Iphone

Is Apple's App Store Teeming With Scams? (adn.com) 130

"Apple's tightly controlled App Store is teeming with scams," argues a 3,000-word exposé in Sunday's Washington Post:

"Among the 1.8 million apps on the App Store, scams are hiding in plain sight. Customers for several VPN apps, which allegedly protect users' data, complained in Apple App Store reviews that the apps told users their devices have been infected by a virus to dupe them into downloading and paying for software they don't need. A QR code reader app that remains on the store tricks customers into paying $4.99 a week for a service that is now included in the camera app of the iPhone. Some apps fraudulently present themselves as being from major brands such as Amazon and Samsung. Of the highest 1,000 grossing apps on the App Store, nearly two percent are scams, according to an analysis by The Washington Post. And those apps have bilked consumers out of an estimated $48 million during the time they've been on the App Store, according to market research firm Appfigures.

The scale of the problem has never before been reported. What's more, Apple profits from these apps because it takes a cut of up to 30 percent of all revenue generated through the App Store.

Even more common, according to The Post's analysis, are "fleeceware" apps that use inauthentic customer reviews to move up in the App Store rankings and give apps a sense of legitimacy to convince customers to pay higher prices for a service usually offered elsewhere with higher legitimate customer reviews...

Apple has long maintained that its exclusive control of the App Store is essential to protecting customers, and it only lets the best apps on its system. But Apple's monopoly over how consumers access apps on iPhones can actually create an environment that gives customers a false sense of safety, according to experts... Apple isn't the only company that struggles with this issue: They're also on Google's Play Store, which is available on its Android mobile operating system. But unlike Apple, Google doesn't claim that its Play Store is curated. Consumers can download apps from different stores on Android phones, creating competition between app stores...

When it comes to one type of scam, there's evidence that Apple's store is no safer than Google's. Avast analyzed both the Apple and Google app stores in March, looking for fleeceware apps. The company found 134 in the App Store and 70 on the Play Store, with over a billion downloads, about half on Android and half on iOS, and revenue of $365 million on Apple and $38.5 million on Android. Most of the victims were in the United States.

Businesses

Apple Has a Major Developer-Relations Problem (marco.org) 82

Marco Arment, a widely respected programmer, app developer and commentator on Apple, has analyzed Apple's arguments and its thinking as officially portrayed in its lawsuit against Epic. He writes: Apple's leaders continue to deny developers of two obvious truths:

1. That our apps provide substantial value to iOS beyond the purchase commissions collected by Apple.
2. That any portion of our customers came to our apps from our own marketing or reputation, rather than the App Store.

For Apple to continue to deny these is dishonest, factually wrong, and extremely insulting -- not only to our efforts, but to the intelligence of all Apple developers and customers. This isn't about the 30%, or the 15%, or the prohibition of other payment systems, or the rules against telling our customers about our websites, or Apple's many other restrictions. (Not today, at least.) It's about what Apple's leadership thinks of us and our work. It isn't the App Store's responsibility to the rest of Apple to "pay its way" by leveraging hefty fees on certain types of transactions. Modern society has come to rely so heavily on mobile apps that any phone manufacturer must ensure that such a healthy ecosystem exists as table stakes for anyone to buy their phones. Without our apps, the iPhone has little value to most of its customers today.

If Apple wishes to continue advancing bizarre corporate-accounting arguments, the massive profits from the hardware business are what therefore truly "pay the way" of the App Store, public APIs, developer tools, and other app-development resources, just as the hardware profits must fund the development of Apple's own hardware, software, and services that make the iPhone appeal to customers. The forced App Store commissions, annual developer fees, and App Store Search Ads income are all just gravy. The "way" is already paid by the hardware -- but Apple uses their position of power to double-dip. And that's just business. Apple's a lot of things, and "generous" isn't one. But to bully and gaslight developers into thinking that we need to be kissing Apple's feet for permitting us to add billions of dollars of value to their platform is not only greedy, stingy, and morally reprehensible, but deeply insulting.

