{"id":27851,"date":"2022-09-02T08:35:56","date_gmt":"2022-09-02T12:35:56","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=501056"},"modified":"2022-09-02T10:03:51","modified_gmt":"2022-09-02T14:03:51","slug":"cyber-security-today-sept-2-2022-hundreds-of-insecure-mobile-apps-found-guidance-for-securely-creating-software-and-an-uproar-over-american-police-cellphone-tracking","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/cyber-security-today-sept-2-2022-hundreds-of-insecure-mobile-apps-found-guidance-for-securely-creating-software-and-an-uproar-over-american-police-cellphone-tracking\/","title":{"rendered":"Cyber Security Today, Sept. 2, 2022 \u2013 Hundreds of insecure mobile apps found, guidance for securely creating software and an uproar over American police cellphone tracking"},"content":{"rendered":"<p data-ar-index=\"0\">Hundreds of insecure mobile apps found, guidance for securely creating software and an uproar over American police cellphone tracking.<\/p>\n<p data-ar-index=\"1\">Welcome to Cyber Security Today. It\u2019s Friday September 2nd, 2022. 
I\u2019m Howard Solomon, contributing reporter on cybersecurity for <em>ITWorldCanada.com.<\/em><\/p>\n<p data-ar-index=\"4\"><strong>Just over 1,800 poorly-created mobile apps<\/strong> for the iPhone\/iPad and Android platforms have been discovered by security researchers. 
The problem: Almost three-quarters of the apps included valid tokens that allowed access to Amazon AWS servers. And many had tokens that would also have given full access to millions of private files held in Amazon S3 storage buckets. The tokens were buried in the code of the apps and could have been found and exploited by hackers. The victims would have been companies the developers were creating the apps for. In one case over 300,000 digital fingerprints were leaked by five mobile banking apps. The IT infrastructure of 16 online gambling apps was also open to being hacked.<\/p>\n<p data-ar-index=\"5\">Researchers at Symantec,<a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/mobile-supply-chain-aws\" rel=\"noopener\"> who made the discovery<\/a>, believe these hard-coded access keys were inadvertently added to the apps by developers who inserted what they thought were trusted components into their software code. Or they may have needed to use a hard-coded access key for a function but forgot to time-limit the key for security. Mistakes like this can be avoided if software developers use security scanning tools before finally releasing an application. If a company uses an outsourced provider, the developer should have to submit a mobile app report card showing how the app was tested. It\u2019s vital that third-party software development kits and frameworks be examined before being included in applications.<\/p>\n<p data-ar-index=\"6\"><strong>This and other kinds of software supply chain problems<\/strong> can be limited if developers follow guidance <a href=\"https:\/\/www.nsa.gov\/Press-Room\/Press-Releases-Statements\/Press-Release-View\/Article\/3146465\/nsa-cisa-odni-release-software-supply-chain-guidance-for-developers\/\" rel=\"noopener\">released this week by the U.S. 
National Security Agency and the Cybersecurity and Infrastructure Security Agency.<\/a> The 64-page guidance lists best practices for securely creating applications, verifying third-party components they include and hardening an app to prove it hasn\u2019t been tampered with.<\/p>\n<p data-ar-index=\"7\"><strong>Instagram users are being suckered<\/strong> into giving away their passwords and personal information. How? They are falling for an offer to have their profile verified with a blue checkmark badge. That\u2019s a sign beside their name that shows the person doing the posting is the real John Smith and not an impersonator. The victim thinks the offer comes from Instagram and clicks a link to fill in the attached form. However, <a href=\"https:\/\/www.vadesecure.com\/en\/blog\/instagram-phishing-campaign-hackers-exploit-social-verification\" rel=\"noopener\">researchers at Vade Secure point out<\/a> the email of the sender and grammatical errors show this is a scam. Neither Instagram nor Facebook will contact users for creating a blue badge. People have to apply.<\/p>\n<p data-ar-index=\"8\"><strong>Finally,<\/strong> police in nearly 24 American jurisdictions have been using a cellphone tracking tool allowing them to create a history of people\u2019s movements. Sometimes,<a href=\"https:\/\/www.securityweek.com\/tech-tool-offers-police-mass-surveillance-budget\" rel=\"noopener\"> according to the Associated Press,<\/a> police don\u2019t get a search warrant to access the location data. That\u2019s because the data is captured by cellphone apps like Waze, Starbucks and others and sold by them to a company called Fog Data Science. That company calls the data \u2018advertising identification numbers\u2019 that are put on individuals\u2019 smartphones by these mobile apps. That\u2019s different, the company says, from the ID numbers assigned by cellphone carriers when you buy a phone. 
The implication is this isn\u2019t a violation of people\u2019s rights under the U.S. Constitution because they knowingly install apps on their phones. It isn\u2019t clear if that\u2019s true, or if this violates state privacy laws. It isn\u2019t known if police in Canada use this service.<\/p>\n<p data-ar-index=\"9\">The Electronic Frontier Foundation<a href=\"https:\/\/www.eff.org\/deeplinks\/2022\/06\/what-fog-data-science-why-surveillance-company-so-dangerous\" rel=\"noopener\"> also released a report on this.<\/a> It notes that while the so-called advertising identification data that police scan doesn\u2019t have a device user\u2019s name or address, that can be figured out by following the data that shows a device regularly stops at a residence at night.<\/p>\n<p data-ar-index=\"10\">Later today the Week in Review edition will be out. Guest commentator Terry Cutler of Montreal\u2019s Cyology Labs will talk about women in cybersecurity and more.<\/p>\n<p data-ar-index=\"11\">Links to details about podcast stories are in the text version at <em>ITWorldCanada.com.<\/em><\/p>\n<p data-ar-index=\"12\">Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.<\/p>\n<p data-ar-index=\"13\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-sept-2-2022-hundreds-of-insecure-mobile-apps-found-guidance-for-securely-creating-software-and-an-uproar-over-american-police-cellphone-tracking\/501056\">Cyber Security Today, Sept. 2, 2022 \u2013 Hundreds of insecure mobile apps found, guidance for securely creating software and an uproar over American police cellphone tracking<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This episode reports on an Instagram scam, poorly-created mobile apps and a new way U.S. 
police are tracking people with the help of apps yo<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[360,16],"tags":[389],"class_list":["post-27851","post","type-post","status-publish","format-standard","hentry","category-podcasts","category-security","tag-cyber-security-today"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/27851","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=27851"}],"version-history":[{"count":3,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/27851\/revisions"}],"predecessor-version":[{"id":27856,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/27851\/revisions\/27856"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=27851"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=27851"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=27851"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}