The IT Nerd

If you’ve just updated to iOS 9 or iOS 9.0.1, you might want to watch this video that demonstrates a new flaw found in either of those versions of iOS:

Here’s an explanation of what you’ve just seen. There appears to be a bug in the Siri lock screen access and iOS 9’s five-attempt lockout policy. Under a specific set of circumstances invoking Siri from an iPhone or iPad’s lock screen grants limited system access. I’ve tried out this attack and verified that this is an issue.

To protect yourself, you have two choices:

• Disable Siri lock screen access by navigating to Settings > Touch ID & Passcode, entering their current passcode and deactivating Siri under the “Allow access when locked” heading.
• Create a custom alphanumeric passcode.

Now it is unclear whether Apple is aware of this (but I am guessing that as this makes the rounds, they will become aware of it) or when a fix will be issued. Thus the best thing you can do is to use one of the above methods to mitigate this.

If you’re an iDevice user running iOS 9, you might want to update to iOS 9.0.1 which was released to the world a few minutes ago and contains these fixes:

• Fixes an issue where some users could not complete setup assistant after updating
• Fixes an issue where sometimes alarms and timers could fail to play
• Fixes an issue in Safari and Photos where pausing video could cause the paused frame to appear distorted
• Fixes an issue where some users with a custom APN setup via a profile would lose cellular data

In my case, it was a 35 MB update so I did it over the air. This came out a week after iOS 9 appeared which is about the same as last year’s iOS 8 to 8.0.1 release. Though they did kind of butcher that release. Since I’m the brave sort, I’m downloading it now and I will update you with what happens.

UPDATE: It’s installed. Nothing bad happened. I also don’t notice any spectacular changes either.

UPDATE #2: One thing that I do notice is with the Belkin Netcam App. When I updated to iOS 9, it had problems logging into my Netcam Cameras, or it would say that another user account was forced out which I assumed was my wife as we both have the app and use it on the same account. Those issues have gone away since installing iOS 9.0.1.

A couple of days ago, I wrote about the threat posed by Xcode Ghost and the fact that this slipped through Apple’s code review process. It now appears that Apple has added an XcodeGhost question and answer page to its Chinese website today that explains what the malware is, how some users may be affected and next steps the company is taking to ensure that developers and end users alike are protected against malicious software going forward.

That’s good and all. But it really concerns me that this happened in the first place. Hopefully the steps that Apple has taken will ensure that this never happens again.

If you’re an Apple Watch user who was waiting for watchOS 2 to ship after being delayed last week due to a serious bug, wait no longer. It is available to download. Key features for this update include:

• You can have apps that run directly on the Apple Watch rather than run on the iPhone
• New watch faces
• A nightstand mode
• A”time travel” feature to look at upcoming appointments, alarms and events

The update requires iOS 9 and can be downloaded over-the-air through the Apple Watch app on the iPhone by going to General –> Software Update. If you’ve downloaded the update, please leave a comment and share your thoughts.

If you’re an iOS user, you have a really dangerous piece of malware to worry about. Called XcodeGhost, it affects stock and jailbroken iOS devices. MacRumors has a FAQ on this new threat, but here’s what you need to know:

A malicious version of Xcode was uploaded to Chinese cloud file sharing service Baidu and downloaded by some iOS developers in China. 

Chinese developers then unknowingly compiled iOS apps using the modified Xcode IDE and distributed those infected apps through the App Store. 

Those apps then managed to pass through Apple’s code review process, enabling iOS users to install or update the infected apps on their devices. 

Lovely. There’s more:

Palo Alto Networks has shared a full list of over 50 infected iOS apps, including WeChat, NetEase Cloud Music, WinZip, Didi Chuxing, Railway 12306, China Unicom Mobile Office and Tonghuashun. 

Plus there’s this:

iOS apps infected with XcodeGhost malware can and do collect information about devices and then encrypt and upload that data to command and control (C2) servers run by attackers through the HTTP protocol. The system and app information that can be collected includes: 

• Current time 
• Current infected app’s name 
• The app’s bundle identifier 
• Current device’s name and type 
• Current system’s language and country 
• Current device’s UUID 
• Network type Palo Alto Networks also discovered that infected iOS apps can receive commands from the attacker through the C2 server to perform the following actions: 
• Prompt a fake alert dialog to phish user credentials; 
• Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps; 
• Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.