Twitter

Twitter Debuts Subscriptions To 'Super Users' in New Revenue Push (bloomberg.com) 47

Twitter unveiled its long-awaited subscription service, offering paying customers exclusive features for rescinding tweets and organizing posts as part of a push to ease the social network's dependence on advertising revenue. From a report: Dubbed Twitter Blue, the product will cost $2.99 a month for access to tools including the ability to "undo" a post before it goes out publicly, organize bookmarked tweets into folders, and more easily read long tweet threads. Subscribers will also get faster service for customer-support claims, can choose from new app colors and will have the ability to modify the Twitter app icon on iOS devices. The subscription model could help Twitter diversify its business at a time when the pandemic has underscored the risks of a heavy reliance on digital advertising. [...] The product suite is being pitched to the most prolific of Twitter's 200 million daily users, including journalists, social media managers and those who use the site as their primary news source, said Sara Beykpour, the product lead in charge of subscriptions. "Twitter Blue is aimed at customers who are our most engaged, our most passionate super users who really want to take their experience to the next level," said Beykpour, who declined to estimate the size of the target group. "There is something special about this cohort that we're really learning about."
Android

Google is Making it Harder for Android Apps To Track You Once You've Opted Out (theverge.com) 16

It's going to get harder for Android apps to track users who've opted out of receiving personalized ads, the Financial Times reports, after Google announced changes to how it'll handle the unique device identifiers that allow marketers to track them between apps. From a report: Starting later this year, Google is cutting off access to these "Advertising IDs" after a user opts out, and will show developers a "string of zeros" in its place. The news was announced in an email to Play Store developers, and Google has also updated its support page for Advertising IDs with the announcement. Google told developers the changes will "provide users with more control over their data, and help bolster security and privacy," the Financial Times reports. The change comes a few short months after Apple overhauled how advertising IDs work on iOS in an apparent attempt to compete with the new policy.
Google

Google Chrome's Top Web App Advocate Resigns (cnet.com) 52

Google is losing one of its strongest champions of the web. Alex Russell, who has led the Fugu project to make web apps as powerful as those running on Google's Android or Apple's iOS software, is leaving the company on Wednesday. From a report: Russell announced his departure on Twitter. He's not quitting in anger or being pushed out. But after 12 years at Google pushing his vision for a more powerful web, "I need some time off," he said in an interview. Russell has been an outspoken advocate for the web, using Chrome's dominant position to help test and introduce new abilities that let programmers build interactive apps on the web, not just relatively static websites. Project Fugu embodies this effort, as does the broader progressive web app, or PWA, movement that lets you install and launch web apps more like those that run natively on smartphones and PCs.
China

Alibaba's Huge Browser Business Is Harvesting The 'Private' Web Activity Of Millions Of Android And iPhone Users (forbes.com) 50

Security researcher Gabi Cirlig's findings, verified for Forbes by two other independent researchers, reveal that on both Android and iOS versions of UC Browser, every website a user visits, regardless of whether they're in incognito mode or not, is sent to servers owned by UCWeb. From a report: Cirlig said IP addresses -- which could be used to get a user's rough location down to the town or neighborhood of the user -- were also being sent to Alibaba-controlled servers. Those servers were registered in China and carried the .cn Chinese domain name extension, but were hosted in the U.S. An ID number is also assigned to each user, meaning their activity across different websites could effectively be monitored by the Chinese company, though it's not currently clear just what Alibaba and its subsidiary are doing with the data.

"This could easily fingerprint users and tie them back to their real personas," Cirlig wrote in a blog post handed to Forbes ahead of publication on Tuesday. Cirlig was able to uncover the problem by reverse engineering some encrypted data he spotted being sent back to Beijing. Once the key had been cracked, he was able to see that every time he visited a website, it was being encrypted and transmitted back to the Alibaba company. On Apple's iOS, he didn't even need to reverse engineer the encryption because there effectively was none on the device (though it was encrypted when in transit). "This kind of tracking is done on purpose without any regard for user privacy," Cirlig told Forbes. When compared to Google's own Chrome browser, for instance, it does not transfer user web browsing habits when in incognito. Cirlig said he'd looked at other major browsers and found none did the same as UC Browser.

