Apple Apps Store Security Issues

RusliRusli Posts: 991 Adventurer

Apple patches Apple  Apps Store Security Issues. Why take them so long to figure this out! When many users are affected!

 

http://news.cnet.com/8301-1009_3-57573334-83/apple-finally-fixes-app-store-flaw-by-turning-on-encryption/

 

Apple finally fixes App Store flaw by turning on encryption

Company moves to protect its iOS customers from security and privacy attacks over Wi-Fi by turning on encryption, at least half a year after being alerted to the problem

 

Apple has finally fixed a security flaw in its application storethat for years has allowed attackers to steal passwords and install unwanted or extremely expensive applications.

The flaw arose because Apple neglected to use encryption when an iPhone or other mobile device tries to connect to the App Store, meaning an attacker can hijack the connection. In addition to a security flaw, the unencrypted connections also created a privacy vulnerability because the complete list of applications installed on the device are disclosed over Wi-Fi.

It also allows the installation of apps, including extremely expensive ones that top out at $999.99, without the user's consent, which can create serious consequences because Apple doesn't give refunds. To do this, an attacker needs to be on the same private or public Wi-Fi network, including, for example, a coffeeshop, hotel, or airport network.

Security researcher Elie Bursztein discovered the vulnerability and reported it to Apple last July. Apple fixed the problem in a recent update that said "content is now served over HTTPS by default." Apple also thanked Bernhard Brehm of Recurity An Apple representative declined to respond to questions from CNET this morning, including a query about why it took so long to fix this particular vulnerability.

Bursztein, who works at Google, in Mountain View, Calif., but emphasized this was work done at home in his spare time, published a personal blog post today that described details about the App Store vulnerability and included videos of how an attacker was able to steal passwords or install unwanted apps.

Publicizing this flaw, Bursztein said, highlighted how necessary encrypted HTTPS connections were. "Many companies don't realize that HTTPS is important for mobile apps," he said. But if they rely on Web connections or Webviews, he added, they are vulnerable to attacks: "Providing a concrete example seems a good way to attract developer attention to the issue."

As a postdoctoral researcher at Stanford University, Bursztein published research that included demonstrating flaws in Captchas and the Web interfaces of embedded devices. At the Defcon conference in Las Vegas two years ago, he demonstrated how to bypass Windows' built-in encryption that Web browsers, instant messaging clients, and other programs used to store user passwords.

Bursztein's blog post comes a day after Apple's marketing chief, Phil Schiller, took a security-related swipe at Google on Twitter by pointing to a report on the rise of Android malware

Comments

  • RusliRusli Posts: 991 Adventurer

    Well. Android have malwares.

     

    That's true. 99 percent of it.

     

    When Apple starts to transition to ARM CPU for their Macbook Airs, Macbook Pros, iMac, etc.

     

    They are going to dump Intel. That's for sure!

     

    Yes, Android is using ARM CPU.

     

    What makes Apple think that Malware will not affect Apple running ARM CPU???

     

    With their next Mac OS 11!

     

    Creating malwares with ARM CPU is already proof with Android.

     

    And time will come that Mac OS will get infected as well.

     

    Never??? Don't be too confident Apple. Only time will tell!

     

    Malware will be easily ported to Mac OS 11. If not carefull.

     

    See news below:-

     

    http://www.theregister.co.uk/2013/03/07/apple_said_to_be_in_chibaking_talks_with_intel/

     

    http://www.tomshardware.com/news/Foundry-manufacturing-Apple-Intel-14nm,21400.html

     

    http://www.macrumors.com/2011/05/27/apple-testing-an-arm-a5-powered-macbook-air/

     

    http://en.wikipedia.org/wiki/ARM_architecture

     

    Apple Apps Store Malware is already exists!!!

     

    http://www.theinquirer.net/inquirer/news/2189908/apple-app-store-malware-kaspersky

     

    http://www.infosecurity-magazine.com/view/29908/2013-mobile-exploit-kits-apple-app-store-malware-cyberwar-top-the-threatscape/

     

    2013: Mobile exploit kits, Apple App Store malware, cyberwar top the threatscape

    18 December 2012

    With many of the same cyberthreats expected to play out in 2013 as during 2012 (think government-sponsored attacks, hacktivism and open-source hacks against Wordpress, Joomla and Drupal), Websense Security Labs expects some new wrinkles in the threatscape, including mobile exploit kits and sandbox/virtual environment avoidance.

