Bug

Finding Serious 'Sign In with Apple' Hole Earns Security Researcher a $100,000 Bug Bounty (forbes.com) 21

An anonymous reader quotes Forbes: When Apple announced Sign in with Apple at the June 2019 worldwide developers conference, it called it a "more private way to simply and quickly sign into apps and websites." The idea was, and still is, a good one: replace social logins that can be used to collect personal data with a secure authentication system backed by Apple's promise not to profile users or their app activity... Unsurprisingly, it has been pushed as being a more privacy-oriented option than using your Facebook or Google account.

Fast forward to April 2020, and a security researcher from Delhi uncovered a critical Sign in with Apple vulnerability that could allow an attacker to potentially take over an account with just an email ID. A critical vulnerability that was deemed important enough that Apple paid him $100,000 through its bug bounty program by way of a reward. With the vulnerability already now patched by Apple on the server-side, Bhavuk Jain published his disclosure of the security shocker on May 30.

It applied "only to third-party apps which used Sign in with Apple without taking any further security measures," the article points out, adding that the researcher who found it "said Apple carried out an internal investigation and determined that no account compromises or misuse had occurred before the vulnerability was fixed."

But they also quote an SME application security lead at ImmersiveLabs who said he "would have expected better testing around this from a company such as Apple, especially when it is trying to set itself a reputation as privacy-focused."
EU

Tile Writes to EU Accusing Apple of Abuse of Power (bloomberg.com) 48

Bluetooth accessory maker Tile has written to the European Union accusing Apple of abuse of power and of illegally favoring its own products. From a report: According to a report by Financial Times, in a letter sent on Tuesday to the European Commissioner for Competition, the accessory maker said that Apple is making it harder for users to use Tile products on iPhone because it has its own rival Find My app. Tile asked the EU to investigate Apple's business practices, echoing previous calls made by the accessory maker in the United States. Specifically, Tile complains about changes Apple made to location services in iOS 13, which encourage customers not to use always-on location tracking. In addition, Tile said changing these options involves navigating between "complex settings not easy to find."
IOS

Why You Shouldn't Make a Habit of Force-Quitting iOS Apps or Restarting iOS Devices (tidbits.com) 90

Adam Engst, writing for TidBITS: Because force-quitting apps and restarting or shutting down devices are necessary only to fix unanticipated problems, there are two notable downsides to engaging in such behavior as a matter of habit: reduced battery life and wasted time. Why would these behaviors reduce battery life? Remember, iOS is a modern operating system that's built on top of Apple's proprietary hardware. Apple has put a great deal of effort into ensuring that iOS knows the best ways to manage the limited hardware resources within your iPhone or iPad. No one, possibly short of an iOS systems engineer armed with Apple's internal diagnostic and debugging tools, would be able to outguess iOS itself on issues like memory usage, power draw, and CPU throttling.

When you invoke the App Switcher in iOS, you can swipe right to see all the apps you've used, possibly since you got your device. (The very first app in my iPhone 11 Pro's App Switcher is Apple's Tips, which I think came up automatically when I turned the iPhone on last year and hasn't been touched since. It's difficult to count apps in the App Switcher, but I probably have at least a hundred in there.) As the number of apps in the App Switcher should indicate, those apps are not necessarily running -- they merely have run at some point in the past. They're much more like the contents of the Mac's Apple > Recent Items menu. In normal usage, iOS devotes the lion's share of CPU and memory resources to the app that you're using. That's sensible -- the performance of that app is paramount. However, the next few apps in the App Switcher may also be consuming some CPU and memory resources. That's because iOS correctly assumes that you're most likely to return to them, and it wants to give you the best experience when you do. The screen shouldn't have to redraw multiple times, Internet-loaded content shouldn't have to update, and so on. [...]

Open Source

India Open Sources Its Contact-Tracing App (techcrunch.com) 23

India has released the source code of its contact-tracing app, Aarogya Setu, to the relief of privacy and security experts who have been advocating for this ever since the app launched in early April. From a report: Ministry of Electronics and Information Technology Secretary Ajay Prakash Sawhney made the announcement on Tuesday, dubbing the move "opening the heart" of the Aarogya Setu app to allow engineers to inspect and tinker with the code. The app has amassed over 114 million users in less than two months -- an unprecedented scale globally. The source code of Aarogya Setu's Android app is live on GitHub with code of iOS and KaiOS apps slated to release in a "few weeks." Nearly 98% of the app's users are on the Android platform. Sawhney said the government will also offer cash prizes of up to $1,325 to security experts for identifying and reporting bugs and vulnerabilities. "Open-sourcing Aarogya Setu is a unique feat for India. No other government product anywhere in the world has been open-sourced at this scale," said Amitabh Kant, chief executive of government-run think-tank NITI Aayog, in a press conference today.
Iphone

Newly-Released Jailbreak Tool Can Unlock Every iPhone and iPad (techcrunch.com) 40

An anonymous reader quotes TechCrunch: A renowned iPhone hacking team has released a new "jailbreak" tool that unlocks every iPhone, even the most recent models running the latest iOS 13.5. [9to5Mac points out it also works on iPads.]

