The Security Landscape of Mobile Apps in Africa

22 November 2025 at 03:36

CyLab-Africa researchers partner with mobile security provider for summer collaboration experience

Researchers from CyLab-Africa and the Upanzi Network recently partnered with the mobile security provider Approov to explore the security of common financial services apps used across Africa. After surveying 224 popular financial applications, the researchers found that 95 percent of these Android apps exposed secrets that can be used to reveal personal and financial data. Across these applications, approximately 272 million users have the potential to be victims of the security flaws.

The post The Security Landscape of Mobile Apps in Africa appeared first on Security Boulevard.

Black Friday Fraud: The Hidden Threat in Mobile Commerce

19 November 2025 at 17:45

Every year, Black Friday drives a surge of online purchases—but it also opens the floodgates for fraud. While most conversations focus on phishing emails or sketchy websites, the real cybersecurity frontline for e-commerce lies behind the scenes: mobile apps. Developers, not consumers, hold the power to stop many of these attacks—but only if they understand how today’s fraudsters exploit mobile APIs.

The post Black Friday Fraud: The Hidden Threat in Mobile Commerce appeared first on Security Boulevard.

The Security Landscape of Mobile Apps in Africa

19 November 2025 at 17:43

CyLab-Africa researchers partner with mobile security provider for summer collaboration experience

Researchers from CyLab-Africa and the Upanzi Network recently partnered with the mobile security provider Approov to explore the security of common financial services apps used across Africa. After surveying 224 popular financial applications, the researchers found that 95 percent of these Android apps exposed secrets that can be used to reveal personal and financial data. Across these applications, approximately 272 million users have the potential to be victims of the security flaws.

The Carnegie Mellon University Africa team included alumni and a current student who are all working as researchers with CyLab-Africa in Rwanda: Theoneste Byagutangaza (MSIT '23), Trevor Henry Chiboora (MSIT '23), Joel Jefferson Musiime (MSIT '24), and Lenah Chacha (MSIT '17). The project was part of a summer collaboration experience where the CyLab-Africa researchers received guidance and mentorship from Approov. CyLab-Africa co-directors Assane Gueye and Giulia Fanti served as advisors for this project.

"Participating in this project was a rewarding yet challenging experience. It involved in-depth research into the consequences of secret key leaks, which proved to be a formidable task initially. However, collaborating with a diverse team enriched my problem-solving skills, honed during my time as a student at CMU, and made the project a valuable learning opportunity," says Byagutangaza.

The team selected and investigated Android applications from countries in North, Central, Eastern, Western, and Southern Africa and categorized the security threats into "high," "medium," and "low" severity. The majority of the threats fell into the high (18 percent) and medium (72 percent) categories. A high severity classification was used for vulnerabilities that could potentially lead to unauthorized access, data breaches, and compromised user privacy. Medium severity was used for secrets that if exposed, could potentially compromise the confidentiality of user data and application functionality.

The Carnegie Mellon University Africa team: Theoneste Byagutangaza (MSIT '23), Trevor Henry Chiboora (MSIT '23), Joel Jefferson Musiime (MSIT '24), and Lenah Chacha (MSIT '17).

"Being new in the field of mobile security, this project was a good learning experience as it gave me an understanding on the design and deployment of mobile apps from a security perspective," says Musiime. "Collaborating with the experienced team at Approov in the field of mobile security greatly aided my learning process, as they were always ready and willing to offer guidance and support throughout the research."

The work culminated in a report which draws comparisons between other regions and Africa, pinpointing trends, commonalities, and disparities pertaining to the exposure of secret keys in a mobile application’s binary package. For example, they found that apps deployed in West Africa were the most exposed in terms of high severity secret exposure (20 percent) and Southern Africa the least (only 6 percent).

"The project report holds significant value for a wide audience, including product owners, developers, and everyday users. It not only sheds light on security concerns related to secrets and API keys in Android packages but also provides valuable recommendations for mitigating these issues," says Chiboora.

