SolarShane

macrumors 6502
Mar 7, 2014
302
0
I've warned plenty about downloading that emulator and I've gotten crap about "who the hell cares, it's still secure, it's not like I jailbroke my device"

Didn't answer my question. The emulators have nothing to do with this "security" flaw. They were legit open source apps that didn't do anything malicious to the device or to the user's data.

So I ask again, why are you laughing at the people who downloaded emulators?
 

Keirasplace

macrumors 601
Aug 6, 2014
4,059
1,278
Montreal
Would removing the affected app even remove the breach?

You'd have to remove the overwritten app. But, if you had started it (or rebooted and it had autostarted an app in that sandbox), the data breach of the data accessible from that sandbox/app could already have occurred. In this case, removing the app just limits the damage.

Not sure if the profile used is removed when the last app that uses it goes away, at first glance I'd say no. But, it doesn't matter much anyway, because you still need to download an app and install it to be exploited.

----------

Didn't answer my question. The emulators have nothing to do with this "security" flaw. They were legit open source apps that didn't do anything malicious to the device or to the user's data.

So I ask again, why are you laughing at the people who downloaded emulators?

Unless you compiled the code and that code comes from a trusted source, or the binary comes from a trusted source, you still have to trust someone other than Apple. Open source doesn't mean much if you trust any binary that purports coming from that source coming from anyone.

Of course, modders take bigger security risks than most, so this may not be an issue for you.
 

Tech198

Cancelled
Mar 21, 2011
15,915
2,151
Apple warns you,,, it doesn't prevent u...

Two different things....... The user is still the final tally.

Apple's way.... I hate Apple's way, since they deliberately go out of their way to open up the ability for anyone to get apps from anywhere, and then we all get scared when it comes to light that "apps from outside the app store is installed can cause a vulnerability"

I mean, what sort of a ding-a-lings are working on iOS app store not to even see this...

A company allows u to get apps from outside of the app store ? Of course it's a security risk....

And if it makes it easier, since developers may not want to get their app on the app store, pricing etc... i understand that, but it also allows for them to do anything they like....

Personally, if i had my view, i would just say ... "Only on the app store" and if u want to break the rules and getting this stuff from outside... then tough.......It's an Apple device which is meant to be "secure"


How can we call it that when Apple keeps allowing this crap in ?
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,392
19,459
Apple warns you,,, it doesn't prevent u...

Two different things....... The user is still the final tally.

Apple's way.... I hate Apple's way, since they deliberately go out of their way to open up the ability for anyone to get apps from anywhere, and then we all get scared when it comes to light that "apps from outside the app store is installed can cause a vulnerability"

I mean, what sort of a ding-a-lings are working on iOS app store not to even see this...

A company allows u to get apps from outside of the app store ? Of course it's a security risk....

And if it makes it easier, since developers may not want to get their app on the app store, pricing etc... i understand that, but it also allows for them to do anything they like....

Personally, if i had my view, i would just say ... "Only on the app store" and if u want to break the rules and getting this stuff from outside... then tough.......It's an Apple device which is meant to be "secure"


How can we call it that when Apple keeps allowing this crap in ?
And again, the flaw/exploit isn't actually with that aspect of it all.
 

atlatnesiti

Suspended
Sep 4, 2008
839
212
Sydney, Australia
Apple warns you,,, it doesn't prevent u...
How can we call it that when Apple keeps allowing this crap in ?
Apple is not allowing this crap, yet people go above and beyond and find it compelling to "jail break" their iPhones and download "cracked" apps.
Ignorance of some never ceases to amaze me... Wreck your iPhone out of your good will and then complain to Apple that their product is crap... WTF...?!
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,392
19,459
Apple is not allowing this crap, yet people go above and beyond and find it compelling to "jail break" their iPhones and download "cracked" apps.
Ignorance of some never ceases to amaze me... Wreck your iPhone out of your good will and then complain to Apple that their product is crap... WTF...?!
And again not what this is really all about.
 

djgamble

macrumors 6502a
Oct 25, 2006
989
500
That's not really the part where the flaw is and what can be exploited. It's about one installation being able to overwrite another completely unrelated installation, and not about simply being able to install something from outside the App Store or something like that.

