Tighten Pro C/C++/Cocoa tool for codesign security, Developer ID, & Mac App Store Receipt Validation
Tighten Pro - in the Mac App Store
Tighten Pro is now available in the Mac App Store.
Mac Developer: Researchers poke hole in custom crypto built for Amazon Web Services | Ars Technica
Researchers poke hole in custom crypto built for Amazon Web Services | Ars Technica Underscoring just how hard it is to design secure cryptographic software, academic researchers recently uncovered a potentially serious weakness in an early version of the code library protecting Amazon Web Services.
Might be a little paranoid. Although the NSA already cracked it. And if quantum computing is here, your 2048-bit RSA is a tasty morsel for that 3 letter agency. Labels: security fix, security flaw
Mac Developer: TrueCrypt is safer than previously reported, detailed analysis concludes | Ars Technica
TrueCrypt is safer than previously reported, detailed analysis concludes | Ars Technica The TrueCrypt whole-disk encryption tool used by millions of privacy and security enthusiasts is safer than some studies have suggested, according to a comprehensive security analysis conducted by the prestigious Fraunhofer Institute for Secure Information Technology.
The rumors of my death have been greatly exaggerated. Labels: security
Mac Developer: Half of data connections by top 500 Android apps are 'covert' with no effect on user experience
Half of data connections by top 500 Android apps are 'covert' with no effect on user experience The new study, summarized on Thursday by MIT News, looked at data transferred to and from the 500 most popular applications available on Android. Specifically, MIT was interested in so-called "covert" communications being silently sent by the top apps.
I highly doubt that iOS is any different at all. The only truly free applications are the ones that don't require network entitlements to function. Labels: security policy
Mac Developer: New Free Version of Tighten now available FREE DOWNLOAD MAC
A new version of TightenFREE is now available for download in the downloads area of this web site.
CHANGES IN THIS UPDATE
- Fixes for handling app bundles containing receipts signed with the "Mac App Store Receipt Signing" certificate, which expired on 2015.11.11
- Updated to verify receipts signed with the "Mac App Store and iTunes Store Receipt Signing" certificates (expiring 2017.10.23 and 2023.02.07).
- Fixes for 10.8.5 and higher (exception thrown when App bundle opened).
- Light dusting and cleaning for (32/64) standard binary.
Labels: mac app store, mac app store receipt validation, tighten app
Mac Developer: Tighten Pro V2 Generated Receipt Validation Code Patch for Recent Mac App Store Update
On November 11, 2015, the certificate (CN "Mac App Store Receipt Signing") the Mac App Store was using to sign receipts expired. It was replaced by an interim certificate (expires: 2017.10.23) which has subsequently been replaced by another certificate ("Mac App Store and iTunes Store Receipt Signing" - expires 2023.02.07). Note that "interim" here means a short-lived replacement leaf certificate, not the WWDR intermediate CA that issues it.
Code generated by Tighten.app (standard edition) is not affected by the change.
Code generated using the V2 Mac App Store receipt signing template in Tighten Pro must be patched to properly validate the new certificate. In particular, the SHA1 fingerprint of the signing certificate has changed. The new 20-byte value (a SHA1 digest is 20 bytes) must be updated in two locations:

IN FUNCTION: ___MAS_VerifySigningCertificate
static const unsigned char kMASReceiptSigning_CA_SHA1_Bytes[] = {
    0x27,0xE2,0x53,0xE3,0x28,0x97,0xD6,0x77,0xB9,0xC9,
    0xFF,0xCB,0xC2,0xE4,0x8B,0xCD,0xC3,0xFB,0x11,0x01
};

IN FUNCTION: ___MAS_VerifyTrustCertificates
static const unsigned char kLEAFFingerprintBytes[] = {
    0x27,0xE2,0x53,0xE3,0x28,0x97,0xD6,0x77,0xB9,0xC9,
    0xFF,0xCB,0xC2,0xE4,0x8B,0xCD,0xC3,0xFB,0x11,0x01
};

The changes are straightforward and should function correctly through 2023.02.07, when this certificate expires. Keep in mind that a pinned leaf fingerprint is exactly what failed on 2015.11.11 and it will fail again at the next rotation; code that pins the Apple Root CA fingerprint and checks the certificate policy and marker OIDs (see the "Validating Receipts Locally" excerpt further down this page) keeps working across leaf replacements.
I've also submitted updates to TightenPro and Tighten to the Mac App Store, but apparently the ingest pipeline is like a Rube Goldberg machine and the updates are currently stuck in a dreaded "processing" state which is code language for: don't expect it ever to make it to the next stage of the submission pipe. Labels: mac app store receipt validation, tighten pro
Mac Developer: Mac App Store and iTunes Store Receipt Signing - NEW CERTIFICATE ATTRIBUTES
The following is the OpenSSL information dump of the current (and presumably canonical until 2023) certificate used to sign receipts in the Mac App Store. I've extracted the three known certificates that have been historically used to sign Mac App Store bundle receipts and placed them in a disk image (password: 'macappstore') for regression testing and debugging purposes.
openssl x509 -noout -fingerprint -sha1 -in '10.8.5-20230207.darwin.12.6.0.pem'
SHA1 Fingerprint=27:E2:53:E3:28:97:D6:77:B9:C9:FF:CB:C2:E4:8B:CD:C3:FB:11:01

openssl x509 -noout -text -in '10.8.5-20230207.darwin.12.6.0.pem'
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0e:eb:57:87:e7:9e:09:8d
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=Apple Inc., OU=Apple Worldwide Developer Relations,
CN=Apple Worldwide Developer Relations Certification Authority
Validity
Not Before: Nov 13 02:15:09 2015 GMT
Not After : Feb 7 21:48:47 2023 GMT
Subject: CN=Mac App Store and iTunes Store Receipt Signing,
OU=Apple Worldwide Developer Relations, O=Apple Inc., C=US
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:a5:cf:81:fd:25:a2:81:5b:d6:87:ed:23:da:33:
1c:8e:e2:23:c0:a5:c4:26:cb:3d:c6:9f:ec:4a:0d:
55:86:ff:a4:02:d7:97:ca:39:54:6d:7d:7f:b2:54:
18:9d:c4:2c:52:71:8e:64:7b:82:ce:89:ba:49:d6:
08:e5:b4:88:71:cf:3f:5b:46:2e:c6:c4:1d:b8:03:
a9:58:a2:04:3e:21:78:d5:db:b7:d0:8e:12:8d:83:
4c:5b:2a:68:37:93:c2:f2:bd:1e:c4:d2:a1:0c:4a:
58:52:ab:12:e3:ed:dd:1f:98:15:90:35:2d:c2:cc:
12:ca:8d:48:81:f7:58:78:54:6b:e8:8c:31:36:1f:
4a:06:0c:47:54:f3:37:90:b8:b2:92:89:7d:5f:a4:
85:4a:e1:c0:9c:e0:ba:a4:bb:82:97:63:f4:2b:93:
c1:fd:3e:6f:ca:c1:f5:3c:a9:8f:52:1a:c0:25:0a:
76:0e:de:fe:99:fe:ff:c2:6b:f5:5b:5e:ac:73:51:
49:08:56:89:cc:43:90:cc:8e:81:02:d0:a0:97:b6:
5c:b1:a1:69:69:87:90:10:68:26:26:39:b8:1d:10:
73:b0:0a:5d:c5:73:d0:df:76:3b:d8:2d:d9:88:1e:
e3:ec:07:cf:e2:8e:d0:d3:fa:26:55:81:ef:e2:03:
49:23
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
OCSP - URI:http://ocsp.apple.com/ocsp03-wwdr04
X509v3 Subject Key Identifier:
91:A4:9C:FC:C4:76:B7:9F:A0:8A:F4:4D:F5:8F:36:5D:ED:2B:04:85
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:88:27:17:09:A9:B6:18:60:8B:EC:EB:BA:F6:47:59:C5:52:54:A3:B7
X509v3 Certificate Policies:
Policy: 1.2.840.113635.100.5.6.1
User Notice:
Explicit Text: Reliance on this certificate by any party assumes acceptance
of the then applicable standard terms and conditions of use,
certificate policy and certification practice statements.
CPS: http://www.apple.com/certificateauthority/
X509v3 Key Usage: critical
Digital Signature
1.2.840.113635.100.6.11.1:
..
Signature Algorithm: sha1WithRSAEncryption
0d:a6:1b:d3:2e:3d:e3:5b:2b:07:6e:42:96:6c:d3:e8:8c:43:
30:82:5f:e0:5c:d1:8d:be:bd:0f:bd:1a:fc:25:92:db:8c:85:
c3:80:59:df:e3:e2:d7:2e:05:14:ac:0d:db:b6:b8:fe:fc:35:
2e:7c:cb:ad:17:6b:8e:7f:1f:e4:77:b9:b1:67:95:b4:13:5e:
a6:19:86:76:f8:5a:20:95:e7:63:8c:0f:73:fc:e8:ed:c6:1f:
ae:99:f8:65:48:5c:a0:e0:28:3a:c0:10:37:2d:b9:a0:04:39:
1f:73:b9:c8:05:fd:f2:de:7f:1a:2a:2a:6e:2b:01:fc:a0:20:
5c:d9:eb:7d:27:a6:33:f8:f5:98:e0:be:44:db:b1:4c:67:fc:
6e:0a:4f:c9:e2:06:a8:d2:97:f3:a7:8e:6b:51:a2:5a:84:75:
65:d1:16:04:62:e3:c1:5f:f5:08:a9:cf:68:d9:92:00:c9:c1:
8c:b3:f8:8d:00:64:ba:58:60:c0:7c:af:8f:75:ca:69:b9:5b:
2a:d6:1d:68:6e:98:42:f5:4c:a7:37:19:9b:cc:3b:1c:7a:19:
43:f3:a3:6d:bf:48:60:06:0c:36:92:2b:ec:de:18:b5:11:da:
2d:23:d0:8e:fc:a0:69:9c:17:1b:9e:80:7b:39:47:45:30:61:
2f:c7:13:a8
Labels: certificate receipt signing, mac app store receipt validation
Mac Developer: Apple apologizes to developers for Mac App Store certificate flap, explains fix
Apple apologizes to developers for Mac App Store certificate flap, explains fix The caching issue was compounded by apps running receipt validation code containing "very old versions" of OpenSSL not compatible with SHA-2 certificates. Apple replaced the SHA-2 certificate with a SHA-1 certificate last Thursday.
Well, the recommendations from the Apple Developer site were to use a static version of OpenSSL compiled into the application binary. And that would be whatever was available at the time the binary was uploaded. Not everyone yearns to rabidly update their applications every 2 weeks. Some of us have a software engineering ethic. Just keep that in mind next time you call strstr() which was first specified in the 60s.
Labels: software engineering
Mac Developer: Mac App Store Receipt Signing - Certificate Expiration and Replacement
As described in many blogs and news outlets, the certificate that Apple servers were using to sign receipts for apps downloaded from the Mac App Store expired on 2015.11.11. There was an interim certificate that was used briefly for a few days. Ultimately, Apple issued a third certificate (expires 2023.02.07) which we can assume will be used going forward.
For your testing purposes, I have extracted all three certificates, dumped their primary attributes with OpenSSL and bundled them into a disk image (password: 'macappstore') for your inspection and testing.
The original (SHA1) certificate:
CN=Mac App Store Receipt Signing
EXPIRES=Nov 11 21:58:01 2015 GMT
SHA1 Fingerprint=4A:7B:3A:17:00:A4:DA:4A:D4:EA:43:3A:83:61:43:2E:CF:1C:A1:AF

The interim and deprecated (SHA256) certificate:
CN=Mac App Store and iTunes Store Receipt Signing
EXPIRES=Oct 23 19:09:31 2017 GMT
SHA1 Fingerprint=15:0C:E7:C4:1F:13:8F:ED:97:3E:94:78:BD:60:29:7A:A8:CB:BC:3F

The current (SHA1) certificate:
CN=Mac App Store and iTunes Store Receipt Signing
EXPIRES=Feb 7 21:48:47 2023 GMT
SHA1 Fingerprint=27:E2:53:E3:28:97:D6:77:B9:C9:FF:CB:C2:E4:8B:CD:C3:FB:11:01
Labels: certificate, mac app store receipt validation
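Both the Tighten Pro V2 patch earlier on this page and the certificate list above come down to one pinned SHA1 fingerprint per certificate, hand-transcribed into a byte array in two places. The following is an added example, my own code and not Tighten's generated code, showing a less fragile way to keep that check: store the pinned fingerprints verbatim in the colon-separated form that openssl x509 -fingerprint -sha1 prints (the three values listed above), parse them at run time, and accept a presented leaf certificate when its SHA1 digest matches any entry, comparing in constant time and walking the whole table whether or not a match has been found. The digest of the presented certificate is assumed to come from your X.509 library (for OpenSSL that would be X509_digest() with EVP_sha1(), not shown here); the 20-byte array is the only interface. This check supplements, and does not replace, validating the receipt's certificate chain up to the Apple Root CA.

```c
#include <stddef.h>

#define MAS_SHA1_LEN 20

/* Pinned Mac App Store receipt-signing leaf fingerprints, kept exactly as
 * `openssl x509 -noout -fingerprint -sha1` prints them, so a new entry can be
 * pasted in without hand-transcribing bytes. Values are the three
 * certificates listed on this page. */
static const char *const kMASPinnedLeafFingerprints[] = {
    "4A:7B:3A:17:00:A4:DA:4A:D4:EA:43:3A:83:61:43:2E:CF:1C:A1:AF", /* expired 2015.11.11 */
    "15:0C:E7:C4:1F:13:8F:ED:97:3E:94:78:BD:60:29:7A:A8:CB:BC:3F", /* interim, 2017.10.23 */
    "27:E2:53:E3:28:97:D6:77:B9:C9:FF:CB:C2:E4:8B:CD:C3:FB:11:01", /* current, 2023.02.07 */
};
#define MAS_PINNED_COUNT (sizeof kMASPinnedLeafFingerprints / sizeof kMASPinnedLeafFingerprints[0])

static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "AA:BB:...:TT" (exactly 20 octets, ':' separators, nothing trailing)
 * into out. Returns 1 on success, 0 on any malformed input. The high nibble is
 * checked before the low one is read, so a short string stops at its NUL and
 * nothing past the terminator is touched. */
int mas_parse_fingerprint(const char *text, unsigned char out[MAS_SHA1_LEN])
{
    size_t i;
    for (i = 0; i < MAS_SHA1_LEN; i++) {
        int hi = hex_nibble(text[3 * i]);
        int lo;
        if (hi < 0) return 0;
        lo = hex_nibble(text[3 * i + 1]);
        if (lo < 0) return 0;
        out[i] = (unsigned char)((hi << 4) | lo);
        if (i + 1 < MAS_SHA1_LEN) {
            if (text[3 * i + 2] != ':') return 0;   /* separator between octets */
        } else if (text[3 * i + 2] != '\0') {
            return 0;                               /* trailing garbage */
        }
    }
    return 1;
}

/* Constant-time comparison: no early exit on the first differing byte. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    size_t i;
    for (i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns the index of the pinned fingerprint matching fp, or -1 if none.
 * Always walks the entire table, so a match does not shorten the loop.
 * A table entry that fails to parse is treated as absent. */
int mas_match_pinned_fingerprint(const unsigned char fp[MAS_SHA1_LEN])
{
    int found = -1;
    size_t i;
    for (i = 0; i < MAS_PINNED_COUNT; i++) {
        unsigned char pinned[MAS_SHA1_LEN];
        if (!mas_parse_fingerprint(kMASPinnedLeafFingerprints[i], pinned)) continue;
        if (ct_equal(fp, pinned, MAS_SHA1_LEN)) found = (int)i;
    }
    return found;
}

/* Convenience for callers holding the openssl text form (e.g. pulled from a
 * log line): parse it and match. Returns the table index or -1. */
int mas_match_fingerprint_text(const char *text)
{
    unsigned char fp[MAS_SHA1_LEN];
    if (!mas_parse_fingerprint(text, fp)) return -1;
    return mas_match_pinned_fingerprint(fp);
}
```

The index returned tells you which generation of certificate signed the receipt, which is useful when deciding whether to keep honouring the expired 2015 certificate for receipts issued before the rotation; the old entry stays in the table for that purpose, and the caller decides the policy.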
Mac Developer: Here's what's happening with the Mac App Store and 'damaged' apps | iMore
Here's what's happening with the Mac App Store and 'damaged' apps | iMore In order to fix the current problem, Apple will need to roll back the MAS certificate to SHA-1 or developers will need to update their receipt validation to use OpenSSL that supports SHA-2. Obviously a roll back on Apple's side would be faster, a developer update better in the long run. Hopefully we'll get both.
I'm not sure this is a good description of the problem. In my case, we were testing for the authenticity of the "Mac App Store Receipt Signing" certificate by testing the SHA1 fingerprint of the certificate. Obviously, when the certificate expired (30 years would have been a good length for that cert), the new certificate would have failed the test, yet still be an authentic Apple cert.
This particular test was part of Tighten's "most restrictive" or "paranoid" receipt validation. Less stringent validation (such as code generated by Tighten App) was not affected in the same way. Labels: mac app store, mac app store receipt validation
Mac Developer: Validating Receipts Locally
Validating Receipts Locally
/* For additional security, you may verify the fingerprint of the root certificate and verify the OIDs of the intermediate certificate and signing certificate. The OID in the certificate policies extension of the intermediate certificate is (1 2 840 113635 100 5 6 1), and the marker OID of the signing certificate is (1 2 840 113635 100 6 11 1). */
I suppose the moral of the story is: don't say I didn't warn ya.
Labels: secure coding mac, security, security fix
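Apple's comment above names the two OIDs to check but says nothing about how to check them. The following added example, my own code and not Tighten's or Apple's, shows what that check is at the byte level without depending on OpenSSL: it DER-encodes a dotted OID and then walks a DER blob looking for an OBJECT IDENTIFIER element with exactly those content bytes, descending constructed elements and OCTET STRINGs so that both an extension's extnID (the marker OID 1.2.840.113635.100.6.11.1 on the signing certificate) and an OID buried inside an extnValue (the policy OID 1.2.840.113635.100.5.6.1 in the intermediate's certificatePolicies) are found. The kSampleExtensions block is constructed for this example and is not a real Apple certificate; in production you would hand the function the DER of each certificate from the receipt's PKCS#7 chain (i2d_X509() in OpenSSL, assumed and not shown).

```c
#include <stddef.h>
#include <string.h>

/* Encode a dotted OID ("1.2.840.113635.100.6.11.1") as the DER content octets
 * of an OBJECT IDENTIFIER (the 0x06 tag and length are NOT included).
 * Returns the number of bytes written, or 0 if the string is malformed or
 * out is too small. */
size_t der_encode_oid(const char *dotted, unsigned char *out, size_t cap)
{
    unsigned long arcs[32];
    size_t n = 0, len = 0, i;
    const char *p = dotted;

    while (*p) {
        unsigned long v = 0;
        if (*p < '0' || *p > '9' || n >= 32) return 0;
        while (*p >= '0' && *p <= '9') v = v * 10 + (unsigned long)(*p++ - '0');
        arcs[n++] = v;
        if (*p == '.') { p++; if (!*p) return 0; }   /* reject a trailing dot */
        else if (*p) return 0;
    }
    /* X.690: the first two arcs share one subidentifier, 40*a0 + a1,
     * with a0 in 0..2 and a1 in 0..39 unless a0 == 2. */
    if (n < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) return 0;
    arcs[1] += 40 * arcs[0];

    for (i = 1; i < n; i++) {
        unsigned char tmp[10];          /* base-128 digits, least significant first */
        size_t k = 0;
        unsigned long v = arcs[i];
        do { tmp[k++] = (unsigned char)(v & 0x7F); v >>= 7; } while (v);
        if (len + k > cap) return 0;
        while (k--) out[len++] = (unsigned char)(tmp[k] | (k ? 0x80 : 0));
    }
    return len;
}

/* Walk DER and report whether an OBJECT IDENTIFIER element whose content is
 * exactly oid[0..oidlen) occurs at any depth. Constructed elements (SEQUENCE,
 * SET, [n] EXPLICIT wrappers such as the [3] around a certificate's
 * extensions) are descended; OCTET STRINGs are descended too, because an
 * X.509 extnValue wraps its DER-encoded value in one. Malformed input yields
 * 0 and never reads past len. Only single-byte tags are handled, which is all
 * X.509 uses. */
static int der_walk_for_oid(const unsigned char *der, size_t len,
                            const unsigned char *oid, size_t oidlen)
{
    size_t pos = 0;
    while (pos < len) {
        unsigned char tag = der[pos++];
        size_t l;
        if (pos >= len) return 0;
        l = der[pos++];
        if (l & 0x80) {                               /* long-form length */
            size_t nb = l & 0x7F, i;
            if (nb == 0 || nb > sizeof(size_t) || nb > len - pos) return 0;
            for (l = 0, i = 0; i < nb; i++) l = (l << 8) | der[pos++];
        }
        if (l > len - pos) return 0;
        if (tag == 0x06 && l == oidlen && memcmp(der + pos, oid, oidlen) == 0) return 1;
        if (((tag & 0x20) || tag == 0x04) && der_walk_for_oid(der + pos, l, oid, oidlen)) return 1;
        pos += l;
    }
    return 0;
}

/* Does this DER blob (a whole certificate, or just its extensions) carry the
 * given OID anywhere? 1 = yes, 0 = no, unparseable OID, or malformed DER. */
int der_has_oid(const unsigned char *der, size_t len, const char *dotted)
{
    unsigned char oid[64];
    size_t oidlen = der_encode_oid(dotted, oid, sizeof oid);
    if (oidlen == 0) return 0;
    return der_walk_for_oid(der, len, oid, oidlen);
}

/* Constructed sample (NOT a real Apple certificate): the [3] EXPLICIT
 * Extensions block of an X.509 certificate holding two extensions:
 *   - Apple's receipt-signing marker extension, extnID 1.2.840.113635.100.6.11.1
 *   - certificatePolicies (2.5.29.32) whose OCTET STRING value holds one
 *     PolicyInformation with policyIdentifier 1.2.840.113635.100.5.6.1 */
static const unsigned char kSampleExtensions[] = {
    0xA3, 0x2D,                                        /* [3] EXPLICIT, 45 bytes */
      0x30, 0x2B,                                      /* Extensions SEQUENCE */
        0x30, 0x10,                                    /* Extension (marker) */
          0x06, 0x0A, 0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x0B,0x01,
          0x04, 0x02, 0x05, 0x00,                      /* extnValue: OCTET STRING { NULL } */
        0x30, 0x17,                                    /* Extension (certificatePolicies) */
          0x06, 0x03, 0x55, 0x1D, 0x20,                /* 2.5.29.32 */
          0x04, 0x10,                                  /* extnValue */
            0x30, 0x0E,                                /* certificatePolicies SEQUENCE */
              0x30, 0x0C,                              /* PolicyInformation */
                0x06, 0x0A, 0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x05,0x06,0x01,
};
```

A presence check of this kind is looser than confirming that the OID is the extnID of one particular extension, but it is the property the fingerprint test was standing in for (this certificate was issued for receipt signing, not merely issued by Apple) and, unlike the fingerprint, it survives a leaf rotation.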
Mac Developer: Op-ed: (How) did they break Diffie-Hellman? | Ars Technica
Op-ed: (How) did they break Diffie-Hellman? | Ars Technica Earlier this year, a research paper presented a new attack against the Diffie-Hellman key exchange protocol. Among other things, the paper came with a reasonable explanation of how the NSA might be able to read a lot of the Internet’s VPN traffic. I wrote a blog about this in May.
Did they break Diffie-Hellman? Find out now.
Labels: security flaw
Mac Developer: A single malicious Chrome link is enough to give attackers control of your Android phone
A single malicious Chrome link is enough to give attackers control of your Android phone It’s by no means the first time, but security researchers have demonstrated a weakness present in pretty much all versions of Google’s Android OS.
The bad news? All it takes is opening a website containing the malicious code and an attacker can have full control of your phone, and do things like download additional apps without your interaction.
What news is this?
Labels: android vs. ios, security flaw
Mac Developer: Microsoft building data centers in Germany that US government can’t touch | Ars Technica
Microsoft building data centers in Germany that US government can’t touch | Ars Technica Microsoft has launched a new kind of cloud service in Germany where user data is controlled by a "data trustee" operating under German law. Microsoft is unable to access user data without the permission of the data trustee or the customer, even if it is instructed to do so by the US government. If permission is granted by the data trustee, Microsoft will still only do so under its supervision.
My prediction for the fallout of TTP is an explosion of hosting facilities outside the TTP zone.
Labels: security policy
Mac Developer: Tor Project Claims FBI Paid $1 Million For Carnegie Mellon Researchers To Uncloak Users - Forbes
Tor Project Claims FBI Paid $1 Million For Carnegie Mellon Researchers To Uncloak Users - Forbes In one of the more startling blogs to come out of the Tor Project, the team responsible for maintaining the Tor anonymizing network has claimed the FBI paid researchers at Carnegie Mellon University $1 million to disclose techniques they’d discovered that could help uncover the identities of users.
I think this is disturbing. Hard to tell. Does it mean that service providers on the TOR network were actually attacking the users of the TOR network? More details are needed. Maybe the hacking community will find the details I'm referring to. Labels: security policy, security research
Mac Developer: Cult of Android - WTF?! Study finds Android is actually safer than iOS
Cult of Android - WTF?! Study finds Android is actually safer than iOS While 36 percent of Android apps were found to have “potentially catastrophic vulnerabilities for system stability and data protection,” that figure rose to 40 percent on iOS, crushing the common misconception that iOS is a safer platform overall.
So it's primarily a war of the press. I guess this means the mobile market is rapidly becoming like the pharmaceutical market.
Labels: security policy
Mac Developer: Apple pulls popular Instagram client 'InstaAgent' from iOS App Store after malware discovery
Apple pulls popular Instagram client 'InstaAgent' from iOS App Store after malware discovery Before being yanked from the App Store, InstaAgent was a chart-topping free app in multiple countries including Canada and the UK, suggesting thousands of unsuspecting users unwittingly handed over their Instagram credentials. Hard numbers are currently unavailable, but the developer guesses as many as 500,000 users downloaded the app. The metric matches up with InstaAgent's performance on the Google Play app store, which removed the title earlier today.
Hmmm. Labels: security flaw, security leak
Mac Developer: NSA phone records collection 'likely violates constitution', US judge rules | US news | The Guardian
Nothing like a clear and unambiguous statement written by a judge. Labels: security policy
Mac Developer: HTTPS certificates with forbidden domains issued by “quite a few” CAs | Ars Technica
HTTPS certificates with forbidden domains issued by “quite a few” CAs | Ars Technica Browser-trusted certificate authority (CA) Comodo said it mistakenly issued transport layer security credentials for "mailarchive," "help," and at least five other forbidden names and warned that "quite a number" of unnamed competitors have committed similar violations.
My guess is the Kim Dot Com's truly alter.net internet will have better protections now that the corporations are your security best friend.
Labels: security policy
Mac Developer: Belgium orders Facebook to stop tracking non-users within 48 hours | VentureBeat | Business | by Ken Yeung
Belgium orders Facebook to stop tracking non-users within 48 hours | VentureBeat | Business | by Ken Yeung A judge in Belgium has ordered Facebook to stop tracking Internet users, specifically those who don’t have an account, based on apparent lack of consent. The court warned that failure to do so within the next 48 hours could result in fines of up to $269,000 a day (250,000 euros).
We're going to keep doing it as long as our market cap says we can afford it.
Labels: security policy
Mac Developer: NSA says how often, not when, it discloses software flaws | VentureBeat | Security | by Reuters
NSA says how often, not when, it discloses software flaws | VentureBeat | Security | by Reuters The U.S. National Security Agency, seeking to rebut accusations that it hoards information about vulnerabilities in computer software, thereby leaving U.S. companies open to cyber attacks, said last week that it tells U.S. technology firms about the most serious flaws it finds more than 90 percent of the time.
The re-assurances may be misleading, because the NSA often uses the vulnerabilities to make its own cyber-attacks first, according to current and former U.S. government officials.
It would seem the entire business of client side surveillance requires remote exploits, so why would they reveal them?
Labels: security policy
Mac Developer: MI5 carried out secret mass surveillance for a decade | Ars Technica
MI5 carried out secret mass surveillance for a decade | Ars Technica MI5 has been secretly collecting vast quantities of data about UK phone calls for the last 10 years. According to a report on BBC News, the newly-revealed programme was "so secret that few even in MI5 knew about it, let alone the public." Meanwhile, as part of GCHQ's continuing charm offensive to bolster the case for wider surveillance powers, a senior officer named "Peter" has taken the unusual step of writing an article in The Guardian.
Bond, James Bond: all up in your arse.
Labels: security policy