Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label iOS. Show all posts
UMI
AI technology Apple CyberCrime Cyberhackers Cybermedia Cybersecurity CyberThreat iOS iPhone Users Privacy reboot Software Updates UMI

Reboot Revolution Protecting iPhone Users

 


Researchers at the University of Michigan (UMI) believe that Apple's new iPhone software has a novel security feature. It presents that the feature may automatically reboot the phone if it has been unlocked for 72 hours without being unlocked. 

As 404 Media reported later, a new technology called "inactivity reboot" was introduced in iOS 18.1, which forces devices to restart if their inactivity continues for more than a given period.  Aside from the Inactivity Reboot feature, Apple continues to enhance its security framework with additional features as part of its ongoing security enhancements. Stolen Data Protection is one of the features introduced in iOS 17.3. It allows the device to be protected against theft by requiring biometric authentication (Face ID or Touch ID) before allowing it to change key settings. 

There are various methods to ensure that a stolen device is unable to be reconfigured easily, including this extra layer of security. With the upcoming iOS 18.2 update, Apple intends to take advantage of a feature called Stolen Data Protection, which is set to be turned off by default to avoid confusing users. However, Apple plans to encourage users to enable it when setting up their devices or after a factory reset to maintain an optimal user experience. 

As a result, users will be able to have more control over the way their personal information is protected. Apple has quietly introduced a new feature to its latest iPhone update that makes it even harder for anyone to unlock a device without consent—whether they are thieves or law enforcement officers. With this inactivity reboot feature, Apple has made unlocking even more difficult for anyone. When an iPhone has been asleep or in lock mode for an extended period, a new feature is introduced with iOS 18.1 will automatically reboot it in addition to turning it off. 

A common problem with iPhones is that once they have been rebooted, they become more difficult to crack since either a passcode or biometric signature is required to unlock them. According to the terms of the agreement, the primary objective of this measure is to prevent thieves (or police officers) from hacking into smartphones and potentially accessing data on them. There is a new "inactivity reboot" feature included in iOS 18 that, according to experts who spoke to 404 Media, will restart the device after approximately four days of dormancy if no activity is made.

A confirmation of this statement was provided by Magnet Forensics' Christopher Vance in a law enforcement group chat as described in Magnet Forensics' Christopher Vance, who wrote that iOS 18.1 has a timer which runs out after a set amount of time, and the device then reboots, moving from an AFU (After First Unlock) state to a BFU (Before First Unlock) state at the end of this timer. According to 404 Media, it seems that the issue was discovered after officers from the Detroit Police Department found the feature while investigating a crime scene in Detroit, Michigan.

When officers were working on iPhones for forensic purposes in the course of their investigation, they noticed that they automatically rebooted themselves frequently, which made it more difficult for them to unlock and access the devices. As soon as the devices were disconnected from a cellular network for some time, the working theory was that the phones would reboot when they were no longer connected to the network.  

However, there are actually much simpler explanations that can be provided for this situation. The feature, which AppleInsider refers to as an inactivity reboot, is not based on the current network connection or the state of the battery on the phone, which are factors that may affect the reboot timer. The reboot typically occurs after a certain amount of time has elapsed -- somewhere around 96 hours in most cases.  Essentially, the function of this timer is identical to the Mac's hibernation mode, which is intended to put the computer to sleep as a precaution in case there is a power outage or the battery is suddenly discharged. 

During the BFU state of the iPhone, all data on the iPhone belongs to the user and is fully encrypted, and is nearly impossible for anyone to access, except a person who knows the user's passcode to be able to get into the device. However, when the phone is in a state known as "AFU", certain data can be extracted by some device forensic tools, even if the phone is locked, since it is unencrypted and is thus easier to access and extract.  

According to Tihmstar, an iPhone security researcher on TechCrunch, the iPhones in these two states are also known as "hot" devices or "cold" devices depending on their temperature.  As a result, Tihmstar was making a point to emphasize that the majority of forensic firms are focusing on "hot" devices in an AFU state as they can verify that the user entered the correct passcode in the iPhone's secure enclave at some point. A "cold" device, on the other hand, is considerably more difficult to compromise because its memory can not be easily accessed once the device restarts, so there is no easy way to compromise it.

The law enforcement community has consistently opposed and argued against new technology that Apple has implemented to enhance security, arguing that this is making their job more difficult. According to reports, in 2016, the FBI filed a lawsuit against Apple in an attempt to force the company to install a backdoor that would enable it to open a phone owned by a mass shooter. Azimuth Security, an Australian startup, ultimately assisted the FBI in gaining access to the phone through hacking. 

These developments highlight Apple’s ongoing commitment to prioritizing user privacy and data security, even as such measures draw criticism from law enforcement agencies. By introducing features like Inactivity Reboot and Stolen Data Protection, Apple continues to establish itself as a leader in safeguarding personal information against unauthorized access. 

