Hundreds of insecure mobile apps found, guidance for securely creating software and an uproar over American police cellphone tracking.
Welcome to Cyber Security Today. It’s Friday September 2nd, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Just over 1,800 poorly-created mobile apps for the iPhone/iPad and Android platforms have been discovered by security researchers. The problem: more than three-quarters of the apps included valid tokens that allowed access to the developers' Amazon AWS cloud services. And close to half of those had tokens that would also have given full access to private files, often millions of them, held in Amazon S3 storage buckets. The tokens were hard-coded in the apps, so anyone who unpacked an app and searched its strings could have found and used them. The victims would have been the companies the developers were creating the apps for. In one case the biometric digital fingerprints of over 300,000 users were exposed through a component shared by five mobile banking apps. Access to the IT infrastructure of 16 online gambling apps was also open to be hacked.
Researchers at Symantec, who made the discovery, believe these hard-coded access keys were inadvertently added to the apps by developers who inserted what they thought were trusted components, such as third-party software development kits, into their code. Or they may have needed a key for a function like uploading files or fetching configuration and shipped a long-lived key instead of a time-limited one. A mobile app is untrusted territory: any credential built into it should be treated as public, so functions that need AWS access should use short-lived credentials issued to the user (for example through Amazon Cognito or STS) or go through a backend service the company controls. Mistakes like this can be caught if developers run secret-scanning tools over the final build, not just the source, before releasing an application. If a company uses an outsourced provider, the developer should have to submit a mobile app report card showing how the app was tested. It's vital that third-party software development kits and frameworks be examined before being included in applications.
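The kind of check the previous paragraph calls for, as an added example that is not Symantec's tooling or any developer's code: a small offline scanner run over an unpacked app bundle (for instance the output of `apktool d app.apk` or an unzipped .ipa). It looks for AWS access key IDs, labels them long-lived (AKIA prefix, an IAM user key) or temporary (ASIA prefix, an STS key), and then hunts nearby lines for a 40-character high-entropy string that could be the matching secret. The file names and contents below are constructed for the example, and the AKIA/secret pair are Amazon's documentation placeholder values, not live credentials.

```python
"""Offline scan of unpacked mobile-app files for hard-coded AWS credentials.

Added example, not the tooling from the Symantec report. Point it at the
directory produced by `apktool d app.apk` or an unzipped .ipa; the sample
files below are constructed so the script runs stand-alone.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# AWS access key IDs: 'AKIA' = long-lived IAM user key, 'ASIA' = temporary STS key.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Secret access keys are exactly 40 characters from this alphabet.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
# Heuristic threshold (bits per character) to skip repetitive 40-char strings.
SECRET_ENTROPY_MIN = 3.5


@dataclass
class Finding:
    path: str
    line_no: int
    access_key_id: str
    kind: str                       # "long-lived" or "temporary"
    secret_candidate: Optional[str]  # None when no plausible secret sits nearby


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_secret_near(lines: List[str], idx: int, window: int = 3) -> Optional[str]:
    """First plausible 40-char secret within `window` lines of lines[idx]."""
    lo, hi = max(0, idx - window), min(len(lines), idx + window + 1)
    for line in lines[lo:hi]:
        for m in SECRET_KEY_RE.finditer(line):
            cand = m.group(1)
            if shannon_entropy(cand) >= SECRET_ENTROPY_MIN:
                return cand
    return None


def scan_text(path: str, text: str) -> List[Finding]:
    """Report every access key ID in `text`, with any secret found near it."""
    findings: List[Finding] = []
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(line):
            key = m.group(1)
            kind = "temporary" if key.startswith("ASIA") else "long-lived"
            findings.append(Finding(path, idx + 1, key, kind, find_secret_near(lines, idx)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of relative path -> file text (e.g. read from an unpacked APK)."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample of an unpacked bundle. The AKIA key and its secret are the
# placeholder values from AWS documentation; the ASIA key is made up.
SAMPLE_FILES = {
    "res/raw/config.json":
        '{"region":"us-east-1","accessKeyId":"AKIAIOSFODNN7EXAMPLE",'
        '"secretAccessKey":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}',
    "smali/com/example/sdk/Uploader.smali":
        'const-string v0, "ASIAZZZZEXAMPLE12345"\n'
        "# a temporary key also needs a session token and expires on its own",
    "assets/strings.txt":
        "no credentials here, just a base64 blob QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY=",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        secret = "with secret" if f.secret_candidate else "no secret nearby"
        print(f"{f.path}:{f.line_no} {f.access_key_id} ({f.kind}, {secret})")
```

A hit on an AKIA key with a secret beside it is the case the report describes: a long-lived credential that works for anyone who extracts it. Whether it is still live can only be confirmed by presenting it to AWS (for example `aws sts get-caller-identity` with the key loaded into the environment), which should be done only against an account you are authorized to test; the scan itself makes no network calls. The entropy filter is a heuristic, so a string that fails it is still worth a manual look.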
This and other kinds of software supply chain problems can be limited if developers follow guidance released this week by the U.S. National Security Agency, the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence. The 64-page guidance lists best practices for securely creating applications, verifying the third-party components they include, hardening the build environment and delivering an app in a way that lets customers confirm it hasn't been tampered with.
Instagram users are being suckered into giving away their passwords and personal information. How? They are falling for an offer to have their profile verified with a blue checkmark badge. That's the sign beside a name that shows the person doing the posting is the real John Smith and not an impersonator. The victim thinks the offer comes from Instagram and clicks a link to fill in the attached form. However, researchers at Vade Secure point out that the sender's email address and the message's grammatical errors show this is a scam. Neither Instagram nor its parent Meta contacts users to offer a blue badge. People have to apply for one from inside the app.
Finally, police in nearly two dozen American jurisdictions have been using a cellphone tracking tool that lets them build a history of people's movements. Sometimes, according to the Associated Press, police don't get a search warrant to access the location data. That's because the data is gathered by cellphone apps like Waze, Starbucks and others and sold through data brokers to a company called Fog Data Science. That company says it works with the 'advertising identification numbers' that these mobile apps put on individuals' smartphones. That's different, the company says, from the identifiers assigned by cellphone carriers when you buy a phone. The implication is this isn't a violation of people's rights under the U.S. Constitution because they knowingly install the apps on their phones. It isn't clear if that's true, or if this violates state privacy laws. It isn't known if police in Canada use this service.
The Electronic Frontier Foundation also released a report on this. It notes that while the so-called advertising identification data that police search doesn't carry a device user's name or address, that can be figured out by following the data to see where a device regularly stops at night, which is almost always the owner's home.
Later today the Week in Review edition will be out. Guest commentator Terry Cutler of Montreal’s Cyology Labs will talk about women in cybersecurity and more.
Links to details about podcast stories are in the text version at ITWorldCanada.com.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.