iOS

Apple to present at Black Hat Security Conference for the first time

Black Hat Security Conference is underway at Ceasar's Palace in Las Vegas and Apple is planning to present for the first time in the event's fifteen-year history. Warming up to hackers, the iPhone maker dispatched Dallas De Atley, its Manager of the Platform Security team, to talk iOS security.

According to the conference agenda, De Atley will "discuss key security technologies in iOS" as "Apple designed the iOS platform with security at its core". Apple's decision to take part in the conference coincides with a few security breaches in its mobile and desktop operating systems that routinely make headlines in the press.

Some of the recent examples include the widely reported IAP exploit and Mac malware that prompted Apple to step up its game with the new Gatekeeper feature in OS X Mountain Lion, designed to only allow for approved, signed apps from the Mac App Store...

Russian hacker admits defeat in IAP breach

Alexey V. Borodin, the Russian hacker who made headlines with a tool which lets anyone steal extra content in apps, no jailbreak required, is admitting defeat following Apple's announcement that the in-app purchasing (IAP) exploit will be fixed in the shipping version of iOS 6 this fall.

In an unprecedented move, Apple gave developers access to a pair of private APIs in iOS, a temporary solution that effectively bypasses the hack. Borodin just publicly acknowledged that currently there is no way to circumvent Apple's band-aid fix in apps updated to take advantage of the private APIs...

Is Apple stepping up fight against IAP exploit with UDIDs?

A flaw in the in-app purchasing mechanism in iOS that a Russian hacker exposed last week by leveraging a proxy server which enabled $30,000+ in sales of extra content may soon become a thing of the past as Apple is reportedly looking to contain the exploit by issuing a unique identifier in validation receipts.

This identifier apparently includes the Unique Device Identifier (UDID) for the device making the in-app purchase. The development is indicative remembering that the company recently began rejecting third-party apps over use of UDIDs. Apple was also thought to be readying tools for developers to let apps figure out users without resorting to UDIDs...

Apple starts blocking Russian servers that authenticate in-app content for free

Making good on its promise, Apple has started to block Russian servers which authenticate paid in-app content for free, The Next Web reports. The company is blocking IP addresses that host the rogue in-appstore.com domain by issuing takedown notices to hosting companies. PayPal has also intervened to block a private account through which donations had been collected, citing violation of its terms of service.

Despite this, hacker Alexey V. Borodin, the brains behind this controversial method, has already moved the servers to another country in an attempt to evade Apple’s legal requests...

Russian hacker cracks iOS in-app purchasing, no jailbreak required

iOS in-app purchasing mechanism which lets you buy digital items in games, upgrade to full versions of apps and purchase additional content, has been cracked by a savvy Russian hacker who posted a proof of concept video, embedded below.

First noticed by Russian blog i-ekb.ru (via 9to5Mac), the hack is credited to Russian developer ZonD80 who runs the conveniently named In-AppStore.com website where he collects donations to support development of the project.

What's special about this method - and potentially devastating to the development community - is that it doesn't require a jailbreak and can be completed in a few simple steps by even the most inexperienced users. UPDATE: contrary to reports that Apple took the proxy site down, developer confirms it's simply under high load and says the info site is being moved to Blogger.

Surf the web in total privacy with Onion Browser

If a person wanted to browse the web discreetly on their iOS device, there are a number of ways to do so. For starters, there is the native 'Private Browsing' function in mobile Safari. And there dozens of third-party browsers available with similar features.

But if a person wanted to browse the web in an untraceable, highly-secure, super-stealth manner, they might have to turn to an app like Onion Browser. The software allows you to encrypt, block, and spoof your way to total anonymity on the web...

Apple prompting users to make their Apple ID accounts more secure

Have you recently received a notification on one of your iOS devices prompting you to confirm your Apple ID password? If so, you're not alone. Users have been flocking to Apple's support forums to report the suspicious popup.

No, it's not a phishing scam. Apple is trying to beef up its security. TheNextWeb is reporting that over the past 24 hours, the company has started prompting iOS device owners to make their accounts more secure...

How secure is your iCloud data?

To say that iCloud is a big deal for Apple is a bit of an understatement. The cloud-based storage and backup service was launched just 6 months ago, alongside the iPhone 4S and iOS 5, and has already garnered more than 100 million users.

But its quick rise in popularity and deep integration into Apple's software has led to one major question: how secure is it? Well the folks over at ArsTechnica recently spoke with some software security experts to find out...

Tweetbot developer confirms Apple is now rejecting apps over use of UDIDs

A report on Monday alleged Apple began rejecting third-party iOS apps that make use of Unique Device Identifiers (UDIDs). Today, developer Paul Haddad confirms that a new build of his Tweetbot app failed to pass Apple's requirements due to its use of UDIDs. Haddad received an email from the company that cites section 17.1 of the App Store Review Guidelines.

It states “apps cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used”.

With this app rejection, I think we can safely conclude that developers are now wise to drop UDIDs from their apps. Better late than never, if you ask me...

Apple begins rejecting apps that access UDIDs

Apple is beginning to reject app submissions which access a device's UDID, according to a report by Mashable.

You just can't beat a good privacy scare, and the one surrounding the use of UDIDs, or Unique Device Identifiers is the current biggie. Used by developers and advertising companies, UDIDs allow tracking of individual devices which has the privacy conscious up in arms.

With Apple now reportedly rejecting apps that use UDIDs, developers, ad. agencies and anyone else who may legitimately use UDIDs will need to re-write their apps to remove the feature...

Safari exploit that allows URL spoofing discovered in iOS 5.1

Although iOS is considered to be one of the safest mobile operating systems on the market, it's not perfect. This is something that those of us in the jailbreak community know all too well.

With that in mind, it's not terribly surprising that another security bug has recently been discovered in Apple's software. Reports are surfacing today that an exploit has been found inside mobile Safari...

Apple’s cheapest iOS device might also be the most secure

All things considered, it's been a pretty good weekend for the jailbreak community. Not only have hackers managed to find multiple exploits for the new iPad (within 24 hours no less), but we've even seen proof of an untethered jailbreak.

It gets better. Word is that the work that is being done on Apple's new tablet will also apply to older devices on iOS 5.1, except perhaps the new Apple TV. Apparently, the least expensive iOS device also happens to be the most secure...