3rd party app security audits (Free Toolchain Software (Cydia App's) forum, Hackint0sh.org)
#1, Rookie (joined Aug 2007, 25 posts): 3rd party app security audits

    Is anyone auditing the software on the AppTapp installer? We are basically installing apps that are brand new, from programmers who most likely do not have reputations... who knows what could be in them or what they could be harvesting from our phones. I'm curious what has been done to ensure our phones are safe... I'm guessing nothing...

    Our iPhones are computers so we should treat the security on them in the same way that we would our regular computer systems.



#2, Senior Professional (joined Jul 2007, 445 posts)

    Nothing, just like when you go on SourceForge or any website and download an app from some guy you've never heard of...

#3, Rookie (joined Aug 2007, 25 posts)

    RVN84, true. However, since the apps on SF are more widely used (because the iPhone is so new) I have more confidence that the OSS community will find backdoors, etc. I guess it's going to be hard to know what all of the apps have in them... but maybe we should have a warning for users when they are installing the apps? 3rd party app makers would suffer a pretty big loss if one bad apple gave 3rd party apps a bad rap IMO. It would also give Apple more fuel to throw on the fire as to why 3rd party apps should be blocked.

#4, Senior Professional (joined Jul 2007, 445 posts)

    AFAIK, there is such a warning in AppTapp installer when you get community sources...

    My comment above was in agreement with you, but just pointing out that this isn't only on iPhones... it happens on all platforms...

    Unfortunately, it will be difficult to get some sort of "security seal" which can be independent (i.e. trustworthy) while also being effective enough and cheap to keep quick and free applications from popping up...
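
One way to give the "security seal" idea some teeth short of a full audit, as an added example that is not part of the original thread and not Installer.app's own format: pin each package's size and SHA-256 digest in the source listing and refuse to install anything that does not match. The plist layout, the `packages` key and the package names below are assumptions chosen for illustration, and the package bytes are constructed. Two limits a practitioner should keep in mind: a digest only proves the download is the bytes the source listed, not that those bytes are harmless, and the listing itself has to reach the phone over a channel you trust, otherwise whoever can tamper with the package can tamper with the pin.

```python
"""Verify downloaded packages against digests pinned in a community-source
listing before installing them.  Added example; not Installer.app's format."""
import hashlib
import hmac
import plistlib

# Constructed sample package contents standing in for downloaded archives.
SAMPLE_PACKAGES = {
    "org.example.uictl": b"PK\x03\x04 uictl-0.1 (constructed bytes)",
    "org.example.stumbler": b"PK\x03\x04 stumbler-0.3 (constructed bytes)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_listing(packages: dict) -> bytes:
    """Serialize a listing that pins size and SHA-256 for every package.
    The plist layout is an assumption made for this example."""
    entries = {
        name: {"size": len(blob), "sha256": sha256_hex(blob)}
        for name, blob in packages.items()
    }
    return plistlib.dumps({"packages": entries})


def verify_download(listing_bytes: bytes, name: str, blob: bytes):
    """Return (ok, reason).  Refuses unlisted packages and any byte change."""
    listing = plistlib.loads(listing_bytes)
    entry = listing.get("packages", {}).get(name)
    if entry is None:
        return False, "not in trusted listing"
    if len(blob) != entry["size"]:
        return False, "size mismatch"
    # compare_digest is a harmless habit here; the digest is not a secret
    if not hmac.compare_digest(sha256_hex(blob), entry["sha256"]):
        return False, "digest mismatch"
    return True, "ok"


# The listing a trustworthy source would publish over an authenticated channel.
TRUSTED_LISTING = build_listing(SAMPLE_PACKAGES)


def install_plan(listing_bytes: bytes, downloads: dict) -> dict:
    """Map each downloaded package to its verdict; only 'ok' ones get installed."""
    return {name: verify_download(listing_bytes, name, blob)[1]
            for name, blob in downloads.items()}


if __name__ == "__main__":
    downloads = dict(SAMPLE_PACKAGES)
    # a package that was modified after the listing was published
    downloads["org.example.uictl"] = SAMPLE_PACKAGES["org.example.uictl"] + b" extra"
    # a package the source never listed at all
    downloads["org.example.unknown"] = b"never listed"
    for name, verdict in install_plan(TRUSTED_LISTING, downloads).items():
        print(f"{name}: {verdict}")
```

Run as-is it prints one verdict per package; in practice the installer would call `verify_download` on the bytes it just fetched and abort on anything but `ok`.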

#5, Newbie (joined Sep 2007, 3 posts)

    Yes there is such a warning when you install community sources.

    I agree with the concern, it's a right one, but I would say it's nearly impossible to guarantee good security in these apps that are developed for the iPhone. Just like people run AnySim without reading through the source code. We just have to trust the developers and the community.

    As a side note: I doubt all the people installing sshd know that anyone on your WLAN can log into your iPhone and fsck it up as much as they want to (assuming default root password).
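
The first fix for the sshd exposure described above is simply to change the root password with `passwd`. The second is to stop sshd from accepting passwords at all, and that is easy to get wrong, so here is an added example (not from the original thread or from any phone's actual sshd) that audits an `sshd_config` for the settings that matter. It models two pieces of OpenSSH behaviour a practitioner needs to know: keywords are case-insensitive, and for each keyword the first occurrence in the file wins, so appending `PermitRootLogin no` at the bottom of a file that already says `yes` changes nothing. The two configs below are constructed samples, the `admin` account name is a placeholder for whatever unprivileged account you create, and `Match` blocks are skipped rather than evaluated.

```python
"""Audit an OpenSSH sshd_config for the settings that let anyone on the same
WLAN log into a phone that still has its default root password.
Added example; the sample configs below are constructed, not taken from a phone."""


def effective_settings(config_text: str) -> dict:
    """Return the settings sshd would actually apply: first occurrence of each
    keyword wins, keywords are case-insensitive, comments are stripped, and
    directives inside a Match block are ignored (simplification)."""
    settings = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)   # first occurrence wins
    return settings


# Upstream defaults applied when a keyword is absent.  PermitRootLogin's default
# has changed across OpenSSH releases; 'yes' is the conservative assumption for
# an old build such as the ones shipped for the phone.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# values of PermitRootLogin that do not accept the root password
ROOT_PASSWORD_BLOCKED = {"no", "without-password", "prohibit-password"}


def audit(config_text: str) -> list:
    """Return (code, explanation) findings; an empty list means nothing flagged."""
    s = effective_settings(config_text)
    get = lambda k: s.get(k, DEFAULTS.get(k, ""))
    # KbdInteractiveAuthentication is the newer name; ChallengeResponse the older.
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication", "yes"))
    findings = []
    if get("permitrootlogin") not in ROOT_PASSWORD_BLOCKED:
        findings.append(("ROOT_LOGIN",
                         "root may log in with a password; the default root password is public"))
    if get("passwordauthentication") != "no":
        findings.append(("PASSWORD_AUTH", "password logins allowed; use keys instead"))
    if kbd != "no":
        findings.append(("KBD_INTERACTIVE",
                         "keyboard-interactive auth still accepts the password even "
                         "when PasswordAuthentication is off"))
    if get("pubkeyauthentication") == "no":
        findings.append(("PUBKEY_DISABLED", "public-key login disabled; passwords are the only way in"))
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append(("NO_ALLOWUSERS", "every local account may log in; restrict with AllowUsers"))
    return findings


WEAK_CONFIG = """\
# constructed sample of an as-shipped sshd_config
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
# a later 'fix' appended here has no effect: the first occurrence above wins
PermitRootLogin no
"""

HARDENED_CONFIG = """\
# constructed sample: keys only, no root, a single named account
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers admin   # 'admin' is a placeholder for your unprivileged account
Subsystem sftp /usr/libexec/sftp-server
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {[code for code, _ in audit(cfg)] or 'no findings'}")
```

Note that the audit still flags `ROOT_LOGIN` on the weak sample even though the file ends with `PermitRootLogin no`; that is the first-occurrence rule, and it is the most common reason a "hardened" sshd keeps accepting the old root password.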


#6, Newbie (joined Sep 2007, 2 posts)

    Really? Does sshd get installed when you put on the BSD Subsystem?

    (unix n00b)

#7, Advanced (joined Sep 2007, 40 posts)

    SSH does not get installed with the BSD Subsystem.

    However, I do agree with the concerns of security using these apps. Many of the applications on AppTap do have Google Code repositories or some other form to publicly browse their code. Many developers at this stage are learning from each other so those actually get looked through quite often, although not with a security focus. So far I personally have looked through UIctl, rSBT, NES, DeEDGE, Stumbler, and Colloqy (not thoroughly) without any cause for concern yet.

#8, Rookie (joined Sep 2007, 16 posts)

    Languard N.S.S. 8.0 (2007) reports some vulnerabilities on my iPhone. Maybe someone with expertise could give it a try on his. It would be interesting to see how an out-of-factory phone reacts to the scan. I'm going to take all 3rd party apps off the phone tomorrow for a moment to see the changes. E.g. this asylum hint isn't that nice (even though the port is reported stealth if on EDGE/GPRS).

    Last edited by benne; 09-29-2007 at 04:24 AM.
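
The before/after comparison proposed above (scan, remove the 3rd party apps, scan again) does not need a commercial scanner; what matters is keeping a baseline and diffing against it. This added example, which is not from the original thread and not Languard's output, does a plain TCP connect scan and reports which ports a package install opened or closed. So that it runs offline, the "daemon" is a constructed local listener on 127.0.0.1 that stays closed until `start()` is called; against a real phone you would pass its WLAN address and a port range instead.

```python
"""Baseline the TCP ports a device exposes, re-scan after installing (or
removing) third-party packages, and report what changed.  Added example;
the 'service' is a constructed loopback listener standing in for a daemon
that a package started, so the script runs offline."""
import socket


def scan(host: str, ports, timeout: float = 0.2) -> list:
    """Return the sorted list of ports that complete a TCP connect (no banner grab)."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sk:
            sk.settimeout(timeout)
            if sk.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return sorted(open_ports)


def exposure_diff(before, after) -> dict:
    """Ports newly open (what the install added) and newly closed (what it removed)."""
    return {"opened": sorted(set(after) - set(before)),
            "closed": sorted(set(before) - set(after))}


class FakeService:
    """Bound to an ephemeral loopback port but not accepting until start() runs.
    A bound socket that is not listening refuses connections, which models
    'closed' without needing a second port."""

    def __init__(self, host: str = "127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))
        self.host, self.port = self.sock.getsockname()

    def start(self):
        self.sock.listen(5)

    def stop(self):
        self.sock.close()


def demo() -> dict:
    """Scan before and after a 'package' starts its daemon; return what changed."""
    svc = FakeService()
    # candidate ports: the service port plus neighbours that should stay closed
    candidates = [p for p in (svc.port - 1, svc.port, svc.port + 1) if 1 <= p <= 65535]
    try:
        before = scan(svc.host, candidates)
        svc.start()                       # the 'install' that opens a listener
        after = scan(svc.host, candidates)
    finally:
        svc.stop()
    return {"service_port": svc.port, "before": before, "after": after,
            "diff": exposure_diff(before, after)}


if __name__ == "__main__":
    result = demo()
    print(f"service on {result['service_port']}: before={result['before']} "
          f"after={result['after']} diff={result['diff']}")
```

A connect scan only tells you a port answers; it says nothing about what is listening or whether it is reachable from the cellular side, so treat "stealth on EDGE/GPRS" as a separate question from "open on the WLAN".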

#9, dogzilla, Senior Professional (joined Aug 2007, Boston, 106 posts)

    This is something that I've been worried about for a while, especially after some of the talk I've seen on IRC concerning turning iPhones into zombies and other types of hacking. I think developers need to take more responsibility here - most iPhone apps don't even have the level of info from developers provided by Freshmeat. A web page describing what the app is, does, and a version history, source code if applicable, and contact info would be - I would think - a minimum requirement. Additionally, I really admire what the developer of Sketches has done, providing version history in the app itself. I think developers should do more of this.

    Additionally, nullriver has been talking about making Installer.app a commercial product. If so, I think they're going to need to do more to vet applications by requiring a little more from application developers in order to be pushed through Installer.app. I like Installer.app, but I'm really concerned about the utter lack of security. It would be trivial to write and distribute an app containing a really nasty and virulent worm, especially when you consider that apps run as root.

    Overall, I'm starting to warm to the idea of Apple controlling what apps run on the iPhone. I think we absolutely need an SDK, but I also don't believe that the iPhone dev community has shown the ability or even willingness to take security seriously.
    "Are you into S&M?"
    "Well...I'm a Red Sox fan. Does that count?"
    Go Sox!

#10, Rookie (joined Aug 2007, 14 posts)

    Is the concern with inadvertent security holes, i.e. buffer overflows etc., or with outright malicious software? I don't think malware is a problem; the scene is so small this will get found out quickly. Apart from Installer.app I only install open source software. As far as security holes in software go... I have to admit the code I've seen in a lot of popular iPhone applications is absolutely atrocious. While it's not a security hole, here is an example from a very popular iPhone project that will remain nameless:
    Code:
    NSString* fileInfo = [[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[NSString string]
    		stringByAppendingString: @"Size: "] ... it just gets worse from here
    I mean wtf, this project has even made it to Gizmodo ... you know who you are.