Apple

Apple 'HomeOS' Mentioned in Job Listing Ahead of WWDC (macrumors.com) 43

An Apple job listing has mentioned "homeOS," an otherwise never-before heard of Apple operating system, ahead of WWDC next week. From a report: Spotted by developer Javier Lacort, the Apple job listing for a Senior iOS Engineer in Apple Music explicitly mentions "homeOS" on two occasions, alongside Apple's other operating systems including iOS, watchOS, and tvOS. Interestingly, the job listing mentions homeOS as a "mobile platform," seemingly highlighting it as more akin to iOS and watchOS than systems like macOS and tvOS, but it is not clear why that would be the case.
Software

One Startup's Quest to Take on Chrome and Reinvent the Web Browser (protocol.com) 101

"The web browser is a crucial part of modern life, and yet it hasn't really been revised since the '90s," writes Protocol. "That may be about to change." The browser tab is an underrated thing. Most people think of them only when there are too many, when their computer once again buckles under Chrome's weight. Even the developers who build the tabs — the engineers and designers working on Chrome, Firefox, Brave and the rest — haven't done much to them. The internet has evolved in massive, earth-shaking ways over the last two decades, but tabs haven't really changed since they became a browser feature in the mid '90s.

Josh Miller, however, has big plans for browser tabs. Miller is the CEO of a new startup called The Browser Company, and he wants to change the way people think about browsers altogether. He sees browsers as operating systems, and likes to wonder aloud what "iOS for the web" might look like. What if your browser could build you a personalized news feed because it knows the sites you go to? What if every web app felt like a native app, and the browser itself was just the app launcher? What if you could drag a file from one tab to another, and it just worked? What if the web browser was a shareable, synced, multiplayer experience? It would be nothing like the simple, passive windows to the web that browsers are now. Which is exactly the goal.

The Browser Company (which everyone on the team just calls Browser) is one of a number of startups that are rethinking every part of the browser stack. Mighty has built a version of Chrome that runs on powerful server hardware and streams the browser itself over the web. Brave is building support for decentralized protocols like IPFS, and experimenting with using cryptocurrencies as a new business model for publishers. Synth is building a new bookmarks system that acts more like a web-wide inbox. Sidekick offers a vertical app launcher and makes tabs easier to organize. "A change is coming," said Mozilla CEO Mitchell Baker. "The question is just the time frame, and what's actually required to make it happen."

They have lots of different ideas, but they share a belief that the browser can, and should, be more than it is. "We don't need a new web browser," Miller said. "We need a new successor to the web browser."

While he was at the White House, Chief Digital Officer (and Miller's boss) Jason Goldman said something Miller couldn't forget. "Platforms have all the leverage," is how Miller remembers it. "And if you care about the future of the internet, or the way we use our computers, or want to improve any of the things that are broken about technology ... you can't really just build an application. Platforms, whether it's iOS or Windows or Android or Mac OS, that's where all the control is."

IOS

Scammy iOS App Discovered That Refuses To Open Unless You Give it a Good Review (theverge.com) 49

App developer and scam app hunter Kosta Eleftheriou's latest discovery is a real doozy: an iOS app that refuses to function until you give it at least a 3-star review in the App Store. From a report: Although the UPNP Xtreme app -- which claimed to let users stream video to their TVs -- now appears to have been pulled, we were able to verify that it generates the App Store rating box the second it opens. You can't dismiss the ratings box, nor can you tap the 1 or 2-star ratings, Eleftheriou said. We verified this behavior, but some other users report they were able to dismiss the dialog box or leave a lower rating.
IOS

Apple Releases iOS and iPadOS 14.6, macOS Big Sur 11.4 (macrumors.com) 26

Apple today released macOS Big Sur 11.4, the fourth major update to the macOS Big Sur operating system that launched in November 2020. From a report: The new macOS Big Sur 11.4 update can be downloaded for free on all eligible Macs using the Software Update section of System Preferences. macOS Big Sur 11.4 lays the groundwork for two upcoming Apple Music features: Spatial Audio with Dolby Atmos and Lossless Audio, both of which will be available on the Mac. It also adds support for Apple Podcasts subscriptions, and fixes a number of bugs. Apple today also released iOS and iPadOS 14.6, marking the sixth major updates to the iOS and iPadOS operating systems that initially came out in September 2020. From a report: The iOS and iPadOS 14.5 updates can be downloaded for free and the software is available on all eligible devices over-the-air in the Settings app. To access the new software, go to Settings - General - Software Update. iOS 14.6 introduces support for several previously announced features. It lays the groundwork for the Apple Music Spatial Audio with Dolby Atmos and Lossless Audio functionality, but these new Apple Music capabilities aren't expected to launch until June. The update also adds support for Apple Card Family for sharing Apple Cards, it introduces new Podcast subscription options, and it adds new AirTags capabilities, in addition to addressing several bugs.
Apple

