Category Archives: Apple

Apple MAY Join Many Others in Separating Security Patches from System Upgrades

Since the beginning of Apple-time (or is it i-time?), Apple has always bundled security fixes into iOS upgrades. This means that a user could not install a security update without also upgrading the OS. In general, Apple has always forced users to upgrade their iPhones and other mobile devices. This tends to make Apple products more secure because a higher percentage of the users are on the current version of the OS.

This is different than, say, Microsoft, who will push out monthly security patches even though they might only add new features once or twice a year.

According to 9to5Mac, Apple may be planning to separate security fixes from feature upgrades in the next version of iOS.

Of course, sometimes, Apple may release a new version of their OS just to patch a bug, but users never know what else might be bundled inside that upgrade.

But there is a new setting in the software update menu called “Install Security Updates”.

It could be that this is only a feature to install emergency fixes, something that has become more common at Apple as their software becomes more complex.

It also appears that if a user installs a security update they may have to uninstall it prior to installing a version upgrade. If this turns out to be true, it would be very unlike Apple and would make it harder for users to stay current.

iOS 14.5 is going to be a big deal. One feature in it is that checks for fraudulent web sites will be run through Apple’s servers to protect user privacy and that could, possibly, break things or slow things down. This new update also requires users to opt-in to data sharing.

iOS 14.5 is expected to be released officially in a couple of months. Credit: The Hacker News

Google Reveals Data It Captures

Since Apple doesn’t make a lot of money by selling your data to others (or selling targeted ads to others based on data that it captures), it loves poking Google in the eye about its data collection practices.

Apple required “privacy nutrition labels” from vendors, including itself, for all new releases of software distributed in the App Store as of December 8th of last year.

Google’s response was to stop updating its software. Some people said that was because Google didn’t want to tell people what they were collecting. I suspect that it is more likely that Google was trying to figure out exactly what data they were collecting.

Here is an example of some of the data that Google collects:

This is an effort on Apple’s part to give people more information and help them understand whether they want to use an app or not. But this is not where they are ending and the next step will hurt Google (and others) even more.

The graphic below compares the data that the search engine DuckDuckGo collects with the data collected by Google Chrome and the Google App. Even at a glance, you can see the difference between DuckDuckGo and Google just by the number of bullets.

Starting with iOS 14, all apps will not only have to tell users what data they are collecting but also get their permission to do it – what is known as “OPT-IN”. Opt-in is the advertiser’s nightmare. Basically, it requires the advertiser to say to the user “we want to collect, store forever and sell all this data we collect about you and your browsing or other habits, use it however we want without telling you how, not give you any control over that and in exchange – in exchange we are going to give you this app or maybe shove a bunch of ads in your face that you don’t want to see”.

In fairness, if you say no you will still see ads – they just won’t be targeted to you.

This means that the companies won’t be able to get as much money for those ads since the advertisers won’t know who those people are that are seeing those ads. WHAT IS UNKNOWN IS HOW MANY PEOPLE WILL ACTUALLY OPT IN.

Add to that, consumers have to trust app makers to tell the truth. After all, what is the downside if you lie? If Apple finds out, they could ban you from the App Store.

In iOS 14.5, Apple will require apps to get your permission to track you across other apps and websites. Apple has something called an ID for advertising, or IDFA. Here is how IDFA is used: say Facebook showed you an ad for a phone and you did not click on it, but you went to Google and searched for that phone.

Then you bought the phone. That vendor has your IDFA and can share it with Facebook, and then Facebook gets credit for an ad that was converted to a sale.

All this goes away, in stages, with iOS versions 14 and 14.5 if the user does not opt in.

The reason this is a problem for Google and other advertisers is that users usually choose the default. The default is that if I don’t do anything, I effectively opt out and Google and the advertisers can’t target me.

That alone might be a reason to buy an iPhone.

Don’t expect Google to do that on Android any time soon. Or ever.

Credit: The Hacker News

Security News for the Week Ending March 5, 2021

Google Gives Up On Address Space Layout Randomization (ASLR)

ASLR is a security technique that has been used for years to make it harder for hackers to FIND code in memory to compromise it. There is a problem in the rendering engine in the Chromium project that breaks ASLR and Google says that they won’t fix it. Google says they are resigned to the fact that ASLR cannot be saved. They do have a plan, they say, for something better. Stay tuned. Credit: The Register

TALON: The Nationwide Network of Surveillance Cameras

A company called Flock has built a nationwide network of surveillance cameras using automated license plate readers. They sell to (anyone whose check clears) police departments, homeowners associations and businesses. The system can record all license plates and detect “non-resident” vehicles or vehicles on a hotlist. The program, called TALON, allows customers to track vehicles and, by extension, people, anywhere in the country. They scan 500 million license plates a month and sell their data to, among others, 500 police departments. Customers of Flock can make the data available to anyone they choose. Credit: Vice

New ‘unc0ver’ Tool Can Jailbreak All iPhones Running iOS 11-14.3

Like all good software, unc0ver is updated and now, newly released version 6 can jailbreak idevices running iOS 11.0 to 14.3. Apple has patched the bug in iOS 14.4, but they admitted that it may have been used by bad actors. This is a cat and mouse game, so expect version 7 of unc0ver. Credit: The Hacker News

Microsoft Tries to Catch up to Zoom with End to End Encryption in Teams

Months after Zoom was roundly criticized for not having adequate encryption and then implementing it, Microsoft says that they will implement end to end encryption, but only on one-to-one calls. Note that it will not be on by default. They will also, separately, add customer key support to allow customers to encrypt chat, meeting recordings and other information that is not currently encrypted. All of this will require customers to take actions to make it happen. Credit: Bleeping Computer

Facebook Considers Begging iOS Users: Let us Track You

Apple is preparing to add a new prompt to iOS that requires users to opt-in to tracking by app developers like Facebook. It used to be that you could opt-out — if you could find the place to do that.

