Encryption

The FBI Successfully Broke Into a Gunman's iPhone, But It's Still Very Angry at Apple (theverge.com) 211

After months of trying, the FBI successfully broke into iPhones belonging to the gunman responsible for a deadly shooting at Pensacola Naval Air Station in December 2019, and it now claims he had associations with terrorist organization al-Qaeda. Investigators managed to do so without Apple's help, but Attorney General William Barr and FBI director Christopher Wray both voiced strong frustration with the iPhone maker at a press conference on Monday morning. From a report: Both officials say that encryption on the gunman's devices severely hampered the investigation. "Thanks to the great work of the FBI -- and no thanks to Apple -- we were able to unlock Alshamrani's phones," said Barr, who lamented the months and "large sums of tax-payer dollars" it took to get into devices of Mohammed Saeed Alshamrani, who killed three US sailors and injured eight other people on December 6th.

Apple has said it provided investigators with iCloud data it had available for Alshamrani's account but did not provide any assistance bypassing iOS's device encryption. Without that help, authorities spent many weeks trying to break in on their own. Wray chastised Apple for wasting the agency's time and resources to unlock the devices. "Public servants, already swamped with important things to do to protect the American people -- and toiling through a pandemic, with all the risk and hardship that entails -- had to spend all that time just to access evidence we got court-authorized search warrants for months ago," he said.

Privacy

Edison Mail Rolls Back Update After iOS Users Reported They Could See Strangers' Emails (theverge.com) 21

Edison Mail has rolled back a software update that apparently let some users of its iOS app see emails from strangers' accounts. From a report: Several Edison users contacted The Verge to report seeing the glitch after they applied the update, which was meant to allow users to sync data across devices. Reader Matthew Grzybowski said after the update he had more than 100 unread messages from the UK-based email account of a stranger. He didn't have to enter any credentials to see the emails, Grzybowski added. The company said it was a bug, not a security breach, and that the issue appeared limited to users of the iOS app.
Bug

Complaining of 'Surplus' of iOS Exploits, Zerodium Stops Buying Them (securityweek.com) 37

wiredmikey writes: An abundance of iOS exploits being submitted to be sold should alarm iPhone/iPad users, according to the CEO of exploit acquisition firm Zerodium. The company announced that it was no longer buying certain types of iOS exploits in the next two to three months [including local privilege escalation, Safari remote code execution, and sandbox escape exploits] due to a surplus. And the company expects prices to drop in the near future.

"iOS Security is fucked," Chaouki Bekrar, CEO of Zerodium said on Twitter, noting that they are already seeing many exploits designed to bypass pointer authentication codes and a few zero-day exploits that can help an attacker achieve persistence on all iPhones and iPads. "Let's hope iOS 14 will be better," he added.

Bekrar said that only pointer authentication codes — which provide protection against unexpected changes to pointers in memory — and the difficulty to achieve persistence "are holding [iOS security] from going to zero."

Music

Apple's Rumored Over-Ear Headphones Feature Head and Neck Detection, Custom Equalizer Settings (9to5mac.com) 35

9to5Mac has learned more exclusive details about Apple's upcoming over-ear headphones, dubbed the "AirPods Studio," including specifications and settings. From the report: One of the key features of regular AirPods is ear detection, which automatically pauses the song when you take the earphones off. We've learned that AirPods Studio will have a similar feature, but it will work in a different way. Instead of ear detection, Apple is working to include sensors that can detect whether the headphones are on your head or neck. Based on this, we assume that AirPods Studio will play or pause content when they detect being placed on your head. Neck detection can be used to keep the headset turned on while the music is paused, just like when you take just one of the AirPods out of the ear.

Another new sensor will be able to detect left and right ears to automatically route the audio channels. That means there's likely no right or wrong side to use AirPods Studio, whereas current headphones have fixed left and right channels. Just like the AirPods Pro, Apple's new headphones will have Active Noise Cancellation and Transparency Mode. Users will be able to easily switch between the two modes to reduce external noise or to hear the ambient sound.

As AirPods Studio are expected to be mainly focused on professional users, pairing the earphones with a Mac or iOS device will unlock custom equalizer settings, with low, medium, and high frequency adjustments available, sources told us. According to a recent Bloomberg report, Apple's own-brand over-ear headphones will be available in at least two variations -- one using leather fabrics and another with lighter materials for fitness use cases. Bloomberg also said Apple is testing a new modular design with exchangeable magnetic ear pads. [...] As for the price, rumors suggest that it will cost $349.

