Security

Apple's T2 Security Chip Has an Unfixable Flaw (wired.com) 81

A recently released tool is letting anyone exploit an unusual Mac vulnerability to bypass Apple's trusted T2 security chip and gain deep system access. The flaw is one researchers have also been using for more than a year to jailbreak older models of iPhones. But the fact that the T2 chip is vulnerable in the same way creates a host of new potential threats. Worst of all, while Apple may be able to slow down potential hackers, the flaw is ultimately unfixable in every Mac that has a T2 inside. From a report: In general, the jailbreak community hasn't paid as much attention to macOS and OS X as it has to iOS, because they don't have the same restrictions and walled gardens that are built into Apple's mobile ecosystem. But the T2 chip, launched in 2017, created some limitations and mysteries. Apple added the chip as a trusted mechanism for securing high-value features like encrypted data storage, Touch ID, and Activation Lock, which works with Apple's "Find My" services. But the T2 also contains a vulnerability, known as Checkm8, that jailbreakers have already been exploiting in Apple's A5 through A11 (2011 to 2017) mobile chipsets. Now Checkra1n, the same group that developed the tool for iOS, has released support for T2 bypass.

On Macs, the jailbreak allows researchers to probe the T2 chip and explore its security features. It can even be used to run Linux on the T2 or play Doom on a MacBook Pro's Touch Bar. The jailbreak could also be weaponized by malicious hackers, though, to disable macOS security features like System Integrity Protection and Secure Boot and install malware. Combined with another T2 vulnerability that was publicly disclosed in July by the Chinese security research and jailbreaking group Pangu Team, the jailbreak could also potentially be used to obtain FileVault encryption keys and to decrypt user data. The vulnerability is unpatchable, because the flaw is in low-level, unchangeable code for hardware. "The T2 is meant to be this little secure black box in Macs -- a computer inside your computer, handling things like Lost Mode enforcement, integrity checking, and other privileged duties," says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. "So the significance is that this chip was supposed to be harder to compromise -- but now it's been done."

XBox (Games)

Xbox Game Streaming Will Land on iOS in 2021 Using Web Workaround (arstechnica.com) 38

Project xCloud, the Microsoft game-streaming service that comes packed as a bonus in certain Xbox Game Pass subscription plans, may finally have a path to working on Apple's range of iOS devices -- well after a public row between the tech giants that put the possibility into question. From a report: The news comes from a report by Business Insider, which claimed that an internal Microsoft meeting on Wednesday included a vote of confidence from Xbox chief Phil Spencer. "We absolutely will end up on iOS," Spencer reportedly said about getting its streamed Project xCloud game content onto iOS devices in "2021." Previously, Apple shot down existing versions of both Project xCloud (which has since been rolled into the "Xbox Game Pass" app) and Google Stadia as iOS apps. Their public statements hinged on "reviewing" the games included in the subscription against App Store guidelines, though the issue could also stem from in-app purchases within both Xbox and Stadia's offerings. Eventually, Apple offered a revised stance on such apps, but this onerous "approval for every separate game" proposal comes with its own headaches, as opposed to a clear path toward a simple subscription service (as you'll find in popular iOS media apps like Netflix and Amazon Video).

The Courts

Fortnite Remains Banned From Apple's App Store After Judge Refuses Epic's Request (bgr.com) 124

Epic Games "did not win its preliminary injunction in its antitrust action against Apple, which would have forced Apple to allow Fortnite back onto the iPhone, iPad, and Mac," reports BGR, calling it "the decision we warned you about a few weeks ago." Judge Gonzalez Rogers hinted during the injunction relief hearing a few weeks ago that she wasn't inclined to side with Epic when it comes to Fortnite. She pointed out at the time that Epic lied in its business relationship with Apple. "You did something, you lied about it by omission, by not being forthcoming. That's the security issue. That's the security issue!" Gonzalez Rogers told Epic. "There are a lot of people in the public who consider you guys heroes for what you guys did, but it's still not honest...."

Epic engineered a huge PR stunt to turn gamers against Apple over the expected Fortnite ban and then sued Apple for anti-competitive practices at the same time. Even if the antitrust case might have merit on its own, this doesn't change the fact that Epic breached its contract... The judge clarified that Epic has breached a contract unilaterally and cannot claim that it did it because of monopoly concerns. Judge Rogers also said that Epic's failure to show it's willing to work with Apple and the court to have the game reinstated proves that Epic isn't necessarily concerned with the well-being of iOS users. "Epic Games cannot simply exclaim 'monopoly' to rewrite agreements giving itself unilateral benefit..."

