Archive for the ‘Mobile Security’ Category

Indecent disclosure: Gay dating app left “private” images, data exposed to web

February 7th, 2019
The Jack'd dating app allowed men to upload "private" photos--but stored them open to public viewing, the same as the rest.

Amazon Web Services' Simple Storage Service powers countless numbers of web and mobile applications. Unfortunately, many of the developers who build those applications do not adequately secure their S3 data stores, leaving user data exposed—sometimes directly to web browsers. And while that may not be a privacy concern for some sorts of applications, it's potentially dangerous when the data in question is "private" photos shared via a dating application.

Jack'd, a "gay dating and chat" application with over 1 million downloads from the Google Play store, has been leaving images posted by users and marked as "private" in chat sessions open to browsing on the Internet, potentially exposing the privacy of thousands of users. Photos were uploaded to an AWS S3 bucket accessible over an unsecured web connection, identified by a sequential number. By simply traversing the range of sequential values, it was possible to view all images uploaded by Jack'd users—public or private. Additionally, location data and other metadata about users was accessible via the application's unsecured interfaces to backend data.

The result was that intimate, private images—including pictures of genitalia and photos that revealed information about users' identity and location—were exposed to public view. Because the images were retrieved by the application over an insecure web connection, they could be intercepted by anyone monitoring network traffic, including officials in areas where homosexuality is illegal, homosexuals are persecuted, or by other malicious actors. And since location data and phone identifying data were also available, users of the application could be targeted

Posted in amazon s3, AWS, bad software, Biz & IT, Mobile Security | Comments (0)

Several Popular Beauty Camera Apps Caught Stealing Users’ Photos

February 4th, 2019
Just because an app is available on Google Play Store doesn't mean that it is a legitimate app. Despite so many efforts by Google, some fake and malicious apps do sneak in and land millions of unaware users on the hunting ground of scammers and hackers. Cybersecurity firm Trend Micro uncovered at least 29 devious photo apps that managed to make their way onto Google Play Store and have been

Posted in Android, android apps, Android Malware, Beauty Camera Apps, malware, Mobile Security, Photo Editing Apps | Comments (0)

New Android API Lets Developers Push Updates Within their Apps

November 8th, 2018
You might have read somewhere online today that Google is granting Android app developers powers to forcefully install app updates…but it is not true. Instead, the tech giant is providing a new feature that will help users to have up-to-date Android apps all the time and yes, it's optional. Along with the launch of a number of new tools and features at its Android Dev Summit 2018, Google has

Posted in Android, Android API, android app developer, android app development, Android app update, Android Update, cybersecurity, In-app updates API, Mobile Security | Comments (0)

How to Navigate this Connected World

August 18th, 2017

This blog was written in collaboration with Kishore Jotwani, Sr. Director of Marketing & Business Development for Intel’s Wireless Consumer Infrastructure Platforms and Bill Zhou, VP of product management, ARRIS. 

Doors locked, windows shut, and alarm set. I should be safe… right?

The Internet of Things (IoT) is an ever-growing force that makes my everyday life easier. With real-world applications aplenty, I can’t imagine my life without IoT devices. Fitness wearables allow me to stay on track with my health goals, smart home security cameras keep my family and home safe, and even my smart oven helps me step up my cooking skills.

Unfortunately, as with anything else, there are two sides to this coin. Highlighted events over the past year have shown us that IoT devices, if not properly secured, can be vulnerable to attacks. In October of 2016, the Dyn DDoS attack leveraged, and infected, countless connected devices to shut down several popular sites, like Spotify and Twitter. Similarly, the Mirai malware used vulnerable IoT devices, forming them into a botnet army, to stake its claim.

Now more than ever, it’s clear we live in an interconnected world, in which our homes present new opportunities for entry—and I don’t mean breaking a window. Instead of only having to worry about a physical break-in, we’re faced with the threat of a cyber break-in—one that aims to compromise connected home gadgets, and personal data to boot.

I use connected devices to help make my life easier and streamline everyday processes, but without proper security, I’m left as a sitting duck. Also, with the growing number of IoT devices in my home, they’re all competing for network bandwidth and slow down my network speed.

So, what can you do to keep your home, and your family’s data and devices secure without sacrificing network speed?

The most important thing to note is that cybercriminals rely on the assumption that we, as consumers, won’t be proactive when it comes to properly locking down our smart home devices, and the accounts connected to them.

