Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Users No Longer Need to Jailbreak Apple iOS To Load Rogue Apps
Newest First  |  Oldest First  |  Threaded View
ZucchiniW940
50%
50%
ZucchiniW940,
User Rank: Apprentice
1/6/2016 | 3:28:57 AM
Re: Vetting Process?
The people operating these marketplaces are criminals.  They have elaborate schemes to pay people to impersonate companies and fraudulently obtain enterprise distributions certificates.  Our research shows that companies in China and the United Arab Emirates have been faked, and those identities used to get around Apple's vetting process.  

 

Dave

Proofpoint

 
WCLoehr
50%
50%
WCLoehr,
User Rank: Strategist
12/30/2015 | 6:21:42 PM
Re: Vetting Process?
Let's say your company is Acme, Inc. and you develop apps. you apply to Apple for an enterpise cert so your Acme employees can use it for installing "enterprise approved" apps. What then prevents you from using that for others? Outside of the agreement you accepted when getting the cert from Apple...nothing. There probably is little monitoring of how pwoplw are using these certs once they get them, see no eveil, hear no eveil, perhaps? At this point, its hard to say whether Apple should be doing more, but my bet would be they have a process deficiency that needs to be solved now.
melgross
50%
50%
melgross,
User Rank: Apprentice
12/30/2015 | 10:51:08 AM
Re: Vetting Process?
I just hope that when people using these, and other unapproved stores, get malware, they blame themselves, rather than Apple. There is a very good reason why iOS is so secure from malware, as opposed to Android. That is, other than the poor way that Android itself was written.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2015 | 10:33:18 AM
Vetting Process?
How are these enterprise certificates provided? I would imagine by Apple but is there a stringent vetting process in place to provide these certs to an enterprise? This article would make me believe there is not.


COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
The Problem with Artificial Intelligence in Security
Dr. Leila Powell, Lead Security Data Scientist, Panaseer,  5/26/2020
10 iOS Security Tips to Lock Down Your iPhone
Kelly Sheridan, Staff Editor, Dark Reading,  5/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6342
PUBLISHED: 2020-05-28
An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.
CVE-2020-11082
PUBLISHED: 2020-05-28
In Kaminari before 1.2.1, there is a vulnerability that would allow an attacker to inject arbitrary code into pages with pagination links. This has been fixed in 1.2.1.
CVE-2020-5357
PUBLISHED: 2020-05-28
Dell Dock Firmware Update Utilities for Dell Client Consumer and Commercial docking stations contain an Arbitrary File Overwrite vulnerability. The vulnerability is limited to the Dell Dock Firmware Update Utilities during the time window while being executed by an administrator. During this time wi...
CVE-2020-13660
PUBLISHED: 2020-05-28
CMS Made Simple through 2.2.14 allows XSS via a crafted File Picker profile name.
CVE-2020-11079
PUBLISHED: 2020-05-28
node-dns-sync (npm module dns-sync) through 0.2.0 allows execution of arbitrary commands . This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This has been fixed in 0.2.1.