As long as you are OK with them storing your email account credentials on their servers. If they are breached, hackers not only get access to your email account, but can probably also take over many of your other accounts via password resets.

Why in the hell do they do that? There's NO REASON to keep credentials anywhere but on the device itself. I'm surprised Apple actually approved an app that does this as the security implications are dire.
 
Any mail app that has push notifications enabled is storing your credentials. Any app that requires you to create an account has those account credentials, which is why it's wise to make your passwords vary with every account you have. The only problem I would have with Spark is Readdle having my e-mail credentials when I didn't know they would, but again, anything with push enabled has them and already know this. Readdle does more though, they store e-mail too. I have never seen a clear answer from them on whether disabling push notifications removes everything from their servers or not. They have a feature in settings where you can delete your info from their servers. Pretty cool, but does it just populate again the next time you start the app?

iOS mail doesn't push, so it's a good app for privacy. You can disable push on almost any other mail app, but you never know what's happening on the other side. If they haven't explicitly written code to delete your credentials when you disable push notifications, it remains there even though you think you're good (you could change your password for more assurance). Without having access to source code, network traffic, and unabridged server-side access, you have no idea what's really happening. Then there's information sharing, which won't be stored in any application code or any network traffic that you can see.
 
They store email account credentials on their servers. If anyone manages to steal them, they have full access to your emails.
Of course they can. There are many types of accounts that allow you to reset the password by sending a link to your registered email address. Hijacking an active email account is a treasure trove for blackhats. Not even mentioning the privacy implications of having all your stored emails exposed.

As a member of the Spark team, I want to assure you that we follow all the recommended industry practices to keep your data safe. Spark needs access to your email account to enable you to read and send emails. This is how every email client works. Our databases are encrypted and all connections are protected with TLS.

To make things as secure as possible, we don't use our own servers. Instead, we rely on Google Cloud which is one of the most secure solutions in the industry, and many tech companies like PayPal or Twitter also use it.

Here, we've explained everything you need to know about Spark's privacy policy: https://sparkmailapp.com/blog/privacy-explained
 
Why in the hell do they do that? There's NO REASON to keep credentials anywhere but on the device itself. I'm surprised Apple actually approved an app that does this as the security implications are dire.
It's required for some of the functionality they offer, such as push notifications for IMAP accounts. Note that they aren't the only ones doing that (e.g. the mobile Outlook app does the same). But that doesn't make it any better. Personally I would never use such an app.
As a member of the Spark team, I want to assure you that we follow all the recommended industry practices to keep your data safe.
I believe that, but it's still a fundamental security issue. Storing (unhashed) access credentials server-side is always a risk. The users should be made fully aware of this so they can make an informed decision whether the tradeoff is worth it to them.
Spark needs access to your email account to enable you to read and send emails. This is how every email client works.
Now this is just disingenuous. Apple Mail and many other clients do *not* store account credentials on a server that the user doesn't control.
 
The coming weeks? You honestly expect Apple to leave a publicly announced vulnerability to sit around for weeks? If there isn't 13.4.2 or 13.4.3 that fixes this soon then I'll be surprised.
 
To make things as secure as possible, we don't use our own servers. Instead, we rely on Google Cloud which is one of the most secure solutions in the industry, and many tech companies like PayPal or Twitter also use it.

That means absolutely nothing. A server you run in the cloud is still your server, it's just a virtual machine or instance running on someone else's hardware. If anything this is slightly LESS secure, as now Google and its employees potentially have access in addition to your company.

I'm not saying that I don't trust your company in particular, just that having my password stored in a non-hashed form anywhere but on my own hardware is unacceptable.
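The two posts above draw a line between a service that merely checks a password and one that keeps the password in a form it can reuse, which is what a push-notification backend polling IMAP on your behalf needs. The following is an added illustration, not code from this thread, from Readdle or from Apple: it enrolls the same constructed sample credential in a verify-only store (salted PBKDF2 hash) and in a recoverable store (encrypted with a key the service itself holds) and reports what each can do and what a dump of each exposes. The HMAC-based keystream is an assumed stand-in for a real AEAD such as AES-GCM, which the Python standard library does not ship; the user name and password are made up for the demonstration.

```python
"""Added example, not code from the thread, Readdle or Apple: two ways a
service can hold an email password, and what each can do with it. A plain
login service keeps a salted hash and can only *verify*; a backend that must
log in to IMAP on the user's behalf (push notifications for IMAP accounts)
must keep the credential in a form it can *recover*, so a breach of that
backend yields the password itself."""
import hashlib
import hmac
import os

# Constructed sample credential for the demonstration; not a real account.
SAMPLE_USER = "alice@example.com"
SAMPLE_PASSWORD = "correct horse battery staple"
PBKDF2_ROUNDS = 200_000


def _toy_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream built from HMAC-SHA256. Assumption: this stands in
    for a real AEAD such as AES-GCM, which the standard library does not ship;
    the storage property it illustrates (decryptable with a server-held key)
    is the same."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class VerifyOnlyStore:
    """Salted PBKDF2 hash per user: can check a password, cannot reproduce it."""

    def __init__(self):
        self.rows = {}

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.rows[user] = (salt, digest)

    def check(self, user: str, password: str) -> bool:
        salt, digest = self.rows[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def credential_for_imap(self, user: str) -> str:
        # An IMAP LOGIN needs the password itself; a hash cannot supply it.
        raise LookupError("hash store cannot recover the plaintext credential")

    def breach(self) -> dict:
        """What an attacker who dumps the table gets: salted hashes only."""
        return {user: digest.hex() for user, (_, digest) in self.rows.items()}


class RecoverableStore:
    """Credential encrypted with a key the service itself holds, so the
    service can decrypt it every time it polls the mailbox."""

    def __init__(self):
        self.master_key = os.urandom(32)  # stored on the same infrastructure
        self.rows = {}

    def enroll(self, user: str, password: str) -> None:
        nonce = os.urandom(16)
        pw = password.encode()
        self.rows[user] = (nonce, _xor(pw, _toy_keystream(self.master_key, nonce, len(pw))))

    def credential_for_imap(self, user: str) -> str:
        nonce, ciphertext = self.rows[user]
        stream = _toy_keystream(self.master_key, nonce, len(ciphertext))
        return _xor(ciphertext, stream).decode()

    def breach(self) -> dict:
        """Whoever obtains the database together with the key (an intruder or
        an insider) recovers every password; encryption at rest does not help
        against that party."""
        return {user: self.credential_for_imap(user) for user in self.rows}


def _can_login_to_imap(store, user: str) -> bool:
    try:
        store.credential_for_imap(user)
        return True
    except LookupError:
        return False


def compare_storage_models(user: str = SAMPLE_USER, password: str = SAMPLE_PASSWORD) -> dict:
    """Enroll the same credential in both stores and report what each can do."""
    hashed, recoverable = VerifyOnlyStore(), RecoverableStore()
    hashed.enroll(user, password)
    recoverable.enroll(user, password)
    return {
        "hash_store_verifies_password": hashed.check(user, password),
        "hash_store_rejects_wrong_password": not hashed.check(user, password + "x"),
        "hash_store_can_login_to_imap": _can_login_to_imap(hashed, user),
        "hash_breach_reveals_password": hashed.breach()[user] == password,
        "recoverable_store_can_login_to_imap": _can_login_to_imap(recoverable, user),
        "recoverable_breach_reveals_password": recoverable.breach()[user] == password,
    }


if __name__ == "__main__":
    for name, value in compare_storage_models().items():
        print(f"{name}: {value}")
```

The result table is the whole point: the hash store verifies and rejects correctly but can never produce what an IMAP LOGIN needs, so its breach yields only hashes; the recoverable store is the only one that can poll the mailbox, and for exactly that reason its breach (or an insider holding the key) yields the password. An app-specific password, where the provider supports one, limits the blast radius of that second case because it can be revoked without touching the main account password.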
 
Yeah, if this is already being exploited then the responsible thing to do is publish it and let people decide if they want to continue using the app.

This is a place where sandboxing is insufficient. Generally the sandbox means a user breaching an app can only access data from that app, but if that app's data is all of my email that’s a freaking treasure trove.

This sounds like a pretty big bug to have been lurking through 7 versions of iOS...

Try this: https://www.reuters.com/article/us-...hackers-to-steal-data-for-years-idUSKCN2242IK

*snip*
By itself, the flaw could have given access to whatever the Mail app had access to, including confidential messages.

Wonder what other system apps have a similar vulnerability?
 
I guess everyone with devices that can't run iOS 13 need to just buy new hardware.
iOS 12 is still getting security updates, so basically everybody with an iPhone 5S or later will get a patch.

iPhone 5 is almost 8 years old so nobody can complain it's not getting updates, while no Android phone older than 2 years is getting any update.

As a side note, I still don't understand why on earth people are putting up with the Apple mail client when there are many better free alternatives. I, for one, am using Microsoft Outlook, and before that I was using Newton/CloudMagic.
 
Try this: https://www.reuters.com/article/us-...hackers-to-steal-data-for-years-idUSKCN2242IK

*snip*
By itself, the flaw could have given access to whatever the Mail app had access to, including confidential messages.

Wonder what other system apps have a similar vulnerability?

Here’s the bit that frustrates me:

"Avraham based most of his conclusions on data from “crash reports,” which are generated when programs fail in mid-task on a device. He was then able to recreate a technique that caused the controlled crashes."

Don't those crash reports automatically go to Apple? If so, it seems like Apple should have found this sometime in the last 7 years. Perhaps it’s rare, but any buffer overflow is a critical risk.

Maybe this is the danger of going in and setting everything for maximum privacy... Looking at my own settings, I don’t see a separate setting for crash reports any more, but I do have “share analytics” turned off.
 
As a member of the Spark team, I want to assure you that we follow all the recommended industry practices to keep your data safe. Spark needs access to your email account to enable you to read and send emails. This is how every email client works. Our databases are encrypted and all connections are protected with TLS.

To make things as secure as possible, we don't use our own servers. Instead, we rely on Google Cloud which is one of the most secure solutions in the industry, and many tech companies like PayPal or Twitter also use it.

Here, we've explained everything you need to know about Spark's privacy policy: https://sparkmailapp.com/blog/privacy-explained

While I appreciate this part of your design, you are still able to change who you use as your back end at any time, so it's not like this is contractual.
 
Here’s the bit that frustrates me:

"Avraham based most of his conclusions on data from “crash reports,” which are generated when programs fail in mid-task on a device. He was then able to recreate a technique that caused the controlled crashes."

Don't those crash reports automatically go to Apple? If so, it seems like Apple should have found this sometime in the last 7 years. Perhaps it’s rare, but any buffer overflow is a critical risk.

Maybe this is the danger of going in and setting everything for maximum privacy... Looking at my own settings, I don’t see a separate setting for crash reports any more, but I do have “share analytics” turned off.

As far as I know, if you have Data Sharing turned off Apple does not get them.
Still, think about it. 900 million devices and the reports coming in. They would need to be looking for something specific to notice it in all the ground clutter.
 
So what are the effects.. what can they access with this exploit.
And what can one do if one suspects they have already been targeted?
How does one go about clearing/protecting the device till the new iOS is released?
 
While I appreciate this part of your design, you are still able to change who you use as your back end at any time, so it's not like this is contractual.
The use of Google Cloud (or Amazon AWS, or Microsoft Cloud, or any other public cloud) is just name dropping and doesn't mean anything on its own. It all depends on how the service provider using the cloud configures its instances. Just a few weeks ago a large database was leaked from a Google Cloud server due to an improper configuration. This happens all the time.
 
That's an extremely dangerous vulnerability, and it's still not patched. Apple is not the best at security, only the best at giving the image of being the best. Numerous security issues over the years, yet the faithful still profess Apple security is impenetrable. :rolleyes:
 
It's encrypted if you use IMAP etc and the other types of account need app specific passwords so no, they can't "take over your account via password resets"

I've tried so many email clients over the years to find the best one and nothing comes even close to Spark.

Huh? This isn't about your connection being encrypted. It's what if their cloud server is breached where your emails run through? A pissed off employee logs in and messes with people?

Any time a 3rd party has access they have access to all, including password resets for that email account and all important things attached- banking, investments, etc. You would never know either since they would get that info first and be able to delete it before you see it on device.
 
It's straight-up incorrect to say "Apple Patches Two Vulnerabilities". MR might as well report that Apple has manufactured a 13" MacBook Pro with the Magic Keyboard. It would be equally false.
 
As far as I know, if you have Data Sharing turned off Apple does not get them.
Still, think about it. 900 million devices and the reports coming in. They would need to be looking for something specific to notice it in all the ground clutter.
Yeah, I sympathize with the data volume, and I’m not sure exactly what the crash report here would flag, but if there was a buffer overrun or some other unsafe memory operation then I’d hope their automated tools would find and flag it regardless of how common it was. It’s possible though that because these were targeted attacks, it only happened to a handful of people who may have all opted out of sharing analytics...
 
Yeah, I sympathize with the data volume, and I’m not sure exactly what the crash report here would flag, but if there was a buffer overrun or some other unsafe memory operation then I’d hope their automated tools would find and flag it regardless of how common it was. It’s possible though that because these were targeted attacks, it only happened to a handful of people who may have all opted out of sharing analytics...

Or low enough it didn't trip an algorithm.
Good thought on targeted.
 