Games

Epic Online Services Launches, Giving Other Games Access To Fortnite-style Cross-play and More (polygon.com) 15

Epic Online Services is now available, giving developers free access to the same kinds of tools used to support Epic Games' massive Fortnite player base. From a report: The new suite, which went live on Wednesday, enables a unified gameplay experience across multiple platforms, including Nintendo Switch, PlayStation, PC platforms (Windows, Mac, and Linux), and Xbox. It gives developers and their communities ready access to features like cross-play, cross-progression, unified matchmaking, lobbies, and more. Support for Android and iOS platforms will be added soon. "At Epic, we believe in open, integrated platforms and in the future of gaming being a highly social and connected experience," said Chris Dyl, general manager of online services at Epic Games, in a news release. "Through Epic Online Services, we strive to help build a user-friendly ecosystem for both developers and players, where creators can benefit regardless of how they choose to build and publish their games, and where players can play games with their friends and enjoy the same quality experience regardless of the hardware they own."
Bug

How a Facebook Bug Took Down Your Favorite iOS Apps (wired.com) 65

An anonymous reader quotes a report from Wired: A little after 6 pm ET on Wednesday, the system started blinking red for iOS developer Clay Jones. Like many devs, Jones uses a Google product called Crashlytics to keep tabs on when his app stops working. Out of nowhere, it registered tens of thousands of crashes. It also pointed to the cause: a chunk of code that Jones' app incorporates to let people log in with their Facebook accounts. By 6:30 pm, Jones had filed a bug report about the flaw in Facebook's software development kit on GitHub, the code repository. He wasn't alone. According to widespread reports and the web monitoring service Down Detector, prominent iOS apps like TikTok, Spotify, Pinterest, Venmo, and more experienced issues on Wednesday. Many users found that they crashed whenever they tried to open the apps, whether or not they used Facebook to log in.

"Yesterday, a new release of Facebook included a change that triggered crashes in some apps using the Facebook iOS SDK for some users. We identified the issue quickly and resolved it," Facebook said in a statement. That change was quite small, given its outsized impact. "It was something like a server value -- which was supposed to provide a dictionary of things -- was changed to providing a simple YES/NO instead, without warning," says iOS developer Steven Troughton-Smith. "A change that simple can break an app that isn't prepared for it."

"Pretty much all these apps -- Pinterest, Spotify, a lot of the big ones -- use the Facebook SDK for the login button," says Jones. "You'll see 'Login With Facebook.' Everyone has it, super common, great for sign-up rates because it's just a one-click thing." And lots of apps that don't use Login With Facebook still use the SDK, which is why the issue Wednesday was so widespread. [...] The good news is that Facebook did fix the issue with haste, as far as these things go. Jones says it took about two hours for things to return to normal.

AI

Google Lens Can Now Copy and Paste Handwritten Notes To Your Computer (theverge.com) 25

Google has added a very useful feature to Google Lens, its multipurpose object recognition tool. From a report: You can now copy and paste handwritten notes from your phone to your computer with Lens, though it only works if your handwriting is neat enough. In order to use the new feature, you need to have the latest version of Google Chrome as well as the standalone Google Lens app on Android or the Google app on iOS (where Lens can be accessed through a button next to the search bar). You'll also need to be logged in to the same Google account on both devices. That done, simply point your camera at any handwritten text, highlight it on-screen, and select copy. You can then go to any document in Google Docs, hit Edit, and then Paste to paste the text. And voila -- or, viola, depending on your handwriting.
Google

Google Authenticator's First Android Update in Years Lets You Move Your Account Between Devices (theverge.com) 27

Google Authenticator, the company's code-based authentication app, has received its first update in three years, updating the app's interface for larger screens with more modern aspect ratios and delivering one of the platform's most-needed features. From a report: The Android version was last updated on August 22nd, 2017, while the iOS one was updated around a year ago to adjust it for iPhone X screens. Now, for the first time, Authenticator users will be able to easily transfer their account from one device to another without needing to manually transfer each code or disable and reenable two-factor authentication (2FA) on each account. The update introduces this feature through an import / export tool that lets you choose which accounts to include and transfer using a single QR code scan. It's a feature that competitor Authy has provided for quite some time, so it's refreshing to see it come to Authenticator, even if it's years late.
Security

