iOS | Breaking Cybersecurity News | The Hacker News

Are you also one of those 18 Million users using SARAHAH? You should beware of this app because the anonymous feedback application may not be as private as it really sounds. Sarahah is a newly launched app that has become one of the hottest iPhone and Android apps in the past couple of weeks, allowing its users to sign up to receive anonymised, candid messages from other Sarahah users. However, it turns out that the app silently uploads users' phone contacts to the company's servers for no good reason, spotted by security analyst Zachary Julian. When an Android or iOS user downloads and installs the app for the first time, the app immediately harvests and uploads all phone numbers and email addresses from the user's address book, according to The Intercept . While an app requesting access to the user's phonebook is quite common if the app provides any feature that works with contacts, no such functionality in Sarahah is available right now. "The pri

Apple has released iOS 9.3.5 update for iPhones and iPads to patch three zero-day vulnerabilities after a piece of spyware found targeting the iPhone used by a renowned UAE human rights defender, Ahmed Mansoor. One of the world's most invasive software weapon distributors, called the NSO Group, has been exploiting three zero-day security vulnerabilities in order to spy on dissidents and journalists. The NSO Group is an Israeli firm that sells spying and surveillance software that secretly tracks a target's mobile phone. The zero-day exploits have allowed the company to develop sophisticated spyware tools that can access the device location, contacts, texts, calls logs, emails and even microphone. Apple fixed these three vulnerabilities within ten days after being informed by two security firms, Citizen Lab and Lookout, who conducted a joint investigation. Background Story: Malware Discovery Mansoor, 46, ' Martin Ennals Award ' winner from the United Arab Emirate

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

Last month, it was reported that the European Commission is planning to impose a record antitrust fine of about 3 BILLION euros ( US$3.4 Billion ) on Google for violating antitrust laws. Not just Europe, Google also lost an anti-monopoly appeal in Russia two months back against ruling for violating its dominant position with the help of its Android mobile OS by forcing its own apps and services like Google Map, Youtube, and others, on users — reducing competition. Now to put an end to the monopoly of major mobile Operating System, Russians are developing their own mobile operating system to compete with Android, iOS, and Windows mobile OS. The Minister of Russian Communication Ministry, Nikolai Nikiforov tweeted last month about the initiative to develop a new Russian mobile operating system, for which the Russian company Open Mobile Platform (Открытая Мобильная Платформа) is hiring developers, testers and security engineers. Open Mobile Platform is developing a Linux-ba

A security researcher could have stolen as much as $25 Billion from one of the India's biggest banks ‒ Thanks to the bank's vulnerable mobile application. Late last year, security researcher Sathya Prakash discovered a number of critical vulnerabilities in the mobile banking application of an undisclosed bank that allowed him to steal money from any or all bank customers with the help of just a few lines of code. Being a white hat hacker, Prakash immediately reached out to the bank and alerted it about the critical issues in its mobile app and helped the bank fix them, instead of taking advantage of the security holes to steal money from the bank that has about 25 Billion USD in Deposits. While analyzing the mobile banking app, Prakash discovered that the app lacks Certificate Pinning , allowing any man-in-the-middle attacker to downgrade SSL connection and capture requests in plain text using fraudulently issued certificates. Also Read:  Best Password Manager — For

Jailbreakers Beware! Some shady tweaks that you installed on their jailbroken devices are looking to steal your iCloud login credentials, a report said. The iCloud account details, including email addresses and passwords, of nearly 220,000 jailbreak users have been breached , an online Chinese vulnerability-reporting platform WooYun reported . WooYun is an information security platform where researchers report vulnerabilities and vendors give their feedbacks. Backdoor Privacy Attack The security breach, according to the website, was a result of ' backdoor privacy attack ' caused by the installation of a malicious jailbreak tweak. It appears that Hackers are using a variety of " built-in backdoors " that could be numerous of malicious jailbreak tweaks in an effort to acquire victim's iCloud account information. Once installed, these malicious tweaks transferred the iCloud login details of the jailbreak users to an unknown remote se

Earlier this year, Microsoft had announced to bring its Office 2016 soon to the world. Also, Office 2016 software version for Mac was released in July 2015. Now speculations gearing up are hinting towards a final release date of Office 2016 for Windows as 22nd September 2015. Though, for Window users it may not be quite a change, because in the new Office suite as compared to its predecessor Office 2013 no such major improvements are visible. Office 2016 for Windows is supposedly debuting in less than a month away and will be available for home and professional users initially. Improvements in Office 2016 Office 2016 is going to be more colorful, with bright and dark colored theme options. Also, this time Microsoft has made it pretty clear that people are required to have Office 365 subscriptions because this time Microsoft is going to send new updates of Office along with the updates of Office 365. Mostly, modifications are done in the Outlook applicat

