Archive for Apple

My Apple Watch Face And Complication Choices

Posted in Commentary with tags on February 11, 2019 by itnerd

Frequent readers of this blog will know that I am a huge Apple Watch fan. I’ve had the Series 2, the Series 3 with GPS, and the Series 3 with GPS + Cellular, and most recently I have had the Series 4 with GPS + Cellular. Just recently I did a story on my Apple Watch band choices. And that has led to requests to do a story on which watch faces I use. Generally I flip between two watch faces that are useful for anyone who has a Series 4 because of the bigger screen. However, for the benefit of earlier Apple Watch users, I will recommend a watch face for you as well. My logic when it comes to watch face choices is that I want to either see as much information as possible at a glance, or have easy access to the info that I want to see so that I don’t have to reach for my iPhone. The first watch face that I use fully accomplishes both of those goals:

This is the Infograph watch face. I normally don’t go for analog watch faces, but I have really grown to like this watch face because of the number of complications (Apple’s weird name for shortcuts) on it, which is eight. As a result, this is my default watch face at present. As for the complications that are present, starting from the top left:

  • Temperature with the daily high and low pulled from the built-in Weather app.
  • The top right has the amount of battery life remaining.
  • The inside center has the date as well as the next appointment in my appointment book.
  • The inside left has a complication to get to the mail app. Now to be clear, I never respond to mail using the mail app on the Apple Watch, but it is handy to see what mail is sitting in my inbox without pulling out my iPhone.
  • The inside right has a complication to get to messages. It is not unusual for me to look at and respond to messages using the dictation feature or the pre-defined responses that are present.
  • The inside bottom has the weather conditions from the Weather app.
  • The bottom left is a complication to get to the heart app which allows me to check what my heart rate is whenever I feel the need to.
  • The bottom right has the status of my activity rings which is pulled from the Activity App.

Now I really like how the outer complications wrap around the corners to really use the space that’s available in the Apple Watch Series 4 screen. But there are times that I want slightly less info. For that reason, I have this watch face:

This is the Infograph Modular watch face. It’s a digital watch face that is a bit cleaner which will appeal to some who want something that is clean but information dense. But to get this look you only get six complications. And they are:

  • The top left has the amount of battery remaining.
  • The top right has the date.
  • The middle is my calendar which is pulled from the Calendar app.
  • The bottom left has the status of my activity rings which is pulled from the Activity App.
  • Temperature with the daily high and low pulled from the built-in Weather app is on the bottom center.
  • The bottom right has the weather conditions from the Weather app.

Both of those are great options for Apple Watch Series 4 users. But what happens if you have an earlier Apple Watch with a smaller screen? This is what I would recommend:

This is the Utility watch face which works with any Apple Watch. It gives you four complications. In my case they are:

  • The top left has the status of my activity rings which is pulled from the Activity App.
  • The top right has the temperature pulled from the built-in Weather app.
  • The center right has the date.
  • The bottom is my calendar which is pulled from the Calendar app.

It’s very clean but still useful for displaying info at a glance.

I’d love to know which Apple Watch faces you’re using and which complications you have configured. Please leave a comment and share what you’re rocking on your Apple Watch.

The Reason Why You Need To Update To iOS 12.1.4 And Install The macOS Mojave Update RIGHT NOW Goes Beyond The FaceTime Bug

Posted in Commentary with tags on February 8, 2019 by itnerd

Apple yesterday released iOS 12.1.4 to fix that rather horrific FaceTime bug. I should also note that Apple also released a macOS Mojave update to do the same thing. And you should install them right now because the FaceTime bug is the least of your problems.

First of all, Apple, because it was caught with its pants down, metaphorically speaking, did a security audit to find out if there were any other issues that they should fix. After all, with the existence of the FaceTime bug being out there, it was likely that people who look for security issues, both good guys and bad guys, would be looking for anything else that they could exploit. And based on the release notes of the iOS update and the macOS update, they found something. Specifically this:

Impact: A thorough security audit of the FaceTime service uncovered an issue with Live Photos 

Description: The issue was addressed with improved validation on the FaceTime server. 

CVE-2019-7288: Apple

What is the issue? Who knows. A search for the CVE that is mentioned brings up nothing that says what the issue was. But it was clearly serious enough that they had to fix it and limit the ability to capture Live Photos to updated iDevices and Macs.

The other bugs are far more serious. They were brought to Apple’s attention by “an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google Project Zero”:

  • CVE-2019-7286 affects the Foundation framework and is a memory corruption issue that could be exploited by an app to gain elevated privileges.
  • CVE-2019-7287 affects the IOKit framework and is a memory corruption flaw that could be exploited by an app to execute arbitrary code with kernel privileges.

