IOS

Apple Officially Bans Scammy Antivirus Apps From iOS App Store (theverge.com) 51

Fake "virus scanning" apps have plagued the iOS App Store for a while, and Apple seems to finally be banning them once and for all in updated developer guidelines it published last week. From a report: The updated developer guidelines, compiled by Paul Hudson over at Hacking With Swift, now includes a ban on apps that claim to "including content or services that it does not actually offer" -- something that includes any iOS virus scanning apps, seeing as it wasn't possible to scan for viruses on iOS with third party apps, since iOS's sandboxing prevents applications from directly interacting with each other or the core of the iOS operating system.
Android

Target's Sales Floors Are Switching From Apple To Android Devices (gizmodo.com) 115

After three years of Apple products, Target is moving to Android devices for stocking, pulling items, and other essential sales floor duties. Target first outfitted its employees with Apple products in 2014, replacing PDAs with iPod Touches. Gizmodo reports: In Fall of 2016, Target stores began testing the Zebra TC51, which runs Android 6.0 Mashmallow and was confirmed to Gizmodo as "the new MyDevices for store team members chainwide" by a company spokesperson over email. On Reddit's r/Target page and the unofficial employee forum The Breakroom, the new devices have been met with enthusiasm -- and plenty of jabs at the old iOS scanners. "The current iOS my devices we have all sorts of issues, connection issues, scanner issues, and tons more," one Breakroom poster complained. On Reddit, a former store manager wrote that "the iPod hardware they used as on the floor scanners for employees died quickly and there was no way of swapping in new batteries. There were many hardware issues that came about with the ipods." While a Target spokesperson confirmed the company will still purchase some products from Apple -- iPads for online order pickups, iPhones for managers -- the sales floor is switching to Android, and the company is staffing up on Android developers to port over all the internal software stores use.
Businesses

The iPhone Is Guaranteed To Last Only One Year, Apple Argues In Court (vice.com) 433

Reader Jason Koebler writes: Last month, Greg Joswiak, Apple's VP of iOS, iPad, and iPhone Marketing, told Buzzfeed that iPhones are "the highest quality and most durable devices. We do this because it's better for the customer, for the iPhone, and for the planet."
But in a class-action court case over the widespread premature failure of tens of thousands of iPhone 6 and iPhone 6 Plus devices, Apple argues that the company cannot guarantee any iPhone for more than a year. In a motion to dismiss, Apple argued that "to hold Apple's Limited Warranty substantively unconscionable simply because Plaintiffs expect their iPhones to last the length of their cellular service contracts 'would place a burden on [Apple] for which it did not contract.'"

OS X

Apple Is Releasing macOS High Sierra On September 25 (techcrunch.com) 95

After updating its website for the iPhone launch event, Apple has confirmed that macOS High Sierra will be released on September 25th. TechCrunch provides a brief rundown of the major changes, most of which are under the hood: The Photos app is still receiving some new features to keep it up to date with the iOS version. There are more editing tools, you can reorganize the toolbar and you can filter your photos by type. If you're a Safari user, my favorite change is that there is a new feature in the settings that lets you automatically block autoplaying videos around the web. Many websites have abused autoplaying video, it's time to stop it. And then, there's a new file system that should make your Mac snappier if you're using an SSD. Mail is compressing messages, Metal 2 should take better advantage of your GPU, Spotlight knows about your flight status, etc. The free update to macOS High Sierra will be available in the Mac App Store.
Security

BlueBorne Vulnerabilities Impact Over 5 Billion Bluetooth-Enabled Devices (bleepingcomputer.com) 121

An anonymous reader quotes a report from Bleeping Computer: Security researchers have discovered eight vulnerabilities -- codenamed collectively as BlueBorne -- in the Bluetooth implementations used by over 5.3 billion devices. Researchers say the vulnerabilities are undetectable and unstoppable by traditional security solutions. No user interaction is needed for an attacker to use the BleuBorne flaws, nor does the attacker need to pair with a target device. They affect the Bluetooth implementations in Android, iOS, Microsoft, and Linux, impacting almost all Bluetooth device types, from smartphones to laptops, and from IoT devices to smart cars. Furthermore, the vulnerabilities can be concocted into a self-spreading BlueTooth worm that could wreak havoc inside a company's network or even across the world. "These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date," an Armis spokesperson told Bleeping Computer via email. "Previously identified flaws found in Bluetooth were primarily at the protocol level," he added. "These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device." Consumers are recommended to disable Bluetooth unless you need to use it, but then turn it off immediately. When a patch or update is issued and installed on your device, you should be able to turn Bluetooth back on and leave it on safely. The BlueBorne Android App on the Google Play Store will be able to determine if a user's Android device is vulnerable. A technical report on the BlueBorne flaws is available here (PDF).
Google

