iOS | Breaking Cybersecurity News | The Hacker News

Despite the contrary regarding NSA's DROPOUTJEEP program, Apple had always denied working with the NSA in the creation of any backdoors used to spy on its users and also claimed that the NSA doesn't have backdoor access to its data. But, Apple could legally share your phone data with the law enforcement agencies if asked for. Being a secretive company, Apple is very clear at its point of sharing its users' data with the government when U.S. law enforcement agencies request data relating to the company's users. With the release of a set of new guidelines late Wednesday regarding requests for customer data from the U.S. law enforcement agencies, Apple specifies what information can and cannot be lifted from its users devices upon the receipt of disclosure requests, search warrants, or legal orders. " These guidelines are provided for use by law enforcement or other government entities in the U.S. when seeking information from Apple Inc. about users of Apple

A new piece of malicious malware infection targeting jailbroken Apple iOS devices in an attempt to steal users' credentials, has been discovered by Reddit users. The Reddit Jailbreak community discovered the malicious infection dubbed as ' Unflod Baby Panda ', on some jailbroken Apple iOS devices on Thursday while a user noticed an unusual activity that the file was causing apps such as Snapchat and Google Hangouts to crash constantly on his jailbroken iPhone. CHINA WANTS YOUR APPLE ID & PASSWORDS Soon after the jailbroken developer uncovered the mysteries ' Unfold.dylib ' file and found that the infection targets jailbroken iOS handsets to captures Apple IDs and passwords from Internet sessions that use Secure Socket Layer (SSL) to encrypt communications and is believed to be spreading through the Chinese iOS software sites, according to the researchers at German security firm SektionEins . The researchers found that the captured login information is been sent

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

Is Air Travel expensive for You?? Of course it's costly for Common people. But, hackers have found a way out of it too. If you have an iPhone then there is no need to buy airline tickets, as a simple iPhone hack can fool any modern airport and get you a seat in first class for free. Anthony Hariton , an 18 year-old computer science student at the University of Crete in Greece, claims he has found a plough to fetch free flight tickets across Europe by generating fake boarding passes designed for Apple's Passbook app. The student prepares to give his presentation entitled " Exploiting Passbook to Fly for Free, " in a hacking conference next month, in which he will theoretically demonstrate on how to generate fake boarding passes using only a computer and an iPhone, then get through all the Security Airport checks and then eventually ending up on your first class seat to the destination of your choice. HACKING iPHONE APP TO GET FREE BOARDING PASSES The iO

Cryptocat , an open source encrypted web-based chat client, is now available for iOS Devices from the  Apple's App store , which was initially rejected by the Apple last December. It is not clear why it was rejected previously, but the good news is that, now ' Cryptocat ' is available for all iOS Devices. So far Cryptocat was only available for Linux and Mac OS X, and as an extension for web browsers Mozilla Firefox, Google Chrome 3, Apple Safari and Opera . Cryptocat has become quite popular in the wake of the NSA Controversy, because of its end-to-end encryption that doesn't allow anyone in the middle to read your messages. Cryptocat for iPhone uses the OTR protocol for private conversations, a cryptographic protocol for secure instant messaging, and perfect forward secrecy, a system that constantly generates new user keys. So, snoops cannot decrypt older messages. It doesn't require any username or account rather just one time nickname makes the

Just two days before Apple has disclosed a critical Security flaw in the SSL implementation on the iOS software that would allow man-in-the-middle attacks to intercept the SSL data by spoofing SSL servers. Dubbed as CVE-2014-1266 , the so-called ' goto  fail; ' vulnerability in which the secure transport failed to validate the authenticity of the connection has left millions of Apple users vulnerable to Hackers and Spy Agencies, especially like the NSA . Last Friday, Apple had also released updated version iOS 7.0.6 to patch the vulnerability, which was first discovered in Apple's iOS Devices, but later company had acknowledged its presence in Mac OSX also, that could allow hackers to intercept email and other communications that are meant to be encrypted in iPhone, iPad and Mac computer. Affected versions include iOS up to version 7.0.5 and OS X before 10.9.2. Security Researchers confirmed , ' Nearly all encrypted traffic, including usernames, passwords, and

Apple's latest 35.4 MB update of  iOS 7.0.6  doesn't seem important at first, but it contains a critical security patch that addresses a flaw with SSL encryption. Yes, a very critical security vulnerability that could allow hackers to intercept email and other communications that are meant to be encrypted in iPhone, iPad and Mac computer. Apple provides very little information when disclosing security issues, ' For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. ' said in the security advisory . Cryptography experts immediately tried to figure out what was wrong with Apple's implementation of Secure Sockets Layer (SSL) and the details are: Impact:  The vulnerability assigned CVE-2014-1266 and  affects both the iOS and OS X operating systems , describes as ' Secure Transport failed to validate the authent

