Search This Blog

Showing posts with label iPhone. Show all posts

Apple Blocks Millions of Apps and Restricts User Accounts

In 2021, Apple prevented more than 3.3 Million stolen credit cards from making transactions in the Apple App store, and blocked around 600,000 accounts from making transactions again. The company also mentioned that in 2021 it restricted more than 1.6 Million harmful and malicious applications and application updates from the app store. These risky apps either contained vulnerabilities that affected functioning, or restricted upgrades. 

The numbers, according to Apple, comprised over 8,35,000 problematic new applications, out of which more than 34,000 apps contained undocumented or hidden features; 1,57,000 were mentioned as spam, misleading, or copycat apps; and more than 3,40,000 apps were violating privacy. Besides this, more than 805,000 applications were restricted or blocked from the Apple store, as per the company's App Review Process. The measures meanwhile helped over 107,000 new developers launch applications in the App Store, Apple also blocked over 802,000 fake developer accounts and protected 153,000 developer applications related to scam concerns. 

In accordance with Apple's Developer Code of Conduct, developers have to be correct and truthful when showing themselves and their applications on the App Store. The code emphasizes that app developers will be removed from the Developer Program for engaging in malicious or harmful behaviour repeatedly. Customer accounts were also blocked for participating in scams and manipulating activities: amounting to 170 Million accounts. 

Besides this, more than 118 million account sign-up attempts were rejected due to suspicious potential fraud and manipulative activities. "Apple also says it took action against fraudulent ratings and reviews in the App Store. Out of over 1 billion such entries processed in 2021, more than 94 million reviews and 170 million ratings were blocked from being published. The company also removed an additional 610,000 reviews," reports the Security Week.

Even When Switched Off, iPhones are Vulnerable to Attack

 

The way Apple combines autonomous wireless technology such as Bluetooth, Near Field Communication (NFC), and Ultra-wideband (UWB) in the device, researchers determined that it could be exploited by attackers to target iPhones even when they are turned off. 

Such features—which have access to the iPhone's Secure Element (SE), which stores sensitive information—stay on even when modern iPhones are turned off, as per a team of researchers from Germany's Technical University of Darmstadt. This allows attackers to "load malware onto a Bluetooth chip that is performed when the iPhone is off," according to a research study titled "Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhone."

As per Jiska Classen, Alexander Heinrich, Robert Reith, and Matthias Hollick of the university's Secure Mobile Networking Lab, attackers can gain access to secure information such as a user's credit card data, banking details, or even digital car keys on the device by compromising these wireless features. Researchers noted that while the risk is real, exploiting the circumstance is not that simple for would-be attackers. Threat actors will still need to load malware onto the iPhone when it is turned on for subsequent execution when it is turned off. This would require system-level access or remote code execution (RCE), which they might gain by exploiting known weaknesses like BrakTooth. 

The main cause of the problem is the existing implementation of low power mode (LPM) for wireless chips on iPhones. The experts distinguished between the LPM which these processors employ and the power-saving program that iPhone users can use to save battery life. Because LPM support is built into the iPhone's hardware, it cannot be deleted with system upgrades, and has "a long-term impact on the broader iOS security paradigm," according to the researchers.

Analysts disclosed their findings to Apple before publishing the study, but they claim the company did not respond to the difficulties revealed by their findings. It is recommended that one possible solution would be for Apple to implement "a hardware-based switch to disconnect the battery" so that these wireless parts would not have power while an iPhone is turned off.

Citizen Lab Exposes Cytrox as Vendor Behind 'Predator' iPhone Spyware

 

The University of Toronto's Citizen Lab has found yet another player in the private sector mobile spyware market, citing a small North Macedonian firm called Cytrox as the maker of high-end iPhone implants. 

Citizen Lab worked with Facebook parent company Meta's threat-intelligence team to expose Cytrox and a handful of other PSOAs (private sector offensive actors) in the murky surveillance-for-hire industry. Citizen Lab stated that Cytrox is behind a piece of iPhone spying malware that was put on the phones of two prominent Egyptians, according to a detailed technical analysis published. 

Predator, the malware, was able to infect the most recent iOS version (14.6) utilising single URLs provided via WhatsApp. Exiled Egyptian politician Ayman Nour was spooked by his iPhone overheating, and later discovered evidence of two different spyware applications running on the device, administered by two different government APT actors. 

The Egyptian government, a known Cytrox customer, has been attributed with the attack, according to Citizen Lab. Nour's phone was infected with both Cytrox's Predator and Israeli vendor NSO Group's more well-known Pegasus spyware, according to Citizen Lab. Citizen Lab's exposé detailed Cytrox's background as a startup launched in 2017 by Ivo Malinkovksi, a North Macedonian who later integrated the company with Intellexa and publicly hawked digital forensics tools. The firm claims to be established in the European Union, with R&D labs and sites all over Europe. 