Equifax's App Has Disappeared From Apple's App Store and Google Play (fastcompany.com) 73

From a report: Equifax's mobile app has been removed from both the iOS and Google Play app stores. According to data from AppAnnie, the app was taken down the same day Equifax announced its massive security breach (September 7). Now customers no longer have access to Equifax Mobile. For example, when iOS users attempt to access the app, they receive a pop-up requiring them to update the program. The pop-up directs users to the App Store -- where they are informed the Equifax app is no longer available. We don't know why the app came down, though Fast Company has confirmed Apple was not involved with the decision to remove Equifax from the App Store.
Businesses

Apple Suffers 'Major iPhone X Leak' 114

Details of new iPhones and other forthcoming Apple devices have been revealed via an apparent leak. From a report: Two news sites were given access to an as-yet-unreleased version of the iOS operating system. The code refers to an iPhone X in addition to two new iPhone 8 handsets. It also details facial recognition tech that acts both as an ID system and maps users' expressions onto emojis. One tech writer said it was the biggest leak of its kind to hit the firm. [...] "As best I've been able to ascertain, these builds were available to download by anyone, but they were obscured by long, unguessable URLs [web addresses]," wrote John Gruber, a blogger known for his coverage of Apple. "Someone within Apple leaked the list of URLs to 9to5Mac and MacRumors. I'm nearly certain this wasn't a mistake, but rather a deliberate malicious act by a rogue Apple employee." Neither Mr Gruber nor the two Apple-related news sites have disclosed their sources. However, the BBC has independently confirmed that an anonymous source provided the publications with links to iOS 11's golden master (GM) code that downloaded the software from Apple's own computer servers. It's a big blow to Apple, which uses surprise as a key element at its events. The leak could take some wind out of its sails as it looks to wow consumers. In 2012, Tim Cook had said the company was planning to "double down on secrecy." At the quarterly earnings call, he blamed the leaks about the upcoming iPhone models as one of the reasons that slowed down the sales of current generation iPhone models. However, an analysis published over the weekend found that Apple itself has been the source of several of these leaks in the years since. Earlier this year, the company held a meeting to boast about its internal progress to curb leaks. The hour-long recording of the meeting ironically got leaked. Nearly all details, except the final press renders of the new iPhone models, have leaked. In a subsequent post, Gruber wrote: The BBC doesn't say definitively that the leak was sent by an Apple employee, but I can state with nearly 100 percent certainty that it was. I also think there's a good chance Apple is going to figure out who it was. [...] That person should be ashamed of themselves, and should be very worried when their phone next rings. Moments ago, 9to5Mac reported about a new tvOS firmware leak, which appeared "to be out in the wild today" that details the upcoming features of the next generation Apple TV streaming device.
Facebook

Facebook Finds a New Service To Copy: Tinder (vice.com) 46

An anonymous reader shares a report from Motherboard, written by Jacob Dube: Facebook is trying out a new feature that connects users on its Messenger chat platform, but only if they both accept. It looks a lot like Tinder, except it only appears to be connecting people who are already friends with each other. While using Facebook on my phone Wednesday night, I was greeted by a notification that said "[Name redacted] and 15 others may want to meet up with you this week." When I opened the link, I was taken to a page with photos of my Facebook friends and a question: "Want to meet up with [name redacted] this week?" It indicated that my response would be private unless we both said yes. Tap "No Thanks," and that's the end of it. The feature seems to be in beta, and, though it is currently available to me and a few of my friends in Canada, the rest of Motherboard was unable to access it. It's unclear what the feature might be called. It's not hard to see the similarity between the feature and dating apps like Tinder or Bumble, but the Facebook feature seems to connect you only to people you already know, and could have already reached on the Messenger app. The feature didn't just show me potential love interests, however. It also displayed some of my friends, indicating that it might be used to encourage people who are already friends on Facebook to hang out IRL. "People often use Facebook to make plans with their friends," a Facebook spokesperson told Motherboard in an email. "So, we're running a very small test in the Facebook app to make that easier. We look forward to hearing people's feedback." The test is reportedly limited to a small number of users in parts of Toronto and New Zealand, on iOS and Android.
Android

Android Oreo's Rollback Protection Will Block OS Downgrades (androidpolice.com) 119

jbernardo writes: Google is using the boiling frog method to exclude power users and custom ROMs from android. A new feature in Android 8.0 Oreo, called "Rollback Protection" and included in the "Verified Boot" changes, will prevent a device from booting should it be rolled back to an earlier firmware. The detailed information is here. As it rejects an image if its "rollback index" is inferior than the one in "tamper evident storage," any attempts to install a previous version of the official, signed ROM will make the device unbootable. Much like iOS (without the rollback grace period) or the extinct Lumias. It is explained in the recommended boot workflow and notes below, together with some other "smart" ideas.

