Who installs apps from non official app stores?? I never did that even when I had an Android.

Also more importantly... Why would you answer a text/email from someone you do not know?


I thought it is impossible to install apps from non-official app stores unless it is jailbroken with appsync to do so?
 
Yeah I'd already noticed the profiles list was gone on iOS 8 :( I wonder why Apple removed this?? It certainly doesn't make it any more secure.

There is still a "device management" screen on iOS 8 that shows my company's restrictions. Perhaps this would show up there?

----------

I thought it is impossible to install apps from non-official app stores unless it is jailbroken with appsync to do so?

Corporate apps customized for specific enterprises use side-loading so as not to require the App Store. I can enter in my timesheet, for example, through a custom app.
 
This is a serious security concern. The current example showing how to exploit it may seem like you have to be an idiot to do it, but don't assume that's the only way to exploit it. What about a legit app in the App Store that's a fun game but purposely designed to take advantage of this exploit by promoting a new version of the game within the app and asks users to install it, which then uses a link to retrieve a malicious version from a site.

I think Apple App store would still have to approve update? But I would like to know answer for sure?:confused:
 
I'll repeat this - the bigger issue is that this security hole exists and that apps can be overwritten.

Some people need to stop focusing on whether or not old people, stupid people or whatnot would click on some random link.
 
You're missing the point. How it gets installed is less important than the fact that it CAN be installed this way in the first place.

You're focusing on the wrong issue.

Everything should focus on normal practice. This is not a normal practice...just like Lurkworm last week...Researchers try to show the WAY that an operating system can be infected, the way that's irrelevant on how people use the device every day.
 
Everything should focus on normal practice. This is not a normal practice...just like Lurkworm last week...Researchers try to show the WAY that an operating system can be infected, the way that's irrelevant on how people use the device every day.

Are you suggesting that Apple shouldn't worry about this or do anything about it?

My point is pretty clear - while it's not some major widespread issue - it should be plugged up. Especially given Apple's reputation and PR around security.
 
It's the side-loading that makes this so scary. Get a victim to any web page that serves up an App reference and provides an Install button and this could become messy very fast. Apple has made it too easy to install apps, bypassing the protected App Store channel.

The fact that just a bundle ID is used to identify and replace an installed app seems like a serious weakness to me. Why is iOS not verifying the *source host* of the app download? That seems like it would nip this problem in the bud.
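
The check this post asks for, pairing a bundle ID with the host it is downloaded from, sketched as an added example for a defender reviewing an over-the-air install manifest. It is not part of the original thread and does not describe how iOS itself behaves; the bundle ID, host names and trusted-source table are constructed assumptions.

```python
import plistlib
from urllib.parse import urlparse

# Constructed inventory (assumption): bundle IDs already installed on managed
# devices, mapped to the hosts each one is legitimately distributed from.
TRUSTED_SOURCES = {
    "com.example.timesheet": {"apps.corp.example"},
}

# Constructed manifest in the plist layout used for over-the-air installs.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>items</key><array><dict>
  <key>assets</key><array><dict>
    <key>kind</key><string>software-package</string>
    <key>url</key><string>https://updates.unknown.example/timesheet.ipa</string>
  </dict></array>
  <key>metadata</key><dict>
    <key>bundle-identifier</key><string>com.example.timesheet</string>
    <key>kind</key><string>software</string>
    <key>title</key><string>Timesheet update</string>
  </dict>
</dict></array></dict></plist>"""


def review_manifest(raw, trusted=TRUSTED_SOURCES):
    """Return (bundle_id, host, verdict) for every app package in a manifest."""
    findings = []
    for item in plistlib.loads(raw).get("items", []):
        bundle_id = item.get("metadata", {}).get("bundle-identifier", "")
        for asset in item.get("assets", []):
            if asset.get("kind") != "software-package":
                continue  # icons and other assets are not the app itself
            url = urlparse(asset.get("url", ""))
            host = (url.hostname or "").lower()
            if bundle_id not in trusted:
                verdict = "not-installed"      # no existing app would be replaced
            elif url.scheme == "https" and host in trusted[bundle_id]:
                verdict = "trusted-source"     # same ID, expected host
            else:
                verdict = "untrusted-source"   # same ID, unexpected host
            findings.append((bundle_id, host, verdict))
    return findings
```
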
 
Are you suggesting that Apple shouldn't worry about this or do anything about it?

My point is pretty clear - while it's not some major widespread issue - it should be plugged up. Especially given Apple's reputation and PR around security.

Absolutely! Do you think this is being addressed in 8.1.1?
 
I'm the same way, learned my lesson years ago with Windows about side loading or links from emails etc..:cool:

Google Gmail, is anyone surprised it's not secure at all?:eek:

Also, if I understand this correctly, the direct links, be it email or SMS, still have you download outside of the App Store? If that's correct, most smart people will not have a problem at all.:cool:

They are using gmail as an example. They could use anything else.

Also, yes it's outside of the app store, and you're aware every single company network makes their users download apps outside of it, right?
 
Something doesn't make sense here... Isn't this issue limited to jailbroken devices?

No, Apple introduced "app awareness" into any website which triggers the regular download and install process. However, it seems to work from any source, not just from Apple's own store. That's the scary part here and needs to be fixed asap.
 
Wouldn't you still be using only company approved Apps.?

Well that is the problem, thanks to the hole outsiders can send fake updates of enterprise apps to employees and perform industrial espionage and more.

This is a huge problem and Apple is unable to fix this in almost half a year. Unbelievable.
 
Absolutely! Do you think this is being addressed in 8.1.1?

I don't know. Historically (I believe) that even if it were - Apple wouldn't acknowledge it directly. Don't they usually just use a vague reference, ie "improves security" or something like that. They seem to have pretty standard/generic language.
 
Who installs apps from non official app stores?? I never did that even when I had an Android.

You'd be amazed how many people do things like that to get access to emulators, dodgy movie downloads, etc - a quick search through these forums will reveal quite a few threads about how wonderful it is to be able to download a "free" movie app direct from a pretty sketchy website.

It's amazing how the lure of something for nothing can still catch people out in 2014...
 
Seems you'd have to be pretty stupid to fall for all the things you'd need to fall for to make this work.

No... I can think of several people in my circles that would fall for this, because it's leveraging *official* mechanisms for installing apps. Because any web page can make a reference to an app, prompting the user to install that app instead of using a website, users could very easily fall victim to this.

What seems to be the loophole here, which should be easy for Apple to fix, is that the malicious app must be coming from the hacker's servers, not from Apple servers. Since Apple has a policy of enforcing apps only from the App Store, it makes sense that the source be verified. That doesn't seem to be happening, which is scary and a big boo-boo on Apple's part.
 
Apple better be reading this and take it seriously to patch ASAP. This doesn't make any sense since such hacks can only happen in the jailbreak community but now it has spread to non-jailbroken devices as well. I just deleted my Gmail app right after reading this post.
 
Enterprise.




Enterprise.

My best guess would be that those people installing apps through the Enterprise option, would already have a known distribution method, that doesn't require clicking a link to a 3rd party website. Or a SMS or email from an unknown person. But, that's just my thought...
 
So you can only get burned if you download an app from outside the app store right? Honestly, who does that?

More than you think - quite a few people download paid apps from third party app websites willingly themselves, especially since enterprise provisioning profiles allow the apps to be installed on any iDevice and doesn't therefore require a jailbreak.

It's an attractive thing to do for those who don't want to jailbreak their device but want to install paid apps or apps that are not available on the App Store. The downside is that it could sting you bad if you download from a dodgy source.

Most people are smart enough not to click on a dodgy SMS link from an unknown person but there are also many who actively choose to download from third-party websites.

The main point is that enterprise provisioning is being abused for malicious intent and many are unlocking a back door on their devices without them even knowing it. :|
 