For as long as Apple has kept up its "walled garden" approach to iPhones by only allowing apps and customizations that it approves, hackers have tried to break free from what they call the "jail," hence the name "jailbreak...." The jailbreak, released by the unc0ver team, supports all iPhones that run iOS 11 and above, including up to iOS 13.5, which Apple released this week. Details of the vulnerability that the hackers used to build the jailbreak aren't known, but it's not expected to last forever...

Security experts typically advise iPhone users against jailbreaking, because breaking out of the "walled garden" vastly increases the surface area for new vulnerabilities to exist and to be found.

IOS

How iPhone Hackers Got Their Hands on the New iOS Months Before Its Release (vice.com) 9

Security researchers and hackers have had access to a leaked early version of iOS 14, the iPhone's next operating system, since at least February, Motherboard reported Friday. From the report: That's almost eight months before the expected official release of iOS 14, given that Apple usually publishes the new iOS in September along with the announcement of new phones. Sometimes, screenshots and descriptions of new features leak before the official reveal. This time, however, an entire version of the operating system has leaked and is being widely circulated among hackers and security researchers. Motherboard has not been able to independently verify exactly how it leaked, but five sources in the jailbreaking community familiar with the leak told us they think that someone obtained a development iPhone 11 running a version of iOS 14 dated December 2019, which was made to be used only by Apple developers. According to those sources, someone purchased it from vendors in China for thousands of dollars, and then extracted the iOS 14 internal build and distributed it in the iPhone jailbreaking and hacking community.
Education

Students Are Failing AP Tests Because the College Boards Can't Handle HEIC Images (theverge.com) 204

Many high school students around the country completed Advanced Placement tests online last week but were unable to submit them at the end because the testing portal doesn't support HEIC images -- the default format on iOS devices and some newer Android phones. The Verge reports: For the uninitiated: AP exams require longform answers. Students can either type their response or upload a photo of handwritten work. Students who choose the latter option can do so as a JPG, JPEG, or PNG format according to the College Board's coronavirus FAQ. But the testing portal doesn't support the default format on iOS devices and some newer Android phones, HEIC files. HEIC files are smaller than JPEGs and other formats, thus allowing you to store a lot more photos on an iPhone. Basically, only Apple (and, more recently, Samsung) use the HEIC format -- most other websites and platforms don't support it. Even popular Silicon Valley-based services, such as Slack, don't treat HEICs the same way as standard JPEGs.

[Nick Bryner, a high school senior in Los Angeles] says many of his classmates also tried to submit iPhone photos and experienced the same problem. The issue was so common that his school's AP program forwarded an email from the College Board to students on Sunday including tidbits of advice to prevent submission errors. "What's devastating is that thousands of students now have an additional three weeks of stressful studying for retakes," Bryner said. The email Bryner received doesn't mention the HEIC format, though it does link to the College Board's website, which instructs students with iPhones to change their camera settings so that photos save as JPEGs rather than HEICs. The company also linked to that information in a tweet early last week.
In a statement emailed to The Verge, the College Board said that "the vast majority of students successfully completed their exams" in the first few days of online testing, "with less than 1 percent unable to submit their responses." The company also noted that "We share the deep disappointment of students who were unable to submit responses."
Google

Apple and Google Launch Digital Contact Tracing System (go.com) 110

Apple and Google announced today that they have rolled out a COVID-19 exposure notification system, "essentially a unified programming interface that will allow public health departments to create their own contact tracing applications," reports ABC News. "Apple and Google are not building contact tracing apps." From the report: "Starting today, our Exposure Notifications technology is available to public health agencies on both iOS and Android," Apple and Google said in a statement. "Today, this technology is in the hands of public health agencies across the world who will take the lead and we will continue to support their efforts."

After an individual downloads and enables a contact tracing application on his phone, he would subsequently receive an alert if he is exposed to anyone who is diagnosed with or likely to have COVID-19. Of course, that assumes that the COVID-19-positive individual also has the application enabled on his phone. The companies said that digital contact tracing is meant to augment traditional human-to-human tracing, not replace it. Digital contact tracing is faster than traditional tracing, requires fewer resources and since it doesn't rely on human memory, can make it easier to track exposure in crowded spaces, or contact with strangers. On the other hand, for such applications to be effective, they require users to download and enable the applications on their phones, and it's not yet clear that Americans will be willing to do so en masse.
"Once they download the app, users will have to consent to make their information available to the health authorities and can turn it on and off when they choose to," the report adds. "Data collection will be kept private and only used by health authorities for COVID-19 exposure, not stored in a central database."

The companies said that they will not monetize the data that comes out of the system.
Encryption

The FBI Successfully Broke Into a Gunman's iPhone, But It's Still Very Angry at Apple (theverge.com) 211

After months of trying, the FBI successfully broke into iPhones belonging to the gunman responsible for a deadly shooting at Pensacola Naval Air Station in December 2019, and it now claims he had associations with terrorist organization al-Qaeda. Investigators managed to do so without Apple's help, but Attorney General William Barr and FBI director Christopher Wray both voiced strong frustration with the iPhone maker at a press conference on Monday morning. From a report: Both officials say that encryption on the gunman's devices severely hampered the investigation. "Thanks to the great work of the FBI -- and no thanks to Apple -- we were able to unlock Alshamrani's phones," said Barr, who lamented the months and "large sums of tax-payer dollars" it took to get into devices of Mohammed Saeed Alshamrani, who killed three US sailors and injured eight other people on December 6th.

Apple has said it provided investigators with iCloud data it had available for Alshamrani's account but did not provide any assistance bypassing iOS's device encryption. Without that help, authorities spent many weeks trying to break in on their own. Wray chastised Apple for wasting the agency's time and resources to unlock the devices. "Public servants, already swamped with important things to do to protect the American people -- and toiling through a pandemic, with all the risk and hardship that entails -- had to spend all that time just to access evidence we got court-authorized search warrants for months ago," he said.

Privacy

Edison Mail Rolls Back Update After iOS Users Reported They Could See Strangers' Emails (theverge.com) 21

Edison Mail has rolled back a software update that apparently let some users of its iOS app see emails from strangers' accounts. From a report: Several Edison users contacted The Verge to report seeing the glitch after they applied the update, which was meant to allow users to sync data across devices. Reader Matthew Grzybowski said after the update he had more than 100 unread messages from the UK-based email account of a stranger. He didn't have to enter any credentials to see the emails, Grzybowski added. The company said it was a bug, not a security breach, and that the issue appeared limited to users of the iOS app.
Bug

Complaining of 'Surplus' of iOS Exploits, Zerodium Stops Buying Them (securityweek.com) 37

wiredmikey writes: An abundance of iOS exploits being submitted to be sold should alarm iPhone/iPad users, according to the CEO of exploit acquisition firm Zerodium. The company announced that it was no longer buying certain types of iOS exploits in the next two to three months [including local privilege escalation, Safari remote code execution, and sandbox escape exploits] due to a surplus. And the company expects prices to drop in the near future.

"iOS Security is fucked," Chaouki Bekrar, CEO of Zerodium said on Twitter, noting that they are already seeing many exploits designed to bypass pointer authentication codes and a few zero-day exploits that can help an attacker achieve persistence on all iPhones and iPads. "Let's hope iOS 14 will be better," he added.

Bekrar said that only pointer authentication codes — which provide protection against unexpected changes to pointers in memory — and the difficulty to achieve persistence "are holding [iOS security] from going to zero."

Music

Apple's Rumored Over-Ear Headphones Feature Head and Neck Detection, Custom Equalizer Settings (9to5mac.com) 35

9to5Mac has learned more exclusive details about Apple's upcoming over-ear headphones, dubbed the "AirPods Studio," including specifications and settings. From the report: One of the key features of regular AirPods is ear detection, which automatically pauses the song when you take the earphones off. We've learned that AirPods Studio will have a similar feature, but it will work in a different way. Instead of ear detection, Apple is working to include sensors that can detect whether the headphones are on your head or neck. Based on this, we assume that AirPods Studio will play or pause content when they detect being placed on your head. Neck detection can be used to keep the headset turned on while the music is paused, just like when you take just one of the AirPods out of the ear.

