How the Internet of Things will affect security & privacy
The Internet of Things is connecting more devices every day, and we're headed for a world that will have 24 billion IoT devices by 2020.

This growth carries several benefits, as it will change the way people carry out everyday tasks and potentially transform the world. Having a smart home is undoubtedly cool and will draw oohs and aahs from your guests, but smart lighting can actually reduce overall energy consumption and lower your electric bill.

New developments would allow connected cars to link up with smart city infrastructure to create an entirely different ecosystem for the driver, who is simply used to the traditional way of getting from Point A to Point B.

And connected healthcare devices give people a deeper and fuller look at their own health, or lack thereof, than ever before.

But with all of these benefits comes risk, as the increase in connected devices gives hackers and cyber criminals more entry points.

Late last year, a group of hackers took down a power grid in a region of western Ukraine to cause the first blackout from a cyber attack. And this is likely just the beginning, as these hackers are looking for more ways to strike critical infrastructure, such as power grids, hydroelectric dams, chemical plants, and more.

And aside from these security issues, the average consumer is concerned about his or her privacy. After all, if so much of the consumer's life is connected, then what is off limits?

Below, we've compiled a list of some of the biggest IoT security and privacy issues as we head toward this truly connected world.
Securing Your Linux System Bit by Bit
As daunting as securing your Linux system might seem, one thing to remember is that every extra step makes a difference. It's almost always better to make a modest stride than let uncertainty keep you from starting.

Fortunately, there are a few basic techniques that greatly benefit users at all levels, and knowing how to securely wipe your hard drive in Linux is one of them. Because I adopted Linux primarily with security in mind, this is one of the first things I learned. Once you have absorbed this lesson, you will be able to part with your hard drives safely.

As you might have deduced, the usual way of deleting doesn't always cut it. The most often-used processes for deleting files -- clicking "delete" in the operating system or using the "rm" command -- are not secure.

When you use one of these methods, all your hard drive does is mark the area where the deleted file used to be as available for new data to be written there. In other words, the original state of the bits (1s and 0s) of the deleted file is left intact, and forensic tools can recover the files.

This might seem like a bad idea, but it makes sense. Hard drives are designed to optimize hardware integrity, not security. Your hard drive would wear out very quickly if it reset the bits of a deleted file to all 0s every time you deleted a file.

Another process devised with hard drive lifespan in mind is "wear leveling," a firmware routine that saves each new file in a random location on the drive. This prevents your drive from wearing out data cells, as those near the beginning of the drive would suffer the most wear if it saved data sequentially. However, this means it is unlikely that you ever would naturally overwrite a file just through long-term use of the drive.
Do I have to see PalmOS Software?
Before the comments board gets going about it, let me make a preemptive strike about something that may occur to you.

You may say to yourself, "Huh... Look what else is here in the OS categories... Several varieties of Unix, MacOS, and... Hey! Several varieties of Windows! And those categories have projects in them! I'm going to submit my Windows taskbar weather applet!"

No, sorry; I'm afraid not. We would just delete it. Even if we had the staff to keep thousands and thousands of Unix project records and thousands and thousands of Windows project records up to date, Windows software is just not who we are, and there are plenty of Windows download sites around if you need them.

So why do we have some Windows software in our database? Well, we do allow some things in if they meet one of two conditions. We'll accept a project if it:

- is a Windows branch of an application that's also available for Unix systems. In other words, if it only runs on Windows, we're not going to include it. If it runs on Windows, Linux, and Solaris, we will.
- is used for Unix-Windows interoperation. In other words, if it's a defragmenter for NT partitions, we don't want it. If it lets you access NT partitions from Linux, we do.
Security Update for the System
Security researchers discovered multiple memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash.

Atte Kettunen discovered that Firefox could perform an out-of-bounds read while rendering GIF format images. An attacker could exploit this to crash Firefox.

Boris Zbarsky discovered that Firefox did not properly handle some wrapped WebIDL objects. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox.

Bobby Holley discovered vulnerabilities in Chrome Object Wrappers (COW) and System Only Wrappers (SOW). If a user were tricked into opening a specially crafted page, a remote attacker could exploit this to bypass security protections to obtain sensitive information or potentially execute code with the privileges of the user invoking Firefox.

Frederik Braun discovered that Firefox made the location of the active browser profile available to JavaScript workers.

A use-after-free vulnerability was discovered in Firefox. An attacker could potentially exploit this to execute code with the privileges of the user invoking Firefox.

Michal Zalewski discovered that Firefox would not always show the correct address when cancelling a proxy authentication prompt. A remote attacker could exploit this to conduct URL spoofing and phishing attacks.

Abhishek Arya discovered several problems related to memory handling. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox.
Be ready for brand new challenges
Expanding the already-rigorous MASPTv2 training, the refreshed version takes the course even further by covering new topics and adding more content:

Android:
- User-installed or Device Admin API-installed certificate management on API level 24+ and how to bypass the restrictions it introduces
- Network Security Configuration
- Manually bypassing certificate pinning

iOS:
- App Transport Security (ATS)
- Application keychain entries management on iOS 10.3+
- Manually bypassing certificate pinning
Mobile Application Security and Penetration Testing v2 Refreshed
We know it, you know it: things go by at warp speed in the mobile world. Everything – from the hottest smartphone models, the latest operating systems, to the freshest apps – becomes prehistoric and replaced with something faster/stronger/flashier/shinier almost as soon as it launches. With the good comes the bad, however, and along with each of these new technologies are new attack vectors and exploits springing about just as rapidly.

Last September, we UNLOCKED the Mobile Application Security and Penetration Testing version 2 training course. As an essential instrument for someone looking to get into security and a great reference for anyone working in the mobile field, it is imperative for MASPT to keep up with the tide. This is why, six months on, we believe that a refresh is in order.
