
Getting root with benign AppStore apps - lelf
https://theevilbit.github.io/posts/getting_root_with_benign_appstore_apps/
======
saagarjha
> it’s a good idea to double check if the App is compiled with the library-
> validation option (flag=0x200). That would mean that the OS will verify if
> all dylibs are signed or not

Actually, library validation will check if the binary is signed with the same
team ID.

> I signed up with a new Apple ID for the Apple developer program just because
> I had the fear that they will ban me, once I introduce an app that can be
> used for private escalation. In fact they didn’t.

Apple has a history of going after people who try to find holes in the App
Store’s security model. This was a _huge_ gamble; they could have made your
life quite miserable if they figured out who was behind this.
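
The flag the quoted post and this reply are discussing lives in the CodeDirectory of the binary's embedded code signature; `codesign -dv` prints it as `flags=0x2000(library-validation)`, next to the Team ID that the loader compares against when the bit is set. What follows is an added example, not code from the linked post or from any commenter: a pure-Python reader that pulls the flags, identifier and Team ID out of a Mach-O (thin or fat) with no macOS tooling, plus a constructed, non-loadable sample binary so it runs offline. The names `signing_info`, `build_sample`, `wrap_fat` and the sample identifier and Team ID are this example's own.

```python
"""Read CodeDirectory flags and Team ID from a Mach-O's embedded code signature.

Added example (not from the linked post or the commenters); the sample binary
built at the bottom is constructed inline, not taken from a real app.
"""
import struct

MH_MAGIC_64, MH_MAGIC, FAT_MAGIC = 0xFEEDFACF, 0xFEEDFACE, 0xCAFEBABE
LC_CODE_SIGNATURE = 0x1D
CSMAGIC_EMBEDDED_SIGNATURE, CSMAGIC_CODEDIRECTORY = 0xFADE0CC0, 0xFADE0C02
CSSLOT_CODEDIRECTORY = 0

# CodeDirectory flag bits (Security framework, CSCommon.h); codesign -dv prints
# them as e.g. "flags=0x2000(library-validation)" or "flags=0x300(kill,hard)".
CS_HARD, CS_KILL, CS_RESTRICT = 0x100, 0x200, 0x800
CS_LIBRARY_VALIDATION, CS_RUNTIME = 0x2000, 0x10000
FLAG_NAMES = {CS_HARD: "hard", CS_KILL: "kill", CS_RESTRICT: "restrict",
              CS_LIBRARY_VALIDATION: "library-validation", CS_RUNTIME: "runtime"}


def _cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode()


def parse_code_directory(cd):
    """Parse a big-endian CodeDirectory blob; offsets are relative to its start."""
    magic, _length, version, flags, _hash_off, ident_off = struct.unpack(">6I", cd[:24])
    if magic != CSMAGIC_CODEDIRECTORY:
        raise ValueError("not a CodeDirectory")
    team = None
    if version >= 0x20200:                      # teamOffset field exists from this version
        team_off = struct.unpack(">I", cd[48:52])[0]
        team = _cstr(cd, team_off) if team_off else None
    return {"flags": flags, "identifier": _cstr(cd, ident_off), "team_id": team}


def parse_superblob(sb):
    """Locate the CodeDirectory slot inside the embedded-signature SuperBlob."""
    magic, _length, count = struct.unpack(">3I", sb[:12])
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError("not an embedded signature SuperBlob")
    for i in range(count):
        slot, off = struct.unpack(">2I", sb[12 + 8 * i:20 + 8 * i])
        if slot == CSSLOT_CODEDIRECTORY:
            return parse_code_directory(sb[off:])
    raise ValueError("SuperBlob has no CodeDirectory")


def code_signature_of(macho):
    """Return the SuperBlob referenced by LC_CODE_SIGNATURE of a thin Mach-O."""
    magic = struct.unpack("<I", macho[:4])[0]
    if magic not in (MH_MAGIC_64, MH_MAGIC):
        raise ValueError("not a little-endian thin Mach-O")
    off = 32 if magic == MH_MAGIC_64 else 28     # mach_header_64 vs mach_header
    ncmds = struct.unpack("<I", macho[16:20])[0]
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<2I", macho[off:off + 8])
        if cmd == LC_CODE_SIGNATURE:             # linkedit_data_command: dataoff, datasize
            dataoff, datasize = struct.unpack("<2I", macho[off + 8:off + 16])
            return macho[dataoff:dataoff + datasize]
        off += cmdsize
    raise ValueError("binary is unsigned (no LC_CODE_SIGNATURE)")


def signing_info(data):
    """One dict per architecture slice (fat files are walked; thin files give one)."""
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        out = []
        for i in range(nfat):
            _cpu, _sub, off, size, _align = struct.unpack(">5I", data[8 + 20 * i:28 + 20 * i])
            out.append(parse_superblob(code_signature_of(data[off:off + size])))
        return out
    return [parse_superblob(code_signature_of(data))]


def has_library_validation(info):
    return bool(info["flags"] & CS_LIBRARY_VALIDATION)


def describe_flags(flags):
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def build_sample(flags, identifier, team_id):
    """Constructed minimal 64-bit Mach-O: one LC_CODE_SIGNATURE, one CodeDirectory.
    Not loadable; only enough structure for the parser above."""
    ident, team = identifier.encode() + b"\0", team_id.encode() + b"\0"
    ident_off = 52                               # CodeDirectory header through teamOffset
    team_off = ident_off + len(ident)
    cd_len = team_off + len(team)
    cd = struct.pack(">6I", CSMAGIC_CODEDIRECTORY, cd_len, 0x20200, flags, cd_len, ident_off)
    cd += struct.pack(">3I", 0, 0, 0)            # nSpecialSlots, nCodeSlots, codeLimit
    cd += struct.pack(">4B", 32, 2, 0, 12)       # hashSize, hashType(SHA-256), platform, pageSize
    cd += struct.pack(">3I", 0, 0, team_off)     # spare2, scatterOffset, teamOffset
    cd += ident + team
    sb = struct.pack(">3I", CSMAGIC_EMBEDDED_SIGNATURE, 20 + len(cd), 1)
    sb += struct.pack(">2I", CSSLOT_CODEDIRECTORY, 20) + cd
    hdr = struct.pack("<7I4x", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 16, 0)  # arm64, MH_EXECUTE
    return hdr + struct.pack("<4I", LC_CODE_SIGNATURE, 16, 48, len(sb)) + sb


def wrap_fat(thins):
    """Constructed universal container around thin images, for the demo only."""
    archs, body, off = b"", b"", 8 + 20 * len(thins)
    for t in thins:
        archs += struct.pack(">5I", 0x0100000C, 0, off, len(t), 0)
        body, off = body + t, off + len(t)
    return struct.pack(">2I", FAT_MAGIC, len(thins)) + archs + body


if __name__ == "__main__":
    for label, flags in (("hardened app", CS_RUNTIME | CS_LIBRARY_VALIDATION), ("plain app", CS_KILL)):
        info = signing_info(build_sample(flags, "com.example.sample", "ABCDE12345"))[0]
        print(label, hex(info["flags"]), describe_flags(info["flags"]),
              info["team_id"], "LV:", has_library_validation(info))
```

On a real app, feed `open(path, "rb").read()` of the main executable, or of any privileged helper it installs, to `signing_info`. Without the bit, the process will load dylibs no matter who signed them; with it set, the loader only accepts libraries signed by Apple or by the same Team ID the CodeDirectory carries, which is the check saagarjha describes.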

~~~
floatingatoll
He had an open unpublished conversation with Apple Security and notified them
of his own published app, so “if they figured out who” seems inapplicable
here.

~~~
saagarjha
Yes, hence it was a gamble. There was a significant chance that they’d go
after him after he told them he put an exploitable app on the App Store.

------
liquid9
Has this also been fixed in High Sierra?

