Apple has approved Parler's return to the iOS app store following improvements the social media company made to better detect and moderate hate speech and incitement, according to a letter the iPhone maker sent to Congress on Monday. From a report: The decision clears the way for Parler, an app popular with conservatives including some members of the far right, to be downloaded once again on Apple devices. The letter -- addressed to Sen. Mike Lee and Rep. Ken Buck and obtained by CNN -- explained that since the app was removed from Apple's platform in January for violations of its policies, Parler "has proposed updates to its app and the app's content moderation practices." On April 14, Apple's app review team told Parler that its proposed changes were sufficient, the letter continued. Now, all Parler needs to do is to flip the switch. "Apple anticipates that the updated Parler app will become available immediately upon Parler releasing it," Apple's letter said. Parler, an alternative to Facebook and Twitter that bills itself as a haven for free speech, was removed from major tech platforms in early January following the US Capitol riots of Jan. 6.

According to app developer Kosta Eleftheriou, Apple's App Store hosted a kid's game that's actually a front for gambling websites. "The secret password isn't one you'd be likely to guess: you have to be in the right country -- or pretend to be in the right country using a VPN," writes Sean Hollister via The Verge. "But then, instead of launching an ugly monkey-flipping endless runner game filled with typos and bugs, the very same app launches a casino experience." From the report: The app, "Jungle Runner 2k21," has already disappeared from the App Store, presumably thanks to publicity from Gizmodo and Daring Fireball, who each wrote about Eleftheriou's finding earlier today. It's not the only one, though: the same developer, "Colin Malachi," had another incredibly basic game on the App Store called "Magical Forest - Puzzle" that was also a front for gambling. [...] I accessed them from a VPN server in Turkey; While Daring Fireball notes that users in other non-US countries like Italy also seem to have been able to access the gambling sites, I tried them with a number of other locations including Italy without success.

Unlike the multi-million dollar App Store scams that Eleftheriou uncovered earlier this year, it's not hard to see why Apple's App Store review program might have missed these -- they largely look like your typical shovelware if you don't know the trick, with only a handful of tells... like the fact that Jungle Runner uses a Pastebin for its privacy policies. It's not necessarily clear to me that they'd be violating very many of Apple's App Store policies, either. Gambling apps are permitted by Apple, as long as they're geo-restricted to regions where that gambling is permitted by law, and you could maybe argue that's exactly what this developer did by checking your IP address.

A new report from The Washington Post reveals how the FBI gained access to an iPhone linked to the 2015 San Bernardino shooting. Apple refused to build a backdoor into the phone, citing the potential to undermine the security of hundreds of millions of Apple users, which kicked off a legal battle that only ended after the FBI successfully hacked the phone. Thanks to the Washington Post's report, we now know the methods the FBI used to get into the iPhone. Mitchell Clark summarizes the key findings via The Verge: The phone at the center of the fight was seized after its owner, Syed Rizwan Farook, perpetrated an attack that killed 14 people. The FBI attempted to get into the phone but was unable to due to the iOS 9 feature that would erase the phone after a certain number of failed password attempts. Apple attempted to help the FBI in other ways but refused to build a passcode bypass system for the bureau, saying that such a backdoor would permanently decrease the security of its phones. After the FBI announced that it had gained access to the phone, there were concerns that Apple's security could have been deeply compromised. But according to The Washington Post, the exploit was simple: [An Australian security firm called Azimuth Security] basically found a way to guess the passcode as many times as it wanted without erasing the phone, allowing the bureau to get into the phone in a matter of hours.

The technical details of how the auto-erase feature was bypassed are fascinating. The actual hacking was reportedly done by two Azimuth employees who gained access to the phone by exploiting a vulnerability in an upstream software module written by Mozilla. That code was reportedly used by Apple in iPhones to enable the use of accessories with the Lightning port. Once the hackers gained initial access, they were able to chain together two more exploits, which gave them full control over the main processor, allowing them to run their own code. After they had this power, they were able to write and test software that guessed every passcode combination, ignoring any other systems that would lock out or erase the phone. The exploit chain, from Lightning port to processor control, was named Condor. As with many exploits, though, it didn't last long. Mozilla reportedly fixed the Lightning port exploit a month or two later as part of a standard update, which was then adopted by the companies using the code, including Apple.

