Dear Reader,
Even if you followed last month's tech news only briefly, chances are you have come across the ongoing Epic Games v. Apple lawsuit that has been argued in court for a few weeks. The landmark anti-trust case could have significant implications for Apple's control over its ecosystem and the way apps are distributed. However, it also poses an interesting security question: What role does your platform provider play in protecting you and your devices – and how much control are you giving up for that?
Looking for malware so you don't have to
To hear Apple tell it, the reason for restricting users to installing software from the App Store only is to ensure they don't end up with loads of trackers, adware, or other kinds of malware on their devices. Undeniably, there is truth to that if effective security checks are performed before an app enters the store. And the numbers for 2020 do look impressive, with Apple claiming it stopped 1 million apps due to questionable security and privacy. Just remember that Apple is still a profit-seeking company, not the Good Samaritan some might want to see in it, so take it with a grain of salt.
A bit too much laissez-faire
How not to do these app security checks was on display in Google's Chrome Store earlier this month, where a plugin from a questionable source successfully disguised itself as Microsoft Authenticator. Apparently, Google had failed to properly verify the identity of the developer, and users ended up with unusually high loads on their CPU and redirects to a fake login page. The plugin has since been pulled from the store.
https://www.theregister.com/2021/05/19/chrome_extension_microsoft_authenticator_fake
Check locally, hack globally
It's important to note that the attack surface does not end on your local device. It might be where data is collected, but chances are it is stored centrally in some hyper-scale data center. Work by Check Point Research has now revealed that even popular apps with millions of downloads fail to ensure basic protection of their backend. Even worse, some of the analyzed software shipped with the cryptographic keys to the cloud included.
https://threatpost.com/100m-android-users-cloud-leaks/166372
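The "keys included" finding above is the kind of defect a secrets scan in the build pipeline catches before release. Below is an added example, not code from the original newsletter or from Check Point's research: a small scanner that runs a few well-known credential patterns over the strings extracted from an app bundle. The sample strings are constructed for this example (the AWS values are the documentation placeholders, not live keys), and the pattern set is illustrative rather than exhaustive.

```python
import re

# Constructed sample of strings, as a tool like `strings` might pull them
# from an app bundle. None of these are real credentials.
SAMPLE_STRINGS = [
    "https://api.example-backend.invalid/v1/sync",
    "AKIAIOSFODNN7EXAMPLE",                      # AWS documentation example access key ID
    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",  # AWS documentation example secret
    "-----BEGIN RSA PRIVATE KEY-----",
    "mongodb://appuser:s3cret@db.example-backend.invalid:27017/prod",
    "com.example.app.MainActivity",
]

# Illustrative detectors. Each maps a finding name to a compiled regex.
PATTERNS = {
    # AWS access key IDs start with AKIA (long-term) or ASIA (temporary),
    # followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    # PEM private key header of any type (RSA, EC, OPENSSH, ...).
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # scheme://user:password@host style connection strings.
    "connection_string_with_password": re.compile(
        r"\b[a-z][a-z0-9+.-]*://[^:/\s]+:[^@/\s]+@"
    ),
}


def redact(value: str) -> str:
    """Keep only the first and last four characters so reports don't leak the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_strings(strings):
    """Return a list of (finding_name, redacted_value) for every match."""
    findings = []
    for s in strings:
        for name, pattern in PATTERNS.items():
            if pattern.search(s):
                findings.append((name, redact(s)))
    return findings


def has_embedded_secrets(strings) -> bool:
    """Gate for a CI step: True if anything matched, so the build can be failed."""
    return bool(scan_strings(strings))


if __name__ == "__main__":
    for name, value in scan_strings(SAMPLE_STRINGS):
        print(f"{name:34s} {value}")
```

A real pipeline would add entropy-based checks for the secret key material itself (the 40-character AWS secret above is not caught by these patterns), run against every build artifact, and fail the build on any hit rather than only reporting it.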
This App would like to access your entire digital life
As Brian Krebs reported earlier this month, a recent trend among phishers is third-party apps that integrate with your Office 365 account to access pretty much any information connected to it. Abusing a key feature of Microsoft's Office suite that lets it share data with other applications, this scheme relies on users confirming the integration to get into their O365 accounts, without exploiting any technical vulnerabilities.
https://krebsonsecurity.com/2021/05/malicious-office-365-apps-are-the-ultimate-insiders
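Because no vulnerability is exploited, the defensive signal here is the consent grant itself. The following is an added example, not code from the original newsletter or from Krebs' article: a reviewer that scores consent events by the permissions granted and whether the publisher was verified, and flags the ones an admin should look at. The event records are constructed and their field names are an assumption for this example, loosely modelled on directory audit events rather than an exact product schema; the scope names are Microsoft Graph permissions, and the high-risk list is illustrative.

```python
import json

# Constructed, simplified consent-grant records. Field names are an
# assumption for this example, not a real tenant's data or exact schema.
SAMPLE_EVENTS = [
    {"operation": "Consent to application.", "user": "alice@example.invalid",
     "app_display_name": "Contoso Expense Sync", "publisher_verified": True,
     "scopes": "User.Read openid profile"},
    {"operation": "Consent to application.", "user": "bob@example.invalid",
     "app_display_name": "Upgrade Mail Security", "publisher_verified": False,
     "scopes": "Mail.ReadWrite Files.ReadWrite.All offline_access User.Read"},
    {"operation": "Update user.", "user": "carol@example.invalid"},
]

# Graph permission scopes that hand an app broad access to mail or files.
# Illustrative, not exhaustive.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "MailboxSettings.ReadWrite",
}


def score_consent(event):
    """Return (score, reasons) for one event; (0, []) if it is not a consent grant."""
    if event.get("operation") != "Consent to application.":
        return 0, []
    score, reasons = 0, []
    scopes = set(event.get("scopes", "").split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        score += len(risky)
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if "offline_access" in scopes:
        # A refresh token lets the app keep reading without the user present.
        score += 1
        reasons.append("offline_access (long-lived refresh token)")
    if not event.get("publisher_verified", False):
        score += 2
        reasons.append("publisher not verified")
    return score, reasons


def review_consents(events, threshold=3):
    """Return the consent grants whose score reaches the threshold, for admin review."""
    flagged = []
    for event in events:
        score, reasons = score_consent(event)
        if score >= threshold:
            flagged.append({
                "user": event["user"],
                "app": event["app_display_name"],
                "score": score,
                "reasons": reasons,
            })
    return flagged


if __name__ == "__main__":
    for finding in review_consents(SAMPLE_EVENTS):
        print(json.dumps(finding, indent=2))
```

The scoring is deliberately simple; the point is that mailbox and file scopes combined with an unverified publisher should land in a reviewer's queue, and the same logic is a natural starting point for a tenant policy that requires admin approval for such grants instead of letting end users consent on their own.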
You cannot lose data you don't have
At Cybersecurity Magazine, we featured an article last week that is relevant not only for developers of mobile apps, but for any software processing user data. While there is much talk about protecting data once it has been collected, a more fundamental question is often overlooked: Do we really need to collect all that information? Tom Madsen explains some of the basic concepts of data minimization and shares his suggestions on how to go about it.
https://cybersecurity-magazine.com/limiting-data-collection-limiting-risk
Cybersecurity Magazine Editorial Team
-----------------
For our latest video discussion on security and production systems, please see the River Publishers YouTube channel.
The latest journal articles from River Publishers in all areas of cyber security can be found on the River Publishers website.
https://cybersecurity-magazine.com/
https://www.linkedin.com/showcase/cybersecuritymagazine/
@magcybersec
https://www.facebook.com/Cybersecurity-Magazine-100535232117942