Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

If you think my comment was about the security of iOS, you need to read it again. Carefully.


You're right. I re-read what you wrote.

And all you did was echo the lower portions of my own comment where I admitted that "fake alert" style applications could also take these details. And I'm sure other styles of attack as well.

The author of the article was trying to make a simple point though: If Apple allows an iTunes plugin such low level access that it can proxy a store transaction - ideally the thing they should be the most paranoid about - then they should probably revisit their plugin architecture (possibly taking a page from web browsing plugin sandboxing).

Claiming there will always be problems until the OS is as locked down as iOS is overkill.


There are a million ways to proxy a store transaction. Guess what else the user can do:

- Add trusted CA certificates.

- Configure proxy settings.

- Launch arbitrary applications.

- Delete all the users files.

What you're talking about here is sandboxing to protect the user from themselves, and all the lost utility that results. In other words, iOS.


- Add a trusted CA: will prompt for credentials

- Configure proxy settings: prompt for admin credentials

- Launch arbitrary: already admitted as much

- Delete all users files: yup, that's a problem

But the problems I illustrated aren't limited to the single machine that gets infected.

Just clarifying.


> Add a trusted CA: will prompt for credentials

You've already social-engineered your way to getting somebody to download and run an application, ignoring warnings along the way. Prompts for credentials when installing applications are perfectly normal.

> Configure proxy settings: prompt for admin credentials

??? Not on my machine. There isn't even a padlock icon in the relevant window.


> - Add a trusted CA: will prompt for credentials

IIRC this isn't protected by the actual keychain file, and can be done by simply editing the file manually.

Regardless, peer commentator already noted that password prompts are hardly an issue here.

> - Configure proxy settings: prompt for admin credentials

Actually, it doesn't. Additionally, browsers have per-user local configuration.


Let's assume you're right and Apple should revisit it (I don't think they should; I prefer plugins that can, in fact, do anything they wish). How does that lead to the OP's hysterical conclusion?

Browser plugin sandboxing is a very new phenomenon. Apple doesn't give a shit about security because... they said they'll investigate doing something that has only recently been done for the first time at all? What?




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: