May 27, 2020

Open source libraries a big source of application security flaws

By John E Dunn

How many vulnerabilities lurk inside the bazillions of open source libraries that today’s developers happily borrow to build their applications?

Predictably, the answer is a lot, at least according to application security company Veracode, which decided to scan 85,000 applications to see how many flaws it could turn up in the 351,000 libraries used by them.

All told, around seven in ten applications had a security vulnerability traceable to one or more of those libraries, which might come as a shock to the developers who thought they were getting something for free.

Read more at https://nakedsecurity.sophos.com/2020/05/27/open-source-libraries-a-big-source-of-application-security-flaws/

Google may soon add end-to-end encryption for RCS

By Lisa Vaas

Make room, WhatsApp, iMessage, Signal, Telegram and all you other end-to-end encrypted messaging services – Google’s getting closer to elbowing its way onto the stage with its Google Messages.

Heaven knows when or even if it will happen, but 9to5Google has analyzed the source code of the latest update to Google Messages and found a slew of clues that strongly suggest that Google’s finally planning to add e2ee to the chat app’s rich communication services (RCS).

What is RCS and why should you care?

The RCS protocol – popularly known as Chat – is the successor to SMS messaging and does what most other texting services do, but without the end-to-end encryption of apps like Signal, et al. In December 2019, Digital Trends did a nice, deep dive into the protocol, explaining why it’s been developed by mobile phone manufacturers, carriers and the cell phone industry’s governing agencies, as well as why we’re all going to love it way more than the blah SMS texting we now have.

Here’s Digital Trends’ pithy explanation of the blah we’ve been putting up with since texting debuted:

Let’s face it: Text messages as we’ve known them throughout history (i.e., since the 1990s) are tired. They don’t support read receipts, group messaging, or the animated stickers your pals trade on apps like Facebook Messenger, WhatsApp, and WeChat. They rely on a cellular connection—which is restricted to places with a signal—and they stop you at 160 characters.

RCS, or Chat, on the other hand, allows group chats, video, audio, and high-resolution images. It already has much of the look, feel and functionality of rich messaging apps, such as iMessage. It also offers read receipts and enables users to see, in real-time, when somebody’s typing a reply to your message. You might already have it in the phone you’re now using.

Read more at https://nakedsecurity.sophos.com/2020/05/27/google-may-soon-add-end-to-end-encryption-for-rcs/

New iPhone jailbreak released

By Paul Ducklin

Apple’s latest iOS versions have only been out for a week.

The updates are new enough that Apple’s own Security updates page still lists [2020-05-26T14:00Z] the security holes that were fixed in iOS 13.5 and iOS 12.4.7 as “details available soon”.

But there’s a jailbreak available already for iOS 13.5, released by a group known as Unc0ver.

Proceed with care

Jailbreaking, as we have said before, can be a risky business, because in the process of jailbreaking you’re actively and deliberately exploiting a security vulnerability that wasn’t supposed to be there in the first place.

As appealing as it sounds to “escape” from Apple’s walled garden, jailbreaking is not for the faint-hearted, because it can leave you exposed to more dangers than before.

In fact, the only cases we know of where iPhone worms have been able to spread from device to device by themselves have been on jailbroken phones, where applying the jailbreak inadvertently opened up devices to remote connections that were blocked before.

Read more at https://nakedsecurity.sophos.com/2020/05/26/new-iphone-jailbreak-released/

Internet giants unite to stop warrantless snooping on web histories

By Lisa Vaas

Earlier this month, the US Senate narrowly voted to renew warrantless collection of Americans’ web-browsing histories.

This week, the US House of Representatives is expected to consider the act that reauthorizes that warrantless data collection: the USA Freedom Reauthorization Act. The House already passed the reauthorization act, sent it to the Senate, and will this week consider the Senate’s tweaks before sending it to President Trump for his signature.

On Friday, leading up to the House’s vote later this week, a group of seven internet companies and organizations suggested that legislators just might want to rethink the legislation’s disregard for Americans’ privacy.

The group includes Mozilla, Engine, Reddit, Reform Government Surveillance, Twitter, i2Coalition, and Patreon. They’re asking legislators to amend the bill in order to limit government access to internet browsing and search history without a warrant.

They wouldn’t have had to put together a plea to protect Americans’ online privacy if an amendment to the bill had passed in the Senate. Unfortunately, it didn’t: the amendment to curtail warrantless web history search missed passage by only one vote when four senators didn’t show up for the Senate’s vote.

Read more at https://nakedsecurity.sophos.com/2020/05/26/internet-giants-unite-to-stop-warrantless-snooping-on-web-histories/
