It's been almost a year since Apple re-launched TestFlight.
Apple had acquired TestFlight in 2014, and the much-anticipated announcement at WWDC gave many in the industry hope that TestFlight would spell the end for the numerous headaches associated with development builds and beta distributions. So where does TestFlight stand a year later? Has it lived up to these hopes?
"Masque Attack" is the new name—given by security firm FireEye—to an old trick intended to fool you into installing malicious apps on your iPhone or iPad. Most recently detailed by security researcher Jonathan Zdziarski, tricks like Masque Attack won't affect most people, but it's worth understanding how it works and, in the event you are targeted, how to avoid it.
There are once again some needlessly scary security articles going around, this time concerning malware dubbed "WireLurker". WireLurker hides inside pirated apps and tries to get people to install it on the Mac so it can transfer data to and from the iPhone or iPad over USB. It's important to point out almost no one reading this is in any danger from WireLurker, and anyone who is can easily avoid it. When reached for comment, Apple said:
Just as quickly as CurrentC popped into the limelight, questions arose around the company's intentions. Even though I don't have an invite for CurrentC's invite-only mobile payments and loyalty rewards system, I decided to take a look. I posted some initial findings on Twitter and a brief summary on iMore, but wanted to do a more in-depth technical post for anybody who was curious.
Over the last few days, CVS and Rite Aid have disabled NFC technology at their retail outlets to prevent customers from using Apple Pay. It's been reported that this is due to an existing deal in place with a system called CurrentC, which involves the use of an app, QR codes, your bank account, and their servers. Walmart recently explained MCX's — the consortium behind CurrentC — position to Business Insider as follows:
Normally when you're walking around with a WiFi-enabled device, if it's not connected to a network, it's broadcasting probes in order to try and find known networks. These probes would be sent using your phone's WiFi MAC address, which is a unique and normally persistent value. This means that anybody monitoring these probes, say in a department store for example, can persistently track you through a store and across multiple visits. This information isn't tied to your personal identity, but a lot of information about your shopping habits could be gleaned from this data by analytics companies, and some users aren't thrilled about not having a say in this. And remember, this isn't just an iPhone thing, this is a WiFi thing. This is what devices do. But Apple decided they could do better.
Software is buggy. Humans write and test software and humans are imperfect; as a result, so is software. This is the reality of software and should come as a surprise to nobody. What can be surprising is the kind of bugs we actually see make their way out into the wild. We've seen two very prominent examples this week. The first was the release of iOS 8.0.1 on Wednesday which broke cellular service and Touch ID for iPhone 6 and iPhone 6 Plus users. The very same day we saw a huge bug in bash publicly disclosed; a vulnerability leaving millions and millions of personal computers, servers, embedded systems, and who knows how many other types of Internet-connected devices open to attack. And for most people, it's baffling how bugs like this could ever find their way into the world. Aren't developers supposed to be smart? The bash bug may be obscure enough that many end-users don't understand it, but what about iOS 8.0.1? How could such a big piece of software ship with such a glaring bug that broke such critical pieces of functionality?
Apple has posted a new version of their terrific white paper on iOS security, this one updated for iOS 8 and dated September, 2014. I haven't had time to read through it yet, but if last year's version is any indication, encryption enthusiasts should be in for a treat. The timing, immediately following iOS 8's release, and Tim Cook's letter on privacy, probably isn't a coincidence. Apple is making privacy and security both a differentiator and they want this information out there.
Yesterday Apple announced Apple Pay, a payment mechanism that will be available on the iPhone 6, iPhone 6 Plus, and Apple Watch. While the convenience of such a feature is tempting, how do we know if we can trust it? To answer this, let's take a look at what we know about Apple Pay's security so far.
Apple is responding to security concerns raised by many this past week as a result of the massive release of stolen celebrity photos. While this is a good move by Apple that will increase security for users, it's important to understand what these changes do and don't mean for us.
Every day our iPhones and iPads become a little more integrated in our lives. Every day they learn a little more about us and become more capable than they were before. And every day many of us make a choice to hand over more information about ourselves in exchange for features and convenience. One such piece of information is our location. There's a seemingly endless list of apps that may want to track your location for a variety of reasons. From mapping your bike rides to recommending nearby restaurants, many of us grant apps permission to access our location every day. As more apps request and make use of this type of sensitive information, it becomes increasingly important for users to have more granular control over which apps access what information and when. With iOS 8, we will see some noteworthy changes to location permissions intended to provide more transparency, and give users more control.
Beta testing apps has long been a pain point for iOS developers. So it's no surprise that the announcement of TestFlight as part of iOS 8 was met with much fanfare at WWDC 2014. Since Apple's acquisition of Burstly (makers of TestFlight), there has been a lot of speculation and hope that Apple could finally release a more friendly solution for handling the distribution of beta apps. TestFlight marks a significant advancement for Apple in that area, and a welcome change for developers.
Yesterday Apple released updates for iOS 6, iOS 7, and Apple TV to squash a security bug that affected SSL/TLS connections. Oftentimes, security patches can fix obscure bugs that could only occur under the strangest of circumstances, and they get rolled into larger updates that address many other issues. However, this fix warranted its own updates, both for iOS 7 and for iOS 6. So what kind of bug calls for such a response? Fortunately for those of us curious enough to wonder, Adam Langley has the answer.
Responding to a recent security bug, Starbucks released an update to their iPhone app addressing the issue late last night. Starbucks said in an update on their blog:
As promised, we have released an updated version of Starbucks Mobile App for iOS which adds extra layers of protection. We encourage customers to download the update as an additional safeguard measure.
Earlier this week, security researcher Daniel Wood disclosed his findings on Starbucks' insecure handling of sensitive user information in their iPhone app. The sensitive information discovered includes usernames, passwords, emails, addresses, location data, and OAuth keys. While Wood's findings are valid, the interpretations of his findings have been inaccurate and exaggerated.
Update: The group originally claiming credit for the database breach has since acknowledged they had only performed a distributed denial of service attack. It seems the group simply used the maintenance-related Dropbox outage as an opportunity to troll the Internet. You win this round, @1775Sec.
Update 2: The Dropbox website is back up.
Update 3 - 1/11/14: Dropbox's status page shows that maintenance is still ongoing. Users continue to report trouble using some services.
The Internet has been buzzing about Coin, a credit card replacement announced last Thursday. Currently taking pre-orders, and planning to launch Summer 2014, Coin is a credit card-sized device which is capable of storing and behaving as pretty much any card with a magnetic strip: credit cards, gift cards, membership cards, etc. Coin allows you to select which card you want to use, and when you or a merchant swipe your credit card, the information for the appropriate card can be read from Coin. Replacing every card in your wallet with a single, card-sized device is exciting to think about, but obviously a product like this raises a lot of questions.
After a failed attempt last month at rolling out BlackBerry Messenger (BBM) for iOS and Android, BlackBerry is giving the rollout another try. However, anybody who did not sign up previously is stuck waiting for their turn as BlackBerry slowly rolls out BBM to new users... unless you know how to skip the line.