Tighten Pro
C/C++/Cocoa tool for codesign security, Developer ID, & Mac App Store Receipt Validation

Tighten Pro - in the Mac App Store

Tighten Pro is now available in the Mac App Store. Simply click on the icon to the left to purchase directly from Apple. Or choose PKCS#7Viewer.app by clicking the image to the right.

5.02.2013
Mac Developer: Pentagon to grant security clearance for Apple's IOS

Pentagon to grant security clearance for Apple's IOS, some Samsung devices
"Specifically, the DoD will reportedly grant clearance for both iOS 6, Apple's current mobile operating system, as well as iOS 5, the company's previous-generation software."
I'm sure this will be great for the iOS platform, but there is something fundamentally weird about the DOD embracing Apple technology. It's like the DOD is the opposite of the Apple ethic. Or maybe the original Apple ethic.

Maybe we could let BlackBerry and Android have this market.

By : Tighten Pentagon to grant security clearance for Apple's IOS 0 comments

4.22.2013
Mac Developer: BadNews Shows a New Direction for Mobile Malware - Arik Hesseldahl - News - AllThingsD

BadNews Shows a New Direction for Mobile Malware : "And while we’re on the subject of hacking and malware, if you’re the user of Android phone "

I suppose it's good that Google can pull the plug, but it shows that malware writers can create companies and get signing certificates just like a bona fide developer. And they are more aggressive.
I often wonder if any of my apps have been re-signed and put up for sale in a localized market. Who would know?


4.13.2013
Mac Developer: Computer Security Legend Mudge Leaves DARPA for Google Job - Arik Hesseldahl - News - AllThingsD

Computer Security Legend Mudge Leaves DARPA for Google Job - Arik Hesseldahl - News - AllThingsD: "Zatko didn’t specify what he’ll be doing at Google, and he didn’t immediately answer an email from me asking for a little more detail, though it's a pretty sure bet it will involve doing some kind of research on security. I’ll add more if I hear back from him."

Even Google is tightening security!


3.25.2013
Mac Developer: Apple updates XProtect.plist to block Yontoo

Apple updates XProtect.plist to block Yontoo: "Shortly after news emerged of a new adware trojan targeting OS X web browsers, Apple has updated its malware and adware detections list to block Yontoo."

Trojans and malware. The reason we have sandboxed & code signed binaries in the Mac App Store is to ensure that your application is not a launch vector for same.


Mac Developer: Everything You Wanted To Know About Apple’s New Anti-Virus Spotter | Cult of Mac

Everything You Wanted To Know About Apple’s New Anti-Virus Spotter | Cult of Mac: "The British security firm Intego has published a security memo that provides a clear and detailed view of Apple’s new XProtect anti-virus system in Snow Leopard."

Here's an older post on XProtect.plist.


3.19.2013
Mac Developer: Apple acknowledges evad3r jailbreakers found 4 of 6 exploits fixed with iOS 6.1.3

Apple acknowledges evad3r jailbreakers found 4 of 6 exploits fixed with iOS 6.1.3: "Evad3rs leveraged some of the exploits to create the evasi0n jailbreak, which allowed iPhone 5 and iPad mini owners to 'liberate' their devices. "

Sounds like the hackers are very helpful in this case. And maybe most cases.


3.10.2013
Mac Developer: Apple marketing chief uses rare Twitter post to take shot at Android security issues

Apple marketing chief uses rare Twitter post to take shot at Android security issues: "Schiller took to Twitter on Thursday for just the 172nd time since opening his account in 2008"


He tweets but lightly where others rant incoherently.


2.21.2013
Mac Developer: Meet Some of the People at Apple Responsible for Fighting Hackers - Arik Hesseldahl - News - AllThingsD

Meet Some of the People at Apple Responsible for Fighting Hackers - Arik Hesseldahl - News - AllThingsD: "But that’s not to say that Apple hasn’t been preparing — quietly as always — for the kind of eventualities that tend to crop up when hackers and other digital miscreants are taken to probing your systems for vulnerabilities."

Everyone could stand to tighten their security a little bit more.


2.04.2013
Mac Developer: iOS 6 jailbreak arrives; URL detection bug crashes most OS X apps

iOS 6 jailbreak arrives; URL detection bug crashes most OS X apps: "For the first time ever, iPhone 5 and iPad mini owners can jailbreak their device with the release of Evasi0n, the new jailbreak for Apple's iOS 6 mobile operating system. "

I always laugh when someone says "This one can't be hacked." Some people obsess over opcodes. They don't need a disassembler, they don't need a guide.


1.24.2013
Mac Developer: SBPL - SandBox Policy Language

SBPL - SandBox Policy Language: "This is a description of the different primitives available in the SBPL - a language derived from TinyScheme used to describe what is allowed or denied to a process running on MacOSX 10.5 or higher operating system."

If you're trying to figure out what you might need to script up to get your app into the store with a custom sandbox profile, see this handy guide.


1.19.2013
Mac Developer: Apple quietly blocks Java 7 in OS X [U] | MacNN

Apple quietly blocks Java 7 in OS X [U] | MacNN: "Apple has disabled the Java 7 browser plug-in on Macs through an updated OS X blacklist file, notes MacRumors."

It's all about the tightening of security.


1.08.2013
Mac Developer: Yahoo Confirms It Has Fixed A Vulnerability In Mai

Yahoo Confirms It Has Fixed A Vulnerability In Mail - Arik Hesseldahl - News - AllThingsD: "We were recently informed of an online video that demonstrated a vulnerability. We confirm that the vulnerability has been fixed."

Hopefully AOL will fix their leaky boat next.


1.06.2013
Mac Developer: Everything You Wanted to Know About the Sandbox (but were afraid to ask)

The Apple Sandbox by Dionysus Blazakis
The rest of the paper is organized as follows. Section 2 gives a brief overview of the entire system. Section 3 describes the public interface and the utility function provided by the OS. Next, Section 4 walks through the details of the userspace libraries used to turn policies into sandbox syscall arguments for installing a sandbox. After the userspace interface is fully explored, Section 5 begins by briefly describing the TrustedBSD interface and how the sandbox implements this interface. Next, each kernel extension is examined.
http://dl.packetstormsecurity.net/papers/general/apple-sandbox.pdf


12.25.2012
Mac Developer: Hacker: jailbreaking iOS 6 hard, 6.1 may prove impossible | iPodNN

Hacker: jailbreaking iOS 6 hard, 6.1 may prove impossible | iPodNN: "Jailbreaking an iOS device in order to install unofficial apps, add customization options or simply to unlock a locked device has gotten tougher, as evidenced by the hacking community's inability to produce an untethered jailbreak for iOS 6."

Looks like they are tightening security.


12.10.2012
Mac Developer: 25-GPU cluster cracks every standard Windows password in <6 hours | Ars Technica

25-GPU cluster cracks every standard Windows password. A password-cracking expert has unveiled a computer cluster that can cycle through as many as 350 billion guesses per second.

We'll be in for some trouble if strong encryption turns out to be not that strong after all. Personally, I prefer to use the GPU to emulate retro photography techniques.


12.06.2012
Mac Developer: Apple hires former Windows security hacker to strengthen OS X

Apple hires former Windows security hacker to strengthen OS X: "It was discovered on Thursday that famed hacker and former Microsoft employee Kristin Paget is now working for Apple as a core operating system security researcher."

Everyone is tightening.


11.20.2012
Mac Developer: Tighten App 1.0.11 now on the Mac App Store

Tighten App, designed for developers creating $0.99 apps (apps costing less than $5) is now available on the Mac App Store. Tighten App generates custom receipt validation code and provides basic security measures.


11.15.2012
Mac Developer: Tighten Pro 1.0.11 Released Today

The new release of Tighten Pro 1.0.11 is now available on the Mac App Store. This release includes a total rewrite of the Mac App Store receipt validation code generator, including extensive checking of the security trust/certificate chain and new code to parse and validate in-app purchase receipts. The in-app purchase receipt validation code is 100% inline-able and as such can be used throughout your application code (i.e. salted). Other new features include security code generation for Developer ID/Gatekeeper applications and more. Tighten Pro represents a comprehensive solution for application developers dealing with the complexities of deploying to the Mac App Store and protecting their work from piracy.


11.11.2012
Mac Developer: Apple Tweaks Design Of App Store Category Pages

Apple Tweaks Design Of App Store Category Pages
In its weekly App Store refresh, it appears Apple has today tweaked the design of App Store categories to include the same design of the App Store’s home page.

Of interest to most Mac App Store developers.


10.25.2012
Mac Developer: The Steve Jobs I Knew - Walt Mossberg - Mossblog - AllThingsD

The Steve Jobs I Knew - Walt Mossberg - Mossblog - AllThingsD: "That Steve Jobs was a genius, a giant influence on multiple industries and billions of lives, has been written many times since he retired as Apple’s CEO in August. He was a historical figure on the scale of a Thomas Edison or a Henry Ford, and set the mold for many other corporate leaders in many other industries."

This is a terrific article. Delayed by 15 minutes.


10.24.2012
Mac Developer: ARM-Based Chips Make Better Windows PCs, Says Qualcomm CEO - Ina Fried - Mobile - AllThingsD

ARM-Based Chips Make Better Windows PCs, Says Qualcomm CEO - Ina Fried - Mobile - AllThingsD: "Qualcomm has sponsored a contest to encourage developers to write Windows RT apps as well as, in some cases, help to fund their development. Jacobs said that Microsoft isn’t really being given the benefit of the doubt here, despite its long track record of attracting developers."

Unfortunately, nothing as powerful as Cocoa is likely to debut on any platform any time soon.


10.23.2012
Mac Developer: Lightning Connector Cloned

Third-party manufacturers in China are supposedly mass-producing Lightning cables with working authentication chips allegedly reverse engineered from Apple's official model, and are shopping their wares to overseas resellers...


No security technology is foolproof. Do your best to protect your work, keep innovating.


10.12.2012
Mac Developer: com.apple.security.temporary-exception.sbpl

The com.apple.security.temporary-exception.sbpl entitlement seems to have been given bona fide status: log in to iTunes Connect and you can at least add it to your list of requested entitlements for submitting. Good news, because I'm not sure how you can write code in a POSIX environment without POSIX shared memory and semaphores.


10.11.2012
Mac Developer: FileXaminer

FileXaminer: "FileXaminer is an award winning 'Get Info' application. FileXaminer allows you to modify file and folder attributes that the Finder cannot. FileXaminer is powerful and easy to use – making it the best 'Get Info' application for Mac OS X."

I'm trying to figure out why some code I'm working on will not work correctly in the sandbox and I believe it has to do with file permissions. I had a hankering for a GUI tool and had a bit of trouble finding something.


Mac Developer: Access Control Lists in OS X

Mac OS X 10.4 Tiger | Ars Technica: "Access control lists, or ACLs, are a finer-grained, more flexible way to control file permissions: who can do what to which files. In Tiger, ACLs are a supplement to the traditional Unix file permissions. Since I've never covered Unix file permissions in a Mac OS X article before, I'd like to do so now. "

Good article on ACL permissions I found googling.


10.10.2012
Mac Developer: sandbox policy language temporary entitlement

If you're adopting sandboxing outside the App Store, the syntax for the sandbox policy language temporary exception entitlement is:
    <key>com.apple.security.temporary-exception.sbpl</key>
    <string>
        (begin
            (allow system-fsctl))
    </string>
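
An added example (not from the original post and not Tighten Pro code): a small Python audit that reads an entitlements plist, extracts the com.apple.security.temporary-exception.sbpl value and lists the allow/deny rules it adds, so a reviewer can see exactly what the exception widens in the sandbox. The sample plist is constructed from the fragment above; the function names are hypothetical, accepting an array of strings as well as a single string is an assumption, and SBPL `;` comments are not handled.

```python
import plistlib
import re
SBPL_KEY = "com.apple.security.temporary-exception.sbpl"
# Constructed sample: a minimal entitlements file using the fragment shown above.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.temporary-exception.sbpl</key>
    <string>
        (begin
            (allow system-fsctl))
    </string>
</dict></plist>"""

def parse_sexpr(text):
    """Parse SBPL text into nested lists; atoms and quoted strings stay str."""
    tokens = re.findall(r'"(?:\\.|[^"\\])*"|[()]|[^\s()"]+', text)
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')' in SBPL")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '(' in SBPL")
    return stack[0]

def sbpl_rules(forms):
    """Yield (action, operation, filters) for each allow/deny form at any depth."""
    for form in forms:
        if not isinstance(form, list) or not form:
            continue
        if form[0] in ("allow", "deny"):
            filters = [x for x in form[1:] if isinstance(x, list)]
            for op in (x for x in form[1:] if isinstance(x, str)):
                yield form[0], op, filters
        else:
            yield from sbpl_rules(form)  # descend into (begin ...) and similar

def audit_entitlements(data):
    """Report whether the sandbox is on and which rules the sbpl exception adds."""
    ent = plistlib.loads(data)
    value = ent.get(SBPL_KEY, [])
    snippets = [value] if isinstance(value, str) else list(value)
    rules = [r for s in snippets for r in sbpl_rules(parse_sexpr(s))]
    return {"sandboxed": ent.get("com.apple.security.app-sandbox") is True, "rules": rules}
```

A rule with an empty filter list, such as the `system-fsctl` one here, applies to the operation without any path or name restriction, which is the first thing to look at when reviewing an exception.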


Mac Developer: How does Apple Sandbox?

Michael Tsai - Blog - Aperture 3.4, Sandboxing, and FlickrExport

mjtsai.com/blog/2012/09/23/aperture-3-4-sandboxing-and-flickrexport/

The short answer is, a complex application like Aperture cannot be sandboxed using the typical rules.


 

 
 
 



Copyright © 2005-2012
All Rights Reserved
Tighten Pro