[conspire] 21st century web platforms

Rick Moen rick at linuxmafia.com
Sat Feb 15 23:54:47 PST 2020


I wrote:

> Possibly this Nov. 3, 2015 screed by Steve Gibson on 'Security Now':
> https://twit.tv/shows/security-now/episodes/532
> Looks like he finally gets to the point around 1:49:00.
[...]

Heh, just after posting that, I found informed comments at
https://www.reddit.com/r/technology/comments/3rjr4m/ios_is_fundamentally_unsecurable_against_rogue/ .
My favourite so far:

  You can tell it's bullshit because they don't even talk about it until
  1:50 hour in a 2 hour podcast. It's a shamelessly trumped up hook to get
  you to listen.

  Apps on Android and iOS run in a sandbox. To do anything else it has to
  break out of the sandbox. This Chinese "hacked" x-code just inserts some
  extra but normal code into the app, code that does normal app things but
  just not intended by the app developers.

  To tell you how retarded this is, Gibson says that C is verifiable
  because the functions an app calls were compiled in, but Objective C is
  insecure because you can call another function by name. But in C you can
  just take any function and add or subtract any amount you want and call
  it. You can call into the middle of a function if you want.

  This Gibson knows nothing about how to hack. This podcast calls into
  question everything else he's said security-wise.

Ding!  Exactly.  Couldn't have said that better, myself.  Also:

  Privileged platform functions can only be accessed via RPC (Apple's
  flavor is called XPC), and all XPC connections need to be allowed using
  an appropriate entitlement. Apple won't allow arbitrary entitlements for
  App Store apps, and entitlement blob is a part of a signed binary, so
  they're not forgeable in runtime.

  What they're talking about are private APIs, and those aren't privileged
  (at least not supposed to be), and you can access those just as easily
  in C calling function addresses directly instead of names.


FYI, the 13-page paper Gibson keeps referring to is archived here
(and theoretically available if ACM will let you have access):
https://dl.acm.org/doi/10.1145/2810103.2813675

...and discussed briefly in this blog post:
http://web.archive.org/web/20151019213008/https://sourcedna.com/blog/20151018/ios-apps-using-private-apis.html
