China

Huawei's Efforts To Steal Apple Trade Secrets Include Employee Bonus Program and Other Dubious Tactics: Report (macrumors.com) 131

In a report published Monday, The Information [paywalled] has detailed tactics used by China's Huawei to steal Apple's trade secrets. These tactics include Huawei engineers appealing to Apple's third-party manufacturers and suppliers with promises of big orders, but instead using the opportunity to pry into processes specific to the iPhone maker's component production. From a report: According to today's report, a Huawei engineer in charge of the company's smartwatch project tracked down a supplier that makes the heart rate sensor for the Apple Watch. The Huawei engineer arranged a meeting, suggesting he was offering the supplier a lucrative manufacturing contract, but during the meeting his main intent was questioning the supplier about the Apple Watch. The Huawei engineer attended the supplier meeting with four Huawei researchers in tow. The Huawei team spent the next hour and a half pressing the supplier for details about the Apple Watch, the executive said. "They were trying their luck, but we wouldn't tell them anything," the executive said. After that, Huawei went silent.

This event reportedly reflects "a pattern of dubious tactics" performed by Huawei to obtain technology from rivals, particularly Apple's China-based suppliers. According to a Huawei spokesperson the company has not been in the wrong: "In conducting research and development, Huawei employees must search and use publicly available information and respect third-party intellectual property per our business-conduct guidelines." According to the U.S. Justice Department, Huawei is said to have a formal program that rewards employees for stealing information, including bonuses that increase based on the confidential value of the information gathered.

Operating Systems

Ask Slashdot: Could Android and iOS Become Popular Desktop Operating Systems? 193

dryriver writes: For many older people, you use Windows, macOS, or Linux on the desktop, and Android or iOS on mobile devices. Nobody is screaming for an Android desktop PC or an iOS 17.3-inch laptop computer. But what about younger generations growing up, from a very young age, glued to devices with these two mobile operating systems running on them? Will they want to use Windows, macOS, or Linux just like us old farts when they grow older, or will they want their favorite mobile operating systems running -- in a beefed up and more robust form -- on desktop and laptop computers which they use for school, college, and/or work as well? Since we are on this topic -- could Android or iOS one day become reasonably usable desktop operating systems from an architectural standpoint? And could Google and Apple already be planning for an "Android and iOS on the desktop" computing future, without telling anyone about it publicly?
Piracy

Software Pirates Use Apple Tech To Put Hacked Apps on iPhones (reuters.com) 38

Pirates used Apple's enterprise developer certificates to put out hacked versions of some major apps, a report said Thursday. From the report: Illicit software distributors such as TutuApp, Panda Helper, AppValley and TweakBox have found ways to use digital certificates to get access to a program Apple introduced to let corporations distribute business apps to their employees without going through Apple's tightly controlled App Store. Using so-called enterprise developer certificates, these pirate operations are providing modified versions of popular apps to consumers, enabling them to stream music without ads and to circumvent fees and rules in games, depriving Apple and legitimate app makers of revenue. By doing so, the pirate app distributors are violating the rules of Apple's developer programs, which only allow apps to be distributed to the general public through the App Store. Downloading modified versions violates the terms of service of almost all major apps.
OS X

Shlayer Malware Disables macOS Gatekeeper To Run Unsigned Payloads (bleepingcomputer.com) 91

A new variant of the multi-stage Shlayer malware known to target macOS users has been observed in the wild, now capable of escalating privileges using a two-year-old technique and of disabling the Gatekeeper protection mechanism to run unsigned second stage payloads. Bleeping Computer reports: This new Shlayer variant unearthed by Carbon Black's Threat Analysis Unit (TAU) targets all macOS releases up to the latest 10.14.3 Mojave, and will arrive on the targets' machines as DMG, PKG, ISO, or ZIP files, some of them also signed with a valid Apple developer ID to make them look legitimate. Shlayer samples found by TAU also use malicious shell scripts to download additional payloads just like older installments did, and, in the case of samples distributed as DMG images, will surreptitiously launch a .command script in the background after the user launches the fake Flash installer. The malicious script included in the DMG is encoded using base64 and will decrypt a second AES encrypted script which will be executed automatically after being decrypted.

