Cyber Security Today, Sept. 2, 2022 – Hundreds of insecure mobile apps found, guidance for securely creating software and an uproar over American police cellphone tracking


Hundreds of insecure mobile apps found, guidance for securely creating software and an uproar over American police cellphone tracking.

Welcome to Cyber Security Today. It’s Friday September 2nd, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for


Just over 1,800 poorly-created mobile apps for the iPhone/iPad and Android platforms have been discovered by security researchers. The problem: Almost three-quarters of the apps included valid tokens that allowed access to Amazon AWS servers. And many had tokens that would also have given full access to millions of private files held in Amazon S3 storage buckets. The tokens were buried in the code of the apps and could have been found and exploited by hackers. The victims would have been companies the developers were creating the apps for. In one case over 300,000 digital fingerprints were leaked by five mobile banking apps. The IT infrastructure of 16 online gambling apps was also open to being hacked.

Researchers at Symantec, who made the discovery, believe these hard-coded access keys were inadvertently added to the apps by developers who inserted what they thought were trusted components into their software code. Or they may have needed to use a hard-coded access key for a function but forgot to time-limit the key for security. Mistakes like this can be avoided if software developers use security scanning tools before finally releasing an application. If a company uses an outsourced provider, the developer should have to submit a mobile app report card showing how the app was tested. It’s vital that third-party software development kits and frameworks be examined before being included in applications.
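A minimal sketch of the kind of pre-release scan described above, added here as an illustration and not taken from Symantec's research or any named tool. It assumes the app package is a zip archive (as Android APK and iOS IPA files are) and looks for the AWS access key ID format; the function names, file names and sample package are constructed for the example.

```python
import io
import re
import zipfile

# AWS access key IDs are 20 characters: a 4-letter prefix followed by 16
# uppercase letters or digits. AKIA marks a long-term IAM user key, ASIA a
# temporary (time-limited) STS key.
KEY_ID = re.compile(rb"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
KIND = {b"AKIA": "long-term", b"ASIA": "temporary"}


def scan_app_archive(data: bytes):
    """Return sorted (entry, kind, redacted key ID) tuples found in a zip package."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        for info in package.infolist():
            if info.is_dir():
                continue
            # Match on raw bytes so compiled and text entries are both covered.
            for match in KEY_ID.finditer(package.read(info)):
                key_id = match.group(0).decode("ascii")
                redacted = key_id[:4] + "..." + key_id[-4:]  # never log the full ID
                findings.add((info.filename, KIND[match.group(1)], redacted))
    return sorted(findings)


def release_ok(data: bytes) -> bool:
    """Release gate: any embedded key ID, even a temporary one, blocks the build."""
    return not scan_app_archive(data)


def build_sample_package() -> bytes:
    """Constructed sample package; file names and key values are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        # AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation.
        package.writestr("assets/config.json", '{"accessKey": "AKIAIOSFODNN7EXAMPLE"}')
        package.writestr("lib/sdk.properties", "aws.key=ASIAEXAMPLEEXAMPLE12\n")
        package.writestr("res/notes.txt", "AKIATOOSHORT is not a key ID\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, kind, key_id in scan_app_archive(build_sample_package()):
        print(f"{entry}: {kind} AWS access key ID {key_id}")
```

A key ID found this way should be treated as exposed and rotated, since removing it from the next build does not pull it out of copies already shipped.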

This and other kinds of software supply chain problems can be limited if developers follow guidance released this week by the U.S. National Security Agency and the Cybersecurity and Infrastructure Security Agency. The 64-page guidance lists best practices for securely creating applications, verifying third-party components they include and hardening an app to prove it hasn’t been tampered with.

Instagram users are being suckered into giving away their passwords and personal information. How? They are falling for an offer to have their profile verified with a blue checkmark badge. That’s a sign beside their name that shows the person doing the posting is the real John Smith and not an impersonator. The victim thinks the offer comes from Instagram and clicks a link to fill in the attached form. However, researchers at Vade Secure point out the email of the sender and grammatical errors show this is a scam. Neither Instagram nor Facebook will contact users for creating a blue badge. People have to apply.

Finally, police in nearly 24 American jurisdictions have been using a cellphone tracking tool allowing them to create a history of people’s movements. Sometimes, according to the Associated Press, police don’t get a search warrant to access the location data. That’s because the data is captured by cellphone apps like Waze, Starbucks and others and sold by them to a company called Fog Data Science. That company calls the data ‘advertising identification numbers’ that are put on individuals’ smartphones by these mobile apps. That’s different, the company says, from the ID numbers assigned by cellphone carriers when you buy a phone. The implication is this isn’t a violation of people’s rights under the U.S. Constitution because they knowingly install apps on their phones. It isn’t clear if that’s true, or if this violates state privacy laws. It isn’t known if police in Canada use this service.

The Electronic Frontier Foundation also released a report on this. It notes that while the so-called advertising identification data that police scan doesn’t have a device user’s name or address, that can be figured out by following the data that shows a device regularly stops at a residence at night.

Later today the Week in Review edition will be out. Guest commentator Terry Cutler of Montreal’s Cyology Labs will talk about women in cybersecurity and more.

Links to details about podcast stories are in the text version at

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, Sept. 2, 2022 – Hundreds of insecure mobile apps found, guidance for securely creating software and an uproar over American police cellphone tracking first appeared on IT World Canada.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
