Privacy

Wading Through AccuWeather's Response (daringfireball.net) 67

On Tuesday, ZDNet reported that popular weather app AccuWeather was sending location-identifying information to a monetization firm, even when a person had disabled location data from the app. In a response, AccuWeather said today "if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user." But it is misleading people. John Gruber of DaringFireball writes: The accusation has nothing to do with "GPS coordinates." The accusation is that their iOS app is collecting Wi-Fi router names and MAC addresses and sending them to servers that belong to Reveal Mobile, which in turn can easily be used to locate the user. Claiming this is about GPS coordinates is like if they were caught stealing debit cards and they issued a denial that they never stole anyone's cash. The accusation comes from Will Strafach, a respected security researcher who discovered the "actual information" by observing network traffic. He saw the AccuWeather iOS app sending his router's name and MAC address to Reveal Mobile. This isn't speculation. They were caught red-handed. GPS information is more precise, and if you grant the AccuWeather app permission to access your location (under the guise of showing you local weather wherever you are, as well as localized weather alerts), that more precise data is passed along to Reveal Mobile as well. But Wi-Fi router information can be used to locate you within a few meters using publicly available databases. Seriously, go ahead and try it yourself: plug your Wi-Fi router's BSSID MAC address into this website, and there's a good chance it'll pinpoint your location on the map. "Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather," the company writes. In what way is the name and MAC address of your router not "user information"?
And saying the information was "unused by AccuWeather" is again sleight of hand. The accusation is not that AccuWeather itself was using the location of the Wi-Fi router, but that Reveal Mobile was. Here are Reveal Mobile's own words about how they use location data.
Security

Secret Chips in Replacement Parts Can Completely Hijack Your Phone's Security (arstechnica.com) 62

Dan Goodin, writing for ArsTechnica: People with cracked touch screens or similar smartphone maladies have a new headache to consider: the possibility the replacement parts installed by repair shops contain secret hardware that completely hijacks the security of the device. The concern arises from research that shows how replacement screens -- one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0 -- can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it. The research, in a paper presented this week (PDF) at the 2017 Usenix Workshop on Offensive Technologies, highlights an often overlooked disparity in smartphone security. The software drivers included in both the iOS and Android operating systems are closely guarded by the device manufacturers, and therefore exist within a "trust boundary."
IOS

iOS 11 Has a Feature To Temporarily Disable Touch ID (cultofmac.com) 138

A new feature baked into iOS 11 lets you quickly disable Touch ID, which could come in handy if you're ever in a situation where someone (a cop) might force you to unlock your device. Cult of Mac reports: To temporarily disable Touch ID, you simply press the power button quickly five times. This presents you with the "Emergency SOS" option, which you can swipe to call the emergency services. It also prevents your iPhone from being unlocked without the passcode. Until now, there were other ways to temporarily disable Touch ID, but they weren't quick and simple. You either had to restart your iPhone, let it sit idle for a few days until Touch ID was temporarily disabled by itself, or scan the wrong finger several times. The police, or any government agency, cannot force you to hand over your iPhone's passcode. However, they can force you to unlock your device with your fingerprint. That doesn't work if your fingerprint scanner has been disabled.
Media

Video Is Coming To Reddit (variety.com) 74

An anonymous reader shares a report from Variety: Videos are coming to Reddit, thanks to a new feature that allows users to upload video clips directly to the service. Reddit rolled out the new video feature Tuesday after testing it with around 200 communities over the past couple of weeks. Reddit users are now able to upload videos of up to 15 minutes in length, with file sizes being limited to 1 gigabyte. Users will be able to upload videos via Reddit's website and its mobile apps for iOS and Android, with the latter offering basic trimming functionality as well. And, in keeping with the spirit of the site, Reddit is also offering a conversion tool to turn videos into animated Gifs. Videos are being displayed persistently, or pinned, meaning that users can scroll through the comments while the video keeps playing in the corner of their screen. And community moderators can opt not to allow videos in their Subreddits at all, with Le arguing that some discussion-heavy Subreddits may decide that the format just doesn't work for them.
Desktops (Apple)