The post The Security Landscape of Mobile Apps in Africa appeared first on Security Boulevard.

Third-Party App Stores Could Be a Red Flag for iOS Security

26 January 2023 at 12:00

Even Apple can’t escape change forever.

The famously restrictive company will allow third-party app stores for iOS devices, along with allowing users to “sideload” software directly. Spurring the move is the European Union’s (EU) Digital Markets Act (DMA), which looks to ensure open markets by reducing the ability of digital “gatekeepers” to restrict content on devices.

While this is good news for app creators and end-users, there is a potential red flag: security. Here’s what the compliance-driven change means for Apple, applications and appropriate device protection.

The DMA: Taking a Bite Out of Apple

While the DMA doesn’t come into full force until March 6, 2024, many organizations are acting now to minimize disruption, and Apple is among them. The company is apparently on track to allow users to download and install third-party app stores on their iOS devices. Apple is on the hook to comply with changes to cable connections. By 2024, the company will add USB-C ports to all iPhones.

Breaking the locks on digital gatekeeping offers benefits for both application developers and end-users. From the developer’s perspective, using a third-party app store to sell their software lets them avoid commissions taken by Apple, which can be up to 30% of user payments per app. From the user side, being able to go outside the iOS app ecosystem offers both more choice and more control. Instead of waiting for Apple to vet and approve new software, users could find versions of their favorite apps already for sale on third-party marketplaces or available directly for download.

The Risks of Removing Gatekeepers

Not surprisingly, Apple executives aren’t exactly thrilled about the shift, calling software sideloads “a cyber criminal’s best friend”.

Some of their concern is motivated by a desire to retain control over application distribution and the revenue it brings. However, they do have a point. The closed-loop nature of iOS has long been a selling point for Apple, which claims that it reduces security risk. The claim does have some merit: recent data found that 10 months after the release of Android OS version 12, 30% of federal employees were still running older, less secure versions. In the case of iOS 15, this number was just 5%. For the most part, the difference comes from control. Apple’s oversight of devices means updates are harder to avoid, while Android provides greater choice, but potentially greater risk.

However, the shift to third-party app stores and sideloaded software impacts Apple’s ability to deliver consistent security. For example, apps downloaded from non-iOS stores may include critical security vulnerabilities or even malware. If attackers can fool on-device security scans, they may be able to compromise user devices.

Since Apple won’t have any monetary stake in these apps, the company may not make protection a priority. This could offer a potential side benefit for Apple; they won’t have to spend money on third-party security, and if users get burned by rotten apps, they may come back to the iOS tree.

How Security Teams Can Prepare

Whether you see the shift to open digital borders as good or bad, change is coming. As a result, security teams are well served taking time to prepare. Here are three approaches to help bolster iOS security post-change:

Ban Third Party App Stores and Sideloading

One approach is banning both third-party app stores and sideloading on business-owned iOS devices and enforcing this policy with mobile device management (MDM) tools.

While this will provide a measure of security, it also comes with potential drawbacks. First is the pushback from staff, especially if they use personal devices to work from home or while traveling. By blocking third-party app stores on personal devices, businesses may discover that staff simply stop using these devices for work, in turn reducing total productivity.

There’s also the case of useful apps that are available sooner on third-party app stores than through official channels. A total ban means companies are waiting longer to access features or functions that could improve operations.

Leverage Additional Security Tools

Another approach is leveraging additional security tools such as next-generation web application firewalls (NGFWs) and AI-driven behavior analysis to evaluate the potential risk of third-party apps or sideloaded software. If these tools detect a problem, they can prohibit downloads. If the software is all clear, they can permit installation.

The key here is follow-up. Even if apps appear legitimate and pass initial scans, this doesn’t guarantee safety. As a result, continuous monitoring is critical to ensure both user devices and business networks remain protected.

Create New Security Guidelines

IT teams may also want to consider creating new guidelines around where users can download apps, when they can sideload software and what steps they need to take to reduce total risk.