Now, this might seem like a good idea at first, but let's just just imagine this on a PC. It would mean no easy rollback from windows 10 to 7 after a forced installation, and doing that or installing linux would mean a unreasonably complex bootloader unlocking, with all your data wiped. Add safetynet to the mix, and you would also be blocked from watching Netflix or accessing your banking sites if you dared to install linux or rollback windows. To add insult to injury, unlocked devices will stop booting for at least 10 seconds to show some paternalist message on how unlocking is bad for your health: "If the device has a screen and buttons (for example if it's a phone) the warning is to be shown for at least 10 seconds before the boot process continues." Now, and knowing that most if not all android bootloaders have vulnerabilities/backdoors, how can this be defended, even with the "security/think of the children" approach? This has no advantages other than making it hard for users to install ROMs or to revert to a previous official ROM to restore missing functionality.

Operating Systems

Is Apple Copying Palm's WebOS? (salon.com) 188

An anonymous reader quotes a report from Salon: Released in 2009 by Palm -- the same company that popularized the PDA in the 1990s -- WebOS pioneered a number of innovations, including multiple synchronized calendars, unified social media and contact management, curved displays, wireless charging, integrated text and Web messaging, and unintrusive notifications [that have all been copied by the mobile operating systems that defeated it on the marketplace]. The operating system, built on top of a Linux kernel, was also legendary for how easily it could be upgraded by users with programming skills. WebOS was also special in that it used native internet technologies like JavaScript for local applications. That was a huge part of why it was able to do so much integration with Web services, something its competitors at the time simply couldn't match.

Apple's upcoming iOS 11 once again demonstrates how far ahead of its time WebOS really was. The yet-to-be-released Apple mobile system has essentially copied the WebOS model for switching apps by having the user swipe upward from the bottom to reveal several "cards" that represent background applications. While Apple's decision to remove its massively overworked Home button is an improvement, it is still an inferior way of switching apps, compared to what you could do on WebOS eight years ago.

Businesses

Apple Acknowledges Siri Leadership Has Officially Moved From Eddy Cue To Craig Federighi (macrumors.com) 52

An anonymous reader shares a report: Apple has updated its executive leadership page to acknowledge that software engineering chief Craig Federighi now officially oversees development of Siri. The responsibility previously belonged to Apple's services chief Eddy Cue. "Craig Federighi is Apple's senior vice president of Software Engineering, reporting to CEO Tim Cook. Craig oversees the development of iOS, macOS, and Siri. His teams are responsible for delivering the software at the heart of Apple's innovative products, including the user interface, applications and frameworks," Apple says. Apple's leadership page is only now reflecting Federighi's role as head of Siri, but the transition has been apparent for several months, based on recent interviews and stage appearances at Apple's keynotes.
Privacy

Uber Says It'll Stop Tracking Riders After They're Dropped Off (usatoday.com) 69

Uber is revamping privacy settings that it rolled out last fall to allow iOS users the ability to deny Uber the right to track your whereabouts. Similar tweaks are reportedly coming to the Android version of the app. USA Today reports: The new options for Uber app users are: Always (Uber is allowed to collect rider location information from the moment the app is opened until the trip ends), While Using The App (information flows to Uber while the app is visible on the screen) and Never (no info is transmitted but riders have to manually input their pick-up and drop-off locations). One of the old privacy features that gave many users pause was Uber's ability to track the whereabouts of riders up to 5 minutes after a ride was completed. Uber says the 5-minute feature was never activated on the iOS version of its app, and that it was disabled a few months after being initiated on the Android version. The company maintained that the feature was to enhance safety, but for many the option was too reminiscent of some of Uber's more notorious Big Brother tactics.