Tim Cook Says He Doesn't Remember How Much Google Pays for Search Deal As He Plays Innocent in Epic v Apple Trial (techcrunch.com) 104

Apple CEO Tim Cook took his first turn in the witness chair this morning in what is probably the most anticipated testimony of the Epic v. Apple antitrust case. But rather than a fiery condemnation of Epic's shenanigans and allegations, Cook offered a mild, carefully tended ignorance that left many of the lawsuit's key questions unanswered, or unanswerable. TechCrunch reports: The facade of innocent ignorance began when he was asked about Apple's R&D numbers -- $15-20 billion annually for the last three years. Specifically, he said that Apple couldn't estimate how much of that money was directed towards the App Store, because "we don't allocate like that," i.e. research budgets for individual products aren't broken out from the rest. [...] This was further demonstrated when Cook was asked about Apple's deal with Google that keeps the search engine as the default on iOS. Cook said he didn't remember the specific numbers.
IOS

Apple Wants Users To Trust iOS, But It Doesn't Trust iOS Users (theverge.com) 105

Apple's software engineering head Craig Federighi had a tricky task in the Epic v. Apple trial: explaining why the Mac's security wasn't good enough for the iPhone. From a report: Mac computers have an official Apple App Store, but they also allow downloading software from the internet or a third-party store. Apple has never opened up iOS this way, but it's long touted the privacy and security of both platforms. Then Epic Games sued Apple to force its hand, saying that if an open model is good enough for macOS, Apple's claims about iOS ring hollow. On the stand yesterday, Federighi tried to resolve this problem by portraying iPhones and Macs as dramatically different devices -- and in the process, threw macOS under the bus.

The second difference is data sensitivity. "iPhones are very attractive targets. They are very personal devices that are with you all the time. They have some of your most personal information -- of course your contacts, your photos, but also other things," he said. Mobile devices put a camera, microphone, and GPS tracker in your pocket. "All of these things make access or control of these devices potentially incredibly valuable to an attacker." That may undersell private interactions with Macs; Epic's counsel Yonatan Even noted that many telemedicine calls and other virtual interactions happen on desktop. Still, it's fair to say phones have become many people's all-purpose digital lockboxes. The third difference is more conceptual. Federighi basically says iOS users need to be more protected because the Mac is a specialist tool for people who know how to navigate the complexities of a powerful system, while the iPhone and iPad are -- literally -- for babies.

Opera

Opera Brings Its Gaming Browser To Mobile (engadget.com) 13

Do gamers need a dedicated browser? Opera sure thinks so. Two years after launching Opera GX, a browser aimed at gamers, on desktop, the company has started to beta test Opera GX on iOS and Android. From a report: So what sets it apart from regular browsers? For starters, Opera GX features a control panel that lets you set limits on CPU, RAM and network bandwidth. Mobile users can also utilize the fast action button to quickly access functions like search and to open and close tabs. Exporting elements from the world of gaming, the button also uses vibrations and haptic feedback. You can also sync the mobile browser with the desktop version by scanning a QR code. Doing this will allow you to transfer across files of up to 10MB, links, YouTube videos, photos and various ephemera. The company says it expects Opera GX for iOS and Android to leave beta in a few weeks.
Desktops (Apple)

Craig Federighi Says the Mac Has An 'Unacceptable' Malware Problem (9to5mac.com) 99

Craig Federighi is currently testifying during the Apple vs. Epic lawsuit. While facing questioning from Apple's lawyers, Federighi made some interesting comments about security, particularly noting that the Mac currently has a level of malware that Apple "does not find acceptable." 9to5Mac reports: One of Federighi's goals is to paint the iPhone ecosystem, including the App Store and lack of side-loading support, as a secure and trusted environment for users. To do this, it appears that part of Federighi's strategy is to throw the Mac under the bus. Judge Yvonne Gonzalez Rogers, who is presiding over the Epic vs. Apple case, asked Federighi about why the Mac can have multiple app stores, but not the iPhone. "It is regularly exploited on the Mac," Federighi explained. "iOS has established a dramatically higher bar for customer protection. The Mac is not meeting that bar today." "Today, we have a level of malware on the Mac that we don't find acceptable," Federighi added.

