Over 225,000 Apple Accounts Compromised Via iOS Malware

An anonymous reader writes: Researchers from Palo Alto Networks and WeipTech have unearthed a scheme that resulted in the largest known Apple account theft caused by malware. All in all, some 225,000 valid Apple accounts have been compromised. The theft is executed via variants of the KeyRaider iOS malware, which targets jailbroken iOS devices. Most of the victims are Chinese — the malware is distributed through third-party Cydia repositories in China — but users in other countries have also been affected (European countries, the U.S., Australia, South Korea, and so on). "The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device," Palo Alto researcher Claud Xiao explained. "KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads."

Jail broken devices?

[Anonymous Coward]

Only jail broken devices were affected. Anyone who jail breaks is aware of the risk they are taking.

Re:Jail broken devices?

[geogob]

Anyone who jail breaks is aware of the risk they are taking.

I think they just heard me laugh all the way to China. Seriously, most people can't even grasp the concept of risk when think of software and operating systems. How in the world do you expect them to understand those risk?

No. Contrary to some believes, most (as in almost) all jailbrokers have no clue what they do and have no idea of what are the risks involved and how important (or not) they are.

Re:

[BasilBrush]

You're right, most of them don't have a clue. Yet they are still responsible for what they've done.

Re:

[war4peace]

Correct question is "why do they jailbreak?".

Re:

[Spy Handler]

Correct question is "why do they jailbreak?".

It said most of the affected devices were in China, infected via a third-party Cydia site. Meaning, they jailbreak so they can install pirated apps for free instead of paying Apple in the official app store.

Headline leaves out one very important detail

[berj]

Headline leaves out the fact that this isn't just any old iOS malware. It affects only *jailbroken* devices.

That's a pretty important distinction.

Re:

[Anonymous Coward]

Well, it's the same distinction that people miss on over 99% of android malware. The overwhelming majority of the malware is only viable on rooted devices and is spread via third-party app stores and "free" APK download sites.

Re:Headline leaves out one very important detail

[gstoddart]

Oh, really?

The theft is executed via variants of the KeyRaider iOS malware, which targets jailbroken iOS devices. Most of the victims are Chinese â" the malware is distributed through third-party Cydia repositories in China

The headline might leave it out, but the summary sure makes it plain.

Re:Headline leaves out one very important detail

[dimeglio]

Pretty much. That's the point of living in a walled garden. You break the wall, who knows what's going to step inside.

Re:

[MachineShedFred]

You do know there's a massive gulf between "I can root it because I have physical access to the device and all the passwords" and "omg my device got rooted over the air by unknown parties!" ... right?

Re:

[exomondo]

You do know there's a massive gulf between "I can root it because I have physical access to the device and all the passwords" and "omg my device got rooted over the air by unknown parties!" ... right?

Forgotten JailbreakMe? Where your device could be jailbroken just by visiting a website?

Re:Headline leaves out one very important detail

[berj]

Your ridiculous post borders on a tautology.

It's true... if you bypass security measures then you're no longer secure.

That's hard for you to understand?

You expect the lock maker to be liable if you leave your door open?

Re:

[infolation]

You expect the lock maker to be liable if you leave your door open?

I expect to be able to remove the housebuilder's lock (so the housebuilder can't wander into my house whenever they want) and put my own lock on the front door.

Re:

[jerk]

And it seems that 225,000 people did the first part, but just left the lock off their door and didn't bother installing a new lock.

Re:

[exomondo]

The question that seems to have been missed is whether the jailbreak is just a mechanism to get the malware on the device or not. If this slipped through the curators of Apple's app store would devices be vulnerable to the exploit? Also we have seen web-based jailbreaks before that you could do just by visiting a website, doing that and installing malware in the process appears pretty viable.

Given the history, sweeping this under the rug and saying it doesn't matter because it only affects jailbroken device

Re:Headline leaves out one very important detail

[swillden]

I expect to be able to go in and out of my door. That's what doors are for. Apple doesn't even give you a door. You have to break your way through the wall. Then there's a hole there. That's why Apple products are only sufficient for sheep. They don't break down walls, they just wander through holes.