By following these tips, you can stay proactive and beat cybercriminals at their own game:

  • Stay updated: Do your research on smart home devices, and choose the most secure one you can get your hands on. Also, always keep your devices’ software up to date to practice optimal security.
  • Change it up: If you purchase a new, connected device for your home, change the default password right away. Need some help creating a secure login for it? We’ve got you covered.
  • Safety first: Implement a solution that keeps all your smart home devices secure. For an extra layer of security, you can onboard two different routers for your home, dedicating one specifically to your IoT devices. Having one network for your connected devices and another for your other personal devices (laptop and mobile) is considered a best practice. That way, if a hacker gains access to one network, your devices on the other network are safe.
  • Have a one-stop shop: Look for a solution that offers protection at the home network level, like ARRIS Secure Home Internet by McAfee®, now available in the ARRIS SURFboard SBG7580-AC gateway. Because this solution is directly embedded in the gateway, it automatically protects your connected gadgets, without slowing down your network speed.

Remember, cybercriminals are expecting us to slip up with security, so it’s important to stay on top of it. Stay informed on smart home protection best practices, and show those hackers who’s boss!

Interested in learning more about mobile security tips and trends? Follow @McAfee_Home on Twitter, and like us on Facebook.

The post How to Navigate this Connected World appeared first on McAfee Blogs.

Posted in consumer, IoT, Mobile Security | Comments (0)

Running from Ransomware: A Mobile User’s Guide

July 25th, 2017

From the second my alarm goes off, my day goes 100 miles a minute. In addition to getting myself ready for work, I have to pack my kids some brag-worthy lunches, conquer the stack of unwashed dishes in the sink from the night before, and make sure that everyone is out the door on time. One day, in the midst of all the usual mania, I had a horrible realization that I had forgotten to buy my mom’s birthday present.

To save myself some time, I whipped out my phone, scrolled through the net and explored a few last-minute gift options. In the corner of my eye, I saw an ad for some cute shoes she’d like from a retail site I had previously visited. Zoom, tap, bam! Browsing history comes through to help me find a present in the blink of an eye.

Last-minute online shopping isn’t the only thing our connected devices are good for. We rely on our mobile phones for the simplest things to navigate through our daily lives. From mapping directions, to scrolling through nearby restaurant reviews, to quickly scanning newsworthy articles, our devices accumulate a lot of personal data through our browsing history.

Although browsing history has come in handy for me in certain situations, it often gets a bad rap on its own. Leaker Locker, the new mobile malware discovered by the McAfee team, has created a browsing history nightmare by leveraging surfing habits against mobile users.

When we’re navigating through the net, we usually (often wrongfully) assume that our information will remain private. Unfortunately, that’s not always the case. Our increased trust of the web and dependence on our connected devices has excited cybercriminals, causing the number of mobile malware threats to grow over 80% in the last year.

Hiding behind apps that can be found in the Google Play store, Leaker Locker harnesses its malicious ransomware by disguising itself as an unauthorized mobile backup. Present on two apps on the Google Play store, this ransomware disguised as an app leaves the everyday consumer, like you and me, vulnerable.

So how does Leaker Locker work? It attacks when the user allows device permissions to the newly downloaded, disguised app. Once the malicious app gains access to the device, the device is locked down, and a message pops up on-screen, announcing that the owner’s sensitive information has been compromised. This private information is then used as a bargaining chip for a ransom.

Want to make sure you’re not the next victim of this ransomware? Follow these tips:

  • Attention, Please: Scope out the app’s listing on the app store, and read through its reviews carefully. Sure, an app might look like a fun game or seem to make your life convenient, but it pays to be vigilant. Many users leave helpful warnings to others about whether a specific app has been disguised as a hub for ransomware. If the reviews or actual app listings seem fishy, steer clear.
  • Don’t Pay to Play: Cybercriminals love to demand money in exchange for the “safety” of your personal data. Although paying the ransom seems like a good idea, don’t fall for this trap! Paying the ransom doesn’t guarantee the return of your information. Be extra cautious and try to keep sensitive data off your mobile device.
  • Back It Up: Back up your personal information and files by taking advantage of both an external hard drive and the cloud. In the event that you get locked out of your mobile device, you’ll still have access to important data. This backup plan will give you better peace of mind.

Mobile ransomware has been making headlines, and cybercriminals don’t plan on stopping anytime soon. Get educated and be familiar with their actions. To cover all of your bases, consider turning to a mobile security solution like McAfee Mobile Security (MMS) for Android. With newly designed features that allow you to browse more securely on mobile, MMS provides real-time malware (ransomware included) detection capabilities. Most importantly, it gives you the power to safeguard against threats like Leaker Locker with a single tap.

The post Running from Ransomware: A Mobile User’s Guide appeared first on McAfee Blogs.

