"iOS Security is fucked" -Zerodium Stops Accepting iOS Exploits Because of too Many Submissions

LAwLz

I’d be worried if this news was real


4 hours ago, Ashley xD said:

it only gets delivered through a browser if you visit a malicious site, and this is true for all platforms, not just iOS or android. it's sad that people liked that post, but whatever. you need to use common sense browsing the web on all platforms. 

As I said, I got a tech scam popup ad through eBay last year, I may have even posted about it on here. Only takes one hijacked forum account to post something malicious, one bad advert.


On 5/14/2020 at 7:08 AM, Windows9 said:

Time to switch to Android

No t2 chip.  No decent policing of App Store.  There may be easier exploits, but android is still worse.

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.

 

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.


So easiest safe bet is AOSP with latest security patches and FOSS apps? I try to make it work at least. Doesn't always though.


22 minutes ago, Jaxseven said:

So easiest safe bet is AOSP with latest security patches and FOSS apps? I try to make it work at least. Doesn't always though.

The solution for the true paranoid is no smartphone. A dumb phone that runs an embedded Linux and can be hardened.  Know one guy like that.



On 5/14/2020 at 5:05 AM, LAwLz said:

Personal opinion since that's necessary: I agree with Patrick that it's probably a bit of a PR stunt, but also a real issue. I also think it's important to distinguish between the various different "categories" of security there are in a product. For example it seems like iOS still has better on-device encryption than Android. It also seems like from a privacy standpoint, iOS is also better. But for executing code from a browser, or gaining escalated privileges, Android (at least AOSP) is better. Which one is most relevant for the average Joe is up for debate.

I still wouldn't switch to Android. Android is a dead OS that only persists because LG and Samsung haven't been able to push their far buggier OS's instead. It's all on Google.  18 months of updates vs 5+ years is a no brainer.

What I really really hate, and this applies to iOS as well, is that some software pushes updates so frequently that it reasonably makes me suspect that these aren't security updates at all, rather they are changes in some apps to work around things Apple told them to stop doing.

Dear mobile app developers: Start saying what CVEs you're fixing to encourage me to update your app *right now*, rather than wait till the weekend when I can review all 40 apps' change logs. Stop trying to be cute with this nonsense:

[attached: four screenshots of app change logs]

It's this kind of "oh we fixed bugs" but didn't say what they were, that makes me think they are pushing needless updates and the software quality is rubbish. Like nearly every app is "fixed bugs and improved performance", for every update, in every app.



51 minutes ago, Bombastinator said:

The solution for the true paranoid is no smartphone. A dumb phone that runs an embedded Linux and can be hardened.  Know one guy like that.

Yeah I get that sort of thing a lot in privacy forums and chats I frequent. It just doesn't work for a normal person, especially if you work for a big company. I've gone further than anyone I know in life, but honestly deleting Facebook and switching to AOSP is much further than people I know. Once the Librem 5 is a more consumer ready product maybe we'll be there, but it'll be hard. Web Apps and AOSP is the best I got right now.


Just now, Jaxseven said:

Yeah I get that sort of thing a lot in privacy forums and chats I frequent. It just doesn't work for a normal person, especially if you work for a big company. I've gone further than anyone I know in life, but honestly deleting Facebook and switching to AOSP is much further than people I know. Once the Librem 5 is a more consumer ready product maybe we'll be there, but it'll be hard. Web Apps and AOSP is the best I got right now.

Yep, and people know it.  Regulation could fix it so the people who don’t want it fixed prevent regulation and complain about it.



Anyone wanna make their own mobile OS? Or are we sitting here trying to tell multi-million dollar corporations what to do with their software and massively uninformed userbase(s) again?

 

/jk


looks at Apple's abysmal hardware designs

 

Y'all are surprised?

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs


23 hours ago, Ashley xD said:

that's a bad thing. you make it sound like apple is evil for making sure that its app store is secure.

I honestly think at this point after reading a lot of your posts in this thread and others, that you are trying to get reactions and anger out of people rather than add to the convo.

 

On 5/14/2020 at 2:44 PM, mr moose said:

I hate this excuse for poor security.  You know it's really hard to avoid dirty websites when the average user is trying to navigate the internet with only google for directions and a very basic knowledge of how malware works. Hell, even us experienced users who understand what sites to visit and when to close the browser and start again still get caught out occasionally, the last thing you need is a zero click exploit because it's too late once you're on the site to realize it wasn't the site you thought it was. 
 

