Showing posts with label SECURITY. Show all posts

A recent article from TechCrunch reported that various apps in the iOS App Store secretly recording users’ screen without their permissions, includes popular apps like Abercrombie & Fitch, Hotels.com, Expedia, and more, it uses the “session replay" screen recording feature called Glassbox, that allows developers screenshot or record or a user's screen, and have the ability to play back those recordings.



However, Apple is now urging developers that are using session replay must extract the code as soon as possible. In an email provided to TechCrunch, Apple states that they will take action if necessary to remove these apps from the App Store. "We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary", says the company.
"Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity."

"We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary," the spokesperson added.
In addition, Apple is also demanding developers that record the screen need to have a little red icon on the top left the corner of the phone, similar to how Apple's native Screen Recording feature works - by showing a red bar on the top of the display that notifies you the screen is being recorded.

Image Via MacStories

Apple has brought a new USB restriction mode in iOS 12 will make it harder for law enforcement agencies to crack the iPhone. Reuters reported that Apple has admitted that it will bring these new features, but is aimed at users, not law enforcement agencies.


“We’re constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves and intrusions into their personal data,” Apple said in a prepared statement. “We have the greatest respect for law enforcement, and we don’t design our security improvements to frustrate their efforts to do their jobs.”

An Apple spokesperson explained in a statement that Apple has been seeking ways to improve the security of Apple devices.  Although Apple claims that this move is preventing individual users from cracking the iPhone, it is clear that its true intention is to prevent law enforcement agencies from using cracking methods.

Here is how the new USB restriction mode works: if an iPhone hasn't been unlocked in the past hour, then the iPhone needs to be connected to the computer via USB to unlock by a password. In other words, police forces have only one hour to use tools such as Cellebrite or GrayKey to crack an iPhone with iOS 12 installed on it.

Image Via 9to5Mac

Apple launched a new "Data & Privacy" website today, where users can download all data associated with Apple ID. These data including purchase history, app usage history, calendars, reminders, photos, documents stored in iCloud, Apple Music and Game Center data, and AppleCare support history.

Unfortunately, only Apple IDs registered in European Union, Iceland, Liechtenstein, Norway, as well as Switzerland. However, Apple says it will roll out the service worldwide "in the coming months". Additionally, you can request data corrections, deactivate or delete your own account as well.


The new website is designed to response to the new GDPR regulation that goes into effect at the end of the month. Because of Apple’s strong stance on privacy, the data stored in Apple severs shouldn't take plenty of time to download.

Thoughts?

Top Apple News Today:

TeenSafe Leaks Thousands of Apple IDs Info: As reported by ZDNet, TeenSafe, an app that allow parents to monitor their teenagers' phone activity has suffered data breach, it leaked tens of thousands of login credentials, including the Apple IDs of children, and at least 10,200 records affected by it.

The data was hosted on Amazon servers as it remained unprotected and accessible without a password. But now, the servers have been temporarily pulled offline, and the company's representative stated that the company has begun to send out additional info to users, and will be provide further details in the future.


Apple Updates Clips App Ahead World Cup: Ahead of the upcoming 2018 FIFA World Cup that will kick off in Russia on June 14th, Apple has updated its Clips app with new soccer graphics that can be added to videos, it includes a new football tag and soccer-related background poster that contains customizable text elements as well.

Apple Shares New Animoji Karaoke Ad: Apple recently shared a brand new Animoji karaoke ad on its Korean YouTube channel, and promoted the iPhone X's Animoji feature with the new single “Citizen Kane”, sung by Hyukoh, an independent band that is very popular in Korea, yet comes ahead of the planned release on May 31.

Apple Loses Netflix Over Obama's Production Deal: The New York Times reported that former US President Barack Obama have signed a production deal with Netflix, which will see two productions of TV shows and movies. On the other hand, Apple has interested in the deal, but apparently, they have lose the chance.

As we getting close to the public release of iOS 11.4, more and more reports have discovered some hidden features. And now, according to security blog Elcomsoft, the update introduces a USB Restricted Mode which contains a security protocol on access to the Lightning port on your iOS devices.


