"Triangulation" infected dozens of iPhones belonging to employees of Moscow-based Kaspersky

I was just looking for context and was confused.

Looks like there still isn't side-loading coming, but weird alternative stores that still need to pass Apple's approval, which defeats the purpose of alternative stores. I get the security thing, but Apple is being as stubborn as humanly possible.
Well they have one hell of a “good thing” (for them) going. Why mess with it?

Work makes me work enough so the brain dead stupidity of iOS is a welcome thing when I get home. So personally I’m fine with it, and professionally it irks me, but that’s what the bar is for.
 
The simpleness of iOS is why I use it, so I'm right there with you. I do still think Apple is quite petty, though.
 
Apple makes bank on their App Store and I'm sure they have plans to expand it. I believe that at some point Apple will merge iOS with MacOS and push everyone onto their App Store. So it makes sense that Apple would make it as painful as possible to avoid side loading on iOS. Shitty move from a shitty company, but I doubt Apple will get away with it for very long.

Good thing for Apple? Sure, but good thing for consumers? Who is this bad for actually? Would you install a third party app store if it meant getting an app that you really wanted? Maybe get a discount by downloading your app from another store? Maybe there's an app that isn't offered in your country and you need to side load it? If you're an Apple iOS enjoyer and you cannot lie but all you other brothers can't deny then you'll be happy to know you can avoid those "risky" apps or sideloading altogether. Nothing will likely change for someone like you. For those who want a proper Firefox web browser or maybe they want to finally be able to download an emulator to run Mario Bros then side loading is there for them. Also, think of the developers who are still waiting for approval who can now bypass it altogether.

 
Make good apps then :D

I have paid for a few apps over the years that have vanished, so something was up with them.
 
This is not about Apple but very interesting either way. It does say it infects mobile devices but how and in what way?

10-Year-Old Open Source Flaw Could Affect 'Almost Every Apple Device' (thecyberexpress.com)

Posted by BeauHD on Tuesday July 02, 2024 @09:00AM from the stay-vigilant dept.
storagedude shares a report from the Cyber Express: Some of the most widely used web and social media applications could be vulnerable to three newly discovered CocoaPods vulnerabilities -- including potentially millions of Apple devices, according to a report by The Cyber Express, the news service of threat intelligence vendor Cyble Inc. E.V.A Information Security researchers reported three vulnerabilities in the open source CocoaPods dependency manager that could allow malicious actors to take over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and MacOS applications, potentially affecting "almost every Apple device." The researchers found vulnerable code in applications provided by Meta (Facebook, Whatsapp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more.

The vulnerabilities have been patched, yet the researchers still found 685 Pods "that had an explicit dependency using an orphaned Pod; doubtless there are hundreds or thousands more in proprietary codebases." The newly discovered vulnerabilities -- one of which (CVE-2024-38366) received a 10 out of 10 criticality score -- actually date from a May 2014 CocoaPods migration to a new 'Trunk' server, which left 1,866 orphaned pods that owners never reclaimed. While the vulnerabilities have been patched, the work for developers and DevOps teams that used CocoaPods before October 2023 is just getting started. "Developers and DevOps teams that have used CocoaPods in recent years should verify the integrity of open source dependencies used in their application code," the E.V.A researchers said. "The vulnerabilities we discovered could be used to control the dependency manager itself, and any published package." [...] "Dependency managers are an often-overlooked aspect of software supply chain security," the researchers wrote. "Security leaders should explore ways to increase governance and oversight over the use of these tools."

"While there is no direct evidence of any of these vulnerabilities being exploited in the wild, evidence of absence is not absence of evidence," the EVA researchers wrote. "Potential code changes could affect millions of Apple devices around the world across iPhone, Mac, AppleTV, and AppleWatch devices."

While no action is required by app developers or users, the EVA researchers recommend several ways to protect against these vulnerabilities. To ensure secure and consistent use of CocoaPods, synchronize the Podfile.lock file with all developers, perform CRC validation for internally developed Pods, and conduct thorough security reviews of third-party code and dependencies. Furthermore, regularly review and verify the maintenance status and ownership of CocoaPods dependencies, perform periodic security scans, and be cautious of widely used dependencies as potential attack targets.
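One way to act on the "synchronize the Podfile.lock" and checksum-validation advice in the quoted summary, as an added example that is not part of the original post or of CocoaPods itself: a small Python checker that parses the SPEC CHECKSUMS section of two lock files (a team baseline and a developer's local copy) and reports pods that were added, removed, or whose recorded podspec checksum changed. The lock contents, pod names and checksums below are constructed samples.

```python
import re

# Lines in the "SPEC CHECKSUMS:" section look like "  PodName: <40 hex chars>";
# the value is the SHA-1 CocoaPods records for the podspec that was resolved.
CHECKSUM_LINE = re.compile(r"^\s+([A-Za-z0-9_.+\-]+):\s*([0-9a-f]{40})\s*$")

def parse_spec_checksums(lock_text: str) -> dict[str, str]:
    """Return {pod name: podspec checksum} from a Podfile.lock's SPEC CHECKSUMS section."""
    checksums: dict[str, str] = {}
    in_section = False
    for line in lock_text.splitlines():
        if line.startswith("SPEC CHECKSUMS:"):
            in_section = True
            continue
        if in_section:
            # The section ends at the first blank or non-indented line (e.g. "PODFILE CHECKSUM:").
            if not line.startswith(" "):
                break
            m = CHECKSUM_LINE.match(line)
            if m:
                checksums[m.group(1)] = m.group(2)
    return checksums

def diff_checksums(baseline: dict[str, str], current: dict[str, str]):
    """Compare a local lock file against the team baseline; returns (added, removed, changed).
    A changed checksum at an unchanged pinned version means a different podspec was served
    than the one the team agreed on, which is exactly the case worth investigating."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, removed, changed

# Constructed sample lock files (pod names and checksums are made up for illustration).
BASELINE_LOCK = """PODS:
  - ExamplePodA (1.2.0)
  - ExamplePodB (3.0.1)

SPEC CHECKSUMS:
  ExamplePodA: 0123456789abcdef0123456789abcdef01234567
  ExamplePodB: fedcba9876543210fedcba9876543210fedcba98

PODFILE CHECKSUM: 1111111111111111111111111111111111111111
"""

# Same pinned versions, but ExamplePodA now resolves to a different podspec and a new pod appeared.
LOCAL_LOCK = BASELINE_LOCK.replace(
    "ExamplePodA: 0123456789abcdef0123456789abcdef01234567",
    "ExamplePodA: 2222222222222222222222222222222222222222\n"
    "  ExamplePodC: 3333333333333333333333333333333333333333",
)
```

Running `diff_checksums(parse_spec_checksums(BASELINE_LOCK), parse_spec_checksums(LOCAL_LOCK))` on the samples flags ExamplePodC as added and ExamplePodA as changed; in CI the baseline would be the committed lock file and the current one the result of a fresh `pod install`.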
 