HackDig : Dig high-quality web security articles for hacker

Android exfiltration, OpenSSL, and iOS app memory handling

2015-03-19 01:15
Android exfiltration, OpenSSL, and iOS app memory handling

I’ll try not to rant on yet again Google’s squirming on security issues – especially in the context of malware – but it’s not been an altogether happy few weeks in Android security. According to Fox a 9-year-old boy was able to demonstrate how to steal contacts, call logs and messages within just 15 minutes at the Security B-sides conference. I wasn’t there and certainly can’t say how convincing the demonstration was, but it clearly attracted attention.

Meanwhile, FireEye claimed that

1228 (11.2%) [Android apps] are vulnerable to a FREAK attack because they use a vulnerable OpenSSL library to connect to vulnerable HTTPS servers.

Not that Apple fared much better on this occasion – according to FireEye:

On the iOS side, 771 out of 14,079 (5.5%) popular iOS apps connect to vulnerable HTTPS servers.

I don’t know if this has any bearing on the forthcoming OpenSSL updates, for which the ‘highest severity defect fixed by these releases is classified as “high” severity.’  Or indeed on Google’s announcement that it will augment its automatic checking of apps submitted to Google Play with a manual review process, but that’s welcome news anyway, in the opinion of many.

Commentary by Graham Cluley on the FireEye article here, and on Google Play’s announcement here.

More on the iOS front: Prateek Gianchandani offers analysis of memory handling in appsiOS Application Security Part 39 – Sensitive information in memory

He states that:

iOS applications may store sensitive information like passwords, session IDs etc in the memory of the application without releasing them. In some cases, releasing these variables may not be an option.

I’ve had material published by Infosec Institute in the past and been unhappy with both the publishing process and some of the correspondence that followed publication, but there is some interesting analysis and speculation here. A pity it wasn’t better proofed and edited. He does refer to the first article in an interesting series by Mark Beard: iOS Tutorial – Dumping the Application Heap from Memory and iOS Tutorial – Dumping the Application Memory Part 2.

David Harley
Small Blue-Green World


Source: /gnildnah-yromem-ppa-soi-dna-lssnepo-noitartlifxe-diordna/30/5102/ku.oc.ytirucesti

Read:2367 | Comments:0 | Tags:David Harley Android FREAK iOS OpenSSL IOS

“Android exfiltration, OpenSSL, and iOS app memory handling”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud