Thing about Apple

MrColin

The big big security problem is the user jail. Not the local permissions jail that keeps you from overwriting the executables and configs, but the jail with you, your single sign-on (SSO) for your iCloud, and your credit card just sitting there like ducks in a cage.

As I was looking to get Songs of Innocence out of my phone's iTunes library (which I still have very little idea how to manage myself) I came across this link. That page provides you with another link that supposedly removes the bonus U2 album pushed out to iDevices in various countries.

The problem that I see here is it habituates iOS and OSX users to go and visit a website and punch in their precious creds to get something done on their device which should be relatively straightforward locally. Users who don't know how SSL certs work, when habituated in this way, can become easy targets for phishing/spearphishing attacks. I would be willing to bet this is how the celebrity iCloud leaks happened.

We all know it has more to do with the proprietary lock-in strategy than lack of UI space for managing your own music library on your own damn device. Apple Inc. owes it to its users to put more good guys and time on working out this issue a little better IMHO.
 

KeithP

The big big security problem is the user jail. Not the local permissions jail that keeps you from overwriting the executables and configs, but the jail with you, your single sign-on (SSO) for your iCloud, and your credit card just sitting there like ducks in a cage.

You can have separate IDs for iCloud and iTunes purchases. And, of course, you don't have to leave your credit card info attached to your iTunes account.

The problem that I see here is it habituates iOS and OSX users to go and visit a website and punch in their precious creds to get something done on their device which should be relatively straightforward locally.

Apple has had a web portal for Apple ID management for quite some time. I don't think signing into a special web page to remove the U2 album does anything other than make the user's iTunes library safer for all listens. Anyway, don't other vendors such as Amazon and Google do the same thing?

Phishing is a problem for all users and all platforms.

-KeithP
 

Savatar

The 'user jail', in my opinion, does actually help to protect users. Most compromised iOS (and Android) devices are actually jailbroken, as most of the tools/techniques to do so require that.

The iCloud leaks/attacks, from what I have read, were mostly accomplished through abusing one of three things. First, in a few select cases a vulnerability in the 'Find my Phone' feature was perhaps to blame, which has since been patched. Second, most of the attacks were allegedly accomplished through a phishing attack on high-profile account holders. Finally, some sites speculated that attacks may have abused forgotten-password functionality, since most pictures were synced to the cloud even if they were deleted on the device itself (potentially in combination with the former technique to escalate from one account or service to another).

At least the second and third kind of attacks aren't particular to any individual service or company. However, companies are starting to take note and make their services more resistant to such attacks by promoting adoption of two-factor authentication and ensuring notifications are sent for account actions like changing a password or logging on from unfamiliar locations.
 