Archive for April 20, 2020

Monday, April 20, 2020

There Should Be an iCloud Keychain App

Bradley Chambers:

The problem with managing passwords on iOS and macOS at the moment is the functions are scattered around. Some of the syncing happens on in the backend with no way to quickly see (especially on iOS). A prime example of this is the syncing of Wi-Fi passwords. It’s easy to remove old networks on the Mac, but on iOS, it’s all happened without being able to remove anything.


As our devices continue to store ever more personal information, Apple should release a dedicated app to view, add, change, or delete anything being stored in iCloud Keychain.

Update (2020-04-22): R0MK1N:

And also api for other apps to use that. What’s the point of keychain if I can’t use it in Firefox on a Mac.

What does a browser need that the regular keychain API can’t do?

W. Butcher:

I live in terror of accidentally enabling iCloud Keychain with an OS update. Last time that happened it deleted a bunch of passwords and imported a bunch of prior ones from God knows when.

Matt Birchler:

A standalone app would do a couple things.

Privileged Operations on macOS

Objective by the Sea has posted slides from Julia Vashchenko’s talk on SMJobBless() and XPC:

Operation system’s security depends a lot on the way developers handle privileged operations. Is it easy to make a mistake? Is the recommended way actually better than a deprecated API?

Recently, we gained insight into these questions during our company’s bug bounty program, which led to some surprising conclusions, which we’ll share today.

This stuff is under-documented, and the sample code is buggy.

See also: Csaba Fitzl (tweet).


Update (2020-08-28): Ilya Kulakov:

A refined advice was published by @justkwin regarding XPC peer validation. There is an interesting detail regarding “the second message”. I’m still confused how this solves peer validation though.

Csaba Fitzl:

This is the third post in my series which is trying to help Apple developers to avoid typical insecure coding practices. This one will highlight why XPC client hardening and proper verification is extremely important when we use XPC messaging on macOS between clients that run as a normal user and services that run as root. If this validation is not right, it opens up the possibility for an attacker to run privileged commands or worse case, achieve full privilege escalation on the system.

Update (2021-01-22): Alexis Bridoux:

I will make some research to better understand the possible exploits to know what is the best thing to do. Meanwhile, here are some advices:

  • The Helper should be removed when the application is removed. A Helper left behind has no use and it’s a risk that can be avoided. This post explains that.
  • The current preferred solution to prevent a malicious attack is to check the calling code identity. This post is great to understand the problem and applies this solution.
  • This repository also offers a ready-to-use solution in Swift.

Update (2021-06-13): Thomas Clement:

lo and behold, seems like finally Apple is adding a public API to validate xpc connections.

Previously: is an interactive reference for date format strings and has some good tips (via Kyle Howells):

  • Use dateStyle and timeStyle over dateFormat whenever you can. Explain the date fallacies to your designer if you need to.
  • If you can’t find a fitting dateStyle/timeStyle to format your UI dates, then at least use dateFormatter.setLocalizedDateFormatFromTemplate(…) to account for the user’s locale.
  • When parsing ISO8601 internet dates, always use ISO8601DateFormatter
  • If you can’t because your API format doesn’t fit ISO8601 and you still absolutely need to use a custom dateFormat, then be sure to also set your dateFormatter.locale to the special value Locale(identifier: "en_US_POSIX").

See also:,


Update (2020-04-22): Tyler Hall:

Why wasn’t it crashing for us in our testing?


Apple’s documentation for that method says…

Returns a date representation of a given string interpreted using the receiver’s current settings.


The customer dictated their bug report to us via email using Siri. They speak English, live outside Boston, but their phone’s region was set to Uzbekistan instead of United States (or anything else more common).

Malicious RubyGems Packages

Dan Goodin (via Hacker News):

More than 725 malicious packages downloaded thousands of times were recently found populating RubyGems, the official channel for distributing programs and code libraries for the Ruby programming language.


The accounts, which ReversingLabs suspects may be the work of a single individual, used a variation of typosquatting—the technique of giving a malicious file or domain a name that’s similar to a commonly recognizable name—to give the impression they were legitimate. For instance, “atlas-client,” a booby-trapped package with 2,100 downloads, was a stand-in for the authentic “atlas_client” package.


Once installed, the packages executed a script that attempted to intercept Bitcoin payments made on Windows devices.