Results 1 to 2 of 2

Thread: Ne koristite AppSinger, online baziranu zamenu za Cydia Impactor

  1. #1
    Administrator zabrljanje's Avatar
    Join Date
    Jul 2011
    Location
    Beograd
    Posts
    18,688
    Thanks
    909
    Thanked 7,930 Times in 5,566 Posts

    Default Ne koristite AppSinger, online baziranu zamenu za Cydia Impactor

    Nedavno se pojavila AppSinger web-bazirana "alternativa", za Cydia Impactor koji se koristi za sideload-ing aplikacija na iUredjaje, a najcesce za za jailbreak aplikacije kao sto su Electra i unc0ver jailbreak aplikacije.

    Ovo je nesto sto ne bi trebali da koristite.

    Saurik je na Reddit-u napisao i zasto misli da je to nebezbedno. On se direktno nadovezao na bazicni deo gde pise

    ...your apple Credentials are directly sent to apple only.

    Ovo jednostavno nije tacno, kako pise Saurik, iz jednostavnog razloga, zbog "cross-origin" restrikcija.
    Prakticno sve informacije, user name i vasa sifra za Apple ID, trebale da idu na njihov server a onda INDIREKTNO ka Apple-u. On je ovo mogao da ugradi u Cydia Impactor (sto bi bilo mnogo lakse) ali nije zeleo.

    Sustina je da, u toj varijanti, vas Apple ID je bezbedan onoliko koliko je bezbedan neciji server na koji se prvo salju informacije, a to je za njega nedopustivo po pitanju sigurnosti.


    To znaci da bi on, ako bi hakovao taj server, koji cak nema ni firewall mogao da vidi sve sifre.
    Takodje, taj sajt i ne koristi ni SSL i, ako bi on bio na istoj mrezi kao i korisnik, mogao da vidi sve sifre kao "plain text".

    Upravo ovako funkcionise ova sajt.


    Kompletan Saurikov post, ako sam ja nesto lose preveo ili preskocio


    ...your apple Credentials are directly sent to apple only.


    So, this couldn't possibly be true (due to cross-origin restrictions): you must be having these identifiers go to your server and then having your server send this information indirectly to Apple. I could have chosen to have built Impactor to do stuff like this (and it would have been way way easier)...

    ...but I didn't, because the idea that peoples' Apple account information is only as secure as that server of yours (whether or not people should trust that you aren't storing anything yourself) is unacceptable for something this critically important (this is way more sensitive even than payment information).
    This means that if I hack your server/app--which is apparently some kind of ASP.NET app running on IIS with no firewall for any ports at all, including for the SQL Server instance, which does not inspire confidence in the slightest--I can just watch all of these passwords flow through...
    ...or, you know, if I just happen to be on the same network as the user, given that this website doesn't use SSL (so all of these passwords are going over plain text across not just the Internet at large but your local network; and yes, I did verify that this is how this website works: I am not throwing FUD).
    Seriously: this site is extremely insecure for what it is asking of the user: don't use it; (and really: stuff like this frankly shouldn't be allowed on this subreddit; the fact that I never felt able to establish rules here that prevented mis- and mal- information was one of the key reasons why I gave up on it).



    Reddit


    Pwn20wnd je podrzao Saurikovu izjavu i preko Twittera

    There’s a new "Web-Based" Cydia Impactor alternative. Stay away from it (See the linked comment for Saurik’s explanation).


    https://twitter.com/Pwn20wnd/status/1080698061578334209




    iDownloadblog

  2. #2
    iPhoneBigFan
    Join Date
    Feb 2018
    Location
    BG
    Age
    33
    Posts
    108
    Thanks
    34
    Thanked 9 Times in 9 Posts

    Default Re: Ne koristite AppSinger, online baziranu zamenu za Cydia Impactor

    Čitam dva puta naslov i nikako da shvatim o kakvoj to bizarnoj zameni pričaš

    Elem, mislim da je inače dobra praksa ne koristiti svoj primarni Apple ID za potpisivanje aplikacija.
    Napraviš sekundarni acc, koristiš ga isključivo u svrhe potpisivanja aplikacija i mirna bačka
    iPhone 7/iOS 10.1.1/yalu , iPad 2017/iOS 10.3.2

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •