iOS

Major security flaws leave iOS and OS X vulnerable to wide ranging password theft

Your confidential information ranging from web passwords in Chrome and other browsers to app passwords to banking credentials stored and synced between devices though Apple's iCloud Keychain service—even data you thought was stored safely in password managers like 1Password and LastPass—can be easily compromised due to a trio of major vulnerabilities discovered in Apple's desktop and mobile operating systems.

As discovered by a team of researchers at Indiana University, Georgia Tech and China's Peking University and reported by The Register, Keychain's access control lists, URL schemes and OS X's app containers contain flaws creating serious attack vectors.

IneffectivePower and Unicode Suppressor will protect jailbroken devices from the “effective power” Messages bug

There is a new bug in iOS that resprings most peoples phones due to a low memory crash. It is caused by iOS's inability to render certain strings of Arabic characters which overloads the memory, causing resprings and reboots or safe mode on a jailbroken device. Simply explained, when someone messages you those characters and you get a banner notification, your phone starts kicking the bucket.

A few developers have stepped in and saved the day for jailbreakers. This isn't the first or second time the jailbreak community receives a security fix quicker than Apple is able to push one to stock devices. It's a great example of the argument that jailbroken iOS, in the right hands, can be more secure than stock.

Apple issues updates for OS X, iOS and Apple TV to address ‘FREAK’ attack

Apple on Monday issued a security update for OS X to address a handful of vulnerabilities, including the high profile SSL flaw known as "FREAK." Spotlighted last week, the bug allows would-be attackers to spy on communications made through Safari.

More specifically, FREAK stands for Factoring RSA Export Keys, and it affects certain embodiments of web encryption technologies SSL and TLS. If used maliciously, the flaw could leave systems open to what are known as man-in-the-middle attacks.

Apple confirms ‘FREAK Attack’ patch for iOS and OS X due next week

A new exploit dubbed ‘FREAK Attack’ — which stands for “Factoring attack on RSA-EXPORT Keys” — that takes advantage of a security flaw dating back to the 1990s will be patched soon by Apple.

As we speak, the iPhone maker is readying a fix in iOS and OS X that will be available in software updates next week, a spokesperson for the Cupertino firm told iMore.

Plagued by this security flaw, users of Mac, iPhone, iPad, iPod touch and Android devices are at risk when visiting vulnerable websites that downgrade a secure HTTPS connection to a weaker encryption method.

Poll: should Apple add multi-user access to iOS?

Yesterday, I stumbled upon an intriguing post over at The Loop which I felt raised a valid point about multi-user access in iOS, or the lack of.

It's especially relevant in light of the fact that Android Lollipop enables multi-user support on phones.

Tablets, of course, have had this for nearly three years with Jelly Bean and up. Now, adding the ability to share your iPhone or iPad with someone else isn't as trivial as it may appear at first sight as there are many technical hurdles to overcome.

On the other hand, can anyone imagine Apple not working on solving this pain point for its users? I mean, OS X supports multiple user accounts by design and iOS is basically a slimmed down version of OS X.

Anyways, is multi-user access one of those features the company should prioritize for the next major refresh of iOS, do you think?

Elcomsoft’s Phone Breaker can now help access iCloud data protected with 2-step verification

Moscow-based Elcomsoft, which produces a mobile forensic tool used by law enforcement around the world to gain access to a suspect's iOS devices, has updated its Phone Breaker application which now makes it easier to bypass Apple's two-step verification for Apple ID accounts in order to access underlying iCloud data, Engadget reported Thursday.

Not only does this include iWork documents stored in iCloud, but also data in third-party apps such as WhatsApp communications, 1Password password databases — even user dictionaries that may contain secret words and phrases — provided a user has enabled the app in question to sync data with iCloud.

Although hackers still need both your Apple ID username/password and a two-factor code sent to your trusted device (or a digital token stolen from your computer), once they do gain access to your account Phone Breaker can then create a digital token granting them permanent access to iCloud data, no two-step verification code needed — until you change your Apple ID password, that is.

Chinese authorities shut down WireLurker site, suspects arrested

Chinese authorities arrested three individuals last Friday that are believed to have developed the "WireLurker" malware, according to a police post on Sina Weibo. The authorities were tipped off by Chinese security company Qihoo 360 technology. Additionally, the post says that authorities have also identified and shut down the website that was hosting and distributing the malware.

Apple issues statement on Masque Attack, says it’s not aware of any affected users

Apple tonight broke its silence regarding Masque Attack, a recently discovered vulnerability in iOS. In a statement to iMore, the company says it encourages customers to only download apps from trusted sources and that it's not currently aware of any users affected by the exploit.

Research security FireEye announced its discovery of Masque Attack on Monday. The malware installs itself through a phishing link disguised as a new app or game, and then masquerades as a legitimate app. Once installed, it can access login credentials, credit card info and more.

iOS security flaw could lure unsuspecting users into installing dangerous malware

A new security exploit discovered in Apple's mobile operating system allows attackers to fool unsuspecting users into installing malicious iPhone and iPad apps disguised as new versions of popular apps and games such as Gmail, Angry Birds and more.

Instances of malicious apps with such deceiving names as “New Angry Bird”, “New Flappy Bird” and others were mentioned Monday in a report by mobile security research firm FireEye.

Apple now blocking apps infected with WireLurker malware

Apple released a statement today saying that it is aware of the newly discovered WireLurker malware that targets Macs and iOS devices, and it has taken action. "We’ve blocked the identified apps to prevent them from launching," a spokesman for the company told the Wall Street Journal.

Yesterday security researchers at Palo Alto Networks published a report saying they had discovered a new malware targeting Macs and iOS that is the “biggest in scale” it has ever seen. They named the malware "WireLurker" for its ability to jump from infected Macs to iOS devices over USB.

New malware ‘WireLurker’ found infecting Macs and iOS devices in China

Security researchers at Palo Alto Networks say they've uncovered a new malware campaign targeting Macs and iOS that is the "biggest in scale" it has ever seen. Dubbed WireLurker, the malware has infected more than 400 apps in the Maiyadi App Store, a third-party Mac app store in China.

In the last six months, researchers say 467 infected applications have been downloaded 356,104 times, and “may have impacted hundreds of thousands of users.” The scary part is, the malware can be transmitted to a connected iOS device via USB, regardless of whether or not it's jailbroken.

Meet Xsser mRAT, Chinese trojan that steals treasure trove of info from jailbroken iOS devices

There's a new trojan in town, one that attacks jailbroken iPhone, iPod touch and iPad devices.

As discovered by Lacoon, the malicious software dubbed Xsser mRAT uses social engineering to steal valuable data from jailbroken devices by fooling unsuspecting users to tap on an install link in phishing messages from unknown senders.

Created by Chinese hackers, it can extract a vast range of personal information including your iOS address book, SMS messages, call logs, GSM identities, your approximate geographical location (as determined by the cell tower ID), on-device pictures, as well as passwords and other authentication data in the iOS keychains used by your Apple ID, mail accounts and other services.