Archive for Apple

Apple Removing VPN Apps From Chinese App Store… Russia Banning VPN Apps Too

Posted in Commentary with tags , on July 31, 2017 by itnerd

The news is popping up all over the place when it comes to VPNs. First to China where Apple is removing VPN apps from the Chinese app store:

The BBC understands that as many as 60 VPNs were pulled over the weekend.

Apple said it was legally required to remove them because they did not comply with new regulations.

It refused to confirm the exact number of apps withdrawn, but did not deny the figure. It added that dozens of legal VPN apps were still available.

This of course ties into a story that I’ve been reporting on for the last month or so. This of course has VPN operators nervous. Marty P. Kamden, NordVPN’s CMO, said this:

“We never had an Apple app in China as we were expecting similar issues – that’s why we didn’t get affected by the removal from the App store. NordVPN works in China on desktop apps, and we are currently developing a solution for mobile apps, including iOS and Android. Currently, our VPN works with Windows with no problems.”

“At the same time, we are shocked to see how big companies comply with China’s censorship of free word. NordVPN stands for freedom of speech, and we will do all we can to make sure Internet users in China have full access to Internet. We think that Apple might not realize full repercussions of removing VPN apps from China, since there are also many freedom fighters or those in opposition to the government who need VPNs to remain anonymous or face a serious danger to their safety.”

At the same time this is going on, Russia is going to ban VPN apps as well staring on the 1st of November:

The law, already approved by the Duma, the lower house of parliament, will ban the use of virtual private networks (VPNs) and other technologies, known as anonymizers, that allow people to surf the web anonymously. It comes into force on Nov. 1.

Leonid Levin, the head of Duma’s information policy committee, has said the law is not intended to impose restrictions on law-abiding citizens but is meant only to block access to “unlawful content,” RIA news agency said.

Now, this is likely an attempt to ban any sort of access to outside content that these two countries don’t like. But beyond that, how will this affect VPNs that are brought into China and Russia by those who travel to those two countries? If I have a VPN on my computer, will it still work if I travel to one of those countries and try to connect? That is where I can see a business getting screwed over by this. If I am protecting corporate communications with a VPN, and it is now banned and off-line what happens then? Also, what happens if you are clearing customs and there’s VPN software on my computer? Will it get seized. There’s a lot of unknowns here that I hope get answered and quickly.

UPDATE: Marty P. Kamden, NordVPN’s CMO reached out to me after seeing this story and gave me a comment about the Russian situation:

“The most worrying aspect of banning VPNs in Russia, the same way as in China, is the fact that many political activists would lose their anonymity and can face a very real danger. We are watching the Internet regulation developments in Russia and China with great concern, and want to express our will to continue providing access to unrestricted Internet to the people of those countries.”

Advertisements

Hackers Claim They Can Pwn Apple Pay Via WiFi

Posted in Commentary with tags on July 28, 2017 by itnerd

This week in Las Vegas is the Black Hat conference. This of course is the conference where hackers of all descriptions will show up to show off security related research and show how to pwn everything. Case in point is research by Positive Technologies that The Register is reporting on where they have two attack vectors for Apple Pay. The first one requires malware to be injected into a jailbroken device. Thus illustrating why you should never jailbreak a device. But the second attack vector does not require a jailbroken device and utilizes WiFi:

The first step in the second attack is for hackers to steal the payment token from a [targeted] victim’s phone. To do that, they will use public Wi‑Fi, or offer their own ‘fake’ Wi‑Fi hotspot, and request users create a profile. From this point they can steal the ApplePay cryptogram [the key to encrypting the data].

Apple states that the cryptogram should only be used once. However, merchants and payment gateways are often set up to allow cryptograms to be used more than once.

As the delivery information is sent in cleartext, without checking its integrity, hackers can use an intercepted cryptogram to make subsequent payments on the same website, with the victim charged for these transactions.

Take home message. Don’t use WiFi when you use Apple Pay. But even if you don’t use WiFi, you have to wonder how long it will be before hackers figure out how to pull off an attack like this over a cellular network. If that is in the works, they better hurry because the researchers informed Apple about these attack vectors. Which means that Apple is likely working on a fix. Though, there might be a problem with that:

Fixing the issue will require action from all points in the chain, including the banking merchants, payment gateways, and card issuers, the security firm claimed.

We’ll see if Apple gets that co-operation to close this attack vector.

Apple Is Quietly Exiting Music Player Biz

Posted in Commentary with tags on July 28, 2017 by itnerd

Remember the days when you bought an iPod and you had hundreds if not thousands of songs in your pocket? Well, those days are apparently over as the iPad Nano and iPod Shuffle are dead as of yesterday if you check Apple’s website. On top of that, the iPod Touch lineup has been pared down. You can now only get the 32GB and 128GB variants. Other than that, the device has otherwise been basically unchanged since 2015. Thus you have to wonder how much longer it will be along.

