Normally, I blog about apps from Magic App Factory, but from time to time if I see something of interest in the tech world, I’ll post it here. For example, here’s Reuters, credulously hyping a security researcher’s claim that iOS has a fundamental security flaw:
Apple iOS bug makes devices vulnerable to attack: experts
Researchers have warned that a bug in Apple Inc’s (AAPL.O) iOS operating system makes most iPhones and iPads vulnerable to cyber attacks by hackers seeking access to sensitive data and control of their devices.
Cybersecurity firm FireEye Inc (FEYE.O) published details about the vulnerability on its blog on Monday, saying the bug enables hackers to access devices by persuading users to install malicious applications with tainted text messages, emails and Web links.
The malicious application can then be used to replace genuine, trusted apps that were installed through Apple’s App Store, including email and banking programs, with malicious software through a technique that FireEye has dubbed “Masque Attack.”
So some bad guy can replace Gmail or your banking app with a fake version and steal all your info. Oooh, scary!
Except that in order to do this, the bad guy would need to convince you to:
- Click a link to install an app on your iPhone or iPad without using the App Store.
- When your iPhone informs you that the web site you’ve visited is requesting to install an app on your phone, you would have to give the web site permission to install the app.
- After giving the website permission, you’d have to approve yet another warning alert asking you whether you want to install a certificate on your phone from a developer that you have never heard of.
So not once, not twice, but three times you would have to affirmatively take actions that literally scream “PLEASE INSTALL MALWARE ON MY iPHONE!!”
I suspect it’s possible a handful of people will make this mistake, and that’s unfortunate, but there isn’t much more Apple can do to make the iPhone any safer. Perhaps they could add an additional warning when a new developer is trying to perform an in-place replacement of an app when the developer certificate doesn’t match, but there isn’t much that they should do. And while they will probably have to do something for PR reasons if nothing else, anyone with sensitive data on their phone shouldn’t be installing apps from unknown developers, and when they do, they shouldn’t hold Apple responsible for bad things that happen.