It's worth pointing out that if you root your Android device you're doing the same thing, breaking through a wall. That's fine if it's what you want to do, but you are giving something up in terms of security.

As a member of the Android security team, I'm involved in lots of discussions about lots of different threat models and attack vectors, and while we do think about trying to maintain security on rooted devices, I'd say that 90% of the time we end up deciding that we just can't, so "device is running an official image[*] and is not rooted" becomes a foundational assumption of the analysis.

This isn't because rooting is inherently bad, or because we're trying to control user's devices, but because it's impossible to reason about security in a vacuum. You have to know what you can depend on. For example, we might argue that apps can't break out of their sandbox in a particular way because the information they need to do it is managed by a particular system daemon which validates access in a particular way... but in a rooted device that daemon may be modified, or simply bypassed. We just can't know that stuff is still working the way it's intended to. Some members of the modding community do an outstanding job of adding flexibility without breaking the security model, but many others don't.

Ideally, devices should provide enough native flexibility to allow users to achieve what they want while staying entirely within the normal mode of operation. In the case of Android that means staying within Google's "walled garden": install apps only from the play store, keep Verify Apps enabled (and follow its recommendations), don't root, definitely don't disable SELinux, etc. Where that ideal fails, and users want to do stuff that can't be done in the garden, they should have the option of stepping out of it, and they should be able to do so in a progressive way, not all-or-none... but each step they take increases the probability that they'll change something that violates a security assumption and thereby increases their risk of compromise.

I suspect that Apple security engineers even more strongly assume that devices are not jailbroken. That's just a guess, but it's consistent with the general philosophy of iOS and, if correct, it means that jailbreakers have even less expectation of security. iOS users also live in a software monoculture, which exacerbates the risk. (Android users get security benefits from ecosystem diversity, though there are obvious costs to that diversity as well. Including the update problem.)

[*] Note that given the state of updates in the Android ecosystem, we often don't assume that the device is running an up to date system image. From our perspective that's often easier to work with than a rooted device because at least we know how it behaves and can look at trying to mitigate risks at other layers. We're also working on the update situation, but that's hard given the nature of the ecosystem.

Re:

[macs4all]

I expect to be able to go in and out of my door. That's what doors are for. Apple doesn't even give you a door. You have to break your way through the wall. Then there's a hole there. That's why Apple products are only sufficient for sheep. They don't break down walls, they just wander through holes.

Oh, PUH-LEASE!!!

Re:

[mwvdlee]

There are alternatives besides "IOS" and "jailbroken IOS", you know.

Re:

[drinkypoo]

There are alternatives besides "IOS" and "jailbroken IOS", you know.

Apple has already brought some of the magic of the iOS ecosystem to OSX, and will only bring more. Also, how the fuck did Apple make OSX so slow? It's agony. NeXTStep was about as responsive on an '030 as OSX is on modern processors.

Re:

[Noah Haders]

its cuz they have clearly decided that computers are "fast enough", and are trading off benefits in speed for other characteristics for instance, they make the computer slimmer while keeping performance the same.

Re:

[BasilBrush]

What are you running OSX on? It's certainly not slow here.

Re:

[macs4all]

I know it's a security feature. Problem is, it's for Apple's security first, and yours second.

Prove it.

Re:Headline leaves out one very important detail

[Anonymous Coward]

So, if I run OpenBSD, but replace OpenSSH with Bob'sSSH, and there is a security problem with Bob'sSSH, it's OpenBSD's fault?

Re:Headline leaves out one very important detail

[Applehu Akbar]

The technical term for jailbroken, insecure versions of iOS is "Android."

Re: Headline leaves out one very important detail

[cyber-vandal]

You still have to change a setting in order to install shady third party apps on Android.

Re:

[swillden]

The technical term for jailbroken, insecure versions of iOS is "Android."

