Patch Android! June 2019 update fixes eight critical flaws

By John E Dunn

Unbeknown to most users, devices running supported versions of Android are supposed to get small amounts of new software every month, mostly security updates.

Unfortunately, as we pointed out in May, when and whether that happens is a matter of whim for each device’s manufacturer.

Updates for Google’s Pixel smartphones will arrive sometime this week – covering functional issues as well as security patches.

But if your device is made by another vendor, June’s Android patches could turn up any time from next month to some point later this year.

Given that June’s two patch levels (2019-06-01 and 2019-06-05) comprise only 13 CVEs plus another 9 from Qualcomm, this might not sound like that big a loss.

But if the same device is also missing previous updates, as many will be, the number of missing patches rises to dozens.

Amplifying the update confusion is Android’s version fragmentation, which gave Apple CEO Tim Cook cause to gloat when he mentioned at this week’s WWDC 2019 conference that the newest version of Android is still only running on 10% of Google’s mobile devices compared to 85% of iPhones running the latest iOS.

Read more at https://nakedsecurity.sophos.com/2019/06/05/patch-android-june-2019-update-fixes-eight-critical-flaws/

Apple bans ads, third-party tracking in apps meant for kids

By Lisa Vaas

On Monday, at its World Wide Developers Conference (WWDC), Apple had a big on-stage announcement of its new Sign In with Apple offering.

But it also made a less ballyhooed tweak: the company swept kids up in its privacy march.

On Monday, Apple updated the Kids category in its App Store developer guidelines to include a new ban on third-party advertising or analytics (which are ostensibly used for tracking) in content aimed at younger audiences.

Previously, the guidelines only restricted behavioral advertising tracking – e.g., advertisers weren’t allowed to serve ads based on kids’ activity, plus ads had to be appropriate for young audiences.

The current guidelines also (still) stipulate that apps can’t include links that take a user outside of the app, or other things that would “distract” kids, unless they’re behind a parental gate: a feature used in apps targeted at kids that keeps them from buying stuff or following links out of an app to websites, social networks, or other apps without the knowledge of their parent or guardian.

Apple also reminded developers to pay attention to privacy laws around the world when it comes to the data they collect from kids.

Read more at https://nakedsecurity.sophos.com/2019/06/05/apple-bans-ads-third-party-tracking-in-apps-meant-for-kids/

ATM skimming crook behind bars after draining bank accounts for 2 years

By Lisa Vaas

A Boston federal court on Monday sentenced a Romanian national to 65 months in federal prison for a multi-state ATM card-skimming scheme through which he and his gang drained $868,706 from 531 people’s bank accounts.

The Justice Department said that Bogdan Viorel Rusu, 38, was also sentenced to five years of supervised release and ordered to pay restitution and forfeiture of $440,130.

Rusu pleaded guilty in September 2018 to one count each of conspiracy to commit bank fraud, bank fraud, and aggravated identity theft. He had been arrested November 2016 and has been in custody since then.

ID’ed through his asylum application photos

According to court documents, video surveillance cameras picked up a man installing a pinhole camera and a skimmer device on a bank ATM machine located in Chicopee, Massachusetts in August 2014.

Thomas Roldan – a special agent with Homeland Security’s Immigration and Customs Enforcement (ICE) within the US Department of Homeland Security (DHS) – said in an affidavit that he identified Rusu based on photos that Rusu submitted in support of an asylum application to US Citizenship and Immigration, as well as Roldan’s own physical surveillance of the suspect.

The skimming devices were plugged in at around 16:26, and then the video cameras picked up footage of somebody else picking up the pinhole camera and skimmer a few hours later, at 20:01. Bank records showed that 85 customers used the ATM during that time, and 12 of them later reported losses totaling $8,399.43.

Next day, same thing, but this time, Rusu plugged in the skimming devices and picked them back up himself after a few hours. That time, customers lost $9,823.50.

Read more at https://nakedsecurity.sophos.com/2019/06/05/atm-skimming-crook-behind-bars-after-draining-bank-accounts-for-2-years/

Apple battles Facebook and Google with rival sign in service

By Danny Bradbury

Apple’s World Wide Developers Conference (WWDC) on Monday was full of surprises. One of them was a new feature designed to make signing in to apps and websites more private: ‘Sign In with Apple’.

You know how you’ve signed up for dozens of accounts on websites over the years? You have to enter your email address, choose a  password that meets requirements, store it (hopefully with a password manager)… and soon after comes the flood of junk mail from the site’s needy marketing team.

Some folks use a throwaway-email address service for each new account. But what if you want to see some of that mail? And how sure are you that the dummy address won’t get reused in the future by someone else? And how do you know if the website’s going to store your password securely?

The other option is to use a single sign-on service from one of the two big providers: Google or Facebook. When you see a ‘Sign In With Google’ or ‘Sign In With Facebook’ button on a web site, it’s offering to let you use your Google or Facebook ID for a quick, one-click sign up or sign on, no password required, as long as you’re signed into Google or Facebook.

The problem with services like these is that the companies running them (and their hidden partners) end up knowing more about you than your grandmother.

Sign In with Apple is Cupertino’s privacy-conscious version of those services. The idea is to make signing in – and signing up – to websites as simple as possible, without having to provide any personal information.

Read more at https://nakedsecurity.sophos.com/2019/06/05/apple-battles-facebook-google-with-rival-sign-in-service/

Synthetic clicks and the macOS flaw Apple can’t seem to fix

By John E Dunn

What’s more embarrassing than a researcher revealing a security oversight in a company’s software?

In the case of Apple, it would be when that software, macOS 10.15 ‘Catalina’, hasn’t even shipped to users yet.

The bearer of bad news was noted researcher Patrick Wardle of Digita Security, who used last weekend’s Objective by the Sea conference in advance of macOS 10.15’s launch this week to reveal a weakness through which malicious apps could exploit ‘synthetic clicks’ – automated clicks or keystrokes made by an app in the interests of accessibility.

Hijacking this, malware could automatically generate synthetic clicks to bypass prompts that ask the user to authorize actions such as installing software, hijacking webcams and microphones, or accessing Apple’s Keychain password manager, none of which would be a good thing.

Because macOS security depends on the response to such alerts, malware that can simulate these clicks on behalf of the user would have a dangerous amount of power.

In 2017 it was realized that FruitFly malware had adopted the technique as far back as 2008, as did DevilRobber in 2011 and Genieo in 2014, so the threat is more than theoretical.

The flaw

To counter this, Apple introduced a whitelist that limited access to synthetic clicks to applications approved by the user.

However, for reasons of backwards compatibility it was discovered that Apple had built in some exceptions to this rule through the Transparency Consent and Control system (TCC), including for the open source VLC media layer, Adobe Dreamweaver, and the Steam games platform.

Read more at https://nakedsecurity.sophos.com/2019/06/04/synthetic-clicks-and-the-macos-flaw-apple-cant-seem-to-fix/