This Week in Tech 618: Snakes vs Alligators

Leo is out this week, so Jason Snell takes the reins. At WWDC this week, Apple announced their Amazon Echo killer, the HomePod. They also announced big updates to iOS 11, the 10.5″ iPad Pro, and the (at least) $4999 iMac Pro. Catering to a slightly less spendy demographic, Amazon announced that it will offer lower priced Prime subscriptions to people on Government Assistance. Uber had (another) bad week – capped off with Eric Holder’s report to the Uber board.

–Mikah Sargent thinks Taylor Swift is fine.
–Harry McCracken is on Team Katy.
–Lisa Schmeiser has a blank space, baby, and she’ll write your name.
–Jason Snell has Katy Perry on the counter in his kitchen.

Android and iOS apps on Windows: What is Microsoft doing—and will it work?

At its Build developer conference last week, Microsoft made a pair of announcements about Windows development that were more than a little surprising: Windows will support applications developed for iOS and Android.

This immediately felt like a dangerous move. Windows will not be the first operating system to run foreign applications. Famously, IBM advertised OS/2 as a “Better Windows than Windows” in the 1990s, boasting that its platform would run all your existing Windows applications with greater stability and performance. More recently, BlackBerry 10 included support for Android applications, with BlackBerry licensing the Amazon App Store and using it as its gateway to a world of Android-compatible software.

Neither OS/2 nor BlackBerry 10 has made a success of this capability. There are two major problems with supporting foreign applications on a niche platform. The first is straightforward: it removes any incentive for developers to bother with the native platform. Investing in developing for a minor platform is already something of a gamble, and by telling developers “Oh hey, you can just use your existing Win16 or Android program…” as IBM and BlackBerry (respectively) did, you’re implicitly sending them a message. “Don’t bother learning our platform or writing native apps for it.”

It turned out as expected for both platforms. While a few true OS/2 applications were created—and similarly there are some true BlackBerry 10 apps—they’re relatively unusual. After all, what’s the point? If IBM is going to boast about just how well OS/2 will run Win16 apps and those Win16 apps can be sold both to OS/2 users and to Windows 3.1 users, why would a developer write anything other than a Win16 app?

This capability cedes a lot of control. By being dependent on apps developed for a third-party platform, you give the owner of that third-party platform the power to choose how to evolve its APIs and add new features. This bit OS/2 hard: while IBM was busy promoting how well OS/2 could run 16-bit Windows applications, Microsoft was busy encouraging developers to create new 32-bit Windows applications and end-users to buy the 32-bit capable Windows 95. This new world of 32-bit software wouldn’t run on OS/2, and so the big OS/2 feature that IBM heavily marketed was rendered semi-useless. OS/2 found some niche success, but it was ultimately a failure.

Supporting Android apps creates similar risks. If Android software constitutes a major part of a platform’s software ecosystem, any changes to Android (new APIs or capabilities, say) that Android software expects to be able to take advantage of have to be replicated. This is, however, tempered by Android’s uniquely poor update situation. Most Android phones don’t have access to the latest and greatest version of Android or the latest and greatest Android features, so most Android software has to refrain from demanding such capabilities. This means an Android-compatible platform could trail Google’s cutting edge by a year or more and still be highly compatible with Android apps.

Read More: Android and iOS apps on Windows: What is Microsoft doing—and will it work? | Ars Technica.

Mozilla blasts at Android and iOS for lack of openness

Mozilla has accused Google and Apple of not being transparent with their mobile technologies and misusing their dominant positions.

Google’s Android and Apple’s iOS make up for the majority marketshare in smartphone OSes globally and Mozilla has shown concern over the irresponsible behavior of the companies by not being transparent about the utilization of user data.

In a report from the Guardian, Mozilla’s chief technology officer, Andreas Gal, has revealed that the current mobile situation is not favorable for users’ privacy and believes Firefox OS can change the scenario.