That's a common belief. In practice, I don't think it's true. In particular, although the Android world sees lots of announcements of vulnerabilities that affect X hundred million devices, the actual exploitation doesn't seem to follow. One reason is that many of the vulnerabilities aren't actually as widespread or are harder to exploit in practice than the researchers describe. Another is that the diversity of the Android ecosystem often means that an exploit has to be customized for each different manufac

Re:

[gstoddart]

Would this be any different with Android or Microsoft?

Root your device, and install software from unknown places ... and guess what ... it doesn't matter whose damned platform you're running.

Hell, you can get malware from using download.com, cnet and other places too.

News flash ... installing software from unknown sources can be a security risk no matter what your damned platform.

Apple (or any other vendor) can't do a damned thing to protect your security when you go to great lengths to install software fro

Re: Headline leaves out one very important detail

[fluffernutter]

When I purchased my Android phone I wanted a true Open VPN client and native access to the filesystem. Fortunately I could do that without rooting it. On the contrary I would have had to root an iPhone to get those features.

Re:

[flopsquad]

When I purchased my Android phone I wanted a true Open VPN client and native access to the filesystem. Fortunately I could do that without rooting it. On the contrary I would have had to root an iPhone to get those features.

This, I discovered the hard way, is not a universal quality of Android devices. Depending on the manufacturer and carrier, some are quite a bit less open than even iDevices.

Re:

[Noah Haders]

+1, that's not a bad point.

Re:

[MachineShedFred]

You are also a member of a small minority based on your requirements. Nothing wrong with that at all, and clearly an iPhone doesn't satisfy those requirements. I'm glad you found a device that did.

I don't understand why Slashdot can't figure out that the type of people that frequent this site have very different requirements than other people, and that all devices must not meet the superset of requirements found here and elsewhere.

It's a damn tool, like a socket set. If the socket set doesn't have the sp

Re: Headline leaves out one very important detail

[fluffernutter]

Perhaps an iPhone is like a socket set, but one that only works on apple built products. I prefer a standard hex socket set that works on everything.

Re:

[flopsquad]

I would have had to root an iPhone to get those features and would have exposed myself.

AFAIK, they recommend flashing the firmware, not a bus full of nuns.

Re:

[MachineShedFred]

Access to the filesystem, yes. OpenVPN - no. [apple.com]

I use this on my iPad quite frequently to access systems in our AWS VPC.

Re:

[narcc]

You're really upset about this. I can only guess as to why. Relax, Apple doesn't need you to help them. They'll be fine.

Why not direct some of that energy at trying to figure out why so many users want to jailbreak their phones? Why aren't they satisfied with the 'experience' Apple provided? What could they do differently so as to make jailbreaking less attractive?

Re:

[macs4all]

You're really upset about this. I can only guess as to why. Relax, Apple doesn't need you to help them. They'll be fine.

Why not direct some of that energy at trying to figure out why so many users want to jailbreak their phones? Why aren't they satisfied with the 'experience' Apple provided? What could they do differently so as to make jailbreaking less attractive?

I'm "really upset" at the idiot (drinkypoo) that keeps posting stuff like it is somehow Apple's responsibility, or even its power, to control the behavior of modified devices.

You will notice that it is primarily Chinese users; who have a culture of wanting to rip off basically every bit of software they run on any Device. So, rather than pay the princely sum of 99 cents (equiv.) to get some stupid little App, they would rather go to some grey-market site and download a malware-infested knockoff.

Then, th

Re:

[narcc]

Okay. Some perspective: It's a forum post. There's no reason to get stressed-out. Who the hell cares what he thinks?

You will notice that it is primarily Chinese users; who have a culture of wanting to rip off basically every bit of software they run on any Device.

Bigotry aside for the moment, can you think of no other reason someone would want to jailbreak their device? The first time someone asked me to jailbreak an iOS device, it was because they wanted to use it as a wifi hotspot. The second time was for a guy who wanted webgl to work on his iPad.

There's a guy here who wanted to jailbreak his device to make it easier for him to transfer files

Re:

[gnasher719]

I asked you to consider the question: "What can Apple to do make jailbreaking less attractive?" The answer should be obvious by now, so why hasn't Apple reacted? In that way, Apple encourages jailbreaking. Some blame is justified.