In a separate advisory published by Meta’s security team, Cytrox is listed alongside Cobwebs Technologies, Cognate, Black Cupe, Bluehawk CI, BellTroX and two unknown Chinese entities among a growing roster of private companies in the surveillance-for-hire business. 

These firms handle the reconnaissance, engagement, and exploitation phases of advanced malware campaigns for governments and law enforcement agencies all across the world, including those that target journalists, politicians, and other members of civil society. 

Cytrox was recognised as a company that "develops exploits and sells surveillance tools and viruses that enable its clients to compromise iOS and Android devices," as per Facebook's team. 

Facebook’s security team stated, “[We were] able to find a vast domain infrastructure that we believe Cytrox used to spoof legitimate news entities in the countries of their interest and mimic legitimate URL-shortening and social media service.” 

“They used these domains as part of their phishing and compromise campaigns. Cytrox and its customers took steps to tailor their attacks for particular targets by only infecting people with malware when they passed certain technical checks, including IP address and device type. If the checks failed, people could be redirected to legitimate news or other websites.” 

“Targets of Cytrox and its customers included politicians and journalists around the world, including in Egypt and Armenia.”

NSO Zero-Click iPhone Exploit Termed 'Incredible and Terrifying' by Researchers

 

Google has described how the surveillance firm NSO Group created an exploit that would allow the user of their software to acquire entry to an iPhone and install malware – and all without the victim ever clicking on a link. 

The US Department of Commerce put NSO Group on its "entity list" last month, effectively barring it from US marketplaces given the evidence that it provided spyware to other authorities, which used it to attack government officials, journalists, entrepreneurs, activists, academics, and embassy workers. Apple issued a permanent injunction prohibiting NSO from using any of its software, applications, or equipment in late November. 

Google's Project Zero (GPZ) has now assessed a comparatively new NSO 'zero-click' attack for iOS 14.7.1 and older, calling it "one of the most technically sophisticated exploits we've ever seen". 

The NSO's exploit was regarded as "incredible" and "terrifying" by GPZ's Ian Beer and Samuel Groß. The hack generates a "weird" emulated computing atmosphere within an iOS element that manages GIFs but does not ordinarily allow scripting. Nevertheless, this exploit allows the attacker to execute JavaScript-like code in that component to write to arbitrary memory regions - and therefore remotely hack an iPhone. 

Citizen Lab, a Canadian security firm, revealed the problem to Apple as part of its collaborative investigation with Amnesty International into NSO's Pegasus mobile spyware program, which can be loaded after jailbreaking an iPhone via an exploit. 

This September, Apple fixed the memory corruption flaw in the CoreGraphics component, identified as CVE-2021-30860, in iOS 14.8. 

GPZ's Beer and Groß said it showed "the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation-states". 

 iMessage is the first point of contact for Pegasus on the iPhone. According to the research, this means that a person can be targeted simply by providing their phone number or AppleID username. 

The flaw in iMessage is due to the extra functionalities Apple allowed for GIF pictures. In iOS's ImageIO library, Apple employs a "fake gif" method to make standard GIF images loop indefinitely. This method also introduces over 20 more image codecs, providing attackers with a far bigger surface to attack. 

"NSO uses the "fake gif" trick to target a vulnerability in the CoreGraphics PDF parser," Beer and Groß explain. 

NSO discovered that powerful tool in Apple's usage of the JBIG2 standard for image compression and decompression. Originally, the standard was utilized in outdated Xerox scanners to efficiently convert photos from paper into PDF files only a few kilobytes in size. 

The emulated database design, which relied on the JBIG2 part of Apple's CoreGraphics PDF parser, was one of several clever methods NSO devised. Despite JBIG2's lack of scripting features, they were able to write to arbitrary memory addresses using an emulated computer environment and a scripting language similar to JavaScript. 

"JBIG2 doesn't have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory," explains Beer and Groß. 

"The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It's pretty incredible, and at the same time, pretty terrifying."

Pegasus Spyware Reportedly Hacked iPhones of U.S. State Department & Diplomats

 

An unidentified party used NSO Group's Pegasus spyware to attack the Apple iPhones of at least nine US State Department officials, as per a report published Friday by Reuters. 

After receiving a query about the incident, NSO Group indicated in an email to The Register that it had barred an unnamed customer's access to its system, but it has yet to determine whether its software was engaged. 

An NSO spokesperson told The Register in an email, "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations." 

"To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case." 

The Israel-based firm, which was recently sanctioned by the US for reportedly selling intrusion software to repressive regimes and is being sued by Apple and Meta's (Facebook's) WhatsApp for allegedly assisting the hacking of their customers, says it will work cooperatively with any relevant government authority and share what it learns from its investigation. 

