Skip to content

Posts from the ‘iPhone’ Category

17
Oct

Securing Siri on a Locked iPhone 4S

Although I haven’t had the chance to play with her myself (does that sound wrong?), Siri seems like an awesome addition to the iPhone. It’s worth pointing out, however, that it is still possible to use Siri when the iPhone is locked – presumably for convenient ease-of-use. Unfortunately this means that anyone with physical access to your phone can access information including contacts, calendar items, SMS/iMessages, and also make calls and send emails or messages from you.

[Update] There have been a whole bunch of people crying about how this is a major security flaw. Just to dispel some of the myth… this is not a security flaw, it’s a design decision that Apple made based on usability. Yes, it’s a default setting that may introduce some vulnerabilities, but then again there are still lots of people who run around without passcodes. To be honest I’m usually the first to secure the hell out of everything, but in this case I feel they made the right decision for two reasons. First, Siri is obviously less useful as a hands-free assistant if you need to unlock your phone every time; and secondly making it easier to use will help drive the adoption of Siri.

Luckily Apple thought of this on at least two levels. First, if you ask Siri to unlock your iPhone she’ll respectfully tell you that she “can’t unlock your phone for you”. Secondly – and this is the important one – it is possible to disable the use of Siri when the iPhone is locked. The option now lives in Settings > General > Passcode Lock, where you can set Siri to Off.

Needless to say (contrary to the screenshot), I recommend setting ‘Require Passcode’ to Immediately, turn Simple Passcode off so you can set a 5-or-more-digit PIN, set ‘Siri’ to off to prevent access when your  iPhone is locked, and turn on Erase Data after 10 failed passcode attempts.

Siri is great, but let’s not make it easy for someone to social-engineer her into betraying you. See my other post for more details on protecting your iPhone from loss and theft.

In other news… you can tell Siri to use a specific nickname when talking to you. It’s important to note, however, that the nickname will be put into your VCard. So be careful if you tell her to call you her pimp, and then send someone your contact details ;)

13
Oct

Apple Releases Slew of Security Updates (OSX, Safari, iTunes, iOS 5, aTV)

I wasn’t going to post about last week’s fairly significant iTunes update, but then Apple went and patched a whole bunch of vulnerabilities across the board. Some of these are fairly significant so I thought I would provide a short breakdown of the changes. Either way, you should definitely be patching all of your Apple devices and software tonight.

Hit the jump for a summary of the key vulnerabilities patched in Apple’s security updates.

Read moreRead more

27
Jul

Key iOS Security Updates Patch PDF and Certificate Validation Vulnerabilities (4.3.4 and 4.3.5)

The two latest iOS updates are fairly significant in that they patch two critical vulnerabilities. iOS update 4.3.4 patched a number of bugs including comex’s PDF/FreeType vulnerability used to create the latest JailbreakMe exploit. If you’re a jailbreaker, it’s essential that you run comex’s ‘PDF Patcher 2’ within Cydia, in order to patch the underlying vulnerability. iOS update 4.3.5 released a couple days ago, patches a fairly significant bug in the way iOS validates SSL/TLS certificates. This vulnerability can allow an attacker to intercept and/or modify data protected within an SSL session without the user knowing it. This was possible to due the fact that iOS didn’t validate the basicContstrains parameter of SSL certificates in the chain.

If you’re only an occasional patcher – now is the time.

6
Jul

Jailbreak iOS 4.3.3 with JailbreakMe 3.0

JailbreakMe.com has been updated to allow easy untethered jailbreak of your iOS devices, just follow the instructions on the site. Thanks to a new PDF exploit from comex (with the help of chpwn), it is now possible to jailbreak iPhones, iPads (including iPad 2) and iPod Touches running iOS 4.3.3 (note this doesn’t yet include any versions below that). During the jailbreak, saurik’s Cydia app store is automatically installed.

Interestingly, users with jailbroken devices can protect themselves by patching the PDF vulnerability by using ‘PDF Patcher 2’ in Cydia. Normal users will have to wait for iOS 4.3.4 from Apple. Note, however, that having a jailbroken iPhone or iPad still makes you slightly more vulnerable to other attacks, as the iOS sandbox is essentially bypassed.

10
Jun

Locate Lost or Stolen Macs with ‘Find My Mac’ in Lion and iCloud

Apple’s popular Find My iPhone feature of MobileMe is being extended to Macs as well, as part of iCloud and Lion (10.7.2). It will also allow the person who found or stole the machine to login using a limited guest account (with only access to Safari), in order to allow your Mac to connect to the internet. As with the iOS version, Find My Mac will allow you to remotely send a message, lock or even wipe your computer.

I’m guessing the geolocation will be limited to triangulating local wireless networks, but I’m hoping it will also send back the public IP address of the network it’s currently connected to, which would help significantly when trying to recover a stolen device. I wonder how developers of commercial Mac tracking software are feeling right about now?