Ask yourself: What's in it for Apple? If you buy an iPhone with the intent of jailbreaking, Apple has made a sale. Convincing people to not jailbreak doesn't give much benefit to Apple. And frankly, your claim that Apple encourages jailbreaking is ridiculous: They do their hardest to prevent jailbreaking from happening.

But what Apple is really interested in is any improvement that makes more people buy an iPhone. And things that people jailbreak for are usually things that affect suitability of the iPhon

Re:

[narcc]

And things that people jailbreak for are usually things that affect suitability of the iPhone for everyone, and would eventually reduce sales.

People end up jailbreaking because they expect certain features that, after purchase, they discover aren't available. Further, things like "the ability to copy a file to and from the phone" aren't going to hurt the "experience" as users who don't need that feature aren't encumbered by it in any way.

What does hurt users, of course, are the missing basic features. Apples stubborn refusal to address these issues is what drives users to jailbreak their phones. That's what I mean by "encourages".

They do their hardest to prevent jailbreaking from happening.

The best way

Re:

[macs4all]

People end up jailbreaking because they expect certain features that, after purchase, they discover aren't available. Further, things like "the ability to copy a file to and from the phone" aren't going to hurt the "experience" as users who don't need that feature aren't encumbered by it in any way.

There are about two dozen (or more) File-Transfer Apps for iOS. Most just start up a little web server, and tell you where to point your browser to copy files to/from. Next!

What does hurt users, of course, are the missing basic features.

What "basic features" is iOS missing? Seriously, I really can't think of any "basic" features that iOS is missing, and although you keep trumpeting that phrase over and over, you have yet to come up with a list, and your "file copy" example is addressed in many ways. Fuck, GoodReader alone can talk to ftp, SFTP, afp, WebDAV, SMB, DropBox

Re: Headline leaves out one very important detail

[fluffernutter]

All of those solutions lock the transferred file in the app itself, so you can only manipulate the file in the way that the app allows. Do any of them allow you to execute a windows exe off the device? I find it handy to have portable apps on my phone. Plug in a USB cable and they're all available.

Re:

[macs4all]

Why do so many people install Cyn on their androids? Or OpenWRT on routers? Because they want features not offered. Same shit different toilet my friend.

That too.

Re:

[berj]

Has nothing to do with coming to anyone's defence. It as to do with people knowing, at a glance, that this doesn't affect them if their device isn't jailbroken.

Re:

[gstoddart]

So, read the entire summary ... and you too, can knowing at a glance, that this doesn't affect you.

Just like the rest of us knowinged it.

The knowing is available for anybody willing to read as many as four sentences.

The glancing and the knowing are free. The lack of glancing at the knowing isn't a limitation of the story or the submission.

Re:

[berj]

Yes.. it's important enough that it should be in the headline. It's just about the most salient fact about this exploit.

Re:

[gstoddart]

It's not a tweet, it's a story submission ... if headlines read like "Over 225,000 Apple Accounts Compromised Via iOS Malware but only if you jailbroke your phone and installed from a separate source but then that's your damned problem because you did it to yourself but it's Monday so who cares anyway because I need more coffee" it would be annoying and would get truncated.

Honestly, this is you complaining about your lack of attention to read TFS.

The story submission is fine. It's demanding you not have to

Re:

[berj]

Over 225,000 Apple Accounts Compromised Via jailbroken iOS Malware

One extra word.. easy peasy.

Or maybe:

Malware on jailbroken iOS devices. Over 225,000 Apple accounts compromised.

Two extra words.. still easy peasy.

Other slashdot headlines are just as long so it can't possibly be about "too long for a submission headline".

It's really not very hard to be concise and accurate in a headline.. if one is really interested.

Re:

[ColdWetDog]

Ok, you're hired. You can take Timothy's place.

Are you happy now?

Re:

[macs4all]

Headline leaves out the fact that this isn't just any old iOS malware. It affects only *jailbroken* devices.

That's a pretty important distinction.

