Posts tagged ‘Apple’

15 Oct

‘Secure’ apps in Google’s Play Store are a crapshoot

Infosec Apple fanboys are not known for their empathy — either for those who can’t afford their holy high fetish of phone security (iPhone) or for those who simply can’t stomach the ecosystem’s mounting hypocrisies.

But there’s one thing on their side. Apple’s App Store at least tries to curate product security, while Google’s Play Store is like playing appsec Russian roulette.

Nowhere has that been made more clear than in a post by researcher Jon Sawyer, called Password Storage in Sensitive Apps. Sawyer does freelance contract work “breaking and/or fixing Android phones and related software” — he hacks everything Android. For a recent gig, he was contacted by a forensic specialist for a law enforcement agency.

The law enforcement contact told Sawyer they had a phone with information on it “that could make or break a very sensitive case.” They had been trying to access the phone’s files and get data off the device with commercial mobile forensic tools but weren’t having any luck.

Sawyer verified their identity and purpose and got to the task at hand. “Using a backdoor … and some trickery we were able to fully extract all data off the device,” he explained. “This had me thinking, what next? What if this criminal was using another layer of security? What if they had a ‘secure storage’ app, what if their photos, videos and whatnot were encrypted in an additional layer of security?”

Sawyer searched Google’s app store for “Secure Photo” and grabbed the first result. He doesn’t say which app this is. But in my search, the top result was Hide Pictures Keep Safe Vault, listed as a Play Store “Editors’ Choice” by a “Top Developer,” with 4.6 stars and between 10 million and 50 million downloads.

When he started hacking the app and looking at the supposedly safe and secure files, Sawyer found that “sure enough the files stored were encrypted.” But then he discovered that “the PIN was stored in plaintext as a shared preference” — making the app neither safe nor secure should you want to keep your files from the prying eyes of hackers or law enforcement.
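The storage defect Sawyer describes, shown as an added example that is not code from either app or from his post: the plaintext SharedPreferences write beside a version that stores only a random salt and a PBKDF2 hash of the PIN. The class and preference key names are assumed, and it targets Android API 26 or later for java.util.Base64 and PBKDF2WithHmacSHA256.

```java
import android.content.Context;
import android.content.SharedPreferences;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class PinStore {
    private static final int ITERATIONS = 100_000;
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;
    private final SharedPreferences prefs;

    public PinStore(Context ctx) {
        // Preference file name is assumed; MODE_PRIVATE only keeps other apps out,
        // it does nothing against a forensic image or a rooted device.
        prefs = ctx.getSharedPreferences("pin_store", Context.MODE_PRIVATE);
    }

    // The weak pattern from the post: the PIN itself lands in the XML file.
    public void setPinPlaintext(String pin) {
        prefs.edit().putString("pin", pin).apply();
    }

    // Hardened: persist a fresh random salt plus PBKDF2(pin, salt); the PIN is never written.
    public void setPin(char[] pin) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] hash = derive(pin, salt);
        Arrays.fill(pin, '\0'); // do not leave the PIN lying around in heap
        prefs.edit()
             .putString("pin_salt", Base64.getEncoder().encodeToString(salt))
             .putString("pin_hash", Base64.getEncoder().encodeToString(hash))
             .apply();
    }

    // Re-derive with the stored salt and compare in constant time.
    public boolean verifyPin(char[] pin) throws Exception {
        String saltB64 = prefs.getString("pin_salt", null);
        String hashB64 = prefs.getString("pin_hash", null);
        if (saltB64 == null || hashB64 == null) return false;
        byte[] expected = Base64.getDecoder().decode(hashB64);
        byte[] actual = derive(pin, Base64.getDecoder().decode(saltB64));
        Arrays.fill(pin, '\0');
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] derive(char[] pin, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pin, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }
}
```

A four-digit PIN has only 10,000 candidates, so even the hashed form falls quickly to anyone who copies the preferences file off the device; a vault app that actually wants to resist the scenario Sawyer describes should use the PIN to unlock a key held in the Android Keystore rather than derive its protection from the PIN alone.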

Apparently, for Sawyer, this was so easy it was no fun. He moved on to installing and hacking the next result in his search, Private Photo Vault. That one had a 4.1-star rating, 17,000 starred reviews, and over one million downloads.

“The #1 iOS Private Photo App is now available on Android! Private Photo Vault is a photo safe that keeps all of your private pictures and videos hidden behind a password.”

The researcher was hopeful. “The initial results were more promising than the first app, no plaintext PIN stored in the shared preferences.” But, he wrote, “the promise didn’t last long.” When Sawyer found (by testing it on himself) that unmasking any Vault user’s PIN code was easy, he “stopped analysis at this point, the app was already beyond broken.

“These companies are selling products that claim to securely store your most intimate pieces of data, yet are at most snake oil. You would have near equal protection just by changing the file extension and renaming the photos.”

If you want to know what happens when a hacker visits the Google Play Store trying to find an app that can’t be cracked … well, it’s not pretty. And that’s where Apple’s App Store has some advantage, even though iOS apps aren’t as secure as users want to believe. Yet while the App Store is hypocritically censored to hell and back, treats developers like crap and has its share of garbage on offer, app security has always been its strong suit.

Although there was that one time scientists at Georgia Tech got an app named Jekyll into the App Store in 2013. Jekyll bypassed every security measure put in place by Apple to protect its users and could stealthily tweet, take photos, steal device identity information, send email and SMS and much more. “Our method allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process,” the researchers wrote in their paper, Jekyll on iOS: When Benign Apps Become Evil.

The app was pulled before anyone downloaded it, but the point was made: Nothing is as secure as any company promises. And in typical Apple PR fashion, it still remains unclear whether the vulnerabilities exploited by Jekyll were completely fixed.

With Google’s new Pixel phone, an attack like this is at least less likely. Similar to its Nexus phones on Google’s Project Fi program, the Pixel will mainline operating system updates and security refreshes (one of many reasons I’ll be excited to get my hands on one, app store sketchiness notwithstanding). But, as Jon Sawyer found out after his recent law enforcement project, there’s a lot of false advertising in the Play Store under the guise of “secure” apps.

As I mentioned, I’m an Android phone user and fan, so I obviously don’t believe it’s all snake oil in the Google Play Store. I just think it’s wise to make our downloading decisions with the scrutiny afforded by the death of security-by-way-of-wishful-thinking.

14 Oct

New in our buyer’s guide: The iPhone 7 and Fitbit Charge HR

Well, well, well. After just a few months of phone releases and reviews, our smartphone buyer’s guide section looks very different than it did recently. New to the guide, as you’d expect, are the iPhone 7 and 7 Plus, both of which earned strong reviews from us. The HTC 10 and Galaxy S7 have held their spots there, with the OnePlus 3 rounding out the list at the lower end. (And yes, we are thanking our lucky stars that we didn’t have time to add the highly rated Galaxy Note 7 into the guide before it was recalled and discontinued.)

We’ve also made some changes to our wearables section, with the Apple Watch Series 1 and Series 2 both making the cut (the Series 2 is the best in absolute terms, but we recommend the Series 1 for more people). You’ll also find the Fitbit Charge 2, our new favorite all-around fitness tracker. Find all that and more right here in our buyer’s guide, and be sure to check back soon — we plan to review some highly anticipated releases like Google’s new Pixel phones as well as the PlayStation Pro.

Source: Engadget Buyer’s Guide

14 Oct

Apple adds SIM-free iPhone 7 and 7 Plus option in the US

Apple has started selling SIM-free iPhone 7 and 7 Plus — on its US website, at least — just like it did for the previous models. It’s the way to go if you’d rather not be tied down with a two-year AT&T, T-Mobile, Sprint or Verizon contract. The unit you’re getting is also unlocked and supports both CDMA and GSM networks, so you can take it to any carrier you want to get the best plan for your lifestyle.

The moment you click “SIM-free” on the iPhone 7 section, you’ll get taken through a series of pages where you can choose its finish and storage size. Take note that you’ll have to wait twice as long (six to eight weeks) to get the Jet Black version, which isn’t really surprising, since it sold out way back in mid-September. Also, you’ll have to pay the phone’s full price, though Apple does offer up to 18 months of special financing. If this is the first time you’re getting a SIM-free iPhone, don’t forget to read the FAQ on the website to make sure you know exactly what you’re getting.

Via: 9to5mac

Source: Apple

14 Oct

Apple reportedly wants to use changeable E Ink keyboards

Apple’s plans for advanced laptop controls may extend beyond that rumored OLED touch strip. Both 9to5Mac and TrustedReviews report that Apple has been in talks to use a laptop version of Sonder Design’s dynamic keyboard technology, which uses E Ink to change key labels on the fly. Just how Tim Cook and company would implement the hardware isn’t clear, but it might work the way these keyboards have operated since the days of Art Lebedev’s Optimus Maximus. If so, you’d get handy labels on keys as you switch contexts, such as brushes in an image editor or different characters when you switch languages.

Although Sonder has confirmed that talks have taken place, it’s not saying whether or not it has a deal. It only adds that it’s “closing B2B procurement contracts” with three laptop makers, and that Foxconn (which helped get Sonder off the ground) and E Ink are helping. Given the timing, you probably aren’t going to get a MacBook with this keyboard any time soon. Even if Apple has a contract in place (there’s no guarantee that it has), you probably wouldn’t see these livelier keyboards until 2017 at the earliest.

Source: 9to5Mac, TrustedReviews

14 Oct

4chan may have wiped Clinton campaign chief’s iPhone

Hillary Clinton’s campaign chief, John Podesta, might be having a particularly lousy week. In the wake of WikiLeaks dumps revealing Podesta’s email and the sensitive account details inside, intruders (apparently from 4chan’s /pol/ board) claim to have hijacked his iCloud account and wiped his iOS devices. They may have been the ones who briefly compromised his Twitter account, too. Podesta’s social account is back in running order, but it’s not certain what happened to his iPhone and iPad.

As with earlier high-profile iCloud intrusions, this doesn’t appear to be a hack. Instead, the intruders took advantage of what knowledge WikiLeaks offered to reset passwords and take control. That suggests that Podesta wasn’t using two-factor authentication to protect his accounts — an odd oversight for someone long considered a high-profile target, especially when WikiLeaks data has circulated for days.

It’s difficult to know whether or not 4chan members are directly responsible, or did as much damage as they claimed they did. The screenshots are plausible, but it’s easy to imagine someone on the prank-prone site whipping up faked images to look like a champion to Clinton haters. We’ve reached out to the Clinton campaign to see if it can confirm any details and say what it’s doing next, although Podesta has already blamed the Russian government for the hack that led to the email breach. Whatever it says, it’s safe to presume that the campaign will be double-checking its security measures.

Apparently some asshole from anonymous compromised Podesta’s Apple account using creds in WL dump and remotely wiped his phone. V cruel. pic.twitter.com/ZdfWf2NkuY

— Pwn All The Things (@pwnallthethings) October 13, 2016

Via: Ars Technica, The Verge

Source: Pwn All The Things (Twitter 1), (2), (3)

13 Oct

Inside the redesigned Apple Store on Regent Street

Soon, Apple’s store on Regent Street, London, will re-open to the public. The gadget mecca has been given a radical makeover, retiring the old glass staircase and much of the first floor. In their place you’ll find a double height “grand hall” which stretches seven meters above you. Twelve trees have been added to the ground floor, as well as some circular sofas (made from Rolls-Royce leather), and two staircases made from a pale Castagna stone. Climbing these will take you to a smaller space upstairs, where Apple’s new “Creative Pros” can teach you about specialised software.

The same design concept was rolled out in the US earlier this year. Regent Street is the first location in Europe to receive the new treatment, however. It was put together by Foster+Partners, the same architecture firm working on Apple’s new spaceship campus in Cupertino. It feels pretty spacious, although I suspect that feeling will disappear when hundreds of customers are battling for an Apple Genius. The store also has a fresh, earthy look. In addition to the new trees, Apple has added some wall panels covered in foliage. The tall glass windows still reside at the front of the shop too, meaning there’s plenty of natural light pouring onto the demo units.

Before its public opening this Saturday (October 15th), Apple invited us to take a look around. The new design contains few surprises — it’s very consistent with Apple’s longstanding design ethos — but does highlight the company’s relentless push to improve its retail presence. Google, take note.

13 Oct

Apple Store fires staff for stealing customers’ private pics

Another Apple Store in Australia is embroiled in a scandal, and this time, it involves explicit photos. According to Courier Mail (membership required), the Carindale Apple Store in Queensland fired four male employees for not only stealing sensitive images from customers’ phones sent in for repair, but also for taking creepshots of their female co-workers. The four reportedly shared their loot with other employees in chat, where they rated women’s body parts out of 10. By the time their MO was discovered, they already had quite a collection going: the publication says they were in possession of over 100 creepshots and stolen images, including close-ups of women’s chests and derrières.

The whole thing was apparently blown wide open when a staff member found one of the employees involved browsing a customer’s iPhone in the repair room. Courier Mail says the Carindale store then brought in an HR executive from overseas to investigate the issue.

In a statement sent to the various publications, Apple insists that its investigator didn’t find evidence that the employees transferred customers’ photos and took inappropriate shots of female co-workers without their consent. Nevertheless, Cupertino confirmed that the store already sacked several people as a result of its findings. It’s unclear why the company would fire anyone if nothing improper took place, so we reached out for clarification.

Here is Apple’s full statement:

“We are investigating a violation of Apple’s business conduct policy at our store in Carindale, where several employees have already been terminated as a result of our findings.

Based on our investigation thus far, we have seen no evidence that customer data or photos were inappropriately transferred or that anyone was photographed by these former employees. We have met with our store team to let them know about the investigation and inform them about the steps Apple is taking to protect their privacy.

Apple believes in treating everyone equally and with respect, and we do not tolerate behaviour that goes against our values.”

Last year, an Apple Store in Melbourne landed in hot water after employees kicked out a group of black teenagers. Their reason? They were worried that the kids would “steal something.” The store apologized for the incident, and Apple chief Tim Cook sent out a company-wide email calling the incident “unacceptable.”

Via: Mashable

Source: Courier Mail

12 Oct

Apple will build an R&D center in China’s Silicon Valley

Apple needs China a little more than China needs Apple, which is why the company is bending over backwards to show some love to the Middle Kingdom. VentureBeat is reporting that the iPhone maker will open a research and development center in Shenzhen, the Silicon Valley of Hardware. The site quotes Apple spokesperson Josh Rosenstock saying that the facility will help Apple’s engineers work “even more closely and collaboratively with our manufacturing partners.” Given that Shenzhen is home to Foxconn City, the site where several Apple products are assembled, it makes sense that Apple would push for an official presence in the region.

The site quotes local news sources as saying that Tim Cook held a meeting with Shenzhen officials while at a Chinese innovation event, and was joined by Foxconn chief Terry Gou. It’s not the first time that Apple has pledged to build facilities in the country this year, with Cook pledging cash for a research and development building in Beijing back in August. That project is designed to increase cooperation with a country that’s been increasingly wary of Apple’s presence.

China very quickly became a key driver of iPhone growth for Apple, but as the smartphone market has stalled, those figures have begun to droop. The firm wants to demonstrate that it’s in for the long haul, however, and is using its financial muscle to put down roots in the country to assuage twitchy regulators. As well as pledging to build two facilities, the company pumped $1 billion into Uber-rival Didi Chuxing (which subsequently merged with its frenemy). That sort of cash should go some way in easing the fears of officials who want to protect local companies, which is one of the reasons China banned the iTunes Movie and iBooks stores earlier this year.

Source: VentureBeat

11 Oct

Apple suspends developer account over ‘review fraud’

Review fraud is a hot topic of late. Both Amazon and Steam are dealing with it in their own ways, and now Apple is jumping into the fray with the creator of the dev tool Dash. Apple removed the application from the App Store last week, later telling Bogdan Popescu that his account was being suspended due to suspicion of review manipulation. Popescu’s side of the story is this: around four years ago he paid for a relative’s Apple Developer Program membership with his credit card and gave her some test hardware to work with.

“From then on, those accounts were linked in the eyes of Apple,” Popescu writes. “Once that account was involved with review manipulation, my account was closed.” Popescu says that he wasn’t given any advance warning of the shutdown and assumed that certain features of his iTunes Connect account being disabled (the account showing as closed and apps being pulled from the digital storefront) were part of migrating from an individual account to a company one.

That wasn’t the case. Apple told Popescu (he recorded his last phone call with an Apple representative) that to get his account reinstated, he’d have to pen a blog post admitting “some wrongdoing.”

“I told them I can’t do that because I did nothing wrong,” Popescu says. “On Saturday they told me that they are fine with me writing the truth about what happened, and that if I did that, my account would be restored.

“Saturday night I sent a blog post draft to Apple and have since waited for their approval. Tonight, Apple decided to accuse me of manipulating the App Store in public via a spokesperson.”

Apple’s statement to iMore is as follows:

“Almost 1,000 fraudulent reviews were detected across two accounts and 25 apps for this developer so we removed their apps and accounts from the App Store. Warning was given in advance of the termination and attempts were made to resolve the issue with the developer but they were unsuccessful.

We will terminate developer accounts for ratings and review fraud, including actions designed to hurt other developers. This is a responsibility that we take very seriously, on behalf of all of our customers and developers.”

In the recorded phone call, Popescu says that he was never contacted, and the Apple spokesperson confirms that the company had instead contacted the other person (presumably Popescu’s relative) about the incident because, from Apple’s perspective, the two accounts were the same entity.

The phone call posted in the post does not match Apple’s press announcement at all. https://t.co/HaCM6jrvAB

— Spooky Streza (@SteveStreza) October 10, 2016

Popescu says he’s never engaged in review fraud — giving his own app high ratings and leaving negative ones for competitors — and that “Apple’s decision is final and can’t be repealed.”

“We want to work with you, but we want to make it clear that we didn’t make a mistake, right?” the spokesperson asks on the call. “We were correct when we did our investigation and we had uncovered that your account was linked to an account with fraudulent activity. And when we say ‘linked,’ we mean that test devices, credit card that was used to enroll the accounts.”

It paints Popescu into a corner, because while he says he didn’t do any of the nefarious deeds himself, he’s still being punished under Apple’s draconian viewpoint. For now, Popescu says that he’ll continue supporting the desktop version of Dash and that if you want to keep using it you should migrate your license immediately.

“I don’t know if/when things will go back to normal,” he says.

We’ve reached out to Apple for a comment and will update this post should more information arrive.

Via: The Loop

Source: Kapeli (1), (2)

11 Oct

Samsung’s cylindrical PC looks like a very trendy trash can

Apple, HP and MSI aren’t the only ones big on super-stylish, trash can-shaped desktop PCs. Samsung has quietly started taking pre-orders for the ArtPC Pulse, a cylindrical computer that bears more than a passing resemblance to the current-generation Mac Pro. The two systems couldn’t be more different in terms of focus, however. While the Mac is aimed squarely at workstation users, the ArtPC is most definitely intended for home use. Its centerpiece is a top-mounted, 360-degree Harman Kardon speaker with ambient lighting — much like HP’s Pavilion Wave, this could sit in your living room just as easily as it could in your den.

Logically, the hardware under the hood is very different as well. About the only thing in common with the Mac is an included 256GB solid-state drive. Instead of a Xeon processor and workstation graphics, you’re getting a 2.7GHz Core i5, 8GB of RAM and entry-level Radeon RX 460 graphics. You won’t be rendering advanced 3D models on this rig, in other words, but it should be enough to play 4K video and indulge in some light gaming. As it is, Samsung is counting on expansion modules to pick up some of the slack. It hasn’t detailed all of them or how they’ll work, but you can get a 1TB hard drive module if you need more space.

The shift in focus leads to a much lower price than Apple’s machine, although the $1,200 you’ll pay isn’t cheap for what you’re getting. You’re most definitely paying a premium for both the design and that speaker. At least you shouldn’t have to wait long to see whether or not the ArtPC is worth your attention. If Amazon is correct, the desktop ships on October 28th.

Via: PCWorld

Source: Amazon