Posted in consumer, Mobile Security | Comments (0)

Researcher Claims Samsung’s Tizen OS is Poorly Programmed; Contains 27,000 Bugs!

July 13th, 2017

A researcher has claimed that Samsung’s Tizen operating system that runs on millions of Samsung products is so poorly programmed that it could contain nearly 27,000 programming errors, which could also lead to thousands of vulnerabilities.

Tizen is a Linux-based open-source operating system backed by Intel and Samsung Electronics, which has been in development since early 2012 and designed

Posted in hacking news, mobile operating system, Mobile Security, operating system, PVS-Studio, Samsung, Tizen OS | Comments (0)

123456 Is Not an Acceptable Password in 2017

July 11th, 2017

Mirror, mirror on the wall, what is the safest password of them all?

We all know using a secure password is one of the best practices for protection on the web, but we don’t always practice what we preach. We’ve all been guilty of using our first street address or our first pet’s name as passwords, and dedicating that one login to all of our online accounts for the sake of simplicity. I can even admit that there was once a time that my phone was PIN-free—it’s just plain easier, and faster. I understand the long sigh that comes with having to sign in every time you want to use a device. However, it’s never a good idea to trade security for convenience, especially with devices or accounts that hold information as personal as your bank info or family address. Complex passwords help protect your online banking account, emails, and personal information from being accessed by prying eyes.

Yes, secure logins are a crucial layer for account protection, but in all honesty, humans are creatures of habit. We love to use the same password for multiple accounts, use easy-to-remember birthdays or nicknames, or simply don’t change default passwords on devices.

Recent breaches have reminded us that passwords should always take priority (they’re so important, we’ve acknowledged a World Password Day dedicated to changing your passwords!). History has shown us that hackers love and live for bad passwords, so using poor passwords for important accounts will increase your vulnerability to a hack. To make sure that you don’t commit a security faux pas, check out this secure password checklist:

  • Don’t Use a Real Word: If your password contains a word from the dictionary, nix it. Don’t use the name of your favorite flower or the name of your pet. Instead, consider using either a made-up word, mix of ‘slang’ words, or even gibberish. The more complicated, the better!
  • Mix It Up: As almost all password readers are case-sensitive, consider using a mix of upper- and lowercase letters to be extra secure. Throw in some numbers and symbols to complicate the password, and stay away from your standard birthday or ‘123456’ password.
  • Use the Default and You’ll Be At Fault: All “smart” devices are equipped with default passwords, from your new smart thermostat to the drone you just got for your birthday. As soon as you take your gadget out of the box and set it up for use, change the password immediately, and make sure you update these passwords regularly.
  • “One Size Fits All” Doesn’t Apply: Don’t use the same password for multiple accounts. Although it may seem like a hassle to remember these passwords, the can’t-beat security will be worth the extra effort down the line. Password management solutions like True Key are helpful to keep track of all your login info, as well as generate secure, unique passwords for you.

It’s important to remember to change passwords early, and change them often, across all devices—this makes it extra difficult for cybercriminals to access your personal information. Protecting accounts and devices from their wired connection up to their web logins will help keep hackers at bay.

The post 123456 Is Not an Acceptable Password in 2017 appeared first on McAfee Blogs.

Posted in consumer, Mobile Security | Comments (0)

Will Your Smart Home Be Your Next House Sitter?

June 23rd, 2017

As I rush to catch a flight, I’ll often think in a panic, “Do I have my keys? Passport? Plane ticket?” Once I plop down in my seat, a terrifying visualization of everything else I may have forgotten flashes across my mind: “Did I turn the lights off in the main hallway?” “Did I set the alarms?” “Did I lower the temperature on the thermostat?” With all the moving parts involved in leaving for a vacation, I’ve started to rely on smart home devices to do some of the work for me.

Since we’ve begun to rely on smart devices more, however, the inherent convenience they provide for the home is sometimes met with headaches—including concerns around the risk of malware and phishing scams. These new intuitive devices are designed to help us perform everyday tasks with ease, but when not secured, they can become a hacker’s playground.

A previous blog went into detail about smart home appliance vulnerabilities, and how you can arm yourself with the proper tools to help you combat cybercriminals. To keep you in the know, I’ve compiled a list of smart devices to consider locking down.

