Android vs iOS: Which is more secure?

Android and iOS represent the lion's share of the mobile operating system market, and while there's inherent risk with the use of any mobile device in the enterprise, Android presents a much bigger target for malware attacks and, in turn, corporate security issues.

With the massive growth of Android-powered devices in businesses over the past couple of years, companies need a strategy to minimize any risk the platform may pose, according to industry research firm J. Gold Associates.

"Even if you modify the look and feel of a messaging app, you may not know you've added a vulnerability," he said. "That's the problem with open code, you never know until you've tested it."

Conversely, Apple's iOS is much more restrictive with what developers can do and  Apple doesn't release its source code. That means, generally, that iPhones [and iPads] are harder to jailbreak than Android phones, Gold said, "because Apple puts all kinds of restrictions on them and they'll check you every now and then. And, if they find a phone is jailbroken, they'll shut you down.

"And, because Apple controls the hardware and the software, they have the ability to impose tighter security," Gold added.

In some ways, Android has also suffered from its success.

Android and iOS now account for 94% of the mobile operating system market worldwide, according to Forrester Research's just-released "Mobile, Smartphone, And Tablet Forecast, 2017 To 2022." Android is the dominant platform for smartphones, capturing 73% of the market with more than 1.8 billion subscribers in 2016, according to Forrester.

Android is expected to maintain the lead this year, according to Forrester, with 74% market share, followed by Apple with 21% and Windows Phone with just 4%.

"The truth is, when Android gets attacked, it tends to be more vulnerable because there are more devises out there and more people also hear about it," Gold said. "Android also has a problem in that the latest version of Android OS is generally a small portion of the base of devices in the marketplace. So, when upgrades are issued, not everyone gets them. Whereas, when Apple upgrades, everyone gets it."

Additionally, as enterprises develop more of their own custom applications -- many of them mobile apps as part of a mobile-first strategy -- in-house developers are increasingly at risk of unwittingly using open-source code rife with vulnerabilities.

  

Applications today are rarely coded from scratch, particularly when software is created outside a company's development and operations units. Developers typically go to online libraries for open-source components -- chunks of code that act as building blocks -- to assemble custom mobile apps. Not only can chunks of code be modified, but they can natively contain vulnerabilities.

Mobile threat detections double

According to Symantec's Internet Security Threat Report issued in April, overall threat detections on mobile devices doubled last year, resulting in 18.4 million mobile malware detections. Similar threats were seen in 2015, according to Symantec, with 5% of all devices being targeted for infection in each of the past two years.

According to Symantec, from 2014 through 2016 the level of iOS vulnerabilities remained fairly flat. And while new Android malware families dropped significantly, from 46 in 2014, to 18 in 2015 and just 4 in 2016, the OS remains the main focus for mobile attacks, Symantec noted.
The overall volume of malicious Android apps increased significantly in 2016, growing by 105%, but that was still smaller than in 2015, when the number of malicious apps increased by 152%.
Mobile malicious threats are grouped into "families," and "variants." Malware families are a collection of threats from the same or similar attack groups. In 2014, there were 277 malware families overall. That grew to 295 families in 2015 and 299 in 2016. So while the number of new families grew more slowly, the overall number of threats remained sizable.

 

The overall number of vulnerabilities doesn't tell the entire story, according to Gold."The number of malware variants that attempted to exploit these vulnerabilities is far more numerous," Gold said in a report he issued last year titled, "Android in the Business Environment: Is It Safe?"
Variants are modifications hackers make to malware, and they can number in the thousands, overall. For example, last year there were 59 variants of 18 new malware families, which translates into more than 1,000 new mobile malware variants, according to Symantec. Mobile malware variants per family increased by more than a quarter in 2016, slightly less than the 30% increase in 2015.

