back to article iOS storing enterprise credentials in directory anyone can read

Security bod Kevin Watkins says Apple is storing enterprise credentials in a readable-by-anybody directory that is ripe for data theft. The sandbox vulnerability (CVE-2015-3269) affects all apps that use the managed app configuration setting in devices that have not applied the most recent iOS 8.4.1 update. Watkins says …

  1. Chairo

    How times have changed

    ... some 70 percent of Apple mobile users run outdated iOS versions even "several months" after a fix is released

    Thanks to the buggy releases since IOS7, even Fanbois think twice before risking to update their hardware, nowadays.

    That said - at least they have the choice...

    1. Steve Davies 3 Silver badge

      Re: How times have changed

      Perhaps those that won't apply the update are waiting for the promised land of IOS 9?

      But as you say, at least they have a choice.

      1. Hans 1 Silver badge

        Re: How times have changed

        >But as you say, at least they have a choice.

        You have a choice between security + grinding halt and vulnerabilities + performance.

        Now, imagine, over in Android-land, what is going on there ... I am pretty sure some 80% of Android users are vulnerable to a threat or more, even despite patches being available. I know Google are trying to tackle this, there was an article just the other day, but still ...

        I say, go BB10, safe bet.

  2. gregthecanuck
    Facepalm

    Cal me a skeptic...

    Bets on Apple being "encouraged" or "paid" to create this vulnerability? Something like "do this or your offshore cash stockpile becomes taxable"?

    It seems so entirely obvious to be a gigantic security hole? Surely some bright spark would have realized the gaping hole being created?

    (Puts down conspiracy hat, walks away...)

    1. Destroy All Monsters Silver badge
      Holmes

      Re: Cal me a skeptic...

      Doing business under fascism is always a tad difficult. You have to wiggle your arse and hustle...

    2. DougS Silver badge

      Re: Cal me a skeptic...

      So are you also assuming that the rash of multiple Android vulnerabilities and botched patches was a similar evil conspiracy by Google?

      All operating systems have vulnerabilities, I'm sure the NSA knows about a few that are otherwise unknown to anyone on both Android and iOS. No need to force them to knowingly add a hole until they have secured them so much that a deliberate hole is the only way in. I wouldn't hold my breath...

  3. Anonymous Coward
    Anonymous Coward

    So, not a real problem then..

    (from the report) Although this sandbox violation has been patched by Apple, the patch only protects devices which update to iOS 8.4.1; Appthority has identified that up to 70% of iOS devices are not running the latest version of iOS, even several months after an update is issued.

    So what they're really saying is that unpatched devices are vulnerable, and people don't patch timely. Well, that's a major surprise, duh.

    I guess we'll now get the usual "but my ancient device cannot upgrade, bad Apple" messages, followed by references to Android not being very update friendly either, with the 3 Windows phone users wisely staying out of it. Wake me when that eventually subsides so we can talk about something that actually has value, like any occurrence of an exploit actually making it past the App Store filter. Otherwise it's a vulnerability that can be addressed, but doesn't need to make it into the risk register on account of being purely theoretical.

    Coffee, I need coffee..

    1. DougS Silver badge

      Re: So, not a real problem then..

      Wow surprising that 70% aren't running a version of iOS that came out a week ago with zero fanfare? Hardly. I hadn't even known it was coming until my phone popped up a message that it was available. I figured "surprise iOS update, must be security" so I applied it.

      But that's because I understand how IT works, the average person, having heard little or nothing about 8.4.1 in the media, won't see any reason to apply it because as far as they know it doesn't do anything useful.

      Contrast that with iOS 9 a month from now, which will be in the news for doing 'something' new...not sure what, but there's always something, so it will get better uptake. Hopefully the extra testing Apple has this time around will make a smooth process because certainly any issues (beyond the usual "iOS xxx killed my battery life" that seem to plague a fraction of updates on both iOS and Android) will only hurt the uptake by making people want to take a wait and see attitude.

      Personally I always wait for X.0.1 and only apply it after a few days just in case, so I guess my quick response to 8.4.1 and slow response to 9.0 is the opposite of how the typical customer would react.

  4. John Smith 19 Gold badge
    Unhappy

    Remind me again of the benefits of being in the Apple walled garden?

    The higher-that-Windows security baked in by integrated design of software and hardware?

    The fast easy upgrade cycle?

    The easy way to buy s**t products vital to your life style at the Apple store?

    The competitive pricing because of the integrated software and hardware design?

    All of which could exist with Apple products.

    But don't.

    1. Hans 1 Silver badge

      Re: Remind me again of the benefits of being in the Apple walled garden?

      >The higher-than-Windows security baked in by integrated design of software and hardware?

      Sorry, but here you are making a fool of yourself, sorry ...as everybody knows...

      >The fast easy upgrade cycle?

      Does not exists at Apple ???? Are you nuts ??? I don't own, but have owned an iphone in the past, updates are regular, trivial to install - yes, they tend to slow down your phone, but you get way more updates than on, eg Android or Windows Phone ... the only competitor who beats Apple in that respect is BB10.

