AppSinger, a web-based "alternative" to Cydia Impactor, appeared recently. Cydia Impactor is used to sideload apps onto iDevices, most often jailbreak apps such as Electra and unc0ver.

This is something you should not use.

Saurik explained on Reddit why he considers it unsafe. He responded directly to the basic claim, which reads:

...your apple Credentials are directly sent to apple only.

This simply is not true, Saurik writes, for a simple reason: "cross-origin" restrictions.
In practice, all the information, your Apple ID user name and password, would have to go to their server and then INDIRECTLY to Apple. He could have built this into Cydia Impactor (which would have been much easier), but he did not want to.

The bottom line is that, in this setup, your Apple ID is only as secure as the third-party server the information is sent to first, and for him that is unacceptable from a security standpoint.

This means that if he hacked that server, which does not even have a firewall, he could see all the passwords.
Also, the site does not use SSL, so if he were on the same network as the user, he could see all the passwords as "plain text".

This is exactly how this site works.
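A check you can run on a saved copy of a login page to test a claim like "credentials are sent directly to Apple", as an added example that is not from Saurik's post or from the site: it finds forms with a password field and flags cleartext submission and submission to a host other than the claimed one. The sample HTML, the host names and the function names are constructed for illustration, and the check only sees static form actions, not requests made from script.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (hypothetical host), not captured from any real site.
PAGE_URL = "http://signer.example/login"
SAMPLE_HTML = """<form action="/sign" method="post">
  <input type="text" name="appleid">
  <input type="password" name="password">
</form>"""

class PasswordFormFinder(HTMLParser):
    """Collect the action of every form that contains a password field."""
    def __init__(self):
        super().__init__()
        self.action = None      # action of the form currently open, else None
        self.actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.action = attrs.get("action") or ""
        elif tag == "input" and self.action is not None:
            is_password = (attrs.get("type") or "").lower() == "password"
            if is_password and self.action not in self.actions:
                self.actions.append(self.action)

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None

def audit_login_page(page_url, html, claimed_host):
    """Return (target_url, issues) for each form action that receives a password."""
    finder = PasswordFormFinder()
    finder.feed(html)
    findings = []
    for action in finder.actions:
        target = urlsplit(urljoin(page_url, action))  # empty action posts to the page
        issues = []
        if target.scheme != "https" or urlsplit(page_url).scheme != "https":
            issues.append("cleartext")           # readable on the network path
        host = target.hostname or ""
        if host != claimed_host and not host.endswith("." + claimed_host):
            issues.append("third-party-server")  # an intermediary sees the password
        findings.append((target.geturl(), issues))
    return findings

if __name__ == "__main__":
    for url, issues in audit_login_page(PAGE_URL, SAMPLE_HTML, "apple.com"):
        print(url, issues)
```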

Saurik's complete post, in case I mistranslated or skipped something:

So, this couldn't possibly be true (due to cross-origin restrictions): you must be having these identifiers go to your server and then having your server send this information indirectly to Apple. I could have chosen to have built Impactor to do stuff like this (and it would have been way way easier)...

...but I didn't, because the idea that peoples' Apple account information is only as secure as that server of yours (whether or not people should trust that you aren't storing anything yourself) is unacceptable for something this critically important (this is way more sensitive even than payment information).
This means that if I hack your server/app--which is apparently some kind of ASP.NET app running on IIS with no firewall for any ports at all, including for the SQL Server instance, which does not inspire confidence in the slightest--I can just watch all of these passwords flow through...
...or, you know, if I just happen to be on the same network as the user, given that this website doesn't use SSL (so all of these passwords are going over plain text across not just the Internet at large but your local network; and yes, I did verify that this is how this website works: I am not throwing FUD).
Seriously: this site is extremely insecure for what it is asking of the user: don't use it; (and really: stuff like this frankly shouldn't be allowed on this subreddit; the fact that I never felt able to establish rules here that prevented mis- and mal- information was one of the key reasons why I gave up on it).


Pwn20wnd also backed Saurik's statement on Twitter:

There’s a new "Web-Based" Cydia Impactor alternative. Stay away from it (See the linked comment for Saurik’s explanation).
