Microsoft warns iOS isn't as secure as you think


Microsoft has warned customers that iOS is no more secure than Android, contradicting commonly held beliefs about the relative security of the two platforms. The company said that recent attacks targeting iOS prove it's as vulnerable as Android.

Brad Anderson, Microsoft's corporate vice president for enterprise and client mobility, set out his views in a company blog post last week. He used the Pegasus iOS spyware, revealed last month, as an example of severe vulnerabilities present in iOS. Pegasus is capable of monitoring everything a user does on their device, leaving them vulnerable to further attack.

The malware was analysed by Lookout Security, a Microsoft partner. In its report, Lookout described Pegasus as "the most sophisticated attack we've seen on any endpoint." Since it originates from a leading iOS security firm, Anderson said the statement reveals a lot about the state of security on Apple's platform.

Anderson is attempting to challenge the trust that consumers typically place in Apple. Android threats are far more numerous and gain more widespread attention than attacks on iOS. iOS is not immune to potentially devastating malware, though, contrary to what some customers believe. Anderson said Pegasus should be a "pretty startling wake-up call" that everyone is "under constant persistent attack" on every platform.

Microsoft executives have reportedly indicated "unwavering implicit trust" in Apple's iOS "countless times," revealing how strong the association between Apple and security has become. The belief that Apple's platform is stronger than Android appears to derive from iOS' closed nature. Because it is a more tightly controlled ecosystem, it presents malware with a smaller attack surface than Android does.

This view is dangerous, according to Anderson. Every mobile device is at constant risk of attack, regardless of the platform it runs. "I know for a fact that all the providers of mobile operating systems go to superhuman lengths to harden their platforms and do everything they can to deliver the most secure operating system possible," said Anderson.

However, iOS, Android and Windows all have vulnerabilities that expose them to potentially devastating attacks. Some platforms are targeted more frequently than others but this shouldn't influence people to make assumptions about a platform's security. Pegasus demonstrates that even a closed ecosystem can be infiltrated by some of the most complex mobile malware ever observed.

Coming from Microsoft, Anderson's argument represents a powerful message to businesses and consumers that iOS may not be all it seems. Pegasus has proven iOS presents a viable attack vector to cybercriminals. It has also demonstrated that malware has been commercialised to the point that it's an off-the-shelf product, available for purchase from the secretive NSO Group. According to Microsoft, the idea of a single platform being more secure than others is an urban myth. In real-world terms, any device can be hacked and every user is a target.

Tim Cook defended Apple's approach to security: 'Encryption is inherently great'

Apple CEO Tim Cook has robustly defended his company's strident approach to security in a new on-stage Q&A, declaring: "Encryption is inherently great."

The Cupertino tech exec spoke in Salt Lake City, Utah, as part of the US state's "Utah Tech Tour" event.

Microsoft adds 'non-security updates' to security patches

MS16-023, billed as a “Security update for Internet Explorer” and issued on March 8, includes six “General distribution release (GDR) fixes”.

Five are innocuous as they address glitches like “Empty textarea loses its closing tag in Internet Explorer 11 after conversion from XML to HTML.”

But the last item on the list, item 3146449, has the rather more interesting title “Updated Internet Explorer 11 capabilities to upgrade Windows 8.1 and Windows 7.”

A great many users just accept all Windows updates, so will never see item 3146449. Even if you are diligent enough to visit the page for MS16-023 you'll probably miss it, because it's far enough down the page that scrolling is required to see it.

Only once you visit 3146449's knowledge base page will you find the following explanation for the patch:

This update adds functionality to Internet Explorer 11 on some computers that lets users learn about Windows 10 or start an upgrade to Windows 10.

We've no idea what that means, so we have asked Microsoft to explain the sentence and the purpose of item 3146449.

Some users report that the update adds ads to older versions of Windows. Those ads include a button to initiate a Windows 10 upgrade.

Windows 10 is growing nicely, gaining one per cent of global market share in February alone. Microsoft's made no secret of its ambitions to quickly kill off Windows 8.x and its predecessors.

ASP.NET MVC OWIN and Microsoft account

  1. Register an app in the Microsoft Account Developer Center

    Go to the Microsoft Account Developer Center and create a new application. After you have registered the application take note of the App ID and App Secret:


  2. Install the Nuget Package

    Install the Nuget Package which contains the Microsoft OAuth provider.

        Install-Package Microsoft.Owin.Security.MicrosoftAccount

  3. Register Provider

    Locate the file in your project called \App_Start\Startup.Auth.cs. Ensure that you have imported the Owin namespace:

    using Owin;

    In the ConfigureAuth method add the following lines of code, which register the Microsoft Account middleware with just a client ID and secret (all other options keep their defaults):

        app.UseMicrosoftAccountAuthentication(
            clientId: "Your client ID",
            clientSecret: "Your client secret");

  4. Advanced Configuration

    To use the advanced configuration options, be sure to use the Microsoft.Owin.Security.MicrosoftAccount namespace:

    using Microsoft.Owin.Security.MicrosoftAccount;

    Request extra permissions

    If no scope is specified, the Microsoft OAuth provider will request permissions for the wl.basic scope. If you would like to request any other scopes, you will need to add them to the Scope property. For example, to request the wl.calendars permission, you can register the Microsoft provider as per the following example:

        var options = new MicrosoftAccountAuthenticationOptions {
            ClientId = "Your client ID",
            ClientSecret = "Your client secret"
        };
        options.Scope.Add("wl.calendars"); // Scope is an IList<string>
        app.UseMicrosoftAccountAuthentication(options);

    For the full list of available permissions, see Scopes and permissions on the MSDN.

    Specify an alternative callback path

    By default the Microsoft provider will request Microsoft to redirect to the path /signin-microsoft after the user has signed in and granted permissions on Microsoft. You can specify an alternative callback path:

        using Microsoft.Owin; // PathString lives in this namespace

        var options = new MicrosoftAccountAuthenticationOptions {
            ClientId = "Your client ID",
            ClientSecret = "Your client secret",
            CallbackPath = new PathString("/oauth-redirect/microsoft")
        };
        app.UseMicrosoftAccountAuthentication(options);

    You need to also make sure that the Redirect URI of your application in the Microsoft Account Developer Center matches this new callback path.

    Retrieve access token and other user information returned from Microsoft

    You can retrieve the access token and other user information returned from Microsoft in the OnAuthenticated callback function which gets invoked after the user has authenticated with Microsoft:

        var options = new MicrosoftAccountAuthenticationOptions
        {
            ClientId = "Your client ID",
            ClientSecret = "Your client secret",
            Provider = new MicrosoftAccountAuthenticationProvider
            {
                // Invoked once Microsoft has returned the user's token and profile
                OnAuthenticated = async context =>
                {
                    // Retrieve the OAuth access token to store for subsequent API calls
                    string accessToken = context.AccessToken;
                    // Retrieve the user ID
                    string microsoftUserId = context.Id;
                    // Retrieve the user's full name
                    string microsoftFullName = context.Name;
                    // You can even retrieve the full JSON-serialized user
                    var serializedUser = context.User;
                }
            }
        };
        app.UseMicrosoftAccountAuthentication(options);

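    Putting steps 1 to 4 together, here is a complete ConfigureAuth registration as an added example (it is not code from the original post). It reads the client ID and secret from appSettings instead of hardcoding them, pins the callback path to the Redirect URI registered in the Developer Center, requests only the scopes the application uses, and stores the returned access token as a claim on the external identity so that later code can reach it without logging or caching the raw token. The appSettings key names and the claim type urn:microsoftaccount:access_token are assumptions chosen for this example.

```csharp
using System.Configuration;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.MicrosoftAccount;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // The project template's cookie middleware registration is assumed to be
        // above this point and is omitted here.

        var options = new MicrosoftAccountAuthenticationOptions
        {
            // Assumed appSettings keys: keep the secret out of source control
            // (Web.config transforms, environment-specific config or a secrets store).
            ClientId = ConfigurationManager.AppSettings["MicrosoftAccount:ClientId"],
            ClientSecret = ConfigurationManager.AppSettings["MicrosoftAccount:ClientSecret"],

            // Must match the Redirect URI registered in the Developer Center exactly,
            // otherwise Microsoft rejects the authorization request.
            CallbackPath = new PathString("/oauth-redirect/microsoft"),

            Provider = new MicrosoftAccountAuthenticationProvider
            {
                OnAuthenticated = context =>
                {
                    // Keep the token on the identity rather than in session state or logs.
                    // The claim type is a naming assumption for this example.
                    context.Identity.AddClaim(new Claim(
                        "urn:microsoftaccount:access_token", context.AccessToken,
                        ClaimValueTypes.String, "Microsoft"));

                    // Email is only present if the wl.emails scope was granted.
                    if (!string.IsNullOrEmpty(context.Email))
                    {
                        context.Identity.AddClaim(new Claim(
                            ClaimTypes.Email, context.Email,
                            ClaimValueTypes.Email, "Microsoft"));
                    }

                    return Task.FromResult(0);
                }
            }
        };

        // Request only what the application needs; each extra scope is more data
        // the token can reach if it leaks.
        options.Scope.Add("wl.basic");
        options.Scope.Add("wl.emails");
        options.Scope.Add("wl.calendars");

        app.UseMicrosoftAccountAuthentication(options);
    }
}
```

    The middleware generates and validates the OAuth state parameter itself, so the callback is protected against login CSRF without extra code; what remains the application's job is the handling shown above: keeping the client secret out of the repository, matching the registered Redirect URI, minimising scopes, and treating the access token as a credential once it is in hand.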
Happy coding!



Planet Xamarin