This essentially brings an end to an era for the iPod. I remember when the device first popped up in 2001 with 5GB of storage which held up to 1000 songs and had a then unusual Firewire interface. It was a Mac only device at the time, but soon migrated over to the PC side of the fence. It also kicked off the iTunes software along with the iTunes store to buy music. The latter proved that digital music sales could work. I guess now that everybody and their dog has a smartphone, standalone music players aren’t a viable business. Thus it shouldn’t come as a shock that Apple has started to put an end to their stand alone music players.

Force Quitting iOS Apps…. Yes Or No?

Posted in Tips with tags on July 25, 2017 by itnerd

Something that I come across from time to time are people who insist of force quitting iOS apps which is done by double clicking the home button, and then swiping the app or apps that they want to force quit. The word on the street is that you save your battery life, RAM and CPU power by doing so. But is that true or not? The answer is perhaps a bit more nuanced than a simple yes or now answer. Let’s start discussing this by looking at what Apple says in this document:

When you double-click the Home button, your recently used apps appear. The apps aren’t open, but they’re in standby mode to help you navigate and multitask. You should force an app to close only when it’s unresponsive.

In other words, the apps that are in the background aren’t consuming that much RAM and they aren’t using any CPU or battery life. And the thing is, iOS is exceptionally good at making sure that these apps behave. In fact, it actually takes more CPU and battery power to force quit and restart an app than it does to simply leave it there. Thus you shouldn’t force quit an app unless it’s crashed or something.

Now there is one scenario where I can see where that you might save some CPU and battery power by force quitting an app. It is possible that an app that uses location services functionality that is set to always active may not be put into standby as it is periodically polling for your (or more accurately the iPhone’s) location. Thus logic suggests that force quitting one of these apps may actually save you battery life if you don’t need the functionality that the app provides.

Now you’re likely wondering what I do. I will admit to force quitting apps like Garmin Connect, Runtastic Pro among other fitness apps that I have on my iPhone for the reasons that I stated above. But most of my other apps like Maps, Calendar and the like are always running. I can’t say if that makes a difference or not and perhaps someone should take a look at this empirically to see what the truth is. In the meantime the question of whether you should force quit an app on the iOS platform is not a yes or no answer. At least not at the present time.

Apple has released updates to iOS, watchOS, tvOS, and macOS…. Here’s Why You Should Care

Posted in Commentary with tags on July 19, 2017 by itnerd

At 1PM EST Apple Apple released iOS 10.3.3, watchOS 3.2.2, tvOS 10.2.2, and macOS 10.2.6. The release notes for all the above basically say some that the focus was performance and security improvements. But the the latter is why you should care. I’ve been browsing the documents that list the security improvements that have been made and these ones jump out at me. I’ll start with iOS 10.3.3:

Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation

Impact: Notifications may appear on the lock screen when disabled

Description: A lock screen issue was addressed with improved state management.

CVE-2017-7058: an anonymous researcher

Lock screen issues are not new to iOS, but this one could have privacy implications.

Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation

Impact: Visiting a malicious website may lead to address bar spoofing

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2017-2517: xisigr of Tencent’s Xuanwu Lab (tencent.com)

And:

Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation

Impact: Visiting a malicious website may lead to address bar spoofing

Description: A state management issue was addressed with improved frame handling.

CVE-2017-7011: xisigr of Tencent’s Xuanwu Lab (tencent.com)

This is kind of dangerous as it could lead to you and your iDevice getting pwned by hackers through no fault of your own.

Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation

Impact: Processing a maliciously crafted movie file may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved bounds checking.

CVE-2017-7008: Yangkang (@dnpushme) of Qihoo 360 Qex Team

This is really dangerous. There have been examples of this in the past where it would crash an iOS device. It sounds like this attack vector has become a bit more sophisticated. I should also note that the same thing was fixed in tvOS.

iOS, tvOS, macOS and watchOS share one interesting security fix:

Available for: All Apple Watch models

Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2017-9417: Nitay Artenstein of Exodus Intelligence

I should note that this fix is available for iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation. Not to mention macOS users running 10.12.5 and 4th Generation Apple TV users. Which is good as this is not the first time that Apple has fixed an issue where a device could be pwned via WiFi, and the fact that this can be done at all is very serious.

There’s a bunch of interesting tvOS security fixes that look like this:

Available for: Apple TV (4th generation)

Impact: A malicious website may exfiltrate data cross-origin

Description: Processing maliciously crafted web content may allow cross-origin data to be exfiltrated by using SVG filters to conduct a timing side-channel attack. This issue was addressed by not painting the cross-origin buffer into the frame that gets filtered.

CVE-2017-7006: David Kohlbrenner of UC San Diego, an anonymous researcher

There’s of course many other fixes, but none as serious as these. Thus consider updating to the latest version of whatever OS your iDevice runs so that you can protect yourself from the attacks that are sure to come.

