I call BS. You forget Google pwns all your data

Oh and friendly reminder, the flaws that exist in 40% of all Android phones because they aren't updated trump this. Google's engineers aren't fixing it, they just keep rolling new versions of Android (that don't make it to 95% of devices older than a year).

Go for it! :)
He said with no facts to back up his claims...
 
Dude, don't forget your tinfoil hat... Why do people scream the sky is falling every time an article like this is posted? There is no known app that uses this yet. Worry then... LOL

I'm more of an aluminum man myself given the likelihood that aliens control our tin supplies. :p Seriously, where did I scream anything? Why do people employ hyperbole in response to lighthearted comments?

Go use Windows if you think you will be more safe......

I already said I would in my original comment—wait, no I didn't. Windows wasn't even mentioned. 'Way to go, Apple!' was an expression of my annoyance at how long Apple has known about these exploits without patching them.
 
The attack can be carried out from malicious apps. This implies that so long as you have that malicious app installed AND the vulnerability exists, then changing your passwords won't help - if they are stored on the device. The other implication is that app data is also exposed, which means that offline (on-device) store is also at risk.

Therefore the better suggestion is - be careful of what you install onto your devices.
Does this only impact jailbroken devices or are there malicious apps on the AppStore right now?
 
Great attitude Apple, just ignore.
Maybe they are, maybe they aren't.

Remember the whole "nude pictures" thing from last year, where celebrities' iCloud passwords were allegedly "brute forced". Apple didn't really respond (i.e. "just ignored it"), but six months later, two-factor authentication rolls out for managing Apple IDs, and since then it's been implemented for iCloud restores and even logging into iCloud.com (in addition to them adding application-specific passwords for things like FaceTime and Messages).

IMO, that's a fairly substantial response on their part to an issue that they were made aware of, but "ignored" in terms of publicly reporting what they were doing to fix it, before that fix was ready.

So who knows what their plan is to fix this issue.

They really could be sitting on their ****s ignoring this issue completely. But from what I've seen in the past, they simply don't talk about major security fixes until they're ready to release. That doesn't have to mean that they're ignoring it. As for how long it's taking them to address this issue, if it's something deep down inside that's broken (which sounds like it may be the case, this time), the fix really may be in the next version of the OS (i.e. 10.11 and iOS 9).
 
So according to the article the malicious apps are on the app store? How many times has apple pulled an app from the store because it had an undocumented hidden feature not approved of by apple?

Thinking. The one that allowed tethering comes to mind and another that had a built in Nintendo emulator? Two? Three?

I'll play devil's advocate and say there were ten malicious apps snuck onto the store. Out of millions. Maybe there were more but did we ever hear about it? How are apps curated? Who curates them? How are back doors and the like searched for?

It's still a problem but not as huge as you might think unless you jailbreak your phone and get your apps from a slumsonesian server somewhere.

So, the point is: don't download sketchy apps, don't jailbreak your phone and think twice about what you use your phone for possibly.

Apple needs to at least address this. Saying nothing makes them look like the henhouse doors are open and the foxes are running in and out with various chickens.
 
Does this only impact jailbroken devices or are there malicious apps on the AppStore right now?
From The Register's article:
The team was able to upload malware to the Apple app store, passing the vetting process without triggering alerts that could raid the keychain to steal passwords for services including iCloud and the Mail app, and all those store within Google Chrome.
 
What facts?
I see nothing about the percentage of bugs and that Google is not fixing them AS YOU CLAIM!

ROFL, thou doth protest too much for a recently former Apple fan ;)

http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html
https://bluebox.com/technical/android-fake-id-vulnerability/

But wait: http://******.com/?q=Android+security+flaws

You can now continue trolling Apple forums pretending to be an upset Apple fan ;)

xoxo
 
The team was able to upload malware to the Apple app store, passing the vetting process without triggering alerts that could raid the keychain to steal passwords for services including iCloud and the Mail app, and all those store within Google Chrome.

Who knows how much malware is in the App Store.
 
If everyone just used TouchID for everything, we wouldn't have this problem. Hey, maybe that's why Apple didn't fix this! :p

(I'm joking.)

Joking aside, for less technical readers it should be pointed out that Touch ID increases convenience not security. It only enhances security by encouraging users to use stronger passwords. Anything that can be accessed via Touch ID can also be accessed via an underlying password which is stored in the Keychain. And everything in the Keychain is vulnerable to this exploit.
 
OSX is the new Windows ;)

Not exactly true. Microsoft at least takes a more immediate action against security fixes. So does Linux. You can't run enterprise OS (Windows or Linux) with security issues for long. Look how fast Heartbleed and all the others were fixed.... days not 6 months.
 
"The thirteen-page paper research paper" I know paper is becoming less-used in academia, but I didn't think we had to explicitly point this out yet. :)

/editor's eye.

This has been going on for years. Not sure why people mention amount of pages as if they wanted to brag about how much they had to write, or type.
 
There is no such thing as security from this sort of thing. For every programmer that writes a security program that is supposed to keep our information secure, there is a hacker out there that can decode/hack the program to steal whatever they want.

Apple could come out with a patch today to fix the current problem, but tomorrow someone else finds a way to hack it.

There is no such thing as security.

Security is a process, not a program. Using trusted applications, keeping your computer software updated, and knowing the activity on the computer can keep you secure. If you find a threat, try to stop the threat, or at least disconnect from the interwebs immediately. On another device, report the issue so it can be fixed.

When I had my apartment a few years back, I had an overlap of ISP service. One of my computers was a fresh install of Windows XP SP 1 with no updates ever done so I could run a game. I put this tiny network on a separate ISP from my other devices. It ran for just over a year and had Snort sniff the port on my switch for activity. It is very unlikely that you will be targeted unless you purposely download some malware or go on shady websites downloading stuff.
 
The amount of Apple blamers is mind-boggling. Who says they aren't addressing it?
We don't know whether they do or not. It's not going to be advertised.
It should be clear that nothing is ever safe which is created by humans, especially software.

So, all the platforms have their vulnerabilities

As long as there are apps and OS traffic there will be a spot to enter.
 
Don't download sketchy apps off the Mac App Store. Don't download apps off the Mac App Store, period. It's a wasteland. The few quality apps on there should be purchased directly from the developer's web site instead - there are more benefits to doing so (like the ability to offer discounts on future versions).

The Mac App Store is for updating Mac system software and other Apple applications, nothing more.
 
Funny, looks like Apple is facing the same security issues that Microsoft went through after explosive growth. I seem to remember everyone saying that Apple was different and it wouldn't make a difference if they had a larger user base. :rolleyes:
 
:-/ when my apps need to store sensitive data, they put it in Keychain...

I imagine that Apple hasn't responded either because:
1 - The team who reviews bugs.apple.com are terrible at their job and don't actually escalate anything that they should (seems most likely to me).
2 - This issue is so deeply embedded/entangled in everything that it's going to require more than a few months to fix without breaking other things.
 