----------

This pretty much summarizes it fairly well. A lot of people seem to concentrate and discuss something else entirely and not the actual flaw and potential exploit. And then there are also people who either blow it out of proportion or talk about it being blown out of proportion when neither one of those things is true either.

The reality is that there is a flaw that can be exploited, it's not something that is widespread and doesn't seem like it would become something widespread, but it is a security issue nonetheless and as such should be something that isn't ignored for long. That's really pretty much it.

WTF?!? You just quoted a bunch of guys, told them they were all wrong and YOU were really the guy with no idea. What a waste of time!!

----------

Although it's off topic - how has this post got a down vote..?
Another masque attack..?

Not sure but time to bring out the conspiracy theories. Mods controlling the world!!

Maybe it's the new Mosque attack on MR funded by Islamic State?
 

cjmillsnun

macrumors 68020
Aug 28, 2009
2,399
48
Wow. Everyone is looking past this subtle part of Apple's response:



Hope this doesn't mean the closing of OS X!

Bearing in mind the options have been in there to restrict to the App Store only since Lion, it is a fair assumption, that if Apple were going to do that, they would've done it by now.

----------

Adobe Photoshop? Microsoft Office for OS X? Are these gold standards available on the Mac App Store?

I don't think so...and to install them you have to break security code and change your settings, and allow untrusted installs...

Oh no! Apple doesn't want you installing these evil programs. They want you to use only Pixelmator and Pages...

Right...

WTF?? BY DEFAULT Apple allows apps downloaded from the Mac App Store and identified developers.

Guess what... Adobe and MS are identified developers. So stop spreading FUD.

----------

Regardless of how many people do or do not have it, it needs fixed. Step up Apple and get this sorted before some poor fool does become victim of it!

agreed.
 

cjmillsnun

macrumors 68020
Aug 28, 2009
2,399
48
Um, you do realize that Apple is slowly closing down OS X, right? If not, then you're oblivious to this line in Apple's response: "only download apps from our App Store".

No they're not... If they were closing down OS X the first thing they would do is disable terminal access...

Here I am running Yosemite...

Oh look... Terminal... OS X is still wide open then..

Also read the statement again...

We encourage customers to only download from trusted sources like the App Store

My boldface. The App Store was used as an example. They are saying only download from a source you KNOW you can trust.
 

Attachment: Screen Shot 2014-11-15 at 15.06.20.png

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,392
19,459
WTF?!? You just quoted a bunch of guys, told them they were all wrong and YOU were really the guy with no idea. What a waste of time!!

----------



Not sure but time to bring out the conspiracy theories. Mods controlling the world!!

Maybe it's the new Mosque attack on MR funded by Islamic State?
And you just quoted me saying I have no idea about something yet providing no information at all as to why, which basically didn't add or explain anything and certainly didn't make anything I said incorrect in any way. A waste of time indeed.
 

djgamble

macrumors 6502a
Oct 25, 2006
989
500
And you just quoted me saying I have no idea about something yet providing no information at all as to why...

Nice argument but myself and others (who you quoted) already explained the mechanism of the attack (so has the article). You're just randomly calling people wrong and the onus is on you to prove me, other posters, the article and security experts wrong before you start telling me to respond.
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,392
19,459
Nice argument but myself and others (who you quoted) already explained the mechanism of the attack (so has the article). You're just randomly calling people wrong and the onus is on you to prove me, other posters, the article and security experts wrong before you start telling me to respond.
All that was in your explanation and that of others that I quoted was some tirade about installing from outside the App Store and people not being careful. When the actual exploit is not about the part of installing from outside sources (which isn't new, weird, or bad in some way) but about one outside source being able to overwrite a whole different app, which is something that shouldn't be happening.

It's pretty simple, but people choose to concentrate on discussing and attacking other parts of it all which still doesn't address the actual exploit that exists and should be addressed.

All that was already explained fairly clearly and ignoring it and just calling it wrong just because doesn't change the reality of it.
 

djgamble

macrumors 6502a
Oct 25, 2006
989
500
All that was in your explanation and that of others that I quoted was some tirade about installing from outside the App Store and people not being careful. When the actual exploit is not about the part of installing from outside sources (which isn't new, weird, or bad in some way) but about one outside source being able to overwrite a whole different app, which is something that shouldn't be happening.