    “The past year illustrated how quickly the threat landscape continues to evolve, with attacks and exploits redefining the concepts of crime, business espionage and warfare,” said Charles Renert, vice president of Websense Security Labs. “The risk to organizations continues to be amplified by the frailty of human curiosity. It’s now expanding across diverse mobile platforms, evolving content management systems and an ever-increasing population of online users.”

    Leading the firm’s predictions is an expectation that cross-platform threats will now involve mobile devices. “The coming year will bring exploit kits for mobile devices,” Websense noted. “When a smartphone visits a website, the malware will be able to identify the operating system and device (Android, iOS and Windows 8) and deliver specific malware to the smartphone or tablet.”
    The top three mobile platforms cybercriminals will target the most are Windows 8, Android and iOS, with threats to Microsoft mobile devices seeing the highest rate of growth, it predicts.

    “Cybercriminals are similar to legitimate application developers in that they focus on the most profitable platforms,” Websense said. “As development barriers are removed, mobile threats will be able to leverage a huge library of shared code. Attacks will also continue to increasingly use social engineering lures to capture user credentials on mobile devices.”

    2013 will also see the rise of legitimate mobile apps stores hosting more malware as malicious apps will increasingly slip through validation processes. Websense predicts that hackers may even take on Apple’s rigid vetting process for applications, and that code writers will get savvy enough to evade Apple’s detection.

    “And, we may even see an increase of good applications behaving badly, by collecting large amounts of data (that the user has approved),” it added. “This data will either be hacked from the developer’s systems or transmitted directly to cybercriminals to distribute malicious wares on a mass scale.”

    This all will continue to pose risks to organizations enabling bring your own device (BYOD) policies. In addition, jail-broken/rooted devices and non-sanctioned app stores will pose significant risk to enterprises as more allow BYOD.

    Another new threat will be the efforts of hackers to work their way around virtual environments and sandboxes. More organizations are utilizing virtual machine defenses to test for malware and threats. As a result, attackers are taking new steps to avoid detection by recognizing virtual machine environments. Some potential methods will attempt to identify a security sandbox, just as past attacks targeted specific AV engines and turned them off.

    Threats will evolve to more frequently and more readily tell if they are in a sandbox environment, so they can hide until someone lets them into the network. Examples of this are already being seen, most notably Trojan Upclicker, which ties itself to mouse strokes to avoid detection and is deployed when a user left-clicks.

    In terms of ongoing threats, Websense suspects that government-sponsored attacks will increase. “We will see new and smaller government cyber-warfare players, and a shift from military and national security objectives to economic, business and local civic targets,” it noted.

    In the wake of several publicized cyber-warfare events, there are a number of contributing factors that will drive more countries toward these strategies and tactics. While the effort to become another nuclear superpower may be insurmountable, almost any country can draft the talent and resources to craft cyber-weapons. Countries and individual cybercriminals all have access to the blueprints for previous state-sponsored attacks like Stuxnet, Flame and Shamoon.

    Meanwhile, there is no doubt hacktivists gained confidence and momentum in 2012. Driven by highly publicized hacktivist events in recent years, organizations have deployed increasingly better detection and prevention policies, solutions and strategies. Hacktivists will move to the next level by increasing their sophistication.
    Also in 2012, vulnerabilities in Wordpress and other platforms have frequently been exploited with mass compromises. As other content management systems (CMS) and service platforms increase in popularity, the bad guys will routinely test the integrity of these systems in 2013. Attacks will continue to exploit legitimate web platforms, requiring CMS administrators to pay greater attention to updates, patches and other security measures. Cybercriminals compromise these platforms to host their malware, infect users and invade organizations to steal data.

    And finally, Websense suspects that timed and targeted spear-phishing email attacks, along with an increase in malicious email attachments, are providing new opportunities for cybercrime. “Malicious email will make a comeback,” it said. “Domain generation algorithms will also bypass current security to increase the effectiveness of targeted attacks.”
    All of this will drive businesses to up their game when it comes to prevention measures. “2013 will absolutely reinforce the fact that traditional security measures are no longer effective in thwarting advanced cyber-attacks,” said Renert. “Organizations and security providers need to evolve toward more proactive real-time defenses that stop advanced threats and data theft.”

     

     

This discussion has been closed.