Like, WOW, man!
His study has also shown that a user's data may not be as safe as Cupertino is making out.
Ya think? An American company surreptitiously placing "sekrit" access in its products? I'm shocked...shocked!!...I say....
An analysis of Apple's iOS operating system by a security expert has revealed various tools in the software that could be used for surveillance if one were so inclined. Jonathan Zdziarski concluded that the vast majority of iThing owners are unaware of lax mechanisms protecting their data. Data forensics expert and author …
it's clear Apple owes customers some answers.
Apple won't want to say anything, and if they are forced they will say something like it's part of their quality control and information is only used in the aggregate and users are not personally identified etc etc. Same ol' Apple B.S.
Your Android App requires the following permissions:
1) Access to Everything
2) I said Everything
3) All of it...
4) I might even make some long distance telephone calls, hope you don't mind.
Six of one, half dozen of the other.
"
1) Access to Everything
2) I said Everything
3) All of it...
4) I might even make some long distance telephone calls, hope you don't mind.
"
5) User clicks Do Not Install and gets another app that does the same thing without requiring all those permissions.
>Of course, to access all these hidden tools you'd need access to the target's iPhone, and Apple's security is invincible, right? Not so fast there: Zdziarski has also uncovered a way to get around this that, while hard for hackers, wouldn't be too tough for law enforcement.
I can only presume that this means "with some help from Apple".
> it's clear Apple owes customers some answers.
I doubt that Apple will provide much of anything to these kinds of findings, they have a new product about to be launched so their interests lie elsewhere for the moment.
If Apple have these kinds of undocumented APIs, it is safe to presume that everyone else does too, whether it be with or without the NSAs blessing.
API : ( Access to Privates Interface) - Don't let coders make you beleive that it means something else.
Hello:
> If Apple have these kinds of undocumented APIs, it is safe to presume that everyone else does too,
> whether it be with or without the NSAs blessing.
Indeed ...
Particularly the fellows at Redmond.
And the XP/Win7 etc. 'end of life' putsch on behalf of MS is nothing but the polishing up of the back door tools to integrate them as seamlessly as possible into the OS.
To be fair, though, if Android contained something like this we'd already know about it, assuming that the version that's put in phones is [almost] the same as the open source version.
Whilst most people are probably not going to give a monkey's nut about these kind of things, it's a bit disconcerting, particularly in light of Apple ranting about how good a company they are.
if Android contained something like this we'd already know about it, assuming that the version that's put in phones is [almost] the same as the open source version
That's a rather massive "if", especially since its originator specialises in getting their grubby hands on any data they can scurry out of your life.
That is as simple as it gets, really. I have been a longtime blackberry user who has decided to move to Android, but am doing so knowing that I am accepting much more risk in doing so. It means I will not store banking passwords, etc. on my mobile... and I will look to run anti-malware on my device.
BlackBerry may not be as app-rich of an ecosystem, but the darned things are pretty solid in terms of core function, reliability and security..... or at least, that is what the USA's NSA want's us to think... lol.
Blackberry rolls over for law enforcement on a regular basis. And there are few rollovers for law enforcement that aren't also accessible by hackers.
http://en.rsf.org/blackberry-gives-way-to-pressure-11-10-2011,41159.html gives a summary of several instances of government pressure and varying degrees of caving.
"...a summary of several instances of government pressure and varying degrees of caving."
What's speleology got to do with this?
If you are going to use a cliche, at least get it right.
It should be "... a summary of several instances of government pressure and varying degrees of caving in"
Ending a sentence with a proposition is something up with which we shall not put!
The phrase "cave in" is a non-hyphenated compound word that, whilst it might apparently contain the preposition "in", is not itself a preposition. A sentence ending with "cave in" is grammatically valid, though for clarity it might be best to hyphenate it as "cave-in".
Never say never.
==-
Two guys at a Boston streetcorner:
MIT guy: Excuse me, can you tell me where the bookstore is at?
Other guy: At HAH-vaad, we don't end a sentence with a preposition.
MIT guy: [Looks down at sidewalk] You're right. I'll rephrase it. [Looks up] Can you tell me where the bookstore is at, ASSHOLE?
—Faye Kane ♀ girl brain
Sexiest astrophysicist you'll ever see naked
Arrogant semiotic pedantics like this is why girls won't let you fu ck them. Even I won't, and I'm a geek myself. Stupid guys do everything fast and hard and brutally, with naught a whit of thought as to whether it's "correct."
LEARN, Poindexter.
You're supposedly good at that.
♥,
-faye kane ♀ girl brain
Sexiest astrophysicist you'll ever see naked
Pix: tiny url dot com slash nakedfaye1
Blackberry rolls over for law enforcement on a regular basis. And there are few rollovers for law enforcement that aren't also accessible by hackers.
I hear good things of their implementation of QNX, though, and that's from people who I know to be thorough in their fact checking. I plan to check them out, provided they have adopted standards like IMAP and ActiveSync instead of this BES malarky - it's what put me off last time round.
"I hear good things of their implementation of QNX, though, and that's from people who I know to be thorough in their fact checking. I plan to check them out, provided they have adopted standards like IMAP and ActiveSync instead of this BES malarky - it's what put me off last time round."
IMAP and ActiveSync already there. I use ActiveSync on a Z10, seems to work very well. BB10 does a good job of messaging.
There is know way to secure any wall garden CrapApple devices. Never has been, Never will Be, Apple users are eye candy controlled zombies who can't think for themselves,
Like Steve Jobs said "We control the widgets, The widgets control the widget users", Never did he speak truer words, has for me I don't use Apple, Facebook, Google or M$ products, I can think for and act for myself. Smartphones are for the not so smart people who haven't got the brains they were born with,
Quote:- Users are so damn stupid - won't they ever learn to use Apple's products correctly?
