Dailydave mailing list archives
Re: iPhone Security
From: Kristian Erik Hermansen <kristian.hermansen () gmail com>
Date: Tue, 13 Sep 2016 13:24:02 -0700
Thanks to Apple for finally fixing the issues today with latest updates and not crediting where credit is due. And, you should really update to get the patches just released...

"CVE-2016-4741: Description: An issue existed in iOS updates, which did not properly secure user communications. This issue was addressed by using HTTPS for software updates."

On Tue, Jan 5, 2016 at 12:53 PM, Kristian Erik Hermansen <kristian.hermansen () gmail com> wrote:
> On Tue, Jan 5, 2016 at 8:31 AM, Dave Aitel <dave () immunityinc com> wrote:
> http://immunityproducts.blogspot.com/2016/01/the-danger-of-other-on-iphone.html
> The TL;DR version is that the mail client is not validating the SSL/TLS certificate.
>
> In older versions of iOS, when testing, I felt this was a weak area of the platform. I notified Apple Security of the issue, but received no response from them about it. However, in later versions of iOS 8/9 (?) a new option / enforcement was added to the platform for certificate validation. I never trusted Apple would completely fix this, or they may have a regression, so I was wary of utilizing it. Since you need to put in your Google creds for Contacts (and for calendar before Google released a standalone Calendar app in 2015), that was something I would only enable like once a month while on trusted wifi to sync new contacts.
>
> In any event, there are tons of outstanding issues on Apple's platforms that have weaknesses that I have reported and go unfixed. Here is a short list of other things that smell dangerous too and remain unfixed last I checked...
>
> * Apple App Store connections do not utilize HTTPS
> * Apple App Store leverages a lot of XML (hint hint)
> * Privileged network-positioned attackers (NSA?) can uniquely track Apple iOS clients by injecting HTTP headers and getting them cached client-side, or utilize other client sniffing tricks
> * Updates for Apple platform and apps come over HTTP, but do you really trust the in-line digital signatures over HTTP against nation states?
> * Apple OS X printer drivers (like HP) are distributed over HTTP links, without encryption, and install without any Apple binary signature (inject your OS backdoors here into the kernel via the ZIP file stream in transit)
> * Numerous other Apple OS X components, distributed apps, drivers, and sometimes other components are distributed without being signed / attributed to Apple (untrusted).
> * Apple Maps API data wasn't encrypted, last I checked
>
> I could keep going...here are some links and descriptions...
>
> * Apple Maps on iOS Leaks All Geo Data over HTTP without Encryption
>   http://gspe19.ls.apple.com/tile.vf
> * Apple iOS crypto libraries don't support strong ciphers > 128bits
> * iOS Allows Invalid Profile Cryptographic Keys to be Installed
>   Open the following links in Safari:
>   http://iapnupdatetfdata.straighttalk.com
>   http://iapnupdateatt.straighttalk.com
> * Numerous Apple updates / downloads over insecure HTTP:
>   http://mesu.apple.com/assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml
>   http://download.info.apple.com/Apple_Support_Area/
>   http://supportdownload.apple.com/download.info.apple.com/Apple_Support_Area/Apple_Software_Updates/Mac_OS_X/downloads/031-3384.20140211.Xcc3e/BootCamp5.1.5621.zip
>   http://support.apple.com/downloads/DL907/en_US/hpprinterdriver3.1.dmg
>   http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=22512&cat=33&platform=osx&method=sa/TextTranslator.zip
>
> --
> Regards,
> Kristian Erik Hermansen
> https://www.linkedin.com/in/kristianhermansen

--
Regards,
Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen
https://profiles.google.com/kristian.hermansen
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave