Major App Store Vulnerability Leaves/Left Users Vulnerable to Password Theft

[macUser2007]

Well then average users can enjoy having their details stolen for not bothering to make sure they're being secure. The fact that such ignorance is encouraged is a problem. Why do you think people still bother phishing? Because some idiot will always fall for it because they don't think they "need to know this stuff."

If people must use an open WiFi network they should always do it through a VPN. Simple as that really.
...

Seriously, dude? On one hand, the fanbase extolls the virtues of iOS's simplicity (stuff like "my grandmother uses an iPhone"), on the other hand, whenever Apple screws up majorly, like this time, the same fanbase starts chiding users for being "idiots."

VPN?! Why should anyone have to use VPN, which is complex and often costly, just because Apple couldn't implement something as simple as HTPS.

 

[SomeDudeAsking]

Seriously, dude? On one hand, the fanbase extolls the virtues of iOS's simplicity (stuff like "my grandmother uses an iPhone"), on the other hand, whenever Apple screws up majorly, like this time, the same fanbase starts chiding users for being "idiots."

VPN?! Why should anyone have to use VPN, which is complex and often costly, just because Apple couldn't implement something as simple as HTPS.

Actually, I believe 0dev is also an Android user.

 

[0dev]

Using a VPN can definitely cause noticeable lag and decreased bandwith

Only if you're on a crappy connection anyway, usually it's negligible.

All that encryption and decryption is not free. You have to make the processor do the extra work which results in decreased battery life.

Not in any way that's noticeable.

And if you want to tether in the US, those plans cost at least $20 extra according to the carrier guide at http://www.pcworld.com/article/261928/the_ultimate_android_tethering_guide.html

Sucks to be you.

That means, with your solution, a person would have to pay an extra $20 + $7.50 (£5) = $27.50 per month just for these workarounds. You don't have to look hard to see why your suggestion will get laughed at by most people.

You only need one of those solutions. £5 a month for a VPN is nothing.

And a VPN connection is not totally secure from end to end. Your VPN connection terminates at your VPN host, they then have to send the traffic over the regular internet to reach the intended target, in this case Apple. At attacker could still sniff this portion of the link and steal your passwords. A proper SSL connection would prevent this.

Not an attacker on the WiFi network, they'd have to hack the VPN provider itself.

And there is another major draw back of using a VPN: Nothing on your home network will be able to connect to each other. This means that iTunes wireless sync, iTunes wireless backup, Apple TV remote app, NAS, Airplay, etc.... will not work.

I'm only talking about using a VPN on public networks, not all the time.

If you login to an unsecure wifi hotspot (which for business travelers is sometimes a requirement), you can't help but have sensitive data sent over the network. Most of this happens in the background without the users consent. You can't blame users for that.

You can help it by not connecting to an unsecure network. Business users, though, use a VPN.

----------

Seriously, dude? On one hand, the fanbase extolls the virtues of iOS's simplicity (stuff like "my grandmother uses an iPhone"), on the other hand, whenever Apple screws up majorly, like this time, the same fanbase starts chiding users for being "idiots."

VPN?! Why should anyone have to use VPN, which is complex and often costly, just because Apple couldn't implement something as simple as HTPS.

I'm not defending Apple, but users have to take responsibility too.

Actually, I believe 0dev is also an Android user.

Correct.

 

[macUser2007]

Actually, I believe 0dev is also an Android user.

Yeah, I saw the Nexus 7 bit. But 0dev's argument is still in the same vein.

 

[PNutts]

So it was no big deal that our Apple ID passwords could have been intercepted for years...

I'm tardy to the pardy. Passwords were already sent via HTTPS (not interceptable if I understand your intent using that word) and the rest of the session had mixed content. Not good but nowhere nearly as bad as sending the password in the clear.

OpenDNS (free DNS based web filtering and more which IMHO everyone should use) makes the free Umbrella iOS app that adds VPN capabilities to your device. It will automatically or on demand tunnel your connection (wifi and wireless).

