This is almost as bad as that 1-2-3 stupidity
A fraction harder to exploit because you need the victim's birthdate, but essentially the same level of carelessness / ineptitude.
You're holding doing it wrong.
Don't get too hammered this Friday night in case you wake up to find you've forgotten your Apple password, as Cupertino has been forced to pull down its iForget service due to an embarrassing new security flaw. This was supposed to be a good week for Apple on the security front. On Tuesday the company fixed a password-bypass …
"but the irony is that the comments are being made by Fandroids who still have no idea that their Android phone is full of malware, adware and diallers hidden away in the Apps on their phones"
I've got to say it's some of the most respectful malware, adware and diallers I've not known about having. Not a single CPU cycle wasted, no effect on the battery and not a single bill increase. It's almost as if it wasn't even there.
If you weren't a fanboi I'd suspect you worked for an AV company with FUD like that.
Except, try as you might to cast iOS security in a bad light, it's not FUD. This is a repost but it's wholly relevant to that statement.
Over 51% of Android devices need patching against exploits. Over 79% of mobile malware targets Android.
iOS - less than 1%.
No one is denying the latest and most patched version of Android will be reasonably secure and you will tend not to get malware if you only go to trusted sources. That was always the case for Windows too BTW. The problem is Android license policy is such that there are far too many insecure unpatched carrier devices out there:
http://www.abs-cbnnews.com/business/03/08/13/android-rises-top-malware-threats-survey
http://www.dazeinfo.com/2012/09/17/malware-attack-on-android-platform/
"try as you might to cast iOS security in a bad light"
You've just discredited yourself as a fanboi troll. Answer me this, who in reply to your post has even mentioned iOS except you? The original poster is talking about the oversight that caused this vulnerability and not iOS itself.
If you'd bother to read a few sources, or even the ones you linked, you'd know that almost all Android malware is installed by users being duped and has nothing to do with the security of the OS itself. From your first link: "One of these, called Eurograbber, came as a PC virus but tricked users into installing a version on their mobile device"
is that manufacturers are really loath to release security updates for anything but their latest 'shiny-shiny' toy.
Samsung are still selling phones with Android 2.3 installed. Are there any security updates? Are there heck.
Until the manufacturers take updates more seriously then I will keep using my Nokia 6310.
I guess that this is the price of having no walled garden. Sometimes it seems that the Apple way isn't far wrong. Now I'll get downvoted into oblivion for saying that but before you do please consider what I'm trying to say. Android device makers are really reluctant to release security updates to phones that are not currently being sold with their latest version of Android installed.
Well I hope you won't get downvoted to oblivion - you at least have a point other than "Android sux init".
I agree that OS upgrade cycles are a big problem - although I don't personally see this as an Android problem but a device/manufacturer problem. You can't blame Microsoft for a Dell PC running Windows XP.
As well as being a developer and geek who likes to tinker, this is the reason I've always bought the Nexus line of phones. I think the only way I would switch is if manufacturers gave some guaranteed commitment to updates, something along the lines of: we will keep this device up-to-date for 2 years from <date> and will ensure updates are released within 3 months of the source drop from Google. Obviously, this will never happen.
...and there are so many of them about. It's frightening.
I just know this was coded up by some twentysomething lanky T-shirt wearing know-it-all with a pube-like wispy beard who still has no idea what he did wrong, but is as cocky as hell about working at Apple because it makes him 'special'.
I sort of take exception to this - but in the very best of British, stiff upper lipped way! I'm a twenty-something programmer, wear t-shirts and am pretty well bearded, though I'm only just a twenty-something (not for much longer, sadly), t-shirt wearing and so on, but I gotta say, the crowd of people who develop with more than a passing care for security seems to get increasingly lower as time goes on. People don't care about security all the time it affects their convenience.
I'm in that awkward situation where everything I do is in PHP, and before anyone whines too much about how PHP is the devil and it eats your children or something, the sad truth is that the crapfest that is PHP is pretty much everywhere and it can't hurt to have someone who does have *some* idea about security running around in the camp. Too many times I've had to deal with people who want <feature X> added to their site but don't care about any of the security implications or anything else. Yes, of course I want to downgrade password security from salted SHA-256 to unsalted MD5 to integrate with your other crappy app. Right after I run out of thermal underwear at Satan's winter ski lodge.
Anyway, as you were.
Pete Spicer: "People don't care about security all the time it affects their convenience"
I sort-of understand how this happens in some applications, but this is a fracking Password Reset application. The PRIMARY function is security related - this is not adding <feature X> to an application.
This isn't just a (ludicrous) coding failure - this is a failure of testing, and indeed management. We are at the mercy of "crappy everyone" and the buck stops at management. They will blame the coder - not the people who hired him, the people who managed him, the people who reviewed his code, the people who tested his work and the people who signed it off for production. All of them have failed in their jobs as much as the coder, and it shows a total disregard for user security.
To then say "We take customer privacy very seriously" seems to me to almost be the equivalent of saying "we know X is very important but we have no idea how to do it"
If I read the article correctly the app allowed a URL in a date (of birth) entry box. Any programmer who would allow a non-date as a valid entry on such a critical system should not be allowed within 100 yards of a keyboard. Checking that inputs are valid for the expected datatype and do not have any sneaky embedded SQL or similar scripty type stuff is so trivial that forgetting it is inexcusable.
That one required you to actually call Apple with 4 digits of your cc number. This one is just a web page asking for info publicly available on your fb page. Apparently there's a difference.
I agree with the guy saying there are too many idiots doing programming. I've yet to see someone coming out of college that has any idea about proper security. However they ALL seem to have the idea that it's impossible to make good software.
I've beaten god knows how many of those idiots up the side of their head due to the crap they put out. In many cases taking control of their twitter or fb accounts to prove the point while training them. In our rush to get programmers no one has bothered to give them a decent level of training. I don't care if you wrote a multi user operating system that actually half-assed worked to graduate. If the code you put out for simple web sites has SQL injections then your professors failed; if you don't even know what that is then you failed.
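Two of the comments above make the same practical point: a password-reset form must only accept a real date in its date-of-birth box, and whatever survives validation must reach the database as data rather than as SQL text. The following is an added example, not code from the article, from Apple, or from any commenter. It assumes a hypothetical accounts table with `email` and `dob` columns, uses Python's built-in sqlite3 as a stand-in for a real backend, and the sample rows are constructed for the demo.

```python
"""Strict date-of-birth validation plus a parameterised account lookup.

Added example (not from The Register article or its commenters). The
accounts table, column names and sample rows are constructed for this demo.
"""
import re
import sqlite3
from datetime import date, datetime
from typing import Optional

# Whitelist shape: exactly YYYY-MM-DD, nothing before or after it.
DOB_PATTERN = re.compile(r"\d{4}-\d{2}-\d{2}")


class InvalidInput(ValueError):
    """Raised when a submitted field does not match the expected data type."""


def parse_dob(raw: str, today: Optional[date] = None) -> date:
    """Return the submitted date of birth as a date object, or raise InvalidInput.

    Validation is by whitelist: the value must have the exact shape of an
    ISO calendar date, must be a real calendar date, and must lie in a
    plausible range. A URL, a quote character, extra whitespace or any other
    non-date text never gets past this function.
    """
    today = today or date.today()
    if not isinstance(raw, str) or not DOB_PATTERN.fullmatch(raw):
        raise InvalidInput("date of birth must be exactly YYYY-MM-DD")
    try:
        dob = datetime.strptime(raw, "%Y-%m-%d").date()
    except ValueError as exc:  # e.g. 1990-02-30
        raise InvalidInput("date of birth is not a valid calendar date") from exc
    if dob > today:
        raise InvalidInput("date of birth is in the future")
    if today.year - dob.year > 130:
        raise InvalidInput("date of birth is implausibly old")
    return dob


# Constructed sample data for the hypothetical accounts table.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "1990-04-12"),
    ("bob@example.com", "1985-11-30"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory table standing in for the reset service's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (email TEXT PRIMARY KEY, dob TEXT NOT NULL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def reset_allowed(conn: sqlite3.Connection, email: str, raw_dob: str) -> bool:
    """True only if the validated DOB matches the stored one for this email.

    The DOB is validated first, then bound as a query parameter, so the
    database only ever sees it as a value and never as part of the SQL text.
    """
    dob = parse_dob(raw_dob)
    row = conn.execute(
        "SELECT 1 FROM accounts WHERE email = ? AND dob = ?",
        (email, dob.isoformat()),
    ).fetchone()
    return row is not None


def check_submission(email: str, raw_dob: str) -> str:
    """Classify one reset attempt: 'rejected' (bad input), 'denied' or 'allowed'."""
    conn = build_db()
    try:
        return "allowed" if reset_allowed(conn, email, raw_dob) else "denied"
    except InvalidInput:
        # Bad data type: the request never reaches the lookup at all.
        return "rejected"
    finally:
        conn.close()


if __name__ == "__main__":
    for submitted in ("1990-04-12", "1985-11-30",
                      "http://example.com/reset?dob=1990-04-12", "1990-02-30"):
        print(repr(submitted), "->", check_submission("alice@example.com", submitted))
```

The order matters: the type check runs before any database access, so a non-date is refused with a generic error and nothing about the stored value leaks; parameter binding is the second line of defence for the case where a future change weakens the validator.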
Can we please get a standards body in place to limit which of these winners can call themselves a "programmer"?
OK, so we all like a good laugh. Schadenfreude is such fun. And it's easy to think you're big if you can troll.
Right kiddies, time for a lesson:
There are lots of Apple devices out there - I know because I have one. There are lots more Android devices out there - I have some of those too. They BOTH have flaws. I DON'T TRUST EITHER OF THEM
It's worse than the Muslims and the Christians on here - "my imaginary friend is better than your imaginary friend". ffs
Right, off for an El Reg bacon buttie until someone takes that bait :)