Apple encourages HTTPS for third-party iOS and OS X apps, but will they take their own advice?

Updated to make it clear that using port 80 does not mean that Apple's software is insecure. Thanks to Jeffrey Paul for pointing out that this could be misconstrued.

At WWDC this week, Apple announced the App Transport Security feature for iOS and OS X. Apple is strongly encouraging developers to use HTTPS exclusively in new apps, and to make plans to migrate old apps to HTTPS in the near future. While encryption is not yet a requirement, it is the new default. Apps that want to continue to use plaintext HTTP on port 80 will need to explicitly disable the feature in their app manifests.

The ideas behind App Transport Security are great. It's essentially HTTP Strict Transport Security for apps, making it much harder for developers to inadvertently disclose private user information. The feature will benefit the privacy and security of millions of Apple customers. The writing is also on the wall that Apple intends to make this feature mandatory at some point, essentially deprecating plaintext HTTP altogether.

Apple, however, has yet to take their own advice. There are many OS X components and Apple apps that still do not use encryption exclusively, relying on HTTP over port 80. Here's an example from the brand new Photos app, communicating with AWS S3 over port 80:

[Screenshot of the Photos app connecting to AWS S3 over port 80; image not preserved in this copy of the post.]

Since the announcement on Monday, I've been monitoring these requests using a firewall called Little Snitch. Funny enough, even Little Snitch didn't use HTTPS for its initial download or software updates until only a few months ago.

So far I've encountered 9 separate OS X services or first-party apps that are still relying on plaintext HTTP:

Disclaimer: It's worth noting that although some HTTP requests are happening over plain HTTP on port 80, this does not mean that Apple's apps are insecure. Most of the apps using port 80 still encrypt or sign their content. Even if Apple's apps are not insecure, using plain HTTP does mean that they leak at least some extra metadata (HTTP headers) and that they are not following the rules they're pushing third-party developers to follow.

As an aside, it's fascinating just how many different CDNs Apple makes use of, and how heavily they rely on S3 for Photos and iMessage content.

When I first discovered that Photos communicates with AWS S3 without encryption, I submitted a security report to Apple. At the time, they did not consider it an issue and replied with the following:

> Thank you for contacting the Apple Product Security team. We take every report of a potential security issue seriously.
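The post says apps that want to keep using plaintext HTTP must explicitly disable App Transport Security in their app manifest. The following added example (mine, not code from the post or from Apple) shows what that opt-out looks like in an Info.plist and audits it with Python's standard `plistlib`. The two plists are constructed samples with placeholder bundle identifiers and domains; the ATS keys themselves (`NSAppTransportSecurity`, `NSAllowsArbitraryLoads`, `NSExceptionDomains`, `NSExceptionAllowsInsecureHTTPLoads`, `NSIncludesSubdomains`) are the ones Apple shipped with the feature, not names taken from the post.

```python
import plistlib

# Constructed Info.plist samples (not from any Apple or third-party app).
# With no NSAppTransportSecurity dictionary at all, ATS applies its default:
# every URL load must use HTTPS.
DEFAULT_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.photos-viewer</string>
</dict>
</plist>
"""

# The same app after its developer opts back into plaintext HTTP: one global
# switch (NSAllowsArbitraryLoads) plus a per-domain exception.  Domain is a
# placeholder.
OPTED_OUT_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.photos-viewer</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>cdn.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def audit_ats(info_plist: bytes) -> list[str]:
    """Return one finding per place this Info.plist weakens App Transport Security.

    An empty list means the ATS default (HTTPS only) is in force for every host.
    """
    info = plistlib.loads(info_plist)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []

    # Global opt-out: plaintext HTTP is permitted to every host.
    if ats.get("NSAllowsArbitraryLoads", False):
        findings.append("NSAllowsArbitraryLoads=true: plaintext HTTP allowed to any host")

    # Per-domain opt-outs: narrower, but still worth surfacing in review.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads", False):
            scope = "and its subdomains" if rules.get("NSIncludesSubdomains", False) else "only"
            findings.append(
                f"NSExceptionAllowsInsecureHTTPLoads=true for {domain} ({scope})"
            )
    return findings


if __name__ == "__main__":
    for label, plist in (("default", DEFAULT_INFO_PLIST), ("opted out", OPTED_OUT_INFO_PLIST)):
        print(f"{label}: {audit_ats(plist) or ['ATS default in force: HTTPS required']}")
```

Run against a real bundle with `audit_ats(open("MyApp.app/Contents/Info.plist", "rb").read())`; an app that has simply not added the dictionary is already on the HTTPS-only default, which is the point the post makes about encryption being the new default rather than a requirement.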
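The disclaimer above makes the distinction that matters: content that is itself encrypted or signed is not exposed by plain HTTP, but the request metadata (URL and headers) is. The following added example (mine, not from the post) makes that concrete by parsing a constructed plaintext request to an S3-style bucket and reporting what a passive on-path observer learns from it versus from the same request over TLS. The hostname, bucket, object key, device header and signature value are placeholders I made up; `X-Amz-Signature` is the real query parameter name AWS uses for presigned URLs, included to show that a signed request still reveals what was fetched.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed request (not a capture from the post): roughly the shape of a
# client fetching an object from an S3-style bucket over plaintext HTTP.
# Hostname, bucket, object key, device id and signature value are placeholders.
PLAINTEXT_REQUEST = (
    b"GET /photos/2015/IMG_0042.jpg?X-Amz-Signature=PLACEHOLDER_SIGNATURE HTTP/1.1\r\n"
    b"Host: example-photos-bucket.s3.amazonaws.com\r\n"
    b"User-Agent: ExamplePhotosClient/1.0 (Macintosh; OS X 10.10)\r\n"
    b"X-Example-Device-Id: DEVICE-ID-PLACEHOLDER\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: request line plus headers, body ignored."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def observer_view(raw: bytes, transport: str) -> dict:
    """What a passive on-path observer learns from this request.

    transport="http":  the whole request is readable, so the method, path,
                       query string (signature included) and every header are exposed.
    transport="https": only the TLS server name (SNI, carrying the Host value;
                       this is before Encrypted Client Hello) and the record
                       length leak; URL and headers stay private.
    """
    req = parse_request(raw)
    if transport == "https":
        return {"sni": req["headers"]["Host"], "approx_length": len(raw)}
    parts = urlsplit(req["target"])
    return {
        "host": req["headers"]["Host"],
        "method": req["method"],
        "path": parts.path,
        "query": parse_qs(parts.query),
        "headers": req["headers"],
    }


if __name__ == "__main__":
    for transport in ("http", "https"):
        print(transport, observer_view(PLAINTEXT_REQUEST, transport))
```

The `http` view is exactly the metadata the post refers to: bucket and object names, client software version, and any per-device identifiers in custom headers, all readable by anyone on the network path even when the object body is encrypted.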