NSO's spokesperson stated, “To clarify, the installation of our software by the customer occurs via phone numbers. As stated before, NSO’s technologies are blocked from working on US (+1) numbers. Once the software is sold to the licensed customer, NSO has no way to know who the targets of the customers are, as such, we were not and could not have been aware of this case." 

According to Reuters, the impacted State Department officials were situated in Uganda or were focused on Ugandan issues, therefore their phone numbers had a foreign nation prefix rather than a US prefix. When Apple launched its complaint against the NSO Group on November 23rd, the iPhone maker also stated that it will tell iPhone customers who have been the target of state-sponsored hacking. On the same day, Norbert Mao, a communist, was assassinated. On the same day, Norbert Mao, a lawyer and the President of Uganda's Democratic Party, tweeted that he'd gotten an Apple threat notification. 

According to the Washington Post, NSO's Pegasus software was involved in the attempted or accomplished hacking of 37 phones linked to journalists and rights activists, including two women connected to Saudi journalist Jamal Khashoggi. The findings contradicted NSO Group's claims that their software was only licenced for battling terrorists and law enforcement, according to the report. 

The NSO Group released its 2021 Transparency and Responsibility Report [PDF] the same month, insisting that its software is only used against groups with few sympathisers, such as terrorists, criminals, and pedophiles. 

Several reports from cybersecurity research and human rights organisations, not to mention UN, EU, and US claims about the firm, have disputed that assertion. The US State Department refused The Register's request for confirmation of the Reuters claim but said the agency takes its obligation to protect its data seriously. They were also told that the Biden-Harris administration is seeking to limit the use of repressive digital tools.

Apple Fixes Critical iOS Flaws; One Under Attack

 

Researchers discovered one significant flaw that could be exploited from the browser, allowing watering-hole assaults. 

On October 25 and 26, Apple released iOS 14.8.1, iPadOS 14.8.1, watchOS 8.1, and tvOS 15.1, fixing 24 CVEs overall. The CVEs are detailed on Apple's security website, and they include various problems in iOS components that, if abused, may result in arbitrary code execution, sometimes with kernel privileges that would allow an intruder to reach the core of the operating system.

In one incident of a memory-corruption issue in IOMobileFrameBuffer for Apple TV, Apple stated that it is "aware of a report that this problem may have been actively exploited ", a "maybe" that researchers substantiated. 

This one is especially concerning because researchers have previously discovered that the issue is exploitable via the browser, making it "ideal for one-click & waterholing mobile attacks," as per the mobile security firm ZecOps earlier this month. 

A watering-hole attack occurs when a threat actor places malware on websites that may attract a target in the hopes that someone may ultimately drop in and become infected. Justifiably, Apple keeps information confidential that may aid further attackers to create damage and attack. This flaw might allow an application to run arbitrary code with kernel privileges. 

Apple stated earlier this year that it would give users a choice: they could either update to iOS 15 as soon as it was available, or they could stay on iOS 14 and get essential security updates until they were ready to upgrade. 

In context with the reason behind the prompt decision, there have been speculations that it had something to do with an "urban mythology" about Apple deliberately slowing down older phones to entice consumers to upgrade. 

Maybe it's simply a popular conspiracy idea, but it's based on legal comeuppance, at least in terms of battery life: In 2017, Apple admitted to slowing down phones in order to prevent outdated batteries from abruptly shutting down devices. In November of last year, the corporation was fined $113 million to resolve an investigation into what was known as iPhone “batterygate.”

Researchers Make Contactless Visa Payment Using iphone Flaw

 

Cybersecurity experts in a video showed how to make a contactless Visa payment of €1,000 from a locked iphone. These unauthorised payments can be made while the iPhone is locked, it is done via exploiting an Apple Pay feature built to assist users transaction easily at ticket barriers payments with Visa. 

Apple responded by saying the problem is concerned with a Visa system. However, Visa says that its payments are safe and the such attacks lie outside of its lab and are impractical. Experts believe that the problem exists in the Visa cards setup in 'Express Transit' mode in iPhone wallet. 

It is a feature (express transit) which allows users to make fast contactless payments without unlocking their phone. However, the feature turned out to be a drawback with Visa system, as experts found a way to launch an attack. While scientists demonstrated the attack, the money debited was from their personal accounts. 

How does the attack look? 

  • A small radio is placed beside the iPhone, the device thinks of it as a legit ticket barrier. 
  • Meanwhile an android phone runs an application to relay signals (developed by experts) from the iPhone to a contactless transaction platform, it could be in a shop or a place that is controlled by the criminal. 
  • As the iPhone thinks the payment is being done to a ticket barrier, it doesn't unlock. 
However, the iPhone's contact with the transaction platform is altered to make it think that the iPhone has been unlocked and an authorized payment is done which allows high value payments, without the need of fingerprint, PIN, or Face Id verification. 

The experts while demonstrating in a video did a €1,000 Visa transaction without unlocking the iPhone, or authorizing the payment. According to experts, the payment terminals and android phones used here don't need to near the targeted iPhone. 

