The short-term fix for these exploits is a combination of new recommendations and requirements to app developers, and additional procedures in the App Store review. “What the App Store can do is run something similar at least to identify—not malicious apps, but at least those vulnerable as targets,” Wang said.
His colleague, PhD candidate Luyi Xing, noted that “Apple should do something to enforce scheme management” as well. However, Xing said that it boils down to being a design problem, rather than an app implementation issue. That will require some deep rethink at Apple, and put some burden on developers as new authentication and registration procedures make their way into App Store requirements.
Neither we nor Luyi Xing and his team have been able to figure out a completely reliable way to solve this problem. We thank them for their help and suggestions during these discussions. But, although there is no perfect solution, there are things that can be done to make such attacks more difficult.
On modern operating systems, applications under the same user are separated from each other, for the purpose of protecting them against malware and compromised programs. Given the complexity of today's OSes, less clear is whether such isolation is effective against different kinds of cross-app resource access attacks (called XARA in our research). To better understand the problem, on the less-studied Apple platforms, we conducted a systematic security analysis on MAC OS X and iOS. Our research leads to the discovery of a series of high-impact security weaknesses, which enable a sandboxed malicious app, approved by the Apple Stores, to gain unauthorized access to other apps' sensitive data. More specifically, we found that the inter-app interaction services, including the keychain, WebSocket and NSConnection on OS X and URL Scheme on the MAC OS and iOS, can all be exploited by the malware to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote. Further, the design of the app sandbox on OS X was found to be vulnerable, exposing an app's private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed. Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications. To better understand their impacts, we developed a scanner that automatically analyzes the binaries of MAC OS and iOS apps to determine whether proper protection is missing in their code. Running it on hundreds of binaries, we confirmed the pervasiveness of the weaknesses among high-impact Apple apps. Since the issues may not be easily fixed, we built a simple program that detects exploit attempts on OS X, helping protect vulnerable apps before the problems can be fully addressed.
Had a great time meeting customers and our team at the Apple Store Boylston St in Boston. Enjoy your Apple Watches! pic.twitter.com/7AOGyCSW9i — Tim Cook (@tim_cook), June 17, 2015
First time controlling a Keynote from my Apple Watch. Weird to have both hands free. — Robert Sharl (@Sharl), June 18, 2015
There’s a “culture of walking and texting” on the Utah Valley University campus, according to conversations with students, but that’s not the main reason Matt Bambrough, the creative director at UVU, came up with an idea to paint a “texting lane” on a staircase leading up to the brand-new Student and Wellness Center. According to Bambrough, it’s first and foremost a design project—the texting lane was a tongue-in-cheek reference to the college-wide epidemic of kids walking around with their faces buried in their iPhones.
It will now enable magazine creators to add more of their own voice to their publications by allowing them to share thoughts and opinions on the news they’re sharing, as well as ask questions, quote text, customize their magazine with links or their own personal photos, and more.
Contrast might not have been the first developer to make one, but it was certainly the first to get it right, and nearly three years after its debut, Launch Center Pro is still the one to beat.
Dark Sky, a weather app specializing in hyper-local forecasts, has hit version 5.0, refreshing the layout, adding advanced alert options, and more. The app also packs advanced functionality for iPhone 6 owners, letting them opt in to sending pressure sensor data for better short-term forecasts.
The definition of insanity is typing the same word over and over again, and expecting autocorrect to not screw it up this time. — Nick Arnott (@noir), June 18, 2015
Back in 2003, software engineer Don Ho wasn’t satisfied with the source code editor he was using for work and decided to take on the challenge of crafting something better. Notepad++ has since become a staple of many users looking for richer features than your OS’s default text editor, and better performance than more bloated options. We caught up with Don to learn about what went on behind the app.
*breaks down in hysterical laughing fit* (from Apple's new "UI Design Dos and Don'ts" https://t.co/vdKLVXCSgu) pic.twitter.com/I9KFKJiFhf — Sebastiaan de With (@sdw), June 15, 2015
Mr Heath said: “If you are running a small label on tight margins you literally can’t afford to do this free trial business. Their plan is clearly to move people over from downloads, which is fine, but it will mean us losing those revenues for three months.”
The non-profit watchdog group has praised the company for its transparent policies regarding how it handles data requests from government agencies.
The announcement included a number of senior departures, as well as a reorganization of existing executives, but the most telling of these changes is, perhaps, the departure of Stephen Elop, Nokia’s ex-CEO. [...] His exit from the company seems to be as strong a sign as any that Microsoft is—at least in spirit—seceding from a crowded smartphone market that has become increasingly difficult to penetrate.
According to the email Apple just sent me, my iTunes Match subscription is due for renewal this June 30th.
Whether this timing is good or bad remains to be seen: the Apple Music web page on Apple Singapore's web site still says "Coming Soon" instead of promising a specific date.
Have we invented a new medical term for the condition of the weakening of the heart due to the dropping or potential dropping of one's iPhone onto concrete floor?
Why machines will never replace humans. They just don't understand us. pic.twitter.com/0qeMBxq5mt — Simon Cobb (@s13mon), June 16, 2015
Thanks for reading.