Privacy

Researchers Bypass Apple FaceID Using Biometrics 'Achilles Heel' (threatpost.com)

Vulnerabilities have been uncovered in the authentication process of biometrics technology that could allow bad actors to bypass various facial recognition applications -- including Apple's FaceID. But there is a catch. Doing so requires the victim to be out cold. From a report: Researchers on Wednesday during Black Hat USA 2019 demonstrated an attack that allowed them to bypass a victim's FaceID and log into their phone simply by putting a pair of modified glasses on their face. By merely placing tape carefully over the lenses of a pair of glasses and placing them on the victim's face, the researchers demonstrated how they could bypass Apple's FaceID in a specific scenario. The attack itself is difficult, given the bad actor would need to figure out how to put the glasses on an unconscious victim without waking them up.

To launch the attack, researchers with Tencent tapped into a feature behind biometrics called "liveness" detection, which is part of the biometric authentication process that sifts through "real" versus "fake" features on people. It works by detecting background noise, response distortion or focus blur. One such biometrics tool that utilizes liveness detection is FaceID, which is designed and utilized by Apple for the iPhone and iPad Pro. "With the leakage of biometric data and the enhancement of AI fraud ability, liveness detection has become the Achilles' heel of biometric authentication security as it is to verify if the biometric being captured is an actual measurement from the authorized live person who is present at the time of capture," researchers said during the Black Hat USA 2019 session.

Businesses

Goldman Sachs, Bank of the Rich and Powerful, is Dipping Into Subprime Lending With Apple Card (cnbc.com)

Goldman Sachs is casting a wide net for customers of its new credit card with Apple, approving some subprime borrowers for the product. CNBC: The bank, which is in charge of deciding who gets the Apple Card, is accepting some applications from users with less-than-stellar credit scores, according to people with knowledge of the matter. Goldman began to make the card available to some Apple customers this week ahead of a broader rollout later this month. From the start, Apple wanted its bank partner to create a technology platform that would approve as many of its 100 million-plus U.S. iPhone users as possible, within the bounds of regulations and responsible lending, according to the people. That's in line with the tech giant's desire to provide a good user experience for its customers.

Iphone

Apple Confirms $1 Million Reward For Anyone Who Can Hack An iPhone (forbes.com)

Apple says it will offer up to $1 million for hackers who can find vulnerabilities in iPhones and Macs. "That's up from $200,000, and in the fall the program will be open to all researchers," reports Forbes. "Previously only those on the company's invite-only bug bounty program were eligible to receive rewards." From the report: As Forbes reported on Monday, Apple is also launching a Mac bug bounty, which was confirmed Thursday, but it's also extending it to watchOS and its Apple TV operating system. The announcements came in Las Vegas at the Black Hat conference, where Apple's head of security engineering Ivan Krstic gave a talk on iOS and macOS security. Forbes also revealed on Monday that Apple was to give bug bounty participants "developer devices" -- iPhones that let hackers dive further into iOS. They can, for instance, pause the processor to look at what's happening with data in memory. Krstic confirmed the iOS Security Research Device program would be by application only. It will arrive next year.

The full $1 million will go to researchers who can find a hack of the kernel -- the core of iOS -- with zero clicks required by the iPhone owner. Another $500,000 will be given to those who can find a "network attack requiring no user interaction." There's also a 50% bonus for hackers who can find weaknesses in software before it's released. Apple is increasing those rewards in the face of an increasingly profitable private market where hackers sell the same information to governments for vast sums.