The Apple executive also pointed to Android as another example of a platform with multiple app stores that suffers from security problems. "It's well understood in the security community that Android has a malware problem," he explained. "iOS has succeeded so far in staying ahead of the malware problem." Federighi added that Apple is essentially playing "an endless game of whack-a-mole" with malware on the Mac and has to block "many instances" of infections that can affect "hundreds of thousands of people" every week. Since last May, Federighi testified there have been 130 types of Mac malware, and one of them infected 300,000 systems. When asked whether side-loading would affect security on iOS, Federighi said things would change "dramatically. No human policy review could be enforced because if software could be signed by people and downloaded directly, you could put an unsafe app up and no one would check that policy," he said.

Google

Chrome Now Uses Duplex To Fix Your Stolen Passwords (theverge.com) 14

The same technology that powers Google Duplex to call businesses and make appointments for you is being used to help you automatically change your password to a website that's been compromised in a security breach. TechCrunch reports: This new feature will start to roll out slowly to Chrome users on Android in the U.S. soon (with other countries following later), assuming they use Chrome's password-syncing feature. It's worth noting that this won't work for every site just yet. As a Google spokesperson told us, "the feature will initially work on a small number of apps and websites, including Twitter, but will expand to additional sites in the future."
Social Networks

Parler Returns To Apple's App Store (reuters.com) 148

Parler, a social media app popular with U.S. conservatives, returned to Apple's App Store on Monday, after the iPhone maker dropped it following the deadly Jan. 6 riot at the U.S. Capitol. From a report: Parler also named George Farmer, the company's chief operating officer since March, as its new chief executive and said interim CEO Mark Meckler would be leaving. Apple said last month it would readmit Parler into its iOS App Store, after Parler proposed updates to its app and content moderation policies. "The entire Parler team has worked hard to address Apple's concerns without compromising our core mission," said Meckler in an emailed statement.

"Anything allowed on the Parler network but not in the iOS app will remain accessible through our web-based and Android versions. This is a win-win for Parler, its users, and free speech." The Washington Post said Parler's Chief Policy Officer Amy Peikoff likened the iOS version of the app to a "Parler Lite or Parler PG." Parler is still pushing Apple to allow users to see hate speech behind a warning label, the newspaper reported. Several tech companies cut ties with Parler after the Capitol riot, accusing the app backed by prominent Republican Party donor Rebekah Mercer of failing to police violent content on its service.

Microsoft

Microsoft Teams Launches For Friends and Family With Free All-Day Video Calling (theverge.com) 59

Microsoft is launching the personal version of Microsoft Teams today. After previewing the service nearly a year ago, Microsoft Teams is now available for free personal use amongst friends and families. From a report: The service itself is almost identical to the Microsoft Teams that businesses use, and it will allow people to chat, video call, and share calendars, locations, and files easily. Microsoft is also continuing to offer everyone free 24-hour video calls that it introduced in the preview version in November. You'll be able to meet up with up to 300 people in video calls that can last for 24 hours. Microsoft will eventually enforce limits of 60 minutes for group calls of up to 100 people after the pandemic, but keep 24 hours for 1:1 calls. While the preview initially launched on iOS and Android, Microsoft Teams for personal use now works across the web, mobile, and desktop apps. Microsoft is also allowing Teams personal users to enable its Together mode -- a feature that uses AI to segment your face and shoulders and place you together with other people in a virtual space. Skype got this same feature back in December.
United States

Apple Confronts Critics in Letter To Congress (axios.com) 41

Apple is swatting down criticisms about how it runs its App Store, arguing its policies are just like those of its peers, in a new letter to senators today. From a report: Apple is making similar arguments to Congress to the ones in its defense in the Epic Games lawsuit -- namely, that it has the right to run its marketplace as it sees fit, and that companies and consumers that don't like it have alternatives. The letter, addressed to the members of the Senate Judiciary subcommittee that held a contentious hearing on app stores last month, contends that Spotify, Tile and Match Group misstated Apple's policies and are actually examples of companies that have been successful on iOS.