Reply :- Don't kid yourself, There is only one way to use Apple product. That's the way Mac programmed it, to control their widget users, The only good Apple users are the ones that have jail broke theirs. They are the ones with common sense
Well, if Apple builds back doors into their products like everyone else, then having a closely guarded app store doesn't prevent the hackers from reverse engineering that back door info, does it? What's the point of choosing any platform for it's better security, if every platform is Swiss cheese, security wise, anyway?
It doesn't matter how secure your phone is, you still have to connect it to a public facing network in order to use it. So the likes of Vodafone can track you, monitor your usage and sell your data to the advertisers. (as they are currently doing with their targeted advertising texts!) They are also more likely to respond to police inquiries about your usage at specific times than Apple/Google/Microsoft as well.
It doesn't matter how secure your phone is, you still have to connect it to a public facing network in order to use it
Yup, which produces some of that annoying meta data like location. However, a mobile device should treat *any* network as hostile for data connectivity, be it GPRS (remember that?), 3/4/nG or WiFi.
pcapd - so top sekret it's been a documented developer tool for years
https://developer.apple.com/library/mac/qa/qa1176/_index.html
lockdownd - the daemon which provides information to things like device activation, DRM services, ability to use emergency call or connect to itunes
http://theiphonewiki.com/wiki/Lockdownd
mobile.file_relay - appears to be the service which supports applications sending and receiving files through itunes sharing or local network sharing. Here's someone's client implementation on github from 4 years ago.
https://github.com/bryanforbes/libimobiledevice/blob/master/src/file_relay.c
Calling these "undocumented" is simply incompetent, and bringing the NSA into it is just alarmist bull.
"pcapd - so top sekret it's been a documented developer tool for years"
No - the developer doc you linked to is about analyzing traffic from another device on the network, not by the device itself which is what pcapd does, allegedly. The doc you linked to says "iOS does not support packet tracing directly". That's contradicted by Jonathan's claims.
The other things you link to are not documented by Apple officially (AFAIA). They may well have been known for a while. There's no harm in a serious security researcher joining up all the dots for everyone.
Unless you're just happy doodle dandy with everything as it stands.
C.
I've no issue with anyone asking Apple to explain things in more detail, and in the current environment all such companies need to allay fears about privacy, but the assumption that they're in bed with the NSA handing over all our data, based on not having an official explanation, is frankly ridiculous.
It was the same with the discovery of a location cache, everyone blogged about how Apple was spying and the sky was falling in, until Apple explained what it was for and common sense ensued.
"Unless you're just happy doodle dandy with everything as it stands" - pretty much, yes. "As it stands" there are some poorly documented, not secret functions and no evidence of any spying. Much as I might enjoy becoming a conspiracy loon in the absence of any real details on these functions I think I'll wait to see what Apple actually have to say.
pcap is the packet capturing library used by wireshark, and pretty much every other packet analysing tool on any platform.
pcapd is a daemon, running on an iphone, that provides the possibility of doing packet captures on an iphone, ported to run on that platform, that's been demonstrated (by this guy) to allow you to do packet captures on the device, like anyone familiar with pcap would expect.
Apple docco says there is no native way to do packet captures on iOs devices.
EIther that's a lie, or some developer has gone rogue, and installed a pcap daemon in iOs without Apple knowing.
Neither possibility bothers you? Cool.
Bothers me.
@DMDeck16, Either that or that, eh? Thanks for clearing that up with impeccable logic and hard evidence.
Given your earlier, much more nuanced reply I will assume you ran out of caffeine there :) - I think the question is valid (although I'd be grateful if someone could point me at the docs which confirm that "Apple docco says there is no native way to do packet captures on iOs devices" because it's AFAIK pretty much a standard diagnostics tool on any Unix-alike platforms).
There is nothing wrong with raising questions, but I also agree with you that being all alarmist about it is stupid. However, that's what the press trained us to expect now - anything is either the end of the world or not worth reporting (reminds me of a clip that showed what a falling tea cup looks like in a US movie - it explodes - but sadly I cannot locate it on Youtube).
I would like to see this sort of work done on *any* mobile platform. The only functional weapon against subversion is transparency.
Thankyou, caffeine reinstated. I suspect the pcap daemon has a legitimate use but is not officially supported for end users or it is used during internal development and should have been disabled. ie at best misunderstood, at worst cockup. But conspiracy is far more interesting and entertaining.
I think Apple need to explain themselves pronto, but my point is that leaping to conclusions of conspiracy immediately makes all rational discussion that much more difficult. Eg another media outlet is reporting this as "Backdoors and surveillance mechanisms in iOS devices", another says "Your iPhone May Be Rigged to Spy on You" and so, tediously, on.
The jury has spoken before the evidence has even been heard. It's tiresome because there are plenty of examples of privacy abuse taking place WITH evidence all over the place in IT, government, corporations, public sector, which hardly raise an eyebrow because they're not as sexy as the idea of iPhones and Apple spying on you.
Apple's done an excellent job of managing security (see their latest whitepaper) but their propensity to stay tight lipped isn't going to see this one go away.
http://www.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf
"I suspect the pcap daemon has a legitimate use but is not officially supported for end users or it is used during internal development and should have been disabled. ie at best misunderstood, at worst cockup"
Oh right, that's a much more convincing, evidence based assessment right there. You suspect. Cracking.