An anonymous reader quotes a report from 9to5Google: A new Google Shopping experience that featured a personalized homepage launched in 2019. On Android, Google rebranded the existing Express app to Shopping, but it's now shutting down the mobile experience in favor of just the web. The [Android and iOS clients] will continue to work through June. It comes as Google has been expanding shopping functionality in Search, Image Search, and YouTube, while increasingly leveraging augmented reality: "Within the next few weeks, we'll no longer be supporting the Shopping app. All of the functionality the app offered users is available on the Shopping tab. We'll continue building features within the Shopping tab and other Google surfaces, including the Google app, that make it easy for people to discover and shop for the products they love."

The Federal Communications Commission has released a new speed test app to help measure internet speeds across the country, available on both Android and iOS. From a report: The FCC Speed Test App works similarly to existing speed-testing apps like Ookla's and Fast by Netflix, automatically collecting and displaying data once users press the "start testing" button. According to the FCC, the data collected through the app will inform the agency's efforts to collect more accurate broadband speed information and aid its broadband deployment efforts. "To close the gap between digital haves and have nots, we are working to build a comprehensive, user-friendly dataset on broadband availability," Acting Chair Jessica Rosenworcel said in a statement Monday. "Expanding the base of consumers who use the FCC Speed Test app will enable us to provide improved coverage information to the public and add to the measurement tools we're developing to show where broadband is truly available throughout the United States."

An anonymous reader quotes a report from ZDNet: A zero-day vulnerability in Zoom which can be used to launch remote code execution (RCE) attacks has been disclosed by researchers. The researchers from Computest demonstrated a three-bug attack chain that caused an RCE on a target machine, and all without any form of user interaction. As Zoom has not yet had time to patch the critical security issue, the specific technical details of the vulnerability are being kept under wraps. However, an animation of the attack in action demonstrates how an attacker was able to open the calculator program of a machine running Zoom following its exploit. As noted by Malwarebytes, the attack works on both Windows and Mac versions of Zoom, but it has not -- yet -- been tested on iOS or Android. The browser version of the videoconferencing software is not impacted. Computest researchers Daan Keuper and Thijs Alkemade earned themselves $200,000 for this Zoom discovery, as it was part of the Pwn2Own contest.

In a statement to Tom's Guide, Zoom thanked the Computest researchers and said the company was "working to mitigate this issue with respect to Zoom Chat." In-session Zoom Meetings and Zoom Video Webinars are not affected. "The attack must also originate from an accepted external contact or be a part of the target's same organizational account," Zoom added. "As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust."

Apple knows that iMessage's blue bubbles are a big barrier to people switching to Android, which is why the service has never appeared on Google's mobile operating system. From a report: That's according to depositions and emails from Apple employees, including some high-ranking executives, revealed in a court filing from Epic Games as part of its legal dispute with the iPhone manufacturer. Epic argues that Apple consciously tries to lock customers into its ecosystem of devices, and that iMessage is one of the key services helping it to do so. It cites comments made by Apple's senior vice president of Internet Software and Services Eddie Cue, senior vice president of software engineering Craig Federighi, and Apple Fellow Phil Schiller to support its argument.

"The #1 most difficult [reason] to leave the Apple universe app is iMessage ... iMessage amounts to serious lock-in," was how one unnamed former Apple employee put it in an email in 2016, prompting Schiller to respond that, "moving iMessage to Android will hurt us more than help us, this email illustrates why." "iMessage on Android would simply serve to remove [an] obstacle to iPhone families giving their kids Android phones," was Federighi's concern according to the Epic filing. Although workarounds to using iMessage on Android have emerged over the years, none have been particularly convenient or reliable.

Long-time Slashdot reader phalse phace quotes the Washington Post: Phillipe Christodoulou wanted to check his bitcoin balance last month, so he searched the App Store on his iPhone for "Trezor," the maker of a small hardware device he uses to store his cryptocurrency. Up popped the company's padlock logo set against a bright green background. The app was rated close to five stars. He downloaded it and typed in his credentials.

