C/C++/Cocoa tool for codesign security, Developer ID, & Mac App Store Receipt Validation
Tighten Pro - in the Mac App Store
Tighten Pro is now available in the Mac App Store.
Simply click on the icon to the left to purchase directly from Apple.
Or choose PKCS#7Viewer.app by clicking the image to the right.
Mac Developer: 'iWorm' malware controls Macs via Reddit, more than 17K affected
'iWorm' malware controls Macs via Reddit, more than 17K affected: "Entered into the virus database of Russian research firm Dr. Web as 'Mac.BackDoor.iWorm,' the new threat is described as a complex multi-purpose backdoor capable of issuing a variety of commands to be carried out by an affected host Mac. Among the operations available to the malware are data gathering and limited system remote control.
The name is Evil, Dr. Evil. Ha ha ha!
Labels: security flaw, security tools mac
Mac Developer: BBC News - Personal data stores found leaking online
BBC News - Personal data stores found leaking online: "Those at risk are people who use home data storage devices known as Network Attached Storage (NAS). Correctly configured, these devices act as a common data store accessible by any other device connecting to that home network."
NAS hung on the wrong side of the NAT.
Labels: security flaw
Mac Developer: genkiyooka/MacRuntimeSandboxDetection · GitHub
genkiyooka/MacRuntimeSandboxDetection · GitHub: "For CFPlugIn and AudioUnit developers - how to check Mac App Store sandbox capabilities at runtime."
Apologies for the delay, but just checked in bug fixes for detecting Mac OS X sandbox capabilities at runtime. I'm using this in production code now, and I believe it is stable and working correctly on 10.6-10.9.
This code is quite useful when building solutions that may be DeveloperID or Mac App Store and/or sandboxed. If you discover any cases that are not correctly handled, please let me know.
Labels: app security, secure coding mac
Mac Developer: 9to5Mac: Apple iPhone, Mac and iPad News Breaking All Day
9to5Mac: Apple iPhone, Mac and iPad News Breaking All Day: "As noticed by Apfelpage, Apple has published a new page to be more open about why it rejects apps. A chart at the bottom of the page shows the top ten reasons for app rejection in the last seven days; such as lack of information, crashes or bugs encountered, complicated user interfaces."
"Watch your parking meters." - Bob Dylan
Labels: security flaw
Mac Developer: BBC News - Gmail smartphone app hacked by researchers
BBC News - Gmail smartphone app hacked by researchers: "This shared memory is used by all apps, and by analysing its use the researchers were able to tell when a user was logging into apps such as Gmail, giving them the opportunity to steal login details and passwords."
Sounds like everyone is going to have zero memory when it's deallocated.
Labels: app security
Mac Developer: 9to5Mac: Apple iPhone, Mac and iPad News Breaking All Day
9to5Mac: Apple iPhone, Mac and iPad News Breaking All Day: "Following a recent ruling that Apple would have ten days to remove the anonymous social app Secret from its Brazilian App Store, Apple has complied with the order. The"
Ah, the benefits of centralized control.
Labels: 2001, HAL
Mac Developer: Confirmed: Security breach is not reason for Gatekeeper app signing changes | 9to5Mac
Confirmed: Security breach is not reason for Gatekeeper app signing changes | 9to5Mac
We’ve now confirmed with sources close to the situation that there is no truth to the rumors and that a Dev Center breach was not the reason behind the Gatekeeper app signing changes.
In other words, it's just a worthless change (read: everybody churn!) aimed at making life difficult for 3rd party ISV's which, unlike Apple, do not have unlimited capital with which to hire engineers, do testing and so forth. Should be very popular with enterprise developers.
Mac Developer: Spies used YouTube videos and Microsoft log-ins to take over devices
Spies used YouTube videos and Microsoft log-ins to take over devices: "The study names Hacking Team and FinFisher as two of the companies that sell law enforcement agencies 'network-injection' technologies like this for around $1 million dollars. In fact, Italian company Hacking Team is known for developing software to spy on people's emails, phone calls and the like specifically for sale to law enforcement in countries not blacklisted by NATO."
Like a blacklist is going to prevent the movement of software!
Labels: security, security law
Mac Developer: Surveillance leak shows spyware loves Android, but can't infect Apple's iPhones without jailbreak
Surveillance leak shows spyware loves Android, but can't infect Apple's iPhones without jailbreak: "The regularly updated software tool supports all releases of Android, devices running BlackBerry OS prior to the newest BB10, Symbian and Windows Mobile phones, but notes that in order to spy on an iPhone, the user must jailbreak their device, a step that disables Apple's security. "
At last, some good news.