      People cry about Apple no longer supporting phones released 3 or 4 years ago, when a number of Windows Phone 8.1 devices will not be able to upgrade to 10, and most Android vendors, like Sony (BASTAAAAAAARDS!!!!), only shipping one OS update in the same time frame my BB10 got 5.

      1. Sandtitz Silver badge

        Re: Remind me again of the benefits of being in the Apple walled garden? @Hans 1

        People cry about Apple no longer supporting phones released 3 or 4 years ago, when a number of Windows Phone 8.1 devices will not be able to upgrade to 10

        Has there been announcements about the lack of upgrades for WP8.1 phones?

        Wikipedia lists obscure non-Nokia/Microsoft models and makers I've never heard of and I wouldn't be surprised if some/many of them get no love from the manufacturers after the sale, but AFAIK all WP8.x Lumias are getting the upgrade at some point, including my trusty 820 which was the first WP8 phone released almost 3 years ago.

        Will MS provide the WP10 for free for each manufacturer? If it costs more than the labor needed to integrate drivers then there can't be much incentive for the no-name manufacturers to support devices that were sold for pittance (less than €100 or so) in the first place. Same thing with no-name Android devices.

        Apple however has always asked premium prices for their phones and since they have 100% control of the device and OS I think it goes without saying that minimum of 4 years of support since launch is something that I'd expect if I ever bought an iPhone.

        1. Anonymous Coward
          Anonymous Coward

          Re: Remind me again of the benefits of being in the Apple walled garden? @Hans 1

          Two problems with you (infantile) post:

          1. Baaaad Apple. How dare they charge what the market will bear! Seriously.

          2. So one rule for one company because you just don't like 'em and different for everyone else? You, sir, are a hypocrite. That makes your views and opinions instantly worthless.

          1. Sandtitz Silver badge

            Re: Remind me again of the benefits of being in the Apple walled garden? @AC

            Two problems with you (infantile) post:

            Only two?

            1. Baaaad Apple. How dare they charge what the market will bear! Seriously.

            I didn't say anything like that. I said that Apple is charging a premium for their luxury product. I'm not condemning them for making money.

            ...and even if I did you shouldn't take Apple bashing personally. Take a stress pill and think things over. You'll live longer.

            2. So one rule for one company because you just don't like 'em and different for everyone else?

            No, you misunderstood. I don't dislike iPhones. I said they're expensive.

            If I buy a premium phone for a premium price I expect better customer service than from some Chinese fly-by-night company that sells landfill phones. If Microsoft/Google decides to sell Lumia/Nexus phones with the Apple prices then I would expect similar support from them too.

  5. J J Carter Silver badge
    Trollface

    Imagine a vendor that helps lusers to help themselves by pro-actively pushing them security updates. Nah, can't happen....Wait, that would be beyond wrong!

    1. Anonymous Coward
      Anonymous Coward

      Imagine a vendor that wrote software, took time to test it and actually released a version of it that worked as touted without any security holes or bugs.

      Now I'd buy that for a dollar!

  6. Gary 24

    I call Bullshit

    Where are your sources for 8.4.1 adoption? IOS 8.4 has a 70% adoption in it's first week and thats across devices from 4S - 5 - 5S - 6 iPad 2 +

    How is that a fail? The level of "journalism" at the register and it's anti apple attitude is boring.

    1. Anonymous Coward
      Anonymous Coward

      Re: I call Bullshit

      Citations?

      OK:

      https://developer.apple.com/support/app-store/ (pulled the morning)

      IOS 8.4 or better - 86%

      IOS 7 - 13%

      Earlier - 2%

      ...which while it equals 101% of devices does suggest that 70% of people won't upgrade IOS even months after a release.

      Even more that that, 2 weeks after IOS 8.4 had only hit 40% of devices, so again 70% hadn't updated, so El Reg is clearly right!

      Oh, hang on a moment, to mis quote Jobs "they're reading it wrong"...

      :o)

    2. DougS Silver badge

      Re: I call Bullshit

      They are probably saying that 8.4.1 only has 30% adoption at this point. As I said in another post, I think that's not surprising if true. It is has only been out a week, and was released without any media attention like 8.4 received for iTunes Radio. I didn't even know it was coming until it popped up on my phone last weekend.

      I think for the average person who doesn't know IT, if an update is in the news they are much more likely to apply it then if they get one out of the blue like 8.4.1. I knew immediately that this surprise update had to be security related - the gap between 8.4 and 8.4.1 was much too long for it to be some sort of critical bug fix for a problem with 8.4.

  7. Stevie Silver badge

    Bah!

    Interesting, mostly because the exhortation to upgrade from Apple I got blithered only about "improvements" to the music ap.

  8. yokelizer

    CVE Numbers

    Is the CVE number wrong? Googling that seems to take me to something else entirely.

    Is it CVE-2015-3793 and 2015-5749?

  9. Anonymous Coward
    Anonymous Coward

    iOS storing enterprise credentials in directory anyone can read

    The artwork for this article looks very similar to the club artwork Keith Haring was doing in the Eighties.

    https://www.google.co.uk/search?q=keith+haring&client=safari&rls=en&source=lnms&tbm=isch&sa=X&ved=0CAcQ_AUoAWoVChMIrOvw4dC6xwIV8RbbCh3KNAF_&biw=1629&bih=930

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019