Saturday 30 July 2011

Your Smartphone Is A Hacker Paradise



Apple's iPhone is often touted as being more "secure" than Google's Android equivalents because it has a tightly managed ecosystem. Apple is careful not to let malicious apps into its App Store, from where they could worm their way into devices. It turns out that the update dealt with a single loophole uncovered by Trustwave SpiderLabs' Nick Percoco and team, and Apple worked fast to solve it because, as holes go, it was gaping. To get a certificate, a website offering this type of security has to officially request one from a trusted certificate authority, and the certificate is crafted to have the identity of the website built into it. Percoco's team decided to test iOS devices with the same kind of hack that a malicious coder could use to break SSL.


They bought an officially issued SSL certificate for a genuine website, cut out the parts of the certificate's code that equate to its signature of authenticity, and bolted that signature onto a fake certificate for a different website. Trustwave explained to us that they alerted Apple on July 15th, and Apple's security team was sufficiently motivated to put a fix in place, test it, and roll it out to the public this week on July 25th, as iOS 4.3.4. In addition, Percoco's team also pulled off an elegant hack of Google's Android OS that's actually more fundamentally problematic. The trick involves using perfectly legitimate APIs, the code hooks that let app writers gain access to special features of the Android core code, the kind of connector that lets an app turn on your phone's camera for a video call, for example. By combining specific APIs, Percoco's team discovered that it's possible to steal user log-in credentials (passwords, usernames, and so on) from "the most popular apps in the Android application market."

They've alerted Google to the problem, but Google can't pull off the same kind of fix that Apple quickly pushed out, because the hack involves perfectly valid code right at the core of Android that thousands of apps legitimately use. But when it comes to Apple's community, Percoco would wait until an iPhone jailbreak came out, and then attack the code to insert malicious code into it: "The jailbreak is basically getting root access to your device. You could say 'here's a jailbreak, everybody' and it actually does jailbreak the phone and install the Cydia market," but you also install a backdoor that gives you, as a remote hacker, direct access to the phone and thus all the data stored in it, and potentially any web activity like log-ins, passwords, and credit card numbers. Google and Apple have different problems to face in terms of security on their phones. And users have to be smart to avoid exposing themselves: Don't install any old app from the Android marketplace without checking to see if it's legitimate, and keep your iPhone up to date with Apple's latest iOS upgrades and unjailbroken.