In 2016, Uber settled an investigation brought by New York's attorney general by agreeing to encrypt rider geo-location. The inquiry was sparked by reports that Uber executives had access to riders' locations, and that Uber displayed rider information in an aerial view known internally as "God View." Earlier this year, federal regulators began investigating an Uber practice known as "greyballing," which allowed engineers to take over an app and create a screen showing cars that did not really exist. The practice was used to steer regulators investigating Uber away from drivers, and was halted by Uber after being reported by The New York Times.

Software

Why Are There So Many Knobs in Audio Software? (theoutline.com) 214

John Lagomarsino, writing for The Outline: Skeuomorphic design, where user interfaces emulate the appearance of physical objects, has been popular for pretty much the history of personal computing. The ideas of "files," "folders," and the "recycle bin" in Windows could be considered skeuomorphs, intended to help transition early computer users from analog to digital, as could the idea of an "inbox" and "outbox" in email and the paperclip that symbolizes attachments. More recently, a lot of early iOS apps were famous for their heavy-handed skeuomorphic elements, with felt textures and chunky drop shadows. But no area of computing has so thoroughly gone for it more than audio software. The first Billboard #1 single that was recorded to a hard drive instead of tape was "Livin' La Vida Loca" in 1999; 18 years later, in 2017, most audio software still looks like the designers attempted to replicate physical equipment piece for piece on a computer screen. Faders, switches, knobs, needles twitching between numbers on a volume meter -- they're all there. Except you have to control them with a mouse. Winamp may have been Patient Zero in this gaudy epidemic, but it has spread far and wide. I spend a lot of my time mixing and editing audio, and that often involves having multiple audio plugins (essentially applications that run inside the main audio program) from multiple vendors running simultaneously. But all audio software, for what I suppose are historical reasons, features the most egregious skeuomorphic design in all of software. Alone, each plugin is hideous in its own unique way. A panel of 3D knobs here, a pixelated oscilloscope there.
Businesses

AccuWeather Updates Its iOS App To Address Privacy Outcry (techcrunch.com) 54

Taylor Hatmaker, writing for TechCrunch: Responding to privacy concerns, AccuWeather is out with a new version of its iOS app that removes a controversial data sharing behavior. Earlier this week, security researcher Will Strafach called attention to the practice in a post and users took to Twitter to announce their intention to dump the app in droves. "AccuWeather's app employed a Software Development Kit (SDK) from a third party vendor (Reveal Mobile) that inadvertently allowed Wi-Fi router data to be transmitted to this third-party vendor," the company wrote in a statement accompanying the app update. "Once we became aware of this situation we took immediate action to verify the operation and quickly disabled the SDK from the IOS app. Our next step was to update the IOS app and remove Reveal Mobile completely."
Privacy

Wading Through AccuWeather's Response (daringfireball.net) 81

On Tuesday, ZDNet reported that popular weather app AccuWeather was sending location-identifying information to a monetization firm, even when a person had disabled location data from the app. In a response, AccuWeather said today "if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user." But it is misleading people. John Gruber of DaringFireball writes: The accusation has nothing to do with "GPS coordinates." The accusation is that their iOS app is collecting Wi-Fi router names and MAC addresses and sending them to servers that belong to Reveal Mobile, which in turn can easily be used to locate the user. Claiming this is about GPS coordinates is like if they were caught stealing debit cards and they issued a denial that they never stole anyone's cash. The accusation comes from Will Strafech, a respected security researcher who discovered the "actual information" by observing network traffic. He saw the AccuWeather iOS app sending his router's name and MAC address to Reveal Mobile. This isn't speculation. They were caught red-handed. GPS information is more precise, and if you grant the AccuWeather app permission to access your location (under the guise of showing you local weather wherever you are, as well as localized weather alerts), that more precise data is passed along to Reveal Mobile as well. But Wi-Fi router information can be used to locate you within a few meters using publicly available databases. Seriously, go ahead and try it yourself: plug your Wi-Fi router's BSSID MAC address into this website, and there's good chance it'll pinpoint your location on the map. "Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather," the company writes. In what way is the name and MAC address of your router not "user information"? And saying the information was "unused by AccuWeather" is again sleight of hand. The accusation is not that AccuWeather itself was using the location of the Wi-Fi router, but that Reveal Mobile was. Here are Reveal Mobile's own words about how they use location data.
Security

Secret Chips in Replacement Parts Can Completely Hijack Your Phone's Security (arstechnica.com) 62

