The web security exploit known as FREAK that I discussed last week was patched by Apple within days of its discovery two weeks ago. FREAK relied on a configuration issue in web servers (still offering 1990s-era "export grade" cipher suites) combined with a backwards-compatibility bug in many of the software libraries used to set up a secure connection, which accepted a weak export-grade key even when the client never asked for one. But the patch only affects Apple's operating systems, not every app that runs on them.

This highlights how apps can remain vulnerable because of developers' choices. And Apple's FREAK update only fixed the problem in iOS 8.2 and in OS X 10.8, 10.9, and 10.10. While I addressed part of that last week, there's more to say.

When apps attack—or are attacked

Researchers at FireEye noted in a blog post on Wednesday that while the operating systems have been updated, their tests indicate that many Android apps and a handful of iOS apps rely on security code libraries bundled inside the app, rather than using the security components the OS provides. An OS patch does nothing for those apps; each one has to ship its own fix.

FireEye tested nearly 11,000 popular Android apps in the official Google Play Store, and over 14,000 iOS apps. Of those tested, they found 1,228 Android apps and 771 iOS apps that connect to secure servers which haven't yet been updated (or may never be) to fix the server-side half of the FREAK exploit.

Android has it worse: nearly half of the affected apps build in their own encryption software rather than relying on Android's, and so remain susceptible to FREAK regardless of the OS version. On iOS, only seven apps bypass Apple's security framework and remain vulnerable under iOS 8.2. All 771, however, remain vulnerable on every earlier release of iOS on which they still work, because those releases never received the patch.


While not all of those apps, Android or iOS, handle sensitive data, any program that uses a login or transfers private information, such as personal photos, can be a key to identity theft, harassment and extortion, and to other services for which someone reuses the same account name or email address and password.

If you like it, put a pin on it

Despite Apple's tight scrutiny of app submissions, third-party software is allowed wide latitude in how it communicates with servers, so long as Apple's rules about data privacy are respected. (And even then, it's usually only when a breach happens or someone reports a problem that non-obvious issues are discovered.)

For instance, there has been growing concern for years about the ability of governments, criminals, and others to undermine the certificate system that underlies secure web, email, and other connections. Certificates are issued by hundreds of parties around the world, and operating systems and browsers use a cryptographic check of the certificate's signature chain to make sure that a secure website is what it says it is. That proof is what prevents man-in-the-middle attacks.

FREAK enabled one form of that attack by forcing a downgrade to an older, weaker form of encryption that could be cracked, and it didn't rely on corrupt certificates at all. However, the certificate authorities (CAs) that sign off on those digital proofs have been hacked a few times in the last several years, and each time new safeguards have been put in place. But they're not all there yet.

One technique is known as pinning, in which a domain (such as macworld.com) or an app specifies precisely which CAs, or which public keys, may issue or appear in a valid certificate for it. A certificate issued by any other authority is rejected and the user warned, even if that certificate would otherwise pass the ordinary chain check. Google has experimented with pinning for years, and was able to detect a forged certificate in Iran as a result of building a warning into Chrome in 2011 that fired when a non-approved certificate was presented for a Google domain. The affected user notified Google, which led to the disclosure of a security breach at a CA.

App developers can also pin, and security experts recommend it. Marco Arment, the creator of Instapaper and the developer behind the Overcast app, uses pinning in Overcast, as do many other, but not all, developers. It's not required.

Arment noted a few weeks ago that he has 200,000 registered users; other apps, such as Instagram, have millions or tens of millions. These are rich targets for a hacker or a government agent, because intercepting logins would allow them to try those same account credentials at other services, or to gain access to a stream of personal information that could be mined or misused.

The downside is that failing to update and manage one's certificates carefully could cause an app's connections to fail and require an emergency app update. The usual safeguard is to pin a backup key alongside the live one, so a planned rotation never locks users out. But the benefits are high.
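Here is what the pinning check described above looks like in code. This is an added example, not code from the article, from Overcast, or from Chrome: it assumes the HPKP/Android-style pin format, base64(SHA-256(SubjectPublicKeyInfo)), walks the certificate's DER by hand to pull out the SubjectPublicKeyInfo (so a renewed certificate that keeps the same key pair still matches), and enforces the pin after the normal chain validation rather than instead of it. The `pinned_connect`, `build_toy_cert` and `toy_spki` names are this example's own, and the "certificate" it builds for offline testing is a constructed, unsigned stand-in with placeholder fields, not a real certificate.

```python
"""Public-key pinning check, as an app might do right after the TLS handshake.

Pin format: base64(SHA-256(SubjectPublicKeyInfo DER)), as used by HTTP Public
Key Pinning and Android's network security config. A minimal DER walker pulls
the SPKI out of the certificate so the pin survives certificate renewal.
"""
import base64
import hashlib
import socket
import ssl


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _expect(tag, want, what):
    if tag != want:
        raise ValueError(f"bad DER: {what} has tag {tag:#04x}, expected {want:#04x}")


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    tag, pos, _ = _read_tlv(cert_der, 0)               # Certificate ::= SEQUENCE
    _expect(tag, 0x30, "Certificate")
    tag, pos, _ = _read_tlv(cert_der, pos)             # tbsCertificate ::= SEQUENCE
    _expect(tag, 0x30, "tbsCertificate")
    tag, _, end = _read_tlv(cert_der, pos)             # optional [0] EXPLICIT version
    if tag == 0xA0:
        pos = end
    for _ in range(5):                                 # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)             # subjectPublicKeyInfo ::= SEQUENCE
    _expect(tag, 0x30, "subjectPublicKeyInfo")
    return cert_der[pos:end]


def spki_pin(cert_der):
    """base64(SHA-256(SPKI)): the pin string an app would ship in its config."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode("ascii")


def verify_pins(chain_der, pins):
    """True if any certificate in chain_der matches a configured pin.

    Ship at least two pins (the live key and an offline backup key) so that a
    planned key rotation never locks users out of the app.
    """
    return any(spki_pin(cert) in pins for cert in chain_der)


def pinned_connect(host, port, pins, timeout=10):
    """TLS connect with normal chain validation, then enforce the pin on the leaf.

    The standard library only exposes the leaf certificate in DER form, so this
    pins the server's own key (plus backups), not an intermediate or a CA.
    """
    ctx = ssl.create_default_context()
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout), server_hostname=host)
    leaf = tls.getpeercert(binary_form=True)
    if not verify_pins([leaf], pins):
        tls.close()
        raise ssl.SSLCertVerificationError(
            f"public key pin mismatch for {host}: server presented {spki_pin(leaf)}")
    return tls


# --- constructed offline fixture: NOT a real certificate ---------------------

def _tlv(tag, content):
    """Encode one DER TLV, using a long-form length where needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def toy_spki():
    """Constructed SPKI: rsaEncryption OID plus a placeholder 200-byte key blob."""
    rsa_oid = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"
    return _tlv(0x30, _tlv(0x30, rsa_oid) + _tlv(0x03, b"\x00" + b"\x42" * 200))


def build_toy_cert(spki_der, with_version=True):
    """Stand-in with X.509's field layout but placeholder contents; unsigned,
    would never validate, and exists only to exercise extract_spki() offline."""
    fields = []
    if with_version:
        fields.append(_tlv(0xA0, _tlv(0x02, b"\x02")))     # [0] version: v3
    fields += [
        _tlv(0x02, b"\x01"),                                 # serialNumber
        _tlv(0x30, b""),                                     # signature AlgorithmIdentifier
        _tlv(0x30, b""),                                     # issuer Name
        _tlv(0x30, b""),                                     # validity
        _tlv(0x30, b""),                                     # subject Name
        spki_der,                                            # subjectPublicKeyInfo
    ]
    tbs = _tlv(0x30, b"".join(fields))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    cert = build_toy_cert(toy_spki())
    pin = spki_pin(cert)
    print("pin:", pin)
    print("matches its own pin:", verify_pins([cert], {pin}))
    print("matches a wrong pin:", verify_pins([cert], {"A" * 43 + "="}))
```

Note that `pinned_connect` keeps the normal chain validation from `ssl.create_default_context()` and adds the pin on top; replacing validation with a bare pin check would reintroduce the problems pinning is meant to solve. Pinning the SPKI hash rather than the whole certificate is what lets the server renew its certificate without an app update, as long as the key pair is kept.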

Users can't dictate these sorts of security improvements, but they can ask for them. Apple could also shift some of its effort from enforcing absurd interpretations of its rules to examining security issues like these in its app-review process, and give developers guidance on them.

The old gray OS ain’t what it used to be

Apple folk have long liked to needle Android users about the lack of upgradability of many handsets and other devices, some sold with an implicit promise that the device would support new major releases. And many manufacturers still ship Android devices with earlier, unsupported releases, some of them years old.

Now Apple needs to face some of the same finger pointing. Whenever Apple puts out a major update (moving from iOS 7 to 8, say), it stops selling new hardware that can't run the latest release. But with the FREAK update, it has cut adrift those customers who own older hardware or have chosen not to upgrade.

Apple stopped selling the last hardware that couldn't be upgraded to iOS 8 (the iPhone 4) a year before that version was released. But there are at least 100 million perfectly serviceable iOS devices, if not more, that cannot (or will not) run anything later than iOS 7. Apple's own data show that 20 percent of iOS devices are running iOS 7, and 3 percent still use earlier versions, and it has shipped over a billion devices. (Assume some decent percentage of those are dead.)

While Apple went back as far as 10.8 (released in 2012) for OS X, 18 percent of active users were running 10.7 (2011) or 10.6 (2009). Despite the difficulty of updating them, surely at least a 10.7 patch would have been worthwhile?

FREAK is a peculiar case, in that it can be fixed on either end or both: a server that no longer offers export-grade cipher suites can't be downgraded, and that fix has been applied in large numbers and very rapidly. An updated browser or OS security component isn't required if all the servers are fixed, as I noted last week. The catch is that a device running an unpatched OS is only as safe as the least-updated server it talks to.

But it remains a bad trend. Adding features to old OS versions makes little sense, and it's a trap in which Microsoft used to get stuck, and sometimes Apple as well. Security isn't a feature, though; it's a necessity. While Apple's OS X support reaches back to computers released years ago, the iOS cutoff is far too short.