There's nothing like a reminder that IT Security Is Difficult when examples emerge of companies with significant development resources falling victim to security holes. Such is the case with this exploit of iOS in-app purchases exposed a few days ago.
In this particular case, I don't think the consequences of the flaw will necessarily be so terrible. To implement it, you apparently need to install certificates, fiddle with DNS settings and hand over your iTunes account credentials to Russian hackers; I suspect that at least one of these steps may be a hurdle for the average user of a platform generally chosen specifically by users who want to avoid this kind of hackery-pokery. But it serves as a wake-up call nonetheless.
The wake-up call to Javamex readers is that the main programming flaw appears to have been a failure to adhere to a basic principle of secure connections: ensure that the server that you think you're talking to actually is the server that you're talking to!
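To make that principle concrete, here is an added example (it is not code from the original post and has nothing to do with Apple's implementation) written in Python with the standard `ssl` module. The point it illustrates is that "the server I think I'm talking to" is a hostname the client chose in advance, and the server must prove it holds a trusted certificate issued for exactly that name; an attacker who can point DNS wherever they like gains nothing if that check is in place. The certificate dictionary below is constructed by hand in the shape `ssl.SSLSocket.getpeercert()` returns, and all host names in it (`shop.example.com`, `*.cdn.example.com`) are hypothetical. The hostname matcher is a deliberately minimal, readable version of the RFC 6125 rules (wildcard only as the whole left-most label, subjectAltName only); in production you would rely on the library's own check, which `make_client_context()` leaves switched on.

```python
import socket
import ssl
from typing import Any, Dict

# Constructed sample, not captured from any real server: the dict shape is what
# ssl.SSLSocket.getpeercert() returns for a certificate issued to the
# hypothetical names below.
SAMPLE_PEER_CERT: Dict[str, Any] = {
    "subject": ((("commonName", "shop.example.com"),),),
    "subjectAltName": (
        ("DNS", "shop.example.com"),
        ("DNS", "*.cdn.example.com"),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def _dns_name_matches(pattern: str, name: str) -> bool:
    """Match one certificate DNS name against the host the client intended.

    A wildcard is honoured only as the entire left-most label, so
    "*.cdn.example.com" covers "img.cdn.example.com" but neither
    "a.b.cdn.example.com" nor the bare "cdn.example.com".
    Comparison is case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    suffix = pattern[1:]  # ".cdn.example.com"
    head, sep, rest = name.partition(".")
    return bool(sep) and head != "" and "*" not in head and ("." + rest) == suffix


def hostname_matches(cert: Dict[str, Any], intended_host: str) -> bool:
    """Return True if the certificate was issued for intended_host.

    Only subjectAltName DNS entries count; the commonName fallback is obsolete
    and modern verifiers ignore it. The name compared is the host the client
    *meant* to reach, never whatever address DNS happened to resolve to, which
    is precisely the check a DNS redirection trick relies on being absent.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    return any(_dns_name_matches(p, intended_host) for p in dns_names)


def make_client_context() -> ssl.SSLContext:
    """Hardened client context: chain validation and hostname checking both on."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_client_context() -> ssl.SSLContext:
    """The misconfiguration to look for in code review: any certificate from
    anyone is accepted, so the server is never actually identified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context both validates the chain and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def open_verified_connection(intended_host: str, port: int = 443) -> ssl.SSLSocket:
    """Connect and let the library enforce the principle: server_hostname is
    the name we chose, and the handshake fails unless the peer proves it."""
    ctx = make_client_context()
    raw = socket.create_connection((intended_host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=intended_host)


if __name__ == "__main__":
    for host in ("shop.example.com", "img.cdn.example.com", "cdn.example.com",
                 "redirected-by-dns.example.net"):
        print(f"{host:32} accepted={hostname_matches(SAMPLE_PEER_CERT, host)}")
    print("hardened context verifies peer:", context_verifies_peer(make_client_context()))
    print("weak context verifies peer:    ", context_verifies_peer(make_weak_client_context()))
```

Running the block prints one line per sample host; only the two names the constructed certificate actually covers are accepted, and the weak context is reported as not verifying the peer. The same two properties, a trusted chain and a name match against the host you intended, are what any TLS client library enforces when left at its defaults, and what is lost the moment certificate or hostname checking is switched off to "make it work".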