“The new Android malware disguises itself in fully functional copies of apps, including ―Angry Birds Space,∥ and hides its malicious payload in the string of code at the end of an otherwise genuine JPEG file, Lookout said. This rogue code exploits the GingerBreak vulnerability, a flaw that enables it to gain control of the phone and trick the victim into purchasing apps from illegitimate app stores.”

It looks like Android developers need to start paying more attention to security in general now that Android has exceeded 50% market share in the US market. While this vulnerability isn’t something that is directly addressable with Insight at the moment, but it reminds us that we need to start focusing more on mobile. Since Android development is Java-based, you can immediately benefit from downloading Nexus Professional 2.0 today and making sure that all of your application dependencies are free of known vulnerabilities.

Note: This post references our Security Feed. We maintain a feed of security stories relevant to developers which is isolated from our main blog feed. If you are interested in getting the full feed, read it here.

Penetration testing experts use a tool like Havij: An Advanced SQL Injection Tool. It’s a nice friendly GUI designed to make it easy to “own” an application. Point, click, and compromise. Well, even though the project itself has nothing to do with evil, Cybercriminals are having a love affair with Havij.

My advice: download this tool and get to know it. Start your own love affair with Havij before the bad guys start throwing errant quotes into your form fields. Also don’t think that enterprise languages like Java or .NET are invulnerable to SQL injection attacks. To avoid these attacks, here’s some quick advice:

• Never trust input directly from an HTTP parameter.
• Use some web framework like Tapestry, GWT, or Struts, and make sure that all user input passes through whatever mechanism it is using for input processing and validation. It is very likely that the framework is built to resist SQL injection.
• Use a good ORM or persistence library like iBatis or Hibernate. Again these are just more layers to make sure that your input isn’t going straight into a SQL statement.
• Use Nexus 2.0 Repository Health Check to make sure that your web frameworks and persistence frameworks are up to date.

Note: This post references our Security Feed. We maintain a feed of security stories relevant to developers which is isolated from our main blog feed. If you are interested in getting the full feed, read it here.

This Ars Technica article captures a new term: “Forever Day”. Software and hardware developers that identify vulnerabilities but fail to fix them. Maybe a product is reaching end-of-life, or maybe no one is paying attention. Here’s a quote from the article that resonates with some of what we’ve been saying about application security:

“They’re just not going to get patched,” said Terry McCorkle, an independent security researcher who specializes in ICS devices used to control equipment on factory floors, dams, and in other industrial settings. “The big question is how many of their clients are actually set up to take those advisories and take action upon them?”

We mentioned this last week: unless you pay attention to security, you are essentially living with “Forever Day” exploits in production. The alternative would be to start paying attention, Download Nexus Professional 2.0, and keep track of known vulnerabilities.

Note: This post references our Security Feed. We maintain a feed of security stories relevant to developers which is isolated from our main blog feed. If you are interested in getting the full feed, read it here.

In case you missed it there is a vulnerability in Apple’s version of Java that is fueling the rise of what people are calling the Flashback botnet. According to this Computerworld article, this OSX Flashback botnet is at least 600,000 computers strong and the latest variants of the attack “do not require user intervention”. The advice to fix this Mac vulnerability? Last week a Register article stated that “F-Secure advises users to disable Java, which is not needed to visit the vast majority of Web sites, on their Mac.” Right….. disable Java. Something tells me that’s not effective advice for this developer audience.

If you want to protect yourself, follow Apple’s instructions and upgrade Java. If you are running OSX Leopard or earlier, you are out of luck and you should probably either disable Java or upgrade (really, isn’t it time for an upgrade anyway?). This upgrade from Apple will also remove installed malware if you’ve been compromised. Conclusion: Java developers, all of your OSX machines are belong to Flashback. Upgrade now.

Note: This post references our Security Feed. We maintain a feed of security stories relevant to developers which is isolated from our main blog feed. If you are interested in getting the full feed, read it here.