In Defense of the Popular Framework Electron (dev.to) 138

Electron, a popular framework that allows developers to write code once and seamlessly deploy it across multiple platforms, has been a topic of conversation lately among developers and users alike. Many have criticised Electron-powered apps for being "too memory intensive." A developer, who admittedly uses a high-end computer, shares his perspective: I can speak for myself when I say Electron runs like a dream. On a typical day, I'll have about three Atom windows open, a multi-team Slack up and running, as well as actively using and debugging my own Electron-based app Standard Notes. [...] So, how does it feel to run this bloat train of death every day? Well, it feels like nothing. I don't notice it. My laptop doesn't get hot. I don't hear the fan. I experience no lags in any application. [...] But aside from how it makes end-users feel, there is an arguably more important perspective to be had: how it makes software companies feel. For context, the project I work in is an open-source cross-platform notes app that's available on most platforms, including web, Mac, Windows, Linux, iOS, and Android. All the desktop applications are based off the main web codebase, and are bundled using Electron, while the iOS and Android app use their own native codebases respectively, one in Swift and the other in Kotlin. And as a new company without a lot of resources, this setup has just barely allowed us to enter the marketplace. Three codebases is two too many codebases to maintain. Every time we make a change, we have to make it in three different places, violating the most sacred tenet of computer science of keeping it DRY. As a one-person team deploying on all these platforms, even the most minor change will take at minimum three development days, one for each codebase. This includes debugging, fixing, testing, bundling, deploying, and distributing every single codebase. This is by no means an easy task.
Google

Google Allo For Chrome Finally Arrives, But Only For Android Users (engadget.com) 88

Google Allo, the chat app that arrived on the iPhone and Android devices last year, now has a web counterpart. Head of product for Allo and video chat app Duo, Amit Fulay, tweeted: "Allo for web is here! Try it on Chrome today. Get the latest Allo build on Android before giving it a spin." Engadget reports: To give it a go, you'll need to open the Allo app on your device and use that to scan a QR code you can generate at this link. Once you've scanned the code, Allo pulls up your chat history and mirrors all the conversations you have on your phone. Most of Allo's key features, including smart replies, emoji, stickers and most importantly the Google Assistant are all intact here. In fact, this is the first time you can really get the full Google Assistant experience through the web; it's been limited to phones and Google Home thus far.
Software

App Developers Should Charge More If They Want People To Buy Subscriptions, Suggests Report (theverge.com) 50

A new report from Liftoff, a Silicon Valley-based mobile app marketing and retargeting firm, says that subscription-based apps may do better if developers charge a higher price for services, rather than setting prices too low to lure users in initially. The Verge reports: The Liftoff report, which analyzed data gathered between June 2016 and June 2017, categorized app subscriptions into low-cost monthly subs ($0.99 to $7), medium ($7 to $20), and high-cost subs ($20 to $50), while also factoring the cost of acquisition per customer. The company found that apps in the medium price range had the highest conversion rate -- 7.16 percent -- and the lowest cost to acquire a subscriber, at just over $106 dollars. This was five times higher than the rate of people who subscribed to apps when the apps were in the low-cost category. This may partly be because streaming media apps, like Netflix and Spotify, have already conditioned people to pay around $10 a month for services. But it also might be attributable to the sunk cost fallacy, Liftoff says: the "cognitive bias people have that makes them stay the course because they have already spent time or resources on it." The report also examines apps that fulfill "need states," like dating apps or cloud services. These have the potential to offer services that customers are willing to pay for, again and again. But, according to Liftoff, utility apps have a much higher install-to-subscriber rate compared to dating apps. Blame those who eventually find love?
Communications

iOS 10 Quietly Deprecated A Crucial API For VoIP and Communication Apps (apple.com) 122

neutrino38 warns that iOS 10 includes a significant change "overlooked by the general public": It deprecates an API that is crucial for VoIP and other instant messaging applications that enable keeping one socket active despite the fact that the application would run in the background. As a replacement, developers need to use PushKit: when an incoming call is to be forwarded to an iOS VoIP client, the VoIP infrastructure needs to:

