

As ever, a vulnerability with a popular app installed on tens of millions of devices provides a large attack surface for a targeted campaign. Check Point also warns that the vulnerability can be used to “inject code into enterprise applications to gain access to corporate resources or into social media applications to spy on the victim and use location access to track the device.” This becomes a soft entry point to steal credentials for a corporate network, for example, or to track persons of interest.

If you need convincing as to the severity of this, then let’s look at some of the apps that have just recently patched this vulnerability. Grindr told me that “we are grateful for the Check Point researcher who brought the vulnerability to our attention today. Our team quickly responded, and we have already issued a hotfix… We will continue to enhance our practices to proactively address these and similar concerns as we continue our commitment to our users.” And OkCupid confirmed “we were notified by Check Point earlier this week and have already released the fix. We’re grateful to partners like Check Point who together with OkCupid, put the safety and privacy of our users first.” ī told me “we can confirm we have already addressed this vulnerability with a patch to our Android app on November 11.” And Cisco confirmed that “on December 1, published software updates for the Cisco WebEx Teams mobile app for Android that include fixed versions of the Google Play Core Library that contains the security vulnerability.”

Check Point also lists Viber, Yango Pro and even Microsoft Edge among those apps it tested and says it found to be vulnerable, none of which responded to requests for comment before publishing. Moovit, which was also named, confirmed after publication that it had issued a fix. But to single any out would be misleading: these are just the ones Check Point “randomly” happened to test and name. It’s the “countless” other apps that haven’t been tested by Check Point and so haven’t been notified that is the real issue here. One can assume those apps have patched or will soon patch the problem; it just requires the updated Google library.

On one level, Google can’t do much about this. It’s for developers to manage the security of their apps. But, in truth, Google could mandate the fix and test apps in its Play Store to ensure they are running the updated library.

The unhappy situation here is that those “hundreds of millions” of users can’t know which apps have been patched and which have not. And so advising users to update or delete apps is impossible. As Forbes cybersecurity contributor Davey Winder said on his move from Android to iPhone, “four words explain it: security, privacy, fractured, ecosystem… I've been growing increasingly unhappy when it comes to security updates.” But Android is much more fragmented and less well policed than iOS; that’s why those iPhone users feel better protected.