Epic did receive some good news in the ruling. "Epic Games is grateful that Apple will continue to be barred from retaliating against Unreal Engine and our game development customers," the company said in a statement which was quoted by Thurrott.com. "We will continue developing for Apple's platforms and pursue all avenues to end Apple's anti-competitive behavior."

And the same site also quotes Apple's own statement on the ruling. "We are grateful that the Court recognized that Epic's actions were not in the best interests of its own customers and that any problems they may have encountered were of their own making when they breached their agreement."

China

New Chinese Browser Offers a Glimpse Beyond the Great Firewall -- With Caveats (techcrunch.com) 23

An anonymous reader quotes a report from TechCrunch: China now has a tool that lets users access YouTube, Facebook, Twitter, Instagram, Google, and other internet services that have otherwise long been banned in the country. Called Tuber, the mobile browser recently debuted on China's third-party Android stores, with an iOS launch in the pipeline. The landing page of the app features a scrolling feed of YouTube videos, with tabs at the bottom that allow users to visit other mainstream Western internet services.

While some celebrate the app as an unprecedented "opening up" of the Chinese internet, others quickly noticed the browser comes with a veil of censorship. YouTube queries for politically sensitive keywords such as "Tiananmen" and "Xi Jinping" returned no results on the app, according to tests done by TechCrunch. Using the app also comes with liabilities. Registration requires a Chinese phone number, which is tied to a person's real identity. The platform could suspend users' accounts and share their data "with the relevant authorities" if they "actively watch or share" content that breaches the constitution, endangers national security and sovereignty, spreads rumors, disrupts social orders, or violates other local laws, according to the app's terms of service.

Programming

Apple Made ProtonMail Add In-App Purchases, Even Though it Had Been Free For Years (theverge.com) 56

An anonymous reader shares a report: On Tuesday, Congress revealed whether it thinks Amazon, Apple, Facebook, and Google are sitting on monopolies. In some cases, the answer was yes. But also, one app developer revealed to Congress that it -- just like WordPress -- had been forced to monetize a largely free app. That developer testified that Apple had demanded in-app purchases (IAP), even though Apple had approved its app without them two years earlier -- and that when the dev dared send an email to customers notifying them of the change, Apple threatened to remove the app and blocked all updates. That developer was ProtonMail, makers of an encrypted email app, and CEO Andy Yen had some fiery words for Apple in an interview with The Verge this week. We've known for months that WordPress and Hey weren't alone in being strong-armed by the most valuable company in the world, ever since Stratechery's Ben Thompson reported that 21 different app developers quietly told him they'd been pushed to retroactively add IAP in the wake of those two controversies. But until now, we hadn't heard of many devs willing to publicly admit it. They were scared.

And they're still scared, says Yen. Even though Apple changed its rules on September 11th to exempt "free apps acting as a stand-alone companion to a paid web based tool" from the IAP requirement -- Apple explicitly said email apps are exempt -- ProtonMail still hasn't removed its own in-app purchases because it fears retaliation from Apple, he says. He claims other developers feel the same way: "There's a lot of fear in the space right now; people are completely petrified to say anything." [...] "For the first two years we were in the App Store, that was fine, no issues there," he says. (They'd launched on iOS in 2016.) "But a common practice we see ... as you start getting significant uptake in uploads and downloads, they start looking at your situation more carefully, and then as any good Mafia extortion goes, they come to shake you down for some money."

Advertising

Facebook Revenue Chief Says Ad-Supported Model Is 'Under Assault' Amid Apple Privacy Changes (cnbc.com) 142

Facebook Chief Revenue Officer David Fischer said Tuesday that the economic models that rely on personalized advertising are "under assault" as Apple readies changes that would limit the ability of Facebook and other companies to target ads and estimate how well they work. Apple frames the change as preserving users' privacy, rather than as an attack on the advertising industry, and has been promoting its privacy features as a core reason to get an iPhone. CNBC reports: The change to Apple's identifier for advertisers, or IDFA, will give iPhone users the option to block tracking when opening an app. It was originally planned for iOS 14, the version of the iPhone operating system that was released last month. But Apple said last month it was delaying the rollout until 2021 "to give developers time to make necessary changes." Fischer, speaking at a virtual Advertising Week session Tuesday morning, spoke about the changes after being asked about Facebook's vulnerability to the companies that control mobile platforms, like Apple and Google, which runs Android.

Fischer argued that though there's "angst and concern" about the risks of technology, personalized and targeted advertising has been essential to help the internet grow. "The economic model that not just we at Facebook, but so many businesses rely on, this model is worth preserving, one that makes content freely available, and the business that makes it run and hum, is via advertising," he said. "And right now, frankly, some of that is under assault, that the very tools that entrepreneurs, that businesses are relying on right now are being threatened. To me, the changes that Apple has proposed, pretty sweeping changes, are going to hurt developers and businesses the most."

