Biz & IT

This Week in Apps: Black Friday’s boost, security news and the year’s biggest apps

Welcome back to This Week in Apps, the Extra Crunch series that recaps the latest OS news, the applications they support and the money that flows through it all. What are developers talking about? What do app publishers and marketers need to know? How are politics impacting the App Store and app businesses? And which apps are everyone using?

This week we look at how the Black Friday weekend played out on mobile (including which non-shopping category saw a boost in revenue!), as well as a few security-related stories, TikTok’s latest bad press, plus Apple and Google’s best and most downloaded apps of 2019, and more.

Headlines

80% of Android apps are encrypting traffic by default

Google gave an update on Android security this week, noting that 80% of Android applications encrypt traffic by default, and that the percentage is higher for apps targeting Android 9 or higher, 90% of which encrypt traffic by default. Android protects traffic entering or leaving a device with TLS (Transport Layer Security). The new statistics follow from Android 7’s introduction of the Network Security Configuration in 2016, which lets app developers set their app’s network security policy through a declarative configuration file. Apps targeting Android 9 (API level 28) or higher automatically get a default policy that blocks unencrypted traffic for every domain. And since Nov. 1, 2019, all apps (including app updates) must target at least Android 9, Google says, which means the percentages will improve as more apps roll out their next updates.
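The Network Security Configuration is a small XML file, so the property Google is measuring can be audited per app. The following script is an added example, not Google’s code: it parses a constructed network_security_config.xml, applies the platform default described above (cleartext permitted below API level 28, blocked from 28 on) wherever the file is silent, and lists every host for which unencrypted HTTP would still be accepted. The sample file, the host names and the function names are all assumptions made for the example.

```python
"""Audit an Android Network Security Configuration for cleartext traffic."""
import xml.etree.ElementTree as ET

# Constructed sample network_security_config.xml (not from any real app):
# the base policy forbids cleartext, but one domain-config re-enables it for
# a legacy host, which is the weak setting an audit should surface.
SAMPLE_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy.example.com</domain>
    </domain-config>
    <domain-config>
        <domain includeSubdomains="false">api.example.com</domain>
    </domain-config>
</network-security-config>
"""


def _permitted(elem, inherited):
    """Read cleartextTrafficPermitted from an element, falling back to the
    value inherited from the enclosing config when the attribute is absent."""
    value = elem.get("cleartextTrafficPermitted")
    if value is None:
        return inherited
    return value.strip().lower() == "true"


def cleartext_policy(xml_text, target_sdk):
    """Return (base_allows_cleartext, {domain: allows_cleartext}).

    Platform default when the config is silent: cleartext is permitted for
    apps targeting API level < 28 and blocked for API level 28 and above.
    """
    platform_default = target_sdk < 28
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    base_allows = platform_default if base is None else _permitted(base, platform_default)
    domains = {}
    for dc in root.findall("domain-config"):
        allows = _permitted(dc, base_allows)  # domain-config inherits from base
        for d in dc.findall("domain"):
            domains[(d.text or "").strip()] = allows
    return base_allows, domains


def cleartext_findings(xml_text, target_sdk):
    """List where cleartext would be accepted: '<default>' for any host not
    covered by a domain-config, plus each domain-config host that allows it."""
    base_allows, domains = cleartext_policy(xml_text, target_sdk)
    findings = ["<default>"] if base_allows else []
    findings.extend(sorted(host for host, ok in domains.items() if ok))
    return findings


if __name__ == "__main__":
    print(cleartext_findings(SAMPLE_CONFIG, 28))                  # ['legacy.example.com']
    print(cleartext_findings("<network-security-config/>", 27))  # ['<default>']
    print(cleartext_findings("<network-security-config/>", 28))  # []
```

The script only walks top-level domain-config elements; nested domain-config blocks and pin-set handling are left out to keep the check focused on the cleartext setting. An empty configuration demonstrates the point of the article: with nothing configured, the outcome depends entirely on the target API level.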

Black Friday boosted mobile game revenue to a record $70M

U.S. sales holiday Black Friday wasn’t just good for online shoppers, who spent a record $7.4 billion in sales, $2.9 billion from smartphones. It also boosted iOS and Android mobile game revenue to a single-day record of $69.7 million in the U.S., according to Sensor Tower. This was the most revenue ever generated in a single day for the category, and it represents a 25% increase over 2018. Marvel Contest of Champions from Kabam led the day with approximately $2.7 million in player spending. Two titles from Playrix — Gardenscapes and Homescapes — also won big, with $1 million and $969,000 in revenue, respectively.

These increases indicate that consumers are looking for all kinds of deals on Black Friday, not just those related to holiday gift-giving. They’re also happy to spend on themselves in games. Mobile publishers caught on to this trend and offered special in-game deals on Black Friday which really paid off.

Did Walmart beat Amazon’s app on Black Friday?

Sensor Tower and Apptopia said it did. App Annie also said it did, but later took it back (see update). In any event, it must have been a close race. According to Sensor Tower, Walmart’s app reached No. 1 on the U.S. App Store on Black Friday with 113,000 new downloads, a year-over-year increase of 23%. Amazon had 102,000 downloads, making it No. 2.

Arguably, many Amazon shoppers already have the app installed, so this says more about Walmart’s e-commerce growth than it does about any ding on Amazon.

In fact, Apptopia said that Amazon still had 162% more mobile sessions over the full holiday weekend, meaning Amazon was shopped more than Walmart.

More broadly, mobile shopping is still huge on Black Friday. The top 10 shopping apps grew their new installs by 11% over last year on Black Friday, to reach a combined 527,000 installs.

Report: Android Advanced Protection Program could prevent sideloading

Google’s Advanced Protection Program protects the accounts of those at risk of targeted attacks, such as journalists, activists, business leaders and political campaign teams. This week, 9to5Google found the program may get a new protection feature with the ability to block sideloading of apps, according to an APK breakdown. What’s not yet clear is whether program members will have the option to disable the protection, though there are some indications that may be the case. Another feature the report uncovered appears to show that Play Protect will automatically scan all apps, including those from outside the Play Store. This won’t affect the majority of Android users, of course, but it is an indication of where Google believes security risks may be found: sideloaded apps.

Bug hunter suggests Security.plist standard for apps

Microsoft issues emergency patches for 4 exploited 0-days in Exchange

Microsoft is urging customers to install emergency patches as soon as possible to protect against highly skilled hackers who are actively exploiting four zero-day vulnerabilities in Exchange Server.

The software maker said hackers working on behalf of the Chinese government have been using the previously unknown exploits to hack on-premises Exchange Server software that is fully patched. So far, Hafnium, as Microsoft is calling the hackers, is the only group it has seen exploiting the vulnerabilities, but the company said that could change.

“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,” Microsoft Corporate Vice President of Customer Security & Trust Tom Burt wrote in a post published Tuesday afternoon. “Promptly applying today’s patches is the best protection against this attack.”

Burt didn’t identify the targets other than to say they are businesses that use on-premises Exchange Server software. He said that Hafnium operates from China, primarily for the purpose of stealing data from US-based infectious disease researchers, law firms, higher-education institutions, defense contractors, policy think tanks, and nongovernmental organizations.

Burt added that Microsoft isn’t aware of individual consumers being targeted or that the exploits affected other Microsoft products. He also said the attacks in no way are connected to the SolarWinds-related hacks that breached at least nine US government agencies and about 100 private companies.

The zero-days are present in Microsoft Exchange Server 2013, 2016, and 2019. The four vulnerabilities are:

  • CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allowed the attackers to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is when untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave Hafnium the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
  • CVE-2021-26858, a post-authentication arbitrary file write vulnerability. If Hafnium could authenticate with the Exchange server, then it could use this vulnerability to write a file to any path on the server. The group could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
  • CVE-2021-27065, a post-authentication arbitrary file write vulnerability. If Hafnium could authenticate with the Exchange server, then it could use this vulnerability to write a file to any path on the server. It could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

The attack, Burt said, included the following steps:

  1. Gain access to an Exchange server either with stolen passwords or by using the zero-days to disguise the hackers as personnel who should have access
  2. Create a web shell to control the compromised server remotely and
  3. Use that remote access to steal data from a target’s network

As is usual for Hafnium, the group operated from leased virtual private servers in the US.

More details, including indicators of compromise, are available here and here.

Microsoft credited security firms Volexity and Dubex with privately reporting different parts of the attack to Microsoft and assisting in the investigation that followed. Businesses using a vulnerable version of Exchange Server should apply the patches as soon as possible.

Rookie coding mistake prior to Gab hack came from site’s CTO

Gab.com

Over the weekend, word emerged that a hacker breached far-right social media website Gab and downloaded 70 gigabytes of data by exploiting a garden-variety security flaw known as an SQL injection. A quick review of Gab’s open source code shows that the critical vulnerability—or at least one very much like it—was introduced by the company’s chief technology officer.

The change, which in the parlance of software development is known as a “git commit,” was made sometime in February from the account of Fosco Marotto, a former Facebook software engineer who in November became Gab’s CTO. On Monday, Gab removed the git commit from its website. Below is an image showing the February software change, as shown from a site that provides saved commit snapshots.

The commit shows a software developer using the name Fosco Marotto introducing precisely the type of rookie mistake that could lead to the kind of breach reported this weekend. Specifically, line 23 strips the code of “reject” and “filter,” which are API functions that implement programming idioms that protect against SQL injection attacks.

Developers: Sanitize user input

These idioms “sanitize” the inputs that website visitors enter into search boxes and other web fields to ensure that any malicious commands are stripped out before the text is passed to backend servers. In their place, the developer added a call to the Rails “find_by_sql” method, which accepts a raw query string, unsanitized input included. Rails is a widely used website development toolkit.
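To show concretely why a query string built from raw input is dangerous, and what the safe form looks like, here is an added example that is not Gab’s, Mastodon’s or Rails’ code. It mirrors the pattern the article describes (a search term interpolated straight into SQL, as with find_by_sql on an interpolated string) beside the bound-parameter form, and runs both against a constructed table using Python’s built-in sqlite3 so it works offline. The table name, column names, rows and search functions are all assumptions made for the example.

```python
"""SQL injection via a string-built query, beside the parameterized form."""
import sqlite3


def make_db():
    """Constructed sample data (not real Gab data): a tiny 'statuses' table
    holding public and private posts, in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE statuses (id INTEGER, visibility TEXT, text TEXT)")
    conn.executemany("INSERT INTO statuses VALUES (?, ?, ?)", [
        (1, "public", "hello world"),
        (2, "public", "another public post"),
        (3, "private", "private note"),
    ])
    return conn


def search_vulnerable(conn, term):
    """Interpolates the search term into the SQL text. The term is meant to be
    data, but because it is spliced into the statement it can close the
    quoted string and append its own conditions, so the visibility filter
    can be bypassed. This is the flaw the article describes."""
    sql = (
        "SELECT text FROM statuses "
        f"WHERE visibility = 'public' AND text LIKE '%{term}%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Binds the search term as a parameter. The database driver keeps it as
    a value for the LIKE comparison no matter what characters it contains,
    so the statement's structure cannot change."""
    sql = "SELECT text FROM statuses WHERE visibility = 'public' AND text LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


if __name__ == "__main__":
    db = make_db()
    # A term constructed to break out of the quoted string and comment out
    # the rest of the statement; the vulnerable search returns every row,
    # private posts included, while the safe search matches nothing.
    probe = "' OR 1=1 --"
    print(search_vulnerable(db, "hello"))   # ['hello world']
    print(search_vulnerable(db, probe))     # includes 'private note'
    print(search_safe(db, probe))           # []
```

The Rails equivalent of search_safe is to pass bind values rather than an interpolated string, for example `where("text LIKE ?", "%#{term}%")` or `find_by_sql(["... WHERE text LIKE ?", "%#{term}%"])`, which applies the same escaping the “reject” and “filter” idioms provided. Note that parameter binding protects the statement structure only; if `%` and `_` in user input should not act as LIKE wildcards, they still need to be escaped separately.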

“Sadly Rails documentation doesn’t warn you about this pitfall, but if you know anything at all about using SQL databases in web applications, you’d have heard of SQL injection, and it’s not hard to come across warnings that find_by_sql method is not safe,” Dmitry Borodaenko, a former Production Engineer at Facebook who brought the commit to my attention wrote in an email. “It is not 100% confirmed that this is the vulnerability that was used in the Gab data breach, but it definitely could have been, and this code change is reverted in the most recent commit that was present in their GitLab repository before they took it offline.”

Marotto didn’t respond to an email seeking comment for this post. Attempts to contact Gab directly didn’t succeed.

Revisionist history

Besides the commit raising questions about Gab’s process for developing secure code, the social media site is also facing criticism for removing the commits from its website. Critics say the move violates terms of the Affero General Public License, which governs Gab’s reuse of Mastodon, an open source software package for hosting social networking platforms.

Critics say the removal violates terms that require forked source code be directly linked from the site. The requirements are intended to provide transparency and to allow other open source developers to benefit from the work of their peers at Gab.

Gab had long provided commits at https://code.gab.com/. Then, on Monday, the site suddenly removed all commits—including the ones that created and then fixed the critical SQL injection vulnerability. In their place, Gab provided source code in the form of a Zip archive file that was protected by the password “JesusChristIsKingTrumpWonTheElection” (minus the quotation marks).

Representatives from the Mastodon project didn’t immediately respond to an email asking if they shared the critics’ concerns.

Besides questions about secure coding and license compliance, the Gab git commits also appear to show company developers struggling to fix their vulnerable code. The image below shows someone using the username “developer” trying unsuccessfully to fully fix the code containing the SQL injection vulnerability.

Thread participants respond by sarcastically pointing out the difficulty the developer seemed to be having.

Gab’s security breach and behind-the-scenes handling of code before and after the incident provide a case study for developers on how not to maintain the security and code transparency of a website. The lesson is all the more weighty given that the submission used the account of Gab’s CTO, who among all people should have known better.

Donald Trump is one of 15,000 Gab users whose account just got hacked

The founder of the far-right social media platform Gab said that the private account of former President Donald Trump was among the data stolen and publicly released by hackers who recently breached the site.

In a statement on Sunday, founder Andrew Torba used a transphobic slur to refer to Emma Best, the co-founder of Distributed Denial of Secrets. The statement confirmed claims the WikiLeaks-style group made on Monday that it obtained 70GB of passwords, private posts, and more from Gab and was making them available to select researchers and journalists. The data, Best said, was provided by an unidentified hacker who breached Gab by exploiting a SQL-injection vulnerability in its code.

“My account and Trump’s account were compromised, of course as Trump is about to go on stage and speak,” Torba wrote on Sunday as Trump was about to speak at the CPAC conference in Florida. “The entire company is all hands investigating what happened and working to trace and patch the problem.”

An important data set

GabLeaks, as DDoSecrets is calling the leak, comes almost eight weeks after pro-Trump insurrectionists stormed the US Capitol. The rioters took hundreds of thousands of videos and photos of the siege and posted them online. Mainstream social media sites removed much of the content because it violated their terms of service.

“The Gab data is an important, but complicated dataset,” DDoSecrets personnel wrote in a post on Monday morning. “In addition to being a corpus of the public discourse on Gab, it includes every private post and many private messages, as well. In a simpler or more ordinary time, it’d be an important sociological resource. In 2021, it’s also a record of the culture and the exact statements surrounding not only an increase in extremist views and actions, but an attempted coup.”

Gab and a competing site called Parler were some of the last refuges that allowed much of the content to remain publicly available. Amazon and web hosting providers later cited a lack of adequate content moderation in suspending service to Parler.

Shortly before the shuttering, however, somebody found a way to use Parler’s publicly available programming interfaces to scrape about 99 percent of the user content from the site and subsequently make it publicly available.

While law enforcement groups likely had other ways to obtain the Parler data, its public availability enabled a much wider body of people to do their own research and investigations. The leak was especially valuable because materials contained metadata that’s usually stripped out before users can download videos and images. The metadata gave people the ability to track the precise timelines and locations of filmed participants.

DDoSecrets said that the 70GB GabLeaks contains over 70,000 plaintext messages in more than 19,000 chats by over 15,000 users. The dump also shows passwords that are “hashed,” a cryptographic process that converts plaintext into unintelligible characters. While hashes can’t be converted back into plaintext, cracking them can be trivial when websites choose weak hashing schemes. (Best told Ars they didn’t know what hashing scheme was used.) The leak also includes plaintext passwords for user groups.

Hate-speech haven

Gab has long been criticized as a haven for hate speech. In 2018, Google banned the Gab app from its Play Store for terms of service violations. A year later, web host GoDaddy terminated service to Gab after one of its users took to the site to criticize the Hebrew Immigrant Aid Society shortly before killing 11 people in a Pittsburgh synagogue.

Gab has also been investigated by Pennsylvania’s attorney general. In January, the Anti-Defamation League called on the US Justice Department to investigate Gab for its role in the insurrectionist attack on the capitol.

Attempts to reach Torba for comment didn’t succeed.

Best said that DDoSecrets is making GabLeaks available only to journalists and researchers with a documented history of covering leaks. People can use this link to request access.