- withhold the call
- contact Apple push infrastructure using a proprietary protocol to wake up the client app remotely
- wait for the application to reconnect to the infrastructure and release the call when it is ready

This "I know better than you" approach is meant to further optimize battery life on iOS devices by avoiding the use of resources by apps running in background. It has also the positive effect of forcing developers to switch to a push model and remove all periodic pollings that ultimately use mobile data and clog the Internet. However, the decision to use an Apple infrastructure has many consequences for VoIP providers:

- the reliability of serving incoming calls is directly bound to Apple service
- Apple may revoke the PushKit certificate. It thus has life and death decision power over third-party communication infrastructures
- organizations wanting to set up IPBX and use iOS client have no option but to open access for the push services of Apple in their firewall
- It is not possible to have iOS VoIP or communication clients in networks disconnected from the Internet
- Pure standard SIP clients are now broken on iOS

The original submission argues that Apple is creating "the perfect walled garden," adding that "Ironically, the only VoIP 'app' that is not affected is the (future?) VoLTE client that will be added to iOS one day."
Iphone

Apple Refuses To Enable iPhone Emergency Settings that Could Save Countless Lives (thenextweb.com) 279

An anonymous reader shares a report: Despite being relatively easy, Apple keeps ignoring requests to enable a feature called Advanced Mobile Location (AML) in iOS. Enabling AML would give emergency services extremely accurate locations of emergency calls made from iPhones, dramatically decreasing response time. As we have covered before, Google's successful implementation of AML for Android is already saving lives. But where Android users have become safer, iPhone owners have been left behind. The European Emergency Number Association (EENA), the organization behind implementing AML for emergency services, released a statement today that pleads with Apple to consider the safety of its customers and participate in the program: "As AML is being deployed in more and more countries, iPhone users are put at a disadvantage compared to Android users in the scenario that matters most: An emergency. EENA calls on Apple to integrate Advanced Mobile Location in their smartphones for the safety of their customers." Why is AML so important? The majority of emergency calls today are made from cellphones, which has made location pinging increasingly more important for emergency services. There are many emergency apps and features in development, but AML's strength is that it doesn't require anything from the user -- no downloads and no forethought: The process is completely automated. With AML, smartphones running supporting operating systems will recognize when emergency calls are being made and turn on GNSS (global navigation satellite system) and Wi-Fi. The phone then automatically sends an SMS to emergency services, detailing the location of the caller. AML is up to 4,000 times more accurate than the current systems -- pinpointing phones down from an entire city to a room in an apartment. "In the past months, EENA has been travelling around Europe to raise awareness of AML in as many countries as possible.
All these meetings brought up a recurring question that EENA had to reply to: 'So, what about Apple?'" reads EENA's statement.
IOS

Developers Explain Why iOS Apps Are Getting Bulkier (ndtv.com) 140

Reader joshtops shares a report: Apps are getting bigger in size, in part because developers add new features, something many users obviously appreciate, developers say. "Apps are getting bigger because iOS devices are more powerful, and developers are building more and more complex things for them without considering the impact the size will have around the world," developer Stephen Troughton-Smith tells Gadgets 360. But in part, it is also happening because developers are being careless, and adding more than one instance of files, Troughton-Smith added. "So Facebook, Twitter, and other large companies have perhaps tens or hundreds of people building their iOS apps. A lot of the components for these apps are developed independently as components, or frameworks. For each additional component you glue together into an app, there is some overhead," he explained. "Some of the teams will duplicate functionality some other team wrote. Images and other resources end up being duplicated." The high-resolution image assets that developers are required to add also contribute to the size of an app, two India-based developers, and Peter Steinberger, founder and CEO of PSPDFKit, a dev kit that is used by several popular PDF apps, told Gadgets 360. Apple can itself take some blame, too. Developers using Apple's Swift language, which the company introduced in 2014, are required to add several components to their apps that make them heavier. "Apple's new Swift language, for example, requires a bunch of components to be embedded each time it's used, because it's not yet 'ABI stable,'" Troughton-Smith explained. This means developers need to embed the versions of libraries they've developed against, and not count on the one available on the system. Another developer who didn't want to be identified said a typical app built with Swift language requires as many as 30 Swift runtime libraries to be stuffed within the app.
On top of this, he added, "you will be surprised at just how many apps use common code found at places like GitHub. Developers often don't care about removing the bits that weren't relevant to their app," he added.
Youtube