Fischer said the company plans to "defend" its existing model. "There are different business models out there. Apple has one that sells luxury hardware or subscription services, mainly to consumers like us who are fortunate enough to have a lot of discretionary income in some of the world's wealthiest countries," he said. "That's fine, but I don't think it's appropriate to then dictate that has to be other business models, and the one that we believe is so valuable, one that relies on advertising, in our case, personalized ads, to enable free products, enable businesses to launch and grow and thrive, we're going to defend that. And we think it really important that not just we but our industry does that."

Chrome

Chrome 86 Brings Password Protections For Android and iOS, VP9 For MacOS Big Sur (venturebeat.com) 16

An anonymous reader writes: Google today launched Chrome 86 for Windows, Mac, Linux, Android, and iOS. Chrome 86 brings password protections for Android and iOS, VP9 for macOS Big Sur, autoupgrades for insecure forms, focus indicator improvements, and a slew of developer features. You can update to the latest version now using Chrome's built-in updater or download it directly from google.com/chrome.

With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome's regular additions and changes, developers have to stay on top of everything available -- as well as what has been deprecated or removed. Chrome 86, for example, deprecates support for FTP URLs, starting with 1% of users and ramping up to 100% by Chrome 88.

Music

Spotify Now Lets You Search For Songs By Lyrics (theverge.com) 10

Spotify has rolled out a useful new feature today for iOS and Android that allows users to search for songs by their lyrics. 9to5Mac reports: When you're not sure of the name of a song or artist, music recognition apps like Shazam are great if the song is playing. However, they don't work nearly as well if you're just trying to sing a couple of the lyrics into your phone. In those cases, it's common to search the web for the lyrics before heading to your music service to play or add the track. Now Spotify has simplified that problem, as the service on both iOS and Android has added the handy option to type in lyrics to search for songs. Spotify designer Lina shared the news on Twitter this morning.

iPhone

Battery Drain Problems After iPhone Upgrade? Apple Suggests Complete Data Wipe (forbes.com) 64

Apple has confirmed several problems including "increased battery drain" for some users who upgraded their iPhone to iOS 14. But ZDNet warns Apple's proposed solution "sounds pretty drastic."

Forbes reports: In an official post, Apple reveals seven significant data and battery-related problems with iOS 14 and watchOS 7, and the company states the only fix is to "erase all content and settings from your iPhone".

Breaking these down, Apple classifies six as related to its Activity, Health and Fitness apps as well as the broader problem of "Increased battery drain on your iPhone or Apple Watch." The latter will not be a surprise to anyone who has seen the growing number of complaints directed at the company's @AppleSupport Twitter account since iOS 14 was released...

On the plus side, Apple's belief that these problems can be fixed without an iOS update is good news. That said, a complete data wipe is also the nuclear option, so Apple is not messing around... I would also be amazed if iOS 14.0.2 is not being fast-tracked as we speak.

Censorship

Apple Removes Two RSS Feed Readers From China App Store To Please China's Censors (techcrunch.com) 15

Two RSS reader apps, Reeder and Fiery Feeds, said this week that their iOS apps have been removed in China over content that was deemed "illegal" by the local cyber watchdog. TechCrunch reports: Apps get banned in China for all sorts of reasons. Feed readers of RSS, or Really Simple Syndication, are particularly troubling to the authority because they fetch content from third-party websites, allowing users to bypass China's Great Firewall and reach otherwise forbidden information, though users have reported that not all RSS apps can circumvent the elaborate censorship system. Those who use RSS readers in China are scarce, as the majority of China's internet users -- 940 million as of late -- receive their dose of news through domestic services, from algorithmic news aggregators such as ByteDance's Toutiao and WeChat's built-in content subscription feature to apps of mainstream local outlets. Major political events and regulatory changes can trigger new waves of app removals, but it's unclear why the two RSS feed readers were pulled this week.

Inoreader, a similar service, was banned from Apple's Chinese App Store back in 2017. Feedly is also unavailable through the local App Store. The history of China's crackdown on RSS dates back to 2007 when the authority launched a blanket ban on web-based RSS feed aggregators. The latest incidents could well be part of Apple's business-as-usual in China: cleaning up foreign information services operating outside Beijing's purview, regardless of their reach.

Google

Google's Epic Response: Android 12 Will Make It Easier To Install App Stores (venturebeat.com) 44

Google today announced it will make it easier to install and use third-party app stores with the release of Android 12 next year. From a report: Google also reiterated its existing Payments Policy for in-app purchases of digital goods: Android developers who want to distribute apps and games on Google Play must use Play's billing system. Google is offering a 1-year grace period for developers who aren't complying with this policy: the deadline is September 30, 2021. Today's announcements are a direct response to Epic's war with Apple and Google over the 30% cut they take of every purchase on the iOS App Store and the Google Play store, respectively. On August 13, Epic updated Fortnite for Android and iOS to use its own billing service, resulting in Apple and Google deleting Fortnite from their app stores. Epic then turned around and sued both tech giants. The lawsuits could define how all developers, from individuals to massive corporations, distribute apps on the world's duopoly of mobile operating systems.

Firefox

Firefox 81 Released, Can Now Be Your Default Browser in iOS (engadget.com) 34

Engadget reports: One big benefit of iOS 14 is that you can set non-Apple-made apps as your default, including for email and web browsing. Hot on the heels of you being able to set Chrome and Gmail as your clients of choice, Firefox is enabling you to make its browser the default on iPhones and iPads. Naturally, you'll need to have both the latest version of the operating system and the apps, and then just make the switch inside settings.
Meanwhile, Bleeping Computer profiles some of the new features in this week's release of Firefox 81, including:
  • The ability to control videos via your headset and keyboard even if you're not using Firefox at the time
  • A new credit card autofill feature for Firefox users in the U.S. and Canada
  • A new theme called AlpenGlow
  • Firefox can now be set as the default system PDF viewer

Businesses

Apple Backs Down on Taking 30% Cut of Paid Online Events on Facebook (arstechnica.com) 10

Facebook has temporarily shamed Apple out of taking a 30 percent cut of paid online events organized by small businesses and hosted on Facebook -- things like cooking classes, workout sessions, and happy hours. Demand for these kinds of online events has soared during the COVID-19 pandemic. From a report: Apple says that it has a longstanding policy that digital products must be purchased using Apple's in-app payments system -- and hence pay Apple's 30 percent tax. In contrast, companies selling physical goods and services are not only allowed but required to use other payment methods (options here include Apple Pay, which doesn't take such a big cut). For example, an in-person cooking class is not a digital product, so a business selling cooking class tickets via an iPhone app wouldn't have to give Apple a 30 percent cut. But if the same business offers a virtual cooking class, Apple considers that to be a digital product and demands a 30 percent cut -- at least if the customer pays for the class using an iOS device. Last month, Facebook announced it would start offering a new feature for small businesses to host paid online events. Facebook has waived any fees for the first year, allowing small businesses to pocket 100 percent of the revenue. But Apple refused to budge on its 30 percent take.

XBox (Games)

Microsoft's New Xbox App Will Let You Stream Xbox One Games To Your iPhone (theverge.com) 16

Microsoft is about to release a big Xbox app update for iOS that includes the ability to stream Xbox One games to an iPhone. The Verge reports: A new Xbox app will arrive in the App Store soon that includes a remote play feature, which lets Xbox One console owners stream their games to an iPhone. Remote play is different to Microsoft's xCloud service, which streams games directly from servers instead of your own Xbox One console. This Xbox remote play feature will only connect to your own Xbox console, not to xCloud. It's similar to Sony's own PS4 Remote Play feature that's also available on Android and iOS.

You will be able to access an Xbox console over Wi-Fi, or even an LTE or 5G connection, too. As this app takes control of your home Xbox, you can remotely start your console outside of your home. The Xbox will start up without a sound or the Xbox light at the front, and when you disconnect, it goes back into standby after a brief period of inactivity. A new Xbox app arrived on Android recently, and this updated iPhone version includes the same new design and new features.

Facebook

Facebook Opens New Fight With Apple Over Messaging (9to5mac.com) 59

Facebook executives have sharply ramped up their criticism of Apple in recent months, contesting the iPhone maker's restrictions on gaming apps and ad targeting, as well as its cut of in-app purchases. Now, emboldened by Apple software changes that suggest it is starting to bend, Facebook wants something else: the option to make its Messenger app the default messaging tool on iPhones [Editor's note: the link is paywalled; alternative source]. From a report: "We feel people should be able to choose different messaging apps and the default on their phone," Stan Chudnovsky, the Facebook vice president in charge of its Messenger app, told The Information. "Generally, everything is moving this direction anyway." Chudnovsky said Facebook has asked Apple over the years to consider opening up default messaging. Apple has never agreed. Apple's Messages app is a core feature of its mobile software that encourages people to keep buying its devices, and the app's encryption of messages is also a cornerstone of the company's privacy pitch to consumers. Google's rival Android mobile operating system already lets users choose their default messaging app.