Apple's Copyright Lawsuit Has Created a 'Chilling Effect' on Security Research (vice.com) 76

Last year, Apple accused a cybersecurity startup based in Florida of infringing its copyright by developing and selling software that allows customers to create virtual iPhone replicas. Critics have called Apple's lawsuit against the company, called Corellium, "dangerous" as it may shape how security researchers and software makers can tinker with Apple's products and code. From a report: The lawsuit, however, has already produced a tangible outcome: very few people, especially current and former customers and users, want to talk about Corellium, which sells the eponymous software that virtualizes iPhones and Android devices. During the lawsuit's proceedings, Apple has sought information from companies that have used the tool, which emulates iOS on a computer, allowing researchers to probe potential iPhone vulnerabilities in a forgiving and easy-to-use environment.

"Apple has created a chilling effect," a security researcher familiar with Corellium's product, who asked to remain anonymous because he wasn't allowed to talk to the press, told Motherboard. "I don't know if they intended it but when they name individuals at companies that have spoken in favor [of Corellium], I definitely believe retribution is possible," the researcher added, referring to Apple's subpoena to the Spanish finance giant Santander Bank, which named an employee who had Tweeted about Corellium. Several other cybersecurity researchers expressed fear of retribution from Apple for using Corellium.

Google

Google Is Killing Its Experimental Social Network Shoelace (engadget.com) 50

An anonymous reader quotes a report from Engadget: Google's experimental Area 120 unit launched Shoelace in mid-2019 as a way to help people get together in real life. Unfortunately, the fledgling social network won't make it out of the experimental phase -- the tech giant has announced that Shoelace is shutting down on May 12th. The service was geared towards people looking for group activities with other locals who share the same interests. Say, people interested in photography who want to meet up for a shoot or those looking for buddies to see concerts with. It was only ever available for iOS users in NYC, though, and never quite made its way to other regions.

Based on the team's announcement on its website, the app fell victim to the coronavirus pandemic. Area 120 says it doesn't feel like it's the right time to invest further in the project "given the current health crisis" and that it doesn't have plans to reboot Shoelace in the future. Google will delete all data associated with the service after May 12th, though users can get a copy of it by filling out this form before that date.

iPhone

Apple Will Make It Easier To Unlock Your iPhone While Wearing a Face Mask (techcrunch.com) 65

Face ID was a great idea -- until large swathes of the world were forced to wear face masks, rendering it largely useless. Apple has apparently heard our pain. From a report: Users are reporting a subtle new feature in the latest developer version of iOS 13.5 that will make it easier to unlock your iPhone without having to take off your protective face mask. Videos shared on Twitter by Robert Petersen and Guilherme Rambo show that Apple devices with Face ID will jump to the backup passcode-entry screen if it detects a mask. That's not only helpful if you're unlocking your phone dozens of times a day -- which we all do -- but it's also helping to keep people safe by not forcing users to take off their masks and potentially exposing themselves to the virus.
Bug

Newly Discovered macOS Image Capture Bug Can Fill Up Hard Drives With Empty Data (macrumors.com) 25

An anonymous reader quotes a report from MacRumors: A bug has been discovered in Apple's macOS Image Capture app that needlessly eats up potentially gigabytes of storage space when transferring photos from an iPhone or iPad to a Mac. Discovered by the developers of media asset management app NeoFinder and shared in a blog post called "Another macOS bug in Image Capture," the issue occurs when Apple's Mac tool converts HEIF photos taken by iOS to more standard JPG files. This process happens when users uncheck the "Keep Originals" option in Image Capture's settings, which converts the HEIC files to JPG when copied to Mac. However, the app also inexplicably adds 1.5MB of empty data to every single file in the process.

It's worth noting that the bug only occurs when transferring photos from Apple devices, not when importing photos from digital cameras using Image Capture. NeoFinder's team says it has notified Apple of the bug, and the developers suggest anyone plagued by the issue can try using a new beta version of the third-party utility Graphic Converter, which includes an option to remove the unwanted empty data from the JPEG files.

