Archive for Apple

Popular iPhone Apps Secretly Record Your Screen for Analytics Purposes… With No Way To Detect That It Is Happening

Posted in Commentary on February 7, 2019 by itnerd

A rather scary report from TechCrunch details that popular iPhone apps may be secretly recording your screen for analytics purposes. That is, they capture detailed data like taps, swipes, and even full screen recordings without your knowledge. These apps use an SDK (software development kit) from a company called Glassbox to do this, and details on what it does can be found here. Apps that are known to do this include:

  • Abercrombie & Fitch
  • Hotels.com
  • Air Canada
  • Hollister
  • Expedia
  • Singapore Airlines

So if you have any of those apps on your phone, I’d be wondering whether they should stay there. That’s because in the case of the Air Canada app, it doesn’t properly mask the data that’s recorded, which means it is exposing information like passport numbers and credit card details. This is a good time to point out that Air Canada was recently pwned by hackers, with their app being the source of the pwnage of passport data among other types of data. So clearly the fact that a company can record your screen secretly has huge ramifications.

What makes this worse is that all of the apps have a privacy policy, but not one makes it clear that they’re recording a user’s screen. Not only that, iOS doesn’t alert you that this is going on with a dialog box stating that an app wants to capture the screen. Which means that if this had not hit the news, nobody would ever know it was happening. But now that it’s out there, you can expect a lot of people to start asking questions. That will likely include Apple, as I am going to go out on a limb and say that they’re going to look at what Glassbox does and come up with countermeasures. In the meantime, these guys aren’t the only ones doing this:

Glassbox is one of many session replay services on the market. Appsee actively markets its “user recording” technology that lets developers “see your app through your user’s eyes,” while UXCam says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events.” Most went under the radar until Mixpanel sparked anger for mistakenly harvesting passwords after masking safeguards failed.

It’s not an industry that’s likely to go away any time soon — companies rely on this kind of session replay data to understand why things break, which can be costly in high-revenue situations.

Thus, consider yourself warned. And hopefully someone comes up with a way to identify apps that use this tech so that I can punt them off my phone for good.

UPDATE: Here’s a video that shows what the Air Canada app records:

Security Researcher Discovers Exploit That Steals Passwords Stored In The macOS Keychain… But He Won’t Talk To Apple

Posted in Commentary on February 6, 2019 by itnerd

Well, here’s an interesting situation. Security researcher Linus Henze has shared a video of an exploit that allows someone to steal passwords stored in the macOS (Mojave, specifically) keychain without needing admin-level access. Not only that, there is almost no way to stop the exploit. Here’s the YouTube video of the exploit in action:

The only way to stop it is to password-protect the login keychain. But that would add complexity from a user experience perspective, which may not make it the best way to approach fixing this. Thus Apple likely needs to step in and fix it. And that’s where the problems begin, as Henze isn’t handing over the details to Apple because he is frustrated that Apple’s bug bounty program only applies to iOS and not macOS, according to this German publication. That likely means others will try to reverse engineer this and turn it into something that can be weaponized, unless Apple can reverse engineer it and quickly fix it. Or they play nice with the security community and improve their bug bounty program. We’ll see which path they take.

The Feds Call Apple Onto The Carpet Over The FaceTime Bug

Posted in Commentary on February 5, 2019 by itnerd

Apple is now in very big trouble. The U.S. Committee on Energy & Commerce is now seeking answers from Apple over the Group FaceTime flaw that allowed people to eavesdrop on conversations:

The Committee Chairs requested written responses to a series of questions by no later than February 19, 2019, including:

  • When did your company first identify the Group FaceTime vulnerability that enabled individuals to access the camera and microphone of devices before accepting a FaceTime call? Did your company identify the vulnerability before being notified by Mr. Thompson’s mother? Did any other customer notify Apple of the vulnerability?
  • Please provide a timeline of exactly what steps were taken and when they were taken to address the vulnerability after it was initially identified.
  • What steps are being taken to identify which FaceTime users’ privacy interests were violated using the vulnerability? Does Apple intend to notify and compensate those consumers for the violation? When will Apple provide notification to affected consumers?
  • Are there other vulnerabilities in Apple devices and applications that currently or potentially could result in unauthorized access to microphones and/or cameras?

The letter is available HERE.

This is a huge problem. If these guys don’t like Apple’s responses, you can bet that congressional hearings will follow. And those won’t go well for Apple. So if I were Tim Cook, I’d get that software fix out ASAP and be completely transparent about what happened with this bug. By not doing so, Apple risks tarnishing its brand more than it already has.

