Security

iOS 6.0 gets US federal government's security stamp of approval

By Derek Kessler, Tuesday, May 7, 2013 a 3:42 pm

Since the dawn of time, BlackBerry smartphones have been the mobile communicator of choice for the United States federal government. The federal National Institute of Standards and Technology has been approving hardware and software to meet the FIPS (Federal Information Processing Standard) since 1995, and today iOS 6.0 was granted FIPS 140-2 certification. Specifically, the iOS CryptoCore Kernel Module 3.0 was assured to to meet the security requirements of the government.

iOS app flagged for malware, and why you shouldn't worry

By Nick Arnott, Thursday, May 2, 2013 a 8:18 pm

An iOS game called Simply Find It, when run through BitDefender’s virus scanner, reportedly returns a positive result for Trojan.JS.iframe.BKD. This has drawn into question the effectiveness of Apple’s App Store approval process. Is this something that Apple should have caught, and is it something App Store customers should be worried about?

The Mailbox security failure that wasn’t

By Nick Arnott, Monday, Apr 29, 2013 a 9:38 pm

A few days ago it was reported that the popular Mailbox app was falling short on protecting user data. Developer Subhransu Behera published a post on his blog outlining what he considered to be security failures on the part of Mailbox.

Apple declines to fix vulnerability in Safari's Web Archive files, likely because it requires user action to exploit

By Nick Arnott, Sunday, Apr 28, 2013 a 9:48 am

Metasploit software developer Joe Vennix has detailed a vulnerability in Safari’s webarchive file format along with how it can be exploited. The post on Rapid7 indicates that after being reported to Apple back in February, the bug was closed last month with a status of “wontfix”, indicating that Apple has no plans to address the bug. So what is it and why is that?

Security vs. convenience: How do you balance your passwords?

By Rene Ritchie, Saturday, Apr 6, 2013 a 11:10 am

Security is at constant war with convenience. The stronger the passwords we use to keep our data safe, the more steps we take to lock down what we own, the less accessible our data and our devices become -- even to us. Balancing it all can be tough, and a lot depends on what the platforms and services we use do to help us. And nowhere is this more evident than mobile.

Multitouch keyboards, in large part, rely on things like like character pair prediction and auto-correct to make entry acceptable. Neither of those things are possible with passwords, and strong passwords require far higher than normal frequencies of shifting between upper and lower case, and between letters and numbers and symbols. It's the worst possible experience.

What the DEA really said about iMessages, and what it means to you

By Nick Arnott, Friday, Apr 5, 2013 a 2:32 pm

It was recently reported that iMessage had caused a snag in the Drug Enforcement Administration’s ability to intercept text messages. Citing iMessage’s end-to-end encryption as the cause, the DEA stated that "iMessages between two Apple devices are considered encrypted communication and cannot be intercepted, regardless of the cell phone service provider." On the surface, this seems reassuring to iMessage users that their conversations can’t be intercepted. But is it possible that we’re giving a little too much credit to the DEA when they say iMessages are “impossible to intercept”?

Anatomy of the Apple ID password reset exploit

By Nick Arnott, Saturday, Mar 23, 2013 a 2:49 pm

When The Verge broke news of Apple’s password reset vulnerability, they cited a step-by-step guide that detailed the process of exploiting the service. They declined to link to the source for security reasons, and rightfully so. However, now that Apple has closed the security hole the topic of how it worked and why is worth exploring.

Newly discovered security hole lets attacker reset your Apple ID with only your birthday and email address

By Nick Arnott, Friday, Mar 22, 2013 a 4:13 pm

Arriving right on the coat tails of Apple’s two-step verification implementation, a new security flaw has been found in Apple’s password reset process for Apple IDs. The vulnerability allows an attacker to reset your Apple ID’s password with only the knowledge of your Apple ID and date of birth, completely bypassing the need to answer your security questions. The Verge first reported the vulnerability after being tipped off to the hack.

Configuration profile warning reminds us not to carelessly tap and install things on our iPhones and iPads

By Rene Ritchie, Wednesday, Mar 13, 2013 a 11:06 am

Configuration profiles can be installed on the iPhone, iPod touch, or iPad in order to allow ad hoc (beta) apps to run, to help Apple diagnose things like battery life problems, and to change settings for certain types of network access, among other things. Unfortunately, like many empowered conveniences, they bring with them theoretical security concerns. Namely, bad guys could make a malicious profile and try to trick us into installing it so they can do us harm. Skycure -- a security vendor, keep in mind -- reports:

Apple turns on HTTPS for the App Store, closes numerous security vulnerabilities

By Nick Arnott, Monday, Mar 11, 2013 a 6:04 pm

Some great work by Google researcher Dr. Elie Brusztein has led to Apple increasing security on its iOS App Store. Last July, Elie reported a number of vulnerabilities in the App Store to Apple. As of January, they have been fixed. It appears that certain areas of the App Store were not using HTTPS, and as a result, it was possible for attackers to execute a number of different exploits on users.