 

[SomeDudeAsking]

I'm tardy to the pardy. Passwords were already sent via HTTPS (not interceptable if I understand your intent using that word) and the rest of the session had mixed content. Not good but nowhere nearly as bad as sending the password in the clear.

OpenDNS (free DNS based web filtering and more which IMHO everyone should use) makes the free Umbrella iOS app that adds VPN capabilities to your device. It will automatically or on demand tunnel your connection (wifi and wireless).

Umbrella isn't free.

 

[Brother Esau]

Over an unsecure wifi connection.
Besides who's going to analyze data from the wifi hotspots?(i suppose thats what they mean by insecure wifi connections since most wifi home connections come with a password by default)

Lots of people make a full time living going from WIFI Hotspot to WIFI Hotspot and doing the that very thing. The ignorant end user who thinks everything is hunky dory just throwing himself out their on a open wifi hotspot is the number one cause of identity theft across the globe.

I guess from what you just said you fit the bill to the tee

 

[Bahroo]

Is the Play Store https protected too?

 

[DMH3006]

Lots of people make a full time living going from WIFI Hotspot to WIFI Hotspot and doing the that very thing. The ignorant end user who thinks everything is hunky dory just throwing himself out their on a open wifi hotspot is the number one cause of identity theft across the globe.

I guess from what you just said you fit the bill to the tee

1st I don't know who you are to say i fit the bill to the tee
2nd the only wifi's i use are password protected besides my university wifi is as so much protection"encoding that must registered users can't even login due to all the security checks the freaking thing has
3rd anyone who checks sensitive data in unsafe connections is simply dumb,people nee to be held accountable, this theory that we must adapt everything to the lowest element(in this case people that don't know what they're doing) shouldn't exist,if you're going to use something you must know something about it,at least know how to protect yourself.

 

[0dev]

Is the Play Store https protected too?

Yep. Even when you visit it through a browser, everything goes through HTTPS.

 

[bozzykid]

3rd anyone who checks sensitive data in unsafe connections is simply dumb,people nee to be held accountable, this theory that we must adapt everything to the lowest element(in this case people that don't know what they're doing) shouldn't exist,if you're going to use something you must know something about it,at least know how to protect yourself.

Yeah, every person with an iPhone should be an expert on SSL and encrypted connections.

If a person uses an open wifi hotspot, they assume the protocols used by the various apps that work in the background are still secure. The fact is, Apple's App Store wasn't secure. There is zero blame for users in this case.

 

[DMH3006]

Yeah, every person with an iPhone should be an expert on SSL and encrypted connections.

If a person uses an open wifi hotspot, they assume the protocols used by the various apps that work in the background are still secure. The fact is, Apple's App Store wasn't secure. There is zero blame for users in this case.

Did i say that? I said that you should know how it works,not be an expert. People on computers know not to download strange files from "weird" websites or from emails of people they don't know,can't they do the same for open wifi hotspots?

Anyway its secure now so whatever.

 

[macUser2007]

Did i say that? I said that you should know how it works,not be an expert. People on computers know not to download strange files from "weird" websites or from emails of people they don't know,can't they do the same for open wifi hotspots?

Anyway its secure now so whatever.

Why should a user "know how it works" just to get an app from the Apple App Store?

Kind of like saying Apple can sell an iPad charger with exposed high-voltage wires, because consumers should "know how electricity works," since it's been over two centuries since Volta invented the battery.

 

[SomeDudeAsking]

Did i say that? I said that you should know how it works,not be an expert. People on computers know not to download strange files from "weird" websites or from emails of people they don't know,can't they do the same for open wifi hotspots?

Anyway its secure now so whatever.

No, the Apple App Store still may not be secure since it is unclear what version of iOS you need to have the patched version. Apple refuses to comment as always even when it would be so simple to do. There are many users on older versions of iOS than the latest 6.1.x that are likely still vulnerable.

 

[64Mario64]

Let's hope my account isn't taken. So far so good.

----------

"Active content is now served over HTTPS by default."
What does that mean? Is there a setting somewhere for this?