C/C++/Cocoa tool for codesign security, Developer ID, & Mac App Store Receipt Validation
Tighten Pro - in the Mac App Store
Tighten Pro is now available in the Mac App Store.
Mac Developer: OS X 10.10.2 will fix years-old Thunderbolt hardware vulnerability
OS X 10.10.2 will fix years-old Thunderbolt hardware vulnerability: "The so-called 'Thunderstrike' hardware exploit was publicized late last year, but the hack takes advantage of a flaw in the Thunderbolt Option ROM first disclosed in 2012. Until now, that flaw hasn't been patched, but according to iMore, the latest beta of Apple's OS X 10.10.2 update fixes the problem."
Labels: security fix, security flaw, thunderstrike
Mac Developer: Twitter’s war on developers continues: Tweetbot for Mac falls victim to token limit, gets pulled from App Store | 9to5Mac
Twitter’s war on developers continues: Tweetbot for Mac falls victim to token limit, gets pulled from App Store | 9to5Mac: "In November, 9to5Mac brought you an exclusive interview on Twitter’s limitations on third-party developers with the Iconfactory’s Gedeon Maheux. In the original article, Maheux said that development on Twitterrific 5 for Mac had stalled due to Twitter’s strict limits on how many users can login to a particular application."
All in good fun until somebody loses an eye.
Labels: devwars, twitter
Mac Developer: Google's Project Zero reveals three new zero-day exploits in Apple's OS X [u]
Google's Project Zero reveals three new zero-day exploits in Apple's OS X [u]: "An internal software security research team at Google has publicly revealed three recently-discovered zero-day exploits in Apple's Mac OS X desktop operating system, though the severity of each vulnerability is unknown."
Don't like the sound of sandbox escape via XPC.
Labels: security flaw, XPC service
Mac Developer: Security bug Heartbleed may be forgotten, but it's not gone | VentureBeat | Security | by Ruth Reader
Security bug Heartbleed may be forgotten, but it's not gone | VentureBeat | Security | by Ruth Reader: "However, a new bill called the Cyber Supply Chain Management and Transparency Act of 2014, would require software makers to provide a bill of materials for all the code components used in the software."
Obviously, bureaucracy will provide a solution that software engineers themselves cannot provide. Right.
Mac Developer: What Blackhat Gets Right: A Chat With Former Hacker Kevin Poulsen
What Blackhat Gets Right: A Chat With Former Hacker Kevin Poulsen: "Back in Kevin Poulsen's hacker days, before he became writer and Wired editor, he pulled stunts like taking over the phone lines in a radio contest to win himself a Porsche, or breaking into the FBI's computer system when he ended up on the agency's Most Wanted list to change his physical description. He served a five-year sentence for his crimes. Now he's consulting for Hollywood hacker films."
It's an interesting plot, low on tech details, that runs toward an ever-closing noose instead of ever-heightening public stakes. I enjoyed it.
Labels: blackhat, hacker movie
Mac Developer: This USB wall charger secretly logs keystrokes from Microsoft wireless keyboards nearby | VentureBeat | Security | by Emil Protalinski
This USB wall charger secretly logs keystrokes from Microsoft wireless keyboards nearby | VentureBeat | Security | by Emil Protalinski: "Privacy and security researcher Samy Kamkar has released a keylogger for Microsoft wireless keyboards cleverly hidden in what appears to be a rather large, but functioning USB wall charger. Called KeySweeper, the stealthy Arduino-based device can sniff, decrypt, log, and report back all keystrokes — saving them both locally and online."
It ain't getting better...
Labels: security, security flaw
Mac Developer: Today's computers face more attacks than ever - CNET
Today's computers face more attacks than ever - CNET: "Kaspersky saw four times more mobile malware attacks in 2014 than the year before, said Patrick Nielsen, a researcher with the company."
Dang! Glad most of those are for Windows.
Mac Developer: Quarantino - xattr com.apple.quarantine in an App
Introducing Quarantino.app for Mac OS X (10.6.8 through 10.10.x) - a simple and effective way to view the signing credentials of an app downloaded from the internet and, if so desired, remove the quarantine attribute (com.apple.quarantine, the one that xattr -l shows on the file).
The fact of the matter is, some OS features are not available to properly signed applications if they are in the quarantine. Don't believe me? See if you can spot the differences in operation between Quarantino.app (quarantined) and after you remove it from the quarantine.
Available for download now from this website (Developer ID credentials) and coming soon to the App Store (fingers crossed - in review)!
Labels: com.apple.quarantine, quarantino, secure coding mac, security, utility
Mac Developer: Mac OS X Security Overview
Nice security overview of Mac OS X. Different features and advantages are covered.
Labels: mac runtime sandbox detection, sandbox policy language, secure coding mac, security, xprotect.plist
Mac Developer: Security researcher rewrites Mac firmware over Thunderbolt, says most Intel Thunderbolt Macs vulnerable | 9to5Mac
Security researcher rewrites Mac firmware over Thunderbolt, says most Intel Thunderbolt Macs vulnerable | 9to5Mac: "Once installed, the firmware cannot be removed since it replaces Apple’s public RSA key, which means that further firmware updates will be denied unless signed by the attacker’s private key"
Most hardware manufacturing is done overseas.
Labels: security flaw
Mac Developer: Technical notes, my online memory: Gatekeeper, XProtect and the Quarantine attribute
Technical notes, my online memory: Gatekeeper, XProtect and the Quarantine attribute: "Apps can opt-in to Gatekeeper and XProtect protection by adding LSFileQuarantineEnabled to their Contents/Info.plist. This means that any files created by that app will get tagged with the apple quarantine HFS+ extended attribute."
Everything you wanted to know about quarantine but were afraid to ask.
Labels: gatekeeper, quarantine, secure coding mac, security
Mac Developer: Touch ID hackers attempt to take things to next level, no need for physical fingerprint | 9to5Mac
Touch ID hackers attempt to take things to next level, no need for physical fingerprint | 9to5Mac: "The hacker who successfully used a fingerprint captured from an iPhone to fool Touch ID now believes it may be possible to perform the same hack without needing access to a physical fingerprint."
Anyone who has already seen a Bond film knew that.
Labels: security, security flaw
Mac Developer: The Cocoa Distillery - How to build on 10.8 and earlier, then sign for...
The Cocoa Distillery - How to build on 10.8 and earlier, then sign for...: "The only way to obtain a v2 signature is by code signing under 10.9, but since Xcode 3 doesn’t run on anything newer than 10.6.8, I’ll have to separate the build process from the signing, packaging and submission process."
For those building under 10.6.8 for the Mac App Store or Gatekeeper.
Labels: codesign, gatekeeper, secure coding mac, security, version 2 signature
Mac Developer: Keybase
Keybase: "Get a public key, safely, starting just with someone's social media username(s)."
Interesting solution to a problem which is probably a better foundation than Facebook authentication.
Labels: keybase.io, public key, security
Mac Developer: PSN is coming back online, Xbox Live is up -- and that's maybe because of Kim Dotcom | GamesBeat | Games | by Jeff Grubb
PSN is coming back online, Xbox Live is up -- and that's maybe because of Kim Dotcom | GamesBeat | Games | by Jeff Grubb: "When Dotcom, who owns and operates the file-transfer website Mega, found out that he could not get online to play developer Bungie's online shooter Destiny on Xbox One, he took to the Web to strike a deal."
I guess that worked better than whatever the Feds had in mind.
Labels: security, security flaw, think different
Mac Developer: Sony considers YouTube as possible distributor for The Interview after hack | Film | The Guardian
Sony considers YouTube as possible distributor for The Interview after hack | Film | The Guardian: "Sony Pictures still wants and intends to release its controversial film The Interview, possibly via YouTube."
Sounds like a plan, Stan.
Labels: security flaw, sony hack
Mac Developer: BBC News - Jeans made that will prevent 'digital pickpocketing'
BBC News - Jeans made that will prevent 'digital pickpocketing': "A pair of jeans containing material that blocks wireless signals is being developed in conjunction with anti-virus firm Norton.
The trousers are intended to stop thieves hacking into radio frequency identification (RFID) tagged passports or contactless payment cards."
Although I think these are cool, I shudder to think they are necessary.
Labels: security flaw
Mac Developer: BBC News - Google considers warning internet users about data risks
BBC News - Google considers warning internet users about data risks: "Google is proposing to warn people their data is at risk every time they visit websites that do not use the 'HTTPS' system."
For years, HTTPS has been the leakiest system ever. Hey, let's encourage everyone to overuse it!
Labels: overcompensation, security flaw
Mac Developer: Technical Note TN2206: OS X Code Signing In Depth
Technical Note TN2206: OS X Code Signing In Depth: "Checking Gatekeeper Conformance
To test Gatekeeper conformance, you must use OS X 10.9.5 or later. Follow these steps:
Package your program the way you ship it, such as in a disk image.
Download it from its website, or mail it to yourself, or send it to yourself using AirDrop or Message. This will quarantine the downloaded copy. This is necessary to trigger the Gatekeeper check as Gatekeeper only checks quarantined files the first time they're opened.
Hint: keep the downloaded .dmg around; it will stay quarantined and you can use it again and again to test.
Drag-install your app and launch it.
Observe the results.
Hint: Don't launch from inside the .dmg."
A quick guide to testing Gatekeeper conformance under 10.9.5
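The Quarantino post above and the TN2206 steps both hinge on the same detail: Gatekeeper only assesses a file that carries the com.apple.quarantine attribute, and only on first open. The script below is an added example, not code from the blog, from Quarantino.app, or from Apple's technical note. It decodes the attribute value into its four semicolon-separated fields (flags in hex, download time as hex seconds since the epoch, the downloading agent, and an origin UUID; that layout is an assumption drawn from what the attribute looks like on shipped systems, not from Apple documentation) and, when run on a Mac with a path argument, reports whether the copy is still quarantined and runs the same codesign and spctl verification that Gatekeeper performs. The SAMPLE_QUARANTINE value is constructed so the parsing part runs offline on any POSIX shell.

```shell
#!/bin/sh
# Added example: inspect a downloaded app's quarantine state before a
# Gatekeeper conformance test. Not part of Quarantino.app or TN2206.

# Assumed attribute layout (observed, not documented by Apple):
#   <flags hex>;<download time, hex seconds since epoch>;<agent name>;<UUID>
quarantine_field() {
    # $1 = raw attribute value, $2 = 1-based field index
    printf '%s\n' "$1" | cut -d ';' -f "$2"
}

quarantine_timestamp() {
    # Convert the hex download time to decimal seconds since the epoch.
    printf '%d\n' "0x$(quarantine_field "$1" 2)"
}

describe_quarantine() {
    # Print one line per field; return 1 if the value has fewer than 4 fields.
    val=$1
    n=$(printf '%s\n' "$val" | awk -F';' '{print NF}')
    [ "$n" -ge 4 ] || return 1
    printf 'flags:      0x%s\n' "$(quarantine_field "$val" 1)"
    printf 'downloaded: %s (seconds since epoch)\n' "$(quarantine_timestamp "$val")"
    printf 'agent:      %s\n' "$(quarantine_field "$val" 3)"
    printf 'origin id:  %s\n' "$(quarantine_field "$val" 4)"
}

check_download() {
    # $1 = path to the drag-installed .app (or the .dmg it came in).
    path=$1
    if ! command -v xattr >/dev/null 2>&1; then
        echo "xattr not available; this check needs macOS" >&2
        return 2
    fi
    # xattr -p prints the value of one named attribute; it fails if absent.
    if val=$(xattr -p com.apple.quarantine "$path" 2>/dev/null); then
        echo "$path is quarantined: Gatekeeper will assess it on first open"
        describe_quarantine "$val"
    else
        echo "$path has NO quarantine attribute: Gatekeeper will not check it"
    fi
    # Same checks the system applies: signature integrity, then the
    # Gatekeeper policy decision (Developer ID / App Store / rejected).
    if command -v codesign >/dev/null 2>&1; then
        codesign --verify --deep --strict --verbose=2 "$path"
    fi
    if command -v spctl >/dev/null 2>&1; then
        spctl --assess --type execute --verbose "$path"
    fi
}

# Constructed sample value for offline runs; the UUID is made up.
SAMPLE_QUARANTINE='0083;5c3e4d2a;Safari;12345678-ABCD-4321-8765-0123456789AB'

# Only touch the filesystem when a path is given, so the functions can be
# sourced or tested without a Mac present.
if [ -n "${1:-}" ]; then
    check_download "$1"
fi
```

Run it as `sh check_quarantine.sh /Applications/YourApp.app` after the drag-install step; if the "NO quarantine attribute" branch fires, the test described in TN2206 has not actually exercised Gatekeeper, which is the usual reason a conformance test passes locally and fails for customers.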
Mac Developer: Powerful, highly stealthy Linux trojan may have infected victims for years | Ars Technica
Powerful, highly stealthy Linux trojan may have infected victims for years | Ars Technica: "Researchers have uncovered an extremely stealthy trojan for Linux systems that attackers have been using to siphon sensitive data from governments and pharmaceutical companies around the world."
May you live in interesting times.
Labels: security flaw
Mac Developer: Ranked: The 12 programming languages that will earn you the most | VentureBeat | Dev | by Dylan Tweney
Ranked: The 12 programming languages that will earn you the most | VentureBeat | Dev | by Dylan Tweney: "Quartz’s Max Nisen pulled out some figures on the most valuable programming languages based on a larger study from the Brookings Institution that was published in July."
Good news for Obj-C hackers.
Mac Developer: US DOJ fines StealthGenie for selling Android, iOS spyware, demands source code
US DOJ fines StealthGenie for selling Android, iOS spyware, demands source code: "The United States Department of Justice has fined the CEO of spyware vendor StealthGenie $500,000 and demanded the firm turn over the source code for software designed to remotely monitor calls, texts and other activity on Android and jailbroken iOS devices."
Labels: security, security law
Mac Developer: SanDisk launches portable storage drive with built-in Lightning connector
SanDisk launches portable storage drive with built-in Lightning connector: "The iXpand Flash Drive comes in capacities of 16, 32 and 64 gigabytes and is compatible with any iOS device with a Lightning port running iOS 7 or later. File transfers and backups are accomplished through the SanDisk iXpand Sync app available for free on the App Store."
I'm actually quite curious as to what entitlements this app is using.
Labels: app security, app store
Mac Developer: WSJ: Department of Justice uses fake cell towers on airplanes to capture data from mobile phones | 9to5Mac
WSJ: Department of Justice uses fake cell towers on airplanes to capture data from mobile phones | 9to5Mac: "The Wall Street Journal reported today that the United States Department of Justice has been using planes equipped with devices that pose as cellular towers (called ‘dirtboxes’) to collect data from suspected criminals’ cell phones—and capturing data from innocent bystanders in the process."
Yay for us!
Labels: security, security flaw
Mac Developer: Major iOS security flaw ‘Masque Attack’ reportedly uncovered, found to ‘pose much bigger threat’ than WireLurker | 9to5Mac
Major iOS security flaw 'Masque Attack' reportedly uncovered, found to 'pose much bigger threat' than WireLurker | 9to5Mac: "FireEye claims that it notified Apple about this vulnerability, which affects both non-jailbroken and jailbroken devices running iOS 7.1.1 through iOS 8.1.1 beta, on July 26th."
You are in a maze of twisty passages all alike.
Labels: pyramid text adventure, security flaw
Mac Developer: Apple blocks WireLurker malware apps from opening, but needs to do more, argues security researcher | 9to5Mac
Apple blocks WireLurker malware apps from opening, but needs to do more, argues security researcher | 9to5Mac: "We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources."
I believe the USB exploit is more or less impossible to defend against.
Labels: security, security flaw, security tools mac
Mac Developer: Chinese Mac and iOS users targeted by new ‘WireLurker’ malware capable of infecting non-jailbroken devices | 9to5Mac
Chinese Mac and iOS users targeted by new ‘WireLurker’ malware capable of infecting non-jailbroken devices | 9to5Mac: "The New York Times reports that a security firm called Palo Alto Networks has uncovered a new form of Apple-focused malware that is capable of infecting non-jailbroken iOS devices. Typically when such software pops up, as it does from time to time, one of the key factors that allows the malicious code to run on iOS is whether the device is jailbroken. The new ‘WireLurker’ malware, however, is installed on the mobile device over USB by an infected Mac."
Labels: app security, app store