Jailbreaking a device is in effect the same as installing a rootkit, so already at the first step here iOS has been severely compromised in a way it shouldn't have allowed. Yes, the user did install the rootkit (at least now, earlier there were drive-by iOS jailbreaks/rootkits) -- same way rootkits for Windows usually gets installed -- but for the OS to allow to be compromised this way is a security failing.

Boy, talk about damned if you do, and damned if you don't!

So, if Apple battens down iOS such that NO ONE can jailbreak, then the slashdot crowd whines that Apple is Teh Evilz, and if Apple looks the other way when someone jailbreaks, then they are lax on their security.

Which way do you guys want it, anyway???

paper cash-only society

[AndyKron]

I'm pretty sure technology will drive us toward a paper cash-only society.

Re:

[linuxguy]

> I'm pretty sure technology will drive us toward a paper cash-only society.

This story isn't about someone's bank account being depleted because of software security issues.

For every story you show me where someone lost cash electronically because of software security issue, I will show you 10 where someone lost paper cash. Either it was stolen from their house, work or they were robbed on the street.

Is paper cash more secure than electronic cash and transactions? The data certainly does not show it.

Re:

[AndyKron]

I think paper cash is more secure than electronic cash. What data do you have?

Never understand jailbreaking an Apple iOS device

[Aqualung812]

I'm an Apple iOS user, and a former Palm/Windows CE/Blackberry/Windows Phone/Android user.

I simply don't understand jailbreaking an iPhone. The whole point of me having an iPhone is to take advantage of the walled garden.

If I want something with better hardware on a lower price that I can customize any way I want, I'd have an Android again.

Since having a reliable and secure phone is more important to me than features, I have have decided to get an iPhone and not jailbreak it.

Can those that do jailbreak explain why they don't go to Android?

Re:

[brunes69]

If you had ever used a jailbroken iPhone and realized the capabilities it unlocks, you would change your mind.

The idea that a jailbroken iPhone is more or less secure than an unjailbroken one is a fallacy. The people got this malware by downloading and installing pirated iOS applications that were infected with it - something that is ENABLED by jailbreaking. Just because a phone is jailbroken does not put it into some unsecure state, you have to do that yourself.

Re:Never understand jailbreaking an Apple iOS devi

[joh]

Of course jailbreaking iOS puts it into some insecure state. Quite literally. Jailbreaking circumvents code signing for all code that runs on the device which means that every bit of code that makes its way onto the phone will happily run now. Also using the repositories means that you will install undocumented binary code from unknown people. Since you don't have the sources there is no way to check what this code does and since whoever wrote that code faces no risk when his code is discovered to be malware there's very little you can do after the fact.

This is less secure than a device that is not jailbroken.

I mean, do what you want to do by all means, but at least try to know what you're doing so you can correctly balance the risks and advantages you get by what you're doing.

Re:

[Aqualung812]

If you had ever used a jailbroken iPhone and realized the capabilities it unlocks, you would change your mind

I'm aware of the capabilities it unlocks, but I'm just curious why I'd accept the lost stability, not just security, that happens when using an iPhone outside of the way it was designed.

Apple is great at doing the things they intended you to do with the device. It is well known that if you try to use an Apple device in a way it wasn't designed for, it will be frustrating and difficult.

You're swimming upstream on a jailbroken Apple iOS. Why not use an Android, which was designed with a totally different and

Re:

[brunes69]

Nearly all Android phones come carrier bootloader locked so I would hardly say they have a "different and open mentality".

Even Google's Nexus phones come with a locked bootloader that needs to be unlocked in order to root the phone and do the equivalent of what you do with a jailbroken iphone.

Re:

[jo_ham]

You mean like the jailbreak exploit that left an open SSH listen with a default root username and password?

Mm. Super secure, just like before it was rooted.

Re: Never understand jailbreaking an Apple iOS dev

[fluffernutter]

How exactly does one take advantage of walls that only prevent you from enjoying more garden?

Re:

[Aqualung812]

How exactly does one take advantage of walls that only prevent you from enjoying more garden?

