In October 2014, a group of six researchers successfully bypassed all of Apple's security mechanisms to place an app on the Mac App Store and the App Store. In practice, they could get malicious applications into Apple devices that would be able to obtain very valuable information. According to an agreement with Apple, this fact was not to be published for about six months, which the researchers complied with.
Every now and then we hear about a security hole, every system has them, but this one is a really big one. It allows an attacker to push an app through both App Stories that can steal the iCloud Keychain password, the Mail app, and all passwords stored in Google Chrome.
[youtube id=”S1tDqSQDngE” width=”620″ height=”350″]
The flaw can allow malware to obtain a password from virtually any app, whether pre-installed or third-party. The group managed to completely overcome sandboxing and thus obtained data from the most used applications such as Everenote or Facebook. The whole matter is described in the document "Unauthorized Cross-App Resource Access on MAC OS X and iOS".
Apple has not commented publicly on the matter and has only requested more detailed information from researchers. Although Google removed the keychain integration, it does not solve the problem as such. The developers of 1Password have confirmed that they cannot 100% guarantee the security of stored data. Once an attacker gets into your device, it's no longer your device. Apple has to come up with a fix at the system level.
It's definitely a mistake, but the advice depends on the person, which application he installs..
and if I install applications from the ofiko App Store, which I access from the default "bookmarks" of the iPhone, I have no "cracked" iOS system, it will / has endangered even my little thing, ptm. my iPhone with iOS 8,3? According to the article, I have the feeling that it is... And what applications do I install? From the "free" option.
The point here is that these malware applications can get into the App Store through the official way, and the user then downloads them thinking that they are fine when they have passed Apple's inspection. So it is better not to install applications from unknown developers. At least that's how I understand it.
Exactly as you say. In any case, I am rather surprised, if the information is true, that Apple has allegedly known about it for over half a year and has not done anything about it.
I estimate that Apple probably supplemented the control in the App Store after receiving the information, and the risk in this regard is minimal for the iPhone/iPad.
However, it doesn't have to be so negligible with MAC, where applications outside the MacAppStore are installed quite normally.