Author: Evan Schuman

Google finds a nation-state level of attacks on iPhone

When it comes to mobile security, users are routinely warned to be extremely careful: avoid suspicious links, emails, and attachments. But the growth of zero-click (no-click) attacks, which need no action from the victim at all, sidesteps these soft defenses.

Google recently drilled into one such attack, which happened to have hit an iPhone. “We assess this to be one of the most technically sophisticated exploits we've ever seen, further demonstrating that the capabilities (one vendor) provides rival those previously thought to be accessible to only a handful of nation states,” said the Google advisory.

To read this article in full, please click here

Apple is sneaking around its own privacy policy — and will regret it

Apple has a rather complicated relationship with privacy, which it always points to as a differentiator with Google. But delivering on it is a different tale. 

Much of this involves the definition of privacy. Fortunately for Apple’s marketing people, “privacy” is the ultimate undefinable term because every user views it differently. If you ask a 60-year-old man in Chicago what he considers to be private, you’ll get a very different answer than if you asked a 19-year-old woman in Los Angeles. Outside the US, privacy definitions vary even more. Germans and Canadians truly value privacy, but even they don’t agree on what they personally consider private.

When biometrics can be outsmarted this way, we need to talk

It’s one of the sad facts of mobile authentication that the industry tends to initially support the least effective security options. Hence, phones initially supported authentication based on fingerprints (which can be impacted by prescriptions, cleaning products, hand injuries, and dozens of other factors) and then moved on to facial recognition. 

In theory, facial recognition is supposed to be more accurate. Mathematically, that’s fair, as it is examining far more data points than scanning a fingerprint. But the reality in the real world is much more problematic. It requires a precise distance from the phone and yet offers no pre-scan markers for the user to know when they hit it correctly. That’s one reason I see facial recognition reject a scan roughly 40% of the time — even though it will approve a positive scan two seconds later.

Store your corporate card on an iPhone? Uh-oh

Apple and Google (and especially Visa) last week gave us yet another example of how security and convenience are often at odds with each other. And it looks like they opted for convenience.

The latest issue affects only a subset of iPhone and Android users — specifically, those who use their phones for mass transit payments. If you think of how subways work in a major city (I’ll use New York City as an example), they require extreme speed. Using facial recognition or entering a PIN right before paying to get on the subway would dramatically slow down the line.

Instead of allowing authentication to happen earlier — say, perhaps within five minutes of a transaction — or by accelerating the process to a split second, Apple, Google, and Visa apparently chose to forego any meaningful authentication. (Note: I am focusing on Visa because the hole still exists for it. MasterCard and others have already patched the flaw.)

Google now tells criminals when Chrome users are ‘idle.’ What could go wrong?

When Google released Chrome 94 for Android (and desktop), it slipped in some naughty capabilities via an API called Idle Detection.  

“The Idle Detection API notifies developers when a user is idle, indicating such things as lack of interaction with the keyboard, mouse, screen, activation of a screensaver, locking of the screen, or moving to a different screen. A developer-defined threshold triggers the notification,” Google said in a blog post. “Applications that facilitate collaboration require more global signals about whether the user is idle than are provided by existing mechanisms that only consider a user's interaction with the application's own tab.”
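The following is an added example, not code from the column or from Google, showing what a page actually does with the Idle Detection API and the checks a practitioner would want around it. Two facts about the API are worth knowing when weighing the alarm above: a page only receives idle events after the user grants a permission prompt (IdleDetector.requestPermission() must be called from a user gesture), and the spec refuses thresholds under 60 seconds. The function names watchIdle, summarizeIdleState and idleDetectionDenyHeader are my own; the browser calls are guarded so the file also runs under Node for the pure logic.

```javascript
// Added example (not from the column or from Google): how a page consumes the
// Idle Detection API, plus the pure decision logic a site (or a defender
// reviewing one) would reason about. Browser-only calls are guarded so the
// file also loads under Node.

// The spec requires a threshold of at least 60 seconds; smaller values throw.
const MIN_IDLE_THRESHOLD_MS = 60000;

// Returns true when `ms` is a legal threshold for IdleDetector.start().
function isValidIdleThreshold(ms) {
  return Number.isInteger(ms) && ms >= MIN_IDLE_THRESHOLD_MS;
}

// Collapse the two signals the API exposes into the one fact an observer cares
// about: is the person probably away from the device, and is the screen locked?
// userState is 'active' | 'idle'; screenState is 'locked' | 'unlocked'.
function summarizeIdleState(userState, screenState) {
  const idle = userState === 'idle';
  const locked = screenState === 'locked';
  let exposure;
  if (!idle) exposure = 'present';
  else if (locked) exposure = 'away-locked';
  else exposure = 'away-unlocked'; // nobody at the keyboard, screen still open
  return { idle, locked, exposure };
}

// A site enrols in idle notifications. Must run inside a user gesture (click,
// keypress) because requestPermission() shows a prompt. Resolves to a stop
// function, or null if the user declined. Browser only.
async function watchIdle(thresholdMs, onChange) {
  if (typeof IdleDetector === 'undefined') {
    throw new Error('Idle Detection API not available in this browser');
  }
  if (!isValidIdleThreshold(thresholdMs)) {
    throw new RangeError(`threshold must be an integer >= ${MIN_IDLE_THRESHOLD_MS} ms`);
  }
  const permission = await IdleDetector.requestPermission();
  if (permission !== 'granted') return null;

  const controller = new AbortController();
  const detector = new IdleDetector();
  detector.addEventListener('change', () => {
    onChange(summarizeIdleState(detector.userState, detector.screenState));
  });
  await detector.start({ threshold: thresholdMs, signal: controller.signal });
  return () => controller.abort(); // call this to stop receiving events
}

// Server-side counterpart for an organisation that does not want any page it
// serves to use the feature: a Permissions-Policy response header that denies
// the `idle-detection` policy-controlled feature to every origin, including
// the page itself and any embedded iframes.
function idleDetectionDenyHeader() {
  return { 'Permissions-Policy': 'idle-detection=()' };
}
```

In a browser, `watchIdle(60000, s => console.log(s.exposure))` would log `present`, `away-unlocked` or `away-locked` as the user comes and goes; the `away-unlocked` case is the one that matters for the concern raised above, since it tells the page a session is unattended but still open. Sites that do not need the signal can ship the header from `idleDetectionDenyHeader()` and the API is simply unavailable to scripts on those pages.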

How one coding error turned AirTags into perfect malware distributors

One of the more frightening facts about mobile IT in 2021 is that simplicity and convenience are far too tempting in small devices (think Apple Watch, AirTags, even rings that track health conditions, smart headphones, etc.).

Compared with their laptop and desktop ancestors, they make it far more difficult to check that URLs are proper, that spam/malware texts and emails don’t get opened, and that employees follow the minimal cybersecurity precautions IT asks of them. In short, as convenience ramps up, so do security risks. (Confession: Even though I try to be ultra-vigilant with desktop emails, I do periodically — far more often than I should — drop my guard on a message coming through my Apple Watch.)

On app tracking, both Android and iOS have to do better

Mobile app use continues to climb in enterprises worldwide, and it won’t be long before almost all employee/contractor communications take place over mobile devices. That’s why it’s such a threat to security and compliance that mobile apps have extensive access to everything on a device — and few limitations on what those apps can share.

Apple argues that it’s already doing something about this in iOS with its app tracking transparency push. But a report in The Washington Post last week undermines the company’s promises. Why? Because Apple has been trusting app vendors to actually do what they agree to do. (No one could have foreseen that blowing up.)

© 2022 Camel Larry

Theme by Anders Norén