Archive for Mobile

Google Or Samsung Android Cameras Could Be Spying On You

Researchers at Checkmarx say they have discovered vulnerabilities in Google and Samsung smartphone apps that could allow hackers to remotely spy on users using their phone’s camera and speakers.

Study

The proof-of-concept (PoC) study results, highlighted on the Checkmarx blog, reveal how the Checkmarx Security Research Team cracked into the apps that control Android phone cameras (initially using a Google Pixel 2 XL and Pixel 3) in order to identify potential abuse scenarios.

The team reported finding “multiple concerning vulnerabilities” (CVE-2019-2234), which stemmed from “permission bypass issues”.  The team later found that camera apps from other vendors, such as Samsung, are also affected by the same vulnerabilities.

The Checkmarx team have since shared a technical report of their findings with Google, Samsung, and other Android-based smartphone OEMs to enable those companies to find fixes.

What Could Happen?

According to Checkmarx, the vulnerabilities mean that a hacker could use a rogue application (one that has been granted no permissions) to take control of another person’s Android phone camera app.  This could allow the attacker to take photos and/or record videos, as well as to gain access to stored videos and photos, the GPS metadata embedded in photos, and even to locate the user by taking a photo or video and parsing the relevant EXIF data.

The researchers also found a way to enable a rogue app to force camera apps to take photos and record video even when the phone was locked, the screen was turned off, or the user was in the middle of a voice call.

One particularly worrying aspect of the Checkmarx findings is that if video recording can be initiated during a voice call, both the caller’s and the receiver’s voices can be recorded.  This could allow eavesdropping that could enable an attacker to discover potentially sensitive personal data or to gather information that could be used for extortion.
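The GPS metadata point above (a photo carrying its capture location in its EXIF block) is something a defender can check for directly. The Python script below is an added example, not code from Checkmarx or from this article: it walks a JPEG’s marker segments, decodes the EXIF GPS IFD into decimal degrees, and strips the EXIF segment so a photo can be shared without its location. The JPEG it parses is a constructed skeleton (marker segments only, no image data), and the tag numbers are those of the EXIF specification.

```python
import struct

# Tag numbers and field-type sizes from the TIFF/EXIF specification.
EXIF_GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per element

def _read_ifd(tiff, order, offset):
    # Returns {tag: (type, count, raw 4-byte value-or-offset field)} for one IFD.
    (count,) = struct.unpack_from(order + "H", tiff, offset)
    entries = [struct.unpack_from(order + "HHI4s", tiff, offset + 2 + 12 * i) for i in range(count)]
    return {tag: (typ, n, raw) for tag, typ, n, raw in entries}

def _value_bytes(tiff, order, entry):
    # TIFF stores values of up to 4 bytes inline; larger ones live at an offset.
    typ, n, raw = entry
    size = TYPE_SIZES.get(typ, 1) * n
    if size <= 4:
        return raw[:size]
    (off,) = struct.unpack(order + "I", raw)
    return tiff[off:off + size]

def _dms_to_degrees(order, data):
    # Three RATIONAL (numerator, denominator) pairs: degrees, minutes, seconds.
    d, m, s = (num / den for num, den in struct.iter_unpack(order + "II", data))
    return d + m / 60 + s / 3600

def gps_from_exif(payload):
    """Parse an APP1 'Exif' payload; return (lat, lon) in decimal degrees or None."""
    if not payload.startswith(b"Exif\x00\x00"):
        return None
    tiff = payload[6:]
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # TIFF byte-order mark
    if order is None:
        return None
    (ifd0_off,) = struct.unpack_from(order + "I", tiff, 4)
    ifd0 = _read_ifd(tiff, order, ifd0_off)
    if EXIF_GPS_IFD_POINTER not in ifd0:
        return None
    (gps_off,) = struct.unpack(order + "I", _value_bytes(tiff, order, ifd0[EXIF_GPS_IFD_POINTER]))
    gps = _read_ifd(tiff, order, gps_off)
    if any(t not in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    ref = lambda tag: _value_bytes(tiff, order, gps[tag])[:1]  # b"N"/b"S" or b"E"/b"W"
    lat = _dms_to_degrees(order, _value_bytes(tiff, order, gps[GPS_LAT]))
    lon = _dms_to_degrees(order, _value_bytes(tiff, order, gps[GPS_LON]))
    return (-lat if ref(GPS_LAT_REF) == b"S" else lat, -lon if ref(GPS_LON_REF) == b"W" else lon)

def split_jpeg(jpeg):
    """Split a JPEG into its leading marker segments and the tail (SOS/EOI onward)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)  # length field counts itself
        segments.append(jpeg[pos:pos + 2 + length])
        pos += 2 + length
    return segments, jpeg[pos:]

_is_exif = lambda seg: seg[1] == 0xE1 and seg[4:10] == b"Exif\x00\x00"

def gps_location(jpeg):
    """Return the (lat, lon) a photo's EXIF GPS IFD reveals, or None if it has none."""
    exif = [s for s in split_jpeg(jpeg)[0] if _is_exif(s)]
    return gps_from_exif(exif[0][4:]) if exif else None

def strip_exif(jpeg):
    """Return the JPEG with every APP1 Exif segment removed; image data is untouched."""
    segments, tail = split_jpeg(jpeg)
    return b"\xff\xd8" + b"".join(s for s in segments if not _is_exif(s)) + tail

def build_sample_jpeg():
    """Constructed input, not a real photo: SOI, an APP1 Exif segment whose GPS IFD says
    51 deg 30' 26" N / 0 deg 7' 39" W (big-endian TIFF), a COM segment, then EOI."""
    e = lambda fmt, *v: struct.pack(">" + fmt, *v)
    ifd0 = e("H", 1) + e("HHII", EXIF_GPS_IFD_POINTER, 4, 1, 26) + e("I", 0)  # GPS IFD at 26
    gps = (e("H", 4) + e("HHI4s", GPS_LAT_REF, 2, 2, b"N\x00\x00\x00")
           + e("HHII", GPS_LAT, 5, 3, 80) + e("HHI4s", GPS_LON_REF, 2, 2, b"W\x00\x00\x00")
           + e("HHII", GPS_LON, 5, 3, 104) + e("I", 0))  # rationals at offsets 80 and 104
    dms = e("IIIIII", 51, 1, 30, 1, 2600, 100) + e("IIIIII", 0, 1, 7, 1, 39, 1)
    exif = b"Exif\x00\x00" + b"MM\x00\x2a" + e("I", 8) + ifd0 + gps + dms
    app1 = b"\xff\xe1" + e("H", len(exif) + 2) + exif
    com = b"\xff\xfe" + e("H", 9) + b"comment"
    return b"\xff\xd8" + app1 + com + b"\xff\xd9"
```

On a real photo, `gps_location(open(path, "rb").read())` returns the coordinates an attacker with access to the file would learn, and `strip_exif` produces a copy safe to share.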

Google

According to Checkmarx, after they shared their findings with Google, the Checkmarx team were notified by Google that the vulnerabilities weren’t confined to the Google Pixel product line but also extended to Android products from other manufacturers.  For example, Samsung also reportedly acknowledged that the flaws impact its Camera apps and said that it had begun taking mitigating steps. Checkmarx reports that Google has said that the problem has now been addressed on impacted Google devices via a Play Store update to the Google Camera application in July 2019. A patch has also been made available to all Google partners.

What Does This Mean For Your Business?

It is very worrying that hundreds of millions of smartphone users may have been facing a serious privacy and security risk without being aware of it.  For business users, this may have left them open to industrial espionage and security threats, although there is no evidence that real hackers exploited the vulnerabilities before they came to light.

When it comes to smartphone apps, the best practice is to ensure that all apps on your device are kept updated. Other defensive actions you can take regarding your phone apps include checking the publisher of an app, checking which permissions the app requests when you install it, and deleting any apps from your phone that you no longer use.  It’s also now important to be aware of the threat posed by fake apps, and you may wish to contact your phone’s service provider or visit the high street store if you think you’ve downloaded a fake malicious/suspect app.

5G Mobile Network is 450% Faster Than 4G in Tests

Tests by Ookla, the developer of Speedtest.net, are reported to have shown that the new 5G mobile network is 450% faster than 4G.

Speed

According to the Speedtest.net website, the results of the testing of 5G in 29 UK cities during Q3 of 2019 generally show download speeds as being 450-475% faster than those on all mobile technologies combined, and that the 5G download speed in Northern Ireland showed a 618.3% improvement due to the fact that mean mobile download speeds on all technologies are slower in Northern Ireland than elsewhere in the U.K.

The tests also revealed that mean 5G download speeds are uniformly high across the U.K., with only 6 Mbps difference between the fastest country (England) and the slowest (Northern Ireland).

Availability

Speedtest.net says that mobile operators have embraced 5G across the UK this year.  For example, 5G is now commercially available in 22 English cities such as London, Birmingham, Bristol, Liverpool, Manchester and Wolverhampton.

5G is also now available in Edinburgh, Glasgow and Paisley in Scotland, in Belfast in Northern Ireland, and in Cardiff, Llandudno and Penarth in Wales.

Rankings

In terms of ranking operators in terms of their 5G download speed in the UK during Q3 2019, Speedtest.net put EE in first place, O2 in second and Vodafone in third place.

No Three

The Speedtest.net results and analysis didn’t include Three because it currently only offers 5G broadband in certain districts of London and its 5G mobile service has not yet been launched.

Three announced earlier this year, however, that new and existing customers with compatible handsets will be able to get 5G at no extra cost when its 5G service is launched.

Upload Speeds Not As Impressive

The test results showed, however, that 5G upload speeds, although good, were not quite as impressive as the download speeds with percentage increases ranging from 38.5% to 110% faster.

Safety Concerns

One issue not covered by the testing was the safety fears surrounding 5G. For example, 5G uses three spectrum bands: low-band spectrum (LTE), mid-band spectrum, and what some believe to be the potentially dangerous mmWave high-frequency spectrum.

The mmWave spectrum, however, is still nowhere near the kind of ionising wavelengths that can damage DNA, and mmWave will mostly be deployed in a spectrum that suffers from high reflection rates – 24 to 29 GHz.  This should mean that any absorption by the body is confined to the surface layers of the skin rather than the deeper tissue reached by lower-frequency radiation.

What Does This Mean For Your Business?

Ofcom is due to auction additional spectrum for 5G in the 700 MHz and 3.6-3.8 GHz bands in spring 2020 and this should help fuel the further expansion of the 5G networks.  This is likely to be good news for businesses who have been waiting for the speed benefits that 5G can bring, for example in improving file sharing and other communication capabilities.

Although the rollout is currently only confined to major UK cities, which will, of course, favour businesses in those areas, it is good news that 5G has been achieving consistent speeds in its deployments around the world, thereby improving on one of the challenges of 4G.

Different operators look set to take different approaches to their 5G rollouts and offerings, and greater 5G availability will provide a boost to the sales of new generation mobile handsets in the UK where many people and businesses have been holding back on purchasing the latest 5G models until they could reap the benefits of having a much more established 5G network in place.

Microsoft Announces New, Integrated ‘Office’ Suite App For Mobile Devices

Microsoft has announced that it is working towards the launch of its ‘Office’ mobile app (currently only available in public preview) which integrates Word, Excel, and PowerPoint mobile apps into a single app.

The ‘Office’ Vision

Microsoft says that the mobile app, called simply ‘Office’, represents their vision for what a productivity solution would look like if first built for mobile devices.

The idea is that users have all their Office documents together in one place, can reduce the need to switch between many different apps, and can reduce the amount of space that they use on their phone compared to multiple installed apps.

“Simple, Integrated Experience”

The ‘Office’ app is intended to provide users with what Microsoft describes as a “simple, integrated experience”.

The app combines Word, Excel, and PowerPoint, access to recent and recommended documents stored in the cloud or on a user’s device, the ability to search for documents across a user’s organisation if using a work account, and easy access to Sticky Notes e.g. for reminders and writing down ideas.

What Can You Do?

Microsoft’s Tech Community web pages say that users of ‘Office’ will be able to create content “in uniquely mobile ways” such as snapping a picture of a document and turning it into an editable Word file with just the press of a button or transforming a picture of a table into an Excel spreadsheet so that users can quickly work on the data. Also, a new Actions pane in the app will enable users to complete tasks such as creating PDFs with their camera and signing PDFs just by using their finger or scanning QR codes to open files and links.

Public Preview and Only On Phones

The Office app is currently available in public preview for Android and iOS, can be downloaded and used for free, and doesn’t require a sign-in.  Those with work, school, or personal Microsoft accounts can, however, log in and gain access to their files stored in the cloud via the app.

Microsoft has said that it will continue to support and invest in the existing Word, Excel, and PowerPoint mobile apps (‘Office’ isn’t replacing them), and that the new ‘Office’ app is currently only available for phones, although plans are afoot to extend this to tablets.

What Does This Mean For Your Business?

Back in February, Microsoft announced its new, free “Office” app for Windows 10 as an update to the former My Office app, and as a way for those who do have a 365 subscription and have Microsoft’s apps installed on their device to open Office from the Office app, and those who don’t have a subscription to be automatically directed to the online version.  This latest announcement of the preview stage, available to all, soon-to-be-launched ‘Office’ mobile app is a progression of Microsoft’s move to publicise, raise awareness about, and get more people using its (free) versions of Office.  This will also help Microsoft adapt and compete with rivals, such as Google, and appeal to business and other existing Microsoft Office users who are now used to being able to carry out most of their business on-the-go with mobile devices and apps.  Some of the features, such as taking a picture of a document and turning that into an editable file are likely to add value for many business users who are spending less time at the desktop.

The new app could mean time-savings (not switching between multiple apps), convenience and greater leverage of mobile capabilities for users, and for Microsoft, it offers them a way to keep existing users loyal to their OS and Office Suite, gain new users, and stay competitive in a rapidly evolving mobile working market.

“Stalkerware” Partner-Spying Software Use Rises By 35% In One Year

Kaspersky researchers have reported a 35 per cent rise in the number of people who have encountered the use of so-called ‘stalkerware’ or ‘spouseware’ software in the first 8 months of this year.

What is Stalkerware?

Stalkerware (or ‘spouseware’) is surveillance software that can be purchased online and loaded onto a person’s mobile device. From there, the software can record all of a person’s activity on that device, thereby allowing another person to read their messages, see screen activity, track the person through GPS location, access their social media, and even spy on the mobile user through the cameras on their device.

Covert, Without Knowledge or Consent

The difference between parental control apps and stalkerware is that stalkerware programs are promoted as software for spying on partners, and they run hidden in the background without the victim’s knowledge or consent.

Most stalkerware needs to be installed manually on a victim’s phone, which means that the person who intends to carry out the surveillance (e.g. a partner) needs physical access to the mobile device.

Figures from Kaspersky show that there are now 380 variants of stalkerware ‘in the wild’ this year, which is 31% more than last year.

Most In Russia

Kaspersky’s figures show that this kind of surveillance software is most popular in Russia, with the UK in eighth place in Kaspersky’s study.

What Does This Mean For Your Business?

Unlike parental control apps which serve a practical purpose to help parents to protect their children from the many risks associated with Internet and mobile phone use, stalkerware appears to be more linked to abuse because of how it has been added to a device without a user’s consent to covertly and completely invade their privacy.  This kind of software could also be used for industrial espionage by a determined person who has access to a colleague’s mobile phone.

If you’d like to avoid being tracked by stalkerware or similar software, Kaspersky advises that you block the installation of programs from unknown sources in your smartphone’s settings, never disclose the passwords/passcode for your mobile device, and never store unfamiliar files or apps on your device.  Also, those leaving a relationship may wish to change the security settings on their mobile device.

Kaspersky also suggests that you should check the list of applications on your device to find out if suspicious programs have been installed without your consent.

If, for example, you find out that someone e.g. a partner/ex-partner has installed surveillance software on your devices, and/or does appear to be stalking you, the advice is, of course, to contact the police and any other relevant organisation.

Banking App Fraud On The Rise

A recent report from cyber-security company RSA has highlighted a significant rise in fraud via fake banking apps.

Number of Attacks Has Trebled

The Fraud and Risk Intelligence (FRI) team at RSA has noted a tripling of the number of fraud attacks via fake mobile banking apps in the first six months of this year, with rogue mobile app fraud generally up by a staggering 191 per cent.

Fake Mobile Apps Exploit Digital Finance Trust

Not only did the 40,344 fraud attacks represent a 63 per cent rise, but 29 per cent of those attacks were recorded as coming from fake mobile apps.

In fact, the report identified an 80 per cent rise in the use of financial malware in the first half of this year, highlighting how cyber-criminals are using the transformation of finance to the digital world and the increasing trust of users in financial apps and digital financial transactions as a way in.

Changing

Tech and finance commentators have noted that as companies offer more convenient digitised financial initiatives to customers e.g. open banking, and as this has necessitated customers engaging in more digital touchpoints, it has led to a widening of the potential ‘attack surface’ that criminals can take advantage of.

Could Banks Do More?

An Immuniweb report from August this year noted that a massive 98 per cent of the world’s 100 leading financial technology (fintech) start-up companies are vulnerable to web and mobile app attacks, and that 97 of the 100 largest banks are also vulnerable to web and mobile attacks which could facilitate a breach of sensitive data.

The Immuniweb report also highlighted mobile financial apps as being a problem area with all mobile apps tested showing at least one ‘medium risk’ security vulnerability, and 97 per cent having at least two medium/high-risk vulnerabilities. The tests also showed that over 50 per cent of mobile app backends have serious SSL/TLS misconfigurations or privacy issues which could be traced to not having robust-enough web server security.

This has led to some speculation that banks and other financial organisations could be doing more to help close potential security loopholes in their apps, thereby offering better protection to customers.

What Does This Mean For Your Business?

Mobile apps offer banks and other financial organisations a way to offer convenience and added value to customers who want to manage their finances on the go. However, security problems in legitimate apps, a proliferation of fake/rogue financial apps, and the wider attack surface that results as consumers increasingly trust their finances to mobile digital transactions have together increased the risks that businesses and consumers face.

As users of banking and other financial apps, we can help protect ourselves by sticking to some basic security procedures such as not clicking on links in unfamiliar messages or texts (to avoid loading malware), keeping a close eye on our bank transactions, and being very cautious when downloading apps of any kind. For example, to minimise the risk of falling victim to rogue/fake apps, you should check the publisher of an app, check which permissions the app requests when you install it, delete any apps from your phone that you no longer use, and contact your phone’s service provider or visit the high street store if you think you’ve downloaded a malicious/suspect app.

Any Thumbprint Unlocks a Galaxy A10

Samsung’s so-called “revolutionary” fingerprint authentication system for the Galaxy A10 phone appears to be offering less than satisfactory results as it is discovered that any thumbprint can unlock one.

Biometric ‘Fail’

South Korean phone giant Samsung has received some unwanted bad publicity for its new Galaxy A10 phone after an article appeared in the Sun newspaper highlighting how a British couple discovered that, after putting a low-priced screen protector (purchased from eBay) on the phone, each other’s thumbprint could unlock the phone.

The thumbprint scanner, which uses ultrasound to detect the 3D ridges of a fingerprint and is only supposed to recognise the thumbprint registered by the user, is reported to have recognised both of user Lisa Neilson’s thumbprints and both of her husband’s.

Patch

Samsung is reported to have acknowledged the fault and to be in the process of preparing a software patch to fix it.

Google Pixel ‘Face Unlock’ Issue

It seems that Samsung isn’t the only company struggling to produce a biometric phone security system that works properly.

The BBC has recently reported that after testing Google’s Pixel 4 phone’s Face Unlock system, it was discovered that with normal default settings on, the phone could be unlocked even if the user’s eyes were closed. The problem with this is that the phone could potentially be unlocked by another unauthorised person while the user is asleep simply by holding the phone in front of the user’s face.

The phone does, however, offer a ‘lockdown’ mode which users can switch to in order to deactivate the facial recognition system altogether.

Biometrics – The Way Forward?

Even though multi-factor authentication is more secure than relying on just a password for authentication, a continued reliance on weak passwords and password sharing by users, coupled with more sophisticated cyber and phone crime techniques mean that there is a strong argument for biometric methods of authentication, and a move towards what Microsoft has recently described as a “passwordless future”.

What Does This Mean For Your Business?

Even though biometrics has been shown to make things much more difficult for cyber-criminals to crack, as the A10 and Pixel 4 security systems illustrate, biometrics have not been 100% successful to date and still need some work.  In fact, this is not the first time that a Samsung Galaxy has been in the news for a biometric issue. For example, a Reddit user recently claimed to have used a 3D printer to clone a fingerprint and then used that fake fingerprint to beat the in-display fingerprint reader on the Galaxy S10. Also, there was the report of the Twitter user who claimed to have fooled the Nokia 9 PureView’s fingerprint scanner by using somebody else’s finger, and then just a packet of chewing gum, and of the incident back in May 2017 where a BBC reporter said that he’d been able to fool HSBC’s biometric voice recognition system by passing his brother’s voice off as his own.

There is no doubt that the move away from passwords to biometrics is now underway, but we are still in the relatively early stages.

Food Writer Loses £5,000 in Phone ‘Simjacking’

Well known food writer, Jack Monroe, has reported falling victim to criminals who were able to steal £5,000 from her bank and payment accounts in a “Simjacking” attack.

What Is Simjacking?

Simjacking, simswapping or ‘phone hijacking’ involves criminals porting a person’s mobile phone number onto another SIM card. This is often carried out by criminals who, armed with the necessary personal data of an intended victim, go to a phone shop and pose as a customer who wants to switch to a different mobile provider but keep their existing phone number.

In some cases it may involve mobile operator or phone shop staff members being paid to carry out the crime.  One of the first clues that you may be a victim of Simjacking is when your phone suddenly stops working.

£5,000 Taken

In Jack Monroe’s case, the food writer said in a Tweet that her card details and PayPal information were taken from an online transaction which meant that when her phone number was ported onto a new SIM, the criminals were able to “access/bypass authentication” and therefore authorise payments from her account.  In another Tweet, Jack Monroe appears to imply that her date of birth may have been found by the criminals on Wikipedia.

With £5,000 being taken, Jack Monroe Tweeted that, despite being “absolutely absurdly paranoid about security”, not using publicly available email addresses on any financial accounts, using “gobbledegook” letter/number/special character passwords and having two-step authentication on all accounts, the criminals were still able to make purchases and withdraw cash using her account.

Jack Monroe Tweeted the amount taken, saying that the criminals had “HELPED THEMSELVES to around five thousand of them” (pounds). “Total figure not in yet. I’m so white-hot angry”.

Problem Not Addressed

The fact that the crime was committed against a celebrity and has been widely reported appears to have ignited discussion about an area that some feel the mobile industry may not have been addressing.

Mobile Connect – Alternative

The reports have also highlighted possible alternative mobile authentication systems that are available. One example is Mobile Connect, the GSMA’s secure universal log-in solution that matches a user to their mobile phone and is believed to represent a new standard in security.

What Does This Mean For Your Business?

The fact that simjacking is still quite a common crime, and not just in the UK, could highlight the fact that the mobile industry is not putting in enough effort and resources to eradicate the problem. In the UK, some commentators have called for an investigation by the Information Commissioner’s Office (ICO) to see if mobile operators are meeting their obligations to safeguard services and data under telecom privacy rules and GDPR.

The GSMA’s Mobile Connect secure login solution, if adopted and championed by mobile operators and banks, could be one way to begin tackling the security challenges posed by a lack of collaboration and standardisation (such as the security problems and breaches at the heart of crimes like Simjacking/phone number hijacking).

Tech Tip – Any.do

Any.do is an award-winning to-do list, calendar, planner and reminders app that can help you to increase your productivity and stay on top of things.

The app allows you to add tasks and manage shared projects, and to create a prioritised to-do list that you can actually stick to.

The app also gives you classic, location-based, recurring, missed-call and follow-up meeting reminders, while providing a calendar that can be turned into a powerful productivity tool.  You can also add tasks hands-free and use voice commands to manage your to-do lists.

The Any.do app is available on the Google Play Store and on Apple’s App Store.

Tech Tip – Twobird

New email client app ‘Twobird’ allows you to put all your emails in one place and create notes and reminders on the fly (and attaches the notes on emails).

Twobird has been billed as “a new kind of email app” that offers email at the speed of live chat.  It includes all your everyday tools – write emails, create notes, set reminders and assign to-dos – all in your inbox. If, for example, you’ve scheduled an appointment, it will alert you at just the right time.

Features include:

– Remind: allowing you to schedule an email or note to appear in your inbox later.

– Low Priority: so you can set aside automated messages so you don’t get distracted.

– Pinned and Recent: this lets you keep important notes and conversations easily accessible.

– Tidy Up: archives any inactive conversations so your inbox stays fresh.

Twobird is available in the Google Play store.

Windows Virtual Desktop Generally Available Now

Microsoft has announced that its Windows Virtual Desktop is now generally available worldwide on Azure and will include Windows 7 free Extended Security Updates for up to three years.

Windows Virtual Desktop

Windows Virtual Desktop from Microsoft, which was announced last September but has just been made generally available worldwide, is a Cloud-based ‘virtual’ version of Windows that can be accessed by employees from any device from anywhere, provides full multi-session, and is always up to date.  The Virtual Desktop has been designed with modern working practice in mind where not all employees sit in an office, use just one device or work from secure locations.

According to Microsoft, Windows Virtual Desktop is the only virtual desktop infrastructure (VDI) that can provide simplified management, multi-session Windows 10, optimisations for Office 365 ProPlus, as well as support for Remote Desktop Services (RDS) environments.

The Virtual Desktop enables Windows desktops and apps to be deployed and scaled on Microsoft’s Azure portal in minutes, and it includes built-in security and compliance features.

Supported Transition to Windows 10

One key sweetener of the new service for those companies facing the end of support for their old Windows 7 deployments is that it offers free extended security updates for the Windows 7 virtual desktop including more support options for previous app versions while users transition to Windows 10.

Migrate

Microsoft is keen to emphasise that its Virtual Desktop can work with your current Remote Desktop Services (RDS), and can therefore easily be migrated on Azure.

Trust

Microsoft is also keen to emphasise that businesses can trust the new Windows Virtual Desktop not least because Microsoft invests more than USD $1 billion annually on cybersecurity research and development, employs 3,500+ security experts, and Azure has more compliance certifications than any other cloud provider.

What Does This Mean For Your Business?

With Virtual Desktop, Microsoft is hoping to capitalise on the fact that many businesses have workers in multiple locations with multiple devices who need convenient and secure access to a constantly updated version of their desktop.  Microsoft also knows that companies are getting more confident about moving more of their infrastructure to the Cloud, and want a secure, scalable ‘as-a-Service’ offering where they don’t need to worry about having the expertise in-house.

The easy migration aspect of the service and the offer of extended Windows 7 support may be of value to businesses looking to make a leveraged move forward to Windows 10 and may help Microsoft retain valuable business customers.