
Through one of my colleagues I learned yesterday about the infamous iOS SSL bug that resulted in iOS devices accepting any certificates whether they were correct or incorrect. This could allow an attacker or man in the middle to eavesdrop or intercept traffic theoretically secured through, for example, https.

I am not going to write today about what the bug does and the potential impact. I will, however, highlight the fact that this bug seems to have gone unnoticed since iOS 6 in 2012, which is quite scary. If you are interested in the bug and more details on the media burst it has created, you can read about it here, here or here.

I want to focus specifically on what the bug was. This bug, which has terrifying consequences, is just a basic and simple human mistake, probably originating in a classic copy-paste of code. Let’s look at the code, which I found here and which comes, in turn, from Apple’s published open source code (which, obviously, is already fixed).

static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,uint8_t *signature, UInt16 signatureLen)
{
    OSStatus        err;
    ...

    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;

    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;

    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;
    ...

fail:
    SSLFreeBuffer(&signedHashes);
    SSLFreeBuffer(&hashCtx);
    return err;
}

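Essentially, after the second check, the line of code that goes to fail is repeated. The repeated line is not part of the if statement, so it always executes. Therefore, the third and last check for the hash is never executed and this subroutine always goes to fail. Because the second update succeeded, err is still 0 at that point, so the function returns success without having completed its checks. As you can see, this is not the fanciest bug ever. On the contrary, it is most likely a classic copy-paste human error.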

I have always been very particular when coding in C and Java and I ALWAYS use {} for condition statements. So, although this

if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
    goto fail;

is exactly the same as this

if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0){
    goto fail;
}

using the latter would have avoided this bug. So, long story short, the conclusion is: always use {}. And a related corollary, vi and vim for Unix are cool and you look very cool and smart using them, but always use an IDE when coding. They are very smart and helpful. An IDE would have highlighted in bright annoying yellow the third hash check and labeled it as “dead code”. If you are a Unix user, I recommend Eclipse.


As usual in Fall, Apple is ready to unveil some new products today. Nothing has been announced officially yet, but everything indicates that we’ll see a new model of the iPad (rumored to be thinner and lighter and, possibly, with a fingerprint scan), a new release of the iPad Mini (we’ll see about this one, but there’s plenty of room for improvement, starting with a retina display… not that I don’t like it. I own one and I love it!) and perhaps new versions of the MacBook.

If you want to follow the iPad 5 and new iPad mini presentation live, you can use either of the following links:


Did you install iOS 7 because you did not want to wait? Well, in that case, you should make sure you do not lose your phone or get it stolen. The reason is a quite worrying and basic security flaw in iOS 7 that allows bypassing the lock screen.

This flaw was found by a Spanish soldier, who posted a video on YouTube to prove it. Now Apple representatives say they are working on fixing it.

You can read more about it in La Vanguardia (news in Spanish).

By the way, note that the flaw affects every type of device able to run iOS 7 *except* the new iPhone 5S.

Tomorrow is the day chosen by Apple to unveil its new iPhone and, probably, a new set of colorful “low-cost” iPhones for emerging markets. Although most believe that the new devices will just be an iPhone 5 with an improved processor, a better camera and iOS7 (so, not really any innovations), some rumors indicate it might come with a fingerprint reader at the home button.

What is clear is that no wearable device will be presented (except for a major surprise), so Apple will this time be behind Samsung and their new smart watch, the Samsung Galaxy Gear.

Follow live the iPhone 5S presentation at any of these sites:

Apple will announce whether they stream the event live on www.apple.com

EDIT: Updated links. Go check the new iPhones out!

Cellular operators must be happy – iMessage is down. The popular service that sends SMS messages over IP between iOS devices has been down since 3pm ET. So, as of now, many people are spending money, most likely without even realizing it, by sending SMS the “traditional way”. Perhaps people with unlimited messaging plans do not care too much, but if you are on pre-paid, you might be spending a lot of money. All in all, it will for sure getting cellular operators.

Anyways, I just wanted to post it here in case someone tries to google “iMessage down?”. By the way, you can check the status of all Apple online services here.

I started noticing a couple of days ago that my iPhone went stupid. Do Not Disturb does not turn on when scheduled and, if it does, it does not turn off when it is supposed to. This made me miss a couple of phone calls and, more importantly, several text messages (Mr. Apple, why do text messages from my favorite contacts NOT ring when Do Not Disturb is on?). I was a bit puzzled about it until I read this in the news.

From the NY Times:

On the morning of New Year’s Day, a bug affected the Do Not Disturb feature for many iPhone users. Apple designed the feature to block incoming phone calls and alerts for a set duration — from 10 p.m. to 6 a.m., when the user is asleep, for example. But many iPhone users found that it did not turn off after the designated end time.

On Twitter, many were still complaining about the Do Not Disturb bug on Wednesday, except for those who were happy for the extra sleep.

Awkwardly, Apple highlighted the Do Not Disturb feature in a new commercial broadcast this week. It stars Serena and Venus Williams in a table tennis match that would be a shame to disturb.

This isn’t the first time the iPhone has had problems telling time. In 2010, many European iPhone owners complained that a bug in the iPhone alarm clock caused it to go off an hour late because the software did not automatically adjust to daylight saving time. Some iPhones had a similar problem on Jan. 1, 2011.

Trudy Muller, an Apple spokeswoman, pointed to a troubleshooting bulletin that says the Do Not Disturb feature will work properly again after next Monday. Until then, users will have to manually turn the feature on or off themselves.

According to Apple, this bug will get fixed by itself next Monday. We’ll see…

EDIT (1/11/2013): Apple was right, the problem got fixed by itself last Monday.

My apologies to Apple, the iPhone and the iPad, but the new maps application is terrible and pretty much everyone agrees with me. Well, problem solved. The Google Maps app for iOS is already available. Go download it now from the App Store here.

I am afraid this will finally prove to Apple that they need to do a lot of homework on their maps app. I wonder how many people will download Google Maps and the decrease in traffic Apple will see from its native app.

Anyhow, glad to have decent maps back on my phone!

From Google’s official blog:

People around the world have been asking for Google Maps on iPhone. Starting today, we’re pleased to announce that Google Maps is here—rolling out across the world in the Apple App Store. It’s designed from the ground up to combine the comprehensiveness and accuracy of Google Maps with an interface that makes finding what you’re looking for faster and easier.

The app shows more map on screen and turns mobile mapping into one intuitive experience. It’s a sharper looking, vector-based map that loads quickly and provides smooth tilting and rotating of 2D and 3D views. The search box at the top is a good place to start—perhaps by entering the name of a new and interesting restaurant. An expandable info sheet at the bottom shows the address, opening hours, ratings and reviews, images, directions and other information.


Apparently Apple will be broadcasting video of today’s presentation of the iPad mini. Check out Apple’s website for the live video.

Apple is expected to introduce today its newest iPad, the so-called iPad mini. Despite the fact that Steve Jobs used to claim that a smaller iPad made no sense, it seems that Apple wants to start pushing its competition with the release of a smaller tablet. And if they price it close to the “usual” 200$ for smaller tablets, I am getting one!

Follow live the iPad mini presentation:

UPDATE: It seems that this time Apple is broadcasting the event on a live video. Go to Apple’s website to follow the event live on video.

For those of you who want to follow the highly anticipated iPhone 5 presentation, these are the links to some of the Live Blogs that will be covering the event. Follow the presentation live, starting at 12ET/9PT:

The Engadget link has not been published yet. I will update it on the day of the event. Updated: I just added the Engadget link. It is often the one that responds and updates the best…

About me:

Born in Barcelona, moved to Los Angeles at age 24, ended in NYC, where I enjoy life, tweet about music and work as a geek in security for wireless networks.
All the opinions expressed in this blog are my own and are not related to my employer.
About me: http://rogerpiquerasjover.net/