As of now, the demonstration has only been done by experts in the lab and no reports of the feature exploit in the wild have been reported. "The researchers also tested Samsung Pay, but found it could not be exploited in this way.They also tested Mastercard but found that the way its security works prevented the attack. 

Co-author Dr Ioana Boureanu, from the University of Surrey, said this showed systems could be "both usable and secure". The research is due to be presented at the 2022 IEEE Symposium on Security and Privacy," reports BBC.

Security Issues in Visa and Apple Payment Could Result in Fraudulent Contactless Payments

 

Researchers warn that an attacker who steals a locked iPhone can use a saved Visa card to conduct contactless payments worth thousands of dollars without having to unlock the phone. According to an academic team from the Universities of Birmingham and Surrey, backed by the UK's National Cyber Security Centre (NCSC), the problem is caused by unpatched vulnerabilities in both the Apple Pay and Visa systems. Visa, on the other hand, claims that Apple Pay transactions are safe and that any real-world assaults would be impossible to execute. 

Any iPhone with a Visa card set up in "Express Transit" mode can make fraudulent tap-and-go payments at card readers, according to the team. Commuters all around the world, including those on the New York City subway, the Chicago El, and the London Underground, may tap their phones on a reader to pay their fares without having to unlock their devices. 

The problem, which exclusively affects Apple Pay and Visa, is created, according to the researchers, by the usage of a unique code, dubbed "magic bytes," that is broadcast by transit gates and turnstiles to open Apple Pay. They were able to undertake a relay attack using ordinary radio equipment, deceiving an iPhone into thinking it was talking to a transit gate, according to the team. 

 “An attacker only needs a stolen, powered-on iPhone,” according to a writeup published this week. “The transactions could also be relayed from an iPhone inside someone’s bag, without their knowledge. The attacker needs no assistance from the merchant.” 

The researchers demonstrated a £1,000 payment being delivered from a locked iPhone to a normal, non-transit Europay, Mastercard, and Visa (EMV) credit-card reader in a proof-of-concept video. Visa said in a statement that Visa cards linked to Apple Pay Express Transit are safe to use and that cardholders should continue to do so. Contactless fraud methods have been investigated in the lab for over a decade and have proven to be impracticable to implement on a large scale in the real world. They also said that it takes all security concerns seriously and is always working to improve payment security across the ecosystem. 

“Logically, it’s an interesting advancement of tapping a contactless card machine against someone’s wallet/purse in their back pocket on the subway/metro,” Ken Munro, a researcher with Pen Test Partners, said. “However, I’m more concerned about the threat of fraud with a stolen phone. In the past, the PIN would have prevented fraud from a stolen phone. Now, there’s a valid attack method that makes theft of a phone with Express Transit enabled really quite valuable.”

New Zero-Click iMessage Exploit Used to Deploy Pegasus Spyware

 

Citizen Lab's digital threat researchers have discovered a new zero-click iMessage exploit that was exploited to install NSO Group's Pegasus spyware on Bahraini activists' smartphones. In total, nine Bahraini activists (including members of the Bahrain Center for Human Rights, Waad, and Al Wefaq) had their iPhones hacked in a campaign conducted by a Pegasus operator linked to the Bahraini government with high confidence, according to Citizen Lab. 

After being compromised using two zero-click iMessage exploits (that do not involve user participation), the spyware was installed on their devices: the 2020 KISMET exploit and a new never-before-seen exploit named FORCEDENTRY. 

In February 2021, Citizen Lab first noticed NSO Group deploying the new zero-click FORCEDENTRY iMessage attack, which bypasses Apple's BlastDoor protection. BlastDoor, a structural change in iOS 14 aimed to stop message-based, zero-click attacks like this, had just been released the month before. BlastDoor was designed to prevent Pegasus attacks by operating as a "tightly sandboxed" service responsible for "almost all" of the parsing of untrusted data in iMessages, according to Samuel Groß of Google Project Zero.

“We saw the FORCEDENTRY exploit successfully deployed against iOS versions 14.4 and 14.6 as a zero-day,” Citizen Lab said. “With the consent of targets, we shared these crash logs and some additional phone logs relating to KISMET and FORCEDENTRY with Apple, Inc., which confirmed they were investigating.” 

Attacks like the ones revealed by Citizen Lab, according to Ivan Krstić, head of Apple Security Engineering and Architecture, are highly targeted and hence nothing to worry about for most people, at least. Such attacks are "very complex, cost millions of dollars to design, often have a short shelf life, and are used to target specific individuals," according to Krstić. 

In addition to Apple's iMessage, NSO Group has a history of using other messaging apps, such as WhatsApp, to spread malware. Nonetheless, Citizen Lab believes that disabling iMessage and FaceTime in this circumstance, with these specific threats, may have blocked the threat actors. Researchers emphasized that disabling iMessage and FaceTime would not provide total security from zero-click assaults or adware.

