
Your bank data may be at risk if you use an iPhone - codegeek
http://www.cnbc.com/id/101456532
======
lstamour
I sense a pattern here.

(Read more: scary headline.)

I had to laugh at "Apple security flaw could let hackers beat encryption"

Funny thing about this article, it makes me not want to trust app developers
like Level -- since, by chance, apps like Chrome were not affected. Now, does
this really mean I'm suggesting don't use SecureTransport? No, but "The only
fix is to install the latest security patch, which Apple released Feb. 21." is
a lie, as is "Level [...] is requiring that users update their OS before they
can use the app—a necessary step, according to Fuentes."

Frankly, "It's a lot more technical and hard for nontechnical people to
grasp," is silly too. What's so hard to understand about "if you're running
iOS 6 or 7 before the recent updates, the padlock you see in your Safari
browser is meaningless"? Of course, it's harder to tell if any other apps are
using SSL in the first place, but you shouldn't trust apps with your data
unless they're from reputable developers who will take responsibility for
risks. (E.g. banks) And at that point, it's the developer's job to release an
update that doesn't use SecureTransport for older OSes -- as well as
encouraging people to update and disallowing prior releases from being
automatically downloaded through the App Store (unless they target iOS 4 or 5
specifically).

------
37prime
"You may be misinformed if you believe everything CNBC says."

------
gress
Typically misleading headline. How about "Your bank data may be at risk if you
install software updates"

~~~
mintplant
You mean, "if you _don't_ install software updates".

------
zeckalpha
Shouldn't bank apps check the cert manually?

~~~
lwf
The issue wasn't with the cert, but with the signature verification,
<https://www.imperialviolet.org/2014/02/22/applebug.html>:

> Because the certificate chain is correct and it's the link from the
> handshake to that chain which is broken, I don't believe any sort of
> certificate pinning would have stopped this.

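The failure mode lwf points at, the chain verifying fine while the handshake's signature check is silently skipped, as an added C illustration that is not from this thread and not Apple's code: a simulated key-exchange verifier with a duplicated unconditional `goto fail` beside a corrected version. The hash, `verify_sig` and the error codes are constructed stand-ins.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins, not Apple's code: 0 means success, like the
   OSStatus convention the real routine used. */
enum { OK = 0, ERR_BADSIG = -2 };

/* Toy running hash over the signed handshake bytes. */
static int hash_update(uint32_t *h, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        *h = *h * 31u + p[i];
    return OK;
}

/* Toy signature check: the "signature" is just the expected hash value. */
static int verify_sig(uint32_t h, uint32_t sig) {
    return h == sig ? OK : ERR_BADSIG;
}

/* What an honest peer would send for these bytes (for callers and tests). */
uint32_t expected_sig(const uint8_t *params, size_t n) {
    uint32_t h = 0;
    hash_update(&h, params, n);
    return h;
}

/* Buggy shape: a duplicated, unconditional "goto fail" sits between the
   hashing steps. Indentation makes it look guarded, but control always
   jumps to fail with err still OK, so verify_sig never runs and any
   signature is accepted. The certificate chain was checked elsewhere,
   which is why pinning would not have helped. */
int verify_key_exchange_buggy(const uint8_t *params, size_t n, uint32_t sig) {
    uint32_t h = 0;
    int err;
    if ((err = hash_update(&h, params, n / 2)) != 0)
        goto fail;
        goto fail;                       /* the bug */
    if ((err = hash_update(&h, params + n / 2, n - n / 2)) != 0)
        goto fail;
    err = verify_sig(h, sig);            /* unreachable */
fail:
    return err;
}

/* Fixed shape: braces on every guarded exit, and the verdict comes from
   the signature check itself rather than a reused error variable. */
int verify_key_exchange_fixed(const uint8_t *params, size_t n, uint32_t sig) {
    uint32_t h = 0;
    if (hash_update(&h, params, n / 2) != 0) { return ERR_BADSIG; }
    if (hash_update(&h, params + n / 2, n - n / 2) != 0) { return ERR_BADSIG; }
    return verify_sig(h, sig);
}
```

Compiling the buggy function with clang's `-Wunreachable-code` flags the dead `verify_sig` call, which is the cheap build-time check that surfaces this class of defect.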
~~~
zeckalpha
I still think a well-put-together banking application wouldn't be vulnerable
to this.

~~~
jleader
If a bank app wrote their own security code, and didn't use the standard
platform library, then when a bug was found, they'd get piled on here for
rolling their own and not going with the much more widely tested platform
implementation.

Should a well-put-together banking application re-implement the entire OS?
After all, there are lots of places where security bugs can hide throughout
the OS.

------
line-zero
"may be"??

~~~
bithive123
Exploits are theoretical; their mere existence does not mean your data is
compromised. Other circumstances must exist first in order for particular
people to be affected.

