Tighten Pro C/C++/Cocoa tool for codesign security, Developer ID, & Mac App Store Receipt Validation
Tighten Pro - in the Mac App Store
Tighten Pro is now available in the Mac App Store.
Mac Developer: First malware in the wild found exploiting Bluebox's Android app signing flaw
First malware in the wild found exploiting Bluebox's Android app signing flaw: "Earlier this month, the popular Facebook app was caught harvesting users' entire phone books for upload into the social network's vast graph, without notice, and subsequently 'sharing' information with other users 'having some connection to them' on the site."
They're getting into the American spirit popularized by the NSA! This is an important read because it highlights the reasons that an application bundle needs both external (system verified) and internal (application self-verified) code signatures.
At least, that's my opinion.
Labels: android, facebook, security
Mac Developer: fseventer [fernLightning]
fseventer [fernLightning]: "Observes filesystem changes using the same underlying API as Spotlight. Provides a graphical representation of the file activity. Example use could be to determine what files are changed via software installation, preferences, etc."
Very handy tool that shows what processes are opening and writing to files. Very cool.
Labels: development tools mac, security tools mac
Mac Developer: Your PC may already be compromised — by the NSA | VentureBeat
Your PC may already be compromised — by the NSA | VentureBeat: "Steve Blank is a retired serial entrepreneur and has been a founder or participant in eight Silicon Valley startups since 1978. This article originally appeared on his blog."
Steve Blank's secret history of Silicon Valley is a compelling, important read for anyone with libertarian values.
Labels: security
Mac Developer: osx - DYLD_INSERT_LIBRARIES doesn't work for app signed with entitlements on Mountain Lion
osx - DYLD_INSERT_LIBRARIES doesn't work for app signed with entitlements on Mountain Lion - Stack Overflow: "dyld strips all DYLD_ environment variables on applications it considers to be restricted, which includes setuid/setgid binaries and those signed with particular entitlements. You can see how this works by looking at the dyld source. In particular, processRestricted is responsible for determining whether the restrictions should be applied and pruneEnvironmentVariables does the special handling of the environment variables."
This looks like some good news. Of course, if the code signature is stripped from your binary the restriction no longer applies, so this is more of a system-wide security feature, i.e. no loading dylibs into every GUI process...
Labels: DYLD_INSERT_LIBRARIES, mountain lion
Mac Developer: mikeash.com: Friday Q&A 2009-01-30: Code Injection
mikeash.com: Friday Q&A 2009-01-30: Code Injection: "Basically, to override NSApplicationMain, you can do something like this:
#define DYLD_INTERPOSE(_replacment,_replacee) \
    __attribute__((used)) static struct{ const void* replacment; const void* replacee; } _interpose_##_replacee \
    __attribute__ ((section ("__DATA,__interpose"))) = { (const void*)(unsigned long)&_replacment, (const void*)(unsigned long)&_replacee };
DYLD_INTERPOSE(_SAApplicationMain, NSApplicationMain); "
mikeash.com seems to be a particularly rich source of low-level Darwin techniques. In this case, a commenter has pointed out an easy (but unsupported/not for shipping applications) technique of chaining system functions. Check lists.apple.com for reasons why it's not supported.
Use the force, er, I mean source:
opensource.apple.com/source/dyld/dyld-132.13/include/mach-o/dyld-interposing.h
And take a look at the unit tests.
Labels: DYLD_INTERPOSE, sandbox, security, store receipt validation
Mac Developer: osx - Mac OS X Lion no longer recognizes environment.plist? - Stack Overflow
Mac OS X Lion no longer recognizes environment.plist?: "Whether or not Apple officially supports this mechanism, the current tech note Technical Q&A QA1067 is still accurate. An important caveat, however, is absent: the Property List needs to be in binary format."
Since DYLD_INTERPOSE seems a likely bypass point for application security checks like Mac App Store receipt validation, you'll want to be aware of all the techniques that can be used to load an extra .dylib or .framework into your app's process.
Labels: DYLD_INTERPOSE, LSEnvironment
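One way to audit the plist-based routes mentioned above, as an added example (not code from this blog or from Tighten Pro): it parses a property list in either XML or binary format and reports any DYLD_ variables set at the top level (the environment.plist layout) or under LSEnvironment (the Info.plist layout). The sample plists, bundle identifier and paths are constructed for illustration.

```python
import plistlib

BINARY_MAGIC = b"bplist00"  # header bytes of a binary property list


def dyld_vars(env):
    """Return the DYLD_* entries of an environment-style mapping."""
    if not isinstance(env, dict):
        return {}
    return {k: v for k, v in env.items() if k.startswith("DYLD_")}


def audit_plist(data):
    """Report DYLD_* variables a plist would put into a process environment.

    Covers both layouts: environment.plist (the top-level dict is the
    environment) and Info.plist (variables sit under LSEnvironment).
    """
    fmt = "binary" if data.startswith(BINARY_MAGIC) else "xml"
    try:
        plist = plistlib.loads(data)  # auto-detects XML or binary
    except Exception as exc:  # truncated or malformed file
        return {"format": fmt, "error": type(exc).__name__, "findings": {}}
    findings = {}
    top = dyld_vars(plist)
    if top:
        findings["top-level"] = top
    ls_env = dyld_vars(plist.get("LSEnvironment")) if isinstance(plist, dict) else {}
    if ls_env:
        findings["LSEnvironment"] = ls_env
    return {"format": fmt, "error": None, "findings": findings}


# Constructed samples: a binary environment.plist and an XML Info.plist.
SAMPLE_ENV = plistlib.dumps(
    {"PATH": "/usr/bin", "DYLD_INSERT_LIBRARIES": "/tmp/example.dylib"},
    fmt=plistlib.FMT_BINARY,
)
SAMPLE_INFO = plistlib.dumps(
    {"CFBundleIdentifier": "com.example.app",
     "LSEnvironment": {"DYLD_FRAMEWORK_PATH": "/tmp/fw"}},
    fmt=plistlib.FMT_XML,
)

if __name__ == "__main__":
    for name, blob in (("environment.plist", SAMPLE_ENV), ("Info.plist", SAMPLE_INFO)):
        print(name, audit_plist(blob))
```

Run it over the raw bytes of `~/.MacOSX/environment.plist` and of each bundle's `Contents/Info.plist`; any non-empty `findings` is worth a closer look.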
Mac Developer: Security flaw opens all modern Android devices to "zombie botnet" takeover [u]
Security flaw opens all modern Android devices to "zombie botnet" takeover [u]: "A newly discovered flaw in Google's Android security model enables rogue apps to gain full access to the Android system and all installed apps, read all data on the device, harvest passwords and create a botnet of 'always-on, always-connected and always-moving' spy devices tracking users' location while secretly recording."
Yikes! Looks like someone needs to tighten up security.
Labels: security