
Posts tagged ‘Apple’

15
Nov

U.S. Government Warns iOS Users About ‘Masque Attack’ Vulnerability


The United States government today issued a bulletin warning iPhone and iPad users about the recent “Masque Attack” vulnerability, a security flaw that first surfaced on Monday of this week, reports Reuters. Masque Attack is a vulnerability that can allow malicious third-party iOS apps to masquerade as legitimate apps via iOS enterprise provision profiles.

Written by the National Cybersecurity and Communications Integration Center and the U.S. Computer Emergency Readiness Team, the bulletin outlines how Masque Attack spreads — luring users to install an untrusted app through a phishing link — and what a malicious app is capable of doing.

An app installed on an iOS device using this technique may:
- Mimic the original app’s login interface to steal the victim’s login credentials.
- Access sensitive data from local data caches.
- Perform background monitoring of the user’s device.
- Gain root privileges to the iOS device.
- Be indistinguishable from a genuine app.

The post also advises iOS users to protect themselves by avoiding apps that have been installed from sources other than the App Store or an organization they’re affiliated with, avoiding tapping “Install” on third-party pop-ups when viewing web pages, and tapping “Don’t Trust” on any iOS app that shows an “Untrusted App Developer Alert.”

Computer security alerts issued by the government are fairly rare, and only 13 have been sent over the course of 2014. Other vulnerabilities that have prompted alerts include Heartbleed and an SSL 3.0 flaw called “Poodle.”

FireEye, the team that discovered Masque Attack, has notified Apple about the vulnerability, but it has not been patched in the recent iOS 8.1.1 beta thus far. It also affects iOS 7.1.1, 7.1.2, 8.0, and 8.1, and as of today, Apple has not yet commented on Masque Attack.

Masque Attack, along with WireLurker, another vulnerability outlined earlier this month, is unlikely to affect the average iOS user so long as Apple’s security features are not bypassed. Masque Attack works by circumventing the iOS App Store to install apps, while WireLurker is similar, infecting machines via third-party software downloaded outside of the Mac App Store.

Both WireLurker and Masque Attack can be avoided by staying away from suspicious apps and avoiding links that prompt users to install apps outside of Apple’s App Stores.



15
Nov

Apple Seeds New Betas of Safari 8.0.1, 7.1.1, and 6.2.1 [Mac Blog]


Apple has released a new Safari 8.0.1 beta for developers running OS X Yosemite, along with a Safari 7.1.1 beta for Mavericks and a Safari 6.2.1 beta for older versions of OS X.

The new Safari builds can be downloaded through the Software Update mechanism in the Mac App Store. Safari 8.0.1 for OS X Yosemite requires OS X 10.10 or 10.10.1, while Safari 7.1.1 for OS X Mavericks requires OS X 10.9.5 and Safari 6.2.1 for OS X Mountain Lion requires OS X 10.8.5.

In the beta notes for Safari 8.0.1, Apple asks developers to focus on features like Extension compatibility, WebGL graphics on Retina displays, Password AutoFill, and more.

Focus Areas
Please focus testing on the following areas:
– General website compatibility
– Extension compatibility
– WebGL graphics on Retina displays
– Password AutoFill when passwords are synchronized across multiple devices
– Syncing history between devices (OS X Yosemite only)
– Importing usernames and passwords from Firefox (OS X Yosemite only)

In addition to a Safari update, Apple is also working on the first OS X Yosemite update, OS X 10.10.1, which asks developers to focus on Wi-Fi, Exchange accounts in Mail, and the Notification Center.



15
Nov

Apple Releases Thunderbolt Display Firmware Update 1.2 [Mac Blog]


Apple today released Thunderbolt Display Firmware Update 1.2, designed for the Thunderbolt Display that was released in 2011. According to the release notes, the update improves reliability when connecting devices to the Apple Thunderbolt Display and addresses a rare issue that may cause the display to go black.

Thunderbolt Display owners can download the update from the Mac App Store.

Thunderbolt Display Firmware updates are fairly rare, with the last firmware update released in December of 2011 to fix an issue with fan noise.



