UNCERTAIN APPS: millions of customer data at risk

by Rudolf Faix Sunday, May 31, 2015 5:51 AM

Still are app developers careless with user data. A study by the Fraunhofer SIT showed that several million records are at risk in the cloud - for a lax handling of authentication.

Hand coming out of the monitor for typingDevelopers are still storing unprotected preferred secret keys and tokens for access to the cloud storage in their apps. With little effort it can get read. For this criminals can get access to databases such as the Amazon Web Services (AWS) or Facebook. By this way are up to 56 million records compromised, estimates the Fraunhofer Institute for Security in Information Technology (SIT).

Together with the Technical University of Darmstadt and expert from Intel examined the Fraunhofer SIT in an automated process about two million apps in Google Play Store and Apple's App Store. In many has been the simplest form of authentication for access to cloud providers implemented. The developers are probably not aware of how inadequate the information are protected and getting collected by the Apps Data.

Unrestricted access to customer data

In their experiments, the scientists could not only read highly personal information, such as who are friends with whom Facebook or health information, from some app users. Using the secret key actually they could read complete user databases or even could manipulate them.

The report concludes that user cannot become actively protect. You should be careful what app you entrust personal information. Developers, however, should be better informed of the safety precautions of the cloud provider and implement more restrictive access controls in their apps. The researchers have already informed some developers on the most critical vulnerabilities.

Cloud providers have to act

Even with the providers of cloud services is the Fraunhofer SIT in contact. Both, Amazon and Facebooks Parse.com, Google and Apple have been informed of the findings too. The cloud providers also incumbent responsibility to bring the app developers to use not only the most vulnerable authentications. In addition, the cloud provider should make not convenient, but the safest possible standards mandatory.

The problem is not new. Already in June 2014 did researchers of the New York's Columbia University, a similar investigation and covered a distance of thousands of secret access token for Amazon Web Services open. The researchers then criticized that many developers did not follow the recommended conversions when programming their Apps and imbedded secret keys directly into the source code. They are apparently unaware of how simple source code can be translated back. In March 2014 researchers had discovered ten thousands of AWS credentials on Github.

 

Be careful with the instant message that crashes iPhones and iWatch

by Rudolf Faix Sunday, May 31, 2015 4:21 AM

Newfound iOS bug triggers wave of instant messages that causes iDevice reboot loop.

iWatchThere's yet another iOS bug that causes Apple gadgets to crash when they get instant messages containing a string of extraordinary characters. With further finessing, the same endeavor may have the capacity to assault Macs, since OS X is likewise not able to process the same mix of characters, which are in fact known as glyphs.

As indicated by individuals researching the bug on reddit, the content reasons iPhones running different variants of iOS to expeditiously crash. A whirlwind of Twitter clients, irate that their gadgets succumbed to instant messages, demonstrates that the bug is bringing on issues. Apple will in all likelihood issue a fix. Meanwhile, clients can secure themselves against the irritation message by going to framework settings, exploring to Notifications>Messages>Show Previews, and switching it to off. 

iPhoneThat change will forestall assaults that are as of now coursing on the web, yet it may not prevent scoundrels from discovering better approaches to crash individuals' iDevices. As per reddit the string messages sent over WhatsApp might likewise trigger the accident. What's more, contingent upon the way individual applications parse Unicode glyphs, different projects may do likewise. The bug can likewise trek up OS X, in spite of the fact that the assault obliges an objective to connect or glue a malevolent record into the Mac terminal, as indicated by an analyst who passes by the Twitter handle Hacker Fantastic.

Programmer Fantastic has tweeted a mixture of other fascinating specialized points of interest. The bug, he reported, lives in a piece of the working framework that procedures Unicode glyphs and reasons a string to be composed to a specific memory area. The bug is fixed to the way flag warnings process Unicode, reddit user sickestdancer98 reported. The pennant is not able to show the content and in the long run crashes the whole OS. 

While the bug is legitimately viewed basically as an aggravation, refusal of-administration vulnerabilities can frequently be the consequence of genuine defects that, with more work, can be misused to perform code-execution assaults. Furthermore, notwithstanding when more vindictive adventures aren't conceivable, DoS openings can infrequently show open doors for blackmailers or individuals hoping to upset huge occasions for occurrence individuals at a meeting. Anticipate that Apple will discharge a patch in the advancing week or somewhere in the vicinity.

 

Follow me

Tag cloud

AboutMe

I'm since more then 35 years in the computer business (programming and technical support) and using the Internet since it has started. Since 2002 I'm programming solutions for Asterisk and since 2004 I'm in the call center industry.

Disclaimer

All data and information provided on this site is for informational purposes only. I make no representations as to accuracy, completeness, currentness, suitability, or validity of any information on this site and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis. By browsing or using content from this site you accept the full legal disclaimer of this website.


web page counter code