It’s been a bad week for mobile security: At the Blackhat Summit in London, NowSecure’s Ryan Welton outlined a vulnerability that could put as many as 600 million Samsung Galaxy users at risk. Meanwhile, a separate group of researchers demonstrated flaws in Apple’s iOS and OS X that could allow hackers to steal passwords and other information from apps on a device.
As Ars Technica reports, the Samsung exploit works through a weakness in the devices’ keyboard software, which occasionally scans for updates. Hackers can interfere with this process, installing malware that could allow them to remotely control a wide range of the phone’s functions. Among other things, Ars’ Dan Goodin explains, they could “surreptitiously monitor the camera and microphone, read incoming and outgoing text messages, and install malicious apps.”
Because this update operation happens in the background without user intervention, there’s little that owners of the devices can do to prevent it. And though Samsung has already provided a patch to mobile network operators, it’s unclear how quickly—and widely—it will be adopted since Samsung can’t force operators to implement it. Users can avoid unsecured networks, but it’s not clear whether this will be sufficient.
By contrast, the holes in Apple’s OSs may be easier for users to avoid, but they’re similarly dangerous for those who stumble into them. The researchers were able to use an app that was approved by the Apple Store to access and interfere with resources shared by other apps. Most notably, as they explain in their paper, this attack allowed them to acquire information like passwords, granting them access to “sensitive user data, like the notes and user contacts under Evernote and photos under WeChat.”
In the Register, Darren Pauli explains that these Apple vulnerabilities, which the researchers reported to Apple in October 2014, have yet to be repaired. Ben Lovejoy of 9to5Mac sensibly proposes that users of Apple products can take two steps to stay safe: They should “be cautious in downloading apps from unknown developers” and, more generally, resist the temptation to let browsers and password managers “store your most sensitive logins, such as for online banking.”