Specifically, once you update the devices to iOS 11.4, there will be a week-long expiration date on access to the Lightning port on your iOS devices if your phone hasn't been unlocked, in other words, if it hasn't been unlocked or connected to a paired Mac or PCs in the last 7 days using a passcode, the Lightning port is useless for data access and limited to charging. Apple's description of the change:

To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via Lightning connector to the device while unlocked - or enter your device passcode while connected - at least once a week." 

Apple's intention to introduce the feature clearly towards to digital forensics specialists like Grayshift, who can break into a device, at least using any simple techniques. However, it's important to note that such method won't prevent tools like the GrayKey box from being used on an iPhone, but it sure helps when they face long passcodes.

Originally, Apple plans to include the security change in iOS 11.3, later on, the company decided to change mind, so it's possible they may still work after iOS 11.4 is released, or may not. Anyway, setting up an alphanumeric passcode and mixed with numbers, uppercase/lower letters should be able to largely improve the privacy.

Image By Indabaa.com

According to Kromtech Security Center as they discovered that MongoDB's database for collecting ai.type Keyboard user data was misconfigured, and was available on the internet. Contained in the database is reportedly "data and details of 31,293,959 users" of the ai.type keyboard.

The database included the personal details of 31,293,959 users who installed ai.type virtual keyboard.  Highly sensitive and identifiable information such as: Phone number, full name of the owner, device name and model, mobile network name, SMS number, links and the information associated with the social media profiles, photos, and much more!


To making the situation even worse, it appears 6.4 million records contained a gleaned from a user's Contacts, including names and phone numbers, leading to a total of 373 million records in the publicly available database. Other information in the database includes average messages per day, words per message, and ages of users.

Theoretically, it is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online. This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user. It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices.

When user installed ai.type, the app will then asks for "Full Access." If permission is granted, the add-on keyboard can transmit absolutely anything typed through the keyboard to the developer. However, the company claims that it will never use personal information it collects, although they tells a different story about the data contained in the database - but doesn't deny that a database was available publicly for a period of time.

Founder Eitan Fitusi told BBC that the stolen information was a "secondary database." Additionally, he claims that the IMEI information was never collected by the company, user data collected only involves what ads are clicked by the user, and that the location data wasn't accurate. The Chief Executive claims that the database been secured since the breach.

Via AppleInsider, Image Credit 9to5Google

According to Motherboard, developer Felix Krause this week has detailed a proof-of-concept project, that was focused on the iPhone's cameras. Krause warned that any time you grant an app permission to access your iPhone's front and back cameras, the app can secretly take pictures and videos of you as long as it's running in the foreground.

Krause's camera privacy project isn't about disclosing a new iOS bug, but more about warning users that this kind of privacy violation is possible within iOS. Many apps regularly request permission to the Camera in iOS, such as allowing users to post photos from their Camera Roll, take a picture within the app without leaving it, and more.

He went on explained that if these permissions granted to a malicious app, the iPhone's front and back cameras can be turned on when that app is running. From there it could record content, upload it online, and even use facial expression analysis to measure your emotional response to things like ads displayed in the feed, all without indicating that your iPhone is recording you or your surroundings.


The demo app called watch.user he wrote shows a social networking app asking permission to access your camera to allow you to upload a photo, and then taking photos and video without notice while you are simply scrolling through the feed. The developer explained that with a vision framework in iOS 11 a developer could even map someone's face to track their expressions.


He said that there're "only a few things you can do" to potentially prevent this from happening, include purchasing camera covers to place over your iPhone's lenses. Otherwise, you have to revoke camera access for all apps. Krause have reported the issue to Apple, and mentioned a few ways it could be potentially addressed.

Offer a way to grant temporary access to the camera (e.g. to take and share one picture with a friend on a messaging app) [or] show an icon in the status bar that the camera is active, and force the status bar to be visible whenever an app accesses the camera.

To double check which apps have access to your iPhone's cameras and photo library, navigate to the Settings - Privacy, and there you'll find Photos and Camera, Apps that you've granted access to each will be listed, and you can change settings with toggles or choosing to "Never" allow access.


Via MacRumors And 9to5Mac, Image Credit MacRumors And 9to5Mac
Powered by Blogger.