Iphone

Apple Is Locking Batteries To Specific iPhones, a Nightmare for DIY Repair (vice.com)

A longtime nightmare scenario for independent iPhone repair companies has come true: Apple has tied batteries to specific iPhones, meaning that only it has the ability to perform an authorized battery replacement on the newest versions of iPhones, two independent experiments have found. From a report: Battery replacements are among the most common repairs done by Apple and by independent repair companies. This is because lithium ion batteries eventually lose their ability to hold a charge, which will eventually make the phone unusable. Replacing the battery greatly extends the life of the phone: Apple CEO Tim Cook acknowledged earlier this year that battery replacements are resulting in fewer people buying new iPhones, which has affected Apple's bottom line. It's concerning on many levels, then, that on the iPhone XS, XS Plus, and XR, any battery swap not performed by Apple will result in the phone's settings saying that the new battery needs "Service." An iPhone will still turn on and function with an aftermarket battery, but several important features are unavailable, and the iPhone warns users that they should seek service, presumably from an Apple Store.

Facebook

iOS 13 Privacy Feature Will Force Total Overhaul For Facebook Apps (arstechnica.com)

Privacy has been a renewed focus with Apple's next operating system update. One new feature in iOS 13 that seems centered on user privacy could have sweeping consequences for messaging and online call apps. From a report: In iOS 13, Apple will not allow apps to run voice over Internet protocol (VoIP) in the background when the programs are not actively in use. Many apps that offer VoIP services currently run in the background, and they will need to be rewritten to adjust to Apple's upcoming rules. The change is slated to roll out when iOS 13 is released in September. However, app developers will get a grace period, and they have until April 2020 to comply. VoIP services ostensibly stay running in the background so they can connect calls quickly, but they also let those apps collect information about what users are doing on their devices. Restricting the programs that can simply be open at any time on its mobile hardware fits the narrative Apple is crafting about being a trusted place for customer privacy in an increasingly untrustworthy industry.

Google

Alphabet Overtakes Apple To Become Most Cash-Rich Company (theverge.com)

According to The Financial Times, Google's parent company Alphabet has overtaken Apple to become the most cash-rich company in the world. As of the second quarter of this year, Alphabet holds $117 billion in liquid reserves, compared to $102 billion net of debt, for Apple. The Verge reports: Despite the obvious benefits of hoarding so much cash, earning the title of "Cash Kings" might not give much cause for celebration. As the FT notes, such a conspicuous display of wealth could increase pressure from shareholders who'd like to see the company spend more of its money on share buybacks or dividends, and could lead to increased scrutiny from regulators concerned with Google's dominance. Google and its parent company have been hit with around $9.05 billion in antitrust fines by the EU in the past two years, and the company is also facing heavy scrutiny by U.S. lawmakers.

AI

Apple Stops Letting Contractors Listen To Siri Voice Recordings, Will Offer Opt-Out Later (theverge.com)

Apple says it will temporarily suspend its practice of using human contractors to grade snippets of Siri voice recordings for accuracy. The move follows a report in The Guardian where a former worker detailed the program, claiming that contractors "regularly hear confidential medical information, drug deals, and recordings of couples having sex" as part of their job. The Verge reports: "We are committed to delivering a great Siri experience while protecting user privacy," an Apple spokesperson says in a statement to The Verge. "While we conduct a thorough review, we are suspending Siri grading globally. Additionally, as part of a future software update, users will have the ability to choose to participate in grading." Apple did not comment on whether, in addition to pausing the program where contractors listen to Siri voice recordings, it would also stop actually saving those recordings on its servers. Currently the company says it keeps recordings for six months before removing identifying information from a copy that it could keep for two years or more.

Businesses

Spotify Keeps Big Lead Over Apple Music But Disappoints With 108M Subscribers (cnet.com)

In its second-quarter report, Spotify said its subscribers rose 31% year over year to hit 108 million subscribers at the end of June. "That figure was weaker than Spotify expected but keeps it well above its closest competitor, Apple Music, which had 60 million subscribers as of June," reports CNET. From the report: Spotify also said Wednesday that 232 million people now use its service at least once a month, up 29% from a year earlier. Spotify, unlike Apple, has a free tier that lets anyone listen to music with advertising. Apple has never disclosed a monthly-active-user stat; almost all people who use Apple Music are subscribers. Spotify's growth in monthly active users beat the best-case prediction the company made in April, coming in 4 million above the 228 million high end of guidance. But its subscribers -- who make Spotify way more money than ad-supported free listeners -- were at the low end of its expectations. Its 108 million figure scraped into its guidance range of 107 million to 110 million.