Once it successfully downloads the second stage malware payload, Shlayer will try "to escalate privileges with sudo using a technique invoking /usr/libexec/security_authtrampoline," presented by Patrick Wardle in his Death by 1000 Installers talk at DEFCON 2017. The next step is to download extra payloads, which all contain adware according to TAU, and it makes sure they'll be able to run on the compromised Mac by disabling the Gatekeeper protection mechanism. After this is accomplished, all extra payloads downloaded and launched by Shlayer will be seen as whitelisted software because the OS will no longer check if they are signed with an Apple developer ID. Also, just in case the malware is not able to disable Gatekeeper on the infected Mac, some of the second stage payloads are also signed with valid developer IDs.

Businesses

Former Apple Lawyer Who Was Supposed To Keep Employees From Insider Trading Has Been Charged With Insider Trading (cnbc.com) 63

The SEC Wednesday charged a former Apple executive with insider trading. From a report: Gene Levoff, senior director of corporate law and corporate secretary until September, "traded on material nonpublic information about Apple's earnings three times during 2015 and 2016," according to the lawsuit filed Wednesday in the U.S. District Court of New Jersey. "Levoff also had a previous history of insider trading, having traded on Apple's material nonpublic information at least three additional times in 2011 and 2012. For the trading in 2015 and 2016, Levoff profited and avoided losses of approximately $382,000," the complaint says. Levoff's position at Apple granted him insider access to not-yet-public earnings results and briefings on iPhone sales, the complaint says. On more than one occasion, he disobeyed the company's "blackout" period for stock transactions, selling or buying stock worth tens of millions of dollars, according to the SEC.
Businesses

Publishers Chafe At Apple's Terms For 'Netflix For News' Subscription Service As It Demands a 50 Percent Revenue Cut (wsj.com) 102

Zorro shares a report from The Wall Street Journal: Apple's plan to create a subscription service for news is running into resistance from major publishers over the tech giant's proposed financial terms (Warning: source may be paywalled; alternative source), according to people familiar with the situation, complicating an initiative that is part of the company's efforts to offset slowing iPhone sales. In its pitch to some news organizations, the Cupertino, Calif., company has said it would keep about half of the subscription revenue from the service, the people said. The service, described by industry executives as a "Netflix for news," would allow users to read an unlimited amount of content from participating publishers for a monthly fee. It is expected to launch later this year as a paid tier of the Apple News app, the people said. The rest of the revenue would go into a pool that would be divided among publishers according to the amount of time users spend engaged with their articles, the people said. Representatives from Apple have told publishers that the subscription service could be priced at about $10 a month, similar to Apple's streaming music service, but the final price could change, some of the people said.

Another concern for some publishers is that they likely wouldn't get access to subscriber data, including credit-card information and email addresses, the people said. Credit-card information and email addresses are crucial for news organizations that seek to build their own customer databases and market their products to readers. Digital subscriptions are powering growth at big publishers including the Times, whose basic monthly subscription costs $15, the Post, which charges $10, and the Journal, which charges $39. Some of those companies are skeptical about giving up too much control to Apple, or cannibalizing their existing subscriptions to sign up lower-revenue Apple users, according to people familiar with the matter.

Privacy

Apple Fails To Block Porn and Gambling 'Enterprise' Apps (techcrunch.com) 77

Facebook and Google were far from the only developers openly abusing Apple's Enterprise Certificate program meant for companies offering employee-only apps. A TechCrunch investigation uncovered a dozen hardcore pornography apps and a dozen real-money gambling apps that escaped Apple's oversight. From the report: The developers passed Apple's weak Enterprise Certificate screening process or piggybacked on a legitimate approval, allowing them to sidestep the App Store and Cupertino's traditional safeguards designed to keep iOS family friendly. Without proper oversight, they were able to operate these vice apps that blatantly flaunt Apple's content policies. The situation shows further evidence that Apple has been neglecting its responsibility to police the Enterprise Certificate program, leading to its exploitation to circumvent App Store rules and forbidden categories.
Businesses