These innovations underscore the broader debate between privacy advocates and authorities over the balance between individual rights and security imperatives in an increasingly digitized world.
Read more »
Technology
Android interface iOS links Signal Technology

Join Group Calls Easily on Signal with New Custom Link Feature





Signal, the encrypted messaging service, has included new features to make it easier to join group calls, through personalised links. A blog post recently announced the update on the messaging app, setting out to simplify the way of conducting and administering a group call on its service.


Group Calls via Custom Link Easily Accessible


In the past, a group call on Signal began by first making a group chat. Signal recently added features that included automatically creating and sharing a direct link for group calls. Users no longer have to go through that annoying group chat setup just to make the call. To create a call link, one has to open the app and go to the links tab to tap to start a new call link. All links can be given a user-friendly name and include the ability to require approval of any new invitees prior to them joining, adding yet another layer of control.


The call links are also reusable, which is very useful for those who meet regularly, such as weekly team calls. Signal group calling has now been expanded to 50 participants, expanding its utilisation for larger groups.


More Call Control


This update also introduces better management tools for group calls. Users can remove participants if needed and even block them from rejoining if it is needed. That gives hosts more power when it comes to who should have access to the call, which would improve safety and participant management.


New Interactive Features for Group Calls


Besides call links, Signal has also integrated some interactive tools for consumers during group calls. Signal has included a "raise hand" button to enable participants to indicate whether they would want to speak, which makes further efforts to organise group discussions. It also allows support through emoji reactions in calls. The user can continue participating and not interrupt another caller.


Signal has also improved the call control interface so that more manoeuvres are available to mute or unmute a microphone, or turn cameras on or off. This is to ensure more fluidity and efficiency in its use.


Rollout Across Multiple Platforms


The new features are now rolled out gradually across Signal's desktop, iOS, and Android versions. The updated app is available on the App Store for iPhone and iPad users free of charge. In order to enjoy the new features regarding group calling functions, users should update their devices with the latest version of Signal.


Signal has recently added new features to make group calling easier, more organised, and intuitive. It has given the user more freedom to control the calls for both personal use and professional calls.

Read more »
Technology
CocoaPods Critical Bugs iOS Security Alert Technology

CocoaPods Security Alert: Critical Bugs Expose Millions of Apps


A recent security analysis discovered critical vulnerabilities in CocoaPods, the widely used dependency management platform for Apple developers. These vulnerabilities pose significant risks to iOS and macOS apps, potentially allowing attackers to compromise user data and system integrity.

Apple CocoaPods Bugs Expose Millions of Apps to Code Injection

CocoaPods is a platform allowing Apple developers to add and manage other libraries (called "pods"). It has 100,000+ libraries that are utilized by over three million apps, including the most popular worldwide. 

A brief scan of its website finds bundles for Instagram, X, Slack, AirBnB, Tinder, and Uber, to name a few. This makes the pods excellent targets for hackers, and the CocoaPods platform, if it contains an underlying, platform-wide vulnerability, a veritable money pit.

According to research released recently by E.V.A Information Security, the CocoaPods platform has a trio of significant vulnerabilities. The most serious of them, CVE-2024-38366, a remote code execution (RCE) opportunity, received a critical 10 out of 10 CVSS rating. CVE-2024-38368, another notable fault caused by pods without owners, received a critical 9.3, while CVE-2024-38367, a session verification hijacking vulnerability, received an 8.2 rating.

1. Remote Code Execution (CVE-2024-38366)

A severe flaw in CocoaPods enabled attackers to inject malicious code into app builds during the dependency resolution process. The impact: Apps relying on compromised dependencies could execute arbitrary code, leading to serious security breaches.

2. Unowned Pods (CVE-2024-38368)

Some CocoaPods lacked proper ownership, making them susceptible to unauthorized modifications. The risk- Attackers could replace legitimate pods with malicious versions, compromising app functionality and user trust.

3. Session Verification Hijacking (CVE-2024-38367)

CocoaPods failed to adequately verify session tokens during package installation. The consequence? Apps unintentionally using compromised libraries could suffer security breaches.

How to Stay Safe?

Regular Dependency Updates

  • Developers must consistently update their CocoaPods dependencies to receive security patches promptly.
  • Tools like pod outdated help identify outdated libraries.

Ownership Verification

  • Before integrating third-party pods, verify their ownership and integrity.
  • Consider using signed pods or checksums to ensure authenticity.

Code Signing and Notarization

  • Code signing ensures that only trusted code runs on users’ devices.
  • Apple’s notarization process adds an extra layer of security by verifying app binaries.

Finding Exploit A Long Shot

There is no convincing evidence that attackers exploited any of the vulnerabilities discovered by the researchers and patched by CocoaPods in October.

It's worth mentioning, however, that the easily concealable nature of software supply chain flaws, along with the enormous number of pods at danger for so long, would provide adequate cover for anyone who did.