Its subscriber growth was relatively weaker because fewer people signed up for its heavily discounted student plan. Spotify also said it would make up for the latest quarter's shortfall by the end of the year. Looking ahead, Spotify predicted that it will have 110 million to 114 million paid subscribers by the end of September and that its monthly active users will increase to between 240 million and 245 million. By the end of the year, it expects to cross the milestone of a quarter of a billion monthly listeners.

China

Your Next iPhone Might Be Made in Vietnam. Thank the Trade War. (nytimes.com)

No country on earth has benefited from President Trump's trade fight with China more than Vietnam. From a report: The country's factories have swelled with orders as American tariffs cause companies to reconsider making their products in China. Now, more big technology firms are looking to bulk up their manufacturing operations in Vietnam, lifting the ambitions of a nation already well on its way to becoming a powerhouse maker of smartphones and other high-end gadgets. First, though, Vietnam needs to get better at making the little plastic casings on your earbuds.

Vu Huu Thang's company in the northern city of Bac Ninh, Bac Viet Technology, produces small plastic parts for Canon printers, Korg musical instruments, and Samsung cellphones and phone accessories, including earbuds. He said it would be hard for his firm to compete against Chinese suppliers as long as he had to buy 70 to 100 tons of imported plastic material every month, most of it made in China. "Vietnam cannot compare with China," Mr. Thang said. "When we buy materials, it's 5, 10 percent more expensive than China already." And the Vietnamese market is too small, he said, to entice plastic producers to set up plants here.

Security

iPhone Bluetooth Traffic Leaks Phone Numbers -- in Certain Scenarios (zdnet.com)

Security researchers say they can extract a user's phone number from the Bluetooth traffic coming from an iPhone smartphone during certain operations. From a report: The attack works because, when Bluetooth is enabled on an Apple device, the device sends BLE (Bluetooth Low Energy) packets in all directions, broadcasting the device's position and various details. This behavior is part of the Apple Wireless Direct Link (AWDL), a protocol that can work either via WiFi or BLE to interconnect and allow data transfers between nearby devices. Previous academic research has revealed that AWDL BLE traffic contains device identification details such as the phone status, Wi-Fi status, OS version, buffer availability, and others. However, in new research published last week, security researchers from Hexway said that during certain operations these BLE packets can also contain a SHA256 hash of the device's phone number.

Businesses

Apple Reports Declining Profits and Stagnant Growth, Again (nytimes.com)

An anonymous reader quotes a report from The New York Times: Apple has long performed like clockwork, growing steadily and producing an ever-growing stream of profit. Not anymore. On Tuesday, the Silicon Valley behemoth said that its net income had fallen 13 percent and that its revenue rose 1 percent in the latest quarter, with iPhone sales continuing to decline and gains in the company's services and wearables business failing to make up the difference. The results showed persistent signs of weakness for one of the world's financial standouts. Apple built its enormous business on the iPhone, but sales of the device have slipped for three straight quarters in a saturated market for smartphones. Yet the results also suggested that the company could be starting to halt declines in those sales and other key areas, including revenue from the Chinese market. Over the previous two quarters, Apple's profits and revenue had fallen over all.

Apple said net income had dropped to $10.04 billion for its fiscal third quarter, from $11.5 billion a year earlier, with profit of $2.18 a share exceeding Wall Street estimates. Revenue rose to $53.8 billion from $53.3 billion a year earlier. In the latest quarter, revenue from iPhone sales fell nearly 12 percent, to $25.97 billion, from a year earlier. In the company's previous quarter, iPhone sales fell 17 percent. For the first time since 2013, iPhone sales did not account for at least half of Apple's revenue, said Yoram Wurmser, an analyst at the market-research firm eMarketer.
Sales in China have declined nearly 25 percent over the previous two quarters, the report adds. "In the latest quarter, Apple's sales in the region fell 4.1 percent, while revenue specifically in mainland China grew."