The walls that keep me in keep the pests and intruders out. Sure, there is garden I'm missing out on, but I have enough garden to meet my needs and I never find that my vegetables are stolen or burned when I go to my garden.

More freedom has more risk, in pretty much any venue.

I used to do some CRAZY shit with my non-Apple phones. Then came the day that the latest app I installed and modified kept me from making a business call while travelling away from a computer which was needed to regain control of my de

Re: Never understand jailbreaking an Apple iOS de

[fluffernutter]

I'm not talking about pests and bugs. Providing regular user access to the filesystem does not introduce pests and bugs.

Re:

[Aqualung812]

Oh, I agree with you there. I really wish they would add that.

I'm not an Apple Fanboi, I really disagree with how heavy-handed they are.

Still, they fit my balance of risk/functionality right now.

Re:

[danbob999]

There is no advantage to the iPhone's walled garden.
On Android, you can allow "unknown sources" if you want to. That option is disabled by default. You would be free not to check it on Android.

I understand that some people prefer the iPhone and/or iOS, for various reasons, but the walled garden is really not something I even consider an argument.

Re:

[flopsquad]

There are quite a few nifty features and tweaks available to a JB device that aren't possible on stock iOS. As others have mentioned, finer grained OS controls like f.lux, the ability to actually interact with the filesystem (on the device or plugged in), disallowed apps like emulators, removing stock apps, etc. It drove me nuts that on my first iPhone, I could silence every singe sound and vibration--but every time I plugged it in, it buzzed at me. I had to jailbreak to get rid of that.

As another pos

Re:

[Aqualung812]

Many of those features would be trivial for Apple to implement as advanced settings (hell, solitary coders are writing this stuff and giving it away for free), and not against the Apple ethos (unlike, say, emulators). But for now you have to expose yourself to security risks in order to do all this useful stuff with your expensive pocket computer.

I 100% agree with everything you're saying there. My Motorola RAZR had per-person MMS custom ringtones before the iPhone was even released, and it took them until iOS 5 or so until they allowed that. Stupid.

Worst case, make it something that can only be enabled with a bit of work, like how you have to use their tool to install certificates and other higher-level stuff.

While it annoys me that I can do many things that should be trivial and some UX god at Apple is preventing me from doing it, the main reason

Re:

[TrancePhreak]

Since having a reliable and secure phone is more important to me than features, I have have decided to get an iPhone and not jailbreak it.

You obviously didn't do any research then. The iPhone can be compromised via malicious websites with no user interaction. Apple is also really slow to fix such problems (fixes are often available via Cydia the same day, Apple can take months). How many malicious text message bugs does it take before people realize what Apple's focus is, making money, not security.

Re:

[Aqualung812]

Do you have a single example of a in-the-wild vulnerability that will run on factory iOS devices?

Re:

[Overzeetop]

"android device last 3+ years with continued OS support and also not slow to a crawling POS"

Well, that's difficult for iOS devices, too. iPhone 4 devices were sold until September 2013 and can't be updated to iOS 8, which was released in September 2014. One year to obsolescence. My daughter's iPod Touch stopped getting updates after about 2 years. Same with the iPad1 I have. (both were, admittedly, bough near the release of the next model).

I actually gave up all my paid apps in iOS to move to Android. Compa

Re:

[Flavianoep]

Now that I have a rooted Android phone, I can't imagine going back to even a jailbroken iOS device. I can just do more with it, and many apps in the official stores are written for those with root permissions so I don't have to go nosing around in Cydia to find apps that do things which Steve has forbidden.

You gave the best argument for a rooted Android device instead of jailbroken iOS one. Even if Apple's products are better.

Re:

[danbob999]

I'd only switch for a stock Android device but if I were to switch now, I'd be giving up all my paid apps

You should have thinked twice before vendor locking-in yourself like that.
I personally don't buy applications that can only be executed on devices from a single vendor.

Re:

[Aqualung812]

I personally don't buy applications that can only be executed on devices from a single vendor.

Why not?

I'm perfectly happy to buy some $1-$10 apps that I know full well may be vapor in a few years.

I spent more than that on lunch yesterday, and flushed it today.