 

"It is a very significant problem. For bring-your-own-device organizations, they don't have a choice. It's not their device so they don't know if it has the latest OS," Gold said. "Some organizations do require if you have a device without the latest OS, you can't log into the corporate network, but that's rare."Because there were fewer new malware families in 2016, but a greater number of variants, Symantec deduced that attackers "are opting to refine and modify existing malware families and types rather than develop new and unique threat types."

iOS attacks occur, too

Those attacks included iOS.
While rare, three zero-day vulnerabilities in iOS were exploited in targeted attacks to infect phones with Pegasus malware in 2016. Pegasus is a spy software that can take over an iPhone and access messages, calls, and emails.
The Pegasus malware can also gather information from apps, including Gmail, Facebook, Skype, and WhatsApp, according to Symantec.
The attack worked by sending a link to the victim through a text message. If the victim clicked on the link then the phone was jailbroken, Pegasus could be injected onto it and start spying.
The vulnerabilities that allowed the Pegasus attack to take place included one in the Safari WebKit that allowed an attacker to compromise the device if a user clicked on a link, an information leak in the OS kernel, and an issue where kernel memory corruption could lead to a jailbreak, Symantec said.
Just one mobile device infected with malware can cost an organization on average $9,485, according to a report issued last year by the Ponemon Institute. The potential financial consequences if a hacker compromises an employee’s mobile device to steal their credentials and access sensitive and confidential company data can be larger; it costs an average of $21,042 to investigate, contain and remediate damage from such an attack.

 

Ponemon Institute/J. Gold Associates

A survey of 588 IT managers and IT security professionals by the Ponemon Institute relased in February 2016 revealed 67% of companies are either certain, very likely or likely to have had a security breach due to a mobile device.

Most attacks on mobile devices are related to hackers trying to steal confidential information,such as contact lists, trying to send text messages, or launching a denial of service attack. To date, ransomware attacks, where blackhat operators lock a device and require a "ransom" be paid to unlock it, have been far rarer, according to Gold. However, "I'd bet ransomware is coming to mobile devices in the near future. I can't imagine why it wouldn't."Think about what the average user has on their phone. If someone shut down your phone tomorrow, it would be a big problem," Gold said.

Android is making progress

Among new malware attack vectors, Android continues to be the most targeted mobile platform, according to Symantec.
A noteworthy change in 2016: Android surpassed iOS in terms of the number of mobile vulnerabilities reported, a stark contrast with previous years, "when iOS far outstripped Android in this area," Symantec said.
"This change may be partially attributed to continuing improvements in the security of the Android architecture and an ongoing interest by researchers in mobile platforms," the report noted.
"Following an explosive year in 2015," Symantec said, security improvements in Android's architecture "have made it increasingly difficult to infect mobile phones or to capitalize on successful infections."
William Stofega, IDC's program director for mobile phone research, agreed Google has made a concerted effort in recent years to take back control of its Android OS compared to its "wild west" early days, when anyone could change the source code.

Symantec

For example, Google now manages its source code to ensure app developers and smartphone manufacturers must go through Android compatibility testing.In addition, the upcoming release of Google's newest mobile OS, Android O, may not be as open as its predecessors.
"It's been implied that they're going to rebuild it and it won't be under public license, and they'll avoid disclosing source code," Stofega said. "It hasn't been implemented yet, but it would make it more difficult to break in.
"I still think there's been a lot of progress made -- not that it doesn't need additional progress," Stofega added.
Android smartphone and tablet manufacturers such as Samsung have also upped their security. For example, Samsung's Knox, a free containerization security app, enables greater separation between enterprise and personal data by creating a virtual Android environment within mobile devices -- complete with its own home screen -- as well as its own launcher, apps and widgets.
Knox creates a container so that only authorized personnel can access content within it. All files and data, such as email, contacts, and browsers are encrypted within the container.
Knox also allows end-users to securely add personal apps to the My Knox Container via Google Play. Once inside the container, the personal apps utilize the same security of Knox.
"A lot of this is about how you introduce something like Android into the enterprise," Stofega said.

