FREAKish apps still have security holes

Glenn Fleishman | March 20, 2015
Apple patched iOS and OS X, but apps can still be vulnerable due to Apple's limited update policy.

One technique is known as pinning, in which a domain (such as or an app can specify precisely which CAs are allowed to issue certificates that are valid. A certificate issued by any other authority is rejected and the user warned. Google has experimented with pinning for years, and was able to detect a falsified certificate in Iran as a result of including a warning in Chrome in 2011 when a non-approved certificate was presented for a Google domain. The affected user notified Google, which led to the discovery of a security breach at a CA.

App developers can also pin, and security experts recommend the practice. Marco Arment, the creator of Instapaper and the developer behind the Overcast app, uses pinning with Overcast, as do many, but not all, other developers. It's not required.

Arment noted a few weeks ago that he has 200,000 registered users; other apps have millions or tens of millions, such as Instagram. These are juicy bits of information to a hacker or a government agent, because intercepting logins would allow them to check those same account credentials at other services or gain access to a stream of personal data that could be mined or misused.

The downside is that failure to update and manage one's certificates carefully could cause an app's connections to fail and require a quick app update! But the benefits are high.
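The CA pin check and the update failure described above, as an added Python illustration (not code from this article or from any app it names). The host names, function names and key blobs are constructed for the example, with byte strings standing in for real DER-encoded public keys.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """Pin = base64(SHA-256(SubjectPublicKeyInfo)), a common pin format."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def check_pins(host, chain_spkis, pin_map):
    """Run only after ordinary certificate-chain validation has succeeded.

    "unpinned": the app ships no pins for this host (system trust decides).
    "accept":   some certificate in the presented chain carries a pinned key.
    "reject":   the chain is valid, but was issued by a CA the app did not pin.
    """
    pins = pin_map.get(host)
    if pins is None:
        return "unpinned"
    if any(spki_pin(spki) in pins for spki in chain_spkis):
        return "accept"
    return "reject"

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
PRIMARY_CA = b"constructed-spki/primary-ca"
BACKUP_CA = b"constructed-spki/backup-ca"
OTHER_CA = b"constructed-spki/other-ca"
LEAF_OLD = b"constructed-spki/leaf-current"
LEAF_NEW = b"constructed-spki/leaf-renewed"
LEAF_ROGUE = b"constructed-spki/leaf-from-other-ca"
HOST = "api.example.test"  # hypothetical app backend

def run_scenarios():
    single = {HOST: {spki_pin(PRIMARY_CA)}}
    with_backup = {HOST: {spki_pin(PRIMARY_CA), spki_pin(BACKUP_CA)}}
    return {
        # Everyday case: the server's chain ends at the pinned CA.
        "normal": check_pins(HOST, [LEAF_OLD, PRIMARY_CA], single),
        # A certificate from any other CA is refused, even if the OS trusts it.
        "other_ca": check_pins(HOST, [LEAF_ROGUE, OTHER_CA], single),
        # Renewing the leaf under the same CA does not break a CA-level pin.
        "renewed_same_ca": check_pins(HOST, [LEAF_NEW, PRIMARY_CA], single),
        # The downside: the operator changes CA, but the shipped app has one pin.
        "ca_change_single_pin": check_pins(HOST, [LEAF_NEW, BACKUP_CA], single),
        # Shipping a backup pin in advance keeps the same change from failing.
        "ca_change_backup_pin": check_pins(HOST, [LEAF_NEW, BACKUP_CA], with_backup),
        "other_host": check_pins("cdn.example.test", [LEAF_OLD, OTHER_CA], single),
    }

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22} {verdict}")
```

Pinning the CA's key rather than the leaf's is what lets a routine renewal pass; only a change of CA without a pre-shipped backup pin forces the app update.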

Users can't determine these sorts of security improvements, but they can request them. Apple can also shift some of its effort from enforcing absurd interpretations of rules to examining security issues like these in its app-review process, and give developers guidance.

The old gray OS ain't what it used to be
Apple folks have long liked to poke Android users about the lack of upgradability of many handsets and other devices--some sold with an implicit promise that the device would support new major releases. And many manufacturers still ship Android devices with earlier, non-supported releases, some of them years old.

Now Apple needs to face some of the same finger pointing. While Apple stops selling new hardware that can't run the latest iOS release whenever they put out a major update--moving from 7 to 8, say--with the FREAK update, they've cut adrift those customers who have outdated hardware or have chosen to not upgrade.

Apple stopped selling the last hardware that couldn't be upgraded to iOS 8 a year before that version was released (the iPhone 4s). But there are at least 100 million perfectly satisfactory iOS devices, if not more, that cannot (or will not) run releases later than iOS 7. Apple's own data show that 20 percent of iOS devices are running iOS 7, and 3 percent earlier versions, and it's shipped over a billion devices. (Assume some decent percentage are dead.)

