We talk about iPhones here a lot, since they’re Apple devices, but some Mac users may use or want to use an Android phone, or may simply not have the coverage necessary to use an iPhone. While iPhone security issues always get a lot of coverage, it’s important to point out that other smartphones have problems as well. In particular, it turns out that many Android apps collect user data in ways that users are unaware of, and that “Android’s coarse-grained access control provides insufficient protection against third-party applications seeking to collect sensitive data,” according to a paper to be presented at the USENIX Symposium on Operating Systems Design and Implementation next week.
As CNET reports, researchers developed a tool called TaintDroid that “analyzes in real-time what potentially sensitive information is collected, including GPS data, phone number, contacts, IMEI (International Mobile Equipment Identity) number that identifies the device, and the SIM card serial number.” With this tool, they looked at 30 of the most popular Android apps, and determined that 2/3 of them collected such data.
While many people worry about security vulnerabilities in smartphone apps, data collection can be a more serious issue, given the types of confidential data these devices contain. It remains to be seen just what the companies behind these apps do with the data, but nothing prevents an app from “phoning home” and giving its developer more data than you would want it to. And, as The Register points out, “There are no guarantees apps for Apple’s iPhone or Research in Motion’s Blackberry would fare any better if subjected to the same scrutiny.”
United States law enforcement and security officials are planning to ask Congress to mandate that all devices that use the Internet to provide two-way communication – whether they be phones, websites or applications – have backdoors allowing for wiretap access if so requested. According to the New York Times, the Obama administration will submit a bill to Congress next year asking for this requirement. This will mean that all your Internet-enabled devices – your iMacs, MacBook Pros, your iPhones, your iPads, and even your iPod touches – and the software they use to communicate will be liable to be sniffed by the US government.
It’s not clear how this will be implemented, how any encryption used for communications will be dealt with, or how much work this would involve for software and hardware providers. Will those outside the US have to comply with such regulations, if their software is sold in the US, even over the Internet? What about small developers – will they have the same level of compliance requirements as large developers? There is also the risk that hackers can take advantage of any such backdoors that are available.
For now, this bill is in its early stages, but it could have major implications for the computer industry in general. We’ll be watching as this plays out.
Last week, we wrote about Adobe’s latest problems, with new flaws in Flash, Acrobat and Reader. Well, the company has rushed out a security fix for Flash, for all platforms, for a flaw that has been actively exploited on Windows computers. Adobe’s security bulletin gives more details about this.
As usual, users should download the latest version of Flash to protect themselves from this vulnerability.
Apple has issued a rare single-vulnerability security update for an AFP issue whereby “A remote attacker with knowledge of an account name on a target system may bypass the password validation and access AFP shared folders.” This is a critical flaw, and if Apple issued this update on its own, they certainly felt that it was essential to get it installed as soon as possible. This only affects Snow Leopard (Mac OS X 10.6), but all users should apply this update immediately by running Software Update, or downloading the updater from Apple’s Downloads page.
Full information is here.
Talented singer Lily Allen uses a Mac, and it turns out that her laptop got hacked. According to the UK daily The Sun, “the only way she can find out how is by taking legal action.”
Apparently she tried to get Apple to help find out who hacked her laptop, and not being satisfied with the results of this, she decided to sue.
If only she had VirusBarrier X6 on her laptop, perhaps this wouldn’t have happened. If she gets in touch with us, we’ll be happy to give her a free copy, to protect her from any future problems.
Google has issued a security update for its Chrome browser, fixing 10 flaws, one of which is a critical vulnerability affecting only the Mac version of the program. The Mac fix is, in fact, a correction to a fix of a previous bug.
Users can download the latest version of Chrome, 6.0.472.59, here.