#FlexGate Is Another Sign That Apple Isn’t What It Used To Be

Posted in Commentary on February 1, 2019 by itnerd

I’ve been saying for a while now that Apple is really not what it used to be and, as a result, is in deep trouble. The latest example of this is what has become known as #FlexGate.

Yes. We have yet another Apple “gate” style controversy on our hands.

If you have a Touch Bar MacBook Pro, the flex cable that connects the display to the logic board can fail. This first creates a “stage light” effect along the bottom of the screen. Then the display can fail outright. And the really bad part is that this happens under normal usage, simply by opening and closing the lid.

#Fail

Now, if you don’t have AppleCare, replacing this cable, which likely costs under $10, requires you to replace the entire display, which is $800 or more here in Canada. And despite the fact that this is a pretty obvious design flaw, Apple at present insists on making you pay for their mistake.

#EpicFail

What’s worse is that it appears Apple is trying to cover this up. There are multiple people who claim to have started threads on Apple’s support site only to have them deleted. That’s pretty shifty on Apple’s part.

Now there’s a petition urging Apple to do the right thing. But the fact that they even have to be urged to do the right thing is disconcerting, to say the least. Here in Canada a fully maxed-out MacBook Pro is $10,000. A decently loaded one goes for about half that. You’d think that for that sort of money, not only would the quality be better, but Apple would stand behind their product. Clearly that’s no longer the case. It’s another sign that Apple isn’t what it used to be and, as a result, is in decline. And #FlexGate combined with #KeyboardGate is the reason why I’m not springing for a new Apple laptop anytime soon.

Apple Says That Fix For FaceTime Bug Delayed Until Next Week… And Thanks The Family Who Discovered The Issue

Posted in Commentary on February 1, 2019 by itnerd

This morning I was musing on Twitter about whether Apple would meet their self-imposed deadline of “later this week” to fix that epic FaceTime bug:

Well, it looks like Apple has answered at least one of the above questions. MacRumors just posted a statement from Apple, which says the following:

We have fixed the Group FaceTime security bug on Apple’s servers and we will issue a software update to re-enable the feature for users next week. We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone’s patience as we complete this process.

We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix. We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible. We take the security of our products extremely seriously and we are committed to continuing to earn the trust Apple customers place in us.

So this statement sort of addresses one of the main criticisms of Apple since this debacle began, which is that they appeared not to respond in any way, shape or form when the bug was first discovered. Something that I pointed out via Twitter:

At least they appear to want to make changes, which I guess they believe will blunt the investigation launched by New York State into their response to this issue. But it won’t help their cause in terms of the two separate lawsuits that have been filed over it.

As for the fix being delayed, I guess they want to make sure it is bulletproof so that this issue goes away once and for all. Though with two lawsuits, and perhaps more likely to come, it won’t go away anytime soon. And it doesn’t help their reputation when it comes to privacy, which is a bit of a mess at the moment.

Having said all of that, when the update finally comes out “next week”, I’ll be installing it, trying to replicate the issue, and looking for any other changes. Stay tuned for that.

Google Has Access To Apple’s Enterprise Certificates Again

Posted in Commentary on February 1, 2019 by itnerd

It appears that Google, much like Facebook before it, has left the “sin bin”, as Apple has restored the company’s access to enterprise certificates, the ones that got them into so much trouble when they were caught using them to sideload applications outside the App Store. This was confirmed by TechCrunch and by this tweet:

I would have liked to have been a fly on the wall for that conversation, as one has to wonder what was said and what Google had to do to make nice with Apple. In any case, like the tweet says, all is well with the world. Except that it isn’t, as I fully expect other companies to be “sin binned” by Apple. It’s a safe bet that Apple is taking a very deep look at its enterprise certificate program to find any more companies that are flouting the rules.

Facebook Says That It Has Access To Apple’s Enterprise Certificates Again… But You Should Still #DeleteFacebook

Posted in Commentary on January 31, 2019 by itnerd

I am sure there was a very difficult conversation that happened before Facebook got access to enterprise certificates again, the ones that Apple took away from them for abusing them. As a side effect, the revocation made Facebook employees “pissed” and “angry” in the process. But in a statement to Mike Isaac of The New York Times, a Facebook spokesperson said that the company is “in the process” of making its internal apps functional. The company also confirmed that losing access to enterprise certificates did not have any effect on consumer-facing services:

We have had our Enterprise Certification, which enables our internal employee applications, restored. We are in the process of getting our internal apps up and running. To be clear, this didn’t have an impact on our consumer-facing services.