According to Gal, neither Android nor iOS is transparent and users are kept in the dark about what happens with their data. Although, Android is based on open source software, Google has kept large portions of its integrated services proprietary and iOS has been closed since the very beginning. Gal feels that, “right now the user has a choice between one phone where you can’t tell what goes on inside it and another phone where you can’t tell what goes on inside it.”

Both Apple and Google have in the past banned or removed privacy-centric applications from their respective app stores, which can be termed as misuse of their dominant positions and Mozilla hopes that people realize this and choose open platforms in the future.

via Mozilla blasts at Android and iOS for lack of openness – Neowin.

iOS security hole allows attackers to poison already installed iPhone apps

Security researchers have warned of a security hole in Apple’s iOS devices that could allow attackers to replace legitimate apps with booby-trapped ones, an exploit that could expose passwords, e-mails, or other sensitive user data.

The “Masque” attack, as described by researchers from security firm FireEye, relies on enterprise provisioning to replace banking, e-mail, or other types of legitimate apps already installed on a targeted phone with a malicious one created by the adversary. From there, the attacker can use the malicious app to access sent e-mails, login credential tokens, or other data that belonged to the legitimate app.

“Masque Attacks can replace authentic apps, such as banking and e-mail apps, using attacker’s malware through the Internet,” FireEye researchers wrote in a blog post published Monday. “That means the attacker can steal user’s banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached e-mails or even login-tokens which the malware can use to log into the user’s account directly.”

The attack works by presenting a targeted phone with a same sort of digital certificate large businesses use to install custom apps on employees’ iPhones and iPads, as long as both the legitimate app and the malicious app use the same bundle identifier. The attack requires some sort of lure to trick a target into installing the malicious app, possibly by billing it as an out-of-band update or a follow-on to an already installed app. Recently, the researchers uncovered evidence the attacks may be circulating online, they said without elaborating. The technique doesn’t work against iOS preinstalled apps such as Mobile Safari. FireEye researchers said they reported the vulnerability to Apple in July.

“By leveraging Masque Attack, an attacker can lure a victim to install an app with a deceiving name crafted by the attacker (like New Angry Bird), and the iOS system will use it to replace a legitimate app with the same bundle identifier,” Monday’s report stated. “Masque Attack couldn’t replace Apple’s own platform apps such as Mobile Safari, but it can replace apps installed from App Store.” From there attackers can:

Mimic the login interface of the replaced app to steal the victims’ login credentials

Access local data caches assigned to the replaced app to steal e-mails, login tokens, or other sensitive data

Install custom programming interfaces not approved by Apple onto victims’ phones

Bypass the normal app sandbox architecture built into iOS and possibly get root access by exploiting known iOS vulnerabilities, such as those recently targeted by the Pangu team.

Read more: iOS security hole allows attackers to poison already installed iPhone apps | Ars Technica.

Security expert details multiple undocumented services running on all iOS devices

During a recent hacker conference, forensic scientist and iPhone jailbreaking expert Jonathan Zdziarski outlined a number of undocumented high-value forensic services running on every iOS device. He also found suspicious design omissions in iOS that make data collection easier according to a report from ZDNet.

Zdziarski notes that while Apple has worked hard to make iOS devices reasonably secure against typical attackers, they’ve also put a lot of time and planning into making devices accessible on their end on behalf of law enforcement.

The hacker also found that screen-locking an iPhone doesn’t encrypt its data. The only real way to do this is to shut down / power off the handset. What’s more, some of the undocumented services are able to bypass backups and can be accessed using USB, Wi-Fi or perhaps even cellular.

Using commercially available forensics tools, for example, law enforcement could gain access to a device during a routine traffic stop or during an arrest before a suspect is able to power the phone off.

Zdziarski finds it suspicious that none of these services (“lockdownd,” “pcapd” or “mobile.file_relay”) are referenced in any Apple software. The data they collect is personal in nature thus unlikely to be used for debugging purposes and is stored in raw format to make it useless to wireless carriers or during a trip to a Genius Bar.

All said and done, Zdziarski is left with more questions than answers.


via Security expert details multiple undocumented services running on all iOS devices – TechSpot.

