Urban75 Home About Offline BrixtonBuzz Contact

Apple iPhone and related items (cont.)

Well he did create and upload to the store an app that bybassed security and could transmit user data to his private server. That's against the T&C's. Not very clever really.
 
There's a whole submitting your app process, where the developer could quite easily have pointed it out/raised awareness.
 
editor said:
How else could he proved that the flaw existed?
Click to expand...
There is an accepted way of doing this that usually involves telling the company about the flaw, waiting 30 days, then announcing the flaw to the press. What this chap did is not the way to go about things.
 
Charlie Miller, a longtime Mac hacker, has earned himself a bit of notoriety this week by revealing a security hole in iOS and losing his Apple Developer Program license in the process. He managed to identify an exception introduced from iOS 4.3 onwards that allows the browser to run unsigned code in memory, which he then expanded to include other apps, thereby skipping the code-signing check that is fundamental to iOS security. The result, as demonstrated in the video below, is that seemingly benign apps can make use of that exception to download and run unchecked and unauthorized code through the system. ..

Needless to say, this is a pretty major vulnerability in the typically ironclad App Store defenses, and Charlie's decided to keep the particulars of the flaw under wraps until the SyScan conference in Taipei in order to give Apple time to patch the problem. The first response from Cupertino, however, has been to yank Charlie's app from the App Store — understandable, since it is a form of malware — and his name from its Developer Program. The latter move is likely motivated by the fact Charlie opted to publish his findings in app form (and thereby clearly breaking Apple's rules for developers), but it still strikes us as draconian when the man's trying to alert Apple to the problem instead of exploiting it for his own gain.
http://www.theverge.com/2011/11/8/2...-an-ios-app-vulnerability-loses-his-developer
Click to expand...

The app contained no malicious code, btw.
 
elbows said:
Apple take security flaws seriously.
Click to expand...

They take bad PR seriously.

They don't appear to take security so seriously (a bit like most of their traditional customer base). They make M$ security look competent these days.

For example, they didn't revoke the DigiNotar Root CA compromised certificates in OSX for 10 days (when others revoked them pretty much immediately). They didn't revoke them in iOS for over 6 weeks. Mozilla and M$ revoked them within 24 hours.

Holes have festered in OSX for months, when the patches, to what are at their core open source packages, have long since been produced by others (cache poisoning holes in BIND, CVE-2008-1447, buffer overflows in CUPS, CVE-2009-0163, are but two that come to mind).

They've created their own holes (or re-introduced old ones) - for example the recent LDAP authentication debacle in Lion, CVE-2011-3435 (which only took them some 6 weeks to fix - what ever happened to QA testing before throwing these things out the door?).

Apache's CVE-2011-3192 is another. 7 weeks to fix when solutions were available in hours, the 'official' fix release in 14 days.

It would appear that they dropped the security ball some time ago. Probably about the time that Apple Computer Inc., became Apple Inc. and decided to focus on the shiny, shiny phones (and then tablets).
 
Well perhaps they have become somewhat complacent due to a lack of malware targeting their systems. Perhaps they will learn the hard way, perhaps its not much of an issue in the wild.
 
I have a 2year-old 3GS and want to sell it for a 4 or 4s. With view to having a phone for a year, until the 5 comes out, I'm guessing my best option is to get a black 16gb 4S sim free from Apple (499pound) - because I can't see a 16gb 4 on the Apple site? - and shove in a giffgaff sim...unless Orange, who have better 3G coverage are doing a better deal? I'm a valued o2 customer if that helps, but given their charging for data coverage, I hope to leave unless customers know how I can bag 1gb/unlimited data allowance with a new phone.
 
Kid_Eternity said:
How would they do that if the guy that discovered it could just go public anyway? :confused:
Click to expand...

If he spelled the security issue out to them, assuming the penny dropped, then they could claim they would have vetted the app and not permitted it in the iOS app store.

But they didn't. He submitted his app to them. Apple approved it and put it in the store.

They let it in. Which really was the point of the exercise.

It gets more interesting though.

It appears he actually did notify Apple of the iOS security flaw that the app itself exploited back on 14th October (he mentions this on his twitter account and it's reported in coverage of the story by various news outlets)...
 
Seriously when you have reams of coverage for a battery issue that doesn't even affect 1% of owners anything negative about Apple security would be leapt on.
 
RaverDrew said:
New iOS 5.0.1 Update ‘Nothing Short of Amazing’
Click to expand...
...said some Wired reader.

Apparently the phone now defies the laws of physics:

“Frankly the difference is nothing short of amazing,” said Wired reader Donald Kuntzman, who downloaded the update on his Verizon iPhone 4. “To go almost an entire day without a change in the meter reading seems unbelievable. Where before I could almost watch the battery drain, now it doesn’t move at all.”

I wish my phone could go 'almost an entire day' without any change in the meter reading. His phone must be powered by pixies now. Or air-borne plankton.
 
Well I've returned to Apple after my 18 month fling with Android on the Desire.

I'm loving having all my old iPhone apps back and their new and improved versions.
Loving many of the new apps I've downloaded.

I was severely limited by the Bravo's internal memory as to how many apps I could have. Now I'm in quality app heaven.

I must admit though that I miss being able to turn mobile browsing off. But what if I don't want the mobile site but the full site!? Grrr.

And I'm missing the way my Android browsing squeezed all the text onto the screen so you didn't have to scroll.

Otherwise I'm lovin my 4S.
 
If you use a 3rd party browser like iCab, you can change your browser ID to desktop safari and get the full version every time.
Although iphone Safari does have the Reader function now, which is excellent for removing all the extraneous guff around an article.
 
Thats 5.0.1, Im glad its available a an over-the-air update since I have numerous devices to support at work and now hopefully users will just do it for themselves.
 
elbows said:
Thats 5.0.1, Im glad its available a an over-the-air update since I have numerous devices to support at work and now hopefully users will just do it for themselves.
Click to expand...

For some reason it never showed up on my phone so had to update the old fashion way. 800mbs later...and er it's still working great!
 
You must log in or register to reply here.

Similar threads

singsongfun
Apple says iPhones will support RCS in 2024
2
Replies
44
Views
1K
wemakeyousoundb
wemakeyousoundb
X
iPhone microphone adapter mount?
Replies
4
Views
219
wemakeyousoundb
wemakeyousoundb
danny la rouge
Recommendation iPhone SE 2020 case
Replies
7
Views
362
xenon
X
xsunnysuex
Help iPhone 11
Replies
14
Views
476
xsunnysuex
xsunnysuex
ATOMIC SUPLEX
Help iphone problem (my daughters) that I don't understand
Replies
12
Views
467
Throbbing Angel
Throbbing Angel
Back
Top Bottom