Finding a CocoaPods exploit during the last decade would appear to be simple, but this has not been the case. Instead, E.V.A. suggests that all developers of apps that relied on pods prior to last October (i.e., almost all Apple apps) take six remedial steps, including checking for orphaned pods and extensively evaluating all third-party code dependencies.
Read more »
Technology Upgrade
AI Apple Cyber Attacks CyberCrime Cybersecurity Developers iOS Technology Upgrade

Apple's AI Features Demand More Power: Not All iPhones Make the Cut

 


A large portion of Apple's developer conference on Monday was devoted to infusing artificial intelligence (AI) technology into its software. Some of the features Apple has rumoured to incorporate are not expected to work on all iPhones. If you read this article correctly, it sounds as if Apple is betting its long-awaited AI features will be enough to make you upgrade your iPhone — especially if the AI requires the latest smartphone. The annual developer conference of Apple, WWDC, is expected to take place on Monday with the announcement of iOS 18. 

According to Bloomberg, the company will release a new version of its artificial intelligence software, dubbed "Apple Intelligence," which will include features that will run directly on the iPhone's processor instead of being powered by cloud servers - in other words, they'll be powered directly from the device itself. According to the report, some of the AI services will still utilize cloud-based computing, however, many won't. The iPhone, iOS18, as well as any of Apple's other products and devices, are set to be updated, and anything short of a full array of AI-based features will likely disappoint developers and industry analysts, not to mention investors, with any changes Apple makes to its operating system. 

The company has turned to artificial intelligence (AI) as a way to revive its loyal fan base of over 1 billion customers and reverse the decline of its best-selling product in the face of choppy consumer spending and resurgent tech rivals. A key selling point that Apple uses to differentiate itself from its competitors is the fact that it is committed to privacy. There are still questions to be answered in regards to how Federighi will make sure that the personal context of a user will be shared across multiple devices belonging to the same user. 

However, he said that all data will be processed on-device and will never be shared across cloud servers. It is widely believed that the move by Apple was an evolution of the generative AI domain that would lead to the adoption of generative AI by enterprises by streamlining the best practices for AI privacy in the industrial sector. Analysts said that the software is likely to encourage a cascade of new purchases, as it requires at least an iPhone 15 or 15 Pro to be able to function. It has been predicted that we will likely see Apple's most significant upgrade cycle since the launch of the iPhone 12 in 2020, when 5G connectivity was part of the appeal for consumers for the device. 

A study from Apple analyst Ming-Chi Kuo published on Medium has claimed that the amount of on-board memory in the forthcoming iPhone 16 range, which is predicted to have 8GB of storage, may not be enough to be able to fully express the large language model (LLM) behind Apple's artificial intelligence (AI). It has been argued by analyst Kuo in a recent post that the iPhone 16's 8GB DRAM limit will likely restrict on-device learning curves from exceeding market expectations. Kuo suggests that eager Apple fans might want to temper their expectations before WWDC this year. 

Although this is true, Apple's powerful mobile chips and efficient iOS operating system can offer market-leading performance, regardless of how much RAM is available to them, on many of their previous iPhone models. As a result, memory has never been much of an issue on revious iPhone models. In the case of notoriously demanding AI tools, such as deep learning, however, the question becomes whether that level of complexity will still be applicable.

Several apps are set to feature AI technology, including Mail, Voice Memos, and Photos, as part of Apple's AI integration, but users will have to opt-in to use the features if they wish to use them. There were rumours that the company would deliver a series of features designed to simplify everyday tasks such as summarizing and writing emails, as well as suggesting custom emojis for emails. Moreover, Bloomberg reports that Siri is also going to undergo an AI overhaul to allow users to be able to do more specific tasks within apps, for instance, deleting an email inside an app will be one of these. According to The Information and Bloomberg, Apple has signed a deal with OpenAI to power some features, including a chatbot that is similar to ChatGPT, one of the most popular chatbots.
Read more »
Vulnerabilites and Exploits
Apple CISA iOS iPad Vulnerabilites and Exploits

Apple iOS and iPadOS Memory Corruption Vulnerabilities: A Critical Alert


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) raised the alarm by adding two such vulnerabilities in Apple’s iOS and iPad to its Known Exploited Vulnerabilities catalog. These vulnerabilities are actively exploited, posing significant risks to users’ privacy, data, and device security.

The Vulnerabilities

CVE-2024-23225: This vulnerability targets the kernel of both Apple iOS and iPadOS. A flaw in memory handling allows malicious actors to corrupt critical system memory, potentially leading to unauthorized access, privilege escalation, or even remote code execution. Exploiting this vulnerability can have severe consequences, compromising the integrity of the entire operating system.

CVE-2024-23296: Another memory corruption vulnerability affecting Apple iOS and iPadOS, CVE-2024-23296, has also been identified. While specific technical details are not publicly disclosed, it is evident that attackers are leveraging this flaw to gain unauthorized access to sensitive data or execute arbitrary code on affected devices.