Apple users left exposed to serious threats for weeks, former employee says

A noted whitehat hacker who spent more than a year on Apple’s security team has dealt her former employer some blistering criticism for fixing critical vulnerabilities in iOS three weeks after they became widely known to blackhats.

Kristin Paget, who recently took a security position at a major car manufacturer, took to her private blog Wednesday and catalogued more than a dozen separate security bugs that were patched in Tuesday’s release of iOS 7.1.1. Some of them gave attackers the ability to surreptitiously execute malicious code on iPhones and iPads without requiring much or any interaction from end users. Paget noted that 16 of the vulnerabilities addressed had been fixed three weeks earlier in a separate update for OS X users. Such delays give malicious hackers the opportunity to reverse engineer the fixes for one platform and develop potent exploits to use against the same bugs surviving in unpatched platforms, security researchers have long charged.

“Apparently someone needs to sit Apple in front of a chalkboard and make them write out 100 lines: ‘I will not use iOS to drop 0day on OS X, nor use OS X to drop 0day on iOS,'” Paget wrote in Thursday’s blog post. Addressing Apple officials directly, Paget continued:

Is this how you do business? Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for *weeks* afterwards? You really don’t see anything wrong with this?

Someone tell me I’m not crazy here. Apple preaches the virtues of having the same kernel (and a bunch of other operating system goop) shared between two platforms—but then only patches those platforms one at a time, leaving the entire userbase of the other platform exposed to known security vulnerabilities for weeks at a time?

In what world is this acceptable?

Paget’s critique comes two months after Apple patched the extremely critical “goto fail” bug in iOS without fixing it in the Mavericks version of OS X. Critics once again warned that the code and description Apple released for the mobile update gave a roadmap attackers could use to target the same flaws during the four-day window it remained unpatched on desktops. The bug, which made it trivial to bypass crucial HTTPS encryption protections, was finally fixed on Mavericks on February 25.

Paget—who has also been employed by Google and eBay—called on readers to cross-check previous iOS and OS X security updates to see if they also showed long lapses between the time when critical vulnerabilities are fixed on one platform and when they’re repaired on the other.

via Apple users left exposed to serious threats for weeks, former employee says | Ars Technica.

Report finds iOS apps riskier than Android apps

How many apps do you have on your smartphone or tablet right now? Well, take that number, and multiply it by 0.9. That’s about how many of your apps are a potential security concern according to a new study from Appthority.

The Appthority Reputation Report for Winter 2014 was compiled using data from the cloud-based Appthority App Risk Management Service. Appthority performed static, dynamic, and behavioral app analysis of 400 paid and free apps spanning iOS and Android to assess the relative security and risky behavior of the most popular apps.

Appthority found that 95 percent of the top 200 free apps on iOS and Android exhibit at least one risky behavior. That number drops to 80 percent for paid apps—an improvement, but four out of five paid apps exhibiting risky behavior is hardly something to cheer about. Appthority also discovered that iOS apps are riskier overall than Android apps—91 percent contain risky behavior as opposed to 83 percent on Android.

They risky behaviors vary, but include things like location tracking—found in 70 percent of the free iOS and Android apps—weak authentication, sharing data with ad networks, accessing the contact list, or identifying the user or UDID.

“Appthority found that 95 percent of the top 200 free apps on iOS and Android exhibit at least one risky behavior. ”

There are a couple significant caveats to the idea of iOS being a greater risk. First, Android apps have a much higher presence of accessing the UDID or identifying the user. Apple took steps to prevent developers from accessing UDID information on iOS mobile devices—but some developers have found ways to circumvent those rules.

The other thing that separates Android from iOS is that, although there are more iOS apps that exhibit risky behavior, the Android apps tend to collect more information about the user and the user’s mobile activities than their iOS counterparts.

To sum up, a higher percentage of iOS apps include risky behaviors than Android apps, and paid apps are generally less risky than free apps.