15
Nov

FTC Questioning Apple About Health Data Protection Policies


The United States Federal Trade Commission has met with Apple representatives several times over the past few months to discuss Apple’s privacy practices covering health data collection, reports Reuters. The FTC is reportedly seeking assurance that Apple will prevent health data collected by the Apple Watch and other iOS devices via the Health app from being used without express user consent.

The two people, both familiar with the FTC’s thinking, said Apple representatives have met on multiple occasions with agency officials in recent months, to stress that it will not sell its users’ health data to third-party entities such as marketers or allow third-party developers to do so.

An Apple spokesperson told Reuters that the company “works closely with regulators around the world” to make its built-in data protections clear. “We’ve been very encouraged by their support,” she said, adding that Apple’s new health-focused initiative, HealthKit, had been designed “with privacy in mind.”

While the FTC declined to comment, Reuters does not believe that the government agency will launch a formal inquiry into Apple’s data protection policies, though it is clearly taking a great interest in the Apple Watch, which collects data like heart rate and movement, and HealthKit, which allows Apple’s Health app to aggregate health-related data from various apps and accessories.

Though it hasn’t even hit the market, other government officials have also taken an interest in the Apple Watch. In September, Connecticut Attorney General George Jepsen sent a letter to Apple CEO Tim Cook asking for information on what data Apple plans to collect with the device, how the information will be stored, and what Apple’s policies are for apps that access health information.

Earlier this year, ahead of the Apple Watch’s debut, Apple released new guidelines for HealthKit APIs, which also apply to the Apple Watch. In the document, Apple explains that HealthKit information will not be stored in iCloud and that apps attempting to store health-related data in iCloud will be rejected. It also clearly states that apps will not be able to share data with third parties without express user consent.

In recent months, Apple has attempted to make its privacy policies more transparent, creating a comprehensive new privacy site that details all of its privacy practices. Tim Cook also spoke on privacy in a recent interview, stating that users “have a right to privacy” and that the company “tries not to collect data.” “Our business is based on selling [products],” he said. “Our business is not based on having information about you. You are not our product.”



15
Nov

U.S. Justice Department Accused of Using Fake Cell Towers on Planes to Gather Data From Phones


The United States Justice Department has been using fake communications towers installed in airplanes to acquire cellular phone data for tracking down criminals, reports The Wall Street Journal. The program has reportedly been in place since 2007 and uses Cessna airplanes that operate out of “at least five” metropolitan-area airports.

Aircraft in the program are outfitted with “dirtbox” devices produced by Boeing that are designed to mimic cellular towers, fooling cellphones into reporting “unique registration information” to track down “individuals under investigation.” According to the WSJ, these devices let investigators gather “identifying information and general location” data from thousands of cellular phones in one flight, and Apple’s encryption policies don’t prevent the collection of data.


Cellphones are programmed to connect automatically to the strongest cell tower signal. The device being used by the U.S. Marshals Service identifies itself as having the closest, strongest signal, even though it doesn’t, and forces all the phones that can detect its signal to send in their unique registration information. Even having encryption on one’s phone, such as Apple Co.’s iPhone 6 now includes, doesn’t prevent this process.

The technology is aimed at locating cellphones linked to individuals under investigation by the government, including fugitives and drug dealers, but it collects information on cellphones belonging to people who aren’t criminal suspects, these people said. They said the device determines which phones belong to suspects and “lets go” of the non-suspect phones.

The fake tower devices are able to interrupt calls on “certain phones,” with authorities attempting to minimize harm by ensuring they don’t interrupt emergency calls, and the technology can pinpoint a suspect’s cellphone location down to three meters.

The program is run by the U.S. Marshals Service, and some individuals involved have raised concerns about the legality of the operation and “if there are effective procedures” in place to safeguard the handling of data acquired, as it is said to capture data from thousands of non-criminal individuals as well.

It is not known how often the flights take place as the WSJ’s sources did not divulge that information, but they reportedly “take place on a regular basis.” Justice Department officials did not confirm or deny the existence of the program when questioned, stating that a discussion of the matter could “allow criminal suspects or foreign powers to determine U.S. surveillance capabilities,” but a representative said that Justice Department agencies comply with federal law and seek court approval for their activities.

