Intro

I don’t remember exactly when I started working with FileMaker; it was sometime in the early 2000s. Since then, almost all of my work or home projects have been related to FileMaker in one way or another.

Starting in 2008, I signed up for the Apple Developer Program, and after that I used both platforms, sometimes combining them into one for a single project. Such joint projects allowed me to combine the ability to quickly draw a rather complex interface and internal database of an application in FileMaker with almost unlimited low-level capabilities of Objective-C and Swift, and sometimes C/C++. By the way, I dedicated my presentation at FileMaker DevCon 2017 to this topic.

For the last few years I’ve been fascinated by security issues, primarily related to the Apple platform. Jamf’s product certification has provided a deeper understanding of how Apple devices are secured, and how important it is to not just blindly trust claims of “platform security” but to study the particulars. The devil, as they say, is in the details.

The Claris website has a section on security: https://www.claris.com/resources/claris-cloud-services-security/

The website says that the company has been independently certified for SOC 2® Type 2, ISO/IEC 27001 and ISO/IEC 27018.

That sounds impressive.

Here’s a quote:

Protecting sensitive information is deeply embedded in Claris’ DNA.

Encrypting data in transit and at rest is one of the primary tools Claris employs as a key part of its commitment to customers.

So I decided to look into how secure the platform I’ve been working with for years was.

After finding the first vulnerability in the macOS version of FileMaker Pro, I wrote an email to security@claris.com. In response, I received an email from an Apple/Claris employee who informed me that Claris is now part of Apple’s Bug Bounty program and that I should send reports there according to these instructions: https://support.apple.com/en-us/HT201220.

A little bit below I will tell you in more detail what problems were found and what their apparent cause is. Looking ahead, I will say that I think that the company should pay more attention to the security of its products and thus to the protection of its customers’ data.

Also, many resources discuss the use of embedded security mechanisms, but very rarely analyze the overall security of the platform as a whole or the vulnerabilities and exposure to hacker attacks.

Another important point: we as developers often take responsibility for the security of our clients’ data. Therefore, it is important to have a deep understanding of the technologies and protocols of the tools we use.

In order to fill this gap, this website was created.