 

Honestly, I haven’t had really any problems, I don’t exactly venture the internet, but I don’t think most people have the need to, only time I’ve got viruses is when I tried to download pirated movies and games back in 2010 lol.


another thing that’s been happening, is I’ll get a call from a “local” number, and I’m pretty sure they’re getting my info from a caller ID of sorts, but for the next 30 mins I’ll get bombarded with “insurance policy expiration” calls.

sadly I have to pick up all the calls I can, so I know if I have an employee calling out, so it’s not exactly practical to just not answer unknown calls, especially when they’re “local.”

-I doubt it’s just ios 

AMD blackout rig

 

cpu: ryzen 5 3600 @4.4ghz @1.35v

gpu: rx5700xt 2200mhz

ram: vengeance lpx c15 3200mhz

mobo: gigabyte b550 auros pro 

psu: cooler master mwe 650w

case: masterbox mbx520

fans:Noctua industrial 3000rpm x6


"THIS PLATFORMS SECURITY IS BAD"

shows nothing to back up this claim*

 

Could just be that this company is running out of cash and they needed some publicity to keep things going. 

 

Not saying that iOS security does not need to be worked on, but you know....these guys kinda thrive on hype...

Laptop: 2019 16" MacBook Pro i7, 512GB, 5300M 4GB, 16GB DDR4 | Phone: iPhone 13 Pro Max 128GB | Wearables: Apple Watch SE | Car: 2007 Ford Taurus SE | CPU: R7 5700X | Mobo: ASRock B450M Pro4 | RAM: 32GB 3200 | GPU: ASRock RX 5700 8GB | Case: Apple PowerMac G5 | OS: Win 11 | Storage: 1TB Crucial P3 NVME SSD, 1TB PNY CS900, & 4TB WD Blue HDD | PSU: Be Quiet! Pure Power 11 600W | Display: LG 27GL83A-B 1440p @ 144Hz, Dell S2719DGF 1440p @144Hz | Cooling: Wraith Prism | Keyboard: G610 Orion Cherry MX Brown | Mouse: G305 | Audio: Audio Technica ATH-M50X & Blue Snowball | Server: 2018 Core i3 Mac mini, 128GB SSD, Intel UHD 630, 16GB DDR4 | Storage: OWC Mercury Elite Pro Quad (6TB WD Blue HDD, 12TB Seagate Barracuda, 1TB Crucial SSD, 2TB Seagate Barracuda HDD)

5 hours ago, Kisai said:

I still wouldn't switch to Android. Android is a dead OS that only persists because LG and Samsung haven't been able to push their far buggier OS's instead. It's all on Google.  18 months of updates vs 5+ years is a no brainer.

In what way is it "dead"?

Why do you call the other OSes like I presume Tizen "buggier"? 

 

I feel like you're just throwing words around to sound cool and edgy, but you're completely misusing them and they make no sense in the context.

 

 

5 hours ago, Kisai said:

What I really really hate, and this applies to iOS as well, is that some software pushes updates so frequently that it reasonably makes me suspect that these aren't security updates at all, rather they are changes in some apps to work around things Apple told them to stop doing.

 

Dear mobile app developers: Start saying what CVEs you're fixing to encourage me to update your app *right now*, rather than wait till the weekend when I can review all 40 apps' change logs. Stop trying to be cute with this nonsense:

While I agree that app developers should be better at describing what changes were made, CVE listing would be pretty useless.

1) CVE isn't for bugs (unless they are security related). 

2) Not all security issues get CVE listings (only publicly known ones).


1 hour ago, DrMacintosh said:

"THIS PLATFORMS SECURITY IS BAD"

shows nothing to back up this claim*

 

Could just be that this company is running out of cash and they needed some publicity to keep things going. 

 

Not saying that iOS security does not need to be worked on, but you know....these guys kinda thrive on hype...

They don't really need to show proof. Their entire business model is based on supply and demand. Telling people "we don't want any more exploits for iOS" would be extremely counterproductive if they were running out of cash.

 

You have to remember that their entire business is based on getting info about security vulnerabilities. If they are going "please don't give us more info about ios related security issues" then they are not struggling for money. 

I mean, what you're saying makes as little sense as saying "the iPhone is sold out? Must be evidence that Apple is struggling for money. If they weren't they would make more, but instead they try to limit how many people can buy their product!". 


Completely left iOS 6 years ago (used to carry 2 phones, one of which was an iPhone, for a couple of years before that) and never looked back. And I'm glad I did.

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>


20 minutes ago, Curious Pineapple said:

And why is the T2 a good idea?

