What You Need To Know About The Latest Adobe Flash Vulnerabilities


To say that Adobe Flash has been mired in controversy for much of its existence is something of an understatement. For millions of computer users around the world, Adobe Flash represents a catch-22 of the highest order. While it is necessary to play many of the streaming videos that users have come to enjoy on a daily basis, it also brings with it a large number of disadvantages that are difficult to ignore. Not only is Flash a huge burden on the resources of older computers, but it also opens a machine up to a huge number of potentially devastating vulnerabilities, as the news of the last week has so expertly illustrated.

Adobe Flash and Security: What Happened Now?

Last week, a new series of catastrophic Adobe Flash vulnerabilities was uncovered during routine testing by Alex Stamos. For those unaware, Stamos is the chief security officer of social media giant Facebook. Not only could these new vulnerabilities potentially be used to overload a system’s resources, but they could also likely be used as a “backdoor” into the system that would allow a hacker to compromise the sensitive information stored inside. As a result of his findings, Stamos publicly stated that he hoped Adobe would finally use this as an excuse to discontinue the antiquated software once and for all.

The backlash of this news was swift and immediate. Both Mozilla Firefox and Google Chrome, the two most popular Web browsers on planet Earth, released new versions that specifically disabled Adobe Flash functionality by default as a result of these security issues. Developers for both Mozilla and Google indicated that Flash would continue to remain disabled indefinitely until the security issues were properly addressed by Adobe. Users could still opt into the use of Flash on their systems if they wanted to, but the process can be difficult for someone without at least an intermediate level of computer knowledge. All current and past versions of Flash were blocked by both of these browsers.

Many people took this as a sign that the winds of streaming content are truly changing and that Google and Mozilla were teaming up in an attempt to “kill” Flash once and for all. They are hardly the only two companies to attempt to do so in the last several years for these very reasons. Streaming video site YouTube has been steadily moving away from its dependence on Flash, allowing users to opt into the use of HTML5 for all streaming video needs for some time now.

What Is Adobe Doing?

To its credit, Adobe has quickly taken a number of steps to improve the security of Flash and address the issues of the past week as fully as possible. Three new defenses were released in the latest version of Flash, for example, designed by developers at Adobe and Google working in conjunction with one another.

One of these fixes is a new heap partitioning system for vector buffers, which keeps arrays separated from other heap objects. An attempt by a hacker to overflow a vector’s length is therefore much more difficult than it had been in the past. Stronger randomization for Flash heaps was also released, closing off one avenue that hackers have relied on. In order to properly exploit Flash, a hacker needs to know how Flash is laying out memory on a particular system. Thanks to this new, higher level of randomization, that process has become far more difficult.

Stephen L

Top 10 Testing And Quality Assurance Fails of 2014


Technologically speaking, it’s hard to think of a year that was more exciting in recent memory than 2014. We saw a huge wave of new products like the iPhone 6, as well as were treated to upcoming glimpses of products in development like the Apple Watch and the BlackBerry Classic. Unfortunately, 2014 was also a fairly big year in terms of technology-related fails. From quality assurance to testing to security, issues seemed to crop up on an almost daily basis to embarrass some of the biggest tech companies in the world. Even Apple wasn’t immune to large scale fails this year.

The iCloud Scandal

The iCloud Scandal was a perfect storm of “fail” that left the sensitive information, including personal information and even nude photographs, of dozens of celebrities exposed to the world at large. Apple insists that they did nothing wrong and that the issue resulted from celebrities embracing weak passwords and other security-related flaws. Despite that, the iCloud Scandal was still able to embarrass the company and cast a pretty large shadow of doubt over the entire iCloud platform.

The BlackBerry Passport

The BlackBerry Passport is a quality assurance fail at its finest. In theory, the device should have been a success – in a world where mobile device screens are getting larger, it would probably be a while before a company hit that “too large” area and customers rebelled. BlackBerry found out that scenario would happen sooner rather than later by releasing a mobile device that was essentially unusable with only one hand.

The Sony Hack

The Sony Hack makes the list of the top 10 tech fails of 2014 not due to the fact that it happened, but due to the astonishingly poor security-related practices that it exposed. For one of the biggest technology-related companies on the planet, you would think that they would store passwords and other sensitive information in encrypted files. If they did have to store them in an unencrypted location, you would hope that it wouldn’t be in a folder labeled “Passwords.”

The Amazon Fire Phone

The Amazon Fire Phone makes the list of top 2014 fails due to a huge number of quality assurance fails. Amazon was so excited to rush the phone to market that they didn’t perfect many of the features that it depended on. From sub-par battery life to a 3D screen with a resolution so low it would feel outdated even five years ago, the product was one big fail after another.

Google Glass

Google made a bold step in the direction of wearable technology with Google Glass. The reason it makes the “fail” list is for something that should have been handled during the testing phase – longtime users of the device report everything from awful headaches to vision problems and essentially everything in between.

Android Wear

Android Wear included some of the first true smart watches and other wearable devices to hit the market in a big way. It’s too bad that nearly every aspect of them, including the built-in heart rate monitors, failed to work properly.

The Aereo

No list of 2014 fails would be complete without the Aereo and the unfortunate fact that it turned out to be a revolutionary new product with a business model that even the Supreme Court said was copyright infringement.

Cannibalizing the Tablet Market

Tech companies accidentally cannibalized the tablet market in 2014 by releasing “bigger and better” smartphones with large screens that rivaled devices like the iPad.

Streaming Sony TV

The PlayStation TV initially seemed to be Sony’s answer to the Apple TV set top box. By launching without support for even basic streaming services like Netflix or YouTube, it turned out to be Sony’s answer to essentially nothing.

Microsoft Kinect

Microsoft Kinect 2.0 shipped with the Xbox One gaming console and relied heavily on voice commands that were supposed to revolutionize the in-home entertainment experience – if, that is, they worked the way they were supposed to even half of the time.

Stephen L

What You Need To Know About Two Factor Authentication


It’s a procedure that dates back to the dawn of civilization. Secret organizations use it to weed out imposters. Kids use it when playing spy-themed games at the playground. And grocery stores use it before letting you bring home the milk and eggs. Two-factor authentication (2FA) is as effective as it is simple. Here’s what mobile app developers need to know about it.

What Is Two-Factor Authentication?

2FA is just what its name implies – a form of identity confirmation that requires two pieces of information. The first factor is something the person has, such as a credit card number, a mobile phone, or a username and password. The second factor is something the person knows, which might be a PIN number, zip code, birth date, or the name of a person or pet. In the app realm, if you are logging into a familiar account (like Google, Facebook or Twitter) from a device that the site does not recognize, it will ask for answers to security questions or send an SMS with a unique PIN to your phone number.

Who Uses Two-Factor Authentication?

Everyone and their grandma. Well, maybe not, but most people run into some form of 2FA almost every day. For example, most banks require customers to provide additional information such as answers to a set of security questions to access their online accounts. Other places that use 2FA include:

  • Most retail stores
  • Financial institutions
  • Gas stations
  • A growing number of websites and apps, especially social sites

Why Use Two-Factor Authentication?

While a username and password might seem secure enough, they can be easily exploited by hackers, spyware, and keylogging programs. This is especially true for mobile users who provide personal information to third-party apps every day over unsecured public networks. The last thing app developers want is for their customers’ sensitive data to fall into the wrong hands.

In the realm of app security, it’s easy to tell where a phone is being used and what network it’s on, but impossible to determine whose thumbs are tapping away at the screen. Lost phones are about as rare as pigeons in New York City. 2FA ensures that if a thief has a user’s phone, he must also know personal information about the user before doing damage. While much of this burden of protection depends on what customers store in their phones, app developers must do their part to reduce this risk.

How Effective Is Two-Factor Authentication?

It’s by no means foolproof, but 2FA adds a layer of security that makes it much harder for thieves to go about their business. It adds a simple step to the login process, and if done right, costs very little for app developers to implement. However, like cereal, 2FA comes in many varieties.

2FA traditionally comes in the form of physical authentication tokens. These gadgets produce single-use passwords after the user logs in with valid credentials. Sounds cool, but these keyfobs can cost well over $100 and many companies get headaches with distributing, tracking, and replacing them. Customers aren’t too thrilled with them, either.

Jim Fenton, CSO of password management firm OneID, stated that while 2FA makes hackers’ jobs more difficult, savvy hackers can also use it to their advantage.

Should App Developers Use Two-Factor Authentication?

A better question is “how should app developers use 2FA?” Nobody wants to buy a clunky device that can easily break or be stolen. And most developers don’t have a vault of cash to spend on app security.

Requiring PINs or answers to security questions is a better option. Still better is fingerprint verification, recently introduced into the mobile sphere. The technology is young, but it has potential. Generally, the more advanced a technology, the more it costs to adopt. But it’s certainly much harder for a hacker to steal a thumb than a PIN.

Edgar L

6 Areas Your App Security Testing Shouldn’t Miss

Here’s a stat that should scare just about everyone – from developers to marketers to everyday app consumers: market research firm Gartner says more than three-quarters of mobile apps would fail basic security testing.

Notice the word “would” in the above sentence. That implies that most apps are actually not even tested for security. Those which have been, well, they fail three out of four times.

Obviously, with an increase in critical application breaches on a global scale, the demand for efficient and accurate security testing is more important than ever.

Application security testing (AST) technology is designed to analyze and test for security holes, yet many AST industry leaders fall short of spotting all vulnerabilities. The following is a 6-point list of what a well-rounded, mature mobile app testing service should offer its users.

#1. Provide AST as a service and a tool.

AST can come in the form of a cloud service or a tool. The report suggests a reputable mobile app testing service will offer both.

To supplement the AST tool, the testing service should use a single management console and an enterprise-class reporting framework that supports multiple users, groups and roles.

#2. Provide Static AST (SAST)

Static AST tests for vulnerabilities during the programming and/or testing phases of the software life cycle, by analyzing byte code or binary code, application source, and design.

#3. Provide Dynamic AST (DAST)

Dynamic AST mimics cyber attacks against applications and analyzes the reaction. This occurs during operation or testing phases, and analyzes applications in real time (or close to it).


Is the Login Screen Necessary for Your Mobile App?

The login screen: an area of great debate amongst mobile app developers and testers. Some believe the login creates a more customized experience for users since it saves their personal information. However, others (e.g. consumers) resist the login page and immediately leave an app when it requests personal information. What is to be done? The Nielsen Norman Group recently discussed the debate regarding the creation of a log-in account:

“Login walls require a significant interaction cost: users must remember their credentials (if they have an account) or take the time to create a new account. Therefore, sites should use them only if users will benefit significantly from the presence of these walls.”

What could occur when a new user encounters a login wall? A few things:

  1. Users are confronted with the login page first-hand and immediately bail on the application
  2. Users complete the login process and proceed to navigate through the app
  3. Users remember their login, come back to the app and have an overall good user experience
  4. Users log in once, forget their password the second time and don’t bother using the app again

Though they were mostly referring to website pages – where passwords can be easily saved – the same logic applies to a mobile app, particularly point number one. If a user is required to sign up before doing anything else, there’s a good chance the app will be abandoned. In many instances, a mobile app will require a sign-in after a major update, or after a certain amount of time passes, so you cannot always count on saved passwords to address this concern.

So should your mobile app require a login? If so, when and where? Let’s take a closer look:


Hybrid Mobile App Testers: Beware of Code Injections

Hybrid mobile applications present a great way for developers to create a system that operates across many devices and platforms. According to a recent forecast from IT research and advisory company Gartner, Inc., more than 50 percent of mobile apps deployed by 2016 will be of the hybrid variety. There are plenty of benefits for companies choosing to go the hybrid route, but the concept brings with it a major security concern.

Before we take a look at this concern, it’s important to understand the different types of mobile applications.

Native applications are built for a specific platform, generally structured off of the vendor-provided platform SDK, tools, and languages. Native apps, even when installed through an app store, live on your device and are accessed through icons on the device’s home screen. Because native apps are developed expressly for a single platform, they’re afforded the opportunity to take advantage of any of the device’s features, including the camera, GPS, contact list, or even the tilt-axes. Native apps are able to tap into the device’s notification system and can often be used, at least in-part, when the device is offline.

Mobile Web applications are server-side entities, built using any available server-side technology option. In fact, mobile web apps are really not applications, but websites that are optimized to look and feel like native apps. Even when a user “installs” a mobile web app to their home screen, they’re really just leaving a bookmark to return to the page. Mobile web apps are run using a browser and are typically written in HTML5.

Hybrid mobile apps, like native apps, can be found in a platform-specific app store and can take advantage of a device’s unique functionality. Like mobile web apps, hybrid mobile apps rely on a form of HTML and/or JavaScript being rendered in your device’s browser, even though that browser is typically embedded within the app.


The Future of Mobile Security

As the lines become further and further blurred between our business and personal lives, our mobile devices often endure the same struggle. There is an incredible amount of sensitive data stored in these devices, and mobile apps frequently represent an unlocked door for cyber criminals to break in. Therefore, it comes as no surprise that a new study from Gartner has predicted that, by 2017, mobile apps are expected to become the main victims of endpoint breaches.

With smartphones and tablets becoming so essential in both our business and personal lives, it is easy to see why the data stored on these devices would look so appetizing to cyber criminals. Yet, as Midsize Insider points out, popularity isn’t the only thing that makes mobile devices vulnerable. According to Gartner, 75% of all of those security breaches attacking mobile devices by 2017 will actually be caused by a misconfiguration of mobile apps and programs.

“Mobile security breaches are – and will continue to be – the result of misconfiguration and misuse on an app level, rather than the outcome of deeply technical attacks on mobile devices,” explained Dionisio Zumerle, principal research analyst at Gartner.

As Zumerle suggested, one of the prominent misconfigurations of mobile technology is the result of professionals using personal cloud services for business data. Organizations practically manufacture this problem for themselves when they choose to have employees bring their own devices to work and don’t demonstrate a strategy for securing workplace data. Further actions that employees may have performed on their personal devices, such as “jailbreaking” or otherwise enabling their device to bypass some of its native limitations, only serve to create more vulnerabilities that further open up the device – and its data – to the risk of malware.


Coming Soon: Mobile Apps With Fraud Detection

Identity theft, malware and stolen data are now well-known threats in the mobile world. While security will continue to play a major part in the mobile app testing strategy of brands for the foreseeable future, a new tool from IBM could act as a safety net in the event that a vulnerability (or hacker) slips through the cracks.

Before we explain its long-term significance, here’s CSO Online with the details:

IBM researchers have developed a technique that website operators, cloud service providers and mobile application developers could use to spot a fraudster who has stolen an account holder’s credentials.

The patented technology builds a profile on each person using a site or app based on his navigation habits recorded through the browser. Metrics are collected through the computer mouse and keyboard and the touchscreen on a tablet or smartphone.

This is certainly an interesting concept (it remains in the conceptual phase, by the way), but the more one reads about how it’s being developed, the more promising this technology seems. The article continues:

Walker and his colleague Brian O’Connell built a client-side app using AJAX, which stands for asynchronous JavaScript and XML. The group of interrelated Web development techniques is used to build apps that run in the browser and can send and retrieve data from a server. AJAX apps load automatically and do not require a plugin.

The analytical software that would compare activity to an account holder’s profile could be on the web server or somewhere else on the network. If the percentage of matching activity fell below a pre-configured threshold, then the site could ask for the answer to a security question or perform some other type of authentication.

The sensitivity of the trigger would depend on the transaction. For example, a banking site could require near 100 percent identification of the user for transfers involving large amounts of money.
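The profile-versus-threshold logic the excerpt describes, reduced to a runnable sketch. This is an added example, not IBM’s or CSO Online’s code: the interaction metrics, the sample session history and the per-transaction thresholds are all constructed assumptions, and the profile is a simple mean/standard-deviation band per metric.

```python
"""Behavioral step-up authentication sketch (added example, not IBM's code).

A per-user profile records the mean and standard deviation of a few
interaction metrics. A live session is scored by the fraction of profiled
metrics that fall inside the user's normal band, and a transaction-dependent
threshold decides whether to let it through or demand a second factor.
"""
from dataclasses import dataclass
from statistics import mean, stdev

# Constructed history of one account holder's past sessions (metric -> values).
HISTORY = {
    "keystroke_ms": [180, 175, 190, 185, 170, 182],      # typing cadence
    "swipe_px_per_s": [900, 950, 880, 920, 910, 940],    # touchscreen swipe speed
    "dwell_ms": [1200, 1300, 1150, 1250, 1220, 1280],    # time spent per screen
}

# Assumed trigger sensitivity per transaction: large transfers need a
# near-perfect match, as the excerpt suggests for a banking site.
THRESHOLDS = {"view_balance": 0.5, "small_transfer": 0.75, "large_transfer": 1.0}

# Constructed live sessions used in the demo below.
GENUINE_SESSION = {"keystroke_ms": 183, "swipe_px_per_s": 930, "dwell_ms": 1240}
PARTIAL_SESSION = {"keystroke_ms": 183, "swipe_px_per_s": 1500, "dwell_ms": 1260}


@dataclass
class Profile:
    bands: dict  # metric -> (mean, stdev)


def build_profile(history, min_samples=5):
    """Summarize each metric as (mean, stdev); skip metrics with too little data."""
    bands = {}
    for metric, values in history.items():
        if len(values) < min_samples:
            continue  # not enough history to judge this metric
        bands[metric] = (mean(values), stdev(values))
    return Profile(bands)


def match_score(profile, session, k=2.0):
    """Fraction of profiled metrics whose observed value lies within k standard
    deviations of the user's mean. A metric missing from the session counts as
    a mismatch, so a client cannot raise its score by omitting data."""
    if not profile.bands:
        return 0.0  # no profile yet: treat as a complete mismatch
    hits = 0
    for metric, (mu, sigma) in profile.bands.items():
        value = session.get(metric)
        if value is not None and abs(value - mu) <= k * max(sigma, 1e-9):
            hits += 1
    return hits / len(profile.bands)


def decide(profile, session, transaction):
    """Return ("allow", score) or ("step_up", score) for this transaction.
    Unknown transaction types fall back to the strictest threshold."""
    score = match_score(profile, session)
    threshold = THRESHOLDS.get(transaction, 1.0)
    return ("allow", score) if score >= threshold else ("step_up", score)


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for name, session in (("genuine", GENUINE_SESSION), ("partial", PARTIAL_SESSION)):
        for txn in THRESHOLDS:
            print(name, txn, decide(profile, session, txn))
```

The partial session matches two of three metrics, so it is allowed to view a balance but is asked for a second factor before either transfer, which is the transaction-dependent sensitivity the excerpt describes.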

At the beginning of this post, I mentioned a potential use case for this type of technology: in the event that a hacker or intruder is able to bypass the existing security framework. It’s important to recognize that most security testing practices are focused on prevention, as opposed to mitigation. In other words, testers primarily ensure that criminals cannot access user data, whereas they tend to focus less on how to reduce the amount of damage said criminal can do once they have the information. There’s a huge difference between the two.

In the future – and ideally, with the help of technology like this – perhaps they can shift their focus. As we’re starting to see, preventing fraud and criminal behavior is virtually impossible. It is, however, possible to prevent them from doing maximum damage.

How do you see this technology shaping the future of mobile app security testing? Be sure to share your thoughts in the comments section below.

3 Not-So-Obvious Ways to Avoid Mobile App Security Problems

By now, most companies understand the importance of mobile app security, even if they’re not entirely sure how to best achieve it. Security testing – via real testers and automated tools – is the obvious route, but there are several lesser-known methods for ensuring that your mobile app is safe for users.

Here are three such methods (along with our own commentary) courtesy of SearchCIO:

Avoid Open-Ended Questions

“Any personal data collected from a mobile app could turn up in unintended and awkward places. And you will get blamed, even if the customer is at fault for the privacy invasion.”

Although there are security measures that can be built into your app so that only select individuals are able to view consumer information, accidents can occur. It is entirely possible for a company to grab hold of or misplace data, and this almost always happens as the result of human error. For example, if you have an advertiser sponsoring a survey within your app, it’s possible that the advertiser may click through to view the information your customers are giving your company, even if by accident.

Look over the information and determine what you need to know (as opposed to what you want to know) from your client base. And focus on “yes” and “no” answers; don’t leave any room for error or for a consumer’s privacy to be breached.

Avoid Adding Photos or Videos

“Digital photos today are married to metadata, which can intrude on a person’s privacy by indicating the exact location, time and date of the photo. Take enough photos over time and the metadata provides a detailed roadmap of that customer’s travels.”

Yes, photographs are able to give your app that extra “jazz,” but if you can avoid using them within your app, do it. Enabling photos will only make your company more liable for any potential harm and misconstrued information that your customers provide while using the app.


3 Things Every Enterprise Should Know About App Testing

Believe it or not, testing – particularly security testing – is still not a high priority for enterprises who develop mobile apps. Despite all that’s at stake, they continue to neglect even the most basic fundamentals. And in doing so, they are putting YOUR personal information (contacts, calendars, passwords, etc.) at risk. Scary, right?

We thought so, which is why we wanted to share a few things every enterprise should know about mobile app testing from this recent article on SearchSoftwareQuality.com. Let’s take a closer look:

1. There’s still a lot we don’t know about the mobile space…

“Mobile app platforms are relatively new, and therefore, both the know-how — as well as inherent security in the code — is not very well understood.”

The downside of mobile app platforms being so new is that even developers who do have experience writing code are still exploring new territory with the mobile app. Writing code for a mobile app is very different from writing other programs and, although a web developer may be under the impression that the code works out well for the mobile app, there is plenty of room for error – something many enterprises end up learning the hard way.

2. Security testing is NOT a post-launch activity.

“We can sometimes expose these vulnerabilities through open source tools, vulnerabilities that we were not able to expose through commercial tools.”