YouTube Adds Mobile Chat, Because Google Doesn't Have Enough Messaging Apps (venturebeat.com) 25

Krystalo writes: YouTube today rolled out the ability to share videos with contacts directly in its mobile app for Android and iOS. Users can chat about shared videos using text, react with emoji, like messages with a heart, reply with other videos, and invite more friends to the conversation (up to a maximum of 30 people per group message). YouTube first started testing letting groups of users share and talk about videos in May 2016. The company then pushed the feature to Canada in January 2017 as a test, since Canadians share more videos online than any other nation. After some tweaks, the Google-owned company is now pushing it out to all its Android and iOS users. "We've been improving the feature since our experiments began last year," a YouTube spokesperson told VentureBeat. "For example, we've made changes to the chat visual; and we've made the video stick to the top of the chat when scrolling down, to allow replying and chatting while watching a video; and we'll continue making improvements." With the new update, YouTube has become yet another Google messaging app, on top of Android Messages, Allo, Duo, Hangouts Chat, and Hangouts Meet.
Debian

OpenSSL Support In Debian Unstable Drops TLS 1.0/1.1 Support (debian.org) 76

An anonymous reader writes: Debian Linux "sid" is deprecating TLS 1.0 Encryption. A new version of OpenSSL has been uploaded to Debian Linux unstable. This version disables the TLS 1.0 and 1.1 protocol. This currently leaves TLS 1.2 as the only supported SSL/TLS protocol version. This will likely break certain things that for whatever reason still don't support TLS 1.2. I strongly suggest that if it's not supported that you add support for it, or get the other side to add support for it. OpenSSL made a release 5 years ago that supported TLS 1.2. The current support of the server side seems to be around 90%. I hope that by the time Buster releases the support for TLS 1.2 will be high enough that I don't need to enable them again. This move caused some concern among Debian users and sysadmins. If you are running Debian Unstable on a server, tons of stuff is going to be broken cryptographically. Not to mention legacy hardware and firmware that still uses TLS 1.0. On the client side (i.e. your users), you need to use the latest version of a browser such as Chrome/Chromium and Firefox. Older versions of Android (e.g. Android v5.x and earlier) do not support TLS 1.2. You need to use at least iOS 5 for TLS 1.2 support. Same goes with SMTP/mail servers, desktop email clients, FTP clients and more. All of them using old outdated crypto.

This move will also affect Android 4.3 users or stock MS-Windows 7/IE users (which has TLS 1.2 switched off in Internet Options.) Not to mention all the mail servers out there running outdated crypto.

Businesses

Popular Password Manager LastPass Doubles Price of Its Premium Plan, Removes Features From Its Free Service Tier (neowin.net) 156

An anonymous reader shares a report: In November, LastPass made a big change to its service, allowing users to keep track of their passwords across all their internet-enabled mobile and desktop devices, free of charge. In addition to the free tier, the cross-platform password manager -- available on iOS, Android, and Windows 10 -- also offered a Premium plan with additional features, priced at $12 per year. Today, LastPass announced another wave of changes to its lineup for individual users -- but this time, the changes are unlikely to be welcomed with open arms by its customers. LastPass Premium has now doubled in price to $24 a year, which includes "emergency access, the ability to share single passwords and items with multiple people, priority tech support, advanced multi-factor authentication, LastPass for applications, and 1GB of encrypted file storage," along with all the other features of the Free tier. In a statement, the company said, "While LastPass Free continues to offer access on all browsers and devices and the core LastPass password management functionality, unlimited sharing and emergency access are now Premium features. Free users will be able to share one item with one other individual."
Cloud