" Change is the only constant thing ," as it is known could be now modified as " Change is the only constant thing* ," where the * means Terms and conditions apply ! A change ( Mobile Device Management solutions-MDM , Bring Your Own Device-BYOD ) was brought to the organizations, (which later became necessities) for smooth workflow and management of an organization; where resides mobile and other computing devices in masses. The devices, as well as the MDM solutions, are at risk , as reported. Security researchers at Appthority Mobile Threat Team, have found a vulnerability in the sandbox app within the Apple's iOS versions prior to 8.4.1, which makes the configuration settings of managed applications to be openly accessed by anyone. QuickSand – Loophole in Sandbox The vulnerability is assigned CVE-2015-5749 and is named as ' QuickSand ' because of the loophole being present in the Sandbox. Mobile Device Management (MDM) refe

As you may be aware, you need an Android smartphone to use an Android Wear smartwatch , but if you carry an Apple iPhone or iPad, you'll soon be able to use the same Android Wear smartwatch, without relying on unofficial third-party app support. Google is reportedly going to release its a new iOS app over to the App Store that will allow iPhone and iPad users to pair Android Wear devices such as Moto 360 and LG G Watch with their Apple products, French outlet 01net claimed . OFFICIAL ANDROID WEAR APP FOR iOS Google's new move to go cross-platform with an iOS app would expand support for the wearable platform beyond Android devices and target the potential market of tens of Millions of Apple users that may not be interested in purchasing an Apple Watch. As well as, with lower prices and strong design, a fair amount of Android Wear smartwatch demand would likely be there. The search engine giant is possibly planning to launch the Android Wear app for iOS at Google's annual develop

Security researchers have discovered a new type of "Man-in-the-Middle" (MitM) attack in the wild targeting smartphone and tablets users on devices running either iOS or Android around the world. The MitM attack, dubbed DoubleDirect , enables an attacker to redirect a victim's traffic of major websites such as Google, Facebook and Twitter to a device controlled by the attacker. Once done, cyber crooks can steal victims' valuable personal data, such as email IDs, login credentials and banking information as well as can deliver malware to the targeted mobile device. San Francisco-based mobile security firm Zimperium detailed the threat in a Thursday blog post , revealing that the DoubleDirect technique is being used by attackers in the wild in attacks against the users of web giants including Google, Facebook, Hotmail, Live.com and Twitter, across 31 countries, including the U.S., the U.K. and Canada. DoubleDirect makes use of ICMP (Internet Control Message P

Google is offering its users a completely new and better experience of its mailing service. And in an effort to do this, the company has launched a new email service, an alternative to Gmail, called " Inbox " on Wednesday that aims to make email more useful and preview next-generation capabilities. Inbox will not replace Gmail, the company's popular 10-year-old email product, instead it will sit next to its Gmail service and will provide users' better organize their emails with live alerts for appointments, flight bookings and package deliveries in a more user-friendly way. "Years in the making, Inbox is by the same people who brought you Gmail, but it's not Gmail: it's a completely different type of inbox, designed to focus on what really matters," wrote Sundar Pichai, Google's senior vice president of Android , Chrome and apps, in a blog post . According to the company, the Inbox service was designed to deal with the problem of ge

The allegations from a data forensic expert and security researcher that iOS contains a " backdoor " permitting third parties to potentially gain access to large amount of users' personal data instigated Apple to give a strong response. The company has completely denied to the claims published over the weekend by Jonathan Zdziarski, a forensic scientist and iOS security expert. The researcher, better identified as the hacker moniker " NerveGas ", detailed a number of undocumented features in a paper presentation titled, " Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices " showing his findings, from his talk at the Hackers On Planet Earth (HOPE X) conference held in New York on Friday. ALLEGATIONS ON APPLE The issue, what he explained in his finding, arises from the way Apple encrypts or fails to encrypt data from the iPhone's native apps, leaving over 600 million personal iOS devices vulnerable to third parties. &q