NSO Group stated in a statement to Bloomberg that it hasn't read the report yet, but it has concerns about Citizen Lab's techniques and motivations. According to the company's statement, "If NSO gets reliable evidence relating to the system's misuse, the company will thoroughly investigate the claims and act accordingly."

Apple’s iPhone is the Easiest to Snoop on Using the Pegasus, Says Amnesty

 

NSO Group, an Israeli cyber intelligence firm, developed Pegasus spyware as a surveillance tool. As claimed by the corporation, this firm is known for developing advanced software and technology for selling primarily to law enforcement and intelligence agencies of approved nations with the sole objective of saving lives by preventing crime and terror activities. Pegasus is one such software designed to get unauthorized access to your phone, gather personal and sensitive data, and transfer it to the user who is spying on you. 

Pegasus spyware, according to Kaspersky, can read SMS messages and emails, listen to phone calls, take screenshots, record keystrokes, and access contacts and browser history. A hacker may commandeer the phone's microphone and camera, turning it into a real-time monitoring device, according to another claim. It's also worth mentioning that Pegasus is a complex and expensive spyware meant to spy on specific individuals, so the typical user is unlikely to come across it. 

Pegasus malware snooped on journalists, activists, and certain government officials, and Apple, the tech giant that emphasizes user privacy, was a victim of the attack. Indeed, according to Amnesty's assessment, Apple's iPhone is the easiest to snoop on with Pegasus software. According to the leaked database, iPhones running iOS 14.6 feature a zero-click iMessage exploit, which could have been used to install Pegasus software on the targeted entities' iPhones. The Cupertino behemoth has issued a statement condemning the assault. 

Apple’s Head of Security Engineering and Architecture, Ivan Krsti, in a statement said, "Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data." 

Citizen Labs had already uncovered this flaw. Zero-click attacks are practically invisible and run in the background because they do not require the user's involvement. In iOS 14, Apple included the Blastdoor framework to make zero-click attacks more difficult, although it does not appear to be operating as planned.

This iPhone Bug Exists Even After Network Settings Reset

 

Two weeks after the iphone wifi bug was found, the same cybersecurity analyst Carl Schou discovered a similar different case. The expert in a tweet said that if an iPhone comes within a wifi network range called ‘%secretclub%power,' then the connected iphone wouldn't be able to use wifi or any other features related to it. The bug exists even if the user resets network settings, says Schou. 

9TO5Mac reports "Obviously, this is such an obscure chain of events that it is highly unlikely that any person accidentally falls into this unless a load of Wi-Fi pranksters suddenly pop up in the wild with open Wi-Fi networks using the poisoned name. Until Apple fixes this edge case in a future OS update, just keep an eye out for any Wi-Fi networks with percent symbols in their name." The only solution to fix the bug would be a factory reset of the iphone. 

However, the experts advise not to do it as it is not tested. The earlier problem was related to iPhones facing a network name with the SSiD “%p%s%s%s%s%n," however, the issue could be fixed by simply resetting the iphone in the network settings option. But the new problem has more threat as it can affect any device which comes into the range of the infected public wifi named 'secretclub%power.' However, it is clear that both the bugs are somewhat related as ‘%secretclub%power’ and ‘%p%s%s%s%s%n' exploit string format code vulnerability which lies somewhere in the iOS network stack. Schou tweeted "You can permanently disable any iOS device's WiFI by hosting a public WiFi named %secretclub%power. Resetting network settings is not guaranteed to restore functionality." 

As of now, it is clear that there exist many variants of network name bugs that use ‘%s’, ‘%p’, and ‘%n’ character sequences. From the user's perspective, the best way to stay safe from the bug is to avoid connecting your device to wifi networks that contain '%' symbols in their names. iOS users can only wait for the next update when Apple will fix the OS bug. "Here’s a funny bug: a security researcher has found that a carefully crafted network name causes a bug in the networking stack of iOS and can completely disable your iPhone’s ability to connect to Wi-Fi," reported 9TO5Mac previously.

Apple Covered a Mass Hack on 128 Million iPhone Users in 2015

 

Apple and Epic are now embroiled in a legal dispute, and as a result, some shocking material has surfaced on the internet. Epic recently demonstrated Apple's desire to conquer the industry by deciding not to unleash the iMessage platform on Android. Now, according to a recent email filed in court, Apple decided not to alert 128 million iPhone users of its first-ever mass hack. This was back in 2015 when the iPhone 6s series was first introduced. 

The massive hack was first discovered when researchers discovered 40 malicious App Store applications, which quickly grew to 4,000 as more researchers looked into it. The apps included malware that turned iPhones and iPads into botnets that stole potentially sensitive user data. 

According to an email filed in court last week in Epic Games' litigation against Apple, Apple managers discovered 2,500 malicious apps on September 21, 2015, that had been downloaded a total of 203 million times by 128 million users, 18 million of whom were in the United States. 

