The IT Nerd

Software developer Jeff Johnson discovered and told Apple about a privacy bypass vulnerability opening up protected files in macOS Mojave, macOS Catalina, and the upcoming macOS Big Sur. This he thought was the responsible thing to do. But that was over six months ago. And the best Apple could come up with was that it was “investigating” what he reported. So after feeling that the folks at 1 Apple Park weren’t taking this security issue seriously, he’s decided to go public via this blog post that went online yesterday. In this blog post he’s laid out the timeline in terms of when it was reported and what happened next. Then he says this:

For technical reasons, I don’t believe that the issue will be fixed by Apple before Big Sur is released to the public in the Fall. I’ve seen no evidence that Big Sur makes any effort in this direction, and Apple’s email to me shows no evidence of that either. Therefore, I’m disclosing the issue now. It’s been over 6 months since I reported the issue to Apple. This is well beyond the bounds of “responsible disclosure”, which is typically 90 days after reporting an issue to a vendor. It’s also becoming obvious that I will never get paid a bounty by Apple for anything I’ve reported to them, or at least not within a reasonable amount of time. I’m not interested in waiting years for a bounty. I can’t speak for anyone else, but my personal experience is that the Apple Security Bounty Program has been a disappointment, and I don’t plan to participate again in the future. 

Well, that’s a pretty damming statement when it comes to Apple’s Security Bounty program. If people don’t have confidence that Apple will act on the things that they report, then they won’t use it. And what is really bad is that  he revealed a similar issue last October after reporting it in February of that year and waited eight months for Apple to fix it without success.

Besides that, he gives readers this to think about:

Should you be worried about this issue? That depends on how you feel in general about macOS privacy protections. Prior to Mojave, the privacy protections feature did not exist at all on the Mac, so you’re not any worse off now than you were on High Sierra and earlier. My personal opinion is that macOS privacy protections are mainly security theater and only harm legitimate Mac developers while allowing malware apps to bypass them through many existing holes such as the one I’m disclosing, and that other security researchers have also found. I feel that if you already have a hostile non-sandboxed app running on your Mac, then you’re in big trouble regardless, so these privacy protections won’t save you. The best security is to be selective about which software you install, to be careful to avoid ever installing malware on your Mac in the first place. There’s a reason that my security research has focused on macOS privacy protections: my goal is to show that Apple’s debilitating lockdown of the Mac is not justified by alleged privacy and security benefits. In that respect, I think I’ve proved my point, over and over again. In any case, you have the right to know that the systems you rely on for protection are not actually protecting you.

Here’s my $0.02 worth. Apple makes a lot of noise about privacy and security. But reading the above statement makes it appear that Apple is only paying lip service to privacy and security. If Apple were actually serious about this, they would not only respond to this developer in public and address his claims in public, but they would also make a statement about why users of their products should trust in their products to keep them secure, and what they are going to do to walk the walk as opposed to just talking the talk. But I am not naive. That won’t happen because Apple isn’t that sort of company. They never have been. And clearly they never will be. And that will come back to haunt them sooner or later.

Rumors have been circulating for a week or so that Apple is about to make some radical changes as to what comes in the box of the iPhone 12. The rumors come from a couple of reliable sources. The first being Ming-Chi Kuo who is a reliable source for this sort of information. The second is a Twitter user that goes by the handle of L0vetodream who is a recent entrant into the Apple rumor game and has an excellent track record in terms of accuracy. His latest tweet is below:

Now Apple dropping the earphones makes sense on a number of fronts. First of all, I am going to go out on a limb and suggest that only a handful of people use the earphones that come from the box. Most users will use their own earphones because they have better sound quality, and/or they are wireless. Thus the supplied earphones that come with iPhones are wasted a lot of the time. Plus if people really wanted them, they could easily buy them as an add on when they get their iPhone. Or they could by AirPods or Beats headphones when they get their iPhone. Regardless, I don’t see this as being a big deal.

Now not including a charger in the box is a big deal. Apple has taken flack for not including a fast charger in the box in the past. This despite the fact that modern iPhones are fast charge capable if you use a Lightning to USB-C cable and a USB-C fast charger. They sort of fixed that when the iPhone 11 Pro and Pro Max came out by including those items in the box. But I guess that because the iPhone 11 wasn’t a “Pro” device, they left it out of that. Still, there was a charger in the box.

I have to assume that Apple either has a reason related to the environment, or a reason related to cost (as in they want to use this as a vehicle to lower the cost of the iPhone) as to why they would ever consider going this route. In terms of the former, I am guessing that they would argue that people charge wirelessly using third party wireless chargers, or they buy third party fast chargers. So there’s no need for a charger to be put into the box. Now there is some truth in that. But not enough truth in my opinion to omit a charger from the box. The latter reason is simply cynical on Apple’s part if they are actually thinking that.

Here’s why this is a big deal. It is handy to have a wired charger for traveling, or for emergency reasons. Plus with all of us working from home because of the pandemic, it is simply faster to use a wired charger to give your phone a quick jolt of energy before your next conference call. And that doesn’t include first time iPhone users who get a phone and are shocked to find that there’s no charger in the box. Imagine how they would feel and how they would perceive Apple. Thus including one in the box is in my mind something that Apple should do as a matter of course.

Potentially not including a charger in the box of future iPhoens is a step too far for Apple as far as I am concerned. They are a company that will take bold moves like this and try to convince us that it’s for our own good. But this isn’t bold. It’s stupid. And hopefully Apple will reconsider this move before it’s too late.