Mac Developer: BBC News - US should pay hackers who find threats, says analyst
BBC News - US should pay hackers who find threats, says analyst
Dan Geer said large bounties would prevent the vulnerabilities from ending up in the hands of criminal gangs or hostile authorities.
Have hackers ever been motivated by money?
Mac Developer: 'Canvas fingerprinting' has a new enemy, and its name is Ghostery | VentureBeat | Security | by Richard Byrne Reilly
'Canvas fingerprinting' has a new enemy, and its name is Ghostery | VentureBeat | Security | by Richard Byrne Reilly: "Critically, canvas fingerprinting cannot be blocked by refusing or deleting browser cookies, which is what most tracking tools use. Although canvas fingerprinting works on both desktop and mobile, it thrives in the former, because the technology is older."
All signs point to the browser as the main security vulnerability.
Labels: secure coding mac
Mac Developer: Master Control Program
Are you sure it's what you want? A centralized control of everything in the system? Such a thing is necessarily brittle. Nothing can stop open systems: like water, it will flow into the future regardless as to the barriers.
Mac Developer: Apple changing Gatekeeper app signing rules in OS X 10.9.5 & Yosemite, could break some apps | 9to5Mac
Apple changing Gatekeeper app signing rules in OS X 10.9.5 & Yosemite, could break some apps | 9to5Mac: "For users, this will add an extra layer of annoyance when dealing with certain third-party apps, especially those downloaded from the web rather than through the Mac App Store."
Pretty soon, dealing with publishing requirements will take more time than developing applications. Great news for crap developers that wrap HTML5 in WebViews!
Labels: codesign, security
Mac Developer: BBC News - Wearable users tracked with Raspberry Pi
BBC News - Wearable users tracked with Raspberry Pi: People who use wearable gadgets to monitor their health or activity can be tracked with only $70 (£40) of hardware, research suggests.
The work, carried out by security firm Symantec, used a Raspberry Pi computer to grab data broadcast by the gadgets.
The snooping Pi was taken to parks and sporting events where it was able to pick out individuals in the crowds.
I'm sure the situation is much worse than you'd expect because embedded systems on these kinds of devices are rarely scrutinized like desktop and mobile operating systems.
Labels: security, security flaw, wifi
Mac Developer: 'BadUSB' malware lives in USB firmware to remain undetected, unfixable
'BadUSB' malware lives in USB firmware to remain undetected, unfixable: "As there is no easy fix to malware like BadUSB, the researchers suggest users adopt a new way of thinking about USB hardware. Instead of thoughtlessly transporting files and other data back and forth between machines, Nohl and Lell recommend connecting only to known devices that are user-owned or trusted. "
Goodbye USB, hello my old friend FireWire.
Labels: security, security flaw
Mac Developer: Russia requests Apple provide access to source code | 9to5Mac
Russia requests Apple provide access to source code | 9to5Mac: "Reuters reports that Russia has asked Apple to provide the government with access to the company’s source code to make sure its iOS devices and Macs aren’t used for spying.
This is weirdly hilarious and disturbing at the same time.
Labels: security law
Mac Developer: BBC News - Android Fake ID bug exposes smartphones and tablets
BBC News - Android Fake ID bug exposes smartphones and tablets
BlueBox Labs said it was particularly concerning as phone and tablet owners did not need to grant the malware special permissions for it to act.
If this is true, then essentially Android devices do not have codesigning protection. Sounds like any app can use a self-signed certificate chain to spoof the identifier of a well-known manufacturer. I guess the good news is they are fixing the bug.
Labels: android, certificate, certificate authority, codesign, codesigning
Mac Developer: Apple begins encrypting iCloud email sent between providers | 9to5Mac
Apple begins encrypting iCloud email sent between providers | 9to5Mac
The change is documented on Google’s transparency website that shows the percentage of emails encrypted in transit for both inbound and outbound email exchanges
I can't tell if the world is changing or if we all simply woke up and smelled the malware.
Mac Developer: Crypto certificates impersonating Google and Yahoo pose threat to Windows users | Ars Technica
Crypto certificates impersonating Google and Yahoo pose threat to Windows users | Ars Technica: "A blog post published Tuesday by Google security engineer Adam Langley said the fraudulent transport layer security (TLS) certificates were issued by the National Informatics Centre (NIC) of India, an intermediate certificate authority that is trusted and overseen by India's Controller of Certifying Authorities (CCA)."
My personal opinion is that many of the so-called trusted technologies that are in use on the internet have never really been properly audited or stress-tested. It's only as the malware networks reap their rewards that anyone is paying any real attention to exploits. Software is complex and hard to debug and it gets much worse when you consider a heterogenous system such as the global internet. On the plus side, a truly heterogenous system based on standards says that someone is going to emerge as a clear leader in this area.
