Hacker News new | ask | show | jobs
by keehun 1002 days ago
Not publicly that I have seen, but I can assure you networking and cybersecurity companies (and others) saw this pretty quickly when the bug was first released. I was just glad to see a relatively big company calling out this rather egregious issue.
1 comments
LeoNatan25 1002 days ago
Security companies should be much more open about these issues, rather than quake the notion that if they go public, they’d lose their hush hush secret contacts at Apple that give them private entitlements for private functionality. (Source: first hand experience)
link
pdimitar 1002 days ago
Your comment is pretty vague but intriguing. Are you allowed to share an example?
link
mrcode007 1002 days ago
they're called managed capabilities and require apple's approval for unlocking access. CarPlay is an example:

https://developer.apple.com/documentation/carplay/requesting...

edit: tap to pay is another: https://developer.apple.com/documentation/proximityreader/se...

link
LeoNatan25 1002 days ago
Those are public capabilities that require explicit approval from Apple in the form of an entitlement. That’s not what I am saying.

I’m talking about capabilities Apple officially denies having, or only gates to “partners”, and vends them using private header files and entitlements. One example is VPN service, which, before the NetworkExtension, were limited to the “Cisco”-branded user UI in Settings and MDM configuration files. Unless you had the (legacy) network manager private header files and a super private entitlement in you provisioning profile, allowing you to create VPN on-device without any MDM or configuration profile (or user consent), there was no way for an App Store app to create a VPN tunnel. We used to get these by mailing a contact inside Apple, asking for the latest headers before each major and minor iOS release. Before NetworkExtension, any public inquiry about creating VPN tunnels was denied by Apple and only officially supported by the Cisco app at the time.

Over the years, I’ve heard of many other such “features” only available to big “partners”.

link
mrcode007 1002 days ago
These are broken out as standard entitlements in Xcode now and require standard approval process.

Private features are a standard practice pretty much everywhere you look around. Don’t believe me? Ask big google or facebook advertisers

link
dcow 1002 days ago
Blizzard had a hardcoded exception in OSX (pre macOS) for the longest time.
link