For more info and pictures check out this post at Cult of Mac. In other news, iOS 5 will finally bring the ability to delete entries from your call history.

8
Jun

Poll: What iOS 5 feature are you most looking forward to?

iOS 5 will be a major update to Apple’s portable OS, to be released in the Fall of 2011. It’s got a whole bunch of new features, which one are you interested in?

 

What iOS 5 feature are you most looking forward to?

  • iMessage (31%)
  • Notification Center (23%)
  • iCloud Integration (21%)
  • Wifi Sync and Backup (19%)
  • Twitter Integration (4%)
  • Location-based Reminders (2%)
Loading ... Loading ...

If your preferred option isn’t available, I’d be interested to hear what it is in the comments!

7
Jun

Find My iPhone Brings Improved Offline Device Support

Apple has released an update to their free Find My iPhone offering, which greatly improves the support for tracking devices that are offline at the time. Note that this doesn’t mean you can track an iPhone or iPad that is turned off, or out of signal range (not possible). Instead, if a device is offline when you try to locate it, Apple will later send you an email with its location the next time that device gets back online. Thanks to this, it’s no longer necessary to constantly be checking the Find My iPhone app/webpage. Here is Apple’s summary of the changes:

  • When you are unable to locate a device because it is offline, you will receive an email if the device comes online and is located.
  • Ability to remove an offline device from the list using the app.

Note, it appears this updated feature is only available using the Find My iPhone app (version 1.2) available in the App Store – it is not yet available in the MobileMe web interface. I assume it won’t be updated until the new iCloud Find My iPhone web interface is launched. [Update: I was right.]

For more information on how to use this great free service to recover your iOS devices, check out Protecting and Recovering Your iPhone and iPad from Loss and Theft.

5
May

iPhone/iPad iOS 4.3.3 Fixes Location Tracking Bugs

Following the recent over-hyped “location tracking scandal“, Apple has released iOS 4.3.3 which fixes bugs in the Location Services on iPhone and iPad devices that caused them to store excessive location information. As detailed by Apple’s Q&A on Location Data, the location data stored on iOS devices (and backed up by iTunes) are merely a subset of Apple’s crowd-sourced location database of Wifi hotspots and cell towers, used to facilitate Location Services when GPS is unavailable or unreliable. The bugs were causing iOS to download this location cache even if Location Services were turned off, and to store the cache indefinitely, instead of being regularly purged.

This update contains changes to the iOS crowd-sourced location database cache including:

  • Reduces the size of the cache
  • No longer backs the cache up to iTunes
  • Deletes the cache entirely when Location Services is turned off

It’s nice to see Apple resolve this issue so swiftly, and these changes will help improve the privacy of iPhone and iPad users, regardless of whether they use Location Services. The only thing I would have added if I were Apple, is the ability for the user to clear the location cache in the device settings. It’s a button that could be easily added in Settings > Location Services.  Just sayin’!

26
Apr

Everything You Need to Know About the iPhone Tracking ‘Scandal’ [Updated]

Seeing as I cover OSX/iOS security and privacy, I figured it’s about time I weighed in on this whole iPhone/iPad tracking ‘scandal’. I have to admit I was surprised when I first heard of the iPhone storing location data, especially that it does so with Location Services turned off. This issue is not new, however, and was described in a fair amount of depth by Alex Levinson several months ago. What has made it so popular this month is the release of the iPhoneTracker app, developed by Pete Warden and Alasdair Allan, that creates a visual map of your visited locations. I promptly tested iPhoneTracker, and sure enough it showed a bunch of areas that I’d visited. Upon closer inspection, however, I noticed that it didn’t specifically geolocate me in two places where I’d spent a lot of time; namely home and work. On top of that, there were a number of locations I’d never even been to.

[Updated] According to the info recently published by Apple, this stored location data is not the location of the iPhone itself, but rather a subset of crowd-sourced location information for local cell towers and wifi networks, which is only used to rapidly provide the user with location information. Full details at the bottom of this post. Read moreRead more

15
Apr

Updates: Mac OS X 2011-002, Safari 5.0.5, iOS 4.3.2

Apple has released several security updates which patch vulnerabilities in the way Mac OS X and iOS handle certificate trust. This comes off the back of the recent Comodo hack in which several fraudulent – yet valid – SSL certificates were created for a number of prominent websites, rendering users vulnerable to potential man-in-the-middle attacks. These updates (2011-002 and iOS 4.3.2/4.2.7) improve the way certificate verification is performed in OSX and iOS. The Safari 5.0.5 update patches two critical bugs which could result in remote code execution.

In other news: Updates to Safari in Mac OS X 10.7 “Lion” have shown that the browser will bring support for the new Do-Not-Track functionality, intended to give users the ability to opt-out from tracking by Third Party tracking and ad companies. Whether or not this functionality will be fully respected by third parties remains to be seen. Lastly, a tethered jailbreak for iOS 4.3.2 has already been released.

css.php