Twitter

Twitter To Start Testing Voice DMs (theverge.com) 10

According to The Verge, Twitter says they will be testing voice DMs soon, after rolling out audio tweets for iOS in June. From the report: Brazil will be the first country included in that test. "We know people want more options for how they express themselves in conversations on Twitter -- both publicly and privately," [Alex Ackerman-Greenberg, product manager for direct messages at Twitter, said in a 20-second voice message].

Similar to voice tweets, voice messages have a bare-bones, simple interface: there's just a play / pause button, and the sender's avatar pulsates as the message plays. The product team designed an "in-line recording experience to make it easier to send these messages as part of the natural conversation flow," so that's one difference from the current audio tweets interface. There's a "report message" option in the event that someone misuses voice DMs, which is always a fair concern with private audio.

Programming

Google Expands its Flutter Development Kit To Windows Apps (venturebeat.com) 41

Google has announced that Flutter, its open source UI development kit for building cross-platform software from the same codebase, is finally available for Windows apps in alpha. From a report: For the world's leading desktop operating system with some 1 billion installations of Windows 10 alone, this has been a long time coming. Flutter's alpha incarnation was initially launched at Google's I/O developer conference back in 2017, before arriving in beta less than a year later. In its original guise, Flutter was designed for Android and iOS app development, but it has since expanded to cover the web, macOS, and Linux, which are currently available in various alpha or beta iterations. Developers have had to consider unique platform-specific factors when designing for the desktop or mobile phones, such as different screen sizes and how people interact with their devices. On smartphones, people typically use touch and swipe-based gestures, while keyboards and mice are commonly used on PCs and laptops. This means Flutter has had to expand its support to cover the additional inputs.

Bug

iOS 14 Resets iPhone's Default Apps To Apple's Safari and Mail After Reboot (cnet.com) 55

Users have found a major bug in Apple's iOS 14 iPhone software. The free software upgrade, which Apple made publicly available last week, includes features many users had long asked for, such as better ways to organize apps, living programs called widgets on the home screen, and the ability to change which default apps the phone uses to browse the web or send an email. That last one doesn't appear to work. From a report: A growing chorus of Twitter users has been posting about the bug in Apple's default email and default web browser options. What happens is that whenever they set the default browser to Google's Chrome, for example, it works as expected, and tapping any link in an app or browser will open Chrome on the iPhone. But then if they restart the phone, iOS 14 changes that default back to Apple's Safari. "We are aware of an issue that can impact default email and browser settings in iOS 14 and iPadOS 14. A fix will be available to users in a software update," Apple said in a statement.

iOS

Picture-In-Picture Mode On iOS 14 No Longer Working With YouTube's Mobile Website Unless You Pay For Premium (macrumors.com) 63

An anonymous reader quotes a report from MacRumors: Apple in iOS 14 added Picture in Picture to the iPhone, a feature designed to let you watch a video in a small screen on your device while you continue to do other things on the phone. The YouTube app doesn't support Picture in Picture, but up until yesterday there was a functional workaround that allowed videos from YouTube.com to be watched in Safari in Picture in Picture mode. As of today, that workaround is gone, and it's not clear if it's a bug or a deliberate removal. Attempting to use Picture in Picture on a video on the mobile YouTube website simply doesn't work. Tapping the Picture in Picture button when in full screen mode pops the video out for a second, but it immediately pops back into the website, so it can't be used as a Picture in Picture window. [...] Picture in Picture appears to work on the mobile YouTube website in Safari for those who are YouTube Premium subscribers, which suggests that the restriction is intentional and not a bug.

Security

Billions of Devices Vulnerable To New 'BLESA' Bluetooth Spoofing Attack (zdnet.com) 27

An anonymous reader writes: "Billions of smartphones, tablets, laptops, and IoT devices are using Bluetooth software stacks that are vulnerable to a new security flaw disclosed over the summer," reports ZDNet. Named BLESA (Bluetooth Low Energy Spoofing Attack), the vulnerability impacts devices running the Bluetooth Low Energy (BLE) protocol, and affects the reconnection process that occurs when a device moves back into range after losing or dropping its pairing. A successful BLESA attack allows bad actors to connect with a device (by getting around reconnection authentication requirements) and send spoofed data to it. In the case of IoT devices, those malicious packets can convince machines to carry out different or new behavior. For humans, attackers could feed a device deceptive information. BLESA impacts billions of devices that run vulnerable BLE software stacks. Affected BLE software libraries include BlueZ (Linux-based IoT devices), Fluoride (Android), and the iOS BLE stack. Windows' BLE stack is not impacted.