  • Smart Home Security Cameras: Smart home security cameras can help monitor your home to make sure it’s safe and sound from unwanted visitors, but hackers have been known to prey on unprotected devices and turn them into spying tools.
  • Smart TVs: Smart TVs can recommend new shows for you to watch, but if not safeguarded, bad actors could utilize the video and audio functions of these devices to track your every move.
  • Smart Thermostats: Smart thermostats allow you to control the temperature of your home from your smartphone, but researchers have recently found that they can be used as bargaining tools when not locked down. “Want to turn the heat back on? Pay up!”
  • Smart Refrigerators: Although smart refrigerators remind you to get eggs and milk when you run out, an unprotected one in your home could expose the email account embedded into its integrated home calendar. Now that’s what I’d call interrupting your dinner plans.

So, what can you do to lock down all your smart home gadgets? To keep hackers away from your devices, install protection to combat the bad guys right from the source—your router.

With security based at the router level, you can have the best of both worlds. Router-based protection, like McAfee Secure Home Platform, provides an always-on solution that alerts you of emerging vulnerabilities, plus protection for connected devices. What’s more? If you’re away from home, you can manage your device connections through the mobile app. Now that’s something convenience-lovers will have a field day for.

Vacation is supposed to be a time for relaxation and quality time with your family. So before jetting off, make sure you know the ropes of securing your nest. Take the quiz below to test your knowledge, and make sure your home and devices are vacation-ready!

The post Will Your Smart Home Be Your Next House Sitter? appeared first on McAfee Blogs.

Posted in consumer, Internet of things, Mobile Security, secure home, shp | Comments (0)

We’ve Mastered Encrypted Messaging, So Are Encrypted Calls Next?

June 13th, 2017

We’ve all heard the names before – WhatsApp, Viber, Telegram, Wire, Signal, Allo… with so many cyberattacks in the news recently, people have begun to rely on encrypted messaging apps to protect their privacy from potential hackers. These services secure end-to-end connections using varying tactics and levels of encryption – you may find yourself questioning what any of that means. How do you encrypt your messages? Can anyone do it? What is being protected when you use an encrypted messaging system? If encrypted messaging is so great, why isn’t everyone using encrypted messages? It sure could put an end to all the celebrity phone hacks and government information leaks… Here’s what you should know about encryption, and find the answers to all your questions.

When people encrypt their communications, it means that only the sender and the recipient can see one another’s messages. While the message is in transit, it cannot be decoded or unraveled by outsiders or the maker of the application, which allows for privacy and security. Some apps do this by protecting individual messages sent to and from the device, some have encryption built in, and others offer a “secret” mode that can be switched on and off. Certain apps, namely Wire and Signal, encrypt messages by design. By installing and signing into the app, all communications are automatically encrypted.

People use encryption for all kinds of communication – for a long time, these apps could only offer encryption for text-based chat, but introducing encrypted calls has been a natural next step and layer of protection in today’s digital world. Encrypted calls would be highly valuable, with the ability to thwart any snooping. However, developing the technology to create such protection for voice calls has proven difficult for programmers.

One of the main challenges that developers face is mastering internet-based calls, which still are not the most reliable way to communicate. Wi-Fi or Ethernet connections are the most stable, but many people still use cellular data to make VoIP (or Voice Over Internet Protocol) calls. In 2014, Signal, one of the many platforms offering encrypted communication, began to offer encrypted calling despite the complications with dropped calls and connection reliability, as did Wire. When WhatsApp introduced encrypted calls and video chat to their one billion users in 2016, other secure messaging apps finally began to pick up the pace and develop secure calling services of their own.

So, now that both encrypted texting services and encrypted calling services have been developed, it seems like all of our calls and texts should be secured by encryption, no questions asked. However, there are many factors slowing down adoption among potential users, one of the main reasons being that both parties must be using the same system for end-to-end encryption to function. Think about it this way – you may find an app that you love to use, but it might be difficult to convince all your friends and family to go through the steps to downloading and using the new app regularly. Everyone has their preferences, and getting everyone in your life to be on the same page can be difficult. Now, expand that to everyone in their lives – and so on, and so forth.

The resolution to this particular problem would be to fully open source these encryption products, so that people can communicate securely within different interfaces and applications. Developers can implement this by making all end-to-end encryption protocols the same, so they could speak to each other cross-product. While some small companies have adopted the Open Secure Telephony Network, or “OSTN,” many of the larger names in encryption – like Skype, Google, and Apple – have decided to brave the world of secure communication on their own, and forego open sourcing (much to the chagrin of people who need complete and total security). The potential security flaws with open-source code can be reason enough for these larger companies to privatize their communications, which defeats the whole purpose. Until developers find the right solution, what’s the best way to keep your private communications safe?

