Tag Archive: Fraser Valley iPhone


Apple finally fixes App Store flaw by turning on encryption

Apple has finally fixed a security flaw in its application store that for years has allowed attackers to steal passwords and install unwanted or extremely expensive applications.

The flaw arose because Apple neglected to use encryption when an iPhone or other mobile device tries to connect to the App Store, meaning an attacker can hijack the connection. In addition to a security flaw, the unencrypted connections also created a privacy vulnerability because the complete list of applications installed on the device are disclosed over Wi-Fi.

It also allows the installation of apps, including extremely expensive ones that top out at $999.99, without the user’s consent, which can create serious consequences because Apple doesn’t give refunds. To do this, an attacker needs to be on the same private or public Wi-Fi network, including, for example, a coffeeshop, hotel, or airport network.

Security researcher Elie Bursztein discovered the vulnerability and reported it to Apple last July. Apple fixed the problem in a recent update that said “content is now served over HTTPS by default.” Apple also thanked Bernhard Brehm of Recurity Labs and Rahul Iyer of Bejoi.

Bursztein, who works at Google, in Mountain View, Calif., but emphasized this was work done at home in his spare time, published a personal blog post today that described details about the App Store vulnerability and included videos of how an attacker was able to steal passwords or install unwanted apps.

Publicizing this flaw, Bursztein said, highlighted how necessary encrypted HTTPS connections were. “Many companies don’t realize that HTTPS is important for mobile apps,” he said. But if they rely on Web connections or Webviews, he added, they are vulnerable to attacks: “Providing a concrete example seems a good way to attract developer attention to the issue.”

As a postdoctoral researcher at Stanford University, Bursztein published research that included demonstrating flaws in Captchas and the Web interfaces of embedded devices. At the Defcon conference in Las Vegas two years ago, he demonstrated how to bypass Windows’ built-in encryption that Web browsers, instant messaging clients, and other programs used to store user passwords.

Bursztein’s blog post comes a day after Apple’s marketing chief, Phil Schiller, took a security-related swipe at Google on Twitter by pointing to a report on the rise of Android malware.

 

Source: CNET

Blacklist created to fight smartphone theft

Canada’s wireless carriers are targeting smartphone theft by setting up a database that will blacklist lost or stolen phones to prevent them from being reactivated.

The move would also help protect personal data on such devices, the Canadian Wireless Telecommunications Association said Thursday.

Smartphones are worth $600 to $700 and can be resold on the black market, noted association president Bernard Lord.

“With this database, it makes that a lot less attractive because the buyer of the stolen phone will not be able to connect to any network in Canada,” Lord said from Ottawa.

“It eliminates the incentive for stealing a device.”

The idea is also to reduce the black market value of a smartphone in the eyes of criminals, Lord added.

Once consumers call their wireless carrier to report their smartphone lost or stolen, the device’s internal identification number goes on the electronic blacklist.

Lord said even though more smartphones are lost than stolen, law enforcement officials have raised concerns about the issue.

The database for the Canadian wireless industry will be up and running by September 2013 and Canada’s carriers will also be contributing to an international database to help prevent smartphone theft, he said.

However, consumers who have their smartphones lost or stolen are “not off the hook” for paying their smartphone contracts.

A website will also be set up by the association to help consumers protect their smartphone data and help protect themselves from theft.

Lord said the smartphone’s ID number — called the international mobile electronic number — will be verified by carriers to make sure the device has not been lost or stolen.

The Canadian Radio-television and Telecommunications Commission congratulated the wireless industry for the initiative, but would like the database running sooner rather than later.

“I would strongly encourage the industry to implement the database before September 2013 to ensure Canadians benefit from this added protection as soon as possible,” chairman Jean-Pierre Blais said in a statement.

The creation of a database and collaboration to make sure stolen or lost devices aren’t reactivated will help make them less desirable to thieves, Blais said.

“The CRTC has been concerned for some time about reports of an increase in crimes involving lost or stolen cellphones.”

Telus said while the wireless industry, law enforcement, and regulators all have a role to play, smartphone users need to think about where they’re buying their devices.

“We ask consumers to reconsider buying phones on sites like eBay, Craigslist, or Kijiji and instead buy their devices from a verified dealer,” Telus spokesman Shawn Hall said.

“If you buy a phone from Craig’s List it might be legitimate, but it could be stolen and then you will likely be unable to get it activated,” he said.

Smartphone use in Canada is among the highest in the world and penetration has exceeded 50 per cent, Lord said.

Canada’s wireless industry will spend about $20 million on the initiative, he said.

The United States is also taking steps and will have a similar database to fight the black market for smartphones in November 2013, Lord said.

Ryan says:  This should change the market in the way deals are made on classified for sale sites.  Phones will be checked first to see if they work properly before buying.  New tricks will be implemented ie. IMEI / IMSI masking so I do not see this as a long term solution for blacklisting phones but its a move in the right direction.

Source:  CTV News