Apple's Adoption Of HEVC Will Drive A Massive Increase In Encoding Costs Requiring Cloud Hardware Acceleration (streamingmedia.com) 203

An anonymous reader shares a report: For the last 10 years, H.264/AVC has been the dominant video codec used for streaming but with Apple adopting H.265/HEVC in iOS 11 and Google heavily supporting VP9 in Android, a change is on the horizon. Next year the Alliance for Open Media will release their AV1 codec which will again improve video compression efficiency even further. But the end result is that the codec market is about to get very fragmented, with content owners soon having to decide if they need to support three codecs (H.264, H.265, and VP9) instead of just H.264 and with AV1 expected to be released in 2019. As a result of what's taking place in the codec market, and with better quality video being demanded by consumers, content owners, broadcasters and OTT providers are starting to see a massive increase in encoding costs. New codecs like H.265 and VP9 need 5x the server costs because of their complexity. Currently, AV1 needs over 20x the server costs. The mix of SD, HD and UHD continues to move to better quality: e.g. HDR, 10-bit and higher frame rates. Server encoding cost to move from 1080p SDR to 4K HDR is 5x. 360 and Facebook's 6DoF video are also growing in consumption by consumers which again increases encoding costs by at least 4x. If you add up all these variables, it's not hard to do the math and see that for some, encoding costs could increase by 500x over the next few years as new codecs, higher quality video, 360 video and general demand increases.
Iphone

Microsoft's Windows Phone Keyboard For the iPhone Is Dead (theverge.com) 42

Microsoft's Word Flow keyboard for the iPhone had one unique feature when it launched more than a year ago: a one-handed mode that could be used with either your left or right thumb. Now, according to a support note spotted by Windows Central, it appears Microsoft is consolidating and removing the keyboard from the App Store, encouraging users to download SwiftKey instead. The Verge reports: Microsoft has tested out a number of iOS keyboards, and it now appears the company is focusing solely on SwiftKey after acquiring the app last year. We haven't seen any major additions to SwiftKey since Microsoft acquired it, apart from a separate Swiftmoji emoji predictor in July last year. Microsoft's SwiftKey keyboard now competes against the likes of Google's Gboard keyboard and various other iOS and Android keyboards. Have you been using Word Flow on your iPhone? If so, what has your experience been with the application? Do you plan on switching to Gboard or another third-party keyboard now that Word Flow is no longer supported?
IOS

Appocalypse Now - How iOS11 Will Kill Some Of Your Favourite iPhone Apps (independent.ie) 177

Ronan Price, writing for Independent: The app-ocalypse is coming and almost no one knows it. Apologies for the dreadful pun but, in about six to eight weeks' time, hundreds of thousands of older apps for iPhone and iPad will cease to work when Apple updates its iOS software to version 11. Businesses and consumers who rely on these elderly apps and update to iOS11 without knowing the consequences face a rude awakening. Their difficulty ranges from mere inconvenience that a useful app no longer functions to the complete loss of valuable data buried in a piece of obsolete software. Apple began signalling two years ago that it was signing the death warrant for older apps when it moved iOS to 64-bit software -- essentially a more secure, faster and technologically advanced version that replaced the previous 32-bit code. First, Apple encouraged developers to rewrite their apps to 64-bit status but continued to allow 32-bit apps to function. Then it began to warn developers and customers that future iOS updates would experience compatibility issues. You may have seen -- and ignored -- the messages when launching apps in the last year telling you "App X needs to be updated, the developer needs to update it to improve its compatibility." Finally, just this June, Apple confirmed that iOS11 would put the kibosh on 32-bit forever when it's released into the wild in late September. The announcement came and went with little fanfare from the public's perspective.
Businesses

Former webOS, Pebble Design Lead, Who Just Left Andy Rubin's Essential, Heads To Google (variety.com) 38