Another new sensor will be able to detect left and right ears to automatically route the audio channels. That means there's likely no right or wrong side to use AirPods Studio, whereas current headphones have fixed left and right channels. Just like the AirPods Pro, Apple's new headphones will have Active Noise Cancellation and Transparency Mode. Users will be able to easily switch between the two modes to reduce external noise or to hear the ambient sound.

As AirPods Studio are expected to be mainly focused on professional users, pairing the earphones with a Mac or iOS device will unlock custom equalizer settings, with low, medium, and high frequency adjustments available, sources told us. According to a recent Bloomberg report, Apple's own-brand over-ear headphones will be available in at least two variations of the headphones -- one using leather fabrics and another with lighter materials for fitness use cases. Bloomberg also said Apple is testing a new modular design with exchangeable magnetic ear pads. [...] As for the price, rumors suggest that it will cost $349.

Games

Epic Online Services Launches, Giving Other Games Access To Fortnite-style Cross-play and More (polygon.com) 15

Epic Online Services is now available, giving developers free access to the same kinds of tools used to support Epic Games' massive Fortnite player base. From a report: The new suite, which went live on Wednesday, enables a unified gameplay experience across multiple platforms, including Nintendo Switch, PlayStation, PC platforms (Windows, Mac, and Linux), and Xbox. It gives developers and their communities ready access to features like cross-play, cross-progression, unified matchmaking, lobbies, and more. Support for Android and iOS platforms will be added soon. "At Epic, we believe in open, integrated platforms and in the future of gaming being a highly social and connected experience," said Chris Dyl, general manager of online services at Epic Games, in a news release. "Through Epic Online Services, we strive to help build a user-friendly ecosystem for both developers and players, where creators can benefit regardless of how they choose to build and publish their games, and where players can play games with their friends and enjoy the same quality experience regardless of the hardware they own."
Bug

How a Facebook Bug Took Down Your Favorite iOS Apps (wired.com) 65

An anonymous reader quotes a report from Wired: A little after 6 pm ET on Wednesday, the system started blinking red for iOS developer Clay Jones. Like many devs, Jones uses a Google product called Crashlytics to keep tabs on when his app stops working. Out of nowhere, it registered tens of thousands of crashes. It also pointed to the cause: a chunk of code that Jones' app incorporates to let people log in with their Facebook accounts. By 6:30 pm, Jones had filed a bug report about the flaw in Facebook's software development kit on GitHub, the code repository. He wasn't alone. According to widespread reports and the web monitoring service Down Detector, prominent iOS apps like TikTok, Spotify, Pinterest, Venmo, and more experienced issues on Wednesday. Many users found that they crashed whenever they tried to open the apps, whether or not they used Facebook to log in.

"Yesterday, a new release of Facebook included a change that triggered crashes in some apps using the Facebook iOS SDK for some users. We identified the issue quickly and resolved it," Facebook said in a statement. That change was quite small, given its outsized impact. "It was something like a server value -- which was supposed to provide a dictionary of things -- was changed to providing a simple YES/NO instead, without warning," says iOS developer Steven Troughton-Smith. "A change that simple can break an app that isn't prepared for it."

"Pretty much all these apps -- Pinterest, Spotify, a lot of the big ones -- use the Facebook SDK for the login button," says Jones. "You'll see 'Login With Facebook.' Everyone has it, super common, great for sign-up rates because it's just a one-click thing." And lots of apps that don't use Login With Facebook still use the SDK, which is why the issue Wednesday was so widespread. [...] The good news is that Facebook did fix the issue with haste, as far as these things go. Jones says it took about two hours for things to return to normal.

AI

Google Lens Can Now Copy and Paste Handwritten Notes To Your Computer (theverge.com) 25

Google has added a very useful feature to Google Lens, its multipurpose object recognition tool. From a report: You can now copy and paste handwritten notes from your phone to your computer with Lens, though it only works if your handwriting is neat enough. In order to use the new feature, you need to have the latest version of Google Chrome as well as the standalone Google Lens app on Android or the Google app on iOS (where Lens can be accessed through a button next to the search bar). You'll also need to be logged in to the same Google account on both devices. That done, simply point your camera at any handwritten text, highlight it on-screen, and select copy. You can then go to any document in Google Docs, hit Edit, and then Paste to paste the text. And voila -- or, viola, depending on your handwriting.
Google

Google Authenticator's First Android Update in Years Lets You Move Your Account Between Devices (theverge.com) 27