Given the fact that some big names in Google’s Threat Analysis Group and Project Zero are involved, these two security issues are serious. And that view is backed up by this tweet:

So who is Ben Hawkes and why should you care? Ben Hawkes is the team leader at Google’s Project Zero security team. He’s in a position to know how serious this is. Thus if he’s saying that exploits were already in the wild, you should take that seriously.

Thus, my advice is that you should update your iDevices and your Macs ASAP as there are clearly some serious holes that have been exploited that Apple has fixed in these updates. And while you’re at it, you should update the Shortcuts app as well as there were a couple of security issues fixed in that app as well. After all, you can’t be too secure.

Apple Drops The Hammer On Apps That Record Your Screen Without Your Knowledge Or Consent

Posted in Commentary with tags on February 8, 2019 by itnerd

Yesterday, I told you about popular iPhone apps using an API that recorded your screen without your knowledge and your consent. At the time I said this:

But now that this is out there, you can expect a lot of people to start asking questions. And that will likely include Apple as I am going to go out on a limb and say that they’re going to look at what Glassbox does and come up with counter measures to it. 

Apple took less than 24 hours to do just that. According to TechCrunch:

In an email, an Apple spokesperson said: “Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity.”

“We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary,” the spokesperson added.

And:

TechCrunch began hearing on Thursday that app developers had already been notified that their apps had fallen afoul of Apple’s rules. One app developer was told by Apple to remove code that recorded app activities, citing the company’s app store guidelines.

“Your app uses analytics software to collect and send user or device data to a third party without the user’s consent. Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity,” Apple said in the email.

Apple gave the developer less than a day to remove the code and resubmit their app or the app would be removed from the app store, the email said.

Clearly Apple is aware of who is using this tech. Thus I am going to go out on a limb and suggest that if you check your iPhone for app updates over the next week or so, you should get a rough idea of who might have been recording your screen without your consent or knowledge. You can then make a decision as to whether that app should be on your phone or not.

 

Apple Has Completely Mishandled Their Response To The FaceTime Bug

Posted in Commentary with tags on February 7, 2019 by itnerd

We are now approaching the end of the second week of the FaceTime bug which is a bug that allows people to listen in on conversations without user interaction or knowledge. Which of course is a big, big deal. This is easily the biggest and most serious bug that Apple has had to deal with. At least since the Root access bug. At least in that situation, Apple owned responsibility quickly and pushed out a software update to address the problem in under 24 hours. But with the FaceTime bug, all Apple has done is disable the Group FaceTime feature from their end and given vague promises of when this will be fixed. First it was going to be last week, then at the end of last week it was going to be this week. In the meantime, Apple has been sued, and then sued again. New York State is investigating the bug, and the US Congress is asking some very pointed questions about the bug and how Apple handled it. Not to mention that Apple didn’t respond to the teenager who found the bug, and then thanked them after his discovery went viral when his parents went to the media due to the fact that Apple didn’t respond to them. It also didn’t help Apple when news of them sitting on the bug until it went public surfaced:

Clearly this all points to one thing. Apple is mishandling their response to this bug. Badly. This is a company that’s approaching a market cap of a trillion US dollars. But something like this seems to throw them off kilter easily, which is quite shocking. After all, with the root access bug they proved that they could take a problem and fix it quickly. So why isn’t that happening here? Perhaps the bug is more complex to fix? Perhaps they’re taking extra time to make the fix perfect? Who knows? Apple is not saying and that is part of the problem. Two public statements about the biggest bug that Apple has had to deal with, with vague timelines to a resolution, is no longer going to cut it. Especially since they took Group FaceTime, which is a major feature that they bragged about less than a year ago, completely offline to mitigate the threat that this bug causes. The optics of having that feature offline for almost 2 weeks cannot be good.

Here’s the bottom line. Apple really needs to be a hell of a lot more transparent here because this is doing great damage to their reputation. So far they haven’t done so, and this crisis has now reached the point that even if they release a fix for the FaceTime bug today, it will do little to change the view that Apple has completely botched their response to this issue. If I were Tim Cook, I’d put all my cards on the table right now as to how and when this will be fixed. Plus I would outline in detail why this will not happen again. I would be 100% transparent and be open to answering questions from anyone on this. If Apple wants to regain the trust of their users, that is the only way it will happen.

UPDATE: The fix is coming today for iOS in the form of iOS 12.1.4. Not that it helps to fix their reputation. But it is a start I suppose.

