on 14-Aug-2023 10:34
Hello everyone, this week your editor is Dharminder.
I am back again with another edition of This Week in Security. This week I have security news about Apple's new policy for developers, how Android malware slips onto the Google Play Store, and two joint cybersecurity advisories published by CISA: one on preventing web application access control abuse and one on the 2022 top routinely exploited vulnerabilities.
We in F5 SIRT invest a lot of time in understanding the constantly changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities and get you back up and running. So the next time you are facing a security emergency, please contact F5 SIRT.
OK, let's get started with the details of this week's security news.
If you are a developer who already has an app on Apple's App Store, or are planning to have one, you should know about this important announcement from Apple.
To protect user privacy on Apple's platforms and to prevent misuse of APIs that can collect data about users' devices for fingerprinting, Apple will soon start enforcing a policy that requires developers to select one or more approved reasons that accurately reflect how their app uses each such API; the app may then use the API only for the selected reasons. This helps ensure that apps use those APIs only for their intended purpose.
The list of APIs that require approved reasons, with detailed information on each, is available at https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_r...
Snippet of Apple’s Announcement.
“Starting in fall 2023, when you upload a new app or app update to App Store Connect that uses an API (including from third-party SDKs) that requires a reason, you’ll receive a notice if you haven’t provided an approved reason in your app’s privacy manifest. And starting in spring 2024, in order to upload your new app or app update to App Store Connect, you’ll be required to include an approved reason in the app’s privacy manifest which accurately reflects how your app uses the API. If you have a use case for an API with required reasons that isn’t already covered by an approved reason and the use case directly benefits the people using your app, let us know.”
According to Apple, the policy is being enforced to ensure that these APIs are not abused by app developers to collect device signals for fingerprinting, which could be used to uniquely identify users across different apps and websites for purposes such as targeted advertising.
https://thehackernews.com/2023/07/apple-sets-new-rules-for-developers-to.html
https://www.zdnet.com/article/developers-have-new-apple-app-store-rules-to-follow/
The Google Cloud security team has described a technique called versioning that malicious actors use to bypass the Google Play Store's review process and security controls and slip malware onto Android devices. Apps that use versioning mainly target users' credentials, data and finances.
How it works:
In the first stage, the developer publishes the app on the Play Store. Since the app contains no malicious component at that point, it passes Google's checks.
Once the checks are passed, the second stage kicks in: the attacker pushes an update from a third-party server under their control that delivers the malicious component using a method called dynamic code loading (DCL), so the malicious code never goes through Play's review. SharkBot is one example. It is a financial trojan that initiates unauthorized money transfers from compromised devices using the Automated Transfer Service (ATS) protocol.
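The two-stage flow above means the code that fetches and loads the second stage must already be in the version that passed review. The following Python script is an added example, not code from the original post or from Google, showing a cheap first-pass triage check a practitioner can run on an APK: unzip it, scan each classes*.dex for the Dalvik class descriptors of the in-app loaders (DexClassLoader, InMemoryDexClassLoader) and of a network primitive (HttpURLConnection), and flag the app only when both are present in the same dex. The indicator list is an illustrative assumption, not an exhaustive one, and the two sample APKs are constructed in memory for the demo, not real apps.

```python
"""Static heuristic for dynamic code loading (DCL) indicators in an APK.

Added example, not code from the original post or from Google Play.
A "versioned" app ships without its malicious component and pulls it at
runtime; the loader doing so must be in the shipped classes.dex, so its
class descriptors are a cheap first-pass triage signal. The indicator
tables and the sample APKs below are assumptions constructed for the demo.
"""
import io
import zipfile
from typing import Dict, List

# Dalvik descriptors that appear in classes.dex when an app can load code it
# did not ship with, and a network primitive commonly used to fetch it.
# (Assumption: illustrative, not exhaustive; reflection, native loaders and
# string obfuscation are other routes a real triage tool would cover.)
LOADER_INDICATORS = {
    b"Ldalvik/system/DexClassLoader;": "DexClassLoader",
    b"Ldalvik/system/InMemoryDexClassLoader;": "InMemoryDexClassLoader",
}
NETWORK_INDICATORS = {
    b"Ljava/net/HttpURLConnection;": "HttpURLConnection",
}


def scan_dex(dex: bytes) -> List[str]:
    """Return the names of every indicator whose descriptor appears in dex."""
    found = []
    for table in (LOADER_INDICATORS, NETWORK_INDICATORS):
        found.extend(name for needle, name in table.items() if needle in dex)
    return found


def scan_apk(apk_bytes: bytes) -> Dict[str, List[str]]:
    """Scan every classes*.dex inside an APK (a zip); map dex name -> hits."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                hits = scan_dex(apk.read(name))
                if hits:
                    findings[name] = hits
    return findings


def is_suspicious(findings: Dict[str, List[str]]) -> bool:
    """Flag only when one dex has both a loader and a network primitive:
    it can fetch code after review and run it. Either alone is common
    in clean apps, so it is not flagged by itself."""
    loaders = set(LOADER_INDICATORS.values())
    network = set(NETWORK_INDICATORS.values())
    return any(bool(loaders & set(h)) and bool(network & set(h))
               for h in findings.values())


def build_sample_apk(with_loader: bool) -> bytes:
    """Construct a minimal fake APK in memory (constructed sample, not an
    installable app): a stub manifest and a classes.dex-like string table."""
    dex = b"dex\n035\x00Landroid/app/Activity;\x00Ljava/lang/String;\x00"
    if with_loader:
        dex += b"Ldalvik/system/DexClassLoader;\x00Ljava/net/HttpURLConnection;\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_apk(False)),
                          ("loader", build_sample_apk(True))):
        findings = scan_apk(sample)
        print(label, findings, "SUSPICIOUS" if is_suspicious(findings) else "ok")
```

Descriptor strings sit verbatim in a real dex string table, so the same substring search works on a real APK (point `scan_apk` at `open("app.apk", "rb").read()`). It is a triage filter, not a verdict: a flagged app needs dynamic analysis of what it downloads and loads, and an app that hides the descriptors behind reflection or string encryption will pass it.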
Graphical representation:
https://thehackernews.com/2023/08/malicious-apps-use-sneaky-versioning.html
The Australian Signals Directorate's Australian Cyber Security Centre (ACSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. National Security Agency (NSA) have released a joint Cybersecurity Advisory to warn vendors, designers and developers of web applications, and organisations using web applications, about insecure direct object reference (IDOR) vulnerabilities.
IDOR vulnerabilities are access control vulnerabilities that enable malicious actors to modify or delete data, or access sensitive data, by issuing requests to a website or web API that specify the identifier of another valid user or object. These requests succeed where the application fails to perform adequate authentication and authorization checks for the object being requested.
Explaining IDOR further, the advisory talks about
IDOR vulnerabilities have resulted in the compromise of personal, financial and health information of millions of users and consumers. The advisory therefore encourages organisations to implement its mitigations along with the additional steps it describes.
Some of the mitigations provided in the advisory are: use indirect reference maps; configure applications to deny access by default and ensure the application performs authentication and authorization checks for every request to modify, delete or access sensitive data; use CAPTCHA to limit automated invalid user requests where feasible; and use memory-safe programming languages where possible.
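To make the first two mitigations concrete, here is an added Python example (not code from the advisory or from any real application) with the vulnerable lookup beside two hardened forms: an ownership check that denies by default and returns the same error for missing and foreign objects, and a per-session indirect reference map so the client never handles the real, guessable invoice id at all. The invoice store, user names and the `ReferenceMap` class are assumptions constructed for the demo.

```python
"""IDOR: vulnerable lookup beside the hardened forms.

Added example, not code from the advisory or from a real application.
INVOICES, the user names and ReferenceMap are constructed for the demo.
"""
import secrets
from typing import Dict, Optional, Tuple

Invoice = Tuple[str, str]  # (owner user id, amount)

# Constructed sample data: sequential ids are exactly what an attacker
# enumerates when the server never checks ownership.
INVOICES: Dict[int, Invoice] = {
    1001: ("alice", "42.00"),
    1002: ("bob", "99.50"),
}


class Forbidden(Exception):
    """Raised for any request the caller is not allowed to satisfy."""


def get_invoice_vulnerable(invoice_id: int) -> Optional[Invoice]:
    """IDOR: trusts the client-supplied id, no ownership check at all."""
    return INVOICES.get(invoice_id)


def get_invoice_checked(current_user: str, invoice_id: int) -> Invoice:
    """Deny by default: the object must exist AND belong to the caller.
    Missing and foreign objects get the same error so the endpoint does
    not become an oracle for which ids exist."""
    rec = INVOICES.get(invoice_id)
    if rec is None or rec[0] != current_user:
        raise Forbidden("not found")
    return rec


class ReferenceMap:
    """Indirect reference map held server-side, one per session: the client
    only ever sees random tokens, never the real ids."""

    def __init__(self) -> None:
        self._to_id: Dict[str, int] = {}
        self._to_token: Dict[int, str] = {}

    def token_for(self, real_id: int) -> str:
        tok = self._to_token.get(real_id)
        if tok is None:
            tok = secrets.token_urlsafe(16)  # unguessable, session-scoped
            self._to_token[real_id] = tok
            self._to_id[tok] = real_id
        return tok

    def resolve(self, token: str) -> Optional[int]:
        return self._to_id.get(token)


def list_invoices(current_user: str, refmap: ReferenceMap) -> Dict[str, str]:
    """Render only the caller's invoices, keyed by opaque token."""
    return {refmap.token_for(i): rec[1]
            for i, rec in INVOICES.items() if rec[0] == current_user}


def get_invoice_indirect(current_user: str, refmap: ReferenceMap,
                         token: str) -> Invoice:
    """Resolve the token through the session map, then still run the
    ownership check: defence in depth, the map is not the only gate."""
    real_id = refmap.resolve(token)
    if real_id is None:
        raise Forbidden("not found")
    return get_invoice_checked(current_user, real_id)


def attempt(fn, *args):
    """Call fn; return its result, or None when access is denied."""
    try:
        return fn(*args)
    except Forbidden:
        return None


if __name__ == "__main__":
    # Bob guesses Alice's sequential id.
    print("vulnerable:", attempt(get_invoice_vulnerable, 1001))
    print("checked:   ", attempt(get_invoice_checked, "bob", 1001))
    session = ReferenceMap()
    tokens = list_invoices("bob", session)
    print("indirect:  ", tokens, attempt(get_invoice_indirect, "bob", session, "1001"))
```

Note that the reference map alone is not the fix: a token resolves to a real id, and `get_invoice_indirect` still performs the ownership check, so a token copied from another session or a leaked real id both fail closed. The map's job is to remove guessable identifiers from the wire and make automated enumeration useless, which is also where the advisory's CAPTCHA and rate-limiting advice applies.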
I would highly recommend reading every detail of the advisory and taking the necessary steps to prevent web application access control abuse.
There is another Cybersecurity Advisory, on the 2022 Top Routinely Exploited Vulnerabilities. It is co-authored by the US Cybersecurity and Infrastructure Security Agency (CISA), US National Security Agency (NSA), US Federal Bureau of Investigation (FBI), Australian Signals Directorate's Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ), and the UK's National Cyber Security Centre (NCSC-UK). To reduce the risk of compromise by malicious cyber actors, the advisory strongly encourages vendors, designers, developers and end-user organizations to implement the recommendations found in its Mitigations section.
List of Top Routinely Exploited Vulnerabilities
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-208a
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a
F5 customers, please note that in the August 2nd QSN https://my.f5.com/manage/s/article/K12201527 F5 published seven vulnerabilities. Of the seven, 3 are of high severity and the remaining 4 are of medium severity. For more information please check K000135479: Overview of F5 vulnerabilities (August 2023) https://my.f5.com/manage/s/article/K000135479
The Play Store exploit seems like a very simple case to have thought about up front. In my role, as a community manager, this same functional "exploit" (for SPAM and SPAM-dexing) has been around, perhaps, since forever.
Thanks for reminding us all to have a #securityMindset.