In less than a second, nearly all of his life savings — 17.1 bitcoin worth $600,000 at the time — was gone. The app was a fake, designed to trick people into thinking it was a legitimate app.

But Christodoulou is angrier at Apple than at the thieves themselves: He says Apple marketed the App Store as a safe and trusted place, where each app is reviewed before it is allowed in the store. Christodoulou, once a loyal Apple customer, said he no longer admires the company. "They betrayed the trust that I had in them," he said in an interview. "Apple doesn't deserve to get away with this."

Apple bills its App Store as "the world's most trusted marketplace for apps," where every submission is scanned and reviewed, ensuring they are safe, secure, useful and unique. But in fact, it's easy for scammers to circumvent Apple's rules, according to experts. Criminal app developers can break Apple's rules by submitting seemingly innocuous apps for approval and then transforming them into phishing apps that trick people into giving up their information, according to Apple. When Apple finds out, it removes the apps and bans the developers, the company says. But it's too late for the people who fell for the scam.
The Post also points out that the 15 to 30 percent commission Apple collects on all sales in the App Store "goes to fund the 'highly curated' customer experience, the company has said."

iOS 14 has brought several new privacy features, and there are more to come with App Tracking Transparency -- which will let users opt out of being tracked by apps. From a report: As the launch of this new option approaches, Apple has begun to reject apps using third-party SDKs that collect user data without consent. Developers can implement some SDKs that help them track users by a method called "device fingerprinting," which uses multiple attributes such as the device model, IP address, and other data to identify a person across the internet. Apps often use this data for deep analysis about their audience or to sell advertisements.

While tracking the user is not exactly illegal, Apple wants to put an end to apps that do this without explicit consent. As noted by analyst Eric Seufert, the company is now rejecting any apps using the Adjust SDK, which is one of those SDKs that provides device fingerprinting. There would be no problem for these developers if the Adjust SDK complied with Apple's new privacy guidelines, but this doesn't seem to be the case. Seufert detailed to 9to5Mac that the Adjust SDK not only doesn't have an option for users to opt out of being tracked, but has also been suggesting alternatives for developers to continue tracking users once Apple enables App Tracking Transparency. Snap has explored how it can circumvent new privacy rules for iPhones, Financial Times reported Friday.

Microsoft has shut down its Cortana app for iOS and Android. From a report: It's the latest in a series of moves to end support for Cortana across multiple devices, including Microsoft's own Surface Headphones. The Cortana app for iOS and Android is no longer supported, and Microsoft has removed it from both the App Store and Google's Play Store.

An anonymous reader quotes a report from The Record by Recorded Future: Academic research published last week looked at the telemetry traffic sent by modern iOS and Android devices back to Apple and Google servers and found that Google collects around 20 times more telemetry data from Android devices than Apple from iOS. The research, conducted by Professor Douglas J. Leith from Trinity College at the University of Dublin, analyzed traffic originating from iOS and Android devices heading to Apple and Google servers at various stages of a phone's operation... [...] The study unearthed some uncomfortable results. For starters, Prof. Leith said that "both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this [option]." Furthermore, "this data is sent even when a user is not logged in (indeed even if they have never logged in)," the researcher said.

But while the Irish researcher found that Apple tends to collect more information data types from an iOS device, it was Google that collected "a notably larger volume of handset data. During the first 10 minutes of startup the Pixel handset sends around 1MB of data is sent to Google compared with the iPhone sending around 42KB of data to Apple," Prof. Leith said. "When the handsets are sitting idle the Pixel sends roughly 1MB of data to Google every 12 hours compared with the iPhone sending 52KB to Apple i.e., Google collects around 20 times more handset data than Apple." In response to the findings, a Google spokesperson said: "This research outlines how smartphones work. Modern cars regularly send basic data about vehicle components, their safety status and service schedules to car manufacturers, and mobile phones work in very similar ways. This report details those communications, which help ensure that iOS or Android software is up to date, services are working as intended, and that the phone is secure and running efficiently." The Android maker also disputed the paper's methodology, which they claim under-counted iOS' telemetry volume by excluding certain types of traffic, which Google believes resulted in skewed results that found Android devices collecting 20 times more data than iOS.

