This brief post will show you how hackers are able to download an App Store application, patch the binary, and upload it to a non-jailbroken device using its original App ID, without the device being aware that anything is amiss – this can be done with a $99 developer certificate from Apple and [optionally] an $89 disassembler. Also, with a $299 enterprise enrollment, a modified application can be loaded onto any iOS device, without first registering its UDID (great for black bag jobs and the intelligence community).
Now, it’s been known for quite sometime in the iPhone development community that you can sign application binaries using your own dev certificate. Nobody’s taken the time to write up exactly how people are doing this, so I thought I would explain it. This isn’t considered a security vulnerability, although it could certainly be used to load a malicious copycat application onto someone’s iPhone (with physical access). This is more a byproduct of developer signing rights on a device, after it’s been enabled with a custom developer profile. What this should be is a lesson to developers (such as Snapchat, and others who rely on client-side logic) that the client application cannot be trusted for critical program logic. What does this mean for non-technical readers? In plain English, it means that Snapchat, as well as any other self-expiring messaging app in the App Store, can be hacked (by the recipient) to not expire the photos and messages you send them. This should be a no-brainer, but it seems there is a lot of confusion about this, hence the technical explanation.
As a developer, putting your access control on the client side is taboo. Most developers understand that applications can be “hacked” on jailbroken devices to manipulate the program, but very few realize it can be done on non-jailbroken devices too. There are numerous jailbreak tweaks for unlimited skips in Pandora, to prevent Snapchat messages from expiring, and even to add favorites in your mentions on TweetBot. The ability to hack applications is why (the good) applications do it all server-side. Certain types of apps, however, are designed in such a way that they depend on client logic to enforce access controls. Take Snapchat, for example, whose expiring messages require that the client make photos inaccessible after a certain period of time. These types of applications put the end-user at risk in the sense that they are more likely to send compromising content to a party that they don’t necessarily trust – thinking, at least, that the message has to expire.
Below is a letter I’ve sent to Royal Media today regarding a journalist who has gone far beyond his ethical and professional boundaries to harass and attack me. Why you ask? Because I didn’t think a particular subject I was researching was credible enough yet to warrant a story. I wanted to bring this to the attention of the tech community as a lesson to be very careful about which journalists you choose to speak with. When you have new findings to share, the choice of which journalists you discuss them with can be harmful if you choose unethical or unprofessional reporters, who are not willing or able to come to an understanding of the details surrounding your work.
Unfortunately, this is not the first time I have had to deal with less than ethical journalists. If you recall, I’ve recently had to deal with a smear campaign from a ZDNet writer, who seemingly used her position in journalism to launch a libelous attack against me, motivated by my religious beliefs (or what she thinks they are), with the full support of the ZDNet staff, who never took any action. Sadly, today, any hack can become a “reporter”, in today’s sense of the word, regardless of what kind of journalism training, or even ethical training, they’ve had. News agencies rarely hold their own writers accountable, especially in tech, where misogyny / misandry thrive, and where personal attacks generate headlines.