C/C++/Cocoa tool for codesign security, Developer ID, & Mac App Store Receipt Validation
Tighten Pro - in the Mac App Store
Tighten Pro is now available in the Mac App Store.
Mac Developer: Woz says Apple would never hire him or Steve Jobs today | Cult of Mac
Woz says Apple would never hire him or Steve Jobs today | Cult of Mac: "Steve Wozniak thinks he and co-founder Steve Jobs could never have found employment at the company they created together, had they been in their twenties in 2015.
‘I look at the experience and education levels you need to get a job at Apple today and I think, ‘Well, Steve Jobs and I never could’ve gotten a job at Apple today,'’ Woz told The Australian Financial Review in an interview."
But they wouldn't need to, because they could download Xcode, spend $100 to enroll in an Apple developer program, and start their own company that way. It's the ecosystem, silly.
Mac Developer: Google warns of fake digital certificates issued for its domains and potentially others (Updated) | VentureBeat | Security | by Dylan Tweney
Google warns of fake digital certificates issued for its domains and potentially others (Updated) | VentureBeat | Security | by Dylan Tweney: "Google revealed today that it has discovered several fake digital certificates for some of its domains.
That’s bad, because any browser accessing these domains via transport layer security (TLS; the latest security protocol, and a successor to SSL) counts on a certificate in order to be sure that it’s connecting with the real McCoy, not some imposter."
Everything is going to be stress tested in ways we can't even imagine.
Labels: security, security flaw
Mac Developer: Apple's Safari among browsers taken down at Pwn2Own day 2
Apple's Safari among browsers taken down at Pwn2Own day 2: "South Korean security researcher Jung Hoon Lee toppled Safari with a use-after-free vulnerability, according to Threatpost. Lee was then able to bypass Safari's sandbox thanks to an uninitialized stack pointer, with the combined exploits netting him some $50,000 in prize money."
It's unfortunate, but the lazy code of browser writers penalizes everyone else, who must spend months reworking application software to work within the confines of increasingly restrictive security sandboxes.
It's the browser. And apps that thinly wrap the browser (read: Facebook).
Labels: app security, security flaw
Mac Developer: Apple reportedly cracks down on antivirus apps from iOS App Store, many apps pulled | 9to5Mac
Apple reportedly cracks down on antivirus apps from iOS App Store, many apps pulled | 9to5Mac: "One casualty of the removal is Intego’s VirusBarrier, which claims that this takedown was not specific to its product with Apple deciding the entire category of antivirus products is now off-limits."
I like the fact that Apple is fairly lax about editorializing App Store content, but it would be good if the app store became organized around search because otherwise in the long term, Google will be used to find apps in the store.
Labels: app security, app store
Mac Developer: Hundreds of iOS apps vulnerable to HTTPS-based FREAK attack
Hundreds of iOS apps vulnerable to HTTPS-based FREAK attack
Security researchers at FireEye recently went through thousands of iOS and Android apps and found that while the bulk are not vulnerable to the "FREAK" (Factoring RSA Export Keys) attack, a significant number are, reports Ars Technica.
Internal app security is the next frontier of security.
Labels: secure coding mac, security flaw
Mac Developer: Who's afraid of the Apple Watch?
Who's afraid of the Apple Watch?: "When experts at Bluebox Security examined a series of holiday-promoted Android products being sold in the U.S. at major retailers including Target and Walmart, it found that virtually every one of them was contaminated by malware or wide open vulnerabilities, in some cases with apparent malice involved, in the same fashion as Lenovo's intentional, ROI-motivated installation of Superfish advertising malware on its Windows notebooks."
It's not always good to lead in a category.
Labels: security flaw
Mac Developer: CIA has waged 'secret campaign' to crack Apple's iOS security - report
CIA has waged 'secret campaign' to crack Apple's iOS security - report: "Classified documents released by whistleblower Edward Snowden reveal that the Central Intelligence Agency has been engaged in a multi-year coordinated effort to crack the security of Apple's iOS platform, which powers and protects the iPhone and iPad."
If they were smart, they'd join forces with the NSA. Love that compartmentalization!
Mac Developer: Security firm finds preinstalled malware on Xiaomi Mi 4 smartphone | VentureBeat | Security | by Ruth Reader
Security firm finds preinstalled malware on Xiaomi Mi 4 smartphone | VentureBeat | Security | by Ruth Reader: "Data security firm Bluebox has discovered preinstalled malware and a host of other issues with a Xiaomi Mi 4 device the company tested. Scarier still, the phone seems to have been tampered with by an unidentified third party."
Brave new world.
Labels: android vs. ios, security flaw
Mac Developer: Researchers Find New 'FREAK' Security Flaw, Apple Says Fix Coming Soon - Mac Rumors
Researchers Find New 'FREAK' Security Flaw, Apple Says Fix Coming Soon - Mac Rumors: "Researchers have recently uncovered a major security flaw in software created by companies like Google and Apple, leaving many devices vulnerable to hacking attempts, reports The Washington Post. Called 'FREAK' (Factoring Attack on RSA-EXPORT Keys), the vulnerability stems from a U.S. government policy that once prevented companies from exporting strong encryption, requiring them to instead create weak 'export-grade' products to ship to customers outside of the United States."
US policy, the gift that keeps on giving!
Labels: security, security law
Mac Developer: Cook teases ‘ton’ of Apple Watch announcements, including Panera Bread, Salesforce enterprise & fitness apps | 9to5Mac
Cook teases ‘ton’ of Apple Watch announcements, including Panera Bread, Salesforce enterprise & fitness apps | 9to5Mac: "In addition to discussing the international Apple Watch launch and accessibility efforts at a briefing in Germany, Apple CEO Tim Cook teased ‘a whole ton of announcements coming shortly about all of the apps coming’ for the Apple Watch, according to employees in attendance. Cook first highlighted the use of the Apple Watch in hotels by saying that ‘some of the best hotels in the world’ will allow Apple Watch users to use the wearable to unlock room doors."
Sounds like a good thing. Although I would worry that an unconscious person's finger can be used to unlock their iPhone via Touch ID. By unconscious, I mean sleeping.
Labels: security, touch ID
Mac Developer: After Superfish scandal, Lenovo vows less bloatware and to be 'leader in cleaner, safer PCs' | VentureBeat | Business | by Paul Sawers
After Superfish scandal, Lenovo vows less bloatware and to be 'leader in cleaner, safer PCs' | VentureBeat | Business | by Paul Sawers: "Fresh from the Superfish scandal that saw some of its PCs subjected to horrible preloaded software that compromised user security, Lenovo is trying to win brownie points by vowing to ‘significantly reduce’ its preloaded software, commonly known as ‘bloatware.’"
It came from the East!
Labels: security flaw
Mac Developer: The Safe Mac » OpinionSpy is back!
The Safe Mac » OpinionSpy is back!: "yesterday, I found an installer on CNET’s Download.com containing a new variant of the OpinionSpy malware. "
The good news is that XProtect has been updated to protect against it.
Mac Developer: Apple to require all Mac App Store submissions to ditch garbage collection, switch to ARC on May 1st | 9to5Mac
Apple to require all Mac App Store submissions to ditch garbage collection, switch to ARC on May 1st | 9to5Mac: "Apple has announced on its developer site that apps submitted to the Mac App Store starting on May 1st will no longer be allowed to incorporate garbage collection, which was deprecated in OS X 10.8. Instead, developers will be required to switch to ARC, which was introduced in 10.7."
In some ways, this is hilarious. I took one look at GC and thought, in my own mind, "never in my apps, but if you want to, good luck with that". I feel the same way about ARC, which is a performance SUCK.
Labels: ARC vs GC
Mac Developer: Microsoft Pushes Patches for Dozens of Flaws — Krebs on Security
Microsoft Pushes Patches for Dozens of Flaws — Krebs on Security: "The bulk of the flaws (41) addressed in this update apply to Internet Explorer, the default browser on Windows. This patch should obviously be a priority for any organizations that rely on IE. Other patches fix bugs in the Windows OS itself and in various versions of Microsoft Office. A full breakdown of the patches is available here."
Maybe that Google arm wrestle is working after all.
Labels: security flaw
Mac Developer: The 3 Hottest Physical Security Products at CES 2015 | The Mac Security Blog
The 3 Hottest Physical Security Products at CES 2015 | The Mac Security Blog: "You already know where to turn for the best Mac security products on the planet. But as any good security practitioner will tell you, it's important to take a layered approach to security."
Love the Noke padlock, would hate if it ran out of battery power!
Mac Developer: OS X 10.10.2 will fix years-old Thunderbolt hardware vulnerability
OS X 10.10.2 will fix years-old Thunderbolt hardware vulnerability: "The so-called 'Thunderstrike' hardware exploit was publicized late last year, but the hack takes advantage of a flaw in the Thunderbolt Option ROM first disclosed in 2012. Until now, that flaw hasn't been patched, but according to iMore, the latest beta of Apple's OS X 10.10.2 update fixes the problem."
Labels: security fix, security flaw, thunderstrike
Mac Developer: Twitter’s war on developers continues: Tweetbot for Mac falls victim to token limit, gets pulled from App Store | 9to5Mac
Twitter’s war on developers continues: Tweetbot for Mac falls victim to token limit, gets pulled from App Store | 9to5Mac: "In November, 9to5Mac brought you an exclusive interview on Twitter’s limitations on third-party developers with the Iconfactory’s Gedeon Maheux. In the original article, Maheux said that development on Twitterrific 5 for Mac had stalled due to Twitter’s strict limits on how many users can login to a particular application."
All in good fun until somebody loses an eye.
Labels: devwars, twitter
Mac Developer: Google's Project Zero reveals three new zero-day exploits in Apple's OS X [u]
Google's Project Zero reveals three new zero-day exploits in Apple's OS X [u]: "An internal software security research team at Google has publicly revealed three recently discovered zero-day exploits in Apple's Mac OS X desktop operating system, though the severity of each vulnerability is unknown."
Don't like the sound of sandbox escape via XPC.
Labels: security flaw, XPC service
Mac Developer: Security bug Heartbleed may be forgotten, but it's not gone | VentureBeat | Security | by Ruth Reader
Security bug Heartbleed may be forgotten, but it's not gone | VentureBeat | Security | by Ruth Reader
However, a new bill called the Cyber Supply Chain Management and Transparency Act of 2014, would require software makers to provide a bill of materials for all the code components used in the software.
Obviously, bureaucracy will provide a solution that software engineers themselves cannot provide. Right.
Mac Developer: What Blackhat Gets Right: A Chat With Former Hacker Kevin Poulsen
What Blackhat Gets Right: A Chat With Former Hacker Kevin Poulsen: "Back in Kevin Poulsen's hacker days, before he became writer and Wired editor, he pulled stunts like taking over the phone lines in a radio contest to win himself a Porsche, or breaking into the FBI's computer system when he ended up on the agency's Most Wanted list to change his physical description. He served a five-year sentence for his crimes. Now he's consulting for Hollywood hacker films."
It's an interesting plot, low on tech details, that runs toward an ever-closing noose instead of ever-heightening public stakes. I enjoyed it.
Labels: blackhat, hacker movie
Mac Developer: This USB wall charger secretly logs keystrokes from Microsoft wireless keyboards nearby | VentureBeat | Security | by Emil Protalinski
This USB wall charger secretly logs keystrokes from Microsoft wireless keyboards nearby | VentureBeat | Security | by Emil Protalinski: "Privacy and security researcher Samy Kamkar has released a keylogger for Microsoft wireless keyboards cleverly hidden in what appears to be a rather large, but functioning USB wall charger. Called KeySweeper, the stealthy Arduino-based device can sniff, decrypt, log, and report back all keystrokes — saving them both locally and online."
It ain't getting better...
Labels: security, security flaw
Mac Developer: Today's computers face more attacks than ever - CNET
Today's computers face more attacks than ever - CNET: "Kaspersky saw four times more mobile malware attacks in 2014 than the year before, said Patrick Nielsen, a researcher with the company."
Dang! Glad most of those are for Windows.
Mac Developer: Quarantino - xattr com.apple.quarantine in an App
Introducing Quarantino.app for Mac OS X (10.6.8 through 10.10.x): a simple and effective way to view the signing credentials of an app downloaded from the internet and, if so desired, remove its quarantine attribute (the com.apple.quarantine extended attribute: xattr -l shows it, xattr -d com.apple.quarantine removes it).
The fact of the matter is, some OS features are not available to properly signed applications while they are quarantined. Don't believe me? See if you can spot the differences in operation between Quarantino.app while quarantined and after you remove it from quarantine.
Available for download now from this website (signed with Developer ID credentials) and coming soon to the App Store (fingers crossed; in review)!
Labels: com.apple.quarantine, quarantino, secure coding mac, security, utility
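The inspect-then-strip flow above, as an added example in Python (not Quarantino's own code). It parses the com.apple.quarantine value into its fields, and only removes the attribute after both a strict codesign verification and a Gatekeeper (spctl) assessment pass; stripping quarantine from an app whose signature does not verify defeats the point of the check. Assumptions: the value layout macOS writes is "flags;timestamp;agent;uuid" with flags and timestamp in hex and the timestamp in seconds since the epoch (older entries may omit trailing fields); the flag word is only shown in hex, not decoded; the sample value in the docstring is constructed; the macOS tools are invoked only from main(), so the parser runs anywhere.

```python
#!/usr/bin/env python3
"""Inspect the com.apple.quarantine xattr on a downloaded app bundle and strip
it only after the code signature and the Gatekeeper assessment both pass.

Added example, not Quarantino's code. Assumed value layout (as macOS writes it):
    "0083;5f2b3c4d;Safari;0E5D3A2C-1B4F-4B0E-9C8A-1234567890AB"   (constructed)
i.e. flags;timestamp;agent;uuid, flags and timestamp in hex, timestamp in
seconds since the Unix epoch. xattr/codesign/spctl are only run from main().
"""
import datetime as dt
import shutil
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class Quarantine:
    flags: int       # raw flag word; reported in hex, not decoded here
    timestamp: int   # seconds since the Unix epoch
    agent: str       # application that set the attribute (Safari, Chrome, ...)
    uuid: str        # LaunchServices quarantine event id; may be empty

    @property
    def downloaded_at(self) -> dt.datetime:
        return dt.datetime.fromtimestamp(self.timestamp, tz=dt.timezone.utc)


def parse_quarantine(raw: str) -> Quarantine:
    """Split the raw value; tolerate the shorter 2- or 3-field forms."""
    parts = raw.strip().split(";")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"unexpected quarantine value: {raw!r}")
    parts += [""] * (4 - len(parts))          # pad missing agent/uuid
    flags, ts, agent, uuid = parts[:4]
    return Quarantine(int(flags, 16), int(ts, 16), agent, uuid)


def describe(q: Quarantine) -> str:
    when = q.downloaded_at.strftime("%Y-%m-%d %H:%M:%SZ")
    return f"flags=0x{q.flags:04x} set={when} agent={q.agent or '?'} uuid={q.uuid or '-'}"


def _run(cmd: List[str]) -> subprocess.CompletedProcess:
    return subprocess.run(cmd, capture_output=True, text=True)


def read_quarantine(path: str) -> Optional[str]:
    """Raw attribute value via `xattr -p`, or None when the path is not quarantined."""
    res = _run(["xattr", "-p", QUARANTINE_XATTR, path])
    return res.stdout.strip() if res.returncode == 0 else None


def signature_ok(path: str) -> bool:
    """Strict, deep signature verification plus Gatekeeper's execute assessment."""
    cs = _run(["codesign", "--verify", "--deep", "--strict", path])
    sp = _run(["spctl", "--assess", "--type", "execute", path])
    return cs.returncode == 0 and sp.returncode == 0


def strip_quarantine(path: str) -> None:
    """Remove the attribute from the bundle and everything inside it (-r)."""
    subprocess.run(["xattr", "-r", "-d", QUARANTINE_XATTR, path], check=True)


def main(argv: List[str]) -> int:
    if len(argv) != 2 or shutil.which("xattr") is None:
        print("usage: quarantine_check.py /path/to/App.app   (macOS only)")
        return 2
    path = argv[1]
    raw = read_quarantine(path)
    if raw is None:
        print(f"{path}: not quarantined")
        return 0
    print(f"{path}: {describe(parse_quarantine(raw))}")
    if not signature_ok(path):
        print("signature or Gatekeeper assessment failed; leaving quarantine in place")
        return 1
    strip_quarantine(path)
    print("signature verified; quarantine removed")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a freshly downloaded bundle before and after the strip to reproduce the behaviour difference the post describes; a non-zero exit from codesign or spctl leaves the attribute untouched.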
Mac Developer: Mac OS X Security Overview
Nice security overview of Mac OS X. Different features and advantages are covered.
Labels: mac runtime sandbox detection, sandbox policy language, secure coding mac, security, xprotect.plist
Mac Developer: Security researcher rewrites Mac firmware over Thunderbolt, says most Intel Thunderbolt Macs vulnerable | 9to5Mac
Security researcher rewrites Mac firmware over Thunderbolt, says most Intel Thunderbolt Macs vulnerable | 9to5Mac: "Once installed, the firmware cannot be removed since it replaces Apple’s public RSA key, which means that further firmware updates will be denied unless signed by the attacker’s private key"
Most hardware manufacturing is done overseas.
Labels: security flaw
Mac Developer: Technical notes, my online memory: Gatekeeper, XProtect and the Quarantine attribute
Technical notes, my online memory: Gatekeeper, XProtect and the Quarantine attribute: "Apps can opt in to Gatekeeper and XProtect protection by adding LSFileQuarantineEnabled to their Contents/Info.plist. This means that any files created by that app will get tagged with the Apple quarantine HFS+ extended attribute."
Everything you wanted to know about quarantine but were afraid to ask.
Labels: gatekeeper, quarantine, secure coding mac, security
Mac Developer: Touch ID hackers attempt to take things to next level, no need for physical fingerprint | 9to5Mac
Touch ID hackers attempt to take things to next level, no need for physical fingerprint | 9to5Mac: "The hacker who successfully used a fingerprint captured from an iPhone to fool Touch ID now believes it may be possible to perform the same hack without needing access to a physical fingerprint."
Anyone who has already seen a Bond film knew that.
Labels: security, security flaw