Skip to main content

Will Strafach

See All Stories

AccuWeather iOS app misleads users as it sends location data even when denied access

AccuWeather

Update #2: AccuWeather has released a joint statement with Reveal Mobile. From the statement:

Despite stories to the contrary from sources not connected to the actual information, if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user.

Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather. In fact, AccuWeather was unaware the data was available to it. Accordingly, at no point was the data used by AccuWeather for any purpose.

Update: Reveal Mobile has issued the following statement to 9to5Mac in response to Strafach’s audit:

We don’t attempt to reverse engineer a device’s location if someone opts out of location services, regardless of the data signal it comes from. In looking at our current SDK’s behavior, we see how that can be misconstrued. In response to that, we’re releasing a new version of our SDK today which will no longer send any data points which could be used to infer location when someone opts out of location sharing.

AccuWeather on iOS may be violating Apple’s developer agreement as well as user trust, a new security audit reveals. Will Strafach, a security researcher, discovered that the iOS weather app is potentially sending out the identifiable user and device information to a third-party company even when location data sharing is denied.


Expand
Expanding
Close

Ex-Jailbreakers now working to secure iOS for consumers and enterprises with comprehensive platform

Site default logo image

For nearly half a decade, teams of hackers and programmers have worked tirelessly to crack Apple’s iOS software code in order to inject new features, themes, and applications. Now, a team led by noted former jailbreak developers Will Strafach, otherwise known as “Chronic”, and Joshua Hill, known as P0sixninja, is working to secure Apple’s mobile platform. The duo, along with a list of unnamed former jailbreak developers, has been working on a new comprehensive platform to secure iOS devices for both enterprises and consumers. Strafach provided us with a preview of the platform known as “Apollo,” the first security product from his new company Sudo Security Group.


Expand
Expanding
Close

XRY’s two-minute iPhone passcode exploit debunked

Site default logo image

Late last month, we reported Swedish security firm Micro Systemation claimed its “XRY” application was capable of cracking an iOS device’s passcode, logging keystrokes, and accessing data like GPS, call logs, contacts, and messages. The video showing the app in action is now removed, but the firm’s claims are coming under scrutiny by at least one fellow hacker. Will Strafach, better known in the jailbreaking community as “@chronic,” just posted his summary of what is really happening with the software to clarify the issue.

While explaining XRY does not use exploits similar to jailbreak programs, as claimed by many covering the story, Strafach clarified the tool is “simply loading a custom ramdisk by utilizing the publicly available ‘limera1n’ exploit by George Hotz. The ramdisk is not even very special, because anyone could put together their own using open source tools.” He continued by explaining the “two-minute” claim of Micro Systemation is only true if a passcode is “0000.” The time increases when a more complex passcode is set.

Chronic also noted XRY cannot be used on iPhone 4S, iPad 2, and third-gen iPads, something most publications are not reporting. Here is his explanation:

 


Expand
Expanding
Close