Good idea?  I didn’t say that.  T2 has big ramifications for repairability.  It is technically a security feature though.  So while Apple OS apparently has serious bug problems it’s backstopped by t2 even though t2 has other issues.  Makes this thread effectively an argument for why t2 can’t be removed even if it might need to be.


Just now, Bombastinator said:

Good idea?  I didn’t say that.  T2 has big ramifications for repairability.  It is technically a security feature though.  So while Apple OS apparently has serious bug problems it’s backstopped by t2 even though t2 has other issues. 

You used it as a point followed by "android is still worse". Kind of reads as if you meant it is a reason for Android to be worse ;)


9 minutes ago, Curious Pineapple said:

You used it as a point followed by "android is still worse". Kind of reads as if you meant it is a reason for Android to be worse ;)

And it is. Doesn’t make t2 a “good idea” generally.  The costs are massive in repairability.  Android may not have this problem with exploits being described (though it might) but t2 makes these exploits less problematic whether or not t2 has other problems (which it seems to). Then there is the vetting Apple does for their App Store that keeps these security holes from being exploited.  I agree that leaving them open because they have other mitigation in place is not a good idea, but it doesn’t mean that other mitigation is not in place.


1 minute ago, Bombastinator said:

And it is. Doesn’t make t2 a “good idea” generally.  The costs are massive in repairability.  Android may not have this problem with exploits being described (though it might) but t2 makes these exploits less problematic whether or not t2 has other problems (which it seems to). Then there is the vetting Apple does for their App Store that keeps these security holes from being exploited.  I agree that leaving them open because they have other mitigation in place is not a good idea, but it doesn’t mean that other mitigation is not in place.

Let me get this straight. Android devices seemingly don't have security holes that require a monster such as the T2 to mitigate, so by not having that mitigation, the platform is worse? That's like advising people to buy Intel over AMD because although Intel processors have had vulnerabilities, they fixed them but AMD didn't because they didn't have the issues to start with.

 

Makes sense. Buy the product with fixed security holes that have drawbacks, because the product that doesn't have the holes never got fixed.


16 minutes ago, valdyrgramr said:

Even if they police the app store there's still the vulnerabilities in the security of the default browser.  Which is far easier to exploit for a hacker.  They prove it all the time at Pwn2Own.

The default browser has been near useless for a year or so.  Google has been producing “free” SDKs for developers which are supposed to be universal but actually aren’t and break on safari.   No one uses it as a result.  


1 minute ago, valdyrgramr said:

So, what do they use in place of it?   Apparently, the last exploit was iOS itself, but to be fair to Apple, that could have been fixed by now as it was 11.1.   Firefox and Chrome based OSes also have exploits that Pwn2Own competitors manipulate with ease.   So, a hacker doesn't really need you downloading apps from the play store or itunes.   Side loading and the browser are far easier to manipulate for them.

I'm currently using Firefox, which is also under some attack, with Brave as a backup because it’s still slightly less evil than straight Chrome even with all its advertising crap.   I miss Safari working.


Just now, valdyrgramr said:

Not sure about Brave, but Safari/Firefox/Chrome based browsers are the easiest to exploit based on Pwn2Own.   Still not sure if Apple actually fixed their iOS security flaws since 11.1 or not as I don't follow it that close, to be honest.   And, side loading is just kissing security goodbye on your own while buying dinner for a hacker.   Apparently W8.1 had a lot of problems too.   Oof

Brave is Chrome based like Edge.  You named all the browsers there.  If Pwn2Own affects everything it doesn’t matter.  Or it does but it doesn’t change relative strength.


On 5/14/2020 at 7:40 PM, StDragon said:

Online advertisement is high volume but low margin. Many of these 3rd party hosted advertisement providers run on a shoestring budget because it's so competitive. There are large swaths of un-patched servers out there tasked to hosting the banner ads. All it takes is one of them to get hacked and soon they serve drive-by malware as those infected ad servers rotate into view.

This is why I always run adblocker when possible. Honestly I find adblocker to be one key way to protect yourself from viruses and the like. 


3 hours ago, AndrzejL said:

For some reason I do not believe in all this nonsense. A while back, not very long ago, they were paying big money for iOS 0-days. Now they say they have tons? I will take my chances and keep using my iPhone 6s+ with the latest iOS on it.

 

Also I love how the android fanboys are having a field day...

 

Cheers

 

Andrzej

Well it's quite funny that Apple didn't learn from the era of jailbreaking through a browser and STILL has gaping holes in Safari.