Last October, the social network ' LinkedIn ' launched a controversial Smartphone app called ' Intro ' that intercepts and route all of your emails through LinkedIn servers to inject LinkedIn profiles of the sender directly into the mails. The app was released for Android , as well as iOS devices. Why Controversial? The app puts the security and privacy of your data entirely in the company's hands, and at that time everyone criticized and reacted negatively, but LinkedIn defended Intro, claiming that all information was fully encrypted and deleted from LinkedIn's servers immediately. Just two days back, I got an e-mail from LinkedIn with the subject line " We're retiring LinkedIn Intro. " i.e. LinkedIn is giving up so quickly just four months of the launch! In a blog post today, LinkedIn SVP of products Deep Mishar explained, " We are shutting down LinkedIn Intro as of March 7, 2014. The intro was launched last year to bring the power of LinkedIn to your emai

Smartphone manufacturers are adding ways for owners to track and manage their phones if they ever get lost or stolen. Find My iPhone is a service that comes with every iOS device that allows you to track your iPhone, whether it was lost or stolen. Normally, the iPhone requires a password if you want to deactivate " Find My iPhone ", but it isn't entirely perfect and thieves are now smart enough to disable ' Find My iPhone ' on devices running iOS 7.0.4 and lower version, without having to enter a password. The exploit was discovered and demonstrated security researcher ' Bradley Williams ' and performing a successful bypass means you won't be able to locate, make sound and wipe out. The vulnerability could put the devices at risk, and the exploitation method involves a few simple steps that involve making changes in the iCloud settings, even if they don't know the password. Steps to hack 'Find My iPhone': Navigate to iCloud in the settin

Smartphones are powerful and popular, with more than thousands of new mobile apps hitting the market everyday. Apps and mobile devices often rely on consumers' data, including private information, photos, and location, that can be vulnerable to data breaches, surveillance and real-world thieves. When developing a mobile application, developer has to fulfill high security requirements, established for apps that deal with confidential data of the users. If you are a developer then responsibilities for providing security to the users is very high in comparison to functionality you are going to feed into the app. e.g. A vulnerability found in Starbucks' iOS app could have caused a massive financial data loss. It is always important for all app developers to have enough knowledge about major Mobile platform Security threats and its countermeasures. Today we would like to introduce open source ' Damn Vulnerable IOS App (DVIA) ' developed by Prateek Gianchan

Are you using a pattern lock for your Smartphone to remain untouched from cyber criminals? But you are not aware that even your swipe gestures can be analyzed by hackers. Neal Hindocha, a security adviser for the technology company Trustwave , has developed a prototype malware for the Smartphones that works the same as a keylogger software for desktop. The malware dubbed as ' Screenlogging ', is capable of monitoring finger swipes on the screen of your smart devices in combination with taking screenshots to know exactly how the user is interacting with their phone or tablet, reported by Forbes . The concept used by him is the same that of Keyloggers, a critical type of malware for cyber criminals, which records the input typed into the keyboard and can easily detect passwords for email, social media and of online bank accounts. In the same way the ' Screenlogger ' take care of the inputs taped and swiped on the screen. It logs the X and Y coordinates where the user ha

Snapchat suffered a massive data breach back in December in which 4.6 million usernames and phone numbers were compromised. Earlier this month, the company launched an update to its iOS and Android apps, added a new security measure to ensure that new users aren't spambots or a robot. While signing up for the first time, it now displays nine images and then ask you to pick which images have a " ghost ". Within 24 hours of Snapchat releasing an improved security feature, a developer has written a computer program capable of cracking it. Another hacker, ' Steven Hickson ' took only 30 minutes to write a script that can crack this new security feature. In this CAPTCHA feature, basically have you choose from amongst a bunch of images, identifying the ones that have the Snapchat ghost to prove you are a person. " The problem with this is that the Snapchat ghost is very particular. You could even call it a template. For those of you familiar with template m

Watch out, coffee drinkers. If you are one of those 10 million Starbucks customers, who purchases drinks and food directly from their Smartphones, this news is for you! If you use Starbucks' official iOS app, you should know that the company is not encrypting any of your information, including your password. The app allows the Starbucks customers to check their balance, transaction history, fund transfer, and store location, etc. A Security researcher Daniel E. Wood found a vulnerability (CVE-2014-0647) in STARTBUCKS v2.6.1. iOS mobile application, that stores your credential details and GPS locations in plain text format into the file system. To extract the information from the mobile, an attacker just needs to connect the device to a computer and accessing ' session . clslog ' file from the location given below: /Library/Caches/ com . crashlytics . data/ com . starbucks . mystarbucks /session . clslog The vulnerability , however, requires that the hacker has physical

In the era of Smartphones, Apple's iPhone is the most popular device that exists, which itself gives the reason to target it. According to leaked documents shared by Security researcher  Jacob Appelbaum , a secret NSA program code named DROPOUTJEEP has nearly total access to the Apple's iPhones, which uses " modular mission applications to provide specific SIGINT functionality. " While giving the presentation at the Chaos Communications Congress (30C3) in Hamburg, Germany on Monday, Appelbaum revealed that NSA reportedly sniffing out every last bit of data from your iPhone. DROPOUTJEEP is a software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS

LinkedIn's iOS application is prone to a vulnerability that may permit remote attackers to execute arbitrary code. Security Researcher Zouheir Abdallah  has disclosed HTML parsing vulnerability in LinkedIn iOS an app, that can be used to phish for credentials or be escalated into a full blown attack. LinkedIn's vulnerability occurs when the messaging feature of LinkedIn's mobile app parses invalid HTML and an attacker can exploit this vulnerability remotely from his/her account, which could have serious impact on LinkedIn's users.  He created Proof of concept of the flaw and submitted it to the LinkedIn Security team in September 2013. Later in October 2013, the vulnerable application was patched. One of the possible attack vector is that, using this vulnerability attacker can easily phish LinkedIn user on iOS app. As shown in the screenshot, POC message says: Hey, Can you please view my LinkedIn profile and endorse me! Thanks! I appreciate it! The iOS app will d

Apple has released the latest version of its mobile platform i.e. iOS 7.0.4 includes bug fixes, security patches with some new features. The update is available for iPhone , iPad and iPod touch, identified as " build 11B554a ." Most importantly Apple has patched a critical security flaw that allowed to purchase stuff from the online Apple Store without having to tap in a valid password. Vulnerability assigned as  CVE-2013-5193 , " A signed-in user may be able to complete a transaction without providing a password when prompted. This issue was addressed by additional enforcement of purchase authorization. " Apple's security bulletin says. The patch restores the aforementioned authentication check and will allow app store transactions only  if the user will provide a valid password. The update also addressed an issue that would cause FaceTime calls to fail for some users. Apple recommended users to update their devices immediately. iOS users ca

At Information Security Conference PacSec 2013 in Tokyo, Apple's Safari browser for the iPhone 5 and the Samsung Galaxy S4 have been exploited by two teams of Japanese and Chinese white hat hackers. In HP's Pwn2Own 2013 contest , Japanese squad Team MBSD, of Mitsui Bussan Secure Directions won won $40,000 reward for zero day exploit for hacking Samsung Galaxy S4. The vulnerabilities allow the attacker to wholly compromise the device in several ways, such as using a drive-by download to install malware on the phone. In order for the exploit to be successful, the group lured a user to a malicious website, gained system-level privileges and installed applications that allowed the team to gather information, including SMS messages, contacts and browsing history. They  Another Hackers Team from Keen Cloud Tech in China showed how to exploit a vulnerability in iOS version 7.0.3 to steal Facebook login credentials and a photo from a device running iOS 6.1.4. They wo

Security researchers Adi Sharabani and Yair Amit  have disclosed details about a widespread vulnerability in iOS apps , that could allow hackers to force the apps to send and receive data from the hackers' own servers rather than the legitimate ones they were coded to connect to. Speaking about the issue at RSA Conference Europe 2013 in Amsterdam, researchers have provided details  on this  vulnerability , which stems from a commonly used approach to URL caching. Demonstration shows that insecure public networks can also provide stealth access to our iOS apps to potential attackers using HTTP request hijacking methods. The researchers put together a short video demonstrating, in which they use what is called a 301 directive to redirect the traffic flow from an app to an app maker's server to the attacker's server. There are two limitations also, that the attacker needs to be physically near the victim for the initial poisoning to perform this attack and t

Your LinkedIn profile is your digital resume. Yesterday, LinkedIn launched a new app for for iOS devices called Intro ' LinkedIn Intro '. With this feature an email on your iPhone will display a picture of the sender, with useful profile info from LinkedIn. Basically, to use the service, a LinkedIn user must route all of their emails (any provider i.e. Hotmail, Gmail, Yahoo, etc.) through LinkedIn's 'Intro' servers, which will inject fancy business centric HTML profile right in your emails, as shown. But this also means that LinkedIn is now able to read the complete content of your emails and also can store the passwords to users' external email accounts. The feature is enough to destroy the security and privacy of your mails. Another point to be noted that, Apple does not provide any APIs or frameworks for developers that would allow this kind of modification of its interface. Instead, LinkedIn is acting as a ' man in the middle ' by inter

Though Apple claims iMessage has end-to-end encryption, But researchers claimed at a security conference that Apple's iMessage system is not protected and the company can easily access it. Cyril Cattiaux - better known as pod2g, who has developed iOS jailbreak software, said that the company's claim about iMessage protection by unbreakable encryption is just a lie, because the weakness is in the key infrastructure as it is controlled by Apple: they can change a key anytime they want, thus read the content of our iMessages . Basically, when you send  an   iMessage to someone, you grab their public key from Apple, and encrypt your message using that public key. On the other end, recipients have their own private key that they use to decrypt this message. A third-party won't be able to see the actual message unless they have access to the private key. Trust and public keys always have a problem, but the  researchers noted that there's no evidence that Apple or