Apple echoed its rival's response. "The report conflates a number of items in relation to different services and misunderstands how personal location data is protected," an Apple spokesperson told The Record. "Apple is not collecting data that can be associated with individuals without a user's knowledge or consent."

Additional information about the findings can be found here (PDF).

This week Swedish developer Daniel Stenberg posted a remarkable reflection on the 23rd anniversary of his command-line data tool, cURL: curl was adopted in Red Hat Linux in late 1998, became a Debian package in May 1999, shipped in Mac OS X 10.1 in August 2001. Today, it is also shipped by default in Windows 10 and in iOS and Android devices. Not to mention the game consoles, Nintendo Switch, Xbox and Sony PS5.

Amusingly, libcurl is used by the two major mobile OSes but not provided as an API by them, so lots of apps, including many extremely large volume apps bundle their own libcurl build: YouTube, Skype, Instagram, Spotify, Google Photos, Netflix etc. Meaning that most smartphone users today have many separate curl installations in their phones.

Further, libcurl is used by some of the most played computer games of all times: GTA V, Fortnite, PUBG mobile, Red Dead Redemption 2 etc.

libcurl powers media players and set-top boxes such as Roku, Apple TV by maybe half a billion TVs.

curl and libcurl ships in virtually every Internet server and is the default transfer engine in PHP, which is found in almost 80% of the world's almost two billion websites.

Cars are Internet-connected now. libcurl is used in virtually every modern car these days to transfer data to and from the vehicles.

Then add media players, kitchen and medical devices, printers, smart watches and lots of "smart"; IoT things. Practically speaking, just about every Internet-connected device in existence runs curl.

I'm convinced I'm not exaggerating when I claim that curl exists in over ten billion installations world-wide...

Those 300 lines of code in late 1996 have grown to 172,000 lines in March 2021.
Stenberg attributes cURL's success to persistence. "We hold out. We endure and keep polishing. We're here for the long run. It took me two years (counting from the precursors) to reach 300 downloads. It took another ten or so until it was really widely available and used." But he adds that 22 different CPU architectures and 86 different operating systems are now known to have run curl.

In a later blog post titled "GitHub Steel," Stenberg also reveals that GitHub gave him a 3D-printed steel version of his 2020 GitHub contribution matrix — accompanied by a friendly note. "Please accept this small gift as a token of appreciation on behalf of all of us here at GitHub, and everyone who benefits from your work."

On March 24, 2001, Mac OS X first became available to users around the world. Ars Technica's Samuel Axon reflects on the OS and the many new features and technologies it brought that we now take for granted. From the report: Of course, Mac OS X (or macOS 10 as it was later known) didn't quite survive to its 20th birthday; last year's macOS Big Sur update brought the version number up to 11, ending the reign of X. But despite its double life on x86 and ARM processors and its increasingly close ties to iOS and iPadOS, today's macOS is still very much a direct descendant of that original Mac OS X release. Mac OS X, in turn, evolved in part from Steve Jobs' NeXT operating system -- which had recently been acquired by Apple -- and its launch was the harbinger of the second Jobs era at Apple.

[Mac OS X] enabled Apple's laptops to wake up from sleep immediately, and it introduced dynamic memory management, among other things. Mac OS X's greatest impact in retrospect may be in the role it had in inspiring and propping up iOS, which has far surpassed macOS as Apple's most widely used operating system. [...] Despite Apple's resounding success in the second Steve Jobs era, as well as in the recent Tim Cook era, the Mac is still a relatively niche platform -- beloved by some, but skipped by much of the mainstream. After 20 years, a lot has changed, but a whole lot has stayed the same.