Google Authenticator, the company's code-based authentication app, has received its first update in three years, updating the app's interface for larger screens with more modern aspect ratios and delivering one of the platform's most-needed features. From a report: The Android version was last updated on August 22nd, 2017, while the iOS one was updated around a year ago to adjust it for iPhone X screens. Now, for the first time, Authenticator users will be able to easily transfer their account from one device to another without needing to manually transfer each code or disable and reenable two-factor authentication (2FA) on each account. The update introduces this feature through an import / export tool that lets you choose which accounts to include and transfer using a single QR code scan. It's a feature that competitor Authy has provided for quite some time, so it's refreshing to see it come to Authenticator, even if it's years late.
Security

Apple's Copyright Lawsuit Has Created a 'Chilling Effect' on Security Research (vice.com) 76

Last year, Apple accused a cybersecurity startup based in Florida of infringing its copyright by developing and selling software that allows customers to create virtual iPhone replicas. Critics have called Apple's lawsuit against the company, called Corellium, "dangerous" as it may shape how security researchers and software makers can tinker with Apple's products and code. From a report: The lawsuit, however, has already produced a tangible outcome: very few people, especially current and former customers and users, want to talk about Corellium, which sells the eponymous software that virtualizes iPhones and Android devices. During the lawsuit's proceedings, Apple has sought information from companies that have used the tool, which emulates iOS on a computer, allowing researchers to probe potential iPhone vulnerabilities in a forgiving and easy-to-use environment.

"Apple has created a chilling effect," a security researcher familiar with Corellium's product, who asked to remain anonymous because he wasn't allowed to talk to the press, told Motherboard. "I don't know if they intended it but when they name individuals at companies that have spoken in favor [of Corellium], I definitely believe retribution is possible," the researcher added, referring to Apple's subpoena to the Spanish finance giant Santander Bank, which named an employee who had Tweeted about Corellium. Several other cybersecurity researchers expressed fear of retribution from Apple for using Corellium.

Google

Google Is Killing Its Experimental Social Network Shoelace (engadget.com) 50

An anonymous reader quotes a report from Engadget: Google's experimental Area 120 unit launched Shoelace in mid-2019 as a way to help people get together in real life. Unfortunately, the fledgling social network won't make it out of the experimental phase -- the tech giant has announced that Shoelace is shutting down on May 12th. The service was geared towards people looking for group activities with other locals who share the same interests. Say, people interested in photography who want to meet up for a shoot or those looking for buddies to see concerts with. It was only ever available for iOS users in NYC, though, and never quite made its way to other regions.

Based on the team's announcement on its website, the app fell victim to the coronavirus pandemic. Area 120 says it doesn't feel like it's the right time to invest further in the project "given the current health crisis" and that it doesn't have plans to reboot Shoelace in the future. Google will delete all data associated with the service after May 12th, though users can get a copy of it by filling out this form before that date.

Iphone

Apple Will Make It Easier To Unlock Your iPhone While Wearing a Face Mask (techcrunch.com) 65

Face ID was a great idea -- until large swathes of the world were forced to wear face masks, rendering it largely useless. Apple has apparently heard our pain. From a report: Users are reporting a subtle new feature in the latest developer version of iOS 13.5 that will make it easier to unlock your iPhone without having to take off your protective face mask. Videos shared on Twitter by Robert Petersen and Guilherme Rambo show that Apple devices with Face ID will jump to the backup passcode-entry screen if it detects a mask. That's not only helpful if you're unlocking your phone dozens of times a day -- which we all do -- but it's also helping to keep people safe by not forcing users to take off their masks and potentially exposing themselves to the virus.
Bug

Newly Discovered macOS Image Capture Bug Can Fill Up Hard Drives With Empty Data (macrumors.com) 25

An anonymous reader quotes a report from MacRumors: A bug has been discovered in Apple's macOS Image Capture app that needlessly eats up potentially gigabytes of storage space when transferring photos from an iPhone or iPad to a Mac. Discovered by the developers of media asset management app NeoFinder and shared in a blog post called "Another macOS bug in Image Capture," the issue occurs when Apple's Mac tool converts HEIF photos taken by iOS to more standard JPG files. This process happens when users uncheck the "Keep Originals" option in Image Capture's settings, which converts the HEIC files to JPG when copied to Mac. However, the app also inexplicably adds 1.5MBs of empty data to every single file in the process.

It's worth noting that the bug only occurs when transferring photos from Apple devices, not when importing photos from digital cameras using Image Capture. NeoFinder's team says it has notified Apple of the bug, and the developers suggest anyone plagued by the issue can try using a new beta version of the third-party utility Graphic Converter, which includes an option to remove the unwanted empty data from the JPEG files.