It isn't like we're talking about $900 software.

Re:

[danbob999]

It's a matter of principle. I don't want to support vendor lock-in.

Re:

[Aqualung812]

It's a matter of principle. I don't want to support vendor lock-in.

Interesting. Where does the line exist for this in your mind?

Isn't watching a movie at a theater a type of vendor lock-in? You can only watch that movie while at the theater that one time, and you have no rights to watch it again.

What about a buffet? You're unable to take the food that you've paid for out of the restaurant.

A pay-per-view event? Movie rental?

Re:

[danbob999]

A software is meant to be reusable. You can't compare that to an admission ticket. If I were renting a software for 2 hours I wouldn't care as much about vendor lock-in either. The same goes for food. It is meant to be eaten only once. Eating in one restaurant doesn't force me to eat there next week. If it did, I would consider another restaurant instead. I wouldn't buy a car which could only bring me to one restaurant, however.

Re:

[Aqualung812]

A software is meant to be reusable

It isn't software. It's an "app".
I'm not being a smartass, I'm pointing out that smartphone apps are not comparable to PC software any more than a Big Mac is.
It is meant to work only on the ecosystem it was purchased in, which is highly hardware dependent.

It seems like you're cutting your nose off to spite your face.

Re:

[danbob999]

An app is a software. Yes you are being a smart ass, and yes, it is comparable to PC software.
PC software too is "meant to work on the ecosystem it was purchased in". It can be highly hardware dependent or not, just like PC software.

The vendor will always want you to be locked-in as much as possible. As a consumer, my goal is to be as free as possible.

Re:

[Aqualung812]

As a consumer, my goal is to be as free as possible.

As a consumer, my goal is to purchases items to meet as many of my requirements for as long as possible with the lowest price.

Apps, that might be vapor one day, fit those requirements often. I can't imagine not buying one that will give me usefulness out of some sort of protest vote.

But, bully for you. Keep fighting the good fight.

Re:

[danbob999]

The short term price can be costly in the long run. That's why I sometimes accept to pay *more* for something. Even tough some cheaper alternative would satisfy my requirements, in the long run they could be more expensive to own/repair/replace. Being vendor locked-in increase long-term costs, or at least the expectation of these costs.

So I avoid vendor lock-in as much as possible. And you know what, it's not even hard in this case. It's not as if I were missing some important software that would improve my

Re:

[jo_ham]

So you don't own a car at all then, I take it?

I mean, if contains vendor-locked software.

Same with your TV I assume that you don't own.

Re:

[danbob999]

You are confusing vendor lock-in and proprietary software. Vendor lock-in always implies two purchases. A software by itself can't be "vendor-locked", whatever that means.

Re:

[danbob999]

Also the problem isn't only that these apps may be vapor in a few years. They can be vapor *tomorrow* if your phone breaks.... that is, unless you buy another phone from the exact same vendor, which also implies that this vendor must still agree to sell you compatible phones. That's why you are vendor locked-in. You don't have the same freedom that I have to walk away and choose another vendor.

Re:

[Aqualung812]

They can be vapor *tomorrow* if your phone breaks.... that is, unless you buy another phone from the exact same vendor

Same is true if you buy a Windows application, but you're locked into the OS vendor, not the hardware vendor.

Re:

[danbob999]

Which is still better. Being vendor locked-in in both hardware and software is worse than being locked-in for software only. Of course the ideal is not to be locked at all.

J.A.I.L.B.R.O.K.E.N.

[gumbright]

"Jailbroken" needs to be in the title of this story and and in the first sentence. It is the critical factor to the story. Not having it there simply makes this a troll.

Apple account theft caused by malware ..

[nickweller]

"The theft is executed via variants of the KeyRaider iOS malware, which targets jailbroken iOS devices"

How exactly does the KeyRaider malware get onto the device without the end user visiting a compromised repository and downloading and installing the malware?

Re:Rotten apple ?!?

[Anonymous Coward]

Affect only jail-broken devices. How is the even relevant news?

Re:Rotten apple ?!?