I personally think the monolithic bloatware OS is going to be superseded in the coming years by something very minimalistic. Maybe a hypervisor. Something so small it can be completely tested and debugged.
This mad race to add OS features isn't really serving anyone. Except the marketers. In other words, people who don't have any vested long-term interest in the integrity of a user's experience. Just as long as the gloss is still the most prevalent consideration.
Oh, wait. Icon gloss has been deprecated for flat minimalistic design. By design I mean fashion fad.
Labels: certificate trust chain, security, self-signed certificates
Mac Developer: Malwarebytes takes in $30M, its first round since launching in 2008 | VentureBeat | Deals | by Richard Byrne Reilly
Malwarebytes takes in $30M, its first round since launching in 2008 | VentureBeat | Deals | by Richard Byrne Reilly: "It is an astonishing tale that continues to amaze. Today, Malwarebytes’ anti-virus security software protects the computers and mobile devices of more than 206 million clients who are fiercely loyal, employs 140 — 90 of whom occupy R&D roles — and will soon begin acquiring smaller players in the space."
The number of malware attacks per minute is troubling.
Mac Developer: Inside App Extensions: the Cloud Kit-savvy Photos future of Apple's iPhoto & Aperture
Inside App Extensions: the Cloud Kit-savvy Photos future of Apple's iPhoto & Aperture
At the same time, the fact that Extensions are always bundled in an app means that developers can deploy new Extensions as an app update (allowing Instagram to make its filters available in Photos, for example), and sell Extensions as an additional feature for their existing apps.
Even though everyone is articulating the idea that XPC is some new technology, it's really just a security-wise reworking of distributed objects. Which is great. Because DO is a terrific tool for Objective-C developers. The fact that it is coming to iOS is awesome. It signals the end of the era of monolithic iOS apps and the beginning of something entirely new.
Labels: app extensions, distributed objects, XPC service
Mac Developer: genkiyooka/MacRuntimeSandboxDetection
For CFPlugIn and AudioUnit developers - how to check Mac App Store sandbox capabilities at runtime.
If you write system components (i.e. CoreAudio AudioUnit), CFPlugIn bundles or loadable Cocoa frameworks which are shared among applications (like haxies), you may wish to detect the capabilities of the sandbox environment into which you've been loaded so you can gracefully disable features and so forth.
Naive implementations of such loadable code often dump huge volumes of system messages into the Console.log - not useful to anyone.
Labels: app store, c++, cocoa, mac runtime sandbox detection, sandbox, secure coding mac, security tools mac
Mac Developer: Secure Coding Guide: Introduction to Secure Coding Guide
Secure Coding Guide: Introduction to Secure Coding Guide
The document begins with “Types of Security Vulnerabilities,” which gives a brief introduction to the nature of each of the types of security vulnerability commonly found in software. This chapter provides background information that you should understand before reading the other chapters in the document. If you’re not sure what a race condition is, for example, or why it poses a security risk, this chapter is the place to start.
A good overview that just popped up on my radar.
Labels: sandbox, secure coding mac, security
Mac Developer: Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers
Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers
In the DDC technique, source code is compiled twice: once with a second (trusted) compiler (using the source code of the compiler’s parent), and then the compiler source code is compiled using the result of the first compilation. If the result is bit-for-bit identical with the untrusted executable, then the source code accurately represents the executable.
You are in a maze of twisty passages, all alike.
Mac Developer: Who Is Paunch? — Krebs on Security
Who Is Paunch? — Krebs on Security
“As I have done before, I am asking all the users as well as IT Security professionals to disable all plug-ins and add-ons in their browsers,” Fedotov warned forum members. “Do not think that if you are not users of Internet money (web money), there is no danger of being infected. In this case, the infected PCs are turned into socks proxies, spam/ddos bots and all the bad activity is done under your name, so that law enforcement can place all the blame on your shoulders. Safe surfing and good luck to you.”
I think this means you.
Labels: app security, security
Mac Developer: Open Threat Exchange (OTX) | AlienVault
Open Threat Exchange (OTX) | AlienVault
AlienVault Open Threat Exchange (OTX™) is an open threat information sharing and analysis network, created to put effective security measures within the reach of all organizations.
This is a terrific idea.
Mac Developer: Russian malware creators rule. Here's how they got so good | VentureBeat | Security | by Richard Byrne Reilly
Russian malware creators rule. Here's how they got so good | VentureBeat | Security | by Richard Byrne Reilly: "Eastern Europe, in particular Russia, is the malware capital of the world.
That’s the assertion of Adam Kujawa, a former Navy cryptologist and head of malware intelligence for Malwarebytes, a growing San Jose security outfit that has 100 employees and was originally founded in the windswept Baltic country of Estonia."
Labels: security, security law