IOS

Apple Releases iOS 13.5.1, Patching Out the Unc0ver Jailbreak (theverge.com) 13

Apple has released iOS 13.5.1 today, which the company says "provides important security updates and is recommended for all users," albeit without much detail in the change log. But as noted by Twitter account Apple Software Updates, the update is meant to patch out the kernel vulnerability used by the recent Unc0ver jailbreak. The Verge reports: Apple's support page lays things out more clearly -- the update was designed to prevent an application from being able to "execute arbitrary code with kernel privileges." In other words, iOS 13.5.1 is designed to block jailbreaking. The Unc0ver jailbreak was particularly notable in the iOS jailbreaking community because it was available on the then-current iOS 13.5, allowing users of the latest Apple devices to install new software features outside of Apple's gated App Store.
Bug

Finding Serious 'Sign In with Apple' Hole Earns Security Researcher a $100,000 Bug Bounty (forbes.com) 21

An anonymous reader quotes Forbes: When Apple announced Sign in with Apple at the June 2019 worldwide developers conference, it called it a "more private way to simply and quickly sign into apps and websites." The idea was, and still is, a good one: replace social logins that can be used to collect personal data with a secure authentication system backed by Apple's promise not to profile users or their app activity... Unsurprisingly, it has been pushed as being a more privacy-oriented option than using your Facebook or Google account.

Fast forward to April 2020, and a security researcher from Delhi uncovered a critical Sign in with Apple vulnerability that could allow an attacker to potentially take over an account with just an email ID. A critical vulnerability that was deemed important enough that Apple paid him $100,000 through its bug bounty program by way of a reward. With the vulnerability already now patched by Apple on the server-side, Bhavuk Jain published his disclosure of the security shocker on May 30.

It applied "only to third-party apps which used Sign in with Apple without taking any further security measures," the article points out , adding that the researcher who found it "said Apple carried out an internal investigation and determined that no account compromises or misuse had occurred before the vulnerability was fixed."

But they also quote an SME application security lead at ImmersiveLabs who said he "would have expected better testing around this from a company such as Apple, especially when it is trying to set itself a reputation as privacy-focused."
Businesses

Apple Opens 100 More US Stores -- With Mandatory Temperature Checks For Customers (appleinsider.com) 68

"Apple is in the process of reopening 100 U.S. retail stores," reports Apple Insider, adding "as expected, those outlets look a lot different post-coronavirus." For example, the company is performing temperature-checks at the door and requiring facial coverings before entering the store. Apple has also indicated that it will provide facial coverings to customers if need be. As you approach the Apple Store, you should notice some changes right away. In the Lynnhaven Mall in Virginia Beach, Virginia, the Apple Store had multiple employees outside to guide customers into lines — one line for walk-ups, and another for reservations. While waiting in line, an employee asks you a series of four questions and takes your temperature:

- Do you currently have a fever?
- Do you currently have a cough?
- Are you currently experiencing any respiratory issues?
- Have you been in contact with any suspected or confirmed cases of COVID-19 in the last 14 days?

Answering "yes" to any question will prevent you from entering the store, even if wearing a mask. Answering "no" across the board will allow you to have your temperature checked. Apple assures customers that data isn't being recorded...

Apple retail is enforcing social distancing measures by mandating six feet of space between customers, reducing the number of products on display, and rearranging store features to allow for more space between them... If a device is handed from customer to employee, the employee will wipe it down on receipt, before beginning service or operation of the device. There are multiple stations with disinfecting wipes and hand sanitizer...

Customer occupancy and store hours have also been reduced, with Apple encouraging customers to purchase online or opt for curbside pickup when possible.

EU

Tile Writes to EU Accusing Apple of Abuse of Power (bloomberg.com) 48

Bluetooth accessory maker Tile has written to the European Union accusing Apple of abuse of power and of illegally favoring its own products. From a report: According to a report by Financial Times, in a letter sent on Tuesday to the European Commissioner for Competition, the accessory maker said that Apple is making it harder for users to use Tile products on iPhone because it has its own rival Find My app. Tile asked the EU to investigate Apple's business practices, echoing previous calls made by the accessory maker in the United States. Specifically, Tile complains about changes Apple made to location services in iOS 13, which encourage customers not to use always-on location tracking. In addition, Tile said changing these options involve navigating between "complex settings not easy to find."
IOS

Why You Shouldn't Make a Habit of Force-Quitting iOS Apps or Restarting iOS Devices (tidbits.com) 90

Adam Engst, writing for TidBITS: Because force-quitting apps and restarting or shutting down devices are necessary only to fix unanticipated problems, there are two notable downsides to engaging in such behavior as a matter of habit: reduced battery life and wasted time. Why would these behaviors reduce battery life? Remember, iOS is a modern operating system that's built on top of Apple's proprietary hardware. Apple has put a great deal of effort into ensuring that iOS knows the best ways to manage the limited hardware resources within your iPhone or iPad. No one, possibly short of an iOS systems engineer armed with Apple's internal diagnostic and debugging tools, would be able to outguess iOS itself on issues like memory usage, power draw, and CPU throttling.