A Verizon spokesperson said that the company was not aware of such a program and did not participate, while spokespeople from AT&T and Sprint declined to comment.




15
Nov

Apple Responds to ‘Masque Attack’ Vulnerability, Not Aware of Customers Affected by Attack


Just a couple days after the discovery of an iOS vulnerability referred to as Masque Attack because of its ability to emulate and replace existing legitimate apps with malicious ones, Apple has responded in a statement to iMore. 

“We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software,” an Apple spokesperson told iMore. “We’re not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company’s secure website.”

Masque Attack works by luring a user to install an app outside of the iOS App Store by clicking a phishing link in a text message or email. For example, a user could be prompted to download a new app in a text message that says something like “Hey, try out Flappy Bird 2”. A user is then directed to a website where they’re prompted to download the app, which will install the fake app over the legitimate one using iOS enterprise provision profiles, making it virtually undetectable.

Earlier today, the United States government issued a warning about Masque Attack to iOS users. The vulnerability was discovered just a week after reports of malware called WireLurker surfaced. WireLurker is able to attack iOS devices through OS X using a USB cable. Both vulnerabilities are unlikely to affect the average iOS user as long as Apple’s security features are not bypassed.

Both WireLurker and Masque Attack can be avoided by staying away from suspicious apps and avoiding links that prompt users to install apps outside of Apple’s App Stores.



15
Nov

Microsoft Announces New Skype for Web Beta with Future Plugin-Free Safari Support [Mac Blog]


Microsoft today announced a new beta version of Skype for Web that brings a plugin-free version of the service to all modern browsers. Skype for Web beta will be available now to a small number of users, with a broader public rollout planned in the coming months.

Skype for Web relies on Web Real-Time Communication (WebRTC) APIs to provide real-time voice calling, video chat and instant messaging via a web browser. At first, the new beta version will require a small download, but as WebRTC expands, this download requirement will disappear. It is compatible with all modern browsers, including Internet Explorer 10, Chrome, Firefox, and Safari 6.

Skype for Web will be available on Skype.com with invitations being sent out to customers on a rolling basis. Once enabled, users will be able to log in to their online Skype account and start messaging or calling friends with just a few clicks. Though Skype’s new web-based communication tool may be useful for some, Mac users on the go may want to meter their usage as Microsoft documents one known issue of increased battery consumption specific to the Skype for Web beta on Safari.



15
Nov

GT Advanced’s Failure Reveals the High Stakes Risk of Becoming an Apple Supplier


Apple and manufacturer partner GT Advanced parted ways after the sapphire supplier filed for bankruptcy earlier this year. While most Apple supplier relationships are kept secretive, the background story behind the GT-Apple partnership was revealed in a series of court documents filed by GT that were recently made public.

A follow-up report by The Guardian provides an interesting look at how a deal with Apple often can make and sometimes break a supplier. While the report does not introduce any significant new information, it is a good summary of the chain of events and may help some readers get caught up on the story.

In the case of GT, the outcome of its partnership with Apple was not favorable, with the supplier filing for bankruptcy in order to sever the ties between the two companies.

On 9 September Cook showed off the new phones – without sapphire screens. By 10 September GTAT stock was down 25% to $12.78; by Friday 3 October it stood at $11.05. On Monday 6 October, GTAT filed for Chapter 11, and its stock plummeted to $0.80. Trading ceased on 15 October.

Squiller says in the deposition that GTAT put itself into Chapter 11 bankruptcy (which protects a company from its creditors) simply to release itself from the Apple deal – and hence save the company.

The narrative of the relationship by GT paints a bleak picture of Apple and includes allegations of deceptive “bait and switch” business practices on Apple’s part and onerous contract terms that led to production delays. When GT questioned the contract it was about to sign, Apple reportedly confirmed “similar terms are required for other Apple suppliers” and told GT to “put on your big boy pants and accept the agreement.”

In the end, GT failed to produce sapphire in suitable quality and sufficient quantity to meet Apple’s demands. Instead of a success story, GT is an excellent example of what happens when a supplier goes all in with Apple and fails to scale its production technology fast enough.