A mobile malware strategy

As more companies adopt a "mobile first" business strategy, the most common solution to avoiding malware is relatively simple: keep the software on the devices regularly updated. Updating software to the latest platform helps address OS variants. Of course, while technically simple, all things are relative.
For organizations that have a BYOD policy, getting users to update their mobile OS is, at best, a struggle, Gold said as "it's not their device."
Even for enterprises that issue mobile devices, updating software can be arduous and spur pushback from users. But it's critical to regularly issue patches and platform updates.
"I've talked to IT managers, and users often don't want to update their software. A lot of folks just don't keep to the schedule. But it's terribly important," Stofega said.
Companies should also avoid a "mobile" security strategy, Gold said.
"They should have a security strategy and mobile should be a part of it," he explained. "If you're trying to do something unique for mobile devices, it may not necessarily fit in with everything else you're doing in the company. Whereas, if you have an overarching security policy, then you can do all you want in mobile to fit in with that overarching strategy."
For example, companies are beginning to roll out encryption on mobile devices to protect corporate data, yet many they don't have it on their desktops. Conversely, if a company has two-factor authentication on PCs in order to access a corporate application, such as SAP, they should also have it on mobile devices, Gold said.
"Optimize security first, and then figure out what you can do on each device. In some cases you can't have equivalence. Just do the best you can," he said.
Gold, Stofega and Symantec recommend companies keep the software on corporate-issued mobile devices up to date, and issue frequent notices to employees using their own hardware to do the same. And it's important to remind workers to refrain from downloading apps from unfamiliar sites and install apps only from trusted sources.
Symantec also recommends that IT admins pay close attention to the permissions requested by mobile apps, as it can indicate malicious behavior.
Additionally, companies that do issue mobile devices to employees should ensure that  Android devices are enhanced for corporate use. Google is addressing the needs of many business Android users by offering an enterprise-class upgrade known as Android at Work. The Android at Work mobile devices offer segmented workspaces and profiles to keep corporate and personal apps separate.
They also require companies to first deploy a set of enforcement tools on a mobile device, either through mobile device management or a wider-encompassing enterprise mobility management tool set, according to Gold.
Some new mobile malware has been identified as having rootkit capabilities, or modified OSes that can be used to gain administrative access to corporate systems. So enterprises should also install root detection software on mobile devices, or better yet, purchase mobile hardware already configured with root detection software.
"Essentially, this allows a way for any low-level code running the device to be pre-vetted so as to determine if it is genuine," Gold's report said. "It prevents the ability to root, or to substitute a corrupted OS that could then be used to boot the system."
Device manufacturers can also play a key role in making phones and tablets more secure. Some mobile vendors have been known to delay OS updates for months; that practice, according to Gold's report, should indicate to an enterprise that the vendor is an unacceptable hardware supplier.
Lastly, while adding security feature to mobile devices is recommended, it's not as useful as simply stick to good practices. Educating employees about best practices, such as not downloading apps they've not vetted or opening unexpected attachments in messages, is crucial.
"A lot of this is about getting users on your side," Gold said. "Dialogue with them and educate them on why security is necessary. There are a lot of practices users do that they shouldn't, but they simply don't know any better."

Read More

Pokemon GO Facts You’ve Gotta know Before You Go

Pokémon GO was released just a few days ago and is already taking the world by storm. The new game, created by Nintendo in partnership with Niantic, has made headlines all over the world. The experts are even talking about a new mania that is driving both the young and middle-aged crazy! In less than a week since its release in the United States, Pokémon GO is proving more addictive than Tinder and Snapchat, according to the official numbers, while an abundance of stories and crazy facts about the popular app are going viral. We’ve collected 25 Pokemon GO Facts that are making it the hottest thing at the moment. The real question is: Why bother searching for a date when you can say, “I choose you” to Pikachu? He’s probably cuter anyways! These are 25 Pokemon GO Facts You’ve Gotta know Before You Go.

 

Breaking All the Records

The First week of its release, Pokemon GO is already reported bigger than Tinder in the US. Nintendo’s valuation went up by $9 billion with all the press and mania over the release of Pokemon GO worldwide. Pokemon GO was installed more than twice the number of the android phone in the First week. As per the report from SimilarWeb, 62 percent of Android users in the US are playing the game everyday which also break the daily users record of social giant Twitter.

Making You Healthy

The Game uses the Geotagging so the player can catch Pokemons in Real World, this makes the Players get out of the office/home and walk around in the real world. Your character in the game walks and turns the same way you move. In the First week, we saw a lot of players complaining about the Sore Legs and posting funny stories about the game online. You might be lucky if you have a PokeStop and a Gym nearby but for hatching Pokemon eggs, the game requires you to walk a set distance to accomplish this goal.

A Profitable Side Business

After the Hugh Success, the trending Pokemon GO has led many business owners to either post warning signs on their properties or make a business out of the Lucky PokeStop. For example, there is a PokeStop at the Restaurant you might take an advantage of it and attract more Pokemon trainers at your location. There are also few cases where people have complained about trespassing their private property.

