 Don't use a mobile authenticator app on an old smartphone, because the app is only as secure as the operating system in which it's running, two security researchers said at the RSA Conference here earlier this week. Aaron Turner and Georgia Weidman emphasized that using authenticator apps, such as Authy or Google Authenticator, in two-factor authentication was better than using SMS-based 2FA. But, they said, an authenticator app is useless for security if the underlying mobile OS is out-of-date or the mobile device is otherwise insecure. "You don't want the risk associated with 32-bit iOS," said Turner, adding that you should use only iPhones that can run iOS 13. "In Android, use only the Pixel class of devices. Go to Android One if you can't get Pixel devices. I've had good experiences with Motorola and Nokia Android One devices." And he warned the audience to stay away from one well-known Android brand. "[German phone hacker] Karsten Nohl showed that Samsung was faking device updates last year," Turner said. "Stop buying their stuff." To be fair, Samsung was far from the worst offender among phone makers in the study Turner cited, and the study authors later said "they got it wrong" regarding Samsung's issues, without going into further detail. (Slides for Turner and Weidman's presentation are available on the RSA website.) The problem is that if an attacker or a piece of mobile malware can get into the kernel of iOS or Android, then it can do anything it wants, including presenting fake authenticator-app screens. "One of my clients had an iPhone 4 and was using Microsoft Authenticator," Turner said, indicating another authenticator app. "All an attacker would need to do is to get an iPhone 4 exploit. My client was traveling in a high-risk country, his phone was cloned and then after he left the country, all sorts of interesting things happened to his accounts." And don't think iOS devices are safer than Android ones -- they're not. There are just as many known exploits for either one, and Weidman extracted the encryption keys from an older iPhone in a matter of seconds onstage. The iPhone's Secure Enclave offers "some additional security, but the authenticator apps aren't using those elements," said Weidman. "iOS is still good, but Android's [security-enhanced] SELinux is the bane of my existence as someone who's building exploits." "We charge three times as much for an Android pentest than we charge for an iOS one," Turner said, referring to an exercise in which hackers are paid by a company to try to penetrate the company's security. "Fully patched Android is more difficult to go after."Looking for more details on this, visit OUR FORUM.  As Huawei takes the initiative to create its own homegrown alternative to the Play Store, Google has reportedly pleaded with the White House to offer it an exemption to again work with the Chinese tech giant. Huawei's inclusion on the Trump administration's Entity List has had dramatic consequences for the company's handset business, preventing it from using Google Mobile Services (GMS) on its latest phones and tablets. According to German wire service Deutsche Press Agentur, Android and Google Play veep Sameer Samat has confirmed that Google has applied for a license to resume working with Huawei. It's not clear when a decision will be made, or indeed if Google will get its wish. Other firms, most notably Microsoft, have been given a pass. This has allowed Huawei to ship its latest crop of laptops, including the freshly updated Matebook X Pro, with Windows 10. Huawei has said that if Google got an exemption, it would promptly update its newest phones to use Google Mobile Services. Earlier this month, Huawei released its latest flagship, the Mate 30 Pro, in the UK. Due to the embargo, this comes with the open-source version of Android, with punters encouraged to download apps from the Huawei AppGallery, or a separate third-party app store like Amazon's. That said, Huawei's strategy has focused on hoping for the best, but preparing for the worst. These preparations have seen the firm invest over $1bn on its app ecosystem, with more than 3,000 engineers working on the AppGallery, according to a statement from the company released earlier this week. It has also made deals with Western app developers and content providers, most notably Sunday Times publisher News UK, to make its services appear less barren. Huawei has also introduced the ability to download progressive web apps, dubbed "Quick Apps" by the firm, through the AppGallery, which should bump up the app availability numbers – even if they lack the sophistication of a dedicated native app. It's likely this that has motivated Google to take the initiative. Although losing Huawei as a customer is a significant financial body blow to Mountain View, given its enduring popularity in Europe and Asia, it would pale compared to the damage caused by a new product that starts to loosen its stranglehold on the Android sphere. For more turn to OUR FORUM.  It has been a tough few weeks for online payments giant PayPal. First came the confirmation that an authentication hack would enable an attacker to access an account once credentials had been phished, bypassing the financial firm’s authentication tools. And now another security report claims the entire authentication process can be bypassed, enabling an attacker to gain access to an account with nothing but stolen credentials, available for purchase on the dark web “for as little as $1.50.” The report comes from the research team at CyberNews and includes a complaint that the findings were not taken seriously by PayPal or by the team at HackerOne who field such reports. “When our analysts discovered six vulnerabilities in PayPal,” CyberNews said, “ranging from dangerous exploits that can allow anyone to bypass their two-factor authentication, to being able to send malicious code through their SmartChat system—we were met with non-stop delays, unresponsive staff, and lack of appreciation.” For its part, PayPal told me it always takes such submissions seriously, “and reviews each with an appropriate sense of priority.” I was assured the team had investigated this in detail, but, after review, “found that the submissions did not pose a threat and that the assertions being advanced by CyberNews are inaccurate and misleading.” “We would like PayPal to take this vulnerability more seriously,” CyberNews told me. “At the moment, [PayPal is] writing it off as something ‘out-of-scope’ just because it involves stolen credentials.” The research team went to great lengths to show me the exploit working. While there is no way of knowing the state of the back-end algorithm checking the process, it did appear at face value to bypass the check. To understand the debate between PayPal and CyberNews, it’s critical to understand some of the ways in which PayPal safeguards your account. First, PayPal is in the somewhat unique position of knowing everything about both sides of every transaction, including the behavioral track record, login environment, recent activity, and risk potential that a transaction may be fraudulent. The detail is closely held, but there are numerous data points captured by the company’s systems. That becomes apparent when you log in from a new device or location as identified by the IP address of your connection. PayPal will then seek to ensure it’s you—they have a successful username and password login, but they will run a system check to look for further assurance that it’s you. Once in, the company will then run further checks on each transaction that you attempt, again to determine whether to approve or challenge. Read the full report on OUR FORUM. |
Latest Articles
|