 

How To Solve Battery Drain Problems On Your Apple Watch

Posted in Tips with tags on June 21, 2017 by itnerd

A few days ago, I noticed that the battery life on my Apple Watch took a significant nosedive. Instead of lasting about two days between charges, it would be requiring a recharge at about 9PM at night. Given that I wake up at 6AM, that wasn’t good. Clearly there was a problem, but I needed to figure out if it was software or hardware as if if it is the latter, I would have to make an appointment with the Genius Bar at my local Apple Store. Here’s how I went about isolating the problem:

  1. Reboot the Apple Watch: It sounds simple, and it is. Sometimes a simple reboot will work. So what I did was I rebooted by pressing and holding the side button and crown at the same time until the screen went blank and the white Apple logo appeared. I did it first thing in the morning so I knew that I was starting out with a fully charged Apple Watch. Then every couple of hours I would note how much battery life I had left by swiping up from the bottom to see control center. I also noted how much battery life I had left at the end of the day. In my case, by the end I would usually have something between 60% and 70% battery life depending on what I was doing that day. For example, if I was out for a ride on my bike, I would be closer to the 60% mark in terms of battery life. In my case, rebooting didn’t work as I was still noticing excessive draining of the battery. Thus, on to step 2.
  2. Un-pair the Apple Watch from your iPhone and re-pair: What this process does is basically reset your Apple Watch from a software perspective. The reason why you would want to do this is that maybe there’s some piece of software that is draining the battery excessively. Thus by doing this, you get the option of starting out with a virgin Apple Watch from a software perspective. Then you can add back all your Apple Watch apps until you find the one that is causing your problem. Or you can simply add them all back and see if things stabilize. I would recommend that you try the former for best results. Though I will admit that it is time consuming. Apple has a document for un-pairing your Apple Watch from your iPhone here. Now you can pair your Apple Watch using these instructions from Apple and I would recommend setting it up as a new watch rather than using a backup so that you avoid the possibility that you are reintroducing a problem that was part of a backup. In my case, doing this process seems to have worked. At least so far. I will continue to monitor this to ensure that it stays “fixed.” Warning: You’ll need around an hour to do this and if you have any credit or debit cards added to the Apple Watch to use with Apple Pay, you’ll need to add those back as well.
  3. Make an appointment with the Genius Bar: Let’s pretend that neither of the above solved my issue. At this point I have eliminated most of the possible software causes and I am left with a hardware issue. That means a trip to the Genius Bar. When you go, you need to make sure that you tell the Genius that you’ve done the above and be prepared to explain it in detail. That way your time at the Genius Bar is minimized and they can either repair or more likely replace the Apple Watch in short order (assuming it is under warranty or AppleCare).

Do you have any other tips for solving battery drain problems with the Apple Watch? If so, please leave a comment below and share your tips.

Shady iOS Developer Using App Store Search Ads To Scam People On An Epic Scale

Posted in Commentary with tags on June 12, 2017 by itnerd

A rather shocking report has come to light over the weekend of a scam app charging people a staggering $400 per month through an in-app purchase disguised as a free trial. Oh yeah, the app does nothing and was approved by Apple who supposedly has tight controls on what get approved in the App store. Now if you read through this story, it’s quite shocking that this was even approved by Apple in the first place. Here’s why:

I scrolled down the list in the Productivity category and saw apps from well-known companies like Dropbox, Evernote, and Microsoft. That was to be expected. But what’s this? The #10 Top Grossing Productivity app (as of June 7th, 2017) was an app called “Mobile protection :Clean & Security VPN”.

Given the terrible title of this app (inconsistent capitalization, misplaced colon, and grammatically nonsensical “Clean & Security VPN?”), I was sure this was a bug in the rankings algorithm. So I check Sensor Tower for an estimate of the app’s revenue, which showed… $80,000 per month?? That couldn’t possibly be right. Now I was really curious.

I tap into the app details to see that the developer is “Ngan Vo Thi Thuy”. Wait so, this is a VPN service offered by an independent developer who didn’t even bother to incorporate a company? That’s a huge red flag. For those of you who don’t know why this is bad, a VPN basically routes all your internet traffic through a third party server. So in this case, a random person who couldn’t piece together a grammatically correct title, who also didn’t bother to incorporate a company, wants access to all your internet traffic.

What’s even worse is that in the description for the app, it is apparently “full of features.”

#EpicFail

So one has to wonder how many people have forked over $80K a month, of which Apple nets a 30% cut, for this scam app? One has to also wonder how many apps like this Apple has approved either through greed, which I would hope isn’t the case, or lack of care and attention, which is more likely the case? All I know is that Apple needs to address this and address this now. Otherwise, they’ll start looking like Google Play which is a app store that they’ve criticized for this sort of thing in the past.