The Impact

These vulnerabilities are not merely theoretical concerns; they are actively being exploited in the wild. Cybercriminals are capitalizing on them to compromise iPhones and iPads, potentially gaining access to personal information, financial data, and corporate secrets. The impact extends beyond individual users to organizations, government agencies, and enterprises relying on Apple devices for daily operations.

Immediate Action Required

CISA’s Binding Operational Directive (BOD) 22-01 specifically targets Federal Civilian Executive Branch (FCEB) agencies, urging them to take immediate action to remediate these vulnerabilities. However, the urgency extends beyond the federal sector. All organizations, regardless of their affiliation, should prioritize the following steps:

Patch Management: Ensure that all iOS and iPadOS devices are updated to the latest available versions. Apple has released security patches addressing these vulnerabilities, and users must apply them promptly.

Security Awareness: Educate users about the risks associated with memory corruption vulnerabilities. Encourage them to be cautious while clicking on suspicious links, downloading unverified apps, or interacting with unfamiliar content.

Monitoring and Detection: Implement robust monitoring mechanisms to detect any signs of exploitation. Anomalies in system behavior, unexpected crashes, or unusual network traffic patterns may indicate an active attack.

Incident Response: Develop and test incident response plans. In case of successful exploitation, organizations should be prepared to isolate affected devices, investigate the breach, and remediate the impact swiftly.

Beyond the Technical Realm

The addition of Apple iOS and iPadOS memory corruption vulnerabilities to CISA’s Known Exploited Vulnerabilities catalog serves as a wake-up call. It reminds us that threats are real, and proactive measures are essential to protect our devices, data, and digital lives.

Read more »
Phishing Attacks
Android Apple cryptocurrency Cyberattacks CyberCrime Cybersecurity Data Breach Threat FCC iOS Phishing Attacks

Sophisticated Phishing Tactics Unveiled in Targeted FCC Cybersecurity Breach

 


Several phishing campaigns targeting employees of cryptocurrency platforms such as Binance and Coinbase and the Federal Communications Commission (FCC) have been discovered, including one dubbed CryptoChameleon, which targets cryptocurrency platforms and employees. Based on an analysis from Lookout, the victims of this attack primarily use Apple iOS and Google Android devices with SSO solutions, such as Okta, Outlook, and Google, with their Apple and Google accounts with single sign-on. 

Several days ago, Lookout, a company focused on cloud security, announced that it had discovered an "advanced phishing kit" that targeted cryptocurrency exchanges, revealing techniques similar to what was expected. The phishing kit, which has been dubbed CryptoChameleon, can also be used to cheat the Federal Communications Commission (FCC) by using mobile devices. 

Most of the intended targets are crypto traders, single sign-on (SSO) services in the U.S., Binance staff, and Coinbase employees, with a small minority being Bitcoin traders and SSO service users. The kit seeks to trick victims into sharing sensitive information, including usernames, passwords, password reset URLs, and photo IDs, by sending carbon copies of SSO pages, phishing emails, SMS messages, and call-in scams via email, SMS, and voice mail, mainly aimed at US users.  

A suspicious new domain registration for the domain fcc-oktacom led researchers to discover a suspicious phishing kit. Cryptocurrency platforms and SSO services, including Coinbase, are most commonly targeted by this phishing kit, which is capable of impersonating a variety of company brands, with Coinbase being the most frequently targeted service.

Other websites were using the kit, and the majority of these websites used a subdomain of official-servercom as their C2 instead of their main domain. A recent blog post by Lookout states that the attack has been successful in phishing over a hundred people, many of whom remain active today. It is noteworthy that the C2 server URL, the client-side logic, and the style sheets were included in the kit. 

Most cybercriminals host their sites on RetnNet hosting. To prevent automated analysis tools from identifying the site, victims must first complete a captcha, known as hCaptcha, which provides the site with credibility. It appears CryptoChameleon is replicating the fashions used by Scattered Spider, specifically through its impersonation of Okta and the use of domain names previously assumed to be associated with the organization by Lookout. 

It is important to remember that the phishing kit has significantly different capabilities and C2 infrastructure than the phishing kit, even though the URL and spoofed pages look similar to what Scattered Spider might create. It is common for threat actors to copy one another's tactics and procedures when the tactic or procedure has been so publicized that it has become widely accepted. 

Furthermore, it remains unclear if this is the work of a single threat actor or a tool that is being used by many different groups at the same time. This is what has made the threat actors so successful in stealing high-quality data, according to Lookout, as high-quality phishing URLs, login pages that perfectly match the look and feel of legitimate websites, a sense of urgency, and consistent communication via SMS and voice calls have enabled them to steal data so efficiently. 

