Wednesday, February 29, 2012

iPhone photos can be seen by others

Recently, we learned that the iPhone's Address Book can be shared with app developers because of a flaw that Apple says it is working to fix. Now it appears that a user's photos on the phone can be similarly accessed by various apps without users knowing it.

The photo leakage can happen once a user gives an app permission to access location information on an iPhone (or iPad or iPod Touch), according to The New York Times. The app "can copy the user’s entire photo library, without any further notification or warning, according to app developers."

It is unclear whether any apps in Apple’s App Store are illicitly copying user photos. Although Apple’s rules do not specifically forbid photo copying, Apple says it screens all apps submitted to the store, a process that should catch nefarious behavior on the part of developers. But copying address book data was against Apple’s rules, and the company approved many popular apps that collected that information.

Apple declined to comment to the newspaper; we've also asked Apple about the issue, and will update this post if we hear back.

The newspaper said it "asked a developer, who asked not to be named because he worked for a popular app maker and did not want to involve his employer, to create a test application that collected photos and location information from an iPhone. When the test app, PhotoSpy, was opened, it asked for access to location data. Once this was granted, it began siphoning photos and their location data to a remote server. (The app was not submitted to the App Store.)"

Developers know that "this capability exists," the Times said, but they "assumed that Apple would ensure that apps that inappropriately exploited it did not make it into the App Store. Based on recent revelations, phone owners cannot be sure."
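The access path the Times describes, as an added illustration that is not code from the original post and not the PhotoSpy test app: on iOS 5 an app that enumerates the photo library through the public AssetsLibrary framework triggers the location permission dialog (because photos carry GPS metadata), and once the user taps OK, every photo and its coordinates are readable with no further prompt. The function `dumpPhotoLibrary` and its `report` callback are this example's own names; nothing here uploads anything.

```objectivec
#import <AssetsLibrary/AssetsLibrary.h>
#import <CoreLocation/CoreLocation.h>

// Added example, not from the original post. Walks every album in the
// photo library. On iOS 5 the first call to enumerateGroupsWithTypes:
// shows the *location* permission dialog; after the user accepts, the
// whole library, including each photo's GPS fix, is readable.
// `report` is a hypothetical callback that receives each photo's bytes
// and location; a real app could send them anywhere from there.
static void dumpPhotoLibrary(void (^report)(NSData *image, CLLocation *where)) {
    ALAssetsLibrary *lib = [[ALAssetsLibrary alloc] init];
    [lib enumerateGroupsWithTypes:ALAssetsGroupAll
                       usingBlock:^(ALAssetsGroup *group, BOOL *stop) {
        if (group == nil) return;            // nil group marks the end of enumeration
        [group enumerateAssetsUsingBlock:^(ALAsset *asset, NSUInteger index, BOOL *stopInner) {
            if (asset == nil) return;        // nil asset marks the end of this album
            // Geotag taken from the photo's EXIF data; nil if the photo has none
            CLLocation *where = [asset valueForProperty:ALAssetPropertyLocation];
            ALAssetRepresentation *rep = [asset defaultRepresentation];
            long long size = [rep size];
            NSMutableData *buf = [NSMutableData dataWithLength:(NSUInteger)size];
            NSError *err = nil;
            NSUInteger got = [rep getBytes:[buf mutableBytes]
                                fromOffset:0
                                    length:(NSUInteger)size
                                     error:&err];
            if (err == nil) {
                [buf setLength:got];
                report(buf, where);
            }
        }];
    } failureBlock:^(NSError *error) {
        // Reached when the user declines the location prompt
        // (ALAssetsLibraryAccessUserDeniedError) or Location Services is off.
        NSLog(@"photo library enumeration failed: %@", error);
    }];
}
```

Because this is ordinary public API, the only thing the user sees is a location prompt that reads like a request for GPS access, not for photos. Auditing an app for this behaviour on iOS 5 means checking whether its binary links the AssetsLibrary framework (`otool -L` on the executable lists linked frameworks) and whether the app has a legitimate reason to.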

Friday, February 24, 2012

Flashback Mac trojan is back with new and improved exploit strategy


The "Flashback" Mac trojan is back, and it's smarter than ever. Mac security company Intego says the latest variant, Flashback.G, uses three new methods in order to make its way onto Macs, though it won't install itself at all if it detects a number of antivirus or anti-malware security programs already installed.
"The malware first tries to install itself using one of two Java vulnerabilities. If this is successful, users will be infected with no intervention," Intego wrote on its Mac Security Blog on Thursday. "If these vulnerabilities are not available—if the Macs have Java up to date—then it attempts a third method of installation, trying to fool users through a social engineering trick. The applet displays a self-signed certificate, claiming to be issued by Apple. Most users won’t understand what this means, and click on Continue to allow the installation to continue."
The Intego team believes the latest Flashback variant won't install when it detects security software in order to avoid detection, instead choosing to move onto the plethora of other Macs that aren't protected. As for what it does, the malware injects code into apps that can access the network and then searches for usernames and passwords to exploit, and can even automatically update itself if its developers decide to push out an update.

Saturday, February 11, 2012

Apple is Stealing Address Books


It's not really a secret, per se, but there's a quiet understanding among many iOS app developers that it is acceptable to send a user's entire address book, without their permission, to remote servers and then store it for future reference. It's common practice, and many companies likely have your address book stored in their database. Obviously, there are lots of awesome things apps can do with this data to vastly improve user experience. But it is also a breach of trust and an invasion of privacy.
I did a quick survey of 15 developers of popular iOS apps, and 13 of them told me they have a contacts database with millions of records. One company's database has Mark Zuckerberg's cell phone number, Larry Ellison's home phone number and Bill Gates' cell phone number. This data is not meant to be public, and people have an expectation of privacy with respect to their contacts.
There are two major questions to ask about this behavior:
First, why does Apple allow iOS apps to access a user's entire address book, at any time, without permission? Even Android requires that apps ask for explicit permission to access local contacts. On iOS, every other seemingly private local data source, like location and the camera roll, has strong protections; apps can't even see photos in the Camera Roll unless the user explicitly selects them from the image picker. There is a huge section of the Settings app dedicated to giving people fine control over which apps have access to location information. That Apple provides no protections on the Address Book is, at best, perplexing.
Second, why do app developers, who know of the potential public backlash if this behavior were publicized (that's why they keep it quiet), continue to upload user address books to their servers? I think this question is easier to answer. Any app is an investment, and, like any investment, there are three outcomes -- success, failure, and mediocrity. The only one that matters on a market like the App Store is success, so fledgling app developers do everything they can to increase their chances. Because Apple provides extremely easy access to address book data, the pro -- that is, using the data to improve user experience, increase virality and growth, etc. -- outweighs the con. To stay on equal footing, larger apps, like Yelp, Facebook, and Foursquare, have to follow along. From a design perspective, it is a concession of user growth at the expense of user trust.
Path's public apology, issued after its uploads were exposed, read: "Through the feedback we've received from all of you, we now understand that the way we had designed our 'Add Friends' feature was wrong. We are deeply sorry if you were uncomfortable with how our application used your phone contacts."
There was similar outrage last year, when Kik was outed. But, after a while, things calmed down. Kik never conceded. Developers continued to stay quiet. Users forgot about it entirely.
Apple's Failure
I fully believe this issue is a failure of Apple and a breach of trust by Apple, not by app developers. The expectation of Address Book privacy is obvious; in fact, one person on Hacker News, in response to learning about Path's use of the data, said, "Apple would never do this to their users." Because Apple has your trust and yet gives this private information freely to developers, Apple does do this to their users. All of them.
Usually, when I am curious about something Apple has done, I try to understand the design thinking that went into the decision. In this case, I can't think of a rational reason for why Apple has not placed any protections on Address Book in iOS. It makes no sense. It is a breach of my privacy, and it has allowed every app I've installed to steal my address book.
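What "extremely easy access" meant in practice, as an added example that is not code from the original post or from any of the apps named: on iOS 5 the public AddressBook framework returns every contact to any app that asks, synchronously, with no dialog, no entitlement and no entry in Settings. The function names `copyAllContacts` and `contactsAsJSON` are this example's own.

```objectivec
#import <AddressBook/AddressBook.h>
#import <Foundation/Foundation.h>

// Added example, not from the original post. On iOS 5, ABAddressBookCreate()
// hands back the user's complete address book with no permission check.
// Everything below is ordinary public API; the app needs nothing special.
static NSArray *copyAllContacts(void) {
    ABAddressBookRef book = ABAddressBookCreate();           // no prompt on iOS 5
    NSArray *people = (__bridge_transfer NSArray *)ABAddressBookCopyArrayOfAllPeople(book);
    NSMutableArray *contacts = [NSMutableArray arrayWithCapacity:[people count]];

    for (id entry in people) {
        ABRecordRef person = (__bridge ABRecordRef)entry;
        NSString *name = (__bridge_transfer NSString *)ABRecordCopyCompositeName(person);

        // Every phone number on the card
        NSMutableArray *phones = [NSMutableArray array];
        ABMultiValueRef numbers = ABRecordCopyValue(person, kABPersonPhoneProperty);
        for (CFIndex i = 0; numbers && i < ABMultiValueGetCount(numbers); i++) {
            [phones addObject:(__bridge_transfer NSString *)ABMultiValueCopyValueAtIndex(numbers, i)];
        }
        if (numbers) CFRelease(numbers);

        // Every e-mail address on the card
        NSMutableArray *emails = [NSMutableArray array];
        ABMultiValueRef addrs = ABRecordCopyValue(person, kABPersonEmailProperty);
        for (CFIndex i = 0; addrs && i < ABMultiValueGetCount(addrs); i++) {
            [emails addObject:(__bridge_transfer NSString *)ABMultiValueCopyValueAtIndex(addrs, i)];
        }
        if (addrs) CFRelease(addrs);

        [contacts addObject:@{ @"name": name ?: @"", @"phones": phones, @"emails": emails }];
    }
    CFRelease(book);
    return contacts;
}

// JSON-encodes the whole book. One HTTP POST of this blob is all that the
// "Add Friends" uploads described in the post amount to.
static NSData *contactsAsJSON(void) {
    NSError *err = nil;
    return [NSJSONSerialization dataWithJSONObject:copyAllContacts() options:0 error:&err];
}
```

Nothing in this flow is observable to the user on iOS 5: there is no dialog, no status-bar indicator and no Settings entry. Apple closed this gap in iOS 6 by adding a per-app Contacts prompt and the ABAddressBookRequestAccessWithCompletion call, so code written against iOS 5 as above simply stopped returning records until the user agreed.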

Friday, February 3, 2012

iOS Less Stable than Android

OS stability has always been a big concern when choosing which device you're going to upgrade to. When it comes to the battle between Android and iOS, Apple fanboys would have you believe that their mobile OS is as smooth and steady as an ocean liner, but as history has taught us, some titans — sink. In my talks with friends and acquaintances on why they've chosen iOS over Android, I've heard everything from, "It just works," to the argument that "Android is just too fragmented," or "Apps constantly force close."
Well, then you would assume that data gathered from Crittercism — a research startup that analyzes mobile app crashes — would show that iOS suffers from fewer, if any, app crashes when compared to Android. Right? Wrong.
Surprisingly, Crittercism's data (gathered from more than 214 million app launches between November and December of 2011) shows that apps on iOS crashed much more frequently than comparable apps on Android. In Crittercism's breakdown of crashes by platform, iOS dominates, accounting for nearly 75% of total crashes. Yup. I was just as blown away as you. Numbers don't lie.
Now, the reasons for these app crashes are numerous. Everything from iOS 5 being new to the market, problems with hardware, internet connectivity, language support, or just plain ‘ol poorly coded apps. It can even be argued that because there are so many more iOS devices than Andr– oh, wait. I almost forgot. There isn’t.
Even with this newly released data, I almost still don’t believe it. Android. With all the talks of fragmentation, force closes and incompatible apps, could somehow turn out to be more stable than iOS? Well, slap my momma and call me Sally. Who’d-a-thunkit. Now, I’m sure this will come off as the flames of an Android fanboy but I assure you, I’m not hating. Just found this information interesting and felt like sharing. Did this data surprise any of you?

Thursday, February 2, 2012

The Apple Bug That Let Us Spy on a Total Stranger’s iPhone


Every single iMessage to and from this man's iPhone—his friends call him Wiz—has been sent to us by accident. We know about his job, sex life, and address. Apple, you might want to fix this.
The story is simple: a friend's son had some trouble with his iPhone 4. Being an awesome mom, our friend took it into the Apple Store when her kid was at school. School. Not college or grad school, but I'm-under-18 school. When she got it back, her kid's phone was in perfect working order—but it had also become a portal into another man's private life. No matter how many times we've reset the phone and entered our friend's information, every incoming and outgoing iMessage meant for Wiz shows up on her child's phone. His phone had become her son's phone—and there was an iMessage bevy of stuff you wouldn't want your child to see.
The problem of iMessages winding up on the wrong screens isn't new—we mentioned it back in December. At the time, the worry was that iPhone thieves could pry into your private communications. But that's not what's going on here—this is like a wiretap we didn't ask for—and Wiz has no idea I'm looped in on the whole thing. He texts throughout the day like usual, oblivious to the snooping. Now we see just how big of a deal this obscure "bug" is: Your entire personal life could be flung open, and you'd never know.
Take our word for it—we've gotten to know Wiz pretty well.
You probably underestimate how much of yourself you casually pour into texts each day. We know enough about this guy to stalk him, blackmail him, and harass him, using nothing more than what we've picked up. Based on only a handful of chitchat breadcrumbs and some Google work, we pinned down Wiz's home address, his Facebook profile, email address, personal information about friends, where he exercises, and—drumroll—the Apple store where he works. Yep! This Apple bug screwed an Apple employee—at the same store where our pal took her phone.
In all likelihood, Wiz's messages are being broadcast to a phone he's unaware of because he swapped his SIM card in while repairing our friend's phone—permanently tethering his textual life to a phone that isn't his. The theory that iMessages are deadbolted to SIM cards, rather than just being something you sign into a la Gmail, was bandied around by Ars Technica more than a month ago.
It's impossible that Apple isn't aware of this problem.
But as long as it's the problem of thieves and their victims, maybe it's not high enough on the shit list to correct.
But again, no wrongdoing was committed here—no lost phone or pilfered login. Just a routine trip to the Genius Bar that's turned us into unwitting eavesdroppers. Hopefully this will be enough to give Apple the message. Please fix this, guys.
Below, some choice samples:
He booty-texts.
He works at Apple.
He wanted to kiss the legs of a coworker (bad idea!).
He and his friends liked swapping tranny pics.
He once got his blood pressure measured at the grocery store. Cough drops were on sale.
He enjoys splashing around with his girlfriends.
He pulls heartstrings.

Wednesday, February 1, 2012

Apple Boycott Urged Over Foxconn Investigation


Several high-profile media outlets are calling for a boycott of Apple products, amid new reports of mistreatment of workers at the company's manufacturing chain in China.
The New York Times first ignited media interest last week with a series of articles describing terrible working conditions at factories belonging to Taiwanese electronics manufacturer Foxconn. The company has several factories in mainland China where it produces components for an array of electronic devices, including the Apple iPad.
The newspaper described conditions resembling bonded labor, with employees being forced to work obscenely long shifts in unhealthy conditions, and without many of the labor rights that workers in the West would take for granted. It also mentioned people being killed in explosions at iPad factories, and workers being given poisonous chemicals with which to clean iPhone screens.
Industry commentators from a number of publications have responded to the New York Times report, calling on consumers to boycott Apple.
Dan Lyons, who writes for The Daily Beast and Newsweek, described the situation as "barbaric," but said that "ultimately the blame lies not with Apple and other electronics companies -- but with us, the consumers. And ultimately we are the ones who must demand change."
The Los Angeles Times and Forbes magazine added to the outcry, with Forbes columnist Peter Cohan stating that the number of workers who die building iPhones and iPads is "shockingly high." Others have also pointed to Apple's failure to adequately respond to the reports, and the BBC's Rory Cellan-Jones has suggested that the company needs a new PR strategy.
Apple is not the only international technology company to use Foxconn, however, and this is also not the first time that working conditions at Foxconn have made headlines. Its practices were even the subject of a theater production.
Earlier this year, Microsoft was forced to deal with reports that 150 people working on the Xbox 360 assembly line at the Foxconn Technology Park in Wuhan had threatened to commit mass suicide. Microsoft claimed that the suicide protest had nothing to do with working conditions, and was instead related to staffing assignments and transfer policies.
Foxconn also faced a string of worker suicides in 2010, amid reports in the Chinese media that its staff were being abused. The company agreed to raise the wages of its workers by 20 percent, despite reports that it had considered closing its mainland Chinese plants, and Foxconn installed anti-jumper nets on its high-rise buildings to prevent more suicides.
Then in May 2011, a number of Foxconn workers were killed in an explosion at a factory in Chengdu. The explosion happened in a polishing workshop in the factory where Apple's iPad 2 tablets were being made, and is believed to have been caused by a build-up of aluminum dust.
Apple's chief executive Tim Cook has responded to the latest allegations in an internal email to staff, obtained by 9to5Mac, stating that Apple cares about every worker in its worldwide supply chain.
"Any suggestion that we don't care is patently false and offensive to us," he wrote. "As you know better than anyone, accusations like these are contrary to our values."
Cook added that Apple inspects its factories every year and has helped to improve conditions for "hundreds of thousands of workers". He also said the company was focused on educating workers about their rights, and promised to never turn a blind eye to problems in the company's supply chain.