May Help Some Criminals to Commit Crimes

Being the Fun part that you have to explore the real world also makes it scary as there are savvy criminals who have already tried to take advantage of the new trend. You have to be careful where you are heading. Police officers in O’Fallon, Missouri, arrested four people suspected of using Pokemon GO to lead their victims to remote areas to 'catch' Pokemon characters and rob them. Be Careful and Stay Alert.

Fake Counterfeit Version

Pokemon Go has to be Launched for Australia, The United States, and New Zealand. If you happen to live outside these three then you'll be trying to download from some sources. We want to warn you about the Counterfeit Version of Pokemon GO are there online which contains malicious content that can damage your phone. Try to wait until July 15, when the game is expected to be released in Europe and Asia.

Reason behind Pokemon GO

According to its developers, Pokemon GO is destined to help people with anxiety, panic attacks, and depression. As the Game requires and forces people to physically get up and head outside to explore the new area, it encourages people with agoraphobia to leave their house, exercise and engage with other people.

Fun But Risky

While playing Pokemon GO, you need to track the nearby PokeStops, Gym, and sometimes places where Pokemon spawn, but getting people out of the house to play a video game can also be terrifying at times. The is a warning for those players who go into strange alleys finding for Pokemon. Reportedly, A girl searching for a Pokemon ended up finding a dead body. Be Alert.

Good for Young Americans

Americans have always think about distance in miles and in Pokemon GO you need to think in kilometers instead of miles. Gizmodo predicts that millions of young Americans will eventually learn the metric system all because of Pokemon GO, as it will force them to think in kilometers instead of miles.

Read More

Whatsapp Calling goes Official

The most awaited feature of Whatsapp has finally came and that is Whatsapp voice calling. There were users who were eager to avail this feature of Whatsapp and it has finally came. The latest voice calling feature has taken Whatsapp to another peak of success.

The Whatsapp voice calling is not different from Viber, Skype, Line or other services, but it has many more users than these. Therefore, there is a scope of using this feature by many users and many can interact with their circle using Whatsapp voice calling. Additionally, there must be many users who are not very much acquaint with the process of enabling this on their Smartphones. Therefore, today we are going to make you learn that, “How to Enable Whatsapp Voice Calling on Smartphone?” You need to apply these simple steps and then you’ll be able to start making voice calls to your Whatsapp friends; however, remember that your friend must have enabled the voice calling too. You can only make calls using Whatsapp ones you have enabled the voice calling both sides.

Learn-How to Enable Whatsapp Voice Calling

So, here are the steps which are supposed to followed in order to enable Whatsapp voice calling on your Smartphones. The steps are quiet simple yet hidden and today these are going to be revealed for you guys here. Now, without taking your time more, I would request you to get towards the below piece of content in order to get this feature for your accounts too.

1. First of all, get the latest version of Whatsapp on your Phone. The latest version is Version 2.12.16.

2. Once it is downloaded then install it on your Phone and then it’ll automatically add the voice calling feature to your account.

3. Now, you need to go to your Contacts and find a friend who has enabled this feature already, then you’ll see a Call button there. Simply tap on it and start making voice calls.

Conclusion

This was our simple guide which could be used to enable Whatsapp voice calling on your Smartphones. We are sure that this would have been proven helpful for many of you out there. If you have any queries or questions to ask then do let me know. We shall get back to your queries and questions as soon as possible.

Furthermore, if you have found this guide helpful and worth reading then do share it with your other friends and circle too. You may never know that your shares may be proven helpful for many of the users out there. So, keep sharing and liking our content over social media in order to keep helping people in your circle.

Read More

Airtel Free TCP VPN Trick for Free Net in Mobile/PC[April]

Hope you enjoying well, Today we going to give you a new trick of AirTel 3G TCP vpn configs of April 2015 for free net/Gprs in your mobile and computer.This TCP trick working fine in many states and also giving 3G speeds so no need to very so read full post to know how you use it Free. 

There is so many days left we does not post any airtel trick so we decided to post new again.Because you know airtel is our favorite network for free net.

                    

So let's start...

Requirement For this AirTel 3G Tcp Vpn Trick 

1. AirTel 3G/2G Enabled Sim card.
2. Nmdvpn Client (download from here).
3. PC or MOBILE.

If you have all basic requirements which above listed,then you are ready to go for next steps.And i hope you have every thing.