As it faces a barrage of probes and investigations regarding the App Store and the distribution of apps on its devices, Apple has told Australia's consumer watchdog that developers have "multiple" ways to reach iOS users and claims that they are "far from limited" to simply using the App Store. From a report: In a new filing responding to concerns from the Australian Competition & Consumer Commission that it exploits "alleged market power in its role as a distributor of apps," Apple highlights multiple avenues that developers can take to reach customers. Specifically, Apple points out that the "whole web" exists as an alternative means of distribution, arguing that the web has become a platform unto itself. Apple supports this claim by noting that iOS devices have "unrestricted and uncontrolled" access to the web, allowing users to download web apps. Apple says: Web browsers are used not only as a distribution portal but also as platforms themselves, hosting "progressive web applications" (PWAs) that eliminate the need to download a developer's app through the App Store (or other means) at all. PWAs are increasingly available for and through mobile-based browsers and devices, including on iOS. [...] As explained further below, Apple faces competitive constraints from distribution alternatives within the iOS ecosystem (including developer websites and other outlets through which consumers may obtain third-party apps and use them on their iOS devices) and outside iOS. Prominent iOS developer Marco Arment commented on Apple's argument, saying: LOL

A company that makes an email app that helps users encrypt their emails paid for fake reviews in an attempt to get more people to download its products, according to leaked emails obtained by Motherboard. An anonymous reader shares a report: The CEO of pEp, a Luxembourg-based company that makes the pEp email encryption apps for Android and iOS, commissioned a marketing company to write fake reviews that he himself wrote in the summer of last year. Leon Schumacher asked the marketing company Mobiaso to post 40 five-star reviews in English, French, and German to the Google Play Store. Schumacher included an Excel spreadsheet that contained the specific text that he wanted Mobiaso to use. "Super easy privacy," one fake review said. "One of the best mail applications. I have never had problems and I suggest it all the time to friends," another said.

"Can we speed up today and do 12 ratings per day do 7 reviews per day (Please use the Texts below for the right countries (that I forwarded already per earlier e-mail)," Schumacher wrote in an email to Mobiaso. pEp, short for Pretty Easy Privacy, develops email encryption apps for both iOS and Android, where it has more than 10,000 installs, according to the stats on the Google Play Store. The company, through its foundation, also funded a new library to encrypt emails using PGP, the decades old technology that allows users to encrypt emails and other files. Mobiaso advertises "iOS reviews" and "Android installs" on its website. One of the services the company offers is App Store Optimization, or ASO, which includes fake reviews. The service has several price tiers, ranging from $160 to $450. Only the two most expensive tiers include fake reviews. "Each app developer/advertiser should remember that without a good ASO search optimization, your target audience wouldn't even find or open your app page," Mobiaso says.

In 2019 Purism launched a suite of privacy-protecting, no-tracking apps and services named Librem One. And it included an encrypted, no-logging, virtual private network tunnel named Librem Tunnel.

Unfortunately, "Recently we've been forced to remove Librem Tunnel from iOS due to their unfair policies," explains a post this week on Purism's blog: Apple's policy is that applications that make in-app purchases or offer subscriptions using Apple's payment platform pay Apple 30% of their revenue. The justification behind that fee is that companies are benefiting from all of the work Apple has put into its payments platform and so the fee helps them maintain that payments infrastructure while saving app developers from having to implement their own payment or subscription infrastructure...

Recently our VPN endpoints have changed, which required us to update the Librem Tunnel application. Unfortunately our attempts to push an update were blocked, because Apple saw that the application was a VPN, which flagged it to check whether it was a subscription service (which VPNs frequently are). Even though Librem Tunnel is just part of the overall Librem One offering, because it's part of a subscription service, Apple is requiring us to add the ability to sign up and pay for Librem One subscriptions within the Librem Tunnel app before they will allow updated versions into the App Store. Why are they making that requirement even though we already have our own independent payment infrastructure? Because once that app allows in-app purchases, Apple can then automatically take their 30% cut.

We do not accept these kinds of monopolistic practices, nor do we want to fund them through our own customers. Since Apple does not allow alternatives to the App Store on their platform, we have no choice but to remove Librem Tunnel from iOS, until such time Apple changes their policies either on their own, or through government intervention.
For their existing users on iOS, "Because Librem Tunnel uses the standard, open, OpenVPN protocol, we have been working with customers to apply their OpenVPN configuration to a different iOS OpenVPN client."