15
Nov

U.S. Customers Favoring iPhone 6 Over 6 Plus by 3:1 as 91% of Buyers Opt for Latest Models


Following the launch of the iPhone 6 and 6 Plus back in September, a new survey of U.S. customers by Consumer Intelligence Research Partners (CIRP) details the adoption rate of the first thirty days of the devices’ lifespan.

The survey data, shared in a research note published today by UBS analyst Steven Milunovich, indicates that 91 percent of iPhone owners bought either an iPhone 6 or 6 Plus in the first four weeks of launch, rising from 86 percent in the first two weeks. Uptake of the new models also compares favorably to last year’s iPhone launch, which saw 84 percent of customers in the first thirty days opting for the iPhone 5s and 5c.

Most of the increase in share for the new models since the initial launch period has come from the iPhone 6, which saw an increase of six percentage points to 68 percent, while the iPhone 6 Plus remains at around 23-24 percent of purchases, despite both facing high demand during their initial launch.

The 3:1 ratio favoring the iPhone 6 over 6 Plus has come down slightly from early adoption rate data, but as highlighted by Apple’s Greg Joswiak last month, the true balance of customer interest won’t be known until production constraints, which more heavily affect the iPhone 6 Plus, are resolved. The balance will also vary significantly by country, with customers in Asian countries tending to prefer larger screens than those in other countries.

The study by CIRP also measured future intentions on purchasing the iPhone 6 and 6 Plus. Of those asked, over 40 percent were planning to buy an iPhone 6 within the next year. Nineteen percent of Samsung users surveyed also plan to switch over to Apple for their next phone purchases, with over half of those intended purchases favoring the iPhone 6 Plus.

While that marks a significant potential share gain for Apple, recent data has so far shown lower than expected shares of Android customers switching over to the iPhone 6. A more realistic picture will, however, come later as the surge of iPhone early adopters wanes.

When the iPhone 6 and 6 Plus launched in September, they sold over ten million units in their launch weekend, including 4 million first-day pre-orders. The iPhone 6 and 6 Plus also outpaced last year’s nine million units of the iPhone 5s and 5c shipped in their opening weekend, but that figure is widely viewed as somewhat inflated by ample stocks of iPhone 5c units shipping into inventory channels.



15
Nov

Grocery Store Chains Winn-Dixie and BI-LO Begin Accepting Apple Pay


Following in the footsteps of office supply store Staples, Winn-Dixie and BI-LO have become the second and third retail chains this week to begin accepting Apple Pay in their retail locations.

According to a tipster who spoke to MacRumors, Apple Pay will officially be supported at Winn-Dixie beginning on Monday, November 17, but multiple reports on Twitter suggest that both Winn-Dixie and its sister store BI-LO have already begun processing Apple Pay payments.

Winn-Dixie is a major grocery store chain that operates in the southeastern United States, with more than 500 stores in Alabama, Florida, Georgia, Louisiana, and Mississippi. Similarly, BI-LO, a grocery store chain owned by the same parent company, consists of more than 800 stores across Alabama, Florida, Georgia, Louisiana, Mississippi, North Carolina, South Carolina, and Tennessee.

The two grocery store chains will join Meijer, Wegmans, and Whole Foods, becoming the fourth and fifth grocery stores to accept Apple Pay. Unlike Staples, which also recently began accepting Apple Pay, BI-LO and Winn-Dixie were not listed under Apple’s “Coming later this year” banner, making their adoption of Apple Pay somewhat of a surprise. Winn-Dixie did not immediately respond to a request for comment on the addition of Apple Pay in its stores.

With the addition of Winn-Dixie and BI-LO, Apple Pay now has 36 retail partners, including major retailers like Macy’s, Disney, Foot Locker, Petco, Walgreens, and Toys R Us. Apple Pay is also unofficially accepted in many stores that support contactless payments.

Because Apple Pay is still in the early stages of rolling out, there’s little data available on its popularity in retail stores, but Whole Foods processed 150,000 transactions in the 17 days following Apple Pay’s October 20 debut, which equated to approximately one percent of all Whole Foods transactions.