When you invoke the App Switcher in iOS, you can swipe right to see all the apps you've used, possibly since you got your device. (The very first app in my iPhone 11 Pro's App Switcher is Apple's Tips, which I think came up automatically when I turned the iPhone on last year and hasn't been touched since. It's difficult to count apps in the App Switcher, but I probably have at least a hundred in there.) As the number of apps in the App Switcher should indicate, those apps are not necessarily running -- they merely have run at some point in the past. They're much more like the contents of the Mac's Apple > Recent Items menu. In normal usage, iOS devotes the lion's share of CPU and memory resources to the app that you're using. That's sensible -- the performance of that app is paramount. However, the next few apps in the App Switcher may also be consuming some CPU and memory resources. That's because iOS correctly assumes that you're most likely to return to them, and it wants to give you the best experience when you do. The screen shouldn't have to redraw multiple times, Internet-loaded content shouldn't have to update, and so on. [...]

The Almighty Buck

Apple Assisting Authorized Repair Shops With COVID-Related Expenses (macrumors.com) 13

NoMoreACs writes: According to an article from MacRumors, Apple is helping offset increased costs incurred by their third-party Authorized Repair Shops due to the COVID-19 forced closures and other COVID-related expenses, such as cleaning supplies and personal protective equipment. The retroactive reimbursements will come in the form of increased payouts for repairs and will remain in effect depending on each country's (and I assume localities') Stay-at-Home orders. And for those who don't think such things exist, the article included a handy guide (albeit with a little digging) to Apple's Authorized Third-Party Repair Shops.
Iphone

Newly-Released Jailbreak Tool Can Unlock Every iPhone and iPad (techcrunch.com) 40

An anonymous reader quotes TechCrunch: A renowned iPhone hacking team has released a new "jailbreak" tool that unlocks every iPhone, even the most recent models running the latest iOS 13.5. [9to5Mac points out it also works on iPads.]

For as long as Apple has kept up its "walled garden" approach to iPhones by only allowing apps and customizations that it approves, hackers have tried to break free from what they call the "jail," hence the name "jailbreak...." The jailbreak, released by the unc0ver team, supports all iPhones that run iOS 11 and above, including up to iOS 13.5, which Apple released this week. Details of the vulnerability that the hackers used to build the jailbreak aren't known, but it's not expected to last forever...

Security experts typically advise iPhone users against jailbreaking, because breaking out of the "walled garden" vastly increases the surface area for new vulnerabilities to exist and to be found.

IOS

How iPhone Hackers Got Their Hands on the New iOS Months Before Its Release (vice.com) 9

Security researchers and hackers have had access to a leaked early version of iOS 14, the iPhone's next operating system, since at least February, Motherboard reported Friday. From the report: That's almost eight months before the expected official release of iOS 14, given that Apple usually publishes the new iOS in September along with the announcement of new phones. Sometimes, screenshots and descriptions of new features leak before the official reveal. This time, however, an entire version of the operating system has leaked and is being widely circulated among hackers and security researchers. Motherboard has not been able to independently verify exactly how it leaked, but five sources in the jailbreaking community familiar with the leak told us they think that someone obtained a development iPhone 11 running a version of iOS 14 dated December 2019, which was made to be used only by Apple developers. According to those sources, someone purchased it from vendors in China for thousands of dollars, and then extracted the iOS 14 internal build and distributed it in the iPhone jailbreaking and hacking community.
AI

Siri, What Time Is It in London? (daringfireball.net) 181

John Gruber, writing at Daring Fireball: Nilay Patel [Editor-in-Chief of news website The Verge] asked this of Siri on his Apple Watch. After too long of a wait, he got the correct answer -- for London Canada. I tried on my iPhone and got the same result. Stupid and slow is heck of a combination. You can argue that giving the time in London Ontario isn't wrong per se, but that's nonsense. If you had a human assistant and asked them "What's the time in London?" and they honestly thought the best way to answer that question was to give you the time for the nearest London, which happened to be in Ontario or Kentucky, you'd fire that assistant.