What It's Like To Work Inside Apple's 'Black Site' (bloomberg.com) 81

An anonymous reader shares an excerpt from a Bloomberg report: Apple's new campus in Cupertino, California, is a symbol of how the company views itself as an employer: simultaneously inspiring its workers with its magnificent scale while coddling them with its four-story cafe and 100,000-square-foot fitness center. But one group of Apple contractors finds another building, six miles away on Hammerwood Avenue in Sunnyvale, to be a more apt symbol. This building is as bland as the main Apple campus is striking. From the outside, there appears to be a reception area, but it's unstaffed, which makes sense given that people working in this satellite office -- mostly employees of Apple contractors working on Apple Maps -- use the back door. Workers say managers instructed them to walk several blocks away before calling for a ride home. Several people who worked here say it's widely referred to within Apple as a "black site," as in a covert ops facility.

Inside the building, say former workers, they came to expect the vending machines to be understocked, and to have to wait in line to use the men's bathrooms. Architectural surprise and delight wasn't a priority here; after all, the contract workers at Hammerwood almost all leave after their assignments of 12 to 15 months are up. It's not uncommon for workers not to make it that long. According to 14 current and former contractors employed by Apex Systems, a firm that staffs the building as well as other Apple mapping offices, they operated under the constant threat of termination. "It was made pretty plain to us that we were at-will employees and they would fire us at any time," says one former Hammerwood contractor, who, like most of the workers interviewed for this story, spoke on condition of anonymity because he signed a nondisclosure agreement with Apex. "There was a culture of fear among the contractors which I got infected by and probably spread."
Apex manages the workers it hires -- not Apple. "Following an inquiry from Bloomberg News, the company says, it conducted a surprise audit of the Hammerwood facility and found a work environment consistent with other Apple locations," reports Bloomberg.

"Like we do with other suppliers, we will work with Apex to review their management systems, including recruiting and termination protocols, to ensure the terms and conditions of employment are transparent and clearly communicated to workers in advance," an Apple spokesperson says in a statement.
Iphone

New iPhones To Stick With Lightning Over USB-C, Include Slow-Charging 5W USB-A Charger In Box (9to5mac.com) 248

For those hoping the next iPhone would ditch the Lightning port in favor of the more versatile USB-C port, you'll surely be disappointed by the latest rumor. "Japanese site Macotakara says that not only will the 2019 iPhone use Lightning, Apple will also continue to bundle the same 5W charger and USB-A to Lightning cable in the box," reports 9to5Mac. "This is seen as a cost saving measure. It seems that customers wanting faster iPhone charge times will still have to buy accessories, like the 12W iPad charger." From the report: The site explains that the Lightning port is not going anywhere and Apple is resistant to changing the included accessories to maintain production costs. Apple can benefit from huge economies of scale by selling the same accessories for many generations. As such, Apple apparently will keep bundling Lightning EarPods, Lightning to USB-A cable, and the 5W USB power adaptor, with the 2019 iPhone lineup. This is disappointing as Apple began shipping an 18W USB-C charger with its iPad Pro line last fall, and many expected that accessory to become an iPhone standard too. Even if the iPhone keeps the Lightning port, Lightning can support fast-charging over the USB Type-C protocol. It's not clear if the cost savings of this decision would be passed on to consumers with lower cost 2019 iPhone pricing.
Cloud

How Hackers and Scammers Break Into iCloud-Locked iPhones (vice.com) 73

Motherboard's Joseph Cox and Jason Koebler report on the underground industry where thieves, coders, and hackers work to remove a user's iCloud account from a phone so that it can then be resold. They reportedly are able to do this by phishing the phone's original owners or scamming employees at Apple Stores, which have the ability to override iCloud locks. The other method (that is very labor intensive and rare) involves removing the iPhone's CPU from the Logic Board and reprogramming it to create what is essentially a "new" device. It is generally done in Chinese refurbishing labs and involves stealing a "clean" phone identification number called an IMEI. Here's an excerpt from their report: Making matters more complicated is the fact that not all iCloud-locked phones are stolen devices -- some of them are phones that are returned to telecom companies as part of phone upgrade and insurance programs. The large number of legitimately obtained, iCloud-locked iPhones helps supply the independent phone repair industry with replacement parts that cannot be obtained directly from Apple. But naturally, repair companies know that a phone is worth more unlocked than it is locked, and so some of them have waded into the hacking underground to become customers of illegal iCloud unlocking companies.

