I wonder how hard it would be to fake the AppStore app opening using CSS in Safari. It might not be this complicated to trick an unsuspecting user, say, your grandma.
I mean: people are used to this kind of link: View In iTunes by now. An expertly crafted link that opens a website in Safari that looks like it opens iTunes (but doesn't really) would be doable. Some of the (really nice) effects on the Apple website, or the HTML 5 Apple page (which seems to have been removed now???), or even in WebGL with https://developer.apple.com/videos/wwdc/2014/?id=509 might enable this kind of evilness. You'll still get the popup, but most people already click them through, like the "we need your location" in Strava.
In the end, the announcement is sensationalist, a security firm phishing for clicks/reputation, but with additional work, criminals might be able to turn this into something dangerous for the common user, which is most of the world...
Here is yet another reason Apple is different than Android. A malicious app tells you something is fishy before you decide to install it. On Android it just assumes that since you have Android (the most secure mobile OS according to a piece of Schmidt) installing the malicious app is a given.
A few of the warnings you'll receive if you attempt to install an app identified as malicious on Google Android, even from one of those 3rd party stores.
Well, what about an app that reveals itself as malicious sometime after it was installed?
And yes, it's available to nearly every Google Android smartphone and tablet in use today.
I wonder how hard it would be to fake the AppStore app opening using CSS in Safari. It might not be this complicated to trick an unsuspecting user, say, your grandma.
I recently saw an article describing how some attacks are being done now using proxy-pass-through. This would probably work against AppStore also.
It is possible to sideload apps without jailbreaking via Configurator.
For example, my mom has an iPhone 5 that was one of the sleep button phones. She just upgraded to a 6 and decided to get the button fixed to give it to my nephew. When I took it in they loaded an app via a laptop to test the phone. It came up with that whole trusted developer warning. Wasn't really a big deal since they had just erased everything from mom's phone so there's nothing to hack. When I get it back I'll restore it again to fresh just in case.
a piece of Schmidt installing the malicious app is a given.
I see what you did there.
On a corporate account, yes.