Now most important thing ,Now download config file from below link First.

** Download AirTel Tcp Config File 4m Here*** 

Now i Hope you downloaded above file form datafile host link.Now  you are ready to move next step.Now choose you pc user or mobile user ,means on which medium you are going to use it and choose those medium and follow the steps.

For PC Users:

1.Connect your system with modem/Mobile with APN airtelgprs.com

2.Download The Attachment ofAirtel Tcp 3G Vpn Trick (if downloaded all ready then go to next step).

2.Install Nmdvpn and Put configs(or exact) Here (C:\Program Files\NMDVPN\config) in your system location

3.Windows 7 and Windows 8 Users RUN NMD VPN as the Administrator.

4.Just Connect given server and Enjoy.

And if you have not a PC/Computer  Then you can also enjoy free net in your android mobiles.

For Mobile users:  

Android mobile use can also use these airtel tcp 3G Trick configs  with their android devices just you need to follow these simple steps :

1. Download and extract config in SD card.
2. Go to Google Play Store Search for open vpn for android. Or Click Here
3. Install Open Vpn in you android device.
4. Add airtel tcp 3G Vpn Config to open Vpn folder.
5. when it ask user name password (see earticleblog txt file in attachment) enter it.
6. Run and Enjoy  :) 

Hope you follow all process and enjoyed this trick.

Note- Do't try at higher balnce your balnce got deducted.Use it at 0 rs balnce.

Read More

Help Your Friend, Report Suicidal Post in Facebook now.

A few ago, in order make its product more helpful, Facebook updated its tool to report suicidal post. Facebook claims that this tool will make it easy to report a person if he is having any kind of suicidal tendency. You can report a friend’s suicidal post and that friend will be provided help using different measures.

Today, I am going to tell you how to report suicidal posts on Facebook.

Step 1: Click on the arrow in top right corner of the post and then click on “I don’t like this post.”

 

Step 2: Now click on “I think it shouldn’t be on Facebook” and continue.

Step 3: Select  “It’s hurtful, threatening or suicidal” and continue.

Step 4: Now select “I think they might hurt themselves.”

Step 5: Now Facebook will give you different options to reach to your friend who is having some suicidal tendency. This option may vary in number depending upon the services provided in your region. I am getting only 3 here, but for some of you options like “Chat with the trained helper” or “Call lifeline”

Read More

Whatsapp Releasing New Update to Disable Blue Ticks: How to Disable Blue Ticks Right Now?

At the start of this month, Whatsapp added a new feature of Reading Receipts. One grey tick meant that the message has been sent, two grey ticks meant that the message has been delivered and two blue ticks meant that the message has been read by the recipient. The new Whatsapp feature of reading receipts was a welcome feature for many people, but it was a nightmare for some. I personally found the feature helpful and I was already loving similar feature on Hike and BBM.

Now Whatsapp is rolling out an update to give its users the choice to disable this feature. Read this post to know how to disable blue ticks right now.

Whastapp was on the receiving end on many online forums where people blamed this feature for jeopardising their relationships and some even claimed the instances of divorce due to divorce. Some people may fail to understand the concern, but this surely is an important factor if you are ignoring someone.

Now Whatsapp has addressed this issue and is working on a new update. This update features the option to disable the blue tick (reading receipts) on your phone. Right now this update is unavailable on mobile app store platforms but Whatsapp has released the updated version of app on their website. You need to manually download the application and install the Whatsapp apk file. The available version of Whatsapp on Google Play store is 2.11.432 but the update version available on the website is 2.11.452.

Updated version 2.11.452 installed on my device

How to get the update right now? 

• Go to the Whatsapp website and download the apk file.

• Once downloaded, transfer the file to your phone.

• Open the apk file from your file browser app and click on the file.

• After completing the installation, go to settings menu un Whatsapp and then proceed to privacy option.

• Here you will see the Read Receipts option already checked.

• Now uncheck this option to disable the blue tick.

Read Receipts option in privacy settings

Right now this update is only available for Android users via apk download. It is not known when the full update will be pushed out to all users, or when other platforms including iOS and BlackBerry will see the changes.

Read More

How Can We Protect Our Website By Common Web Attacks?

