Apple and Others Revoke All Security Certificates from Chinese Provider

In recent days, several major tech companies have formally disavowed and discontinued use of a Chinese security certificate provider, WoSign. The abandonments began when Mozilla announced that WoSign was not following best practices in issuing its certificates. The primary concern lies in the fact that WoSign was back-dating certain website certificates to circumvent checks that prevent expired certs from working. After Mozilla’s announcement, Apple quickly also said that they would distrust and ban all WoSign certificates. Not long after, Google followed by announcing the search giant would also distrust WoSign …

Apple Releases macOS Sierra, Provides Feature Updates and Security Updates

Every fall without fail, Apple does two things: unveils a new iPhone and releases new operating systems for its mobile and desktop devices. As of Tuesday, September 20th, the new operating system update for desktop and laptop computers is available. Called macOS Sierra, the operating system is the first Mac OS not to bear the OS X name. It also adds several new features, including Mac support for Siri (previously only available on iOS devices), iCloud optimization, greater integration with the iPhone and the Apple Watch, and more.

Unsurprisingly, …

Apple Urges iOS 9.3.5 Upgrade in Response to Spyware

At one point in time, the idea that we might have to worry about hackers attacking our phones would have been fanciful. Similarly, the thought of a private group using software to spy on individuals through their phones might have felt more at home in a movie. Yet with Apple’s release of the iOS security update 9.3.5 and their urgent insistence for all users to upgrade immediately, it’s hard to deny that is the technological reality.

Known as Pegasus, the software exploited a now-patched vulnerability which allowed it …

Apple Releases Security Updates for OS X El Capitan, Yosemite, and Safari

Apple released a trio of security updates on Thursday to patch vulnerabilities in their desktop operating systems and web browser. Users running OS X El Capitan should download Security Update 2016-001, while those still using OS X Yosemite will need Security Update 2016-005.

As MacRumors noted in their report on the updates, it is not customary for Apple to release standalone security updates for OS X. Instead, security updates tend to be bundled in with more overarching version updates. MacRumors theorized that the distribution of these two standalone updates …

A Security Exploit Using Live Photos Showcases the Need for Biometric Scrutiny

Personal biometric data, such as our faces and fingerprints, is increasingly used as a set of digital keys for unlocking access to many of our important devices and services. For example, many banks now take advantage of the iPhone’s built-in fingerprint scanner to allow quick and easy access to their mobile banking applications. This application affords a great deal of convenience for the user, generating a positive experience.

Beneath the “cool” factor, though, these new technologies must be strictly evaluated in terms of their real world effectiveness. Are we …

Ivan Krstic Announces Bug Bounty Program

Apple’s head of Security Engineering and Architecture made the announcement (which everyone is by now well aware of) about their soon-to-be-implemented bug bounty program at Black Hat 2016. Krstic expanded upon the parameters of the program in greater detail. Apple is offering cash payouts of varying amounts, depending on type of vulnerability discovered:

SecureBoot firmware components – Up to $200,000
Extraction of confidential material protected by the Secure Enclave Processor – Up to $100,000
Execution of arbitrary code with kernel privileges – Up to $50,000
Unauthorized access to iCloud account data on Apple servers …

Apple’s Clash with Banks Over Apple Pay & NFC Chips

You’ll recall that Apple recently got into a row with four large Australian banks (Bendigo and Adelaide Bank, Commonwealth Bank, NAB, and Westpac) over Apple Pay and their NFC (near field communication) mobile payment hardware. For those who are unaware, Apple Pay allows iPhone and Apple Watch users to make convenient, contactless retail payments at various outlets instead of a credit or debit card. The banks joined forces to resist signing deals to use Apple Pay, and (from Apple’s perspective at least) stifle their ability to compete. In a formal …

Apple to Start Requiring HTTPS for iOS Apps

You’re browsing the Internet, and you take a glance up at the address bar. What do you see? In most cases, the first characters in the URL of the website you are looking at will be “HTTPS.” HTTPS, or HTTP Secure, is the most secure version of Hypertext Transfer Protocol. This protocol allows for communication over a computer network, with said communications encrypted by either Transport Layer Security (TLS) or Secure Sockets Layer (SSL). On the Internet, HTTPS allows for private and safe exchange of data between a website …

Apple Releases Important iOS Update to guard against Malware

iPhone and iPad users should update to the latest version of iOS as soon as possible, following the latest security update from Apple. The new patch—iOS 9.3.5—arrived on Thursday, August 25th and was dubbed by Apple as an “important security update.” It addresses dangerous malware that was recently developed in the Middle East.