As soon as the attackers get access to the victim, they use their credentials to log in, and based on information that has been provided by the MFA service, they direct them to the appropriate page.  In addition to employees of the Federal Communications Commission (FCC), this phishing kit targets cryptocurrency users of Binance, Coinbase, and various other platforms that provide cryptocurrency services like Binance, Coinbase, Gemini, Kraken, ShakePay, Caleb & Brown, and Trezor. 

There have been over 100 successful phishing attacks on victims so far. As a result, automated analysis tools are not able to flag the sites because the fake login screen is displayed only after the victim completes a CAPTCHA test using hCaptcha, thus preventing them from being flagged. 

By mimicking a company's customer service team with the pretence that it is protecting a person's account after a purported hack, these pages can be distributed via unsolicited phone calls and text messages. As a result, the victim's phone number and the choice of six- or seven-digit code can be customized on the phishing page. 

Cryptocurrency platforms and Single Sign-On services are the most frequently targeted services by phishing kits that impersonate various company brands, with Coinbase being the most commonly targeted.  

Further, victims are also lured through phone calls, emails, and text messages, when phishing emails are disguised as legitimate messages from cryptocurrency platforms or the Federal Communications Commission (FCC) with malicious links, while SMS messages are disguised as legitimate notifications from cryptocurrency platforms or the FCC. 

Lookout customers have been protected against these phishing sites since the beginning of January 2024 due to the similarity of infrastructure and the similarity of previous attacks.
Read more »
Passwords
Apple Cyber Security Cyberattacks CyberCrime CyberThreat iOS iPhone Passwords

Apple's Shield Shattered: The Critical Flaw in iPhone Theft Defense

 


Several weeks ago, Joanna Stern from the Wall Street Journal reported that an increasing number of iPhone thieves have been stealing their devices from restaurants and bars and that one criminal was earning up to $300,000. 

During these attacks, it was common for thieves to observe their victims entering their passcodes before stealing their devices, changing their Apple ID passwords, and disabling Find My iPhone so that they could not be tracked or wiped remotely. With the help of this Keychain password manager, a thief can easily lock victims out of accounts (such as Venmo, CashApp, other banking apps, etc.) by using their passwords. 

However, Stolen Device Protection helps protect users against this vulnerability in two main ways. Users must use Face ID or Touch ID authentication (with no fallback for the passcode) to change important security settings such as Apple ID passwords or device passcodes when the feature is enabled. In addition to this, it also introduces a one-hour security delay before users can adjust any of these security settings. 

Essentially, this is intended to give victims enough time to mark their iPhones as lost before a thief can change them crucially. With the release of iOS 17.3 last week, Apple made sure that it included much anticipated features such as Collaborative Apple Music Playlists and AirPlay hotel integration. 

The biggest highlight of iOS 17.3 was the Stolen Device Protection, but we found that it was not as secure as we originally thought it would be. This is a new feature of iOS 17.3 called Stolen Device Protection that prevents bad actors from completing crucial actions such as changing your Apple ID password if they have your passcode. The purpose of this is to prevent bad actors from completing critical operations such as changing your passcode. Thus, you are unable to track the iPhone or mark it as stolen if someone stole it. 

In familiar locations such as your home and workplace, the iPhone Stolen Device Protection feature is turned off by default. However, there is a fatal flaw here. It is difficult for users to set familiar locations manually on the iPhone, as it learns your habits and automatically marks familiar locations as familiar locations. 

As a result, if you frequent the same bar or cafe over and over again, the Stolen Device Protection feature might not work, and it will be marked as a familiar place. There are two ways in which you can fix this problem. For example, the new feature automatically detects when an iPhone has been stolen, secures the device by using Face ID or Touch ID authentication, and then allows the user to change or modify any passwords stored on the device. Also, it would be necessary to wait for one hour with a mandatory time delay before any of the changes would be locked in. 

As a result of the cool-down period, users can report or mark the iPhone as lost before making any changes to it before making any changes to the devices. As ThioJoe pointed out in the post, users who have Significant Locations enabled will not be able to call upon the increased security layers if they have Significant Locations enabled on their devices. 

According to Apple, once a user starts frequenting a certain location, that location will be deemed 'significant'. As well as using this data to suggest journals, store memories, and display photos, it uses other data too. Furthermore, Apple is now also utilizing this technology to protect stolen devices after they have been lost or stolen. 

Furthermore, ThioJoe explains that users have no control over Significant Locations, which, means that once your iPhone finds itself in a Significant Location, all the protection features of the device are nullified by that moment. According to Apple, the feature, which is buried in the iPhone's settings menu, will add an extra layer of security to the iOS operating system. 

The security update addresses a vulnerability that has been exploited by thieves, allowing them to lock victims out of their Apple accounts, delete their pictures and other files from their iCloud accounts, and empty their bank accounts by using the Keychain Password Manager passwords that they keep in their accounts. Anecdotal evidence suggests that phone thefts are on the rise due to Apple's introduction of this feature. 