I must admit that I am disappointed by this development. I say that because Facebook are the bad boys of the Internet. They’ve always broken rules and then begged forgiveness. That’s not cool for Uber and it shouldn’t be cool for Facebook. If I were Tim Cook, I would have banned every single Facebook app from the App Store just to send a message that this isn’t acceptable. But they didn’t do that, and here we are talking about it, because you know there will be a next time. I guarantee that this company has learned nothing from this experience. And if one company needs to learn a lesson, it’s Facebook.

Apple Lays The Smack Down On Google For Abusing Enterprise Certificates

Posted in Commentary on January 31, 2019 by itnerd

That escalated quickly.

Not more than 24 hours ago it came to light that Facebook was not the only one abusing Apple enterprise certificates; Google was doing it as well, and for much longer. In the case of the former, Apple revoked their enterprise certificate, which is causing chaos within Facebook. Now it appears that Google has had its enterprise certificate revoked by Apple too:

Apple has now shut down Google’s ability to distribute its internal iOS apps, following a similar shutdown that was issued to Facebook earlier this week. A person familiar with the situation tells The Verge that early versions of Google Maps, Hangouts, Gmail, and other pre-release beta apps have stopped working today, alongside employee-only apps like a Gbus app for transportation and Google’s internal cafe app.

“We’re working with Apple to fix a temporary disruption to some of our corporate iOS apps, which we expect will be resolved soon,” says a Google spokesperson in a statement to The Verge. Apple also appears to be working more closely with Google to fix this situation. “We are working together with Google to help them reinstate their enterprise certificates very quickly,” says an Apple spokesperson in a statement to BuzzFeed.

From the above statements, it sounds moderately more cordial than the Facebook situation. But if I were a betting man, I’d guess there are a lot of one-way conversations going on, with the one way being from Apple to Google. Hopefully they, along with other companies, get the message that this behavior isn’t acceptable.

Canadian Law Firm Launches Class Action Lawsuit Over FaceTime Bug

Posted in Commentary on January 31, 2019 by itnerd

Things go from bad to worse for Apple. After being sued by a lawyer, then having an investigation started by the State of New York, Apple is now facing a class action lawsuit from a Canadian law firm. Montréal-based law firm Lambert Avocat Inc. has applied for a class action lawsuit against Apple with the Superior Court of Québec. The firm seeks damages for all who are affected by this bug, meaning anyone who runs an iPhone, iPad, or iPod Touch with iOS 12.1 or later, as well as anyone who runs a Mac with macOS 10.14.1 or later.

Apple really needs to step up here, as this is not only not going away, but is getting progressively worse for the company. Simply saying nothing and promising a software fix “sometime this week”, which hasn’t appeared as of yet, isn’t going to cut it. They have to do a whole lot more to reassure users that they can be trusted. Which, if the stars align, will take away the incentive for these lawsuits and investigations to be started.

So how about it Apple?

Facebook Employees “Pissed” And “Angry” At Facebook Over Their Improper Use Of Apple’s Enterprise Certificates

Posted in Commentary on January 31, 2019 by itnerd

The turmoil caused by Facebook improperly using an Apple enterprise certificate to distribute a data-gathering app to users it paid, an app that would never have seen the light of day in the App Store, has just gotten worse. AppleInsider is reporting that the company is now facing internal strife from Facebook employees:

According to a leaked internal memo from Facebook VP of production engineering and security Pedro Canahuati, the company is “working closely” with Apple to reinstate Enterprise Certificate privileges that were revoked on Wednesday. That information lines up with a summary of the situation provided by AppleInsider sources.

The memo, obtained by Business Insider, seeks to ensure employees that Facebook is working diligently to restore access to an internal version of Facebook’s iOS app, as well as private versions of Workplace Chat, Instagram and Messenger. For now, the company urges employees to download public releases of those same apps.

Still, with Apple’s lockdown in place, Facebook workers are unable to use apps like Mobile Home and Ride, both of which are not distributed publicly.

Facebook employees vented their frustration over the situation in statements to Business Insider, saying that colleagues are “pissed” and “angry.” Some hold Facebook responsible for running afoul of Apple’s enterprise developer ruleset, while others pin the blame on Apple.

“Apple is technically doing their job and has a right,” an employee said. “This is probably one of the worse things that can happen to the company internally.”

Now, there are some employees who think that Apple is trying to “take Facebook down”, but it’s still not good that this is going on and leaking out to the public. Hopefully Facebook gets the hint that they have to alter their behavior so that they don’t tick off people outside and, more importantly, inside the company.