“Joz, Tom, and Christine—due to the large number of customers potentially affected, do we want to send an email to all of them?” App Store VP Matthew Fischer wrote, talking to Apple's Greg Joswiak, senior vice president of worldwide communications, and Tom Neumayr and Christine Monaghan, who work in public relations. 

The email continued: "If yes, Dale Bagwell from our Customer Experience team will be on point to manage this on our side. Note that this will pose some challenges in terms of language localizations of the email, since the downloads of these apps took place in a wide variety of App Store storefronts around the world (e.g. we wouldn’t want to send an English-language email to a customer who downloaded one or more of these apps from the Brazil App Store, where Brazilian Portuguese would be the more appropriate language)." 

Bagwell talks about the complexities of notifying all 128 million impacted customers, localizing updates to each user's language, and "accurately including the names of the applications for each client" about 10 hours later. 

Unfortunately, it seems that Apple never carried out its plans. There was no indication that such an email was ever sent, according to an Apple spokesperson. Apple instead released only this now-deleted article, according to statements the representative submitted on background—meaning I'm not allowed to quote them.

An Award-Winning iPhone Hack Used by China to Spy on Uyghur Muslims

 

According to a recent article, the Chinese government used an award-winning iPhone hack first uncovered three years ago at a Beijing hacking competition to spy on the phones of Uyghur Muslims. The government was able to successfully tap into the phones of Uyghur Muslims in 2018 using a sophisticated tool, according to a study published Thursday by MIT Technology Review. 

For years, the US government and other major technology firms have recognized that China has been waging a violent campaign against ethnic minorities using social media, phones, and other technologies. The movement also attacked journalists and imitated Uyghur news organizations. 

According to MIT Technology Review report the hacking vulnerability was discovered during the Beijing competition. The Tianfu Cup hacking competition began in November 2018 in China as a way for Chinese hackers to discover vulnerabilities in popular tech software. According to the paper, the competition was modeled after an international festival called Pwn2Own, which attracts hackers from all over the world to show technical bugs so that marketers can discover and patch defects throughout their goods. 

However, China's Tianfu Cup was designed to enable Chinese hackers to show those vulnerabilities without exposing them to the rest of the world. According to the paper, this will enable the Chinese government to use those hacking methods found at the event for their own purposes. 

The very first event took place in November of 2018; Qixun Zhao, a researcher at Qihoo 360, won the top prize of $200,000 for demonstrating a remarkable chain of exploits that helped him to easily and reliably take control of even the newest and most up-to-date iPhones. He discovered a flaw in the kernel of the iPhone's operating system, originating from inside the Safari web browser. 

What's the end result? Any iPhone that accessed a web page containing Qixun's malicious code might be taken over by a remote intruder. It's the type of hack that could be traded on the black market for millions of dollars, allowing hackers or governments to spy on huge groups of people. It was given the name "Chaos" by Qixun. 

Apple patched it two months later, but an analysis revealed that it had been used by the Chinese government to hack Uyghur Muslims' iPhones in the interim. After US surveillance found it and confirmed it to Apple, the company released a low-key press release acknowledging it, but the full scale of it wasn't understood until now.

A Bug in iPhone Call Recording App Exposed Clients Data

 

A security vulnerability in a famous iPhone call recording application exposed thousands of users' recorded conversations. The flaw was found by Anand Prakash, a security researcher and founder of PingSafe AI, who tracked down that the aptly named Automatic Call Recorder application permitted anybody to access the call recordings from different clients — by knowing their phone number. 
 This application can track and record calls without an internet connection and can alter the voices of recordings, upload them to Dropbox, Google Drive, or One Drive, and also can translate in up to 50 dialects. All the client information gets stored in the company’s cloud storage on Amazon web services. This cloud storage has somewhere around 130,000 audio recordings that make up almost 300 GB. 

 Security circumstances like this are disastrous. Alongside affecting client's security, these issues likewise debilitate the organization's image and give an additional benefit to the contenders, said Anand Prakash. “This wasn’t just a violation of data privacy but also affected the users physically and at cyber risk, if their recorded conversations carry sensitive personal information. App makers that go wrong in investing in their cybersecurity must accept that the fines they could face for non-compliance with data privacy laws are extremely expensive – not to mention the cost of losing their customers' trust” he added. 

The bug was detected by Anand Prakash on the 27th of the last month when he was able to modify the web traffic and supplant the enlisted telephone number with someone else's number utilizing a proxy site called Burp, which gave him admittance to that person's call records and details. Fortunately, the bug was fixed by Saturday, March 6th, and the glitch-free version was launched in the Apple App Store. 

The call recorder clients were advised to uninstall the previous variant and download the latest rendition that is 2.26 or newer which is accessible on the Apple App Store. The paid variant is $6.99 for 7 days; additionally, they allow a three-day trial period. Their most basic monthly membership costs $14.99, with a 12 months advance, and has a few other options as well.