Popular iPhone Apps Secretly Record Your Screen for Analytics Purposes….. With No Way To Detect That It Is Happening

Posted in Commentary with tags , on February 7, 2019 by itnerd

A rather scary report from TechCrunch details that popular iPhone apps may be secretly recording your screen for analytics purposes. As in they capture detailed data like taps, swipes, and even screen recordings without your knowledge. These apps use an API (application programming interface) called Glassbox to do this and details on what they do can be found here. Apps that are known to do this include:

  • Abercrombie & Fitch
  • Hotels.com
  • Air Canada
  • Hollister
  • Expedia
  • Singapore Airlines

So if you have any of those apps on your phone, I’d be wondering if they should stay on your phone. That’s because in the case of the Air Canada app, it doesn’t properly mask data that’s recorded. Which means it is exposing information like passport numbers and credit card information. Which makes this a good time to point out that Air Canada was recently pwned by hackers with their app being the source of the pwnage of passport data among other types of data. So clearly the fact that a company could record your screen secretly has huge ramifications.

What makes this worse is that all of the apps have a privacy policy, but not one makes it clear that they’re recording a user’s screen. Not only that, iOS doesn’t alert you that this is going on with a dialog box that states an app wants control of the screen. Which means if this had not hit the news, nobody would ever know this was going on. But now that this is out there, you can expect a lot of people to start asking questions. And that will likely include Apple as I am going to go out on a limb and say that they’re going to look at what Glassbox does and come up with counter measures to it. In the meantime, these guys aren’t the only ones doing this:

Glassbox is one of many session replay services on the market. Appsee actively markets its “user recording” technology that lets developers “see your app through your user’s eyes,” while UXCam says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events.” Most went under the radar until Mixpanel sparked anger for mistakenly harvesting passwords after masking safeguards failed.

It’s not an industry that’s likely to go away any time soon — companies rely on this kind of session replay data to understand why things break, which can be costly in high-revenue situations.

Thus, consider yourself warned. And hopefully someone comes up with a way to identify apps that use this tech so that I can punt them off my phone forever.

UPDATE: Here’s a video that shows what the Air Canada app records:

Security Researcher Discovers Exploit That Steals Passwords Stored In The macOS Keychain… But He Won’t Talk To Apple

Posted in Commentary with tags on February 6, 2019 by itnerd

Well, here’s an interesting situation. Security researcher Linus Henze has shared a video of an exploit that allows someone to steal passwords that are stored in the macOS (Mojave specifically) keychain without needing admin-level access. Not only that, there is almost no way to stop the exploit. Here’s the YouTube video of the exploit in action:

The only way to stop it is to password protect the login keychain. But that would add complexity from a user experience perspective which may not make this the best way to approach fixing this. Thus Apple likely needs to step in and fix this. And that’s where the problems begin as Henze isn’t handing over the details to Apple because Henze is frustrated that Apple’s bug bounty program only applies to iOS and not macOS according to this German publication. That likely means that others will try to reverse engineer this and turn it into something that can be weaponized unless Apple can reverse engineer it and quickly fix it. Or they play nice with the security community and improve their bug bounty program. We’ll see which path they take.

The Feds Call Apple Onto The Carpet Over The FaceTime Bug

Posted in Commentary with tags on February 5, 2019 by itnerd

Apple is now in very big trouble. The U.S. Committee on Energy & Commerce is now seeking answers from Apple over the Group FaceTime flaw that allowed people to eavesdrop on conversations:

The Committee Chairs requested written responses to a series of questions by no later than February 19, 2019, including:

  • When did your company first identify the Group FaceTime vulnerability that enabled individuals to access the camera and microphone of devices before accepting a FaceTime call?  Did your company identify the vulnerability before being notified by Mr. Thompson’s mother?  Did any other customer notify Apple of the vulnerability?
  • Please provide a timeline of exactly what steps were taken and when they were taken to address the vulnerability after it was initially identified.
  • What steps are being taken to identify which FaceTime users’ privacy interests were violated using the vulnerability?  Does Apple intend to notify and compensate those consumers for the violation?  When will Apple provide notification to affected consumers?
  • Are there other vulnerabilities in Apple devices and applications that currently or potentially could result in unauthorized access to microphones and/or cameras? 

The letter is available HERE.

This is a huge problem. If these guys don’t like Apple’s responses, you can bet that congressional hearings will follow. And those won’t go well for Apple. So if I were Tim Cook, I’d get that software fix out ASAP, and be completely transparent about what happened here with this bug. By not doing this, Apple risks tarnishing their brand more than it already has.