Google

Google Reveals Fistful of Flaws In Apple's iMessage App (bbc.com)

Google researchers have shared details of five flaws in Apple's iMessage software that could make its devices vulnerable to attack. The BBC reports: In one case, the researchers said the vulnerability was so severe that the only way to rescue a targeted iPhone would be to delete all the data off it. Another example, they said, could be used to copy files off a device without requiring the owner to do anything to aid the hack. Apple released fixes last week. But the researchers said they had also flagged a sixth problem to Apple, which had not been rectified in the update to its mobile operating system.

Apple's own notes about iOS 12.4 indicate that the unfixed flaw could give hackers a means to crash an app or execute commands of their own on recent iPhones, iPads and iPod Touches if they were able to discover it. Apple has not commented on this specific issue, but has urged users to install the new version of iOS, which addresses Google's other discoveries as well as a further range of glitches and threats. One of the two Google researchers involved - Natalie Silvanovich - intends to share more details of her findings at a presentation at the Black Hat conference in Las Vegas next month.

Chrome

Chrome 76 Arrives With Flash Blocked By Default (venturebeat.com)

An anonymous reader shares a report from VentureBeat: Google today launched Chrome 76 for Windows, Mac, Linux, Android, and iOS. The release includes Adobe Flash blocked by default, Incognito mode detection disabled, multiple PWA improvements, and more developer features. You can update to the latest version now using Chrome's built-in updater or download it directly from google.com/chrome. Google has been taking baby steps to kill off Flash for years. In 2015, Chrome started automatically pausing less important Flash content. In 2016, Chrome started blocking "behind the scenes" Flash content and using HTML5 by default. In July 2017, however, Adobe said it would kill Flash by 2020. With Chrome 76, Flash is now blocked by default. Users can still turn it on in settings, but next year, Flash will be removed from Chrome entirely.

Security

Apple's AWDL Protocol Plagued By Flaws That Enable Tracking and MitM Attacks (zdnet.com)

Apple Wireless Direct Link (AWDL), a protocol installed on over 1.2 billion Apple devices, contains vulnerabilities that enable attackers to track users, crash devices, or intercept files transferred between devices via man-in-the-middle (MitM) attacks. From a report: These are the findings of a research project that started last year at the Technical University of Darmstadt, in Germany, and has recently concluded, and whose findings researchers will be presenting later this month at a security conference in the US. The project sought to analyze the Apple Wireless Direct Link (AWDL), a protocol that Apple rolled out in 2014 and which also plays a key role in enabling device-to-device communications in the Apple ecosystem. While most Apple end users might not be aware of the protocol's existence, AWDL is at the core of Apple services like AirPlay and AirDrop, and Apple has been including AWDL by default on all devices the company has been selling, such as Macs, iPhones, iPads, Apple watches, Apple TVs, and HomePods. But in the past five years, Apple has never published any in-depth technical details about how AWDL works. This, in turn, has resulted in very few security researchers looking at AWDL for bugs or implementation errors.

China

Trump Says Apple Will Not Be Given Tariff Waivers or Relief For Mac Pro Parts Made In China (cnbc.com)

An anonymous reader quotes a report from CNBC: In a tweet on Friday, President Trump said his administration will not grant Apple any relief on Mac Pro parts made in China. "Apple will not be given Tariff wavers (sic), or relief, for Mac Pro parts that are made in China," President Trump said. "Make them in USA, no Tariffs!" Apple asked for waivers on tariffs on the Mac Pro. Apple said it wanted to be exempt on some parts it uses for the new Mac Pro, including a power supply unit, the stainless-steel enclosure, finished mice and trackpads and circuit boards. "There are no other sources for this proprietary, Apple-designed component," Apple said in a filing. Apple shifted production of the Mac Pro to China in June, saving shipping costs for components that are supplied near Shanghai.