Apple Deliberately Restricts Old Versioned iPhones' Performance; Gets Fined!



Apple, the technology giant famously known for its partially eaten logo among other things, was recently fined by France’s authority that regulates competition in the country, mentioned sources.

This apparently isn’t the first time that Apple has been fined by governmental authorities but it hasn’t mattered to the multi-million organization much before because of its money replenishing power.

Per reports, the reason behind this charging happens to be Apple’s voluntarily keeping the fact from its users that the software updates it released in 2017 could limit the functioning of the older versions of iPhones.

According to sources, Apple never updated its users that the time-worn batteries of the older iPhones, namely, iPhone 7, iPhone 6, iPhone SE and such wouldn’t be able to manage the increased battery usages.

The Directorate-General for Competition, Consumption and the Suppression of Fraud (DGCCSF) is the aforementioned body that in one of its reports elaborated upon how Apple’s software updates hindered the proper performing of older models of iPhones and how the company never realized their duty to enlighten the users about it.

The updates in question basically curbed the performance levels of iPhones to thwart excessive energy consumption of older versions of the phones, eventually trying to ward off a total crashing down of the devices.

The users could go back to older software versions or replace the battery and their iPhones could have a chance at working like they formerly did. The issue is a good initiative and has a solution but how are the people to know about this and act accordingly, if they aren’t duly apprised by Apple?

And what’s more, Apple restricted the users from returning to their previous software types, meaning the users couldn’t do much about the situation anyway!

Sources mentioned that Apple agreed to pay the fine of around $27.4 million for purposely limiting the performance of older iPhones and not alerting the users about it.

There was quite a hullabaloo outside of France as well regarding the same issue including lawsuits that got Apple to publicly apologize and offer free battery exchanges for affected devices.

As per sources, an Italian agency too had fined Apple and Samsung for not conspicuously informing the users on how to replace batteries.

But, $27.4 is next to nothing for a gigantic tech name like Apple. It would, with no apparent trouble, stock back the amount of money in just 2roper to 3 hours!

Google Maps…Creepy or Useful?



Whether Android or iPhone there is no denying that Google is there for all of us, keeping a track log of our data in a "Timeline" that unequivocally shows wherever we've been, which while in some cases is amazingly valuable and helpful yet for the rest it’s downright creepy.

The creepy degree of details range from like precisely the time at which the user left for home, arrival at home, the exact route taken along the way, pictures taken in specific locations and then some.

It'll show them if they were driving, strolling or on a train, and any pit stops they may have made during their journey. Like here is an example including a user's stop for lunch, and a meeting they took with Snapchat on the Upper West side earlier in the day.



Zoomed in, one can see the exact course taken to arrive and where the car was parked.


And hence there's no reason as to why Google has to know this much information about any user, except if they truly care about things like Google's recommendations based on where they've been.

So there are a couple of ways the user can recover their privacy. First, here’s how the user can delete everything Google Maps currently knows about them:

  • Open Google Maps on your iPhone or Android phone.
  • Tap your profile picture on the top-right. 
  • Choose “Your data in Maps.” 
  • Choose “See & Delete activity.” 
  • Hit the menu button on the top-right of the page and select “Settings.” 
  • Choose “Delete all location history.” 


 And here’s how the user can set it up so Google automatically deletes all this location data every three months:

  • Open Google Maps on iPhone or Android. 
  • Tap the menu bar on the top-left of the app. 
  • Choose “Your Timeline.” 
  • Tap the three dots on the top-right of the screen. 
  • Choose “Settings and privacy.” 
  • Select “Automatically delete location history.” 
  • Change the setting from “Keep until I delete manually” to “Keep for 18 months” or “Keep for 3 months.” 


 Or, if the user doesn’t mind Google tracking them day to day but just want to stop it for a little while, they can simply turn on Incognito mode in Maps by doing this:


  • Open Maps on your iPhone or Android phone. 
  • Tap your profile picture on the top-right. 
  • Choose “Turn on Incognito mode.”



iPhone 5 users may lose access to internet services



Users who are still using iPhone 5 are advised to update their device software by the end of this weekend. If not, users can lose their internet access. The users are being pushed to update their former iOS gadgets. Many of them have got the popups on iPhone 5. However, software update notifications on iPad 4 have not appeared yet. The issue with this is that those devices are jailbroken. The main problem is that these devices are now outdated.


"People who are unable to install iOS 10.3.4 updates by 3 November can be deprived of features that depend on the right time and date," says Apple. This covers Apple's iStore, email, online surfing, and iCloud. While iOS 10.3.4 may not be the newest variant of the iOS system, it is the most up-to-date available for the model. Users of former iPhones are also notified to revive their system software if they want to have precise GPS tracking services.