It's pretty simple, but people choose to concentrate on discussing and attacking other parts of it all which still doesn't address the actual exploit that exists and should be addressed.

All that was already explained fairly clearly and ignoring it and just calling it wrong just because doesn't change the reality of it.

You're confusing what the app does with how it gets installed in the first place.
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,392
19,459
You're confusing what the app does with how it gets installed in the first place.
What does one have to do with the other, or more importantly with the actual flaw? The exploit is with an installation being able to install itself over another unrelated and previously installed app.
 

afs_nj

macrumors member
Jan 3, 2001
30
1
CT
Clarity

I believe some people here are responding to this, and other, articles that omit half the facts -- facts that, for most intents and purposes, nullify any newsworthiness. This "flaw" requires either the phone be jailbroken or the phone has been provisioned in a certain way, typically in an enterprise, and typically for internal app testing purposes.

Because Apple always claims that their "closed" system is more secure than those others due to the review process?

Frankly, I don't understand why some people on this forum keep downplaying these security flaws. Perhaps they think they need to "defend" Apple, but that is misguided IMO. The "fappening" made it very obvious that Apple doesn't necessarily act to improve their security policies without public pressure. If that hadn't happened, we'd probably still have the weak iCloud security policy and incomplete 2-factor authentication. Public attention can only help to make the system more secure for everyone by forcing Apple to act.
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,392
19,459
I believe some people here are responding to this, and other, articles that omit half the facts -- facts that, for most intents and purposes, nullify any newsworthiness. This "flaw" requires either the phone be jailbroken or the phone has been provisioned in a certain way, typically in an enterprise, and typically for internal app testing purposes.
The facts are actually not really those as already has been pointed out in many posts. Yes, something is definitely required on user's part and yes this wouldn't apply to most, but it's certainly easier than the phone needing to be jailbroken or provisioned in some way from the beginning.
 

djgamble

macrumors 6502a
Oct 25, 2006
989
500
What does one have to do with the other, or more importantly with the actual flaw? The exploit is with an installation being able to install itself over another unrelated and previously installed app.

Have a beer and think about that one mate...

This is the whole reason why you are lost and you're calling those who understand idiots instead of listening. You don't understand HOW it's all happening, you just care about what it's doing.

RL example... leave a bank vault open, never lock it. When somebody robs the bank you can't then say 'the door was not strong enough!!! The company that made the door should fix this security hole!!!' because you left it open.

Same here. By using a pirated dev certificate and trusting apps distributed by hackers directly, you're leaving the door right open. Apple can't prevent you from intentionally installing this kind of garbage using a pirated dev certificate.
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,392
19,459
Have a beer and think about that one mate...

This is the whole reason why you are lost and you're calling those who understand idiots instead of listening. You don't understand HOW it's all happening, you just care about what it's doing.

RL example... leave a bank vault open, never lock it. When somebody robs the bank you can't then say 'the door was not strong enough!!! The company that made the door should fix this security hole!!!' because you left it open.

Same here. By using a pirated dev certificate and trusting apps distributed by hackers directly, you're leaving the door right open. Apple can't prevent you from intentionally installing this kind of garbage using a pirated dev certificate.
Nice of you to say I call people names; I've done no such thing. Pointing out someone is incorrect or misinterpreting something is not even in the same league as pointless name calling. But nice attempt at trying to make me seem like I just put people down, truly makes for a strong argument. :rolleyes:

As for the actual flaw, seeing the analogy that was used only further supports what I and some others have been pointing out--the issue isn't with what you and some others are trying to say it is, the issue is with something else.

Using the "RL" example, the problem isn't that the vault door is open, the problem is that someone else's safety deposit box key can not only open their box but yours as well. Someone can be fully allowed in the vault to access their safety deposit box, but they surely shouldn't be able to access yours with their key. So being in the vault and the vault door being open (or not) isn't the actual issue there, or even that someone might steal and have someone else's key, the problem is the fact that the manufacturer of that vault with safety deposit boxes somehow made it so that any key can open any safety deposit box.
 