Archive for Apple

Apple Needs To Make Sure iOS 14 Improves In Three Key Areas…. Or Face Significant Consequences

Posted in Commentary with tags on May 25, 2020 by itnerd

When iOS 13 shipped it was buggy and missing features. And Apple has been on the back foot ever since trying to get features like iCloud Folder Sharing into iOS 13, and fixing bugs that seem to be never ending.

The net result is that iOS 13 is a total disaster for Apple. And by “total disaster” I mean it’s the worst version of iOS in history.

Thus Apple has no choice but to ensure that iOS 14 is better than iOS 13. And by “better than iOS 13” I feel that Apple has to focus on three key areas:

Security: iOS used to have the reputation of being the most secure mobile OS out there. That’s no longer the case. Exploit acquisition firm Zerodium announced this week that it’s no longer buying certain types of iOS exploits due to a surplus in those exploits, and the company expects prices to drop in the near future.

What’s worse is that the CEO of Zerodium said this:

If you’re Apple, you have to be seriously embarrassed that your mobile OS is this insecure. Thus Apple has to make sure that security is top of mind or they will pay a heavy price.

Stability: iOS 13 shipped buggy. And it was seriously buggy in subsequent updates. And it only really became stable with iOS 13.5. That’s something that cannot happen with iOS 14. Apple needs to focus on stability as much as it needs to focus on security because to be frank, iOS users deserve better from Apple.

Feature Complete: When Apple shipped iOS 13, it didn’t ship features like Deep Fusion for the iPhone 11 series, and more recently iCloud Folder Sharing. That cannot be the case for iOS 14 as consumers expect OSes to ship complete. They don’t want to wait weeks or months for promised features to appear. And given the first two items that I mentioned, you can bet that patience for waiting on features to appear will be at an all-time low. Thus Apple would be well advised to make sure that everything that it promises in terms of the feature set of iOS 14 ships on time.

So here’s what happens to Apple if they don’t focus on these three key areas. Apple’s reputation, which isn’t very good at the moment, will take a serious nosedive. Consumer trust will be lost, and that will translate to fewer iPhone sales. Since Apple is addicted like a crack addict to the money that it makes from the iPhone, that will be a huge problem for Apple. One that it will likely have great difficulty recovering from. So if I were Tim Cook and company, I would work very hard to ensure that iOS 14 is a far better, far more stable, and far more secure product than iOS 13 ever was.

An Alleged Jailbreak Exists For EVERY iDevice With Any Version Of iOS…… Yikes! [UPDATE: Now Available]

Posted in Commentary with tags on May 22, 2020 by itnerd

I rarely cover anything having to do with jailbreaking iOS devices as the process of jailbreaking your iDevice can simply make said device insecure. But conversely, I have to admit that there is a rather healthy jailbreaking community who wants to use jailbreaking to free themselves from the “walled garden” that is iOS.

Well, it appears that there might be a jailbreak exploit that exists in the newly released iOS 13.5 that affects every iDevice on the planet. This is different from previous jailbreaks which tend to only be applicable to a subset of iPhones and iPads.

Here’s the Tweet that brought this to light:

Here’s why you should care. Jailbreaks take advantage of bugs in iOS that can be exploited by anyone, from nation states who want to spy on other nations, to companies like GrayShift and Cellebrite who want to crack iPhones for law enforcement, to companies like NSO Group who use exploits like this to create the means for nation states who want to spy on their citizens. Thus this is bad if this is true, as this could threaten you in some way, shape or form.

Thus if this is true, you can fully expect Apple to come out with an update to iOS 13.5 to close this hole once this jailbreak becomes public. But until that happens, all the usual advice applies: don’t download software from unknown sources, don’t click on shady links in emails, etc.

UPDATE: This jailbreak has now been released:

Not only that, but it’s been updated in the last day or so. You can fully expect Apple to release an update to kill whatever exploit this relies on this week. After all, Apple likes control and they will do anything to make sure that they have control at all times.

The Siri Listening Controversy Is Back, And Apple Really Needs To Be Open And Transparent About This

Posted in Commentary with tags on May 22, 2020 by itnerd

You might recall that last year, it came to light that contractors hired by Apple were listening to Siri recordings and they were hearing all sorts of “interesting” things. Now this was nothing nefarious on the surface as this is done to improve the ability of Siri to work, but the fact that contractors were doing that was problematic. Apple apologized for that, which is rare for that company to do by the way, and stopped this program while making changes to their operating systems to give users more control over this. Though the fact that they may have been facing a significant fine might have had something to do with all of that.

Well, this controversy is back. According to The Guardian, we are learning that nothing has changed. The whistleblower has now gone public and has a lot to say:

In a letter announcing his decision, sent to all European data protection regulators, Thomas le Bonniec said: “It is worrying that Apple (and undoubtedly not just Apple) keeps ignoring and violating fundamental rights and continues their massive collection of data.

“I am extremely concerned that big tech companies are basically wiretapping entire populations despite European citizens being told the EU has one of the strongest data protection laws in the world. Passing a law is not good enough: it needs to be enforced upon privacy offenders.”