How can iPhone 5 users update their devices?

The users have been getting pop-up notes recently, prompting them to replace it with the newest iOS update. The software updates can be installed either wirelessly or by using a computer before November 3. Following November 3, the users would have to attach their iPhone 5 to a Mac or computer as the wireless updates option will no longer function. The company also says that "the users of the iPhone 5 should check if their devices are running on software version 10.3.4."

Other Apple models that are concerned- 

"Users of the iPhone 4S and some earlier variants of the iPad should update to the newest software for the proper working of the GPS location services." says the technology giant. Users of first-generation iPad mini, 4th generation iPad, and other earlier models are also covered in the list. Fortunately, users of the newer models are not concerned with this. Devices that run on wifi only are also safe. "iPhone 5 was a huge success story when it was first launched in 2012. Around 2 million devices were pre-ordered inside the 24 hrs of the launch. It was also the first phone to have a lightning charger. To date, around 70 million phones have been sold," says Apple.

iPhone hacking sites were also after Android, Windows users


Those hackers Google’s researchers sussed out earlier this week apparently went after more than just iPhone users. Microsoft’s operating system along with Google’s own were also targeted, according to Forbes, in what some reports are calling a possibly state-backed effort to spy on the Uighur ethnic group in China.

Google’s Threat Analysis Group was the first to discover the scheme earlier this year (news of the campaign was first disclosed Thursday). It involved a small group of websites aiming to infect visitors’ devices to gain access to their private information, including live location data and encrypted information on apps like on WhatsApp, iMessage, and Telegram. These websites were up for two years, during which thousands of visitors purportedly accessed them each week.

In February, Google notified Apple of 14 vulnerabilities the site’s malware exploited, which the company fixed within days with iOS 12.1.4. Apple disclosed in that update that the flaws, referred to as “memory corruption” issues, were fixed with “improved input validation.” The company hasn’t publicly addressed Google’s account of the hack since the news broke earlier this week.

While the Google team only reported iPhone users being targeted by this attack, sources familiar with the matter told Forbes that devices using Google and Microsoft operating systems were also targeted by these same sites. Thus widening the potential scale of an already unprecedented attack.

Whether Google found or shared evidence of this is unclear, as is whether the attackers used the same method of attack as they did with iPhone users, which involved attempting to sneak malicious code onto users’ phones upon their visit to the infected websites. When asked about these reported developments, a Google spokesperson said the company had no new information to disclose. We also reached out to Microsoft and will update this article with their statements.

iPhone contacts app vulnerable to hack attack, says security firm


Apple has never shied away from boasting about how secure its systems are, but researchers have found that contacts saved on iPhones are vulnerable to an SQLite hack attack which could infect the devices with malware.

SQLite - the most widespread database engine in the world - is available in every operating system (OS), desktop and mobile phone. Windows 10, macOS, iOS, Chrome, Safari, Firefox and Android are popular users of SQLite.

Security firm Check Point has demonstrated a technique being used to manipulate Apple's iOS Contacts app. Searching the Contacts app under these circumstances triggers the device to run malicious codes, Apple Insider reported on Saturday.

The vulnerability has been identified in the industry-standard SQLite database.

Documented in a 4,000-word report, the company's hack involved replacing one part of Apple's Contacts app and while apps and any executable code has to go through Apple's startup checks, an SQLite database is not executable.

"Persistence (keeping the code on the device after a restart) is hard to achieve on iOS as all executable files must be signed as part of Apple's Secure Boot. Luckily for us, SQLite databases are not signed," the report quoted the Check Point researchers as saying.

As of now, Apple has not commented on Check Point's report.

These legit looking iPhone cables allow hackers to take charge of your computer

When they said you should be wary of third-party accessories and unbranded cables for charging your smartphone, they were serious. And the latest example of what a cable that isn’t original can do, should be enough to scare you. There is apparently a Lightning Cable that looks just as harmless as an iPhone cable should. But it has a nasty trick up its sleeve, which allows a hacker to take control of your computer, the moment you plug this in to the USB port. This cable has been dubbed the OMGCable.

A security researcher with the Twitter handle @_MG_ took a typical USB to Lightning cable and added a Wi-Fi implant to it. The moment this gets plugged into the USB port on a PC, a hacker sitting nearby with access to the Wi-Fi module hidden inside the cable can run a malicious code and take charge of a PC or remotely access data without the user even noticing.

“This specific Lightning cable allows for cross-platform attack payloads, and the implant I have created is easily adapted to other USB cable types. Apple just happens to be the most difficult to implant, so it was a good proof of capabilities,” said MG, as reported by the TechCrunch website.

The thing with phone charging cables is that no one really gives them a second look. You see one, you plug it in and you let it be. At the same time, a lot of users are wary about using USB drives, also known as pen drives or thumb drives, because they are popular as carriers of malware and viruses that can pretty much ruin your PC.