Windows

You Can Now Manage Windows 10 Devices Through G Suite (zdnet.com) 55

Google has announced the general availability of a long-awaited feature -- the ability to manage Windows 10 devices through G Suite. From a report: Until today, companies that used G Suite to manage corporate endpoints could only enroll Android, iOS, Chrome, and Jamboard devices. Once enrolled in a G Suite enterprise plan, system administrators at these companies would have full control over the enrolled devices, to ensure that company data was safeguarded from sloppy employees. G Suite admins could enforce security policies related to login operations, file storage, encryption, and other features. Starting this week, the same features are now also available for working with Windows 10 devices, Google announced in a blog post. These include the ability to, among other things: Log into Windows 10 systems using a Google account, control Windows 10 update rules, and change Windows 10 settings remotely.
The Internet

Malwarebytes Releases New VPN Service For Windows (bleepingcomputer.com) 24

The popular anti-malware software Malwarebytes is releasing a new Windows VPN service called Malwarebytes Privacy. The company says it plans on offering Mac, iOS, Android, and ChromeOS versions in the future. Bleeping Computer reports: During our tests yesterday, you could select from 10 states in the USA and 30 countries around the world. [...] Malwarebytes told BleepingComputer that this is not a white-label service, but rather one they developed themselves. A trusted third party built the network infrastructure, and Malwarebytes developers created the app and other components. Malwarebytes Privacy is using the modern WireGuard VPN implementation that was recently integrated into the Linux kernel.

Unfortunately, not much is known about Malwarebytes Privacy's logging and data retention policies. According to Malwarebytes' product page, "Malwarebytes Privacy does not log your online activities, whether it's browsing or accessing any websites." This is what most people want, but it would be good to get more specific language in a dedicated data retention policy or language in their privacy policy.

The Internet

NordVPN Unveils First Mainstream WireGuard Virtual Private Network (zdnet.com) 51

One of the largest VPN companies, NordVPN, is rolling out NordLynx -- its first mainstream WireGuard virtual private network for its Windows, Mac, Android and iOS client-software applications. ZDNet reports: NordVPN's own tests have shown NordLynx easily outperforms the other protocols, IKEv2/IPsec and OpenVPN. How much faster? According to NordVPN's 256,886 speed tests, "When a user connects to a nearby VPN server and downloads content that's served from a content delivery network (CDN) within a few thousand miles/kilometers, they can expect up to twice higher download and upload speed." While speed is what customers will notice, security experts like WireGuard for its code's simplicity. With only about 4,000 lines of code, WireGuard's code can be comprehensively reviewed by a single individual.

Besides WireGuard, NordVPN adds in its double Network Address Translation (NAT) system to protect users' privacy. This enables users to establish a secure VPN connection while storing no identifiable user data on a server. You're assigned a dynamic local IP address that remains assigned only while the session is active. User authentication is done with the help of a secure external database. To switch to NordLynx, users need to update their NordVPN app to the latest version. The NordLynx protocol can be chosen manually from the Settings menu.

iPhone

Researchers Say They Caught an iPhone Zero-Day Hack in the Wild (vice.com) 31

In the summer of 2016, researchers at a digital rights organization and a cybersecurity firm announced they had caught one of the rarest fish in the cybersecurity ocean -- an in-the-wild attack against an iPhone, using unknown vulnerabilities inside Apple's vaunted operating system. Since then, only a handful of similar attacks have been caught and publicly disclosed. Now, a small startup said it has caught another one. From a report: ZecOps, a company based in San Francisco, announced on Wednesday that a few of its customers were targeted with two zero-day exploits for iOS last year. Apple will patch the vulnerability underlying these attacks on an upcoming release of iOS 13. "We concluded with high confidence that it was exploited in the wild," Zuk Avraham, the founder of ZecOps, told Motherboard. "One of [the vulnerabilities] we clearly showed that it can be triggered remotely, the other one requires an additional vulnerability to trigger it remotely."

"These vulnerabilities," ZecOps researchers wrote in a report they published Wednesday, "are widely exploited in the wild in targeted attacks by an advanced threat operator(s) to target VIPs, executive management across multiple industries, individuals from Fortune 2000 companies, as well as smaller organizations such as MSSPs." One of the two vulnerabilities, according to Avraham, is what's known as a remote zero-click. This kind of attack is dangerous because it can be used by an attacker against anyone on the internet, and the target gets infected without any interaction -- hence the zero-click definition. Vulnerabilities or exploits called zero-days are bugs in software or hardware that are unknown to their manufacturers and can be used to hack targets. They can be particularly effective attacks because they use flaws that are not patched yet, meaning there's no code deployed to specifically defend against them.

