Topic: Do not use AppSinger, an online-based replacement for Cydia Impactor

  1. #1
    Administrator zabrljanje

    AppSinger, a web-based "alternative" to Cydia Impactor, appeared recently. Cydia Impactor is used for sideloading apps onto iDevices, most often jailbreak apps such as Electra and unc0ver.

    This is something you should not use.

    Saurik also wrote on Reddit why he thinks it is unsafe. He responded directly to the basic part where it says

    ...your apple Credentials are directly sent to apple only.

    This simply isn't true, as Saurik writes, for a simple reason: "cross-origin" restrictions.
    In practice, all the information, your user name and your Apple ID password, would have to go to their server and then INDIRECTLY to Apple. He could have built this into Cydia Impactor (which would have been much easier), but he did not want to.

    The point is that, in that setup, your Apple ID is only as secure as the server of whoever the information is sent to first, and for him that is unacceptable from a security standpoint.


    That means that if he hacked that server, which does not even have a firewall, he could see all the passwords.
    Also, that site does not even use SSL, and if he were on the same network as the user, he could see all the passwords as "plain text".

    This is exactly how this site works.


    Saurik's complete post, in case I translated something badly or skipped something


    ...your apple Credentials are directly sent to apple only.


    So, this couldn't possibly be true (due to cross-origin restrictions): you must be having these identifiers go to your server and then having your server send this information indirectly to Apple. I could have chosen to have built Impactor to do stuff like this (and it would have been way way easier)...

    ...but I didn't, because the idea that peoples' Apple account information is only as secure as that server of yours (whether or not people should trust that you aren't storing anything yourself) is unacceptable for something this critically important (this is way more sensitive even than payment information).
    This means that if I hack your server/app--which is apparently some kind of ASP.NET app running on IIS with no firewall for any ports at all, including for the SQL Server instance, which does not inspire confidence in the slightest--I can just watch all of these passwords flow through...
    ...or, you know, if I just happen to be on the same network as the user, given that this website doesn't use SSL (so all of these passwords are going over plain text across not just the Internet at large but your local network; and yes, I did verify that this is how this website works: I am not throwing FUD).
    Seriously: this site is extremely insecure for what it is asking of the user: don't use it; (and really: stuff like this frankly shouldn't be allowed on this subreddit; the fact that I never felt able to establish rules here that prevented mis- and mal- information was one of the key reasons why I gave up on it).



    Reddit


    Pwn20wnd also backed Saurik's statement on Twitter

    There’s a new "Web-Based" Cydia Impactor alternative. Stay away from it (See the linked comment for Saurik’s explanation).


    https://twitter.com/Pwn20wnd/status/1080698061578334209




    iDownloadblog
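
The check Saurik describes doing by hand (where the password is actually posted, and whether the connection is encrypted), as an added example that is not part of the thread or of any tool mentioned in it. The host `websigner.example`, the field names and the request log are constructed, and `auditCredentialFlow` is a hypothetical helper.

```javascript
// Added example. Hosts and the request log are constructed for illustration.
// Given the requests a sign-in page makes (as seen in the browser's network
// panel), report where the password field really goes and how it travels.

function hostMatches(host, claimed) {
  // Exact host or a true subdomain; "evilapple.com" must not match "apple.com".
  return host === claimed || host.endsWith("." + claimed);
}

function auditCredentialFlow(pageUrl, claimedHost, requests, secretFields = ["password"]) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const req of requests) {
    const carried = secretFields.filter((f) => (req.bodyFields || []).includes(f));
    if (carried.length === 0) continue; // no credential in this request
    const target = new URL(req.url, page); // resolve relative URLs as the browser would
    const issues = [];
    if (target.protocol !== "https:") issues.push("cleartext-transport");
    if (!hostMatches(target.hostname, claimedHost)) {
      // Same origin as the page means the site's own server receives the password.
      issues.push(target.origin === page.origin ? "relayed-via-site-server" : "sent-to-other-host");
    }
    findings.push({ target: target.origin + target.pathname, fields: carried, issues });
  }
  return findings;
}

// Constructed log for a hypothetical signer page served over plain HTTP.
const sampleLog = [
  { url: "/static/app.js", method: "GET", bodyFields: [] },
  { url: "/api/login", method: "POST", bodyFields: ["appleId", "password"] },
];
const sampleFindings = auditCredentialFlow("http://websigner.example/sign", "apple.com", sampleLog);
console.log(JSON.stringify(sampleFindings, null, 2));
```
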

  2. #2
    iPhoneBigFan

    I've read the title twice and still can't figure out what kind of bizarre replacement you're talking about

    Anyway, I think it's good practice in general not to use your primary Apple ID for signing apps.
    You create a secondary account, use it exclusively for signing apps, and you can rest easy
    iPhone 7/iOS 10.1.1/yalu , iPad 2017/iOS 10.3.2