Janko Roettgers, writing for Variety: Google has hired former lead Pebble and webOS designer Liron Damir as the new head of user experience of its Google Home group, which works on products such as Google Home, Chromecast and Google Wifi. Damir announced that he joined Google on LinkedIn this week, writing that he was "super excited and proud to be joining Google... to lead the design of Google Home products." A Google spokesperson confirmed the hire Thursday, but declined to comment further. Most recently, Damir worked as head of UX for Essential, the new startup from Android founder Andy Rubin. Before that, he was VP of design at Pebble, the pioneering smart watch maker that got acquired by Fitbit in late 2016. Before joining Pebble, Damir led the webOS design efforts at HP, and then at LG. webOS was initially developed as a mobile operating system to take on Android and iOS, but HP scrapped these efforts when it realized that it couldn't compete with the likes of Apple and Samsung. The company sold webOS to LG in early 2013, which ended up using the operating system for its smart TVs.
Businesses

Where's All My CPU and Memory Gone? The Answer: $5B Worth Slack App (medium.com) 190

Slack, valued at $5 billion, has received buyout pitches from several companies including Amazon and Microsoft. But the team collaboration service, which has over 5 million active users, continues to offer one of the most resource intensive apps you could find on Mac and iOS. From an article: TLDR; If you care about battery life or availability of your finite CPU and memory on your computer, then you probably won't want to use Slack desktop with more than one or two accounts. Slack resource usage increases linearly as you add more accounts, and it quickly adds up. [...] I noticed that my machine has been sluggish and its battery life has become poor. Whilst investigating this, it turns out that Slack desktop fails badly when used with multiple accounts. This is because CPU and memory usage increases linearly as you add more accounts to your Slack desktop client. As a result, I believe the growing trend to use Slack to be part of multiple communities is seriously flawed until Slack resolve this problem. The author, Matthew O'Riordan, has shared screenshots of Activity Monitor which show that the Slack application on his Mac was consuming more than 1.5GB of memory, and as much as 70 percent of the energy. The company's iOS app instills several more issues.
IOS

iOS 11 Will Prevent Your iPhone From Automatically Connecting To Unreliable Wi-Fi Networks (trustedreviews.com) 88

A new feature spotted in iOS 11 beta 2 intelligently manages wireless networks based on their reliability, learning to ignore those that are too far away to provide a consistent experience. TrustedReviews reports: It follows the company's Wi-Fi Assist feature which meant handsets would switch to a data connection when Wi-Fi networks became too slow. Naturally, users weren't thrilled with the resulting data usage issues, and it seems Apple is looking to do better this time around. This new feature will disable "Auto join" for any network which suffers from low speed issues or is deemed to be generally unreliable. Users will, of course, still be able to join these networks manually, but the change should prevent the frustration that comes from iPhones automatically joining networks users know to be inadequate. At this point, there's no way to know how well the feature will work, and there will undoubtedly be issues when it eventually arrives in iOS 11.
IOS

Public Service Announcement: You Should Not Force Quit Apps on iOS (daringfireball.net) 285

John Gruber, writing for DaringFireball: The single biggest misconception about iOS is that it's good digital hygiene to force quit apps that you aren't using. The idea is that apps in the background are locking up unnecessary RAM and consuming unnecessary CPU cycles, thus hurting performance and wasting battery life. That's not how iOS works. The iOS system is designed so that none of the above justifications for force quitting are true. Apps in the background are effectively "frozen", severely limiting what they can do in the background and freeing up the RAM they were using. iOS is really, really good at this. It is so good at this that unfreezing a frozen app takes up way less CPU (and energy) than relaunching an app that had been force quit. Not only does force quitting your apps not help, it actually hurts. Your battery life will be worse and it will take much longer to switch apps if you force quit apps in the background. [...] In fact, apps frozen in the background on iOS unfreeze so quickly that I think it actually helps perpetuate the myth that you should force quit them: if you're worried that background apps are draining your battery and you see how quickly they load from the background, it's a reasonable assumption to believe that they never stopped running. But they do. They really do get frozen, the RAM they were using really does get reclaimed by the system, and they really do unfreeze and come back to life that quickly.