Le Bonniec, 25, worked as a subcontractor for Apple in its Cork offices, transcribing user requests in English and French, until he quit in the summer of 2019 due to ethical concerns with the work. “They do operate on a moral and legal grey area,” he told the Guardian at the time, “and they have been doing this for years on a massive scale. They should be called out in every possible way.”

Well, this is pretty damning. And it suggests that Apple, who claims that “Privacy is a fundamental human right”, may be playing fast and loose on that front. This deserves further scrutiny. Oh wait. That’s actually happening:

Ireland’s Data Protection Commissioner (DPC), Apple’s main regulator in the European Union, on Thursday said it was in contact with the company after a whistleblower called for action over a programme that listens to users’ recordings. 

The regulator acted after Thomas Le Bonniec, a former Apple contractor, wrote to European data protection regulators on May 20 to push for investigations into these practices. 

“The DPC engaged with Apple on this issue when it first arose last summer and Apple has since made some changes,” Graham Doyle, Deputy Commissioner at the Irish DPC, said in an emailed statement to Reuters.

“However, we have followed up again with Apple following the release of this public statement and await responses,” he said, in reference to the letter. “In addition, it should be noted that the European Data Protection Board is working on the production of guidance in the area of voice assistant technologies.” 

Apple did not immediately respond to a request for comment on Thursday.

In the meantime if this bothers you in any way, here’s the list of changes that you can make to your iDevice to make this go away:

  • Go to Settings > Privacy > Analytics & Improvement > Improve Siri & Dictation and check it is off
  • Then go to Settings > Siri & Search > Siri History and tap ‘Delete Siri & Dictation History’
  • To enable further restrictions, such as revoking location tracking and third-party app integration with Siri, read Apple’s Ask Siri, Dictation & Privacy page.

In the meantime, Apple truly needs to explain this. Right now they look shady as hell and for a company who claims that “Privacy is a fundamental human right” that’s not a good look. So how about it Apple? Will you come out and be open and transparent for a change about all of this?

Roughly 1.5 billion iDevice users are waiting.

iOS 13.5 Is Out, But Apple Still Has To Address Their Issues With How They Handle Security Issues

Posted in Commentary with tags on May 21, 2020 by itnerd

Yesterday, Apple released iOS 13.5 which addresses a zero day iOS Mail exploit which, despite what Apple thought, was so serious that Germany said that the flaw was critical and recommended the removal of iOS Mail so that users could protect themselves. But on top of that, there was a Messages bug that can cause your iDevice to crash. Now Apple promised that an emergency patch would be released a couple of weeks to address the Messages bug at the very least. But that didn’t happen. And I among others have been critical of Apple’s response to this ever since.

So now that Apple has released iOS 13.5 which fixes these two bugs, is everything okay on this front?

No. Absolutely not!

Before I tell you why Apple doesn’t deserve to be let off the hook, let me tell you what they (finally) did right. Let’s start with the release of iOS 13.5. According to ZecOps, who are the people who found the iOS Mail exploit, which by the way has been around since iOS 3.1.3, this is now fixed:

Also, Apple released iOS 12.4.7 alongside iOS 13.5 which one would think would contain the same fix. That’s good news for users who cannot or will not upgrade to iOS 13.x. But that’s a guess for reasons that I will get into momentarily. When it comes to the text message bug that can crash your iOS device, that’s apparently been fixed as well based on people who have been brave enough to test this. But we don’t know for sure because as I type this, Apple has not yet updated their security documentation with this information. And I am typing this on the day after these updates were released. Here’s a screenshot that illustrates this:

It’s pretty bad when you have to rely on third parties to help you decide whether to install a software update because a software company like Apple doesn’t want to provide you that information for whatever reason. I’m sure it will eventually appear, but you have to wonder why Apple didn’t put this information out there when they released these updates.

But despite all of that good news, there are things that Apple needs to explain.

Apple really needs to explain why they had exploits hanging out there for so long that a national government had to call them on it. Apple needs to explain why they had fixes ready to go, but didn’t release them in the emergency patch that they promised. And finally Apple needs to explain why it holds its users in such disdain. Because this whole episode has left many Apple users with the feeling that the security of their products is an afterthought which Apple only has to worry about when it makes the press in a very negative way.

Apple is a company that claims to want to protect their users from threats. Apple is also a company that claims to want to get into the enterprise. To do both of those things, Apple seriously needs to up their game when it comes to dealing with exploits like this because responding to them as badly as they have in this case erodes the belief that Apple is different than Google or Facebook. Plus it takes away any credibility that Apple is trying to build in the enterprise. On top of that, Apple’s lack of action takes away one key advantage that they have over Google for example. If they update something in iOS, the majority of their users will install it almost instantly because updates come directly from Apple. They’re not filtered through the handset manufacturer, then to the carrier before they maybe get to you as is the case with Android. And iPhones tend to get software updates for years unlike many Android handsets that may stop getting updates a year after you bought them. Thus you would think Apple would leverage that by using it as a vehicle to quickly distribute fixes for exploits like this. But as demonstrated in this case, that may not be the case.