For example, teams might analyze popular app store options and only allow access to a select few based on what they offer and what (if any) security policies they have in place. Companies can also make it mandatory for staff to inform IT staff about any new downloads on their device. They might give teams a chance to analyze the apps for risk. Companies also need to lay out clear consequences if rules around app downloads aren’t followed.

Worth noting? There’s no hard-and-fast rule here. With regulations in flux, organizations need to find approaches to third-party apps and sideloading that balance device security with user autonomy and control.

From Closed Loops to Open Borders

The days of closed-loop iOS stores are ending in the EU. But with increased choice comes a higher risk of getting a malicious app that wreaks havoc on user devices — and potentially puts businesses at risk.

To reduce the chance of compromise, IT teams should consider a three-pronged approach. This should include banning shady app stores and sideloading, using additional security tools to detect potential problems and creating new security guidelines to provide clear roles and responsibilities for users.

The post Third-Party App Stores Could Be a Red Flag for iOS Security appeared first on Security Intelligence.

Expanding the App Defense Alliance

15 December 2022 at 11:59
Posted by Brooke Davis, Android Security and Privacy Team

The App Defense Alliance launched in 2019 with a mission to protect Android users from bad apps through shared intelligence and coordinated detection between alliance partners. Earlier this year, the App Defense Alliance expanded to include new initiatives outside of malware detection and is now the home for several industry-led collaborations including Malware Mitigation, MASA (Mobile App Security Assessment) & CASA (Cloud App Security Assessment). With a new dedicated landing page at appdefensealliance.dev, the ADA has an expanded mission to protect Android users by removing threats while improving app quality across the ecosystem. Let’s walk through some of the latest program updates from the past year, including the addition of new ADA members.

Malware Mitigation

Together, with the founding ADA members - Google, ESET, Lookout, and Zimperium, the alliance has been able to reduce the risk of app-based malware and better protect Android users. These partners have access to mobile apps as they are being submitted to the Google Play Store and scan thousands of apps daily, acting as another, vital set of eyes prior to an app going live on Play. Knowledge sharing and industry collaboration are important aspects in securing the world from attacks and that’s why we’re continuing to invest in the program.


New ADA Members

We’re excited to see the ADA expand with the additions of McAfee and Trend Micro. Both McAfee and Trend Micro are leaders in the antivirus space and we look forward to their contributions to the program.

Mobile App Security Assessment (MASA)

With consumers spending four to five hours per day in mobile apps, ensuring the safety of these services is more important than ever. According to Data.ai, the pandemic accelerated existing mobile habits - with app categories like finance growing 25% YoY and users spending over 100 billion hours in shopping apps.

That’s why the ADA introduced MASA (Mobile App Security Assessment), which allows developers to have their apps independently validated against the Mobile Application Security Verification Standard (MASVS standard) under the OWASP Mobile Application Security project. The project’s mission is to “Define the industry standard for mobile application security,” and has been used by both public and private sector organizations as a form of industry best practices when it comes to mobile application security. Developers can work directly with an ADA Authorized Lab to have their apps evaluated against a set of MASVS L1 requirements. Once successful, the app’s validation is listed in the recently launched App Validation Directory, which provides users a single place to view all app validations. The Directory also allows users to access more assessment details including validation date, test lab, and a report showing all test steps and requirements. The Directory will be updated over time with new features and search functionality to make it more user friendly.

The Google Play Store is the first commercial app store to recognize and display a badge for any app that has completed an independent security review through ADA MASA. The badge is displayed within an app’s respective Data Safety section.

This MASA program launched in beta earlier this year and is now available for all developers. We’ve seen strong early developer interest with leading apps across a diverse set of categories completing validation including Roblox, Uber, PayPal, Threema, Google Photos, YouTube and many more. On average, developers have completed validation within a month and resolved two outstanding issues identified by a security lab.

To learn more about the program and to help developers get started, there’s a Play Academy course dedicated to independent security review. Check out the interactive guidance on the Academy for App Success and get started today!

