Stolen credentials are blamed for a fraudulent App Store offering -- and could easily have been prevented
Earlier this week, my colleague Simon Phipps discovered several fraudulent apps on the Apple App Store. He was able to reach one of the developers, who claimed his Apple developer credentials had been stolen, and someone else put up the fake version of Quickoffice using those credentials.
If those credentials were stolen, they didn't need to be — Apple has a strong second-factor authentication system in place to prevent account hijacking. But it was rolled out only in the last year, so many developers may not have implemented it, relying instead on the still-available, basic security system that isn't as secure.
Android developers can also use second-factor authentication to secure their Google Play accounts, but the method is much harder to find than with Apple and Microsoft. Even new Google Android developers are probably going with the less-secure method that Apple also long employed: a second email to send alerts about account changes.
Receiving an email that tells you someone updated your account is better than nothing, but doesn't prevent a hijacking — it merely lets you know you've been hijacked. At that point, you have to wade through the automated systems at both Apple and Google to recover your accounts.
All the while, your legitimate apps' payments may be going to someone else, and that person can use your credentials to publish fake apps and even malware. (The fraudulent apps that Phipps discovered this week have shaken my faith in Apple's vaunted app review process. Clearly, it's not all it's claimed to be.)
Second-factor authentication is no cure-all, but it's a good baseline.
Securing your Apple developer account
In Apple's case, you register an iOS device as your second factor, so any account changes have to be validated from that device, similar to how Apple uses your iOS devices and Macs as a second-factor authenticator for changes to your iCloud account. You still have to know the first factor: your account password.
This is the same system Apple provides for all Apple IDs, not only for developer accounts, so you should also use it for your personal Apple ID. In addition, you should not use your personal Apple ID as your developer Apple ID, even with second-factor authentication in place. In case one account is compromised, why risk the other?
To set up second-factor authentication, go to the Apple ID password and security page (sign in with your user ID and password, of course). Have your iOS device at hand (I recommend using an iPhone to get verifications no matter where you are). After you sign in, click or tap the Get Started link under the Two-Step Verification heading. Follow the prompts. It's that easy!
Apple also provides a recovery key for use if you've forgotten your password or lost your device, acting as a substitute factor for one of the two (but not both at the same time). I suggest you save the recovery key in a separate system, whether in iCloud Drive linked to your personal Apple ID or in a separate service like 1Password, Dropbox, Box, or Evernote that employs a different password and perhaps even user ID than your developer Apple ID.
Keep in mind that Apple will make you use the second-factor authentication every time you make an account change in the future, even from the computer or device you always use. That's a pain, but it means a stolen MacBook can't be used to bypass the second-factor authentication requirement, as is possible with Google's approach.
Securing your Android developer account
It's not so easy to secure your Android dev account. You won't find links to enabling second-factor authentication in the Play Store's developer accounts page, for example. But Google has a second-factor account creation page; I found it via Google search, then by parsing a help page that buried the link. You can skip the goose chase by using the link here. You'll of course have to sign in with your account credentials.
Follow the prompts to set up the second-factor authentication. (You can apply second-factor authentication to any Google account, not only your developer account.)
Google's second-factor authentication works like that of many banks: You get a text message or phone call with a one-time code that you then enter on the website from which you are trying to make an account change.
You can tell Google not to require a code from that specific browser on that specific computer in the future, so you don't have to use the second factor every time you make a change — only when you (or someone else) tries to make a change from another device. Of course, if you disable the code requirement on a computer or device and someone steals it and knows your ID and password, you're no longer protected by that second factor.
I strongly recommend you use a different Google account as your Android developer credentials than you use for personal Google services. That's a pain in the Google world, I know, because Google likes to automatically use the current ID on all its services; it will even transfer calendars and so on to the current account if you let it.
Switching between Google accounts is not simple, since Google usually asks several times — and its prompts are designed in a way that you can easily but accidentally transfer your data from one account to another. (Google wants you to use one account so that it has that complete picture of you for data-mining purposes. That's not safe for you.)
Still, given how extensively Google accounts are used by many providers' services, they're a big target for cyber thieves. Keeping work and personal accounts separate is even more important for Google account holders. It's a necessary pain.
Securing your Microsoft developer account
Should Windows Metro apps ever take off, such as after Windows 10 is released next year, you may want to develop apps for the Microsoft Store as well.
It too has a second-factor authentication method: the Microsoft Authenticator app you can run in Android or Windows Phone or the Google Authenticator app you can run in iOS. You need to download the appropriate app to your device, sign into the Protect Your Account security management page, then click or tap the Set Up Two-Step Verification link in the Two-Step Verification part of that page.
Again, follow the prompts to select your authentication device and pair it with your Microsoft account. You'll then need that device to confirm account changes via the authenticator app.
At the risk of sounding like a broken record, I strongly urge you to use a separate Microsoft account for your development work from the one you use for your personal account. Note that Microsoft will by default associate your developer credentials to any Microsoft account you're already using, so be careful not to let it do that. Be sure to sign out of your Microsoft account if you start the registration process from a personal account, then create a new one to register as a developer.
Source: http://www.infoworld.com