Apple pushes the idea that they tightly manage devices & control what software the user can install in the interest of security. Then they overlook something as simple & fundamental as this!
http://arstechnica.com/security/2013/03/after-leaving-users-exposed-apple-finally-https-protects-ios-app-store/ / password attack Apple didn't fully encrypt traffic between App Store end users iOS customers open to attack because engineers failed implement standard technology encrypt encrypted encrypts traffic between handsets App Store HTTPS encrypted communications prevent attackers from intercepting manipulating sensitive traffic sent online banks merchants native iOS app connects Apple's App Store fully deployed the protection Elie Bursztein Google researcher discovered security hole blog post reported various iOS flaws Apple's security post gave no indication that the iOS app had ever fully used HTTPS significant omission has been present for years Apple doesn't comment on security matters impossible for Ars confirm precise timeline level protection readers know HTTPS basic security measure almost as old as the Web ensures that traffic traveling between end-user webserver encrypted prevent prevents connection between the two endpoints from listening in. HTTPS cryptographic assurance server answering calls itunes.apple.com truly impostor Google Facebook Twitter end to end end-to-end HTTPS harder attackers exploits bypass customers using iOS app unnecessary risk iPhone iPad download an app unsecured Wi-Fi connection attackers connected same network freely available tools social-engineering trick retrieve passwords log-in credentials fake App Stores issue fake apps upgrades Apple legit legitimate fix fixing vulnerabilities iOS App Store fake upgrade attack Paul Ducklin, a researcher at antivirus provider Sophos, has more here on why HTTPS protection for the App Store is crucial /
No comments:
Post a Comment