Cloud App Security Assessment (CASA)

As the industry continues to evolve and software connects more systems through complex cloud-to-cloud integrations, focusing on the security of cloud applications and their supporting infrastructure becomes increasingly critical. CASA (Cloud App Security Assessment) leverages the work set forth in OWASP’s Application Security Verification Standard (ASVS) to provide a consistent set of requirements to harden security for any application. The CASA framework provides multiple assurance levels in which low-risk cloud applications can be evaluated using either a self-assessment or an automated scan. For applications that present higher risk (such as a large user base, a recent security breach, or processing of highly sensitive data), an Authorized Lab may perform an assessment.

Further, the CASA accelerator provides developers with a workflow that minimizes the required checks depending on the developer's current valid certifications. The CASA checks have been mapped to 10 certifications and frameworks which eliminate redundant testing while lowering the cost of the assessment. Google is continuing to invest in this space with plans to use ASVS more proactively with the developer community next year.

It's been amazing to see the ADA grow this year and we are excited for the continued progress and expansion around the alliance’s mission.

Testing Early and Often Can Reduce Flaws in App Development

18 August 2022 at 11:35

Security is too often an afterthought in the software development process. It’s easy to understand why: Application and software developers are tasked with getting rid of bugs and adding in new features in updates that must meet a grueling release schedule. 

Asking to include security testing before an update is deployed can bring up problems needing to be fixed. In an already tight timeline, that creates tension between developers and the security team. 

If you’re using traditional pentesting methods, the delays and disruption are too great to burden the development team, who are likely working a continuous integration and continuous delivery process (CI/CD). Or if you’re using an automatic scanner to detect potential vulnerabilities, you’re receiving a long list of low-level vulns that obscures the most critical issues to address first. 

Instead, continuous pentesting, or even scanning for a particular CVE, can harmonize development and security teams. And it’s increasingly important. A shocking 85% of commercial apps contain at least one critical vulnerability, according to a 2021 report, while 100% use open-source software, such as the now infamous Log4j. That’s not to knock on open-source software, but rather to say that a critical vulnerability can pop up at any time and it’s more likely to happen than not. 

If a critical vulnerability is found–or worse, exploited–the potential fines or settlement from a data breach could be astronomical. In the latest data breach settlement, T-Mobile agreed to pay $350 million to customers in a class action lawsuit and invest an additional $150 million in their data security operations.

This is why many companies are hiring for development security operations (DevSecOps). The people in these roles work in concert with the development team to build a secure software development process into the existing deployment schedule. But with 700,000 infosec positions sitting open in the United States, it might be hard to find the right candidate. 

If you want to improve the security of your software and app development, here are some tips from Synack customers: 

  • Highlight only the most critical vulns to the dev team. The development team has time only to address what’s most important. Sorting through an endless list of vulns that might never be exploited won’t work. Synack delivers vulnerabilities that matter by incentivizing our researchers to focus on finding severe vulnerabilities.
  • Don’t shame, celebrate. Mistakes are inevitable. Instead of shaming or blaming the development team for a security flaw, cheer on the wins. Finding and fixing vulnerabilities before an update is released is a cause for celebration. Working together to protect the company’s reputation and your customers’ data is the shared goal. 
  • Embrace the pace. CI/CD isn’t going away and the key to deploying more secure apps and software is to find ways to work with developers. When vulns are found to be fixed, document the process for next time. And if there’s enough time, try testing for specific, relevant CVEs. Synack Red Team (SRT) members document their path to finding and exploiting vulnerabilities and can verify patches were implemented successfully. SRT security researchers can also test as narrow or broad a scope as you’d like with Synack’s testing offerings and catalog of specific checks, such as CVE and zero day checks.

Security is a vital component to all companies’ IT infrastructure, but it can’t stand in the way of the business. For more information about how Synack can help you integrate security checkpoints in your dev process, request a demo.

The post Testing Early and Often Can Reduce Flaws in App Development appeared first on Synack.
