assuming that the sandbox for scanning malware is an emulator with no motion sensors, and as such will not create that type of data. If that is the case, the developer can determine if the app is running in a sandbox environment by simply checking for sensor data.”

The infection process doesn’t start if the malware determines that the device and the user are still by analyzing the sensor data.

If the app does see sensor data, it runs the malicious code and then attempts to trick the victim into downloading and installing the Anubis payload APK through a fake system update, masquerading it as a “stable version of Android.”

If the user accepts the bogus system update, the dropper uses requests and responses over legitimate services such as Twitter and Telegram to locate its C2, downloads the Anubis banking Trojan from it, and installs it.

“Then, it registers with the C&C server and checks for commands with an HTTP POST request. If the server responds to the app with an APK command and attaches the download URL, then the Anubis payload will be dropped in the background.” continues the analysis.

Experts pointed out the Anubis banking Trojan uses a built-in keylogger to steal credentials and it is also able to take screenshots of the users’ screen while inserting credentials into any banking app.

Experts observed infections in 93 different countries, the latest variant of the Anubis banking Trojan targets at least 377 variations of financial apps.

The banking Trojan is also able to access contact lists and location, send spam messages to contacts, call numbers from the device, record audio, and alter external storage.

Further details on the malware, including IoCs are reported in the analysis published by Trend Micro.

Pierluigi Paganini

(SecurityAffairs – Anubis banking Trojan, motion sensor)

The post Android apps use the motion sensor to evade detection and deliver Anubis malware appeared first on Security Affairs.

Twitter fixed a bug in its Android App that exposed Protected Tweets

A bug in the Twitter app for Android may have exposed protected tweets, the social media platform revealed on Thursday.

The bug in the Android Twitter app affects the “Protect my Tweets” option in the account’s “Privacy and safety” settings, which restricts viewing of a user’s posts to approved followers.

People who used the Twitter app for Android may have had the protected tweets setting disabled after they made some changes to account settings, for example after a change to the email address associated with the profile.

“We’ve become aware of an issue in Twitter for Android that disabled the “Protect your Tweets” setting if certain account changes were made.” reads the security advisory published by the company.

“You may have been impacted by this issue if you had protected Tweets turned on in your settings, used Twitter for Android, and made certain changes to account settings such as changing the email address associated with your account between November 3, 2014, and January 14, 2019.”

The vulnerability was introduced on November 3, 2014, and was fixed on January 14, 2019, users using the iOS app or the web version were not impacted. 

Twitter has notified impacted users and has turned “Protect your Tweets” back on for them if it was disabled.

“We are providing this broader notice through the Twitter Help Center since we can’t confirm every account that may have been impacted. We encourage you to review your privacy settings to ensure that your ‘Protect your Tweets’ setting reflects your preferences,” continues the advisory.

Twitter recently addressed a similar bug: in December, the researcher Terence Eden discovered that the permissions dialog shown when authorizing certain apps could expose a user’s direct messages to the third-party app.

In September 2018, the company announced that an issue in the Twitter Account Activity API had exposed some users’ direct messages (DMs) and protected tweets to the wrong developers.

Twitter is one of the most influential social media platforms, and it has been used in multiple cases by nation-state actors as a vector for disinformation and propaganda.

In December Twitter discovered a possible nation-state attack while it was investigating an information disclosure flaw affecting its platform.

Pierluigi Paganini

(SecurityAffairs – Twitter app, Android)

The post Twitter fixed a bug in its Android App that exposed Protected Tweets appeared first on Security Affairs.

Where Can IT Get Expert Guidance for Managing Android in the Enterprise?

Over the past decade, Android has taken the enterprise by storm. In each new operating system (OS) version update, its capabilities continue to become more business-friendly as the strength and depth of its mobile security functionality improves. With these changes considered, it’s clear Google is committed to delivering an OS that transcends the consumer world into the enterprise. For this reason, it’s no surprise that one of the world’s most popular platforms appears on IT’s shortlist for new device investments and bring-your-own-device (BYOD) programs.

Despite its extensive improvements over time, one of the biggest questions that remains for IT decision-makers is, “How can I be certain I am managing and securing Android with the best tools and technical resources available to me?”


The Android Enterprise Recommended Program

With its introduction of the Android Enterprise Recommended program earlier this year, Google has improved this decision-making process for IT leaders, making it possible to zero in on the vendors that meet specifications across a broad range of stringent criteria. The limited number of vendors that achieve this validation have not only taken appropriate steps to support the full gamut of Android’s specifications — they have also gone the extra mile to partake in Google-led trainings that enable them to deliver an exceptional experience for partners and customers.


Up until this point, the Android Enterprise Recommended program has been available to help IT teams select smartphones, tablets and ruggedized devices that are well-suited for the enterprise setting. However, customers and partners have had to conduct independent research and assessments to determine which enterprise mobility management (EMM) solutions should be used to manage Android devices in the enterprise.

These evaluations cannot be taken lightly: enterprise use cases for Android have grown in number, and organizations need to ensure that their EMM of choice can support them. Furthermore, security threats have evolved and become more complex, and endpoints and their users remain the biggest targets. The less careful an organization is about who it partners with to support its environment, the more severe the consequences become.

With these reasons in mind, EMMs should at minimum be able to prove an ongoing commitment to delivering same-day support for the latest OS updates. As Google continues to roll out new enterprise functionality for Android, most recently zero-touch enrollment, managed Google Play, Verify Apps and the SafetyNet APIs, the onus is also on EMMs to keep up.

A Program Expansion for Enterprise Mobility Management Vendors

To stay ahead of the evolving threat landscape and more effectively manage Android devices, IT decision-makers need to fast-track the EMM selection process. That’s why Google expanded its Android Enterprise Recommended program to help security leaders gain confidence in their EMM selection, streamline deployment and obtain timely support for the latest updates.

IBM MaaS360 with Watson is a validated solution in the Android Enterprise Recommended program for EMMs, placing it among the select few EMMs that meet these new comprehensive program requirements.

Recognizing the value of the overall Android Enterprise Recommended program, MaaS360 delivers support for all Android Enterprise Recommended OEM devices, including both categories of knowledge worker and rugged use cases.

To learn more, register for our Jan. 31 webinar, “IBM Joins Google in Announcing Android Enterprise Recommended Program for EMMs” or watch it on-demand thereafter.


Google and Android are trademarks of Google LLC.

The post Where Can IT Get Expert Guidance for Managing Android in the Enterprise? appeared first on Security Intelligence.

Pre-Installed Malware Targets Critical System Apps on Mobile Devices

Several new types of pre-installed malware are targeting critical system apps on mobile devices, making them difficult to remove.

Researchers at Malwarebytes came across two instances of pre-installed malware targeting applications in /system/priv-app/, where critical apps such as Settings and System UI reside. The first infection occurred on a THL T9 Pro device. The malware repeatedly installed variants of Android/Trojan.HiddenAds, which is known for displaying lock screen advertisements that take up the device’s entire screen. In this case, the malicious code was embedded in System UI, a critical system app, rather than shipped as a standalone package.

The second infection occurred on a UTOK Q55. In that case, the threat came hardcoded in the device’s Settings app. It fit the “monitor” category of potentially unwanted programs (PUP), which are capable of collecting and reporting users’ information.

The Pre-Installed Malware Problem Persists

These two instances of pre-installed malware aren’t the first detected by Malwarebytes. In March 2017, researchers at the security software provider observed mobile devices manufactured by BLU being shipped out with Android/Adware.YeMobi. Then in December of that year, the researchers found an auto-installer known as FWUpgradeProvider pre-installed on devices bought from legitimate phone carriers in the U.K. and elsewhere.

Other security firms have detected pre-installed malware more recently. For instance, Check Point discovered RottenSys disguised as a system Wi-Fi service; the threat targeted nearly 5 million users for fraudulent ad revenues as of March 2018. A few months later, Avast Threat Labs found adware known as Cosiloon pre-installed on hundreds of Android device models.

How to Protect Mobile Devices From Pre-Installed Malware

Security professionals can protect mobile devices from pre-installed malware and other threats by using a unified endpoint management (UEM) solution to monitor how these devices report to the corporate IT environment. They should also use behavioral analysis to help defend mobile devices against zero-day threats.

The post Pre-Installed Malware Targets Critical System Apps on Mobile Devices appeared first on Security Intelligence.

The new landscape of pre-installed mobile malware: malicious code within

Here’s a scary thought: mobile devices may ship with malware pre-installed inside required system apps. It might sound like a grim forecast, but, as the cases below show, it is already happening.

In the past, we’ve seen pre-installed malware such as the notorious Adups threat, among others. “Pre-installed” means the malware comes already installed on the device at the system level, so it cannot be removed, only disabled. However, these older iterations of pre-installed malware can be remediated with a workaround that uninstalls the app for the current user. The method involves connecting the mobile device to a PC and using the ADB command-line tool; follow our guide, removal instructions for Adups, to find out more.

Although this method is a bit tedious, it works to remediate the malware. In contrast, remediating newer versions of pre-installed malware has become much more difficult. We are now seeing malware authors target system apps that are required for the device to function properly. By injecting malicious code within these necessary apps, threat actors have reshaped the landscape of pre-installed malware for the worse.

Types of pre-installed apps

There are two types of preinstalled apps, based on the apps’ location on the device. This location also determines the importance of the app.

The first location is /system/app/. Apps in this location are typically things you want to have but that are not critical for the device to run. For example, apps that provide functionality for the camera, Bluetooth, the FM radio or photo viewing are stored here. This is also where device manufacturers put what some would consider bloatware. Uninstalling some of these apps may degrade the user experience, but it isn’t going to stop the device from functioning.

The other location is /system/priv-app/. This is where the important apps reside, for instance Settings and System UI, the latter of which provides the back and home buttons on Android devices. In other words, these are apps you absolutely cannot uninstall without essentially breaking the phone. Sadly, the latest pre-installed malware targets this location.

The evidence

In light of this new, frightening pre-installed malware, let’s look at two case studies.

Case study 1: Riskware auto installer within System UI

The device is a THL T9 Pro. The infection is Android/PUP.Riskware.Autoins.Fota.INS. Although the code looks similar to the well-known pre-installed malware Adups, it is entangled within the critical system app System UI instead of living in a standalone app like UpgradeSys. The infection causes headaches, as it repeatedly installs variants of Android/Trojan.HiddenAds. It’s unknown whether this is the doing of Adups themselves or whether code was taken from the Adups auto installer and inserted into System UI. Neither scenario is good.

Case Study 2: Monitor within settings

This time, the device is a UTOK Q55. The infection is Android/Monitor.Pipe.Settings. The category “Monitor” is a subset of Potentially Unwanted Programs (PUPs). As the name implies, Monitor apps collect and report sensitive information from the device. Furthermore, this particular Monitor app is hardcoded in the highly-important Settings app. In effect, the app used to uninstall other apps would need to be uninstalled itself to remediate—pure irony.

Attempting to remediate

Here lies the biggest problem with these infections: there is currently no good way to remediate them. I have worked with several customers with these infections, but despite my attempts, I have yet to find a good workaround. However, I can offer some guidance. If a clean version of the system app can be found, you might be able to replace the malicious version with it. You will want to look for system apps that match the current Android OS version of the device. If found, you can try the following method:

  • Read the disclaimer from the removal instructions for Adups.
  • Follow the steps under Restoring apps onto the device (without factory reset) in the removal instructions for Adups to save the proper <full path of the apk> of the system app to be replaced.
  • Download a clean version of the system app to your PC.
    • You can use the popular site VirusTotal to determine if it’s clean or not.
  • Move the system app from your PC to your device.
    • adb push <PC file path>\<filename of clean version.apk> /sdcard/Download/<filename of clean version.apk>
  • Uninstall the old, malicious version of the system app.
    • adb shell pm uninstall -k --user 0 <package name of malicious system app>
  • Install the new version of the system app.
    • adb shell pm install -r --user 0 /sdcard/Download/<filename of clean version.apk>
  • See if it works.
    • Common failure errors:
      • [INSTALL_FAILED_VERSION_DOWNGRADE]
      • [INSTALL_FAILED_UPDATE_INCOMPATIBLE]
      • [INSTALL_FAILED_OLDER_SDK]
    • If the new version fails to install, you can revert to the old system app.
      • adb shell pm install -r --user 0 <full path of the apk saved from second step>

As noted above, I have yet to find a version of any of the infections encountered that successfully installs. If you need assistance, feel free to post on our forum Mobile Malware Removal Help & Support.
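Putting the /system/app versus /system/priv-app taxonomy and the ADB procedure above together, here is an added helper script. It is not part of the Malwarebytes post; it is an example written for this page. It classifies a package's on-device path into the two tiers, looks an APK's MD5 up against the two indicators listed at the end of the post, and wraps the push/uninstall/install steps so that a rejected install (one of the three failure codes above) automatically restores the original APK for user 0. It assumes adb is on PATH, the device is authorised for USB debugging, and that a clean APK matching the device's OS build has already been obtained and checked on VirusTotal; the backup file name, the /sdcard/Download staging path and the function names are my own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the Malwarebytes post). Assumes `adb` is on PATH and
# the device is authorised for USB debugging. The two IOC hashes are the ones
# the post lists; everything else (paths, names) is an assumption.
set -eu

# Map one line of `pm path <pkg>` ("package:/system/priv-app/X/X.apk") to the
# tier described in the post: priv-app (critical, breaks the phone if removed),
# app (optional/bloatware), data (user-installed), or unknown.
tier_of_path() {
  p="${1#package:}"
  case "$p" in
    /system/priv-app/*|/system_ext/priv-app/*|/product/priv-app/*|/vendor/priv-app/*) echo priv-app ;;
    /system/app/*|/system_ext/app/*|/product/app/*|/vendor/app/*) echo app ;;
    /data/app/*) echo data ;;
    *) echo unknown ;;
  esac
}

# Look an MD5 (as printed by `md5sum file.apk`, either case) up in the post's
# IOC list; prints the package it belongs to and returns 0 on a hit, 1 otherwise.
ioc_match() {
  md5="$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
  case "$md5" in
    9E0BBF6D26B843FB8FE95FDAD582BB70) echo com.android.systemui ;;  # Android/PUP.Riskware.Autoins.Fota.INS
    DC267F396FA6F06FC7F70CFE845B39D7) echo com.android.settings ;;  # Android/Monitor.Pipe.Settings
    *) return 1 ;;
  esac
}

# Classify what `pm install` printed so the caller knows whether to revert:
# ok | downgrade | incompatible | older_sdk | failed.
install_result() {
  case "$1" in
    *Success*) echo ok ;;
    *INSTALL_FAILED_VERSION_DOWNGRADE*) echo downgrade ;;
    *INSTALL_FAILED_UPDATE_INCOMPATIBLE*) echo incompatible ;;
    *INSTALL_FAILED_OLDER_SDK*) echo older_sdk ;;
    *) echo failed ;;
  esac
}

# The procedure from the post: record the on-device path, keep an off-device
# copy, push the clean APK, uninstall the malicious one for user 0, install the
# replacement, and put the original back for user 0 if the install is rejected.
replace_system_app() {
  pkg="$1"; clean_apk="$2"; name="$(basename "$clean_apk")"
  orig="$(adb shell pm path "$pkg" | tr -d '\r' | head -n 1)"
  orig="${orig#package:}"
  echo "$pkg lives in tier $(tier_of_path "$orig"): $orig"
  adb pull "$orig" "./backup-$pkg.apk"
  adb push "$clean_apk" "/sdcard/Download/$name"
  adb shell pm uninstall -k --user 0 "$pkg"
  out="$(adb shell pm install -r --user 0 "/sdcard/Download/$name" 2>&1 || true)"
  r="$(install_result "$out")"
  if [ "$r" != ok ]; then
    echo "install of $name failed ($r); restoring $orig for user 0" >&2
    adb shell pm install -r --user 0 "$orig"
    return 1
  fi
  echo "replaced $pkg with $name"
}
```

Source the script and call, for example, `replace_system_app com.android.systemui ./SystemUI-clean.apk` (a hypothetical file name). The three parser functions take the text that `pm path`, `md5sum` and `pm install` print, so they can be exercised without a device. Note the caveat the post itself makes: nothing here writes to the read-only /system partition. `pm uninstall -k --user 0` only hides the malicious APK from user 0, the file stays on disk, which is why a clean firmware image from the manufacturer remains the only real fix.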

What really can be done?

Currently, the best method to deal with these infections is to:

  1. Stay away from devices with these infections. Here are the manufacturers/models we have seen so far that have been impacted:
    • THL T9 Pro
    • UTOK Q55
    • BLU Studio G2 HD
  2. If you already bought one, return the device.
  3. If you already bought the device and can’t return it, contact the manufacturer.

Extreme frustration

As a mobile malware researcher, it pains me to no end to write about malware we can’t currently remediate. However, the public needs to know that these types of infections exist in the wild. No one should have to tolerate such infections on any mobile device regardless of its price point and/or notoriety. I will continue to look for methods to deal with these infections. In the meantime, stay safe out there.

APK samples

Detection: Android/PUP.Riskware.Autoins.Fota.INS
MD5: 9E0BBF6D26B843FB8FE95FDAD582BB70
Package Name: com.android.systemui

Detection: Android/Monitor.Pipe.Settings
MD5: DC267F396FA6F06FC7F70CFE845B39D7
Package Name: com.android.settings

The post The new landscape of pre-installed mobile malware: malicious code within appeared first on Malwarebytes Labs.

Beers with Talos EP 43: Espionage, Encryption, and CISO Square One

Beers with Talos (BWT) Podcast Ep. #43 is now available. Download this episode and subscribe to Beers with Talos:


Ep. #43 show notes: 

Recorded Dec. 7, 2018.

Several of us are under the weather, but the show must go on. We did our best, as always. After running through some recent research, we spend a good bit of this EP looking through the lens of a recent breach at the first things a new security leader should get a handle on - what questions need to be answered? What information and practices are day-1 vital? We wrap up taking a look at a slew of vulns Talos uncovered in secure messaging apps.

The timeline:

The topics

01:00 - Roundtable - we talk about the Reds, death by IoT lawnmowers, and the special Spam we get
12:40 - DNSpionage campaign and DNS redirection attacks
20:50 - Day One as CISO - Handling Inherited Risk as a Leader
50:45 - (in)Secure messenger apps - Ranging responses to vuln disclosures
1:02:36 - Closing thoughts and parting shots

The links

(in)Secure messaging blog post

==========

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff).
Find all episodes here.

Subscribe via iTunes (and leave a review!)

Check out the Talos Threat Research Blog

Subscribe to the Threat Source newsletter

Follow Talos on Twitter

Give us your feedback and suggestions for topics:
beerswithtalos@cisco.com

Top Ten Tips for Securing Your Mobile Devices

Do you have employees who bring mobile phones to work and use those devices on the corporate network? Do they store company data on these bring-your-own devices (BYOD)? Does your company have a policy in place for this?

First, the moment a person brings a personal phone to work, personal and business tasks start to mix. And, equally bad, company-issued devices are used for personal purposes as much as, if not more than, employees’ own devices. Not sure you believe this? Here are some stats:

A recent survey asked 2,000 office workers about their habit of using their personal mobile devices at work. Here’s what it found:

  • 73% of people admit to downloading personal apps to tablets they got from their company.
  • 62% of people admit to downloading personal apps to mobile phones they got from their company.
  • 45% of people admit to downloading personal apps to notebooks they got from their company.
  • The people who were most likely to do this were in the 25 to 38-year-old age group.
  • 90% of people use their personal mobile devices to conduct business for work.

As you can see, a lot of people are using their mobile devices on the job, and this puts at risk not only your company data but also the data associated with your clients. Do you have a plan to minimize, or even prevent, the amount of sensitive company data left wide open to attackers?

Solutions to Keep Sensitive Business Information Safe

Decision makers and business owners should treat their personal devices with the same care as any business device. You definitely don’t want sensitive company information out there, and that information is often stored on a personal phone or laptop. Here are some things you can do to keep it safe:

Give Your Staff Information About Phishing Scams

Phishing is a method that cybercriminals use to steal data from companies. Studies show that it is extremely easy for even the smartest employees to fall for these tricks. Here’s how they work: a staff member gets an email with a sense of urgency. Inside the email is a link. The body of the email encourages the reader to click the link. When they do, they are taken to a website that either installs a virus onto the network or tricks the employee into giving out important company information.

Inform Your Staff that the Bad Guys Might Pose as Someone They Know

Even if you tell your staff about phishing, they can still get tricked into clicking an email link. How? Because the bad guys make these emails really convincing. Hackers do their research, and they are often skilled in the principles of influence and the psychology of persuasion. So, they can easily create fake emails that look like they come from your CEO or a vendor, someone your staff trusts. With this in mind, it might be best to create a policy that employees never act on email links. Instead, pick up the phone and confirm with the apparent sender that whatever the email is requesting is legitimate.

Teach Employees that Freebies aren’t Always Goodies

A lot of hackers use the promise of something free to get clicks. Make sure your staff knows to never click on an email link promising a freebie of any kind.

Don’t Buy Apps from Third-Party Sources

Apps are quite popular, and there are many that can help to boost productivity in a business setting. However, jailbroken iOS devices and rooted Android devices (or Android devices with installation from unknown sources enabled) sit outside the walled garden of their official stores and are far more exposed to malware. Make sure your employees know never to install apps from third-party sources; only use the official Apple App Store or the Google Play Store.

Always Protect Devices

It’s also important that you advise your employees to keep their devices protected with a password. These devices are easy to steal since they are so small. If there is no password, there is nothing stopping a bad guy from getting into them and accessing all of the accounts that are currently logged into the device.

Install a Wipe Function on All Mobile Devices Used for Business

You should also require all employees to have a “wipe” function on their phones. Even if they are only doing something simple, like checking their work email on their personal mobile device, it could get into the wrong hands. With the “wipe” function, the entire phone can be cleared remotely. You should also require employees to use the setting that erases the phone after a set number of password attempts.

Require that All Mobile Devices on the Company Network Use Anti-Virus Software

It’s also important, especially in the case of Android devices, that all mobile devices on the network have some type of anti-virus software.

Do Not Allow Any Jailbroken Devices on Your Company’s Network

Jailbroken devices are much more vulnerable to viruses and other malware. So, never allow an employee with a jailbroken phone to connect to your network.

All Employees Should Activate Update Alerts

One of the easiest ways to keep mobile devices safe is to keep them updated. So, make sure that all employees have update alerts enabled, and make sure that they are updating their devices when prompted or automatically.

Teach Employees About the Dangers of Public Wi-Fi

Finally, make sure your staff knows the dangers of using public Wi-Fi. Public Wi-Fi connections are not secure, so anyone on the same network can observe unencrypted traffic. That means if you are doing something sensitive, such as logging into company accounting records, an attacker can follow along. Instead, urge employees to use a VPN. These services are inexpensive, and they encrypt traffic so it cannot be read in transit.


Robert Siciliano is a Security and Identity Theft Expert. He is the founder of Safr.me, a cybersecurity speaking and consulting firm based in Massachusetts. See him discussing internet and wireless security on Good Morning America.

Fortnite: When Dollars and Cents Trumps Security!

When Epic Games recently announced and subsequently released Fortnite for Android, it took the decision to bypass the Play Store and ask users to side-load the app. After I read that Epic Games’ brilliant idea was to ask Android users to essentially downgrade the security on their devices, there was a lot of head-on-desk action.

Side-loading an app onto an Android device means asking the user to download it from a website instead of the Play Store and then ignore the Android warnings about installing apps from untrusted locations. In more recent Android versions this safety net is called “Install unknown apps”, and when a user tries to install an app directly from a website, the operating system will ask them more than once if they really want to do this. Note that this does not affect users of Apple iOS devices, as Apple locks down app distribution to the App Store.

Don’t get me wrong, I understand both the business reason and the developer logic that drove Epic Games to release the Android version in this way. For developers, Android’s lack of homogeneity means they often have to validate their app across multiple stores, each with its own constraints and minimum requirements. Thus, what should be a simple app release can gain an Nth degree of complexity: increased time to develop and associated maintenance, leading to increased cost. This is not an attractive prospect for any vendor wanting to deliver a product. Add the fact that the Play Store takes a 30% cut on all transactions, and you can see why an app vendor would look to avoid this if they could! Let’s face it, gaming companies have to make money in order to recoup the investment in the development and maintenance of the game.

You may be reading this wondering why incentivising users to side-load popular games is really a problem. Fundamentally, it introduces bad habits to users. These bad habits break down the general foundations of mobile device security. The Fortnite game has a huge following and we can’t neglect the message being sent not only to users but also other app developers.

In InfoSec, we constantly argue the benefits of teaching users about safe and secure principals when using electronic devices, browsing the web and installing applications. The Epic Games Android installation is the antithesis of these teachings, instead sending a clear message to users – especially a younger generation that will one day enter the workforce – that it is ok to install apps from any location.

The fact is, Epic Games is inadvertently making it easier for a malicious party to trick users into downloading fake apps, and is providing an opportunity for those parties to push fake apps into the official store. This has been seen before, especially in the banking industry, and was even the case for Fortnite itself during the beta period. Google Play Protect is one element of sanity in this situation, as it scans the apps on the device. Unfortunately, it is only a recent addition to Android and is not always available, depending on the version or the manufacturer of the device.
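For anyone who has to find out, after the fact, which apps on a fleet of devices arrived the way Fortnite did, here is an added audit script. It is an example written for this page, not code from the Liquidmatrix post or from Epic Games. It parses the output of `adb shell pm list packages -i` (whose lines look like `package:<name>  installer=<installer package or null>`) to list third-party apps not installed by the Play Store, and the output of `adb shell appops get <pkg> REQUEST_INSTALL_PACKAGES` to spot which of those apps hold the Android 8+ “Install unknown apps” grant described above. It assumes adb is on PATH and the device is authorised for USB debugging; the sample `pm` lines used in the notes below are constructed, and the function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the Liquidmatrix post). Assumes `adb` is on PATH and
# the device is authorised for USB debugging; the Play Store package name is
# the real one, the function names are this example's own.
set -eu

PLAY_STORE="com.android.vending"

# stdin: `pm list packages -i` output. Prints "<package> <installer>" for each
# app whose recorded installer is not the Play Store. An installer of "null"
# means no store installed it: a browser download, `adb install`, or an
# unknown-sources installer, which is what a side-loaded Fortnite looks like.
sideloaded_packages() {
  tr -d '\r' | sed 's/^package://' |
  awk -v store="$PLAY_STORE" '{
    n = index($0, "installer=")
    if (n == 0) next                         # skip lines without an installer field
    pkg = substr($0, 1, n - 1); sub(/[ \t]+$/, "", pkg)
    inst = substr($0, n + 10)                # text after "installer="
    if (inst != store) print pkg, inst
  }'
}

# stdin: `appops get <pkg> REQUEST_INSTALL_PACKAGES` output, e.g.
# "REQUEST_INSTALL_PACKAGES: allow; time=+3d" or "No operations.".
# Succeeds (exit 0) when the app holds the "Install unknown apps" grant, i.e.
# it can itself install further APKs that bypass the Play Store.
unknown_sources_allowed() {
  grep -q 'REQUEST_INSTALL_PACKAGES: *allow'
}

# Walk a connected device: every third-party app not installed by Play, and a
# note on which of them may install more unknown apps.
audit_device() {
  adb shell pm list packages -i -3 | sideloaded_packages | while read -r pkg inst; do
    if adb shell appops get "$pkg" REQUEST_INSTALL_PACKAGES | unknown_sources_allowed; then
      echo "$pkg installer=$inst  (can install unknown apps)"
    else
      echo "$pkg installer=$inst"
    fi
  done
}
```

Source the script and run `audit_device` with a phone attached. Fed a constructed listing such as `package:com.epicgames.fortnite  installer=null` and `package:com.example.bank  installer=com.android.vending`, `sideloaded_packages` reports only the first. Apps installed by an OEM store are reported too, because the point of the check is “did this come through Play”, not “is this malicious”; that second question is what Google Play Protect, where available, answers.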

The issues continue even after the app is installed and being used. Fortnite, like many games, is free to play but relies extensively on in-app purchases, the pay-to-win paradigm. By not using the Play Store to deliver the app, the vendor needs to set up its own payment infrastructure and ensure it is safe. This in itself is not an easy task and can be fraught with errors and the potential for data loss.

Stepping back and analysing the situation, where does one place blame? I think a majority of us in the industry, myself included, will scorn the vendor for not doing the right thing and promoting bad habits to users. Looking beyond the initial rapid shame response from the industry, I think it is interesting to put oneself in the vendor’s shoes. I can see how the lack of standardisation, draconian process and exorbitant fees would make it unattractive to go to market via the various app stores in the “proper way”. Perhaps it is time for companies like Apple and Google to rethink the app distribution model, so all can benefit from a secure platform?

Realistically, I believe that this situation just boils down to the ability for a business to make a profit and you know what, this isn’t the first time or place where security has been compromised or downgraded because of money. Let’s face it, we see it all the time – most recently in IoT security and more generally in corporate security when a security risk is accepted instead of investing time and funds in fixing it.

This is why we can’t have secure things!

Update: Seems like fake Fortnite apps are already in the wild, more here

Thanks to Hannah Finch for the editorial review

The post Fortnite: When Dollars and Cents Trumps Security! appeared first on Liquidmatrix Security Digest.

The Evolution of Mobile Security

Today, I posted a blog entry to the Oracle Identity Management blog titled Analyzing How MDM and MAM Stack Up Against Your Mobile Security Requirements. In the post, I walk through a quick history of mobile security starting with MDM, evolving into MAM, and providing a glimpse into the next generation of mobile security where access is managed and governed along with everything else in the enterprise. It should be no surprise that's where we're heading but as always I welcome your feedback if you disagree.

Here's a brief excerpt:
Mobile is the new black. Every major analyst group seems to have a different phrase for it but we all know that workforces are increasingly mobile and BYOD (Bring Your Own Device) is quickly spreading as the new standard. As the mobile access landscape changes and organizations continue to lose more and more control over how and where information is used, there is also a seismic shift taking place in the underlying mobile security models.
Mobile Device Management (MDM) was a great first response by an Information Security industry caught on its heels by the overwhelming speed of mobile device adoption. Emerging at a time when organizations were purchasing and distributing devices to employees, MDM provided a mechanism to manage those devices, ensure that rogue devices weren’t being introduced onto the network, and enforce security policies on those devices. But MDM was as intrusive to end-users as it was effective for enterprises.

IAM for the Third Platform

As more people are using the phrase "third platform", I'll assume it needs no introduction or explanation. The mobile workforce has been mobile for a few years now. And most organizations have moved critical services to cloud-based offerings. It's not a prediction, it's here.

The two big components of the third platform are mobile and cloud. I'll talk about both.

Mobile

A few months back, I posed the question "Is MAM Identity and Access Management's next big thing?" and since I did, it's become clear to me that the answer is a resounding YES!

Today, I came across a blog entry explaining why Android devices are a security nightmare for companies. The pain is easy to see. OS Updates and Security Patches are slow to arrive and user behavior is, well... questionable. So organizations should be concerned about how their data and applications are being accessed across this sea of devices and applications. As we know, locking down the data is not an option. In the extended enterprise, people need access to data from wherever they are on whatever device they're using. So, the challenge is to control the flow of information and restrict it to proper use.

So, here's a question: is MDM the right approach to controlling access for mobile users? Do you really want to stand up a new technology silo that manages end-user devices? Is that even practical? I think certain technologies live a short life because they quickly get passed over by something new and better (think electric typewriters). MDM is one of those. Although it's still fairly new and good at what it does, I would make the claim that MDM is antiquated technology. In a BYOD world, people don't want to turn control of their devices over to their employers. The age of enterprises controlling devices went out the window with Blackberry's market share.

Containerization is where it's at. With App Containerization, organizations create a secure virtual workspace on mobile devices that enables corporate-approved apps to access, use, edit, and share corporate data while protecting that data from escape to unapproved apps, personal email, OS malware, and other on-device leakage points. For enterprise use-case scenarios, this just makes more sense than MDM. And many of the top MDM vendors have validated the approach by announcing MAM offerings. Still, these solutions maintain a technology silo specific to remote access which doesn't make much sense to me.

As an alternate approach, let's build MAM capabilities directly into the existing Access Management platform. Access Management for the third platform must accommodate for mobile device use-cases. There's no reason to have to manage mobile device access differently than desktop access. It's the same applications, the same data, and the same business policies. User provisioning workflows should accommodate for provisioning mobile apps and data rights just like they've been extended to provision Privileged Account rights. You don't want or need separate silos.

Cloud

The same can be said, for cloud-hosted apps. Cloud apps are simply part of the extended enterprise and should also be managed via the enterprise Access Management platform.

There's been a lot of buzz in the IAM industry about managing access (and providing SSO) to cloud services. There have even been a number of niche vendors popping up that provide that as their primary value proposition. But the core technologies behind these stand-alone solutions are nothing new. In most cases, it's basic federation. In some cases, it's ESSO-style form-fill. But there's no magic to delivering SSO to SaaS apps. In fact, it's typically easier than SSO to enterprise apps because SaaS infrastructures are newer and support newer standards and protocols (SAML, REST, etc.).

My Point

I guess if I had to boil this down, I'm really just trying to dispel the myths about mobile and cloud solutions. When you get past the marketing jargon, we're still talking about Access Management and Identity Governance. Some of the new technologies are pretty cool (containerization solves some interesting, complex problems related to BYOD). But in the end, I'd want to manage enterprise access in one place with one platform. One Identity, One Platform. I wouldn't stand up an IDaaS solution just to have SSO to cloud apps. And I wouldn't want to introduce an MDM vendor to control access from mobile devices.

The third platform simply extends the enterprise beyond the firewall. The concept isn't new and the technologies are mostly the same. As more and newer services adopt common protocols, it gets even easier to support increasingly complex use-cases. An API Gateway, for example, allows a mobile app to access legacy mainframe data over REST protocols. And modern Web Access Management (WAM) solutions perform device fingerprinting to increase assurance and reduce risk while delivering an SSO experience. Mobile Security SDKs enable organizations to build their own apps with native security that's integrated with the enterprise WAM solution (this is especially valuable for consumer-facing apps).

And all of this should be delivered on a single platform for Enterprise Access Management. That's third-platform IAM.

Is MAM Identity and Access Management’s next big thing?

Mobile Application Management is making waves. Recent news from Oracle, IBM, and Salesforce highlight the market interest. It's a natural extension of what you've been hearing at Identity trade shows over the past few years (and this year's Gartner IAM Summit was no exception). The third platform of computing is not a future state. It's here. And Identity and Access solutions are adapting to accommodate the new use case scenarios. ...onward and upward.

[Update - interesting discussion of the IAM technology stack for mobile by SIMIEO]