In practice, "iCloud unlock" as it's often called, is a scheme that involves a complex supply chain of different scams and cybercriminals. These include using fake receipts and invoices to trick Apple into believing they're the legitimate owner of the phone, using databases that look up information on iPhones, and social engineering at Apple Stores. There are even custom phishing kits for sale online designed to steal iCloud passwords from a phone's original owner. [...] There are many listings on eBay, Craigslist, and wholesale sites for phones billed as "iCloud-locked," or "for parts" or something similar. While some of these phones are almost certainly stolen, many of them are not. According to three professionals in the independent repair and iPhone refurbishing businesses, used iPhones -- including some iCloud-locked devices -- are sold in bulk at private "carrier auctions" where companies like T-Mobile, Verizon, Sprint, AT&T, and cell phone insurance providers sell their excess inventory (often through third-party processing companies.)

Intel

Apple's Internal Hardware Team Is Working On Modems That Will Likely Replace Intel (arstechnica.com) 81

An anonymous reader quotes a report from Ars Technica: Apple will design its own modems in-house, according to sources that spoke with Reuters. In doing so, the company may hope to leave behind Intel modems in its mobile devices, which Apple has used since a recent falling out with Qualcomm. According to the sources, the team working on modem design now reports to Johny Srouji, Apple's senior vice president of hardware technologies. Srouji joined Apple back in 2004 and led development of Apple's first in-house system-on-a-chip, the A4. He has overseen Apple silicon ever since, including the recent A12 and A12X in the new iPhone and iPad Pro models.

Before this move, Apple's modem work ultimately fell under Dan Riccio, who ran engineering for iPhones, iPads, and Macs. As Reuters noted, that division was heavily focused on managing the supply chain and working with externally made components. The fact that the team is moving into the group focused on developing in-house components is a strong signal that Apple will not be looking outside its own walls for modems in the future. In recent years, Apple has been locked in a costly and complex series of legal battles with Qualcomm, the industry's foremost maker of mobile wireless chips. While Apple previously used Qualcomm's chips in its phones, the legal struggles led the tech giant to turn instead to Intel in recent iPhones.

Privacy

Apple Tells App Developers To Disclose Or Remove Screen Recording Code (techcrunch.com) 33

An anonymous reader quotes a report from TechCrunch: Apple is telling app developers to remove or properly disclose their use of analytics code that allows them to record how a user interacts with their iPhone apps -- or face removal from the app store, TechCrunch can confirm. In an email, an Apple spokesperson said: "Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity." "We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary," the spokesperson added.

It follows an investigation by TechCrunch that revealed major companies, like Expedia, Hollister and Hotels.com, were using a third-party analytics tool to record every tap and swipe inside the app. We found that none of the apps we tested asked the user for permission, and none of the companies said in their privacy policies that they were recording a user's app activity. Even though sensitive data is supposed to be masked, some data -- like passport numbers and credit card numbers -- was leaking.

Security

Apple Releases iPhone Update To Fix Group FaceTime Eavesdropping Bug (cnet.com) 37

Apple on Thursday released iOS 12.1.4, an iPhone update that fixes a Group FaceTime bug that allowed users to eavesdrop on each other. The update is available for the iPhone 5S and later, iPad Air and later, and iPod touch 6th generation. From a report: Last week, Apple turned off Group FaceTime after a bug was identified that allowed iPhone users to call another device via the FaceTime video chat service and hear audio on the other end before the recipient had answered the call. It essentially turned any iPhone into a hot mic without the user's knowledge. Apple on Friday said it'd fixed the vulnerability on its servers and that it'd issue a software update to re-enable Group FaceTime. Apple also apologized to users who were affected and said it takes the security of its products "extremely seriously."
Safari

