Apple Security Flaw in Application Loader app

There is a security flaw in Apple’s Application Loader app, an app which is used by developers to upload their iOS and Mac binaries for review before they are released in the App Store.

This flaw has been in previous versions of the software, and in the current version as well (2.9.1).

The security flaw is that once you enter Apple ID developer credentials, it will then remember them automatically and there is no way to remove them without entering a different (and valid) set of credentials. This leaves the possibility of somebody possibly having access to something they should not.

There should be a Remember Password checkbox option so that the app will not remember your password, and it would force you to re-enter your password each time you start the app.

Here is the bug report filed on https://bugreport.apple.com

Bug# 16290347
Application Loader remembers Apple ID and Password when you quit

Summary:
I want to know how I can set Application Loader to NOT remember my login credentials each time I quit the application. Currently when I quit Application Loader and start it up again, it has remembered the last Apple ID and Password I used, but I do not want it to remember them. I believe this is Security issue. There should be an option to select whether or not you want it to remember or not.

Steps to Reproduce:
Start Application Loader.
Login using Apple ID and Password.
Quit Application Loader.
Restart Application Loader.
Last used Apple ID and Password are remembered and can be used right away without having to re-enter them.

Expected Results:
I expect an option to let me choose whether or not it remembers my id and password. Would like it to require password everytime I restart the application.

Actual Results:
Does not give me any options, and always remembers the password whether I want it to or not.

Version:
Application Loader 2.9.1
Xcode 5.0.2
OS X 10.8.5

Additional Note:
As additional note, I can go into Keychain Access app and delete iTunes Producer Application Password to remove the credentials, however this does not solve the issue where there should be a Remember Password check box in Application Loader itself.

SHARE THIS POST ON YOUR FAVORITE SOCIAL NETWORK:
  • email
  • Print
  • RSS
  • Facebook
  • Twitter
  • Digg
  • del.icio.us
  • LinkedIn
  • Google Buzz
  • Google Bookmarks
  • Yahoo! Buzz
  • MySpace
  • Reddit
  • StumbleUpon
  • Technorati
  • Slashdot
  • Blogosphere
  • MSN Reporter
  • MyShare
  • Propeller
  • Tumblr

Leave a Reply