A new security vulnerability has been discovered on Apple’s iOS platform, this time to do with certificate security regarding apps. The issue is because Apple doesn’t enforce certificates for apps with the same bundle identifier, it means non-legitimate apps installed via a provisioning profile can “take over” legitimate apps installed from the App Store. Ars Technica’s explanation of the threat…
I love how all the news sites make massive deals out of these iOS security flaws, as if they’re going to strike you AT ANY TIME, when the reality is that you’d have to actively seek the flaw out and give it permission to run. That one a few weeks back was heralded as the biggest breach ever, but it was entirely dependent on the user going to a dodgy Chinese website, downloading pirated software, installing it, then allowing it access to an iOS device attached to their computer.
Now we have this one, which relies on you installing an app that hasn’t come from the App Store, which apparently involves a popup saying ‘this is from an untrusted source, do you want to continue’.
It’s kind of your fault if you blindly install anything you’re offered then wake up 2 days later in an icebath with your iPhone’s bluetooth module missing.
Yeah, these attacks via social engineering is becoming a pretty serious issue. You can make computer systems as secure as you want, but at the end of the day, there’s a human sitting behind the computer keyboard with the power to screw everything up — and the worst thing is, the only real protection is a little common sense and constant vigilance.
Which, let’s be honest, can be in short supply at the best of times.