  • Avoid Risky Wi-Fi. Don’t trust unsecured Wi-Fi networks when sending personal information. While it’s great in theory that Wi-Fi is almost always readily available, those unsecured networks are an easy target for hackers to gain access to hundreds of personal devices. If you send personal information over an open network, you don’t know who could be spying on your device – or who could be sharing your data.
  • Keep Your Secrets to Yourself. Generally, it’s a good idea to keep any super sensitive data off mobile devices and messaging apps. Besides not knowing who might be spying on your phone, devices can get lost or stolen, and physically broken into. There are many ways your data can be stolen from a phone, but if you never keep it there in the first place, you’re much more likely to keep it secure.
  • Security Software Goes a Long Way. I highly recommend trusting a security software to have your back as a last resort. McAfee Mobile Security, which is free for Android and iOS, will warn you if you’re about to connect to an unsecured Wi-Fi network. That way, you’ll be more cautious if you are about to send any personal information over your phone.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post We’ve Mastered Encrypted Messaging, So Are Encrypted Calls Next? appeared first on McAfee Blogs.

Posted in consumer, mobile app, Mobile Security | Comments (0)

How Using A VPN Could Save Your Summer

May 23rd, 2017

As summer inches closer, I begin to daydream about all the trips I’ll get to take with my family. However, whether our days are spent on the beach or walking around cities we’ve never explored, they all start the same: long-haul flights, airports, and hotels. While the Wi-Fi at the airport may claim to be secure in the network name, public Wi-Fi networks lack encryption, which scrambles the data being sent over the network. Without encryption, cybercriminals can intercept shared information and gain access to personal passwords, financials, or identity information.

Traveling often means I’ll be surrounded by (and connecting to) unfamiliar Wi-Fi networks, which makes it especially important to have a smart security solution in place for all my devices. I rely on two different tools to keep my devices and my family’s devices safe while we’re on the road. One is a personal VPN, which keeps my connections safe, even if I need to log into an insecure Wi-Fi network. Personal VPNs encrypt online activities in both public and secure Wi-Fi networks, allowing users to surf the web safely and feel at peace knowing that sensitive information will be kept private.

If you tend to spend a lot of time browsing or doing work from your device while traveling, make sure to download security apps that protect your devices directly. It’s nice to have that extra layer of security, as these apps analyze the applications already installed on my phone that use my private information, and secure my data accordingly. If you’re traveling to cities where pickpocketing is common (or if you’re simply forgetful), many of the security apps also offer anti-theft protection that allows the user to back up, lock, and wipe the device remotely.

My family likes to travel to many different places in one vacation, which makes these apps perfect – since we’re bouncing between hotels or vacation rentals, we’re often surrounded by unknown networks. If your device has made an unknown connection, you’re potentially at risk of downloading fishy viruses or malware through the network. I’ve found that it’s always smart to have extra protection if your devices have a higher chance of making an insecure connection.

While these tools are important to have, we’ve learned that technology can occasionally fail us. One of the most trustworthy ways to keep your devices safe while jet-setting around this summer is to understand what an insecure Wi-Fi connection looks like. If you can determine whether the connections around you are safe or not, it will potentially save you and your loved ones a massive headache down the road. Look out for these warning signs of an insecure network, and stay away from connecting if the network looks suspicious.

  • Check the Authenticity. If there is no WPA or WPA2 password for protected access, the connection is open, or unencrypted. You can check the authenticity of the network by going into internet settings and looking to see if it’s protected with WPA or WPA2, or if it says it’s “open.”
  • HTTP vs. HTTPS? Make sure that the web pages you visit are “HTTPS” encrypted whenever possible. Do this by looking at the beginning of the URL you are accessing – if the URL starts with “HTTP”, log out – particularly if you’re doing something sensitive.
  • Pay Attention to the Warning Signs. SSL and TLS warnings are the messages that pop up in your browser when you’re in danger of connecting to an insecure connection – and it’s likely that you’ve clicked through the notification without a second thought. Take a moment to think about what you’re agreeing to before moving past the notifications next time, because it could mean you’re putting your devices in danger.
  • Be Picky. Don’t set your device to automatically connect to Wi-Fi networks. Rather, make sure your laptops, tablets, or smartphones will “forget” certain networks when you disconnect, and that they’ll only reconnect when you choose to do so manually.

From the “secure Wi-Fi” you find at the airport and airplane, to whatever you can connect to in your hotel or vacation rental, it’s smart to have a secure solution if you plan to stay connected while traveling. Know the warning signs of an insecure Wi-Fi connection and use a personal VPN and/or mobile security solution whenever possible to keep your data as protected as possible. Have a secure summer, and happy travels!

The post How Using A VPN Could Save Your Summer appeared first on McAfee Blogs.

Posted in consumer, McAfee Mobile Security, Mobile, Mobile Security | Comments (0)