Writing for ZDNet, Zack Whittaker noted that iOS 9.3.5 is a patch for three different malware vulnerabilities, not just one. Working together, security researchers Citizen Lab and Lookout discovered the vulnerabilities and notified Apple about their existence. Lookout …

Apple Bounty Program

Taking a page from the playbook of a number of other high-profile companies, Apple intends to implement a bounty program to enlist the aid of third parties in tracking down and eliminating bugs in their software. Recently, The Verge reported that Apple would, at last, join the ranks of the other tech giants currently offering cash-for-bugs and that the program would take off sometime in September. Though the company has long maintained a tip line, this would be the first time they are explicitly sanctioning money in exchange for sniffing …

iOS 9.3.4 Bug Fix

iOS 9 has received yet another update – this one designed to tackle recently discovered security flaws – CNET reports. This marks the fourth update to iOS 9.3 (which was released in March). It is also speculated to be the last update to iOS 9.3, as iOS 10 is slated to be released next month. You may be thinking, “what gives?” as this update was released suddenly, and without the numerous rounds of beta testing and public review that iOS 9.3.3, entailed. Interestingly, this update is also devoid of …

Security Flaws in WhatsApp & iMessage

WhatsApp, the popular cross-platform messaging program, may have a security flaw. That security flaw might also be present in Apple’s iMessage feature. This is according to security researcher Jonathan Zdziarski, via a post on his blog Zdziarski’s Blog of Things on July 28th. First, a bit of background. You’ll recall from a few months ago that WhatsApp introduced new encryption protocols for communications sent via the app. The so-called “end-to-end encryption” was implemented in an effort to secure user privacy and ensure that no individuals or groups could access the …

Apple is Leaving the Kernel Unencrypted in iOS 10

As always, Apple unveiled a slew of intriguing new announcements at their annual Worldwide Developers Conference in June. Among the headline-worthy revelations were the new versions of the Apple Watch, an overhauled Apple Music app, and the “raise and wake” feature of iOS 10. Perhaps the most surprising thing about the conference concerned what was under the hood for iOS. Specifically, Apple has decided to leave the kernel of their mobile operating system unencrypted.

For those who are unfamiliar with the terminology, a “kernel” is considered an operating system’s …

Apple releases key security updates

Apple recently released the latest round of security updates for all of its operating systems and key software programs. The updates all hit the web on July 18th and are officially available for download as we speak. Here’s a brief rundown of each update, what it includes, and why you should make a point to install it ASAP.

OS X El Capitan v10.11.6 and Security Update 2016-004: Apple’s rundown of security fixes for El Capitan should be more or less familiar to anyone who has ever read the notes …

Apple Releases Firmware Update for AirPort

Users of Apple’s AirPort base station should make a point to install the recently released firmware update. The update, Firmware Version 7.6.7 and 7.7.7, corrects a vulnerability with DNS data parsing that resulted in memory corruption. The vulnerability could also have allowed for arbitrary code execution. So far, there have been no reports about anyone exploiting this particular vulnerability. However, just to be safe, AirPort users should install the firmware update as soon as possible.

DNS data parsing is a key feature of wireless routers. DNS stands for domain …

Apple Releases Series of Patches for All Operating Systems

If you haven’t updated your Apple devices in the past month, now would be a good time. On May 16th, Apple unveiled security patches for not just one of its operating systems, but for all of them. Last Monday, Apple unveiled security patches for not just one of its operating systems, but for all of them. The patches represented the first across-the-board updates that Apple has released for its operating systems since March 21st.

These patches apply to OS X El Capitan and iOS, as well as to the …

Outdated Git Version in OS X Puts Developers at Risk

Update: May 4, 2016 –  Apple has released an updated version of Xcode to patch this vulnerability. Users can download Xcode 7.3.1 directly from Apple’s developer site at: https://developer.apple.com/xcode/download/

An outdated Git client in Apple’s Command Line Tools Package is putting OS X developers at risk by opening them up to remote code execution. According to a report from MacWorld, developers will typically use Xcode when developing apps for OS X or iOS, which means they are working on Macs that use Apple’s Command Line Tools package. The issue is that the …

New iOS Threat Capable of “Bricking” iPhones and iPads

If you haven’t updated your iPhone or iPad to the most current version of iOS—iOS 9.3.1—you should make it a priority to do so. That was the advice of security expert Brian Krebs in an April 12 blog post about a potentially devastating new iOS threat. Interestingly, this new threat is as simple as it is dangerous—to the point where any given iPhone or iPad user could manually trip the vulnerability on their own.

To understand what Krebs is talking about, we need to look back a few months …

Meet AceDeceiver: The First iOS Trojan Horse

Users of iOS devices should be on alert after the arrival of what looks like the first Trojan Horse malware developed for Apple’s mobile operating system. According to a post by Palo Alto Networks, this malware—which is known as AceDeceiver—is unique among other iOS threats in that it doesn’t use counterfeit enterprise certificates to gain access to your device. AceDeceiver doesn’t use an enterprise certificate at all. Rather, it manipulates a major vulnerability in Apple’s DRM (digital rights management) and uses it to install malicious apps on your phone …

New Version of iOS Will Let You Know If Your Employer is Monitoring Your iPhone

If your employer gave you an iPhone when they hired or promoted you, then they are free to track what you do with that phone. This statement has always been true and is one of the top reasons not to send any nasty messages about your boss on a company-owned piece of hardware.

Apple’s mobile operating system has always played into this privilege well for employers, making it easy for your bosses to track your phone if it gets lost, view your internet history, and more. Those features …