iOS Apps Could Really Benefit From the Newly Proposed Security.plist Standard (zdnet.com)
Security researcher Ivan Rodriguez has proposed a new security standard for iOS apps, which he named Security.plist. From a report: The idea is simple. App makers would create a property list file (plist) named security.plist that they would embed inside the root of their iOS apps. The file would contain all the basic contact details for reporting a security flaw to the app's creator. Security researchers analyzing an app would have an easy way to get in contact with the app's creators. Rodriguez said the idea for Security.plist came from Security.txt, a similar standard for websites, that was proposed in late 2017. Security.txt is currently going through an official standardization process at the Internet Engineering Task Force (IETF), but it has been widely adopted already, and companies like Google, GitHub, LinkedIn, and Facebook, all have a security.txt file hosted on their sites, so bug hunters can get in touch with their respective security teams. Rodriguez, who is an amateur bug hunter in iOS apps, said he decided to propose a similar thing for iOS apps because getting in touch with an app's dev or security team has been a problem in the past. "I spend most of my free time poking mobile applications which has led me to find many vulnerabilities and I have yet to find one that has an easy way to find the correct channel to responsibly disclose these issues," Rodriguez told ZDNet.
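As an added example (not code from Rodriguez's proposal or from the ZDNet report), the Python below shows what a researcher's tooling would do with such a file: build a security.plist, drop it at the root of an .app bundle inside an .ipa, then pull it back out and sanity-check it. The key names (Contact, Policy, Encryption, Expires) are an assumption modelled on security.txt fields; the proposal as reported here does not fix a schema. The .ipa, bundle identifier and contact URIs are constructed sample data. Two practical points the code enforces: only a security.plist at Payload/<Name>.app/ counts (a copy buried in a framework directory is ignored), and plistlib reads both XML and binary plists, so a file Xcode converted to binary at build time is still found.

```python
"""Locate and sanity-check a security.plist inside an iOS .ipa.

Added example; not code from the Security.plist proposal or from ZDNet.
Assumptions: the key names below are borrowed from security.txt fields
(the proposal as reported does not fix a schema), and the .ipa is built
in memory from constructed sample data.
"""
import io
import plistlib
import zipfile
from datetime import datetime

# Constructed sample fields; key names are an assumption modelled on security.txt.
SAMPLE_SECURITY = {
    "Contact": ["mailto:security@example.com", "https://example.com/report"],
    "Policy": "https://example.com/security-policy",
    "Encryption": "https://example.com/pgp-key.txt",
    "Expires": datetime(2030, 1, 1),  # serialised as a plist <date>
}

ALLOWED_CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def build_security_plist(fields):
    """Serialise fields as an XML plist (the form a developer would check in)."""
    return plistlib.dumps(fields, fmt=plistlib.FMT_XML)


def build_sample_ipa(security_plist=None, app_name="Example.app"):
    """Construct an .ipa in memory: a zip containing Payload/<App>.app/.

    A decoy security.plist is placed inside a framework directory to show
    that only the copy at the bundle root is honoured.
    """
    root = f"Payload/{app_name}/"
    info = {"CFBundleIdentifier": "com.example.app",   # constructed sample
            "CFBundleShortVersionString": "1.0"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(root + "Info.plist", plistlib.dumps(info))
        z.writestr(root + "Frameworks/Other.framework/security.plist",
                   build_security_plist({"Contact": ["mailto:decoy@example.org"]}))
        if security_plist is not None:
            z.writestr(root + "security.plist", security_plist)
    return buf.getvalue()


def find_security_plist(ipa_bytes):
    """Return (bundle_id, fields) for the single .app inside an .ipa.

    fields is None when no security.plist sits at the bundle root.
    plistlib.loads accepts XML and binary plists alike.
    """
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = set(z.namelist())
        roots = set()
        for n in names:
            parts = n.split("/")
            if len(parts) >= 3 and parts[0] == "Payload" and parts[1].endswith(".app"):
                roots.add(f"{parts[0]}/{parts[1]}/")
        if len(roots) != 1:
            raise ValueError(f"expected exactly one .app under Payload/, found {sorted(roots)}")
        root = roots.pop()
        info = plistlib.loads(z.read(root + "Info.plist"))
        bundle_id = info.get("CFBundleIdentifier")
        path = root + "security.plist"
        if path not in names:
            return bundle_id, None
        return bundle_id, plistlib.loads(z.read(path))


def check_security_fields(fields, now=None):
    """Return a list of problems; an empty list means the file is usable."""
    if fields is None:
        return ["no security.plist at bundle root"]
    problems = []
    contacts = fields.get("Contact")
    if isinstance(contacts, str):  # tolerate a lone string instead of an array
        contacts = [contacts]
    if not contacts:
        problems.append("Contact missing")
    else:
        for c in contacts:
            if not c.startswith(ALLOWED_CONTACT_SCHEMES):
                problems.append(f"Contact is not a mailto:, https:// or tel: URI: {c}")
    expires = fields.get("Expires")
    if isinstance(expires, datetime) and expires < (now or datetime.now()):
        problems.append("Expires is in the past")
    return problems


if __name__ == "__main__":
    ipa = build_sample_ipa(build_security_plist(SAMPLE_SECURITY))
    bundle_id, fields = find_security_plist(ipa)
    print(bundle_id, fields, check_security_fields(fields))
```

Against a real .ipa you would read the file from disk and pass its bytes to find_security_plist; the rest is unchanged. The Expires check matters because a contact file that nobody maintains is how a stale mailbox ends up as the only disclosure channel.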
In related news... (Score:1)
In sincerity though... once again this is a "security was an afterthought and now we're trying to bolt it on later" problem, all too common in the programming world.
Telling the world... (Score:3)
Is faster based on what history shows. Just make sure you properly evaluate the risk of taking credit for discovering the vulnerability.
Gets you hacked faster, if it's readily exploitabl (Score:2)
Telling the world certainly does let the bad guys know faster, so they can hack Sir Astral faster, before there is anything you can do to prevent it.
I've generally seen pretty good response when I'm able to contact the security team at the company or government agency. Going through a customer service agent has a significantly lower rate of success, in my experience.
A lot of stuff I report isn't easily exploited by itself to have a major impact. It's a weakness, something configured wrong so they aren't a
Spammers, here is my e-mail address (Score:1)
Re: (Score:3)
I've got about 30 websites with a security.txt, that direct interested parties to a contact form on a single site. The link includes the URL of the site you came across the security.txt, and inserts that into the form. All you need to do is fill out the message, your email if you want, and hit send.
No spam.
No bots (recaptcha V3 plus some aggressive CloudFlare filtering).
I would recommend people do the same if possible
Re: (Score:1)
No bots (recaptcha V3 plus some aggressive CloudFlare filtering).
I would recommend people do the same if possible.
I'd recommend you make your own captcha so we don't have to deal with bullshit sellout Cloudflare or Google, but hey, I just manage a fuckton of HIPAA-compliant networks (down to outright blocking and banning any attempts at tracking) for a living. If you truly cared about security, you'd avoid using either of those companies.
Re: (Score:2)
I recommended that people link to a form instead of put their email in the security.txt file if they were worried about spam. Yes, you do seem to do that for a living as it has you mad at the world. Any threads mentioning Google or Cloudflare today that you can jump in on?
Who is worried about tracking? What is being tracked? Google or Cloudflare will track the visitor who arrived from a security.txt file? Why would I care about that? If YOU truly cared about security, you'd understand there a
Re: (Score:3)
If you are going to publish an app, you should have a public email address so your users can contact you. You'll get spam, but there are lots of ways to filter it these days. It's part of being a responsible developer.
You already have contact info for apps... (Score:5, Informative)
All iOS apps have to provide contact links for the app maker, so there's already kind of a path defined to find someone to reach out to... Not sure how much more this adds other than possibly a more direct security contact. But I would start with the app support link before I started looking in the app binary for a plist (which takes some work to get to).
Re: (Score:2)
Also with a non-jailbroken iOS device, this seems to be difficult for the normal person to verify.
Re: (Score:2)
Well I think this is really targeted at security testers / researchers. The kind of person that gets interested in some common architectural flaw in iOS apps and wants to see how common it really is; or the sort of person that is evaluating a specific application for use, maybe internal security at some org to see if an app really meets with their compliance needs etc.
The very first thing that sort of person does is deploy the package to a rooted device so they can get a look at the contents. Going thru the plis
Customer service doesn't know what ECB is (Score:2)
I've had the same experience as the person who made this proposal. When I want to notify the security team of a security issue, the customer service folks don't have any idea what I'm talking about.
My most successful strategy, if I don't know somebody at that organization, has been to search LinkedIn for people working in security at the appropriate company or government agency.
Right now I have two outstanding issues with state of New York web sites. I sent the first notices at least two weeks ago and it d
Re: (Score:1)
But I would start with the app support link before I started looking in the app binary for a plist (which takes some work to get to).
I'd wager those contacting through the more-effort method would be more likely considered to know WTF they're talking about because of their diligence/knowledge in using said link, since you'd have to know where to look (and most iOS users, as opposed to iOS coders, are clueless to begin with so...)