The differences in many cases are small and semantic, though. The fact that iOS has a higher percentage than Android may offer some small consolation to Android users, but the fact that nearly all of the apps on both major mobile platforms exhibit at least one risky behavior should be a red flag for both app developers and mobile device users—as well as for Apple and Google themselves.

The real lesson to be found in this report is that app developers recognize the financial value of gathering user data, and that mobile apps in general have a long way to go in terms of security and respecting a user’s privacy.

via Report finds iOS apps riskier than Android apps | PCWorld.

Kantar: Windows Phone, Android see massive growth at expense of iOS, Blackberry

We’ve already heard that Nokia and Samsung had disappointing fourth quarters, and Apple’s iPhone has been slowly losing market share throughout 2013. So many may be wondering if anyone’s actually winning the smartphone wars since everyone seems to be losing.

Now the latest report from Kantar Worldpanel gives us a clearer picture who is gaining market share and which markets are the most volatile. Kantar’s data is based on the previous three months, ending in December 2013.

First up, checking the tables below, we can easily see that Android has had another phenomenal year, with increased marketshare around the world. In the U.S., Google’s OS managed to increase its presence and is now sitting just shy of 51%. China and Europe have also seen greater adoption of the OS, which is sitting comfortably at 78% and 68%, respectively. However the biggest change occurred in Latin America, where Android saw a 21 percent increase year over year, and it now pretty much owns the market with an 83% adoption rate.

Despite all this, Samsung has had disappointing results lately, mainly due to increased pressure from local manufacturers in China, and more competition in the low-end market from players such as Nokia.

Speaking of Nokia, which practically owns the Windows Phone market, it too has had a good year in terms of adoption. Windows Phone has seen growth almost across the board. The biggest change is in Europe, where Microsoft’s platform has held double digit figures for the last three months of 2013. That’s almost double compared to last year’s results, when Windows Phone only accounted for 5.6% market share. Other markets have also seen growth, but Windows Phone is still very anaemic when it comes to the U.S. and China.

Finally, the year’s biggest market share losers are Blackberry, which is clinically dead, and more surprisingly Apple. The Cupertino company has seen decreases in pretty much every market. Even in the U.S., where it holds the most sway, iOS has seen a 5.8% decrease with most of those users moving to Android. Another big drop was seen in Europe where Apple’s products lost another 5.2% compared to 2012 and are now sitting at 18.5% marketshare.

Already we know Samsung is going on the offensive with the new Galaxy S5 being supposedly launched in the next couple of months, and there are a ton of rumors as to Apple’s upcoming plans. And let’s not forget Microsoft, which now owns Nokia’s smartphone business. All in all, 2014 is shaping up to be a very interesting year in terms of the smartphone race.

via Kantar: Windows Phone, Android see massive growth at expense of iOS, Blackberry – Neowin.

iOS 7 finally gets jailbroken, just in time for the holidays

In time for the holiday season, an iOS 7 jailbreak has been released from the Evasi0n team, supporting all iPhones, iPod touches, iPads and iPad minis running iOS 7.0 to 7.0.4. The jailbreak is untethered, meaning the device its installed on will remain jailbroken after a reboot.

The process to jailbreak an iOS 7 device is said to be quite easy, taking around five minutes to complete. Once the installer has finished its work, you will be able to begin customizing your device and installing third-party applications, just like with any previous jailbreak for older iOS versions.

However this jailbreak is not without controversy. It has been reported that the version of Cydia (a third-party app store) included with the jailbreak is not official, nor updated. It has also come to light that a second app store called Taig is installed on devices where the language is set to Chinese; Taig sells some cracked/pirated applications, which many members of the jailbreaking community are not happy about.

The good news is that members of team Evasi0n, despite entering an agreement with Taig, are on the case to remove any signs of piracy from the Chinese marketplace. Evasi0n had hoped that their “cooperation with Taig will improve the piracy situation in China”, and will continue to remove pirated apps where they are discovered.

via iOS 7 finally gets jailbroken, just in time for the holidays – TechSpot.