Iphone

Apple Contractors 'Regularly Hear Confidential Details' on Siri Recordings, Report Says (theguardian.com)

Alex Hern, reporting for The Guardian: Apple contractors regularly hear confidential medical information, drug deals, and recordings of couples having sex, as part of their job providing quality control, or "grading," the company's Siri voice assistant, the Guardian has learned. Although Apple does not explicitly disclose it in its consumer-facing privacy documentation, a small proportion of Siri recordings are passed on to contractors working for the company around the world.

They are tasked with grading the responses on a variety of factors, including whether the activation of the voice assistant was deliberate or accidental, whether the query was something Siri could be expected to help with and whether Siri's response was appropriate. Apple says the data "is used to help Siri and dictation ... understand you better and recognise what you say." [...] Apple told the Guardian: "A small portion of Siri requests are analysed to improve Siri and dictation. User requests are not associated with the user's Apple ID. Siri responses are analysed in secure facilities and all reviewers are under the obligation to adhere to Apple's strict confidentiality requirements." The company added that a very small random subset, less than 1% of daily Siri activations, are used for grading, and those used are typically only a few seconds long.
Further reading: Google Contractors Are Secretly Listening To Your Assistant Recordings; and Amazon Workers Are Listening To What You Tell Alexa.

Businesses

Apple Buys Intel's Smartphone Modem Business (theverge.com)

Apple is officially acquiring Intel's smartphone modem business for $1 billion, the two companies announced today. As rumored earlier this week, the move "would jump-start the iPhone maker's push to take control of developing the critical components powering its devices." The Verge reports: The acquisition means that Apple is now well on the way to producing its own 5G modems for its smartphones, rather than having to rely on Qualcomm for the hardware. Developing its own modems has the potential to deliver big benefits for Apple. In particular, it would no longer be subject to the patent licensing terms of Qualcomm, which were the source of the two companies' lengthy legal dispute. In the past, Apple has accused Qualcomm of charging "disproportionately high" fees in patent royalties, which it was accused of forcing companies to agree to if they want access to its hardware as part of a "no license -- no chips" policy.

The talks with Intel to acquire its modem business are understood to have started last summer, according to the WSJ, when Intel's new CEO Bob Swan arrived with a focus on cleaning up the company and addressing its loss-making segments. Acquiring another business to develop an in-house competitor is a tactic Apple has used at least once before when it spent $300 million to acquire part of Dialog, a company that previously supplied Apple with power management chips for its phones. At the time, that acquisition, which included 300 employees, was Apple's biggest ever in terms of headcount.

Businesses

Apple and Amazon Become Top US Solar Users, Besting Target and Walmart (venturebeat.com)

Apple has spent nearly a decade dramatically expanding its use of solar energy across the United States, and the effort has paid off. From a report: The Solar Energy Industries Association (SEIA) reports today that Apple now has the most installed solar capacity of any U.S. company, followed by Amazon, as both companies vaulted over prior industry leaders Target and Walmart. But there's a catch. In the Solar Means Business 2017 report, Apple ranked fourth behind both of the top brick-and-mortar retailers and Prologis, an industrial warehouse company, while Amazon ranked tenth, below such retailers as Kohls, Costco, Ikea, and Macy's.

The SEIA's just-published 2018 report showed Apple and Amazon surging as measured by megawatts of installed solar capacity, with Apple at 393.3MW to Amazon's 329.8MW. Target jumped from 203.5MW in 2017 to 229.7MW in 2018, and Walmart from 149.4MW to 208.9MW, but the year-over-year gains from their digital-first competitors were comparatively huge.