Incidents of stolen phones are prevalent on online forums like Reddit and in news articles across various locations, ranging from Los Angeles to London. Common tactics employed by thieves include pickpocketing, "table surfing," and moped snatching, as reported by law enforcement. The Wall Street Journal previously highlighted criminal activities where perpetrators observed individuals entering passcodes on stolen phones to access personal information. 

To counteract such security concerns, Stolen Device Protection has been introduced, designed to monitor a user's "familiar locations," such as their home or workplace. When attempting certain actions on the device outside these recognized places, additional biometric security measures are enforced. This approach aims to reduce the reliance on passcodes, susceptible to theft through various means, in favour of more secure "biometric" features like facial recognition or fingerprints, which are significantly harder to replicate.

Currently, as Apple works on developing a more robust solution, a temporary workaround involves disabling the Significant Locations feature on your iPhone. This can be done by accessing the Settings app, navigating to Privacy & Security, and selecting Location Services > Significant Locations. This feature prompts the device to request Face or Touch ID authentication when Stolen Device Protection is active. Although this serves as a temporary resolution, it is anticipated that Apple will enhance and refine this feature in future updates to provide a more comprehensive and secure solution.
Read more »
Social Media App
Data Safety iOS Mobile Security Passkey Social Media App

X Launches Secure Login with Passkey for iOS Users in US

 

X (formerly known as Twitter) is set to allow users to login in with a passkey rather than a password, but only on iOS devices.

X earlier announced its intention to roll out passwordless technology, and it has now made the option available to iPhone customers. It enables a faster login process by allowing users to authenticate with whatever they use to lock their device, such as their fingerprint, FaceID, or PIN. 

They are also regarded to be safer, because the device generates the underlying cryptographic key, which is unknown to anyone, even the user. This means they are impervious to phishing, which means cybercriminals cannot use fake emails and social engineering strategies to lure them out of targets.

Only for iPhones

The FIDO Alliance designed passkeys and set technological guidelines for them. They employ the WebAuthn standard, which is a vital component of the FIDO2 requirements. The alliance's board of directors includes the majority of top technology firms, including Apple, Google, and Microsoft. 

To set up passkeys on X, open the X app on iPhone and go to "Settings and privacy" under "Your account". Then navigate to "Security and account access" and then "Security". Choose "Passkey" under "Additional password protection" and comply with the on-screen directions. You can remove a passkey from the same menu at any moment. 

Although X does not make passkeys necessary, it highly encourages users to start using them. Currently, users must have a password-protected account with X before they can set up a passkey, however the company advises customers should "stay tuned" on this.

As iOS devices are the only ones capable of logging into X using a passkey (for the time being), users' passkeys will be synced across their Apple devices via Apple's Keychain password manager, allowing multiple iOS devices to login to X with an identical passkey.
Read more »
Stolen Device
Apple Cyberattacks CyberCrime Cyberhackers Cybersecuirty iOS iPhone Privacy Stolen Device

Enhanced Security Alert: Setting Up Stolen Device Protection on iOS 17.3

 


It has been announced that Apple has released iOS 17.3, the latest version of its iPhone operating system. This new version has several important new features, including Stolen Device Protection, which provides users with additional security measures if their phone is stolen. 

As every iPhone user should know, this is one of the most important features users can enable, as it ensures that they have the best security without doing anything. In case any user's iPhone is stolen and they have turned on Stolen Device Protection, it will be able to place limits on certain settings changes when it is not at home or work, which makes it difficult for them to make changes. 

Once the user's phone has been unlocked, and if a thief wants to change these settings, they will first have to authenticate using Face ID or Touch ID. It is therefore near-impossible for them to modify protected settings if they also have their biometrics – a near-impossible procedure. 

A feature called Stolen Device Protection, when enabled, adds extra security steps to a range of other security measures. Currently, it is required to use biometric authentication (such as Face ID or Touch ID) to access things like stored credit card information or account passwords, which is not possible to do with a passcode. If, however, users lose their phone, only they can retrieve these items, even if someone knows their passcode and the user can't find it.

The second thing that needs to be done is to wait an hour before attempting a security-related action – such as changing the Apple ID password – and then to pass a second biometric authentication test. As a result, the user will have a lot more time to mark their device as lost or remotely erase it to prevent the wrong hands from getting to their data. This should make it harder for a trespasser to access a user's data. When the Stolen Device Protection feature is activated, it adds additional security measures to specific features and actions within a recognized area of the iPhone in case the iPhone leaves that area. 

To ensure that key changes to accounts or the device itself remain inaccessible even if a thief gains access to the device's passcode, this additional security layer guarantees that they will never be able to gain access to the device. The thief will need to authenticate themselves using either Face ID or Touch ID to change these settings after unlocking the stolen device. 

If a thief has access to a stolen passcode, he or she will still have to replicate the actual owner's biometrics to modify protected settings, which is a very difficult task to accomplish. In addition to limiting what information the owner's iPhone thief can access, Stolen Device Protection also requires biometric authentication, such as Face ID or Touch ID, to view saved passwords or to make changes to the stolen Apple savings account, depending on which iPhone it is. 

