Category Archives: Vulnerability
More security processes go wrong
I just signed a piece of card so that I could take a picture of it, clean it up and attach it to a document, pretending that I’d printed the document out, signed it, and scanned it back in. I … Continue reading
Posted in Authentication, Vulnerability
On the top 5 iOS appsec issues
Nearly 13 months ago, the Intrepidus Group published their top 5 iPhone application development security issues. Two of them are valid issues; the other three they should perhaps have thought longer over. The good: Sensitive data unprotected at rest. Secure … Continue reading
Posted in buffer-overflow, code-level, Crypto, Data Leakage, Encryption, iPad, iPhone, ssl, Updates, user-error, Vulnerability
On the broken(?) Mac App Store
A day after the Mac App Store was launched, people are reporting that it has been cracked. There are two separate stories here, a vapourware circumvention of the FairPlay DRM used to generate the receipts and a report that certain … Continue reading
Posted in Business, Crypto, Encryption, Mac, Vulnerability
Careful how you define your properties
Spot the vulnerability in this Objective-C class interface:

    @interface SomeParser : NSObject {
      @private
        NSString *content;
    }
    @property (nonatomic, retain) NSString *content;
    - (void)beginParsing;
    //…
    @end

Any idea? Let’s have a look at a use of this class in action: … Continue reading
Posted in iPad, iPhone, Mac, Vulnerability
On localisation and security
Hot on the heels of Uli’s post on the problems of translation, I present another problem you might encounter while localising your code. This is a genuine bug (now fixed, of course) in code I have worked on in the … Continue reading
Posted in buffer-overflow, l10n, Mac, Vulnerability
Which vendor “is least secure”?
The people over at Intego have a blog post, Which big vendor is least secure? They discuss that because Microsoft have upped their game, malware authors have started to target other products, notably those produced by Adobe and Apple. That … Continue reading
Posted in Business, Responsibility, threatmodel, Vulnerability
Security flaw liability
The Register recently ran an opinion piece called Don’t blame Willy the Mailboy for software security flaws. The article is a reaction to the following excerpt from a SANS sample application security procurement contract: No Malicious Code. Developer warrants that … Continue reading
Posted in Malware, Policy, Responsibility, Vulnerability