Comments on Bayou Renaissance Man: So much for app security!
Blog author: Peter

Comment by Anonymous, 2013-12-19 10:08 (-06:00):

The article in question appears to be conflating (intentionally or not, I can't tell) a "cracked" app meaning "the app you chose to run on your device is compromised" with a "cracked" app as in "unofficial, pirated release akin to 'warez' on a regular PC".

The former would certainly be a concern, but for 50-75% of the apps in the official app stores (Google Play or the Apple App Store) to be compromised in that manner, it would require those top tier developers themselves to have been hacked, the application signing keys to have been stolen (at least for iOS; I don't recall if Android requires app signing), and the crackers to be submitting replacement versions of the app to the official stores in the name of the developer.

Alternatively, it would require that the user has downloaded some other application which has managed to break out of its "sandboxed" environment, past the phone's own built-in security, to target the top 100 applications' data.

In both of these cases the scenarios are possible, but either scenario being applicable to 50-75% of the top applications in Apple's or Google's stores would be extremely unlikely.

On the other hand, having the apps "cracked" in a warez/piracy sense, where unofficial and altered versions are available for download on third-party markets (like the one the article refers to, Cydia), is a much more likely and believable thing. It's basic software piracy and has been around forever. To install such applications on an Android phone, one would need to activate the option to allow 3rd party application installation (admittedly easy, but still requiring an affirmative step), and on iOS it requires jailbreaking the device, which is an even more involved procedure and not something you will accidentally do.

After you have done that, you still need to download and install the alternative market or individual application from the 3rd party site, and then yes, you are installing applications that are outside whatever general security checks the official app store review processes have. In theory these apps are still restricted by the built-in OS security, but obviously the risk of exploiting flaws in that security is greater. This scenario seems to be the one the article is really talking about, both because it is the more believable scenario and because the quoted "security" firm specializes in and sells tamper-proofing, DRM and anti-piracy packages.

In this more likely case, you can protect yourself by following the same rules and advice that have been relevant for every computer since the dawn of personal computers. Only download and install software from the original and trusted source. If you see that "My Great Banking App" is available from "Mega Bank Corp" on the regular App Store and it's normally $10, and then you install a 3rd party app store and see the very same app for free from "Mega Banking Corp", well, like the saying goes, "If it sounds too good to be true".

Long comment short, the article appears to be intentionally inflammatory, using ambiguous terms to make you think that the banking app you download from the official Apple or Google store is compromised, when in reality they're saying that "popular applications are popular targets for piracy, and downloading pirated versions of applications might mean you're downloading a compromised version as well".

Comment by Old NFO, 2013-12-19 07:56 (-06:00):

I've got an iPhone, but only run minimal apps and NO financial stuff ever goes through the phone.