[Anonymous Coward]

I'd argue that it's relevant news but I would also say that people who are employing hacks on their devices should realize that the original vendor can't be held accountable for shoddy modifications from a bunch of script kiddies.

Re:Rotten apple ?!?

[Noah Haders]

You buy an iPhone, you get your just desserts.

I would say you jailbreak your iphone using software from unidentified hackers, then install software from unknown parties that can access root processes, you get your just deserts [grammarist.com].

Re:

[Stan92057]

Hacking news is a big part of /. so why wouldn't this be news AND why shouldn't they get notified the devices they hacked are in danger?

Re:

[thesupraman]

Because apple, who make a huge amount of noise about wanting to protect their dear beloved users dont disable the storage of and access to the security tokens when their devices are jailbroken?

THATS the story here, they could, however they do not. Hence they have left the apple IDs knowingly open to theft.

Users, for better or worse, have convinced themselves that Apple keeps them magically out of any such trouble, however this is a clear
case where they could, but they do not. Which is a pity.

Come on Apple,

Re:

[farble1670]

Affect only jail-broken devices. How is the even relevant news?

the same way Android exploits that require the user to enable side loading, disable google's APK checking service, and go to some shady website and install an APK are news. also, the exploit is only theoretical.

What's the leading reason for jailbreaking at all?

[swb]

There's lots of possible reasons, like sideloading or pirating apps, exposing features or customization hidden in the stock settings or apps, curiosity/technical/tinkering, or ideological reaons/free software advocacy.

Which is most common? I figure pirating might be kind of popular, but a lot of useful software is pretty inexpensive to begin with and how many people want a hacked candy crush that has free powerups?

I could see where customization/hidden features could be a big reason. Apple are kind of des

Re:

[macs4all]

Which is most common? I figure pirating might be kind of popular, but a lot of useful software is pretty inexpensive to begin with and how many people want a hacked candy crush that has free powerups?

Because a certain segment of the Chinese public seems to think that paying for ANY software is a sign of stupidity; and so they will go to almost any lengths to rip off even the most inexpensive of Apps.

Sorry, but these people are getting EXACTLY what they deserve.

Re:

[macs4all]

Less people would feel the need to jailbreak them thus making them totally vulnerable. Let's keep in mind that most of the Apple walled garden is to force people to use Apple services and pay for Apple products and nothing to do with security.

Even YOU don't really believe that; do you?

Re: Perhaps if Apple devices weren't so locked dow

[fluffernutter]

It's well known that apple designs the garden to keep people in their products.

Re: Perhaps if Apple devices weren't so locked dow

[fluffernutter]

You talk as if there aren't an infinite amount of compromises in between. When I plug a device into USB I expect to be able to see and manipulate non privileged files. Why must an iPhone be rooted for that feature?

Re:

[jo_ham]

There are no non-privileged files on the iPhone.

The filesystem doesn't use the same model that a PC does, but you know that going into the purchase and would decide such a device is not for you and buy an Android device instead.

You're criticising the iPhone for not doing things you think it should be able to do. If it doesn't work the way you want it to then there are other smartphones that do.

Do you expect that Apple should make the iPhone work the way you want it to, just because?

That's no different than

Re: Perhaps if Apple devices weren't so locked do

[fluffernutter]

Well it depends on whether Apple wants the iPhone to be a full computing device or a dumb appliance. Too bad they have trouble getting past dumb appliance when even the most basic mp3 player offers filesystem access.

Re: Perhaps if Apple devices weren't so locked dow

[fluffernutter]

Unless ios has really changed, it is super difficult to ssh transfer arbitrary file types from a server and later transfer to a computer. Case in point the other day I wanted to get an epub file from my house. I did not have mobile service but I found myself in a public hotspot. It seems to me that apple forces you to use all kinds of container apps to do that and then you glut up your device with apps and can't really interact with anything beyond what the app will let you do. It's not like I do that s

Re: Perhaps if Apple devices weren't so locked do

[fluffernutter]

Who cares what percentage of users want to do that? It's a lot of extra capibility they are excluding and they could implement it almost for free!