I need a little bit of help from you guys, there's one thing I don't understand and I'm hoping you can explain it to me. In January I downloaded a free app from the app store which had free movies and cartoons but was later taken down by Apple. Later I got notified by the app that there was an update available but it can only be downloaded from their webpage, so I did and it worked.
So my question is how is this possible? I thought it was only possible to download apps from the app store and nowhere else.
From your subsequent post I gathered you are referring to an iPad. Assuming it's true this would worry me. I am as well of the opinion that this would be impossible.
OTOH I seem to recall a couple of occasions where an iPad game upon launch loaded some new content, new levels etc. Thinking about this how can one be sure no malware is introduced in this way?
The other way to load an app outside of the app store is by using a signed ad hoc provisioning profile (which you're typically limited to an audience of 100 devices) or an enterprise provisioning profile (I think has no limit) both of which must have a valid Developer Apple ID account and can be blocked by Apple if it wishes to do so.
Did you get a prompt to install a certificate before installing the update?
It fits your original comment which stated "The title is indeed somewhat misleading as there are no real world examples of this vulnerability being used by malware."
I'm dying for you to tell me how you know there are no real world examples.
That's easy - DED would have been crowing about it from the rooftops instead of spreading FUD on his vegie patch.
While it sounds menacing, has the exploit actually been found in the wild? I'm never sure where the terror starts, there is a vast difference between 'can/might' and 'did'.
One thing is that in order to be affected by this flaw, one has to enable a checkbox buried in Settings that is disabled by default. Enabling said option triggers a warning message that enabling the option makes the phone and personal data more vulnerable to attacks and you have to accept or decline.
I really, really wish the folks over at Consumer Reports would factor this data into their glowing reviews of Android phones and tablets. I've only seen the malware issue mentioned in passing in a recent article about cyber security.
The important thing is that exploits are only a "real concern" on Apple platforms and that Google is above criticism. As long as we agree on that, the forums will run smoothly.
Please no. Between “polar vortex”, “supermoon”, “superstorm”, and all the other ludicrously idiotic, meaningless, and misleading buzzwords the media seems to want to invent this decade, we don’t need “super malware” thrown in.
Google scanned every app in its official app store. Found no instances of this exploit.
Google updated automatically, behind the scenes, every Android device to add this exploit check to its verify apps program.
In order for this exploit to be used, this is what has to happen:
1. Go into security settings and enable third party app installation (off by default)
2. Accept the warning saying not to do this.
3. A developer will have to actually make an app that uses this exploit.
4. The user will have to download this malicious new, theoretical app from a third party app store.
5. User will have to accept a prompt asking if they want to install a third party app that could be potentially harmful.
6. User will have to override the verify app warning that explicitly states that the app was found to be malicious (does it even let you???)
This is a non-issue. While it's never good to see a security flaw, as is the case with every Android security flaw out there, Google has in place the necessary defenses.
Am I the only one increasingly suspicious of the huge security flaws turning up in all the most widely used pieces of software (Heartbleed, 'goto fail', and now this)? Groups like the NSA benefit greatly from undetected exploits like these - are they just unfortunate bugs, or something more?
Alternatively, perhaps I need to go and buy a tinfoil hat.
Quote:
Originally Posted by Tallest Skil
Please no. Between “polar vortex”, “supermoon”, “superstorm”, and all the other ludicrously idiotic, meaningless, and misleading buzzwords the media seems to want to invent this decade, we don’t need “super malware” thrown in.
I honestly don't understand why they aren't just calling it 'malware'. Privilege escalation exploits do not a different name make.
Although perhaps it's just the same people that benefit from 'iOS confirmed as most insecure software ever written' scare stories doing the same thing with Android.
I quite agree with you. And I might go a step further, because it seems that 9 times out of 10, these theoretical vulnerabilities are found in an Apple platform and the tech press creates a bunch of sound and fury signifying nothing. I'd be pleased to see Apple Insider document this phenomenon of theoretical threat versus in-the-wild reality. Today's DED story is like the exception that proves the rule, because in general this phenomenon is used to create anti-Apple FUD.
you got me thinking....
what would Apple's market share be without all the propaganda and FUD?
Would iPhone have significantly more market share or would sales basically be the same?
I brought up the iPhone to my dad once and he responded "but doesn't the iPhone suck?"
He really is a moron but there's probably millions of them.
I've also gotten a similar response from a female friend. I could go on, but it seems like the brainwashing only affects uneducated people.
The company I work for handed out Motorola tablets recently. When I inquired about why weren't we getting iPads the answer I got was "nobody uses iPads anymore", and this was from a quite educated, and very tech savvy manager.
Comments
Still wish I had an answer as this could be a major iOS security hole.
No. I just pushed the download button on the website and it got installed.
Would you mind sharing the name of the app?
CartoonHD, but their website is gone now.
Removed. Meant to quote another post.
I found http://forums.macrumors.com/showthread.php?t=1732270
It's most likely just a web app. I downloaded a weather program called forecast the same way. It's not a true App.
http://forecast.io/
Isn’t that the definition? How people who’ve broken the constitution keep getting elected because their constituencies are too stupid to know, etc.?
Is it ignorance of the law breaking, or an affinity for the law breaker?
Both (usually only the first), the latter founded in the former.