Keychain

Feature Request: Create a user-friendly standalone iOS Keychain app

A couple of disturbing reports revealed the comparative ease with which criminal gangs were able to use stolen iPhones to access the owner’s bank accounts. The initial report didn’t explain the method used, but a subsequent one did: swapping the SIM to a new device in order to reset the Apple ID password.

Apple is already working on one security measure – making it easier for users to remotely wipe data from a stolen iPhone – but the reports also highlight a security weakness that seems worryingly common among non-techies: using the Notes app to store passwords …

Major zero-day security flaws in iOS & OS X allow theft of both Keychain and app passwords

Researchers from Indiana University and the Georgia Institute of Technology said that security holes in both iOS and OS X allow a malicious app to steal passwords from Apple’s Keychain, as well as both Apple and third-party apps. The claims appear to have been confirmed by Apple, Google and others.

We completely cracked the keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps

The Register says the team reported the flaws to Apple in October of last year. At that time, Apple said that it understood the seriousness of the flaws and asked the researchers to give it six months to address them before the exploit was made public. In February, Apple requested an advance copy of the paper, yet the flaws remain present in the latest versions of both operating systems … 

Review: TrackR Bravo locates lost items with Bluetooth 4, and without requiring yearly replacement

Two years ago, the Tile Bluetooth tracking device raised over $2.6 million in a crowdfunding campaign, thanks in part to an expansive ad run that seemed to blanket the entire Internet. Elegantly designed with a square plastic housing, Tile paired a low-energy Bluetooth chip with a battery, letting you track any attached item using a Bluetooth 4-enabled iPhone. Each Tile can track keys, a purse, or even a roaming pet for a year before the battery dies, at which point you are supposed to replace it. The first Tiles shipped last year, and can now be had for $20 each versus their standard $25 retail price.

I skipped Tile because I don’t like products that need to be replaced when their batteries die. Over the course of reviewing thousands of Apple accessories, I’ve watched some companies waste vast quantities of plastic, metal, magnets, and packing materials, and I try not to buy things that are designed to be worthless after a short period of time. (Note: Users are encouraged to recycle Tiles by buying discounted replacements and mailing old units back to the company.) So a new Tile competitor called TrackR Bravo ($29) appealed to me. Made partially from anodized aluminum, it’s shaped like a dog tag and designed to be kept rather than tossed away. The core functionality is the same as Tile’s, but Bravo’s battery can be replaced with ease. You can also use Bravo to locate a misplaced iPhone, and optionally sound a separation alarm whenever your iPhone and Bravo get too far away from one another…



iOS 8 lets apps access Safari AutoFill credentials for quick & easy login

In iOS 8, Apple is making the process of logging into apps a much smoother experience by allowing native iOS apps to access usernames and passwords stored in Safari. The new feature, which works by letting iOS apps tap into Safari’s AutoFill & Passwords feature, will allow users to log in to apps with a simple tap rather than having to type login info. Imagine your username and password are stored in Safari’s AutoFill for Facebook, for example. When launching the native Facebook iOS app, the feature will let users select from passwords stored in Safari to quickly log in (as pictured above with Apple’s demo “Shiny” app).

Review: Proximo, the feature-packed Bluetooth tagging system for the forgetful

We’ve all done it. You put your keys down, and five minutes later you have no idea where they are. You could swear you put your phone on the kitchen table last night, but it’s not there now. You put your bag under the restaurant table and then walk out without it. Doing all three in the same week might suggest the help you need is more medical than technological, but for those occasions when you do one or other of them, Proximo is designed to help.

Bluetooth tags also provide some degree of protection against theft, where you’ll be alerted to any of your tagged items walking off.

There are a number of different tagging systems on the market, with varying levels of functionality. Proximo is one of the more sophisticated, offering five different features …

Security consultant takes less than a day to exploit OS X bug to capture all SSL traffic

Update: The bug has been fixed in OS X 10.9.2

Security consultant Aldo Cortesi said in a blog post (via ZDNet) that it took him less than a day to exploit the goto fail bug in OS X to capture all SSL traffic, and that there’s a good chance he isn’t the first to have done so – an implicit suggestion that the vulnerability may already be being used in man-in-the-middle attacks.

I’ve confirmed full transparent interception of HTTPS traffic on both iOS (prior to 7.0.6) and OSX Mavericks. Nearly all encrypted traffic, including usernames, passwords, and even Apple app updates can be captured. This includes:

  • App store and software update traffic
  • iCloud data, including KeyChain enrollment and updates
  • Data from the Calendar and Reminders
  • Find My Mac updates
  • Traffic for applications that use certificate pinning, like Twitter … 

The worst password of all is no longer ‘password’ according to hacked accounts chart

You might have thought that it would be hard to come up with a worse password than ‘password,’ but according to a chart compiled by SplashData from hacked accounts, it has been edged out by ‘123456’.

The far more secure ‘12345678’ (33 percent more secure!) retains its position as number three, while a new entry in sixth place goes as far as ‘123456789’. Sadly, ‘letmein’, a password I always felt deserving of classic status, dropped seven places to achieve a mediocre ranking of 14.

Apple introduced iCloud Keychain as part of Mavericks and iOS 7.0.3, and if you’re not already using it, you can read our how-to guide. If you’re using older versions of OS X or iOS, we also ran a how-to guide on using a password manager to have unique, secure passwords for each website.

Via re/code

Apple releases OS X 10.8.2 Supplemental Update 2 for 2012 Macs, fixing Keychain issues

Yesterday, we reported the 2012 Mac mini, Retina 13-inch MacBook Pro, and iMac were unable to update to OS X 10.8.2 after Apple pulled the first update from the App Store last Friday. Today, the folks in Cupertino have released their second supplemental update for OS X 10.8.2 that should allow those users to install the update. Additionally, Apple said the update “is recommended for all Mac systems introduced in 2012” and mainly “fixes an issue with Keychain that can affect 2012 Mac systems.” Grab it from the source link below, and let us know how the update experience fares in the comment section down south.

[Apple]