Having an unlocked iPhone will stop thieves from using it to steal users' money or open an Apple credit card in the actual owner's name under the false identity of the owner. Some of the changes may have been made as a result of reports of iPhone owners having their devices snatched by thieves after they observed them logging in with their PINs and scanning their phones.

When an iPhone is accessed and accessed by someone who is not authorized to do so, thieves can steal money from the device, open credit card accounts, and do many other things once they have gained access to the device. The thieves can also completely lock victims out of their accounts with Apple, which makes it very difficult for them to disable their iPhones or track their stolen phones with Apple's Find My feature to track and disable their phones. 

The victims can sometimes not be able to access the photos and files that have been saved in their iCloud accounts. With this new feature, hackers will find it harder to use stolen iPhones to ruin users' lives and ruin their reputations. Having this feature on may cause some inconvenience for users at times, but the fact remains that they should turn it on to save the day. 

As soon as users have installed iOS 17.3 and wish to enable Stolen Device Protection, go to the Settings section of iOS and choose Face ID & Passcode. If users swipe down when using the app, they will find the section on Stolen Device Protection, which they should tap, to enable the feature.
Read more »
Technology News
Apple Apple Charging Cables. Apple Devices Cyber Safety Innovation iOS Technology Technology News

A Closer Look At The Future of MagSafe in Apple's Ecosystem

Apple is actively exploring ways to enhance MagSafe, aiming to enable wireless data transfer and seamless recognition and authentication of connected accessories. Currently, placing a MagSafe-compatible iPhone on a MagSafe charger allows for charging, even with an added MagSafe iPhone case. However, Apple acknowledges existing limitations, citing issues such as accessory devices unintentionally creating heat traps and increased heat generation with advancements in processor technology. A newly granted patent application, titled "Accessory Devices That Communicate With Electronic Devices," addresses these challenges and proposes intelligent solutions to refine MagSafe functionality. 

Apple's exploration of MagSafe goes beyond conventional boundaries. It includes more than just data transmission and user authentication. One of the anticipated innovations is the integration of augmented reality (AR) features. In theory, this development translates MagSafe as a platform where connected accessories seamlessly merge with a digital environment, promising users an immersive and interactive experience beyond the device's physical realm. Additionally, there are discussions surrounding MagSafe evolving into a dynamic power-sharing system, enabling wireless charging and effortless power distribution to compatible accessories. This multifaceted approach positions MagSafe as a transformative technology, poised to redefine user interactions and boost the overall functionality of Apple devices.  

In light of this, Apple recognizes that certain electronic devices employ thermal management mechanisms, slowing down processors or even shutting down when reaching specific temperatures. This dilemma forces users to choose between safeguarding their device with an accessory or allowing optimal processing capabilities.  

To address this, Apple proposes placing a magnetic sensor in devices like the iPhone. This sensor detects MagSafe accessories, allowing the device to distinguish between a charger and a case. Based on the type detected, it adjusts the charging process, considering temperature and setting different levels for cases and chargers. 

Apple is thinking of a two-step system. First, a basic identification without specific accessory data, assuming it's a case or charger. Second, a more advanced step where MagSafe accessories send data, authenticating and exchanging information with the device based on the magnetic field.  

To this end, Apple foresees a sophisticated level of recognition within the MagSafe ecosystem. At this advanced stage, MagSafe accessories are envisioned not only as functional components but also as data transmitters through the system. The transformative concept holds the potential for MagSafe accessories to communicate their specific tolerances directly to iOS. The focus of the patent is on data transmission, hinting at exciting possibilities. The significance lies in the prospect of these accessories evolving beyond their traditional roles to become intricate keys, unlocking enhanced functionality and integration with Apple devices. 

This innovation opens doors to a domain where MagSafe accessories go above and beyond, offering a nuanced and personalised interaction with iOS. As these accessories potentially evolve into multifaceted tools, users may experience a seamless integration of technology, where MagSafe becomes more than just a connector but a dynamic interface enriching the overall user experience. With the potential to transmit data via MagSafe, there's a prospect of authentication based on magnetic field vectors, turning MagSafe into an identification tool. For instance, picture an iPhone recognising a nearby MagSafe accessory and utilising its data. 

This innovation may not be exclusive to the iPhone, as there are rumours about the iPad adopting MagSafe. This alludes to a broader synthesis of these advanced features across various Apple devices, ensuring a unified end-user involvement. 

MagSafe's evolution promises more than just seamless connections; it foresees a dynamic relationship between devices and accessories. Envision a world where MagSafe transcends being a mere connector, providing enhanced experiences tailored to each user. Apple's commitment to innovation is paving the way for a new era in technology, where MagSafe is at the forefront of redefining how we interact with our devices. Exciting times lie ahead in the world of Apple technology and connectivity. 


