Russian security researcher Vladimir Katalov gave a talk last week at Hack in the Box security conference detailing his findings on Apple's iCloud protocols. Katalov's research highlights several shortcomings in iCloud's security model, including the fact that iCloud data is not protected by the two-step verification system Apple rolled out earlier this year.
Last week, researchers from QuarksLab gave a presentation at HITBSecConf2013 on the security of iMessage. The researchers sought to investigate claims made by Apple that nobody but the sender and receiver could read iMessage data thanks to their use of end-to-end encryption. While the researchers discovered that they were able to intercept and decrypt iMessages, Apple was quick to respond insisting iMessages infrastructure is not set up for that type of interception. So which is it? Is iMessage secure or not?
Earlier this year we reviewed a promising runtime inspector for iOS apps called Reveal. While Reveal has been available as a beta for months, the makers, Itty Bitty Apps, have now released a complete version 1.0 of the app.
As with nearly all software updates from Apple, iOS 7 brought with it a large number of security updates for users. Ranging from entirely new features all the way down to minor tweaks and enhancements, there's a lot to discuss when it comes to iOS 7 security. iMore's editor-in-chief Rene Ritchie briefly touched on most of the changes in his iOS 7 review, but I thought it would be fun to take a closer look.
Over the weekend, Apple's Bug Reporter website saw a short-lived facelift. Developers were treated to a visually overhauled website on Saturday, but it seems to have been reverted to its old, archaic predecessor sometime Sunday. If you missed it, you weren't alone. Here's what seems to have happened...
Update: The redesign has reappeared. If you're a developer and you've checked it out, let us know what you think!
Apple recently updated their Web Server notifications page with several new acknowledgements to people who discovered and reported security vulnerabilities in Apple's servers. Among the discoveries acknowledged seems to be the vulnerability that was responsible for Apple's Developer Portal's eight-day outage. The notifications page shows a remote code execution vulnerability being reported on July 18th, the same day that Apple took the developer site down.
Today researchers Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee from Georgia Tech gave a talk at the 22nd USENIX Security Symposium and revealed the details of how they got a so-called "Jekyll app" through the App Store approval process and into a position where it could perform malicious tasks. Their methods highlight several challenges to the effectiveness of Apple's App Store review process as well as to security in iOS. The researchers immediately pulled their app from the App Store after downloading it to their test devices, but demonstrated techniques that could be used by others to also sneak malware past Apple's reviewers.
The details of Apple's app review process are not publicly known, but aside from a few notable exceptions it has been largely successful in keeping malware away from iOS devices. The basic premise of a Jekyll app is to submit a seemingly harmless app to Apple for approval that, once published to the App Store, can be exploited to exhibit malicious behavior. The concept is fairly straightforward, but let's dig in to the details.
Tielei Wang and his team of researchers at Georgia Tech have discovered a method for getting malicious iOS apps past Apple's App Store review process. The team created a "Jekyll app" that seemed harmless at first, but after making it into the App Store and onto devices, is able to have its code rearranged in order to perform potentially malicious tasks.
In June we heard about Mactans, a malicious iPhone charger created by three security researchers from the Georgia Institute of Technology. This week the researchers presented their findings at Black Hat, an annual hacker convention in Las Vegas, and Apple officially responded to them. Here's the deal...
A new Apple Knowledge Base article details steps that people can take to report spam iMessages. If you receive an unwanted iMessage, you can report it to firstname.lastname@example.org by sending a screenshot of the message, the sender's email address or phone number, and the date and time that the message was received.
So far this year, Apple customers have been exposed to an increased number of phishing attempts according to a study done by Kaspersky Labs. The study shows a greatly increased number of phishing emails purporting to come from Apple in the first five months of this year when compared to the number of Apple-related phishing attempts detected in 2011. More specifically, Kaspersky seems to be looking at the number of attempts to access phishing sites that have been blocked by their products.
Apple has pushed out an update to their Developer Portal maintenance page to give developers some additional information about the current status of things in the wake of their security breach. The update announces the order in which developers can expect services and functionality to be restored.
Ibrahim Balic received a lot of attention recently after claiming he may be the person responsible for Apple's ongoing Developer Portal outage. With no further communication or corroboration from Apple, people are still trying to get a clear picture as to exactly what happened last Thursday that prompted Apple to take the site down, and if Balic's actions are truly the cause. In order to get a better handle on what may or may not have happened, and his potential role in it, I communicated with Balic yesterday and asked him a series of questions. Here's what I found out:
Following just days after Tango's servers were compromised, the Syrian Electronic Army (SEA) has hacked another calling and messaging service, Viber. E Hacking News is reporting that this time SEA was able to acquire a partial database backup containing phone numbers, UDIDs (Viber-generated, not Apple UDIDs) and IP addresses, among other user information for some of Viber's more than 200 million subscribers.
At this year's Black Hat USA security conference cryptographer and security researcher Karsten Nohl will be presenting his findings on SIM card insecurities. While Nohl's research revealed that about one-quarter of the tested SIM cards were vulnerable to an attack that exploits an outdated encryption standard, it's unclear at this point exactly who should be worried.
Last week San Francisco District Attorney George Gascón and New York Attorney General Eric T. Schneiderman announced they would be putting Apple's recently announced Activation Lock feature to the test. Details of the tests remain private, but for now Gascón is saying that "clear improvements" have been made.