Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Apple

Mac App Store Apps 'Damaged' Following Security Certificate Bug (thestack.com) 66

An anonymous reader writes: A slew of complaints are emerging against Apple after users were forced to delete and re-install Mac App Store apps in the wake of a major security management error. The problem manifested with the apparent expiry of security certificates which validated the apps, but even after the certificates were updated yesterday to expire in 2035, the problems were not resolved; some users were unable to verify the new certificates, and others could not even connect to the internet. In some cases the programs had to be reinstalled from scratch, deleting the user's existing settings.
This discussion has been archived. No new comments can be posted.

Mac App Store Apps 'Damaged' Following Security Certificate Bug

Comments Filter:
  • by Anonymous Coward on Friday November 13, 2015 @03:46AM (#50920235)

    You're using the store wrong..

  • That can't be a good idea to make the certificate valid for 20 years.
    • That can't be a good idea to make the certificate valid for 20 years.

      Why not, since they can be Revoked at any time?

  • by Anonymous Coward

    Applications are now compiled to self destruct after their security certificates "expire".

    No doubt, when the developers seek to recompile or rebuild their applications so they can distribute them again, they'll have to use a newer version of the SDK that only supports the most recent version of the host operating system, thereby forcing users to upgrade lest their programs begin to die out one by one. So much for "don't upgrade if you don't want to, nobody is forcing you to do that".

    Recently, I've had the p

    • Just use some GNU/Linux, or better, GNU/Hurd, if you want so much stand apart from the "masses".
    • by supercrisp ( 936036 ) on Friday November 13, 2015 @08:23AM (#50921011)
      I don't think it's just protecting against idiot users. It's also about shoving us into the "cloud" where we can be somehow monetized, either by network access, storage volume, or information collection. Why else would iPhoto drop local networking except to put your photos in Apple's servers? Or Android Marshmallow require you to allow MTP every time you hook up a USB cable except to make noncloud file exchange a little bit more of a PITA? Sure there's "curation" at the Apple Store, but there's also control, information gathering, the possibility of add revenue and so on. I guess I sound cynical, but I'm not sure you can actually be cynical enough about all this.
      • Photos doesn't support local networking because it's an entirely new application and Apple is notorious for being extremely minimalist when they redesign things. Their product design team was tasked to come up with the "perfect" photo app and that means older features that very few people use go out the window. Apple really really really doesn't care about information monetization, it's just not part of their business model. It does genuinely seem like their leadership believes protecting user privacy is mo
        • Apple works hard on usability and sometimes misses (hockey puck mouse, anyone?). The Apple idea is that functionality is what their customers can use easily, rather than what someone like Linus can use easily, and with that criterion they do try for functionality.

        • Um. Photo's doesn't support local networking because they know the dollars come when you put yourself in the middle. Why do you think companies love cloud infrastructure? Because Data centers are fun to run? Because they want to protect people for local events? Because storage is order of mag cheaper than its ever been? *** They want to be squarely in-between people and their data. And once the data is firmly encased in the cloud, they will set up a toll booth. *** They will then modulate the terms and pri
    • Bzzzt! Mac and iOS applications can be re-signed using a new private key/certificate pair without recompiling. This is especially useful for the dozens of enterprise iOS apps that I've built for customers. These apps are signed with an Apple Enterprise Distribution cert so they can be installed directly on devices without using the app store or going through the approval process. Their provisioning always expires after one year though so I have an automated method of unpacking the apps, replacing the old pr
  • Web serfers (Score:2, Informative)

    by Anonymous Coward

    The joys of not controlling what you supposedly own.

    • The joys of not controlling what you supposedly own.

      Some people wax poetic for yesteryear of scratched CDs and lost keys.
      And some don't.

  • by hackertourist ( 2202674 ) on Friday November 13, 2015 @06:19AM (#50920557)

    I noticed something odd was going on when yesterday morning my OS wanted me to sign into the App Store to 'validate' a program I purchased recently.

    Now I have to read about the cause on a news website instead of hearing directly from Apple (you know, the people who already have my email address along with those of all their customers).

    • I noticed something odd was going on when yesterday morning my OS wanted me to sign into the App Store to 'validate' a program I purchased recently.

      Now I have to read about the cause on a news website instead of hearing directly from Apple (you know, the people who already have my email address along with those of all their customers).

      More people would bitch about "being spammed" than would appreciate the notification, of that I am sure.

      And when was the last time Microsoft or your friendly Linux Distro, sent you such a Notification?

  • by BitZtream ( 692029 ) on Friday November 13, 2015 @07:12AM (#50920711)

    Let's start with user settings. User settings are neither stored with the app not digitally signed or encrypted. They are buried in a semi hidden folder that resides in the users home directory. Deleting an app doesn't delete your settings. It can't. Intentionally.

    You can't really 'update' a cert once it's been used, so if something expired all apps with that cert in they're chain of trust would need to be resigned to validate them. There is no way to magically make apps signed with the old cert work with a new one. That would be a massive whole in the entire PKI process.

    I'm not saying something didn't break, but the summary is 100% factually incorrect.

