According to researchers from security firm Palo Alto Networks, ZergHelper also abuses personal development certificates, a new type of code-signing certificate introduced by Apple with the release of Xcode 7.0 in September. Xcode is the main tool, or integrated development environment (IDE), used to develop iOS and Mac OS X apps.

Starting with Xcode 7, developers can build apps, sign them and have them run on their own devices without publishing them in the app store. This makes it a lot easier to test apps without enrolling in Apple’s Developer Program, which requires a $99 per year subscription.

To generate personal development certificates, app makers have to use Xcode with their phone connected to their computer. The exact process in which Xcode obtains the certificates from Apple is not publicly documented, but the ZergHelper creators seem to have figured it out.

“We think someone has reverse-engineered Xcode in detail to analyze this part of code so that they can implement exactly the same behaviors with Xcode - in effect, successfully cheating Apple’s server,” the Palo Alto Networks researchers said in a blog post.

Its creators appear to have tricked Apple’s reviewers by using simple tricks. The app was submitted to the app store under the name “Happy Daily English” (in Chinese) and was presented as a helper app for learning English.

Once installed on a phone, the app behaved as advertised if the user’s IP (Internet Protocol) address was from outside mainland China. However, if the address was from China, a different interface would appear that would guide users through installing a provisioning profile. This is similar to the process that a device goes through when it’s enrolled into a mobile device management system.