Monthly Archives: July 2010

On stopping service management abuse

In chapter 2 of their book The Mac Hacker’s Handbook (is there only one Mac hacker?), Charlie Miller and Dino Dai Zovi note that an attacker playing with a sandboxed process could break out of the sandbox via launchd. The … Continue reading

Posted in launchd, Mac, sandbox | Comments Off on On stopping service management abuse

On private methods

Let’s invent a hypothetical situation. You’re the software architect for an Objective-C application framework at a large company. This framework is used by many thousands of developers to create all sorts of applications for a particular platform. However, you have … Continue reading

Posted in code-level, iPad, iPhone, Mac, PCAS, software-engineering | Leave a comment

On authorization proxy objects

Authorization Services is quite a nice way to build in discretionary access controls to a Mac application. There’s a whole chapter in Professional Cocoa Application Security (Chapter 6) dedicated to the topic, if you’re interested in how it works. The … Continue reading

Posted in Authorization, code-level, Mac, PCAS, software-engineering | Comments Off on On authorization proxy objects

NSConference MINI videos available

During WWDC week I talked at NSConference MINI, a one-day conference organised by Scotty and the MDN. The videos are now available: free to attendees, or $50 for all 10 for non-attendees. My own talk was on extending the Clang … Continue reading

Posted in code-level, NSConf, software-engineering, tool-support | Leave a comment

On Trashing

Back in the 1980s and 1990s, people who wanted to clandestinely gain information about a company or organisation would go trashing.[*] That just meant diving in the bins to find information about the company structure – who worked there, who … Continue reading

Posted in Business, Data Leakage, Policy, Twitter | Leave a comment

On detecting God Classes

Opinion on Twitter was divided when I suggested the following static analyser behaviour: report on any class that conforms to too many protocols. Firstly, a warning: “too many” is highly contextual. Almost all objects implement NSObject and you couldn’t do … Continue reading

Posted in code-level, iPad, iPhone, Mac, software-engineering, tool-support | Leave a comment

On Fitt’s Law and Security

…eh? Don’t worry, read on and all shall be explained. I’ve said in multiple talks and podcasts before that one key to good security is good user interface design. If users are comfortable performing their tasks, and your application is … Continue reading

Posted in iPad, iPhone, Mac, threatmodel, UI, user-error | 1 Comment