You wouldn't fire them for getting that one answer wrong, you'd fire them because that one wrong answer is emblematic of a serious cognitive deficiency that permeates everything they try to do. You'd never have hired them in the first place, really, because there's no way a person this stupid would get through a job interview. You don't have to be particularly smart or knowledgeable to assume that "London" means "London England", you just have to not be stupid. Worse, I tried on my HomePod and Siri gave me the correct answer: the time in London England. I say this is worse because it exemplifies how inconsistent Siri is. Why in the world would you get a completely different answer to a very simple question based solely on which device answers your question? At least when most computer systems are wrong they're consistently wrong.

Education

Students Are Failing AP Tests Because the College Boards Can't Handle HEIC Images (theverge.com) 204

Many high school students around the country completed Advanced Placement tests online last week but were unable to submit them at the end because the testing portal doesn't support HEIC images -- the default format on iOS devices and some newer Android phones. The Verge reports: For the uninitiated: AP exams require longform answers. Students can either type their response or upload a photo of handwritten work. Students who choose the latter option can do so as a JPG, JPEG, or PNG format according to the College Board's coronavirus FAQ. But the testing portal doesn't support the default format on iOS devices and some newer Android phones, HEIC files. HEIC files are smaller than JPEGs and other formats, thus allowing you to store a lot more photos on an iPhone. Basically, only Apple (and, more recently, Samsung) use the HEIC format -- most other websites and platforms don't support it. Even popular Silicon Valley-based services, such as Slack, don't treat HEICs the same way as standard JPEGs.

[Nick Bryner, a high school senior in Los Angeles] says many of his classmates also tried to submit iPhone photos and experienced the same problem. The issue was so common that his school's AP program forwarded an email from the College Board to students on Sunday including tidbits of advice to prevent submission errors. "What's devastating is that thousands of students now have an additional three weeks of stressful studying for retakes," Bryner said. The email Bryner received doesn't mention the HEIC format, though it does link to the College Board's website, which instructs students with iPhones to change their camera settings so that photos save as JPEGs rather than HEICs. The company also linked to that information in a tweet early last week.
In a statement emailed to The Verge, the College Board said that "the vast majority of students successfully completed their exams" in the first few days of online testing, "with less than 1 percent unable to submit their responses." The company also noted that "We share the deep disappointment of students who were unable to submit responses."
Apple

'Apple Glass' Rumored To Start at $499, Support Prescription Lenses (macrumors.com) 109

Front Page Tech host Jon Prosser this week shared several details about Apple's rumored augmented reality glasses, including an "Apple Glass" marketing name, $499 starting price, prescription lens option, and more.The marketing name will be "Apple Glass" According to Prosser, who has established a reliable track record for Apple's product roadmap in recent months, here are some other key details about the Apple Glass: The glasses will start at $499 with the option for prescription lenses at an extra cost.
There will be displays in both lenses that can be interacted with using gestures.
The glasses will rely on a paired iPhone, similar to the original Apple Watch.
An early prototype featured LiDAR and wireless charging.
Apple originally planned to unveil the glasses as a "One More Thing" surprise at its iPhone event in the fall, but restrictions on in-person gatherings could push back the announcement to a March 2021 event.
Apple is targeting a late 2021 or early 2022 release.

Google

Apple and Google Launch Digital Contact Tracing System (go.com) 110

Apple and Google announced today that they have rolled out a COVID-19 exposure notification system, "essentially a unified programming interface that will allow public health departments to create their own contact tracing applications," reports ABC News. "Apple and Google are not building contact tracing apps." From the report: "Starting today, our Exposure Notifications technology is available to public health agencies on both iOS and Android," Apple and Google said in a statement. "Today, this technology is in the hands of public health agencies across the world who will take the lead and we will continue to support their efforts."

After an individual downloads and enables a contact tracing application on his phone, he would subsequently receive an alert if he is exposed to anyone who is diagnosed with or likely to have COVID-19. Of course, that assumes that the COVID-19-positive individual also has the application enabled on his phone. The companies said that digital contact tracing is meant to argument traditional human-to-human tracing, not replace it. Digital contact tracing is faster than traditional tracing, requires fewer resources and since it doesn't rely on human memory, can make it easier to track exposure in crowded spaces, or contact with strangers. On the other hand, for such applications to be effective, they require users to download and enable the applications on their phones, and it's not yet clear that Americans will be willing to do so en masse.
"Once they download the app, users will have to consent to make their information available to the health authorities and can turn it on and off when they choose to," the report adds. "Data collection will be kept private and only used by health authorities for COVID-19 exposure, not stored in a central database."

