CloudPull 2.7.4 addresses an important security issue

CloudPull 2.7.4 is now available with these improvements:

  • In response to recent news of an OS X keychain vulnerability:
    • When adding or updating Google account credentials, CloudPull first deletes any pre-existing entries that might exist for that account in the keychain and then adds a new keychain entry. It never updates existing keychain entries.
    • The first time this version of CloudPull is run, it will delete its Google account credentials from the keychain and then add them again.
  • Fixed a bug displaying items that have an indeterminate last modified date.

In short, the keychain vulnerability referenced above is this:

  • Developer of Malicious App knows that Good App creates certain keychain items.
  • Before Good App is ever installed or running, Malicious App creates a keychain item with the expected service name and account name. Malicious App is code signed in such a way that its keychain items are available to both itself and to Good App.
  • Good App runs, and updates the keychain item with account credentials.
  • Malicious App now has access to these account credentials.

This is a significant vulnerability in the OS X keychain that I hope Apple addresses very soon. In the meantime, this improvement will help protect the secrecy of the credentials CloudPull uses to access your Google accounts. CloudPull does not store your account password at all, but it does use the keychain to store OAuth tokens that grant it access to your accounts.

For customers running CloudPull on Lion or Mountain Lion, the keychain improvements are also available in a version 2.5.7 update.

Marcato 1.2

Marcato 1.2 is now available in the App Store. This update adds these improvements:

  • Marcato browsers now support a full screen mode. As you scroll down a web page, the navigation bar and toolbar will slide away.
  • Marcato now supports a URL scheme. You can open a browser using the URL com.goldenhillsoftware.marcato:///browsers/[browser name], replacing [browser name] with the name of your browser.
  • The About screen now includes a Documentation area and an Acknowledgements area.
  • Marcato now allows the Initial URL and the Included Hosts settings for browsers created from templates to be modified by the user.

Marcato 1.1 lets you add browsers to your Home Screen

Marcato 1.1 is now available in the App Store. This update incorporates the ability to add a Marcato browser to your home screen. You can add a browser to your home screen by tapping the Activity/Share button in the toolbar, and then tapping “Add to Home Screen” in the resulting Share Sheet.

Tapping that button will open a placeholder page in Safari. You will then need to repeat this process in Safari.

I believe the first non-Apple iOS app to provide a way to add bookmarks to the Home Screen was Workflow. Until Workflow was released, I believed that doing so was not possible from within the iOS app sandbox. I want to publicly thank the Workflow developers for paving the way for Marcato and for other apps with similar needs.

As a side note, Chuck Joiner was kind enough to interview me on MacVoices. Please consider watching the interview and subscribing to MacVoices.

CloudPull 2.7.3

CloudPull 2.7.3 is now available. This update contains these improvements:

  • Added a “Lock backup files” checkbox to the General pane of the preferences window. Backup files are locked when and only when that checkbox is checked. By default, backup files are still locked.
  • Fixed a crasher in some error handling code.
  • Updated the code that asks Google Drive for the last known change number to use a newer HTTPS retrieval mechanism (NSURLSession).

Marcato: Site-specific browsers for your iPhone

I am very excited to announce the release of Marcato. Marcato allows you to create site-specific browsers on your iPhone. Marcato maintains separate cookies, local storage, and cache for each browser. The browsers live within the Marcato app.

I created Marcato because I wanted a way to isolate my web browsing activity for certain sites. I use Facebook, but I prefer not to run the Facebook iPhone app and I prefer not to have my other web browsing activity tied to my Facebook account. I also try to avoid logging in to sensitive accounts from my primary browser, in order to avoid any potential cross-site request forgery attacks. I have been using Fluid on the Mac for years, and I wanted something similar for iOS.

You can buy Marcato in the App Store now for $4.99 (USD). If you would like to learn more about the app, please visit its product page and check out this video.

Archives