How Can We Protect Our Website By Common Web Attacks ?

 

On this post i am telling about five types of common web attacks, which are used in most types of defacements or dumps of databases.
Following five exploits are listed SQL injection, XSS, RCE, RFI, and LFI. Most of the time, we missed out some website code tags. So that our website gets attack and allows the hacker for hijack the vulnerable website.

1. SQL Injection
       
Types ->

     Login Form Bypassing
     UNION SQL Injection

2. Cross Site Scripting ( XSS )

Types -> Cross Site Request Forgery

3: File Inclusion

Types -> Remote File Inclusion and Remote Code Execution


1. SQL Injection
>> Login Form Bypassing
Here is an example of the vulnerable code that we can bypass very easily:

    index.html file:
    <form action="login.php" method="POST" />
    <p>Password: <input type="text" name="pass" /><br />
    <input type="submit" value="Authenticate" /></p>
    </form>
    login.php file:
    <?php
    // EXAMPLE CODE
    $execute = "SELECT * from database WHERE password = '{$_POST['pass'])";
    $result = mysql_query($execute);
    ?>

We can simply bypass this by using ' or '1=1', which will execute "password = ''or '1=1'';".

Alternatively, the user can also delete the database by executing "' drop table database; --".


>> PREVENTION:

Use mysql_real_escape_string in your php code.

Example:

    <?php
    $badword = "' OR 1 '";
    $badword = mysql_real_escape_string($badword);
    $message = "SELECT * from database WHERE password = "'$badword'";
    echo "Blocked " . $message . ";
    ?>

>> UNION SQL Injection

UNION SQL injection is when the user uses the UNION command. The user checks for the vulnerability by adding a tick to the end of a ".php?id=" file.
If it comes back with a MySQL error, the site is most likely vulnerable to UNION SQL injection. They proceed to use ORDER BY to find the columns, and at the end, they use the UNION ALL SELECT command. An example is shown below.

http://www.site.com/website.php?id=1'

You have an error in your SQL syntax near '' at line 1 SELECT SUM(quantity)
as type FROM orders where (status='completed' OR status='confirmed' OR status='pending') AND user_id=1'


No error--> http://www.site.com/website.php?id=1 ORDER BY 1-- 

Two columns, and it comes back with an error! This means that there is one column.
 http://www.site.com/website.php?id=1 ORDER BY 2--


Selects the all the columns and executes the version() command on the only column.
http://www.site.com/website.php?id=-1 UNION SELECT ALL version()--



SOLUTION:

Add something like below to prevent UNION SQL injection.

    $evil = "(delete)|(update)|(union)|(insert)|(drop)|(http)|(--)|(/*)|(select)";
    $patch = eregi_replace($evil, "", $patch);



2. Cross Site Scripting

Cross site scripting is a type of vulnerability used by hackers to inject code into vulnerable web pages. If the site is vulnerable to cross site scripting, most likely users will try to inject the site with malicious javascript or try to scam users by creating a form where users have to type their information in.

There are two types of XSS (cross site scripting) are persistent XSS and non-persistent XSS.


Example:
http://www.site.com/search.php?q=">


SOLUTION

        function RemoveBad(strTemp) {
            strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g,"");
            return strTemp;
        }



3. File Inclusion
Types: Remote File Inclusion/Local File Inclusion, and Remote Code Execution

Remote File Inclusion allows a hacker to include a remote file through a script (usually PHP). This code is mostly patched on websites, but some websites are still vulnerable to the vulnerability. RFI usually leads to remote code execution or javascript execution.

Example of the vulnerable code:

    <?php
    include($_GET['page']);
    ?>

Exploiting would be something like as follows:
http://www.site.com/page.php?page=../../../../../etc/passwd or
http://www.site.com/page.php?page=http://www.site.com/xyz.txt?

SOLUTION:

    Validate the input.
    $page = $_GET['page'];
    $allowed = array('index.php', 'games.php' 'ip.php');
    $iplogger = ('ip.php');
    if (in_array $page, $pages)) {
    include $page {
    else
    {
    include $iplogger
    die("IP logged.");
    }


For remote code execution, the site would have to have a php executing command. You would patch this by about doing the same thing.

 Note: I hope this post will helpful for your website to get secure from above types of attacks.

Read More