University researchers have exposed a security flaw in iOS and OS X that lets an installed app exploit Apple’s cross-app resource sharing and communication to steal passwords from other apps and Apple’s Keychain, The Register reports. The team says they were able to upload their malware into an app that successfully passed the App Store’s vetting process. Once the app was downloaded, the researchers were able to raid users’ Keychain to steal passwords for iCloud, the Mail app and anything stored within Google’s Chrome browser. The team was able to steal banking credentials from Chrome, copy photos from WeChat and gain access to popular cloud service Evernote. Nearly 90 percent of a large sample of OS X and iOS apps were found to be “completely exposed” to the attack. Lead researcher Luyi Xing said his team informed Apple of the problem in October 2014 and complied with Apple’s request to hold off publishing the research for 6 months, but hasn’t heard back from the company since delivering an advance copy of the findings to Apple in February. Apple didn’t comment on the story, but Google’s Chromium security team has since removed Keychain integration for Chrome, saying the security flaw probably can’t be solved at the application level. AgileBits, which owns browser extension 1Password, said their company hadn’t found a way to fend off the attacks four months after the team’s disclosure. Since the malware was delivered in an app that got past Apple’s vetting process, the only protection for iOS and OS X users at this point is to scrutinize the developer before downloading an app and be wary of login prompts for things usually handled by Keychain.
Apple has confirmed that those camera-laden vans seen in public are indeed collecting images for use in Apple Maps. Apple has pledged to respect privacy while collecting its images, blurring faces and license plates before publishing the photos. The vans will be in some larger cities throughout the U.S., England, and Ireland until the end of the month. The push for adding images, combined with the new Transit feature coming in iOS 9 and a contract extension with TomTom, shows Apple is continuing its push to make Maps a viable competitor to Google Maps.
Although it wasn’t mentioned during Apple’s iOS 9 preview earlier today, a section at the bottom of Apple’s iOS 9 page reveals that the company also plans to release an Android migration app. Dubbed “Move to iOS”, the new app will likely be available as a separate download from the App Store as opposed to being bundled into the operating system, and will allow users to wirelessly move “contacts, message history, camera photos and videos, web bookmarks, mail accounts, calendars, wallpaper, and DRM-free songs and books.” The app will also help users “rebuild” their app library by suggesting downloads for free iOS versions of apps that the user had on their Android device, such as Facebook and Twitter, and adding paid apps to the user’s iTunes Wish List.
Apple is going to do away with Newsstand and introduce a free, Flipboard-style app that will show users samples of content from providers like the New York Times, Hearst, Conde Nast and ESPN, Re/code reports. Partners who complained about Newsstand burying their content will now sell their own apps on the App Store, with Apple taking 30 percent of revenue generated from subscriptions sold through the publisher’s own apps. Publishers will keep 100 percent of the advertising they sell within the new Flipboard-type app, according to unnamed sources. Apple will sell the ad space that publishers can’t, and will take a cut that one publisher called “very favorable.”
A bug in banner notifications through the Messages app allows a string of characters sent via iMessage or SMS to crash an iPhone, MacRumors reports. Receiving the string of symbols and Arabic characters causes an iPhone to crash and quickly reboot after the message pops up in a notification. After the reboot, Messages will crash immediately upon opening, unless it’s being opened to the conversation containing the offending message. Even then, trying to navigate to another conversation in Messages will crash the app. Reddit users found that replying to the original message solves the problem if the Messages app opens directly to the conversation containing the offending message. But if Messages opens to the conversation list view, the app will crash when opened until another message is received.
If you can’t get someone else to send you a message, sending yourself a message through Siri or through the Share sheet in another app is an option to resolve the issue. While the character strand is very specific and unlikely to be sent by accident, a quick search proves plenty of people have already started using the message maliciously. Until Apple rolls out a fix, turning off previews for Messages will help mitigate the immediate effects of receiving the message, and if someone is repeatedly sending the message to shut down your iPhone, blocking them is always an option.
Cortana — Microsoft’s answer to Siri — will be available to iPhone users through the App Store later this year, according to a blog post from Microsoft. Cortana will manage various functions across both an iPhone and Windows 10 PC — Microsoft notes that its “Cortana app can do most of the things Cortana does on your PC or on a Windows phone.” It will be able to answer questions, provide reminders, make notes, track flights and other routine tasks. There will be some limitations to the integration, however, as the iOS version of Cortana won’t be able to toggle settings or open apps on iOS, and isn’t integrated with an iPhone’s microphone to enable the hands-free access available on a Windows phone by saying “Hey Cortana.”
Microsoft hopes its new Phone Companion app built into Windows 10 will make PC desktops more appealing to iPhone users, allowing the phone to instantly upload photos, access music, work on Office documents and make notes that sync up with a user’s PC through the company’s OneDrive service. A preview of Phone Companion will be available in a few weeks, but Cortana isn’t scheduled to land on iPhone until later this year.
Adobe has announced that it will be discontinuing its Photoshop Touch app, preferring to focus instead on its family of more focused apps tied into its Creative Cloud program. A post on the company’s Photoshop Blog highlights Adobe’s other more recent offerings such as Photoshop Mix and Photoshop Sketch as examples of how the company believes it has produced better user experiences through “laser-focus” on specific and traditionally complex workflows for specific subsets of tasks, rather than the more ambitious approach of trying to replicate all of Photoshop’s capabilities in a mobile app. In a similar vein, Adobe has already started work on a new “serious retouching” app to add to the collection, dubbed “Project Rigel,” which is expected to be available later this year.
Photoshop Touch is scheduled to be removed from the App Store on May 28th, and no further updates will be provided. Users who have already purchased the app prior to that time, however, will be able to continue using it on their devices or even reinstalling it from their purchase history “for the foreseeable future” – likely meaning for as long as it remains compatible with future iOS versions.
Apple may finally be adding transit directions to Apple Maps with the release of iOS 9, according to new information obtained by 9to5Mac. When Apple transitioned from Google Maps to its own mapping service, integrated transit directions were one of the casualties, and as a stop-gap measure, Apple provided plug-ins for third-party routing apps for getting directions, allowing users to start planning a trip in Apple Maps and then switch to another app, such as Google Maps or Transit app, to provide specific routing directions. While built-in transit routing was expected to arrive last year in iOS 8, Apple reportedly experienced difficulty getting the feature off the ground due to personnel problems and data, as well as coverage limitations, deciding to pull the feature just prior to WWDC 2014.
Sources are now indicating that Apple hopes to launch its Transit service with iOS 9, which would include bus, subway, and train route navigation as the major updates to the Maps app. The new functionality would not only include routing and trip planning for public transit, but also larger icons for airports, subway stations, and train stations, and a new Transit view to complement the existing standard, hybrid, and satellite views. In addition, Apple has also apparently been making headway on an indoor mapping project that would allow users to navigate major buildings, offices, and landmarks. Autonomous robots with iBeacon sensors are reportedly being deployed in buildings to collect data for the indoor mapping project; however, it’s uncertain whether this feature will go live with iOS 9 or is simply being prepared for some future release.
Microsoft looks to be working on a way to make email conversations on the iPhone more like instant messaging with an apparent new app discovered by Twitter user @h0x0d. A posted image shows a general outline for Flow by Outlook, an app designed to let users have real-time conversations via their email accounts without bothering with the subject lines and signatures of traditional email exchanges. Only conversations started within the Flow app will be displayed there, separating out the more casual instant messaging-style communications from standard email correspondence. Users will be able to continue Flow conversations in Outlook. A disclaimer at the bottom of the image marks Flow as “Microsoft Confidential” and implores users not to discuss Flow or send Flow messages to anyone outside of Microsoft. [via ZDNet]
In a simple two-sentence statement, TomTom confirmed that its partnership to provide Apple with maps and related information has been extended, but provided no further details. TomTom has been partnered with Apple since 2012, the same year Apple fired its own internal manager in charge of Maps for iOS 6. Apple recently announced the acquisition of GPS firm Coherent Navigation, which could be another move to bolster the features of Maps. [via 9to5Mac]
Nintendo may be on track to release its first iOS game later this year, according to details revealed in the company’s Financial Results Briefing. Back in March, reports surfaced that the company was partnering with DeNA to allow its intellectual property to be used on non-Nintendo mobile hardware. The latest report refers rather obliquely to games for “smart devices,” making it unclear which platforms the company may be targeting for the initial release; however, the current plan suggests that the company will debut one title later this year, with four more expected to arrive by March 2017. Nintendo chief Satoru Iwata’s comments make it clear that the company is taking a cautious and measured approach to ensure that customers will “appreciate the quality” of the games developed for smart device platforms, with designs intended to “match the play styles” of other devices, as opposed to simply being direct ports, and that the company will “carefully select appropriate IP and titles for our smart device deployment.” Iwata goes on to state that five titles is “not a small number at all” and that it “should demonstrate our serious commitment to the smart device business.” [via Engadget]
Following reports earlier this week that Apple has been using its influence to encourage record labels to kill off free streaming licenses for services like Spotify and YouTube, some services are accusing Apple of anticompetitive pricing as a result of its App Store subscription model. Several music industry sources have spoken with The Verge, strongly calling out Apple for the thirty percent cut that it takes from all in-app subscriptions, which of course includes subscriptions to services such as Spotify and Rdio. While the sources acknowledge that some fee for administrative overhead is reasonable, the feeling is that a 30 percent cut is excessive.
The sense is that Apple gets an unfair pricing advantage for its own upcoming streaming service, as other services are forced to either give up 30 percent of their base fees to Apple, or raise their prices for in-app subscriptions to make up the difference. While most of these services provide alternate methods for purchasing subscriptions outside of the App Store, such as visiting the company’s web site directly, Apple’s App Store Guidelines specifically prohibit redirecting users to a web site or even providing this information in the app itself, resulting in many users not being aware of another way to purchase a subscription.
Apple rejects Apple Watch apps that just tell time, requires independent approval for certain health apps
In a series of updates to its App Store guidelines, Apple has spelled out some boundaries for which apps will be allowed on the Apple Watch. Watch apps built primarily to tell time will be rejected, reflecting the time Apple has spent in its own exhaustive efforts to create intricate faces for the watch. Apple also clarified that apps used for health-related research on human subjects will need to be approved by an independent ethics review board. [via 9to5Mac]
Researchers at Skycure have exposed an SSL certificate security flaw allowing them to create a ‘No iOS Zone’ where most apps on iPhones and iPads running iOS 8 will crash while connecting to the Internet, even crashing the devices themselves in some cases. While the exploit is normally triggered by users manually joining these rogue Wi-Fi networks, hackers can also take advantage of the WiFiGate vulnerability to create fake Wi-Fi networks with names that iOS devices on some carriers will automatically join — for example any iPhone on AT&T will join any nearby Wi-Fi network with the name “attwifi” without requiring any user interaction. Once the device is connected, either automatically or manually by the user, apps attempting to make a secure connection with a server will crash. Heavy use of the device while it is exposed to the fake Wi-Fi location can even cause the device’s OS to crash. In some instances that crash led to a repeatable boot cycle, rendering the device useless while within range of the fake Wi-Fi hotspot. Users can avoid the problem by disconnecting from the offending Wi-Fi network and generally avoiding connecting to suspicious free Wi-Fi networks, although in the case of carrier-defined Wi-Fi networks, the user may be required to move out of range of the Wi-Fi network entirely, as many of these carrier settings cannot be overridden. Skycure has reported the problem to Apple and speculates that iOS 8.3 may have fixed some of the underlying issues. [via 9to5Mac]
About 1,500 iOS apps have an HTTPS vulnerability leaving them open to attack, according to analytics service SourceDNA. The flaw stems from a weakness in version 2.5.1 of AFNetworking, an open-source library that provides networking capabilities for apps. Apps containing the code may not properly validate SSL certificates, leaving users of apps like Movies by Flixster with Rotten Tomatoes and Citrix OpenVoice Audio Conferencing vulnerable to spying over public Wi-Fi networks. AFNetworking has been updated to version 2.5.2 to fix the issue, and companies like Yahoo, Microsoft and Uber have already issued fixes for affected apps. The full list of vulnerable apps still using version 2.5.1 has been kept private, but SourceDNA provides a search tool allowing users to see which of their apps might be affected. [via Ars Technica]
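For developers who want to check their own project, the following added example (not code from SourceDNA or the AFNetworking project) scans the PODS section of a CocoaPods Podfile.lock for AFNetworking resolved to 2.5.1, the version named above. The sample lockfile is constructed and the function names are assumptions of this example.

```python
import re

# Versions taken from the report above: 2.5.1 is named as affected, 2.5.2 as
# the fix. Other versions are not assessed by this check.
AFFECTED = "2.5.1"
FIXED = "2.5.2"

# A resolved pod in Podfile.lock is a two-space-indented entry such as
#   - AFNetworking/Security (2.5.1)
# optionally quoted, and followed by ":" when it lists its own dependencies.
# Dependency lines are indented four spaces and are deliberately not matched.
POD_ENTRY = re.compile(r'^  - "?(?P<name>[^\s"(]+) \((?P<version>[^)]+)\)"?:?\s*$')

# Constructed sample input, not taken from any real app.
SAMPLE_LOCK = """\
PODS:
  - AFNetworking (2.5.1):
    - AFNetworking/NSURLConnection (= 2.5.1)
    - AFNetworking/Security (= 2.5.1)
  - AFNetworking/NSURLConnection (2.5.1):
    - AFNetworking/Security
  - AFNetworking/Security (2.5.1)
  - ExampleKit (1.0.0)

DEPENDENCIES:
  - AFNetworking (~> 2.5)
  - ExampleKit

COCOAPODS: 0.36.0
"""


def resolved_pods(lock_text):
    """Yield (name, version) for each resolved entry in the PODS section."""
    in_pods = False
    for line in lock_text.splitlines():
        if line.rstrip() == "PODS:":
            in_pods = True
            continue
        if in_pods and line and not line.startswith(" "):
            break  # reached the next top-level key, e.g. DEPENDENCIES:
        if in_pods:
            match = POD_ENTRY.match(line)
            if match:
                yield match.group("name"), match.group("version")


def find_affected(lock_text):
    """Return sorted AFNetworking pods and subspecs resolved to AFFECTED."""
    hits = set()
    for name, version in resolved_pods(lock_text):
        if name.split("/", 1)[0] == "AFNetworking" and version == AFFECTED:
            hits.add(name)
    return sorted(hits)


if __name__ == "__main__":
    for pod in find_affected(SAMPLE_LOCK):
        print(f"{pod} is pinned at {AFFECTED}; update to {FIXED} or later")
```
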
A security change in iOS 8.3 prevents some file manager and transfer utilities like iFunBox and iExplorer from accessing app directories on an iPhone, iPad or iPod touch, MacRumors notes. The apps allow users to manage, transfer and back up data between their iOS devices and a Mac or PC, but updated iOS 8.3 security features blocked the apps’ ability to control data in installed apps and games. Scrambling for a fix over the weekend, iFunBox released an updated version that partially addressed the problem, allowing any music file to be imported as a ringtone, and apps with “iTunes File Sharing” enabled to be opened for sandbox browsing. Any other apps are still not accessible in iOS 8.3. Macroplant’s iExplorer claims to be iOS 8.3 ready, making no mention of the security issues.
After being pulled from the App Store twice for objectionable content, the anonymous After School app is back with improved safety features, The Daily Dot reports. The app requires students to sign in with Facebook credentials to verify their location and school, then lets them post content anonymously to be viewed by others at their school. Bullies used that anonymity to torment other students, so After School’s parent company, One, spent three months improving the app’s safety. One co-founder Cory Levy said moderators now review every post before it goes live, with a “mature content” filter preventing anyone under 17 from accessing more adult posts. To verify age, the app will require a driver’s license scan. Students posting about harming or killing themselves will be referred to a 24/7 anonymous support team. Threats posted to the app will be flagged by an automated program that emails police and school officials. Even with the new safeguards, the App Store has After School rated 17+ for mature themes, mild sexual content, mild profanity and infrequent references to drug and alcohol use, among other things.
One of Apple’s small company acquisitions may have resulted in the more convenient search now found in the “Explore” tab in the App Store, according to TechCrunch. Ottocat, a small search startup focused on organizing apps based on “nested” categories, released a beta version of software designed to make it easier to find relevant apps in May 2013, claiming to have indexed every app in Apple’s App Store. By October 2013 the company was gone, with its website simply stating, “Ottocat is no longer available.” Little information is available on Apple’s acquisition of the company, aside from one of Ottocat’s co-founders authoring a patent as an employee of Apple and filing it in November 2013. It’s also unclear whether Edwin Cooper and Michelle Cooper, Ottocat’s founders, are still with Apple, but in June 2014 Apple unveiled the “Explore” tab in the App Store, sorting the store’s offerings into categories and subcategories, as Ottocat claimed to have done the previous year. No one from Apple or Ottocat has responded to the story.
Apple has added Booking.com and Trip Advisor reviews to its Apple Maps app — previously, Apple Maps relied solely on Yelp for business reviews. Incorporation of Booking and Trip Advisor is still limited — only one of the three review providers is visible for any one business within Maps, with no clear way to determine which source you’ll be getting. And there’s no way to swap between review providers within the app. However, the addition of Booking seems to add more information about international destinations. Apple hasn’t commented on the additions and still lists Yelp as its sole review provider. [via 9to5Mac]
Apple has pulled The Whole Pantry app from its U.S. and Australian App Stores amid controversy surrounding the app’s creator, The Sydney Morning Herald reports. Australian app developer Belle Gibson’s claim of healing herself from terminal cancer without conventional treatment came under scrutiny last week after friends and doctors voiced doubts about her diagnosis, and charities reported that they hadn’t received funding Gibson had promised. The Whole Pantry — an app providing recipes and lifestyle guides — has been dropped from the App Store and is no longer featured on a page displaying Apple Watch apps.