Cellphones

2 Billion Phones Cannot Use Google and Apple Contact-Tracing Tech (arstechnica.com) 170

An anonymous reader quotes a report from Ars Technica: As many as a billion mobile phone owners around the world will be unable to use the smartphone-based system proposed by Apple and Google to track whether they have come into contact with people infected with the coronavirus, industry researchers estimate. The figure includes many poorer and older people -- who are also among the most vulnerable to COVID-19 -- demonstrating a "digital divide" within a system that the two tech firms have designed to reach the largest possible number of people while also protecting individuals' privacy.

The particular kind of Bluetooth "low energy" chips that are used to detect proximity between devices without running down the phone's battery are absent from a quarter of smartphones in active use globally today, according to analysts at Counterpoint Research. A further 1.5 billion people still use basic or "feature" phones that do not run iOS or Android at all. "In all, close to 2 billion [mobile users] will not be benefiting from this initiative globally," said Neil Shah, analyst at Counterpoint. "And most of these users with the incompatible devices hail from the lower-income segment or from the senior segment which actually are more vulnerable to the virus."
Ben Wood, analyst at CCS Insight, estimates that only around two-thirds of adults would have a compatible phone. "And that's the UK, which is an extremely advanced smartphone market," he said. "In India, you could have 60-70 percent of the population that is ruled out immediately."

The report adds: "Counterpoint Research is more optimistic, estimating 88 percent compatibility in developed markets such as the US, UK, and Japan, while about half of people in India would own the necessary handset."
Facebook

Facebook's New Gaming App Launches on Android, With iOS Version Coming Soon (techcrunch.com) 5

Facebook's dedicated Gaming app is now live on Android, months before its planned June release. From a report: The social media giant pushed the app out two months prior to its scheduled unveiling amid a global pandemic that's left people all over the world isolated at home, rapidly burning through entertainment options. The New York Times announced the upcoming release in an exclusive over the weekend, noting that Facebook's massive gaming investment has culminated in more than 700 million of the site's 2.5 billion users actively playing games through the platform monthly. The launch of a devoted app is a clear next step for content that has, until now, been the domain of the site's Gaming tab. Social engagement is the focus for the app (naturally), which will be getting an iOS version at some point in the near future (pending Apple approval).
iOS

Devs Might Be Able To Write Software On iPad, iPhone With Xcode For iOS (cultofmac.com) 77

macOS and iOS software developers will soon be able to code on an iPad or even iPhone, if an unconfirmed report is correct. iPadOS 14 and the iPhone equivalent will reportedly include support for Xcode, Apple's software development environment. Cult of Mac reports: This report comes from Jon Prosser, founder of YouTube channel Front Page Tech, who recently correctly predicted the launch date of the 2020 iPhone SE. On Monday, Prosser said via Twitter "XCode is present on iOS / iPad OS 14. The implications there are HUGE." Whenever anyone suggests that iPads have become as powerful as MacBooks, someone always asks, "Does it do Xcode?" The implication is that iPads are just toys -- only Macs are real computers. But if Prosser is correct, then devs will be able to use iPad or Mac, whichever they prefer. This is part of Apple steadily upgrading the capabilities of its tablets over years, especially the iPad Pro line. These now have USB-C ports, support for accessing external media, mouse support, etc. And top-tier iPad processors as powerful as Apple laptops.
Businesses

Walmart is Selling Its On-demand Video Service Vudu To Fandango (techcrunch.com) 12

Movie ticketing company Fandango has agreed to buy Walmart's on-demand video streaming service, Vudu, for an undisclosed sum. From a report: The video service today reaches over 100 million living room devices across the U.S. including smart TVs, Blu-ray players, game consoles, and other over-the-top streaming devices, as well as Windows 10 and Mac computers, and iOS and Android mobile devices. To date, the Vudu app on mobile has been installed over 14.5 million times. As a part of the agreement, Vudu will continue to power Walmart's digital movie and TV store on Walmart.com. In addition, Walmart says Vudu customers will have uninterrupted access to their Vudu library. They'll also continue to be able to use their Walmart login as well as their Walmart wallet to make purchases on Vudu, the retailer notes.