Desktops (Apple)

Dropbox Irks Mac Users With Annoying Dock Icon, Offers Clueless Support (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Dropbox now opens a new file browser and an associated Dock icon every time it starts, even if you don't want it to. If you're not familiar with Macs, the Dock is the line of applications on the bottom of the screen (or the side, if you've moved it in the settings) and serves the same function as the Windows Taskbar. If my computer restarts or if Dropbox restarts, the new Dropbox window that I don't want pops up in the Dock. This isn't a huge deal, as I can quit Dropbox's new file browser and get rid of that Dock icon each time my computer starts up. I'm not going to stop using Dropbox -- I've been paying the company $138 a year for 2TB of storage and for 12 months' worth of file history, which saves all deleted files and revisions to files. (It's going up to $158 next time I get billed, in February.) It's worth it to me because Dropbox still works great, while the alternatives have always been unreliable or disappointing in other ways when I've tried them. I'll get into that more later in this article.

But the Dock icon and window is a major change in how Dropbox presents itself to users. Dropbox has always been the kind of application that is there when you need it and gets out of the way when you don't. Dropbox's syncing and file-sharing features are integrated with the Finder (the Mac file manager), and there's a little icon in the Mac's Menu Bar at the top of the screen for when you need to change a setting. But now, Dropbox wants to be front and center at all times. The company built its own file browser to replace what's already available in the Mac Finder, and it opens that new file manager every time Dropbox starts. We wrote about it last week when Dropbox started rolling it out to more users. I've had it for more than a month since I somehow ended up in Dropbox's Early Access program.
Ars' Jon Brodkin, the author of the article, also discovered that "there are numerous Dropbox support employees who apparently have never used their company's Mac application and do not understand how it works." Specifically, the employees Brodkin talked to didn't know "that it's possible for Mac applications to run without a Dock icon even though that's exactly how Dropbox worked for a decade... And they've been giving bad advice to users who want to change back to the old way of doing things."

Businesses

Apple Dominates App Store Search Results, Thwarting Competitors (wsj.com)

Apple's mobile apps routinely appear first in search results ahead of competitors in its App Store, a powerful advantage that skirts some of the company's rules on such rankings, according to a Wall Street Journal analysis. From the report: The company's apps ranked first in more than 60% of basic searches, such as for "maps," [Editor's note: the link may be paywalled; alternative source] the analysis showed. Apple apps that generate revenue through subscriptions or sales, like Music or Books, showed up first in 95% of searches related to those apps. This dominance gives the company an upper hand in a marketplace that generates $50 billion in annual spending. Services revenue linked to the performance of apps is at the center of Apple's strategy to diversify its profits as iPhone sales wane. While many of Apple's products are undoubtedly popular, they are held to a different standard by the App Store. Apple tells developers that downloads, user reviews and ratings are factors that influence search results. Yet more than two dozen of Apple's apps come pre-installed on iPhones and are shielded from reviews and ratings.

[...] Audiobooks.com, an RBmedia company, largely held the No. 1 ranking in "audiobooks" searches in the App Store for nearly two years. Then last September it was unseated by Apple Books. The Apple app had only recently begun marketing audiobooks directly for the first time. "It was literally overnight," said Ian Small, Audiobooks.com's general manager. He said the change triggered a 25% decline in Audiobooks.com's daily app downloads. [...] Apple's role as both the creator of the App Store's search engine and the beneficiary of its results has rankled developers. They contend Apple is essentially pinning its apps No. 1, compelling anyone seeking alternatives to consider Apple apps first. [...] Phillip Shoemaker, who led the App Store review process until 2016, said Apple executives were aware of Podcasts' poor ratings. Around 2015, his team proposed to senior executives that it purge all apps rated lower than two stars to ensure overall quality. "That would kill our Podcasts app," an Apple executive said, according to Mr. Shoemaker, who has advised some independent apps on the App Store review process since leaving Apple. The proposal was eventually rejected, Mr. Shoemaker said.