The companies said that they will not monetize the data that comes out of the system.
Iphone

Apple May Stop Bundling Free Earphones With Its iPhone Starting This Year (inputmag.com) 120

TF International Securities' reliable analyst Ming-Chi Kuo is at it again with another ominous note on the iPhone 12: it won't come with wired EarPods included in the box. From a report: We can already feel the palpable anger bubbling up inside of you as you read these words, shaking your head in disbelief and crossing your fingers in hopes it's not true. But this is news coming from Kuo, an analyst who rarely misses when he spreads his gospel, so there's a good chance the information is right and Apple is summoning up its infamous courage once again. Every version of the iPhone has shipped with wired earbuds in the box and removing them would make the iPhone 12 less accessible. Imagine ponying up the big bucks for a shiny new iPhone 12 and not being able to listen to music in private unless you shell out separately for wired or wireless earbuds.
Privacy

Apple Whistleblower Goes Public Over 'Lack of Action' (theguardian.com) 54

A former Apple contractor who helped blow the whistle on the company's programme to listen to users' Siri recordings has decided to go public, in protest at the lack of action taken as a result of the disclosures. From a report: In a letter announcing his decision, sent to all European data protection regulators, Thomas le Bonniec said: "It is worrying that Apple (and undoubtedly not just Apple) keeps ignoring and violating fundamental rights and continues their massive collection of data. I am extremely concerned that big tech companies are basically wiretapping entire populations despite European citizens being told the EU has one of the strongest data protection laws in the world. Passing a law is not good enough: it needs to be enforced upon privacy offenders."

Le Bonniec, 25, worked as a subcontractor for Apple in its Cork offices, transcribing user requests in English and French, until he quit in the summer of 2019 due to ethical concerns with the work. "They do operate on a moral and legal grey area" he told the Guardian at the time, "and they have been doing this for years on a massive scale. They should be called out in every possible way." Following the revelations of Le Bonniec and his colleagues, Apple promised sweeping changes to its "grading" program, which involved thousands of contractors listening to recordings made, both accidentally and deliberately, using Siri. The company apologised, brought the work in-house, and promised that it would only grade recordings from users who had explicitly opted-in to the practice.

Television

Apple Buys Older Shows for TV+, Stepping Up Netflix Challenge (bloomberg.com) 37

Apple is acquiring older movies and shows for its TV+ streaming service, aiming to build a back catalog of content that can better stack up against the huge libraries available on Netflix, Hulu and Disney+. From a report: The company's video-programming executives have taken pitches from Hollywood studios about licensing older content for TV+ and have bought some shows and movies, according to people familiar with the matter. The move represents a subtle strategy shift for Apple TV+, which launched in November with a lineup of original programs. The company plans to keep TV+ focused on original shows, and hasn't yet acquired any huge franchises or blockbusters for its back catalog, according to the people, who asked not to be identified because the deliberations are private.
Encryption

AG Barr Seeks 'Legislative Solution' To Make Companies Unlock Phones (engadget.com) 92

stikves shares a report from Engadget: Last December, a Saudi Arabian cadet training with the U.S. military opened fire at Naval Air Station Pensacola, killing three soldiers and wounding eight others. The FBI recovered two iPhones, and after failing to access their data, asked Apple to unlock them. The company refused, but eventually the FBI unlocked at least one of them without Apple's help, and discovered substantial ties between the shooter and terrorist group al Qaeda. U.S. Attorney General Barr suggests forcing Apple to take action in the future, saying "...if not for our FBI's ingenuity, some luck, and hours upon hours of time and resources, this information would have remained undiscovered. The bottom line: our national security cannot remain in the hands of big corporations who put dollars over lawful access and public safety. The time has come for a legislative solution."
The Courts

Rainbow Six 'Copy' Lands Apple and Google In Copyright Court (bbc.com) 44

Ubisoft is suing Apple and Google over a Chinese mobile game it says is "a near carbon copy" of one of its most popular games, Rainbow Six: Siege. The BBC reports: Area F2 is "designed to closely replicate... virtually every aspect" of the game, it alleges, in a 43-page document, complete with screenshots. It is also suing the developer, Ejoy, owned by Chinese tech giant Alibaba. Characters, game modes, game maps, animations, and even the user interface were copied, the document alleges. "Virtually every aspect of AF2 is copied from R6S, from the operator selection screen to the final scoring screen and everything in between," Ubisoft claims. "In fact, the games are so similar that an ordinary observer viewing and playing both games likely would be unable to differentiate between them."