Dan Goodin, writing for ArsTechnica: People with cracked touch screens or similar smartphone maladies have a new headache to consider: the possibility the replacement parts installed by repair shops contain secret hardware that completely hijacks the security of the device. The concern arises from research that shows how replacement screens -- one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0 -- can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it. The research, in a paper presented this week (PDF) at the 2017 Usenix Workshop on Offensive Technologies, highlights an often overlooked disparity in smartphone security. The software drivers included in both the iOS and Android operating systems are closely guarded by the device manufacturers, and therefore exist within a "trust boundary."
IOS

iOS 11 Has a Feature To Temporarily Disable Touch ID (cultofmac.com) 138

A new feature baked into iOS 11 lets you quickly disable Touch ID, which could come in handy if you're ever in a situation where someone (a cop) might force you to unlock your device. Cult of Mac reports: To temporarily disable Touch ID, you simply press the power button quickly five times. This presents you with the "Emergency SOS" option, which you can swipe to call the emergency services. It also prevents your iPhone from being unlocked without the passcode. Until now, there were other ways to temporarily disable Touch ID, but they weren't quick and simply. You either had to restart your iPhone, let it sit idle for a few days until Touch ID was temporarily disabled by itself, or scan the wrong finger several times. The police, or any government agency, cannot force you to hand over your iPhone's passcode. However, they can force you to unlock your device with your fingerprint. That doesn't work if your fingerprint scanner has been disabled.
Media

Video Is Coming To Reddit (variety.com) 74

An anonymous reader shares a report from Variety: Videos are coming to Reddit, thanks to a new feature that allows users to upload video clips directly to the service. Reddit rolled out the new video feature Tuesday after testing it with around 200 communities over the past couple of weeks. Reddit users are now able to upload videos of up to 15 minutes in length, with file sizes being limited to 1 gigabyte. Users will be able to upload videos via Reddit's website and its mobile apps for iOS and Android, with the latter offering basic trimming functionality as well. And, in keeping with the spirit of the site, Reddit is also offering a conversion tool to turn videos into animated Gifs. Videos are being displayed persistently, or pinned, meaning that users can scroll through the comments while the video keeps playing in the corner of their screen. And community moderators can opt not to allow videos in their Subreddits at all, with Le arguing that some discussion-heavy Subreddits may decide that the format just doesn't work for them.
Desktops (Apple)

In Defense of the Popular Framework Electron (dev.to) 138

Electron, a popular framework that allows developers to write code once and seamlessly deploy it across multiple platforms, has been a topic of conversation lately among developers and users alike. Many have criticised Electron-powered apps to be "too memory intensive." A developer, who admittedly uses a high-end computer, shares his perspective: I can speak for myself when I say Electron runs like a dream. On a typical day, I'll have about three Atom windows open, a multi-team Slack up and running, as well as actively using and debugging my own Electron-based app Standard Notes. [...] So, how does it feel to run this bloat train of death every day? Well, it feels like nothing. I don't notice it. My laptop doesn't get hot. I don't hear the fan. I experience no lags in any application. [...] But aside from how it makes end-users feel, there is an arguably more important perspective to be had: how it makes software companies feel. For context, the project I work in is an open-source cross-platform notes app that's available on most platforms, including web, Mac, Windows, Linux, iOS, and Android. All the desktop applications are based off the main web codebase, and are bundled using Electron, while the iOS and Android app use their own native codebases respectively, one in Swift and the other in Kotlin. And as a new company without a lot of resources, this setup has just barely allowed us to enter the marketplace. Three codebases is two too many codebases to maintain. Every time we make a change, we have to make it in three different places, violating the most sacred tenet of computer science of keeping it DRY. As a one-person team deploying on all these platforms, even the most minor change will take at minimum three development days, one for each codebase. This includes debugging, fixing, testing, bundling, deploying, and distributing every single codebase. This is by no means an easy task.
Google

Google Allo For Chrome Finally Arrives, But Only For Android Users (engadget.com) 88

Google Allo, the chat app that arrived on the iPhone and Android devices last year, now has a web counterpart. Head of product for Allo and video chat app Duo, Amit Fulay, tweeted: "Allow for web is here! Try it on Chrome today. Get the latest Allo build on Android before giving it a spin." Engadget reports: To give it a go, you'll need to open the Allo app on your device and use that to scan a QR code you can generate at this link. Once you've scanned the code, Allo pulls up your chat history and mirrors all the conversations you have on your phone. Most of Allo's key features, including smart replies, emoji, stickers and most importantly the Google Assistant are all intact here. In fact, this is the first time you can really get the full Google Assistant experience through the web; it's been limited to phones and Google Home thus far.

Slashdot Top Deals