An anonymous reader quotes a report from CNBC: Facebook CEO Mark Zuckerberg on Thursday said he is confident the social media company "will be able to manage through" Apple's upcoming planned privacy update to iOS 14, which will make it easier for iPhone and iPad users to block companies from tracking their activity to target ads. "We'll be in a good position," Zuckerberg said Thursday afternoon in Josh Constine's PressClub Clubhouse room. Apple's upcoming privacy changes will inform users about device ID tracking and ask them if they want to allow it. The tracking is based on a unique device identifier on every iPhone and iPad called the IDFA. Companies that sell mobile advertisements use this ID to help target ads and estimate their effectiveness. Apple has said that the change will roll out early this spring.

Zuckerberg explained that the change could benefit Facebook if more businesses decide to sell goods directly through Facebook and Instagram. "It's possible that we may even be in a stronger position if Apple's changes encourage more businesses to conduct more commerce on our platforms by making it harder for them to use their data in order to find the customers that would want to use their products outside of our platforms," Zuckerberg said. Zuckerberg on Thursday said that already Facebook has 1 million active shops on its services and 250 million people using shops actively. "Compared to the early conversations we had about how people would use this across Facebook and Instagram and our product, I think this is something that's well on track to be something that's going to be increasingly important to people," Zuckerberg said.

Security researchers have uncovered a new type of macOS malware that has been used in the wild to attack iOS software developers through trojanized Xcode projects. From a report: Named XcodeSpy, the malware consists of a malicious Run Script that was added to a legitimate Xcode project named TabBarInteraction. Security firm SentinelOne, which analyzed the malware in a report published today and shared with The Record, said the malicious script ran every time the Xcode project was built, installing a LaunchAgent for reboot persistence and then downloading a second payload, a macOS backdoor named EggShell. "The backdoor has functionality for recording the victim's microphone, camera and keyboard, as well as the ability to upload and download files," said Phil Stokes, macOS malware researcher at SentinelOne.

While the XcodeSpy server infrastructure that controlled the LaunchAgent was down, Stokes said they were able to discover several instances of the EggShell backdoor uploaded on the VirusTotal web-based malware scanner. Stokes said SentinelOne first learned of this malware following a tip from an anonymous researcher, who found an instance of the EggShell backdoor on the network of a US-based company. "The victim reported that they are repeatedly targeted by North Korean APT actors and the infection came to light as part of their regular threat hunting activities," Stokes said, but the researcher told The Record they were not able to definitively link the malware to a nation-state operation beyond a reasonable doubt.

Mobile app developer Kosta Eleftheriou, who publicly called out Apple earlier this year for negligence with regard to policing iOS scams and copycat apps on the App Store, has filed a lawsuit against the iPhone maker in California. From a report: He's accusing the company of exploiting its monopoly power over iOS apps "to make billions of dollars in profits at the expense of small application developers and consumers." Eleftheriou's company KPAW LLC, which he co-owns with his partner Ashley Eleftheriou, filed its complaint in Santa Clara County on Wednesday. It details the development and release timeline of Eleftheriou's Apple Watch keyboard app FlickType. At the time he began accusing Apple of abetting App Store scams early last month, Eleftheriou revealed that his FlickType app had been targeted by competing software he says either didn't work well or didn't work at all, and yet nonetheless chipped away at this sales and App Store rankings through false advertising and the purchase of fake reviews. After he complained, he said Apple did not do enough to combat the scams, though Apple did later remove some of the apps he called attention to.

An anonymous reader shares a report: Over the course of the last several weeks, Google has been adding App Privacy labels to its iOS apps in accordance with Apple's App Store rules, but it took Google multiple months to begin sharing the information. There was speculation that Google's delay meant that it had something to hide, which DuckDuckGo is leaning into with a blog that highlights Google's data collection and calls out the company for "spying" on users. [...] DuckDuckGo claims that Google "wanted to hide" the information that it collects, which is why Google took so long to roll out support for App Privacy labels. Most people are likely not surprised at the extent of the data that Google collects, but having it in one spot in the âOEApp StoreâOE is a stark reminder.