So, if you have any of the apps on Palo Alto’s list, you need to uninstall them right now. Then you should reset your device password and your iCloud password. In the meantime, Apple might want to look at their code review process as these apps passed through it and got out to the world. That’s not good.

UPDATE: Reuters reports that Apple has pulled any and all apps that have this malware.

Now available on the Google Play store is Apple’s first Android app which is called “Move To iOS” which as the name implies, helps you move to iOS from Android. To nobody’s surprise, Android fans are none to happy and have flooded Google Play with 1 star reviews. Here’s a few examples:

Ben Bartlett: 1 star — Do not install! Unless you want a lobotomy. Seriously? You think people to move to a restricted ecosystem that won’t even allow you to try apps before you buy?? Google why did you allow them to put this app here? Oh that’s right you promote innovation and don’t charge for it or place restrictions on it..

Marty Ballard: 1 star — Poor functionality I attempted to switch to ios (apparently zombies ate my brain) and my iPhone 3G would not accept my data. Also, my micro USB would not fit.

Jonathan Perez: 1 star — Dear Apple I downloaded this application with hopes of switching over to Ios from android. I’ve burned all my pencils since the only worthy writing tool is the holy apple pencil. I’ve decided to sell one of my kidneys, because I need that gold apple watch. And now I gotta have the iPhone 6s, because 3d touch just sounds like an intimate way to get to know my phone. Hope to throw my money at you soon sincerely- Mr. Complete Sarcasm

Lovely. But like I said, you can’t be surprised at the reaction. Now developers can reply to comments left in reviews, but in this case I do not see that happening. Though I wonder if this will be the same reaction that Apple gets Apple Music ported to Android later this year.

This isn’t good.

ThreatPost is reporting that there’s a bug in iOS and OS X that allows AirDrop which is Apple’s ad-hoc file transfer system to write files anywhere on the filesystem of the receiving devices. And they don’t have to agree to accept the file transfer for bad stuff to happen. Here’s the details:

The vulnerability lies in a library in both iOS and OS X, and Mark Dowd, the security researcher who discovered it, said he’s been able to exploit the flaw over AirDrop, the feature in OS X and iOS that enables users to send files directly to other devices. If a user has AirDrop set to allow connections from anyone—not just her contacts—an attacker could exploit the vulnerability on a default locked iOS device.

In fact, an attacker can exploit the vulnerability even if the victim doesn’t agree to accept the file sent over AirDrop.

Dowd, founder and director of Azimuth Security, was able to use the vulnerability, along with some other tactics to bypass the code-signing protections on iOS. To do this, he used his own Apple enterprise certificate to create a profile for his test app that allowed the app to run on any device. Under normal circumstances, when the app is first installed on a new device, the device would throw up a dialog asking the user if she trusts the app. However, Dowd is able to suppress this prompt by installing an enterprise provisioning profile on the device and marking it as trusted.

Lovely, This attack is apparently mitigated – but not fixed in iOS 9 which is going to hit the streets shortly. But there’s apparently no fix in OS X at present.

My suggestion. Turn off AirDrop and only turn it on when you need it. That should provide some degree of protection. Plus it will give you back a few minutes of battery life too as the device isn’t constantly scanning for devices that it could AirDrop to. In the meantime, let’s hop that Apple comes out with a real fix sooner rather than later.

During Apple’s event last week, it was announced that watchOS 2 would be released alongside iOS 9 today. That’s apparently changed according to Tech Crunch who has a statement from Apple that says that the OS for the Apple Watch family is delayed due to a bug:

Apple has delayed the release of watchOS 2, which was expected to be available today to owners of the Apple Watch.

“We have discovered a bug in development of watchOS 2 that is taking a bit longer to fix than we expected,” an Apple spokesperson told TechCrunch. “We will not release watchOS 2 today but will shortly.”

I actually like this. After the gong show that was iOS 8 and OS X Yosemite which were both clearly kicked out to the world before they were ready for prime time, Apple clearly has learned from that and made the decision to hold the software back until it is actually ready. Kudos to them for doing what’s right.

I’ll posting a story on iOS 9 when that hits the streets, which should be around 1PM Eastern based on Apple’s recent track record.