A well known iPhone hacker and forensic scientist has unearthed a range of undocumented and hidden functions in Apple iOS mobile operating system that make it possible for a hacker to completely bypass the backup encryption on iOS devices and can steal large amounts of users' personal data without entering passwords or personal identification numbers. Data forensics expert named Jonathan Zdziarski has posted the slides ( PDF ) titled " Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices " showing his findings, from his talk at the Hackers On Planet Earth (HOPE X) conference held in New York on Friday. Jonathan Zdziarski, better identified as the hacker " NerveGas " in the iPhone development community, worked as dev-team member on many of the early iOS jailbreaks and is also the author of five iOS-related O'Reilly books including " Hacking and Securing iOS Applications ." The results of his overall research on the iOS

BigBoss repository, one of the biggest and most popular repositories for jailbreak tweaks in Cydia , has reportedly been hacked by either an individual or a group of hackers. Cydia is a software application for iOS that enables a user to find and install software packages on jailbroken iOS Apple devices such as the iPhone, the iPod Touch, and the iPad. Most of the software packages available through Cydia are free, but some require purchasing. The BigBoss repository is default repository in jailbroken iOS devices and has long been one of Cydia's biggest and best, but it may have just been targeted by cybercriminals. The hackers, who go by the name "Kim Jong-Cracks", managed to gain access to all packages , including all paid as well as free, and made their own repository available with all BigBoss repository applications for free. " The other post more than likely broke rule 1 because it linked the site directly. To anyone that didn't see the post the BigBoss rep

Google has failed to provide a very important security measure in its Gmail application for iOS that left millions of its Apple device users to Man-in-the-Middle (MitM) attacks capable of monitoring encrypted email communications. Researcher at mobile security firm Lacoon has discovered that Google's Gmail iOS application, run on Macintosh mobile devices, does not perform what's known as "certificate pinning" when establishing a trusted connection between the mobile applications and back-end web services, which means an attacker can view plaintext emails and steal credentials in MitM attack. WHAT IS CERTIFICATE PINNING Certificate Pinning is a process designed to prevent user of the application from being a victim of an attack made by spoofing the SSL certificate . Certificate pinning automatically rejects the whole connection from sites that offer bogus SSL certificates and allow only SSL connections to hosts signed with certificates stored inside the application, whic

Security researchers from MetaIntell, the leader in intelligent led Mobile Risk Management (MRM), have discovered a major security vulnerability in the latest version of Facebook SDK that put millions of Facebook user's Authentication Tokens at risk. Facebook SDK for Android and iOS is the easiest way to integrate mobile apps with Facebook platform, which provides support for Login with Facebook authentication, reading and writing to Facebook APIs and many more. Facebook OAuth authentication or ' Login as Facebook ' mechanism is a personalized and secure way for users to sign into 3rd party apps without sharing their passwords. After the user approves the permissions as requested by the application, the Facebook SDK implements the OAuth 2.0 User-Agent flow to retrieve the secret user's access token required by the apps to call Facebook APIs to read, modify or write user's Facebook data on their behalf. ACCESSING UNENCRYPTED ACCESS TOKEN It is important that

Quite Surprisingly, a team of Chinese hackers, Pangu have released an untethered jailbreak for iOS 7.1 and iOS 7.1.1. This untethered jailbreak is compatible with iPhone 5s, iPhone 5c, iPhone 4S, iPhone 4, iPad Air, iPad 4, iPad 3, iPad 2, iPad mini, Retina iPad mini and iPod touch 5G running iOS 7.1-iOS 7.1.1. The jailbreak tool is currently available for Windows but works on every iOS devices. Many iOS users have posted on Reddit that the tool works successfully. Jailbreaking is a process of removing limitations on iOS devices , Apple's operating system, so you can install third party software not certified by Apple. Such devices include the iPhone, iPod touch, iPad, and second-generation Apple TV. One question rises in my mind that when Apple 's system root protections have been greatly enhanced in an effort to make jailbreaks more difficult, then what's the whole story behind the unexpectedly release of this jailbreak tool? STEPS TO JAILBREAK iOS 7.1 &a

The development of self own languages has become emblematic of the hot new trend in business as every big Internet service provider is now developing their own and unique programming languages. Two months ago, Facebook released its modern programming language called ' HACK ', which is specially designed to make the process of writing and testing code of complex websites and other software faster, and the company already drives almost all of the its social networking site to HACK over the last year. This Monday, Apple surprises the gathering of people who build software applications for Apple hardware devices at its World Wide Developers Conference (WWDC) by introducing its whole new programming language called Swift , which probably replace Apple's main programming language - Objective-C that is being loved by the developers who build software applications for Apple hardware devices, from iPhone, iPad to Macintosh. The first app built on Swift is the WWDC ap