Now do I expect Apple to address these concerns in public? Of course not. This is Apple we’re talking about. A company that is at best opaque about what they do. But if they were smart they would address all of this and explain what they’re going to do to make sure that these are not issues going forward. But I’m not holding my breath on that front. And that’s something that will hurt Apple in the long run.

Germany Says iOS Mail Flaw Is Critical And Recommends The Removal iOS Mail…. Wow!

Posted in Commentary with tags on May 14, 2020 by itnerd

Things go from bad to worse for Apple.

A reader pointed me towards this statement from Germany’s Federal Office for Information Security (BSI). It’s in German so I have taken the liberty of translating it for you here. But in short, it is recommending the removal of the iOS Mail app because the security flaws in iOS Mail are so serious and no patch is available.

Wow.

BSI President Arne Schönbohm states the following:

The BSI assesses these vulnerabilities as particularly critical. It enables the attackers to manipulate large parts of the mail communication on the affected devices. Furthermore, there is currently no patch available. This means that thousands of iPhones and iPads are at acute risk from private individuals, companies and government agencies. We are in contact with Apple and have asked the company to find a solution for the security of their products as soon as possible.

This reinforces what I said yesterday, which is that Apple has lost the plot when it comes to security. I say that because when a nation gives this sort of advice, it’s never done for giggles. It’s done because there is a serious threat. One that Apple clearly doesn’t take seriously. And Apple needs to be called out for that.

So Apple, when are you going to put on your big boy pants and release a patch for this issue for your users so that they are fully protected from this flaw? A billion iPhone users and at least one nation are waiting for your answer.

We Now Have Proof That Apple Has Completely Lost The Plot When It Comes To Security

Posted in Commentary with tags on May 12, 2020 by itnerd

You might recall that I’ve been covering a rather nasty exploit in iOS Mail that has been exploited in the wild. Now this and one other security issue was promised to be fixed by Apple a couple of weeks ago. But that didn’t happen. Though the other security issue that I mentioned was confirmed to be fixed in a beta of iOS 13.5, there was not any news about this more serious issue with iOS Mail being fixed.

That changed over the weekend when ZecOps, who are the people who disclosed this bug and how dangerous it was, posted this, which notes this little tidbit:

MailDemon appears to be even more ancient than we initially thought. There is a trigger for this vulnerability, in the wild, 10 years ago, on iPhone 2g, iOS 3.1.3

All together now…. OMG!

This takes a situation where Apple has dropped the ball and makes it an absolute #EpicFail. I say that because you would think that if a bug is beyond critical in nature, and has existed since February 3rd, 2010, which is the date that iOS 3.1.3 was released, Apple would fix it ASAP. But clearly Apple doesn’t see things that way. And now that ZecOps has gone into detail about how this exploit works, you can be sure that an already dangerous exploit has just gone nuclear because every miscreant will be trying to take advantage of this.

Now the good news. Sort of. ZecOps has confirmed that a fix was in the beta that was iOS 13.4.5, which has since become the beta for iOS 13.5. Which means that someday Apple will release a fix for this. But what if you don’t run iOS 13 because you are on an iPhone 6 or older? Will Apple release a fix for this exploit for iOS 12 seeing as Apple has done that in the past? Or will Apple just give the middle finger to those users? We’ll have to see.

It really highlights how much Apple has screwed this up in epic fashion. Not fixing an exploit that has existed for this long and is clearly not trivial shows that Apple absolutely doesn’t take the security of its user base seriously. And everything that Apple says about security is just talking points that sound good, but don’t actually mean anything. I have to say, it’s stuff like this that makes it increasingly more difficult for me to want to spend Apple money on Apple hardware and services going forward. And I am sure that once this news gets out, many other people will feel the same way.

Apple Sued Over “FlexGate”

Posted in Commentary with tags on May 8, 2020 by itnerd

I am starting to feel like this blog has become the “bash Apple” destination on the Internet as of late. But really, all I am doing is spotting when they screw up and calling them on it in a balanced way.

But I digress.

Some MacBook Pro models released in 2016 and 2017 have experienced issues with uneven backlighting caused by a delicate flex cable that can wear out and break after repeated opening and closing of the display. This has become known as “Flexgate”. And now a class action lawsuit has been filed over “Flexgate”. In short, the lawsuit claims that Apple knew of these defects and shipped dodgy hardware anyway. And when confronted with this they covered it up. Now to be fair, Apple does have a repair program to fix this. But it only applies to 13″ MacBook Pros from 2016. And they fixed the problem in 2018 when that year’s MacBook Pros came out. Thus for everyone else, Apple has basically said it sucks to be you if you have this problem.

The class action lawsuit seeks restitution for all costs attributable to repairing or replacing the affected MacBook Pro units, and calls for Apple to expand its repair program to cover the 15-inch MacBook Pro. The proposed class is defined as all persons within the United States who purchased a 2016 or newer MacBook Pro.

You know, for a company that sees itself as making a premium product, they get sued an awful lot. You have to wonder if the pursuit of profits has come at the cost of building a quality product.

Oh, I’ll insert the standard disclaimer here: None of the claims have been proven in court yet.