  • by daq man ( 170241 ) on Friday November 13, 2015 @08:52AM (#50921181)

    So, the thing that got hit for me was 1Password. So I couldn't log into websites because 1Password wouldn't run. Fortunately I could use the synced copy on my phone and type in the passwords by hand but the whole reason for using a password manager is so that I can use passwords that are long sequences of random characters which are no fun to type by hand! I found that it was an App store problem from the Mac Rumors website. Running the App caused a box to pop up saying the App was corrupted, to delete it and re-install. So I followed the instructions and, guess what? I couldn't re-download from the App store!

    This whole idea of having software that quits working based on some random policy is useless. I want software that I buy and is there when I need it. Not checking if some certificate has expired or that I paid a subscription or some other BS.

    I've been using Macs since 1985, yes I use Windows and Linux too but Macs were always what I used at home because I could write a file five or ten years ago and still open it. That's fading away. Notice I wrote "what I used at home", I'm shopping around.

    • Had you simply right clicked on 1password and selected run from the context menu it would have started after warning you.

      It didn't fail for a 'random' reason, it worked EXACTLY as intended and configured, someone just made a mistake.

      You can simply turn off the various SECRUITY FEATURES that help protect you from various exploits if bothers you.

      The really mind blowing part is that slashdot has degraded to the point that we get silly posts from someone like you demonstrating you aren't qualified to comment on

  • Let's score this (Score:5, Informative)

    by Maury Markowitz ( 452832 ) on Friday November 13, 2015 @09:13AM (#50921341) Homepage

    "some users were unable to verify the new certificates, and others could not even connect to the internet. In some cases the programs had to be reinstalled from scratch, deleting the user's existing settings."

    Ok, let's look at this...

    1) some users were unable to verify the new certificates

    Sure, I buy that.

    2) others could not even connect to the internet

    I call BS, App certs do not have any use whatsoever in the TCP stack. I'm sure people had problems, but it wasn't due to this.

    3) the programs had to be reinstalled from scratch, deleting the user's existing settings

    I call BS on that too. The app settings are in a text file in the user directories, you can go and open them in your favorite text editor right now. Re-installing an app does not overwrite these settings, which is *the whole reason* they're done this way. It is possible that app did that, but that's a bug in the app and has nothing to do with certs.

    Crappy reportage.

    • by _xeno_ ( 155264 )

      I call BS, App certs do not have any use whatsoever in the TCP stack. I'm sure people had problems, but it wasn't due to this.

      If the app in question is a VPN app, then it's entirely possible that they literally could not connect to the Internet with the app disabled.

      Alternatively what's meant is that they couldn't connect to the Internet at the time and were therefore locked out of their legitimately purchased apps until whatever time they could connect to the Internet. Not everyone has a 24/7 Internet connection. (Seems unlikely for someone who can afford the huge expense of an Apple product, but whatever.)

      I call BS on that too. The app settings are in a text file in the user directories, you can go and open them in your favorite text editor right now. Re-installing an app does not overwrite these settings, which is *the whole reason* they're done this way. It is possible that app did that, but that's a bug in the app and has nothing to do with certs.

      I could have sworn part

      • On OS X, there are two places (by convention) where it is always safe for an application to write anything, because of the file permissions system. Those are:
        ~/Library/Application Support
        ~/Library/Preferences

        The first location is meant for user-specific plugins and metadata per application (e.g. ~/Library/Application Support/Firefox/Bookmarks). The second is the place that user-specific preferences and settings get written, in a reverse-DNS style filename for the app so that it doesn't get

      • ... How does your VPN software work if it is required to use the Internet? VPN software requires a functioning network connection. Internet connections don't require functioning VPNs. Do you start your VPN so you can access the Internet so you can start your VPN?

        When you delete an app all you delete is the app, on both OSX and iOS. What goes away with the app is the GUI to modify those settings, not the settings themselves.

        Reinstall the app, your settings will be exactly like when you deleted it. The

  • I like Apple. I think that Apple does a lot of things right, and that a lot of criticism of Apple is motivated by historical grudges (on the part of techies) and petulance (on the part of business types.)

    That said, this is a stupid, bad mistake. Happily, it's a hiccough, and not likely to have long-term technical ramifications. Unhappily, it's a really, really stupid oversight that should be basically automated--if not by a script, then by a business process.

    I believe that walled gardens are an important pa

  • It is actually possible to delete an app without deleting the associated data -- it's just not particularly user friendly, as it requires a full device backup-and-restore operation. In short: perform a backup of all device data to a computer* (as opposed to iCloud). Then, find the synced copy of the problematic app binary on your computer -- likely, buried somewhere within the iTunes Media folder. Delete that binary from your computer -- but not from the iOS device -- perform a full wipe of the iOS devic

    • Note for others: That information is about preserving iPhone app data using a Mac as a tool. As such it has nothing to do with this slashdot story about Mac apps from the Mac App Store.

Put your Nose to the Grindstone! -- Amalgamated Plastic Surgeons and Toolmakers, Ltd.

Working...