They only got in touch with him because his public statements got huge attention. They should've just contacted him and resolved the issue without him needing to go public. And he's not alone in this, other developers expressed the same frustration.
 
Quote: "Apple CEO Tim Cook said earlier this year that the upcoming rules could "destroy the security" of the ‌iPhone‌"

Timmy, boy, it's already destroyed, there's no reason not to allow 3rd party app stores, if I want to destroy my iPhone security I should be able to, it won't get any worse than it is now.

And maybe, just maybe, Apple would invest much more in security if sideloading was allowed?
People need to stop being so selfish with IT security. I want Spam to stop. I want DDoS to stop. Zombie systems are the cause of these issues.
 
Hot take! If that’s how you feel, I don’t understand why you are spending time on an Apple rumor web site :)
Trying the only way I know how to get Apple to realize their mistakes, to get Apple to change, and therefore to get Apple to do something (or maybe anything) to keep me from migrating away. It seems that lovefests don't cause change.

Apple features are geared to teenagers and those that, while they may be older, still think like teenagers. The software Apple delivers is bug-ridden and poorly thought out. The walled garden is turning into a prison and expanding to macOS. Apple routinely stifles free speech and forces its own political views on its users.

This is not the stellar high tech company of yesteryears. And yes, I am migrating away from Apple. We now use more PCs (Linux) than ever before. On the Macs that we do have we are using Apple software less and less.

What the new Apple does not understand is that one day when the fashion changes, Apple will not have us techies to fall back on because Apple's ecosystem no longer works for us. Increasingly Windows and Linux do.
 
Just wanted to quote this in bold, since it's the sort of thing people keen on criticizing tend to tune out:



I'm not saying Apple did everything right here, but I think this does put things in perspective.

It's also worth noting that despite you downvoting me, Tokarev themselves has written a blog post saying that the App Store review process will not catch an app using this exploit, and the characterisation in the MacRumors article that he does not think it's a big deal seems... entirely false?

 
Apple has an air of overconfidence and it sucks because they were the very best when they had to hustle and bust their butts to be the best.
 
What you indirectly suggest here is dangerous and a common mistake.

When a person, company or nation benchmarks against a lesser performing competitor and takes comfort and complacency in that as opposed to holding itself to a standard of excellence and continuous improvement (based on what is reasonably doable), decline and adverse events and publicity are possible.

As recent history has shown here.
Furthermore the security teams at Google are really good at finding and patching security issues.

As opposed to the Apple security team, which is overridden by the marketing team, the Google team also finds a lot of issues in Apple devices.

The Android mess-up with updates and releases making it to people's devices is another story.
 
It's also worth noting that despite you downvoting me, Tokarev themselves has written a blog post saying that the App Store review process will not catch an app using this exploit, and the characterisation in the MacRumors article that he does not think it's a big deal seems... entirely false?


If you think MR is falsifying information, better take it up with them. I'm just going by what the article stated.

As for your link, Tokarev states:

Now here is what happens when you submit your app for the App Store review. You can read it in more detail in this and this article but basically, a random reviewer downloads the app onto their iPad, taps through all the screens and makes a decision whether to allow it or not based on their own understanding of the App Store Review Guidelines biased by their own subjective opinions and attitudes.

However when I read "this" and "this" articles, it seems to me he is completely misrepresenting the review process, so I have to take his entire article with a grain of salt. It comes off as having an agenda rather than scientific.
 
There is definitely room for improvement in Apple's bug bounty program. That being said other software companies have similar problems with their bug bounty programs as well. I don't envy them trying to triage bugs and making sure things don't get lost in the process.
 
I do. Exploits can put a lot of people in danger.


Isn’t it a bit extreme to hold a congress hearing over how a company handles a bug bounty program? :p


Apple or the Unicode consortium?


Hot take! If that’s how you feel, I don’t understand why you are spending time on an Apple rumor web site :)

When one of the largest platforms used across the nation may not be timely and robustly handling risks to the information crossing and stored in that platform?

That’s exactly the kind of issue that congressional subcommittees hold hearings on.
 
There is definitely room for improvement in Apple's bug bounty program. That being said other software companies have similar problems with their bug bounty programs as well. I don't envy them trying to triage bugs and making sure things don't get lost in the process.
It doesn't help when the world is living thru a pandemic for the past year and a half as well.
 
Quote: "Apple CEO Tim Cook said earlier this year that the upcoming rules could "destroy the security" of the ‌iPhone‌"

Timmy, boy, it's already destroyed, there's no reason not to allow 3rd party app stores, if I want to destroy my iPhone security I should be able to, it won't get any worse than it is now.

And maybe, just maybe, Apple would invest much more in security if sideloading was allowed?

Except mathematical principles disagree with you, and say that allowing sideloading destroys the security of even those who do not sideload anything.

But don’t allow the laws of math, cryptography and information theory to get in the way of an entitled complaint.
 
Except mathematical principles disagree with you, and say that allowing sideloading destroys the security of even those who do not sideload anything.

But don’t allow the laws of math, cryptography and information theory to get in the way of an entitled complaint.

Yes, and memoji in messenger does it too. I'll trade memoji with sideloading.
 