"Rather than demonstrating a problem with competition, these witnesses -- representing companies that have thrived in Apple's ecosystem -- showcased how Apple and the iOS ecosystem foster competition," wrote Apple chief compliance officer Kyle Andeer, in the letter to Congress. At points, Apple appears to overstate its case. In one part, it writes that Spotify is wrong to suggest that developers can't communicate with customers about alternate purchase options, saying "Apple simply says that developers cannot redirect customers who are in the App Store to leave the App Store and go elsewhere." However, this restriction doesn't just apply in the App Store, but anywhere within an iOS app.

Piracy

A Podcast App is Exposing Subscribers-only Shows (theverge.com) 15

The beauty and misery of private RSS feeds. An anonymous reader shares a report: There's only supposed to be one way to hear exclusive podcast content from sports host Scott Wetzel: by paying $5 a month to subscribe to his Patreon. But the show's also been available on a smaller podcasting app for free. In fact, leaked podcast feeds from dozens of subscription-only shows, including Wetzel's and The Last Podcast On The Left, are available to stream through Castbox, a smaller app for both iOS and Android, just by searching for them.

Two people in the podcast space tell me they've reached out to Castbox multiple times, only for the company to remove a show and then have it pop up again, an infuriating cycle for someone trying to charge for their content. "It's a little bit like playing whack-a-mole with them," says one source, who asked to remain anonymous because of their ongoing work in the space. Podcast subscriptions have existed for years, but they've gained wider attention this past month. Apple, which makes the dominant podcasting app, introduced in-app subscriptions with a button that lets people directly subscribe to a show from the app. Spotify announced its own subscription product, too, but with caveats -- the main one being there's no actual in-app button.

Wireless Networking

Tech Industry Quietly Patches FragAttacks Wi-Fi Flaws That Leak Data, Weaken Security (theregister.com) 37

An anonymous reader quotes a report from The Register: A dozen Wi-Fi design and implementation flaws make it possible for miscreants to steal transmitted data and bypass firewalls to attack devices on home networks, according to security researcher Mathy Vanhoef. On Tuesday, Vanhoef, a postdoctoral researcher in computer security at New York University Abu Dhabi, released a paper titled, "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation" [PDF]. Scheduled to be presented later this year at the Usenix Security conference, the paper describes a set of wireless networking vulnerabilities, including three Wi-Fi design flaws and nine implementation flaws. Vanhoef, who in 2017 along with co-author Frank Piessens identified key reinstallation attacks (KRACKs) on the WPA2 protocol (used to secure Wi-Fi communication), has dubbed his latest research project FragAttacks, which stands for fragmentation and aggregation attacks.

The dozen vulnerabilities affect all Wi-Fi security protocols since the wireless networking technology debuted in 1997, from WEP up through WPA3. [...] In total, 75 devices -- network card and operating system combinations (Windows, Linux, Android, macOS, and iOS) -- were tested and all were affected by one or more of the attacks. NetBSD and OpenBSD were not affected because they don't support the reception of A-MSDUs (aggregate MAC service data units). [...]

Patches for many affected devices and software have already been deployed, thanks to a nine-month-long coordinated responsible disclosure overseen by the Wi-Fi Alliance and the Industry Consortium for Advancement of Security on the Internet (ICASI). Linux patches have been applied and the kernel mailing list note mentions that Intel has addressed the flaws in a recent firmware update without mentioning it. Microsoft released its patches on March 9, 2021 when disclosure was delayed though Redmond had already committed to publication. Vanhoef advises checking with the vendor(s) of Wi-Fi devices about whether the FragAttacks have been addressed. "[F]or some devices the impact is minor, while for others it's disastrous," he said.
