I’d be more impressed by Google if they concentrated on fixing their own security issues instead of Apple’s.
Now THIS is a valid comment.
As an iPhone user I am very pleased that Google is helping to improve my iPhone. But I can't understand why Google can't improve the balance of their open platform with a safer/more secure platform. Windows 10 is much better in this regard these days.
Google improves their platform security every month with regular pushed updates to devices they sell, and on rare occasion more often than that. OEMs (who they don't control) get those same security updates supplied to them in advance of the Google device rollout. Did you think they don't, and if so based on what?
If you do any current reading you'd come away with the realization that Google Android today is not Google Android of 10 years ago. Now they're generally seen as close to if not equally as secure as iOS by most security professionals I see offering honest comment.
BTW the very latest Win10 update bonkered one of my RIP stations (but not the other??) so no, I'm not particularly happy with them these days.
So anyway users of any computer operating system should be thankful for the efforts of Google's Project Zero team. Without them no one's platform of choice would be as secure as it is, nor would the OS providers be as driven to push out patches.
Pretty pathetic reputation considering Apple’s marketing focus on privacy and security. The memory of MacOS permission screw-up getting admin or even root permission is still very fresh.
Also consider the public perception when ‘Google researchers’ discover ‘Apple problems’.
Pathetic reputation? Because a vulnerability was discovered? You obviously haven't a clue about the scope of software development (especially regarding operating system development) and the possibilities of a bug causing a security hole. We hear about an issue with iOS maybe a handful of times a year, but if you ever take the time to read Apple’s release notes, you’ll see there are many squashed bugs that had the potential to cause security holes. This is a normal part of the development process. It is IMPOSSIBLE to test every possible interaction between bits of code.
Google’s Project Zero is a great team of engineers and security researchers who mainly look for holes in their own projects and 3rd party code that might affect their own. Sometimes those holes lead to others. In this instance, it looks like they discovered a vulnerability in certain web server configurations that allowed a “hacker” to install code. Some of that code just happened to exploit a security hole in iOS when an iOS user visited the site. The team let Apple know of the exploit. Apple fixed it.
I’m pretty sure Apple finds “security” bugs in 3rd party code all the time... They just don’t publicly disclose it. Teams like Project Zero are set up to specifically discover and disclose security issues to the developer. The practice of publicly disclosing is an “incentive” to make sure the vulnerability gets fixed in a timely manner.
I wasn't questioning their update schedule.
What I meant is Android is by design a more open OS, more versatile, more flexible, supportive of more diverse devices. All good things.
But this also makes it inherently more vulnerable, more complex to cohesively keep updated, and users have more of an option to make their devices less secure. There is a balance to be had there.
Apple does provide more 'idiot' proof security by design, but makes the platform less interesting and adaptable. Again, a balance.
The “public” doesn’t see this shit. Only tech blog denizens hash this over and over and use it as a club. And tech blog denizens have no influence on anything.
What you conveniently leave out, of course, is the fact that many Android device manufacturers other than Google itself rarely if ever push updates out to their customers. It’s usually months and months before a few manufacturers issue updates. And as you have stated elsewhere the Pixel is a tiny blip on the smartphone radar screen. Many Android devices never get an update during their lifespan and are therefore vulnerable to all the security flaws discovered. Apple, on the other hand, all but forces iOS users to update their devices on a regular basis. Some scream bloody murder about being annoyed by Apple’s persistent notices to update. So the Google emperor has no clothes when it comes to touting security updates and patches. In the real world Android is the leaky security risk, not Apple.
Various implant commands enable the attackers to steal the container directories of third-party apps. The implant contains a hardcoded list of apps which will always have their container directories uploaded when the implant starts up. Here’s the pre-populated list of bundle identifiers for third-party apps, which will always have their container directories uploaded if the apps are installed:
com.yahoo.Aerogram
com.microsoft.Office.Outlook
com.netease.mailmaster
com.rebelvox.voxer-lite
com.viber
com.google.Gmail
ph.telegra.Telegraph
com.tencent.qqmail
com.atebits.Tweetie2
net.whatsapp.WhatsApp
com.skype.skype
com.facebook.Facebook
com.tencent.xin
….
Those are not the websites that are hosting the exploit. That is the list of containers that your iPhone uses to hold the respective apps that you have on your phone. The scary part is that after you’ve been infected, the bad agents can get a refreshed list of the apps that are installed on your phone so that they can update this container list and steal any other information contained in those apps as well.
I couldn't be more impressed. I have skin in Google because I use gmail accounts for analytics, for email, for YouTube so their security profiles are important to me professionally. However, Project Zero putting substantial efforts in finding and reporting on Apple security weaknesses is laudable and important. Similar weaknesses in Android don't affect me, as I don't use Android products, nor do I write systems for that product line.
On the one hand this exploit appears to be irrelevant to the average iPhone user (since it was fixed and was only hosted on a small number of sites that had "thousands" of daily visitors--i.e., a few fringe sites).
On the other: holy crap! What kind of exploit allows a hacker to get access to Keychain data (and more) just because a user hits a web page via Safari? Can anyone give a few sentence explanation of the exploit? I would have thought that impossible.
Oh, well then a double thanks for the explanation.
Obvious: do not use Facebook, Google and Microsoft, what's new?
Aren't those spoof sites? Com. or Net. before the website instead of after?
It's a reverse URL, used in bundle identifiers, or in the app's Info.plist to uniquely identify the app. For instance, when an app is launched from another app, the app will generally be identified with a reverse URL.
Ah, thanks, understood. So then they are more like the common fake domains trying to appear as legitimate ones, but not putting net or com first?
Not fake, no. It's a way to uniquely identify apps so they can be referenced from links - like maps etc.
The format is usually com.company.app, so maps is probably com.apple.maps. We can see in that list facebook is com.facebook.Facebook as the app is the same as the company. MS refines it further to specify the app group, e.g. com.microsoft.Office.Outlook.
These bundle IDs are unique and you can't upload an app with the same bundle ID as another app, as it is automatically rejected. If the other app is squatting on your domain then you can get Apple to take them down. These URLs/IDs are used for handover, launching another app, notifications and more. The main thing is that they identify the app, so quite a few fairly common apps have this bug. Although it may be an iOS bug of course.
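The reverse-DNS convention described in the replies above, worked through as an added example (not code from the thread, from Apple or from Project Zero): it splits a bundle ID back into the vendor's domain and the app part (so ph.telegra.Telegraph resolves to the real domain telegra.ph rather than a spoof), reads CFBundleIdentifier from a constructed Info.plist, and checks a constructed device inventory against the implant's hardcoded upload list quoted earlier in the thread. The sample plist, the inventory and all function names are assumptions made for the example.

```python
import plistlib
import re
from typing import Dict, List, Optional

# The implant's hardcoded target list, as quoted from the Project Zero teardown in this thread.
IMPLANT_TARGET_BUNDLE_IDS = frozenset({
    "com.yahoo.Aerogram", "com.microsoft.Office.Outlook", "com.netease.mailmaster",
    "com.rebelvox.voxer-lite", "com.viber", "com.google.Gmail", "ph.telegra.Telegraph",
    "com.tencent.qqmail", "com.atebits.Tweetie2", "net.whatsapp.WhatsApp",
    "com.skype.skype", "com.facebook.Facebook", "com.tencent.xin",
})

# Apple allows ASCII letters, digits, hyphens and dots in a CFBundleIdentifier.
_COMPONENT = re.compile(r"[A-Za-z0-9-]+")


def is_valid_bundle_id(bundle_id: str) -> bool:
    """True if the string is a dotted reverse-DNS identifier with at least two components."""
    parts = bundle_id.split(".")
    return len(parts) >= 2 and all(_COMPONENT.fullmatch(p) for p in parts)


def parse_bundle_id(bundle_id: str) -> Optional[Dict[str, str]]:
    """Split a bundle ID into the vendor domain (leading components reversed) and the app part.

    com.facebook.Facebook        -> facebook.com  / Facebook
    com.microsoft.Office.Outlook -> microsoft.com / Office.Outlook
    ph.telegra.Telegraph         -> telegra.ph    / Telegraph   (a real ccTLD domain, not a spoof)
    com.viber                    -> viber.com     / viber       (no separate app component)
    """
    if not is_valid_bundle_id(bundle_id):
        return None
    parts = bundle_id.split(".")
    domain = ".".join(reversed(parts[:2])).lower()
    app = ".".join(parts[2:]) if len(parts) > 2 else parts[1]
    return {"domain": domain, "app": app}


def bundle_id_from_info_plist(plist_bytes: bytes) -> Optional[str]:
    """Read CFBundleIdentifier from an Info.plist (XML or binary form), where the ID is declared."""
    info = plistlib.loads(plist_bytes)
    value = info.get("CFBundleIdentifier")
    return value if isinstance(value, str) and is_valid_bundle_id(value) else None


def flag_targeted_apps(installed: List[str]) -> List[str]:
    """Return the installed bundle IDs that appear on the implant's hardcoded upload list.

    The comparison is deliberately case-insensitive: an inventory that normalises
    case must not hide a match. The canonical spelling from the list is returned.
    """
    targets = {t.lower(): t for t in IMPLANT_TARGET_BUNDLE_IDS}
    return sorted(targets[b.lower()] for b in installed if b.lower() in targets)


# Constructed sample Info.plist (not from any real app) and a constructed device inventory.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.MailClient</string>
    <key>CFBundleName</key>
    <string>MailClient</string>
</dict>
</plist>
"""

SAMPLE_INVENTORY = ["com.apple.mobilesafari", "net.whatsapp.WhatsApp",
                    "com.example.MailClient", "com.Microsoft.Office.Outlook"]

if __name__ == "__main__":
    print("bundle ID from plist:", bundle_id_from_info_plist(SAMPLE_INFO_PLIST))
    for bundle in sorted(IMPLANT_TARGET_BUNDLE_IDS):
        print(bundle, "->", parse_bundle_id(bundle))
    print("targeted apps installed:", flag_targeted_apps(SAMPLE_INVENTORY))
```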
Ah yeah, the vulnerability that was patched and had no known exploits in the wild. So very fresh. Quite pathetic compared to Windows and Android which have dozens of known exploited vulnerabilities in the wild over the years. /rolleyes
Web pages contain executable code in the form of JavaScript, which is executed locally in the JavaScript runtime engine. This is part of an open-source project, so anyone could get access to the code and find vulnerabilities. One of the most common issues/bugs is memory leaks. If someone can track down code that consistently leaks memory, they can inject code into that leak and execute it.
This is a huge reason why Apple is moving away from the Objective-C runtime and replacing it with Swift which uses more secure memory management and strict type casting.
And the Keychain data does not include passwords, which are always kept in an encrypted state.
There are links in the article. Somehow they get a root exploit and then they can just use SQL to query the local databases in the app containers.
If iPhones are vulnerable imagine Android phones which in this extract are not mentioned at all ... it sounds like an excellent marketing strategy for Google to me. Oh wait ... of course this is the very information all Android users hand over to Google to use already, what am I thinking?
Observations:
You don't know what Project Zero is. You don't know what they do.
You skimmed the article looking for excuses why these exploits existed and lasted so long.
Finding none, you decided it would be perfectly fine to inject baseless speculation and disparage the research team.
I've always been curious why people do what you did. I think either you completely misunderstood what you read or you intentionally made up some stuff. If it's the former, I'd suggest rereading and clicking on the links to gain understanding. If it's the latter, might I suggest a look in a mirror and ask yourself: what am I thinking?
Project Zero has been criticized in the past before for not disclosing Google's security failures. The comment is valid.
However, it is extremely impressive that there are people in the world who are so extraordinarily skilled to be able to find and exploit these vulnerabilities. It would be fascinating to see what a state like Russia has been able to do with their hack teams.
Project Zero discovers vulnerabilities in Google products.
Serious question, what do you mean with "I can't understand why Google can't improve the balance of an open source platform with safer/more secure platform"
As answered below (by Asdasd): domain names read backwards. But spoofed or not my remark still stands.
Nothing "conveniently" left out. I alluded to that in my own post with the comment about OEMs. It's also been pretty common knowledge that many of the Google Android licensees had been lagging on their duties. Everyone here knows that.
What's not as common knowledge is that OEMs are getting the message: Nokia, OnePlus, Essential (what's left of 'em), Samsung, Xiaomi, Huawei, Lenovo (Motorola) and a few others are among those with regular committed update schedules and that covers millions and millions of handsets. In fact a few OEMs are even faster at getting security updates out to their device owners than Google is with Pixels that may take a few days to receive push notifications.
Question for those few complainers in the thread: Do you think you and your iPhone would be better off from a device security standpoint if Project Zero didn't work so hard to discover iOS and Mac security flaws and exploits along with issues affecting the security of other OS's? Why do you care more who found 'em and not that they were found?
https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html
https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html