Apple Removes Useless 'Do Not Track' Feature From Latest Beta Versions of Safari (macrumors.com) 137

In the release notes for Safari 12.1, the new version of Apple's browser installed in iOS 12.2, Apple says that it is removing support for the "Do Not Track" feature, which is now outdated. From a news writeup: "Removed support for the expired Do Not Track standard to prevent potential use as a fingerprinting variable," the release note reads. The same feature was also removed from Safari Technology Preview today, Apple's experimental macOS browser, and it is not present in the macOS 10.14.4 betas. According to Apple, Do Not Track is "expired" and support is being eliminated to prevent its use as, ironically, a fingerprinting variable for tracking purposes. It is entirely up to the advertising companies to comply with the "Do Not Track" messaging, and it has no actual function beyond broadcasting a user preference.
Security

Researcher Reveals a Severe, Unpatched Mac Password Flaw To Protest Apple Bug Bounty (venturebeat.com) 155

Linus Henze, a credible researcher, has revealed an exploit that in a single button press can reveal the passwords in a Mac's keychain. From a report: Keychain is where macOS stores most of the passwords used on the machine, ranging from iMessage private encryption keys to certificates, secured notes, Wi-Fi, and other Apple hardware passwords, app passwords, and web passwords. A pre-installed app called Keychain Access enables users to view the entire list of stored items, unlocking each one individually by repeatedly entering the system password, but Henze's KeySteal exploit grabs everything with a single press of a "Show me your secrets" button.

While the demo is run on a 2014 MacBook Pro without Apple's latest security chips, Henze says that it works "without root or administrator privileges and without password prompts, of course." It appears to work on the Mac's login and system keychains, but not iCloud's keychain. Generally, white hat security researchers publicly reveal flaws like this only after informing the company and giving it ample time to fix the issues. But Henze is refusing to assist Apple because it doesn't offer paid bug bounties for macOS.

Businesses

Apple Reaches Deal With France To Pay Estimated $571 Million In Back-Taxes (macrumors.com) 114

Apple has reached a deal with French authorities to pay an undeclared amount of back-dated tax. While the amount isn't disclosed, French media suggest the sum is around $571 million (500 million euros). MacRumors reports: France has been working diligently to stop tech companies like Apple from exploiting tax loopholes in the country. The loopholes are said to have allowed Apple to "minimize taxes and grab market share" at the expense of Europe-based companies. French President Emmanuel Macron is one of the leaders behind the tax crackdown on international tech companies, with a goal of bringing a more unified corporate tax system across the nineteen euro area states.

As noted by iPhon.fr, Apple and French tax authorities reached the agreement for the payment of several years of unpaid taxes in December, according to French newspaper L'Expansion. The agreement followed a meeting in October between Apple CEO Tim Cook and President Macron, in which both reportedly agreed that a solution would ultimately be enacted by the European Union rather than France.

AT&T

Apple Just Endorsed AT&T's Fake 5G E Network (theverge.com) 116

There are no 5G iPhones, and there probably won't be 5G iPhones for a while. But that isn't stopping Apple and AT&T: they are reportedly rolling out AT&T's fake "5G E" branding with its upcoming iOS 12.2 update. From a report: Much like when the two companies pulled this scam with 4G and LTE back in 2012, if you can't beat them, you roll out a software update to make it look like you did even though the phones and network are still exactly the same. Multiple users on Twitter are now reporting that they're seeing the new 5G E icon on devices running the latest iOS 12.2 beta 2, which was released earlier today. The new icon isn't there for everyone, presumably because it will only appear in cities where AT&T's 5G Evolution network -- the company's intentionally misleading name for its LTE network that it seems to hope customers will confuse for actual, next-generation 5G networks -- is active.
Bug

Teenager Who Found FaceTime Bug Will Be Eligible For Bug Bounty Program (9to5mac.com) 49

Grant Thompson, the teenager who reported the FaceTime bug last week, will be eligible for the Apple bug bounty program. "Apple's bug bounty system is typically invite-only and limited to specific categories of security flaws, like accessing iCloud account data or demonstrating ways for iPhone apps to escape the security sandbox of iOS," reports 9to5Mac. "It appears the company is making an exception here given the embarrassingly public nature of the case, although further details about the reward have yet to be discussed." From the report: The FaceTime bug that made waves as a result of 9to5Mac's coverage last week was actually first reported to Apple by Grant Thompson and his mother in Arizona a week earlier. However, deficiencies in the Apple bug reporting process meant that the report was not acted upon by the company. Instead, the teenager made headlines when his mother shared their Apple communications on Twitter. Their claims were later proved to be legitimate.

