[Dailydave] iPhone Security

Kristian Erik Hermansen kristian.hermansen at gmail.com
Tue Sep 13 16:24:02 EDT 2016


Thanks to Apple for finally fixing the issues today with the latest
updates and not crediting where credit is due. And, you should really
update to get the patches just released...

"CVE-2016-4741: Description: An issue existed in iOS updates, which
did not properly secure user communications. This issue was addressed
by using HTTPS for software updates."

On Tue, Jan 5, 2016 at 12:53 PM, Kristian Erik Hermansen
<kristian.hermansen at gmail.com> wrote:
> On Tue, Jan 5, 2016 at 8:31 AM, Dave Aitel <dave at immunityinc.com> wrote:
>> http://immunityproducts.blogspot.com/2016/01/the-danger-of-other-on-iphone.html
>
> The TL;DR version is that the mail client is not validating the
> SSL/TLS certificate. In older versions of iOS, when testing, I felt
> this was a weak area of the platform. I notified Apple Security of the
> issue, but received no response from them about it. However, in later
> versions of iOS 8/9 (?) a new option / enforcement was added to the
> platform for certificate validation. I never trusted Apple would
> completely fix this, or they may have a regression, so I was wary of
> utilizing it. Since you need to put in your Google creds for Contacts
> (and for calendar before Google released a standalone Calendar app in
> 2015), that was something I would only enable like once a month while
> on trusted wifi to sync new contacts. In any event, there are tons of
> outstanding issues on Apple's platforms that have weaknesses that I
> have reported and go unfixed. Here is a short list of other things
> that smell dangerous too and remain unfixed last I checked...
>
> * Apple App Store connections do not utilize HTTPS
> * Apple App Store leverages a lot of XML (hint hint)
> * Privileged network-positioned attackers (NSA?) can uniquely track
> Apple iOS clients by injecting HTTP headers and getting them cached
> client-side, or utilize other client sniffing tricks
> * Updates for Apple platform and apps come over HTTP, but do you
> really trust the in-line digital signatures over HTTP against nation
> states?
> * Apple OS X printer drivers (like HP) are distributed over HTTP
> links, without encryption, and install without any Apple binary
> signature (inject your OS backdoors here into the kernel via the ZIP
> file stream in transit)
> * Numerous other Apple OS X components, distributed apps, drivers, and
> sometimes other components are distributed without being signed /
> attributed to Apple (untrusted).
> * Apple Maps API data wasn't encrypted, last I checked
>
> I could keep going...here are some links and descriptions...
>
> * Apple Maps on iOS Leaks All Geo Data over HTTP without Encryption
>
> http://gspe19.ls.apple.com/tile.vf
>
> * Apple iOS crypto libraries don't support strong ciphers > 128bits
>
> * iOS Allows Invalid Profile Cryptographic Keys to be Installed
>
> Open the following links in Safari:
>
> http://iapnupdatetfdata.straighttalk.com
>
> http://iapnupdateatt.straighttalk.com
>
> * Numerous Apple updates / downloads over insecure HTTP:
>
> http://mesu.apple.com/assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml
>
> http://download.info.apple.com/Apple_Support_Area/
>
> http://supportdownload.apple.com/download.info.apple.com/Apple_Support_Area/Apple_Software_Updates/Mac_OS_X/downloads/031-3384.20140211.Xcc3e/BootCamp5.1.5621.zip
>
> http://support.apple.com/downloads/DL907/en_US/hpprinterdriver3.1.dmg
>
> http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=22512&cat=33&platform=osx&method=sa/TextTranslator.zip
>
> --
> Regards,
>
> Kristian Erik Hermansen
> https://www.linkedin.com/in/kristianhermansen



-- 
Regards,

Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen
https://profiles.google.com/kristian.hermansen
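
An added example, not part of the original message and not Apple or Dailydave code: one way for a defender to find, in web-proxy logs, the kind of cleartext update, manifest and driver downloads listed in the quoted message. The log format, the extension lists and the sample lines are assumptions constructed for illustration; two of the sample URLs are taken from the list above.

```python
from urllib.parse import urlsplit
import posixpath

# Assumed extension lists: content that gets installed, or that steers an updater.
INSTALLABLE = {".dmg", ".pkg", ".zip", ".ipsw", ".mobileconfig"}
MANIFEST = {".xml", ".plist"}

# Constructed proxy-log lines; assumed format: "<client> <method> <url> <status>".
SAMPLE_LOG = """\
10.0.0.21 GET http://support.apple.com/downloads/DL907/en_US/hpprinterdriver3.1.dmg 200
10.0.0.21 GET http://mesu.apple.com/assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml 200
10.0.0.34 CONNECT support.apple.com:443 200
10.0.0.34 GET http://example.test/index.html 200
10.0.0.40 GET HTTP://Example.test/tools/Driver.ZIP?mirror=2 200
malformed line
"""

def classify(url):
    """Return 'installable', 'manifest' or None for a cleartext http:// URL."""
    parts = urlsplit(url)          # urlsplit lowercases the scheme for us
    if parts.scheme != "http":     # https and anything else is out of scope
        return None
    # Look only at the path, so query strings do not hide the extension.
    ext = posixpath.splitext(parts.path)[1].lower()
    if ext in INSTALLABLE:
        return "installable"
    if ext in MANIFEST:
        return "manifest"
    return None

def find_cleartext_fetches(log_text):
    """Return (client, kind, host, status) for each flagged GET request."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        # Skip malformed lines and CONNECT tunnels (TLS, URL not visible).
        if len(fields) != 4 or fields[1] != "GET":
            continue
        client, _, url, status = fields
        kind = classify(url)
        if kind:
            findings.append((client, kind, urlsplit(url).hostname, status))
    return findings

if __name__ == "__main__":
    for finding in find_cleartext_fetches(SAMPLE_LOG):
        print(*finding)
```
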