Facebook is going to have its own screen telling you how wonderful it is to have your every website click tracked.

Here are sample mockups:

[Image: Facebook's message to users about privacy]

Facebook’s reasoning is that you get better ads and it helps their bottom line. I am not sure that many people care about Zuckerberg’s income, or how many people think that advertising of any type is a benefit.

Facebook’s beg screen is on the left and Apple’s “do you really want to do this” screen is on the right.

If you agree to this it does not mean that Facebook is going to collect more or different data – although it might if they find it beneficial to them. It means that they want you to approve of them continuing to do what they have been doing for years – mostly silently.

This is a follow-on to Apple’s version of a food safety warning when they revealed how much data Facebook is collecting next to the app in their app store.

Since Apple earns no revenue from selling your data or serving up ads, screwing up the business model of a competitor like Facebook is perceived to be a good thing, or at least not a negative.

Neither Facebook nor Apple has said when these changes will roll out. Credit: The Register

Security News for the Week Ending January 15, 2021

US Bulk Energy Providers Must Report Attempted Breaches

The SolarWinds attack, from what little we know about it, was bad enough, but what if it was Russia’s trial run for taking down the power grid like they did in Ukraine or taking out the water supply or gas supply? NERC, the electric utility regulator, released CIP-008-6 which requires relevant bulk power providers to report attempted hacks in addition to successful ones.

All cybersecurity incidents, whether actual compromises or attempts to compromise, have to be reported to the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), now known as National Cybersecurity and Communications Integration Center (NCCIC), as well as the Electricity Information Sharing and Analysis Center (E-ISAC). Unfortunately, the feds have not clearly defined what an attempt is. Credit: CSO Online

Researchers Say Bitcoin Hacks in 2020 Netted $3.78 Billion

In fairness, that is at today’s Bitcoin value, but let’s say it is only $2 billion. Does that make you feel better? The most lucrative target was individual Bitcoin wallets, but hackers went after exchanges and apps too. Credit: ZDNet

FAA Changes Rules on Mask Wearing on Airplanes

Up until today, if passengers would not follow flight crew’s instructions to wear masks and were unruly, threatened or intimidated flight crews, the FAA tried to counsel them or hit them with civil fines. Now they have changed the rules and anyone who does that will be charged with interfering with a flight crew, which carries the penalty of up to 20 years in prison and a $35,000 fine. Or both. Ouch. Credit: Vice

Apple Changes Rules That Exempted Themselves from Security Rules

In MacOS 11 Apple created a rule that exempted 53 of its own apps from having to go through the Mac’s firewall. After all, Apple does know best. Apple claimed the exemption was temporary. Why? Because Apple made some changes in MacOS and they didn’t have time to iron out all the bugs in their apps before they shipped the software. That’s comforting. Once 11.2 ships, Apple’s apps will no longer be exempted. Oh, by the way, they forgot to tell their users that they were exempting their buggy apps from the firewall. Because? Don’t know. Probably would not be good PR. Credit: ZDNet

Signal Messaging App Creaking Under The Load

Years ago Facebook bought the privacy oriented messaging app WhatsApp which has become very popular. Last month Facebook created new terms which require users to allow Facebook to mine your WhatsApp data which is sort of unpopular with people who signed up for a privacy oriented app. Under the covers, WhatsApp is really just Signal, Moxie Marlinspike’s privacy oriented messaging app with some lipstick on it. As a result of Facebook’s not understanding that users would be displeased with the change to their terms of service, apparently tens of millions of people are moving from WhatsApp to Signal. Combine that with the shutdown of Parler, and Signal, which is a non-profit, is having trouble managing the load. Last week Elon Musk told his 40+ million followers to use Signal. It is likely that they will get things sorted out but any time a company gets 25-50 million new customers all at once, while it is a good problem, it is a problem. Stay tuned. Credit: The Register

Trump Bans 8 More Chinese Apps

Donald Trump has signed an executive order banning the use of eight Chinese apps, namely Alipay, CamScanner, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat Pay, and WPS Office.

The EO says that the apps can track users and capture personal data –

Just like, say, Facebook or Fox News or any other American app.

But Trump doesn’t like it that China is collecting that data because, basically, China bad. And, realistically, that is hard to argue with.

Part of the problem is that users “over share”.

Another part of the problem is that users opt for convenience over security and that means that these apps – including all of the American apps – can vacuum up an amazing amount of data that lives on most users’ phones.

Consider this. The last time YOU installed an app on your phone it probably asked for some permissions. Did you consider whether that app really needed those permissions? Almost no one else does either.

Somehow Trump ties what these apps are doing to the Anthem and Office of Personnel Management breaches. I guess in the sense that all of those desire to collect your data – just like Twitter does – that is true. I am sure that even though Trump hates Twitter, he would hate it even more if it was not financially viable and disappeared. Therefore, if they have to harvest your data without any real permission – yes, you can disagree, but if you do, they will delete your account – that is okay.

The basic difference here is not WHAT is being done, but rather WHO is doing it. All apps collect, use and monetize your data. Who the good guys are is a little less clear.

The order doesn’t take effect for 45 days, so likely it will be up to the next administration to figure out what to do.

Personally, I would be fine if half of the apps on the Apple and Android stores just went poof. No, actually 90% would be a good number to banish. I would not miss them at all. Just my opinion. Credit: The Register