Saurik warns against using ‘AppSigner’ Cydia Impactor alternative, says it’s unsafe

If you’ve ever used a semi-tethered jailbreak before, then you should be familiar with Cydia Impactor. Saurik (Jay Freeman) created this multi-platform application to let you side-load apps on your iPhone or iPad, especially of the jailbreak flavor, such as Electra and unc0ver.

Recently, a web-based alternative to Cydia Impactor called AppSigner received some public attention on /r/jailbreak, and as you might expect, prominent members of the jailbreak community are speaking up to explain why you should not use it.

The first to voice this opinion was Saurik himself, expressing in the comments section of the /r/jailbreak thread that the web-based AppSigner is unsafe and that users shouldn’t use it if they care about their privacy. The full quote can be read below:

IN RESPONSE TO: “…your Apple credentials are directly sent to Apple only.”

So, this couldn’t possibly be true (due to cross-origin restrictions): you must be having these identifiers go to your server and then having your server send this information indirectly to Apple. I could have chosen to have built Impactor to do stuff like this (and it would have been way way easier)…

…but I didn’t, because the idea that people’s Apple account information is only as secure as that server of yours (whether or not people should trust that you aren’t storing anything yourself) is unacceptable for something this critically important (this is way more sensitive even than payment information).

This means that if I hack your server/app–which is apparently some kind of ASP.NET app running on IIS with no firewall for any ports at all, including for the SQL Server instance, which does not inspire confidence in the slightest–I can just watch all of these passwords flow through…

…or, you know, if I just happen to be on the same network as the user, given that this website doesn’t use SSL (so all of these passwords are going over plain text across not just the Internet at large but your local network; and yes, I did verify that this is how this website works: I am not throwing FUD).

Seriously: this site is extremely insecure for what it is asking of the user: don’t use it; (and really: stuff like this frankly shouldn’t be allowed on this subreddit; the fact that I never felt able to establish rules here that prevented mis- and mal- information was one of the key reasons why I gave up on it).
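The data flow described in the comment above can be checked from the outside before typing a password into any web form. The following is an added example, not code from Saurik, AppSigner or the original article; the function name, finding labels and `.example` URLs are constructed for illustration.

```javascript
// Added example: audit where a web login form sends credentials.
// All URLs are constructed placeholders, not real AppSigner or Apple endpoints.

// pageUrl       - URL the page was loaded from
// submitUrl     - where the form or script sends the password ('' = back to the page)
// claimedOrigin - origin the site says is the only recipient of the credentials
function auditCredentialFlow(pageUrl, submitUrl, claimedOrigin) {
  const page = new URL(pageUrl);
  const target = new URL(submitUrl || page.href, page); // resolve relative URLs
  const claimed = new URL(claimedOrigin);
  const findings = [];

  // A page fetched over http can be rewritten in transit, so nothing it
  // contains (including an https submit URL) can be trusted.
  if (page.protocol !== 'https:') findings.push('page-loaded-over-plaintext');

  // The password itself crosses the local network and the Internet unencrypted.
  if (target.protocol !== 'https:') findings.push('credentials-sent-in-plaintext');

  // The first hop is not the party the site names: a relay server sees the password.
  if (target.origin !== claimed.origin) {
    findings.push('credentials-pass-through-intermediary');
  }

  // Page script can read another origin's reply only if that origin opts in
  // through CORS; without the opt-in the site has to relay server-side.
  if (target.origin === claimed.origin && page.origin !== claimed.origin) {
    findings.push('cross-origin-needs-cors-opt-in');
  }
  return findings;
}

// Constructed cases: a plaintext relay, a first-party login, a direct cross-origin call.
const cases = [
  ['http://signer.example/', '/sign', 'https://auth.vendor.example'],
  ['https://auth.vendor.example/login', '', 'https://auth.vendor.example'],
  ['https://signer.example/', 'https://auth.vendor.example/session', 'https://auth.vendor.example'],
];
for (const c of cases) {
  console.log(c[0], '->', auditCredentialFlow(...c).join(', ') || 'no findings');
}
```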

Hacker and unc0ver lead developer Pwn20wnd supported Saurik’s statement on Twitter, adding that users should “stay away from it.”

As always, we advise following the wise advice of the jailbreak community’s head honchos. Those who don’t follow it risk exposing their confidential information to third parties and having their data compromised.

For those that had any doubt, Saurik cares about the jailbreak community. More importantly, he cares about your personal data and how it is handled. Given the circumstances, we’ll go out on a limb and recommend that you stick with Cydia Impactor.
