You'd think all those celeb photo leaks would have them on the defensive, but they're complacent as ever.
As long as sales are good they'll not worry too much.
Apple has downplayed the Masque iOS security threat, saying no one has actually been affected by the security vulnerability. The Masque Attack opened by the security shortcoming creates a way for attackers to replace genuine iOS apps with malicious doppelgängers, as previously reported. Security firm FireEye warned about the …
doesn't know how to find out if he has picked up malicious software, it doesn't mean that no fruity machines have been taken over by this dastardly piece of evilness. 90% of the population, having had their bank accounts, email accounts, their facebooks etc. taken over, wouldn't know whether it was the result of dodgy software on their phone, the result of a phishing attack on their desktop or the wife's dog having messed around with the bitch on heat 3 doors away.
How can Apple continue to be so complacent about their security after so many fails in the past couple of years?
"Nobody has been affected yet? Oh well that's alright then..."
Yeah, but don't forget:
> We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software
Users are warned.
So that's definitely alright, then.
Which they did in this case, quite quickly. They could further close the loop in two ways:
1) when the enterprise certificate is pulled, ALL software signed by it is deactivated on ALL iOS devices (pain in the ass if a corp's legitimate certificate is stolen, but that would provide strong incentive to take very good care of it!)
2) have a certificate associated with each app (if there isn't already one) that iOS can check when it is updated - that way there's no way to fake the bundle ID of a legitimate app and get access to that app's private data
FireEye's guide to prevention in the meantime...
'iOS users can protect themselves from Masque Attacks by following three steps:
Don’t install apps from third-party sources other than Apple’s official App Store or the user’s own organization.
Don’t click “Install” on a pop-up from a third-party web page, no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker.
When opening an app, if iOS shows an alert with “Untrusted App Developer”, click on “Don’t Trust” and uninstall the app immediately.'
As it stands, I would not want a jailbroken device in my hands... potential minefield approaching
You have to admit, they're consistent:
we went from "you're holding it wrong" when the reception sucked,
to "you're storing it wrong" when it bent while in people's pockets,
and now "your security expectations are wrong" from people who actually expect a minimum of security.
I can only wonder what their next attempt to blame everyone but themselves will be.
Historically, what Apple would do to make sure their products are free from flaws, is scour their forums for any mention of a defect, remove those posts, then remove the posts wondering why the first posts were removed. Problem solved, then they can say there's no mention of a problem, so it probably doesn't exist.
"WireLurker claimed a small number of victims (principally in China), according to Kaspersky Lab, a finding that runs contrary to Apple's assurance that nobody has been hit."
Well, I suppose the IPhones in China are black market, the owners are therefore unpersons and do not count.
Seriously, Apple, if you want people to take your products seriously, you must take security seriously.
Okay, let's say I click through all the necessary links and dialogs to allow a "malicious" app to be installed, then I run it.
Apps are still sandboxed. So what is this "malicious" app going to do to me?
Maybe it can get my GPS coordinates, or my contact list. After I agree to more dialog boxes. (Unlikely.) It's not the end of the world.
It'll have to ask your permission to get your location, or access your contacts, so the danger there really isn't any more than with any other app.
It sounds like the main danger is accessing private app data by masquerading as another app. i.e. if it uses the same ID as Facebook, it could get access to your Facebook password and cached data. If it uses the same ID as your email app, it can get your email password and cached email (and of course login as you to get ALL your email)
So it is really more of a targeted attack that could go after say a popular banking app that stores a bit too much private data on the phone. So if you are able to access your bank account with a "convenient" app that has saved your login/password, that info isn't quite as safe as you might have thought (though you still have to approve installation of an app using some weird enterprise certificate, so it requires a certain level of naivete on the part of the target)
Apple may be ignoring it a bit too much, but the fandroids are acting like the sky is falling when this is nothing compared to some of the real malware Android has faced even from the Play store, let alone from third party app stores like this attack relies upon.
"It sounds like the main danger is accessing private app data by masquerading as another app. i.e. if it uses the same ID as Facebook, it could get access to your Facebook password and cached data."
Not sure what you mean by "using the same ID."
I guess somebody could make an app that *looks* like the Facebook app, with a similar login prompt, and thus try to trick you into typing in your user name/password...
My understanding is that each app has a unique ID associated with it. If someone can trick an iOS user to installing an app from an untrusted app developer, it can be called whatever it likes, but if it uses Facebook's ID it gets access to Facebook's private data. It doesn't have to fool you into thinking it is Facebook, if you start the app it could get access to the Facebook app's private data and immediately upload it all.
Of course most of us say "who cares" about Facebook, this would be more of a problem with an app like Mail+, which I use to make an OWA connection to read business email (I use it instead of Apple's Mail app because I do NOT want my phone to be "managed" by someone else who can change security measures like making my lock screen timeout 2 minutes, and be able to remotely wipe my device!)
Maybe I'm wrong and it has to claim to BE Facebook, which raises the bar, but the basic attack mechanism remains the same.
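The two ideas in this thread worth seeing as code are the per-app certificate check proposed earlier (reject an "update" whose bundle ID matches an installed app but whose signer differs) and the bundle ID collision just described. The following is an added, simplified model written for this page, not Apple's or FireEye's code and not how iOS actually implements its checks; the bundle IDs, team IDs and app names are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SignedApp:
    """An app package as seen at install time (constructed model, not iOS's real metadata)."""
    bundle_id: str   # identifier the sandbox keys private data on, e.g. "com.example.mail"
    team_id: str     # signing identity (developer/enterprise team) the package was signed by
    profile: str     # "appstore" or "enterprise" (where the provisioning came from)
    name: str        # display name; irrelevant to the check, which is the point


class AppRegistry:
    """Records the signer of every installed bundle ID and enforces it on update."""

    def __init__(self):
        self._installed = {}  # bundle_id -> SignedApp

    def install(self, app: SignedApp) -> str:
        existing = self._installed.get(app.bundle_id)
        if existing is None:
            self._installed[app.bundle_id] = app
            return "installed"
        # The proposed loop-closer: an update may only replace an app if it is
        # signed by the same team as the app already holding that bundle ID.
        if existing.team_id != app.team_id:
            return "rejected: signer mismatch for existing bundle id"
        self._installed[app.bundle_id] = app
        return "updated"

    def installed(self) -> dict:
        return dict(self._installed)


def audit_for_masquerade(installed: dict, store_bundle_ids: set) -> list:
    """Defensive audit: enterprise-signed apps that occupy a bundle ID known to belong
    to an App Store app are exactly the shape of the replacement the thread describes.
    Returns the suspicious bundle IDs, sorted."""
    suspicious = []
    for bundle_id, app in installed.items():
        if app.profile == "enterprise" and bundle_id in store_bundle_ids:
            suspicious.append(bundle_id)
    return sorted(suspicious)


def demo():
    # Constructed sample data: a legitimate store app and a lookalike signed by
    # an unrelated enterprise team using the same bundle ID.
    store_mail = SignedApp("com.example.mail", "TEAMSTORE01", "appstore", "Mail")
    lookalike = SignedApp("com.example.mail", "TEAMENTR99", "enterprise", "Mail")
    legit_update = SignedApp("com.example.mail", "TEAMSTORE01", "appstore", "Mail")

    strict = AppRegistry()
    results = [strict.install(store_mail), strict.install(lookalike), strict.install(legit_update)]

    # A registry without the signer check, to show what the audit would catch after the fact.
    naive = {store_mail.bundle_id: lookalike}
    flagged = audit_for_masquerade(naive, {"com.example.mail", "com.example.social"})
    return results, flagged


if __name__ == "__main__":
    print(demo())
```

The model deliberately ignores the app's display name: the collision is on the bundle ID, so a lookalike need not convince the user of anything once it has been installed, which is why the check belongs on the signer rather than on what the user sees.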
I love how my post is attracting a bunch of downvotes but no explanation of how a "malicious" iOS app is going to harm me.
I can only imagine how many people were overwhelmed with schadenfreude to hear about a security flaw with Apple's stuff, and then crushed to realize that it's not really that big a deal because of Apple's other security measures. Sorry guys, Apple's software really is quite good. I know it's a big disappointment.
Are you serious?
You install your favourite, legitimate app to backup your contacts to cloud storage. It therefore has permissions to read your contacts and to access the internet. Of course, it does exactly what you want.
Mr Nasty now replaces that app with one that looks exactly the same. It has the same permissions as the app it replaced so it now slurps up all of your contacts and copies them to www.badstuff.com.
The continued arrogant complacency of Apple apologists is sickening.
There are a lot of Apple haters everywhere. Hard not to be whilst they continue to lie and treat their customers with such contempt. In a recent hackathon, iOS vs Android vs Windows, guess which one fell first? Yep, iOS, as usual, and as usual, via Safari. If they were humble and honest, it might be different but they are arrogant, complacent, dishonest and sneering - actually, sums up a sizable portion of their user base too.
Biting the hand that feeds IT © 1998–2022