Around January 22, Apple Support directed them to file a Radar bug report, which meant the mother had to first register a developer account as an ordinary customer. Even after following the indicated steps, it does not appear that Apple's product or engineering teams were aware of the problem until its viral explosion a week later. CNBC reports that an unnamed "high-level Apple executive" met with the Thompsons at their home in Tucson, Arizona on Friday. They apparently discussed how Apple could improve its bug reporting process and indicated that Grant would be eligible for the Apple bug bounty program.

Businesses

2018 Was the 'Worst Year Ever' For Smartphone Shipments (cnbc.com) 218

2018 was the worst year ever for smartphone shipments, according to the latest figures from research firm IDC. It means Apple isn't the only company fighting to keep people interested in buying new phones every year. From a report: IDC said 1.4 billion smartphones were sold in 2018, marking a 4.1 percent decline for the year in an industry that's accustomed to rapid growth. In 2014, as well, 1.4 billion phones were shipped, which means the industry seems to have regressed about 5 years. Shipments shrank 4.9 percent for the fourth quarter of 2018, IDC said. Apple said earlier this week that iPhone revenues were 15 percent lower than last year. CEO Tim Cook said the strengthened dollar, an economic slowdown in China, lower subsidies on phones and its battery replacement program contributed to the drop in sales. Samsung phone shipments declined 5.5 percent and Apple's slipped 11.5 percent during the quarter, IDC said. But Huawei, which was able to capitalize on China, saw a 33.6 percent bump in shipments. Chinese vendors Oppo and Xiaomi also increased shipments, IDC said.
AI

A Look at the Number of Languages Popular Voice Assistant Services Support (venturebeat.com) 74

An anonymous reader shares a report: Contrary to popular Anglocentric belief, English isn't the world's most-spoken language by total number of native speakers -- nor is it the second. In fact, the West Germanic tongues rank third on the list, followed by Hindi, Arabic, Portuguese, Bengali, and Russian. (Mandarin and Spanish are first and second, respectively.) Surprisingly, Google Assistant, Apple's Siri, Amazon's Alexa, and Microsoft's Cortana recognize only a relatively narrow slice of these.

Google Assistant: With the addition of more than 20 new languages in January, the Google Assistant took the crown among voice assistants in terms of the number of tongues it understands. It's now conversant in 30 languages in 80 countries, up from 8 languages and 14 countries in 2017.
Apple's Siri: Apple's Siri, which until January had Google Assistant beat in terms of sheer breadth of supported languages, comes in a close second. Currently, it supports 21 languages in 36 countries and dozens of dialects for Chinese, Dutch, English, French, German, Italian, and Spanish.
Microsoft's Cortana: Cortana, which made its debut at Microsoft's Build developer conference in April 2013 and later came to Windows 10, headphones, smart speakers, Android, iOS, Xbox One, and even Alexa via a collaboration with Amazon, might not support as many languages as Google Assistant and Siri. Still, it has come a long way in six years.
Amazon's Alexa: Alexa might be available on over 150 products in 41 countries, but it understands the fewest languages of any voice assistant: English (Australia, Canada, India, UK, and US), French (Canada, France), German, Japanese (Japan), and Spanish (Mexico, Spain).
Samsung's Bixby: Samsung's Bixby -- the assistant built into the Seoul, South Korea company's flagship and midrange Galaxy smartphone series and forthcoming Galaxy Home smart speaker -- is available in 200 markets globally but only supports a handful of languages in those countries: English, Chinese, German, French, Italian, Korean, and Spanish.