Ubisoft estimates Area F2 has been downloaded more than a million times and made "tens of thousands of dollars" on in-game purchases. It says it has raised the issue with both Apple and Google, which both take a cut of sales on their respective app stores. "But rather than take any measures to stop or curtail the infringement... Google and Apple instead decided that it would be more profitable to collect their revenue share from AF2 and continue their unlawful distribution," Ubisoft says in its court filing. Ubisoft is seeking a jury trial over the alleged copyright infringement, in the Central District Court of California.

Encryption

The FBI Successfully Broke Into a Gunman's iPhone, But It's Still Very Angry at Apple (theverge.com) 211

After months of trying, the FBI successfully broke into iPhones belonging to the gunman responsible for a deadly shooting at Pensacola Naval Air Station in December 2019, and it now claims he had associations with terrorist organization al-Qaeda. Investigators managed to do so without Apple's help, but Attorney General William Barr and FBI director Christopher Wray both voiced strong frustration with the iPhone maker at a press conference on Monday morning. From a report: Both officials say that encryption on the gunman's devices severely hampered the investigation. "Thanks to the great work of the FBI -- and no thanks to Apple -- we were able to unlock Alshamrani's phones," said Barr, who lamented the months and "large sums of tax-payer dollars" it took to get into devices of Mohammed Saeed Alshamrani, who killed three US sailors and injured eight other people on December 6th.

Apple has said it provided investigators with iCloud data it had available for Alshamrani's account but did not provide any assistance bypassing iOS's device encryption. Without that help, authorities spent many weeks trying to break in on their own. Wray chastised Apple for wasting the agency's time and resources to unlock the devices. "Public servants, already swamped with important things to do to protect the American people -- and toiling through a pandemic, with all the risk and hardship that entails -- had to spend all that time just to access evidence we got court-authorized search warrants for months ago," he said.

Businesses

Apple Plans to Reopen Some Stores in America This Week, But Customers Must Wear Masks (cnbc.com) 86

An anonymous reader quotes CNBC: Apple released its blueprint Sunday night for how it will reopen its retail stores once it is safe to due so, per official coronavirus health guidelines. It will also open 25 stores in the U.S. this week.

When a store reopens, customers will be required to submit to a temperature check and wear a mask before entering the store, according to the guidelines, written by Apple's retail and human resources boss Deirdre O'Brien. If a customer doesn't have a mask, Apple will provide them with one.

Apple also announced on Sunday several stores in the U.S. that will be reopening this week. Some of the stores will allow customers in, while others will only offer curbside pick-up service. Apple stores will be reopening this week in a handful of states including Florida, California (curbside service), Washington (curbside service), Hawaii, Oklahoma and Colorado. O'Brien said stores would reopen per local official guidelines, and could even close again if lockdown orders in a certain area have to be renacted.

Reuters notes Apple's move is "continuing a gradual process that has unlocked doors at nearly a fifth of its worldwide retail outlets." Around the world nearly 100 Apple stores have already done some form of re-opening, the guidelines state, adding that "In every store, we're focused on limiting occupancy and giving everybody lots of room, and renewing our focus on one-on-one, personalized service... Throughout the day, we're conducting enhanced deep cleanings that place special emphasis on all surfaces, display products, and highly trafficked areas..."

"Down the road, when we reflect on COVID-19, we should always remember how so many people around the world put the well-being of others at the center of their daily lives. At Apple, we plan to carry those values forward, and we will always put the health and safety of our customers and teams above all else."
Bug

Complaining of 'Surplus' of iOS Exploits, Zerodium Stops Buying Them (securityweek.com) 37

wiredmikey writes: An abundance of iOS exploits being submitted to be sold should alarm iPhone/iPad users, according to the CEO of exploit acquisition firm Zerodium. The company announced that it was no longer buying certain types of iOS exploits in the next two to three months [including local privilege escalation, Safari remote code execution, and sandbox escape exploits] due to a surplus. And the company expects prices to drop in the near future.

"iOS Security is fucked," Chaouki Bekrar, CEO of Zerodium said on Twitter, noting that they are already seeing many exploits designed to bypass pointer authentication codes and a few zero-day exploits that can help an attacker achieve persistence on all iPhones and iPads. "Let's hope iOS 14 will be better," he added.

Bekrar said that only pointer authentication codes — which provide protection against unexpected changes to pointers in memory — and the difficulty to achieve persistence "are holding [iOS security] from going to zero."

Slashdot Top Deals