Cyber Security Today, September 2, 2022 – Hundreds of insecure mobile apps found, tips for building software safely, and outcry over US police cellphone tracking
Hundreds of insecure mobile apps found, advice on building software safely and an outcry over US police cellphone tracking.
Welcome to Cyber Security Today. Today is Friday, September 2, 2022. I’m Howard Solomon, Contributing Cybersecurity Reporter for ITWorldCanada.com.
Just over 1,800 poorly built mobile apps for the iPhone/iPad and Android platforms have been discovered by security researchers. The problem: nearly three-quarters of the applications included valid tokens that allowed access to Amazon AWS servers, and many contained tokens that would also have given full access to millions of private files held in Amazon S3 storage buckets. The tokens were buried in the code of the applications and could have been found and exploited by hackers. The victims were allegedly the companies for which the developers were creating the apps. In one case, more than 300,000 digital fingerprints were leaked by five mobile banking apps. Access to the IT infrastructure of 16 online gambling applications was also open to hacking.
The Symantec researchers who made the discovery believe these hard-coded access keys were inadvertently added by developers who inserted what they believed to be trusted components into their code, or who needed a hard-coded access key for a function but forgot to time-limit the key. Such errors can be avoided if developers run security scanning tools before an application is finally released. If a business uses an outsourced vendor, the developer must submit a mobile app report card showing how the app was tested. It is essential that third-party SDKs and frameworks are reviewed before they are included in applications.
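The pre-release scan described above can be a simple step in the build pipeline: unpack the app bundle and search every text-like file for credential patterns before the binary ships. The following is an added example written for this page, not code from the Symantec report or from the podcast. It assumes the app has already been extracted to plain files (the APK or IPA unpacking step is outside the block), that AWS access key IDs follow the documented `AKIA`/`ASIA` prefix format, and that a 40-character base64-alphabet string with high Shannon entropy is a plausible secret key; the file contents are constructed, and the credential pair used is the placeholder AWS publishes in its own documentation, not a live key.

```python
"""Pre-release scan for hard-coded AWS credentials in an unpacked mobile app.

Added example for this page, not the researchers' tooling. The sample files are
constructed; the credentials are AWS's documented placeholders, not live keys.
"""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Long-term (AKIA) or temporary STS (ASIA) access key IDs: prefix + 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys are 40 characters from the base64 alphabet. The look-around
# asserts the run is exactly 40 long so a longer base64 blob is not sliced.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])")


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character; a real random secret scores well above hex digests or padding."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(token: str) -> str:
    """Keep only the ends so reports can be shared without re-leaking the credential."""
    return token[:4] + "…" + token[-4:]


def scan_text(path: str, text: str, secret_entropy_min: float = 4.0) -> list[Finding]:
    """Return every credential-shaped token in one file's contents."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws_access_key_id", m.group(1)))
        for m in SECRET_RE.finditer(line):
            cand = m.group(1)
            # 40-char hex digests top out at 4.0 bits/char and padding is near 0,
            # so the threshold drops those while keeping real random secrets.
            if shannon_entropy(cand) >= secret_entropy_min:
                findings.append(Finding(path, lineno, "aws_secret_access_key_candidate", cand))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of relative path -> text content (the unpacked app)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def release_gate(files: dict[str, str]) -> bool:
    """True when the bundle is clean and may ship; False blocks the release."""
    return not scan_files(files)


# Constructed sample of an unpacked bundle. Assumed file names; the key pair is
# AWS's documented placeholder (AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY).
SAMPLE_FILES = {
    "assets/config.properties": (
        "api.endpoint=https://api.example.invalid\n"
        "aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\n"
        "aws.secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    # A hex digest and a padding string: 40 chars each, but low entropy, so not flagged.
    "assets/checksums.txt": (
        "lib.so e3b0c44298fc1c149afbf4c8996fb92427ae41e4\n"
        "pad AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} {redact(f.value)}")
    print("release allowed:", release_gate(SAMPLE_FILES))
```

Wiring `release_gate` into CI makes the check fail the build rather than merely warn, which is the behaviour the report card for an outsourced vendor should be able to demonstrate. The entropy threshold is a heuristic, so a flagged candidate still needs a human look, and a clean scan does not prove the absence of secrets stored in obfuscated form.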
This and other types of software supply chain issues may be limited if developers follow guidelines released this week by the US National Security Agency and the Cybersecurity and Infrastructure Security Agency. The 64-page guide lists best practices for building apps securely, verifying the third-party components they include, and hardening an app to prove it hasn’t been tampered with.
Instagram users are being tricked into disclosing their passwords and personal information. How? They are coming across an offer to have their profile verified with a blue tick badge. It's the sign next to a name that shows the person posting is the real John Smith and not an impersonator. The victim thinks the offer is from Instagram and clicks on a link to fill out the attached form. However, Vade Secure researchers point out that the sender's email address and grammatical errors show it is a scam. Neither Instagram nor Facebook will contact users to create a blue badge. People have to apply.
To finish, police in nearly 24 US jurisdictions use a cellphone tracking tool that allows them to build a history of people's movements. Sometimes, according to the Associated Press, police don't get a search warrant to access the location data. That's because the data is captured by mobile phone apps such as Waze, Starbucks and others and sold by them to a company called Fog Data Science. The company describes the data as "advertising ID numbers" that are placed on individuals' smartphones by these mobile apps, which it says is different from the identification numbers assigned by mobile operators when you buy a phone. The implication is that using the data doesn't violate people's rights under the US Constitution because they knowingly install the apps on their phones. It's unclear whether this is true, or whether it violates state privacy laws. It is not known if police in Canada use this service.
The Electronic Frontier Foundation has also released a report on this. It notes that even if the so-called advertising ID data that police search through does not include the name or address of the device's user, those can be worked out from tracking data showing that a device regularly stops at a residence at night.
Later today, the Week in Review edition will be released. Guest commentator Terry Cutler from the Montreal Cyology Laboratories will talk about women in cybersecurity and more.
Links to podcast story details are in the text version at ITWorldCanada.com.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.