Read more »
User Privacy
Apple Devices Apple Watch Cyber Security iOS Smart Watch Tech Industry United States User Privacy

Apple Watch Series 9: Pulse Oximetry Ban Saga

The IT community is in uproar as the Apple Watch Series 9 Ultra 2 has been taken off of shops and online marketplaces in an unexpected development. The debate peaked when an American judge temporarily banned Apple Watch sales due to worries over the device's pulse oximetry capability. Let's examine the major incidents that transpired and comprehend the ramifications.

The controversy erupted when the Apple Watch Series 9 Ultra 2 faced a sudden halt in online sales and in-store availability. The move left consumers puzzled, prompting a search for answers. It was revealed that the pulse oximetry feature, designed to measure blood oxygen levels, was at the storm's center. The ban was initially instated due to concerns about the accuracy of this health monitoring function.

Pulse oximetry plays a crucial role in monitoring respiratory health, especially during a time when health-conscious consumers are increasingly relying on wearables for real-time data. The ban raised questions about the efficacy and reliability of this feature in the Apple Watch Series 9 Ultra 2, leaving both users and tech enthusiasts eager for clarity.

However, the controversy took an unexpected turn when an appeals court decided to put the sales ban on hold, providing temporary relief for Apple. This decision indicated a willingness to revisit the case and evaluate whether the concerns about pulse oximetry were well-founded. The court's intervention highlighted the complexity of regulating health-related features in consumer electronics and the importance of thorough scrutiny before imposing sales restrictions.

Tech specialists and analysts offered their opinions on the matter as the court case developed. The Verge published an article expressing concerns about the possible effects on Apple's sales and reputation. According to reports, the appeals court decided to postpone the prohibition, highlighting the importance of the case for Apple and the wearable technology sector.

The Apple Watch Series 9 Ultra 2 dispute highlights how wearable technology is developing and how difficult it is to incorporate cutting-edge health capabilities. Even though Apple has received a temporary reprieve, talks about how technology, health, and regulatory control intersect continue to center around this case.

The debate surrounding the Apple Watch Series 9 Ultra 2 serves as a timely reminder of the precarious balance that exists in the digital industry between innovation and regulation. Users and industry watchers are waiting for a decision to guarantee the dependability and security of wearable health monitoring features while the legal proceedings are ongoing.

Read more »
iOS
AI technology AI Threat AI Tool AI Trends Artifical Intelligence Cyber Security Data Privacy iOS

Telus Makes History with ISO Privacy Certification in AI Era

Telus, a prominent telecoms provider, has accomplished a significant milestone by obtaining the prestigious ISO Privacy by Design certification. This certification represents a critical turning point in the business's dedication to prioritizing privacy. The accomplishment demonstrates Telus' commitment to implementing industry-leading data protection best practices and can be seen as a new benchmark.

Privacy by Design, a concept introduced by Dr. Ann Cavoukian, emphasizes the integration of privacy considerations into the design and development of technologies. Telus' attainment of this certification showcases the company's proactive approach to safeguarding user information in an era where digital privacy is a growing concern.

Telus' commitment to privacy aligns with the broader context of technological advancements and their impact on personal data. As artificial intelligence (AI) continues to shape various industries, privacy concerns have become more pronounced. The intersection of AI and privacy is critical for companies to navigate responsibly.

The realization that AI technologies sometimes entail the processing of enormous volumes of sensitive data highlights the significance of this intersection. Telus's acquisition of the ISO Privacy by Design certification becomes particularly significant in the current digital context when privacy infractions and data breaches frequently make news.

In an era where data is often referred to as the new currency, the need for robust privacy measures cannot be overstated. Telus' proactive stance not only meets regulatory requirements but also sets a precedent for other companies to prioritize privacy in their operations.

Dr. Ann Cavoukian, the author of Privacy by Design, says that "integrating privacy into the design process is not only vital but also feasible and economical. It is privacy plus security, not privacy or security alone."

Privacy presents both opportunities and concerns as technology advances. Telus' certification is a shining example for the sector, indicating that privacy needs to be integrated into technology development from the ground up.

The achievement of ISO Privacy by Design certification by Telus represents a turning point in the ongoing conversation about privacy and technology. The proactive approach adopted by the organization not only guarantees adherence to industry norms but also serves as a noteworthy model for others to emulate. Privacy will continue to be a key component of responsible and ethical innovation as AI continues to change the digital landscape.


Read more »
Privacy
Android Cyberattacks CyberCrime Cybersecurity Data Insecurity Digital Security iOS Privacy

Data Insecurity: Experts Sound the Alarm on 4 Apps Putting User Privacy at Risk

 


Security in the digital world continues to become more and more important with every passing year. Even though many of us rely on apps to entertain us, guide us, manage our exercise, and connect with family and friends, they are notoriously hard to trust. 

In an age when technology is constantly evolving, it is almost impossible to tell if a certain app is tracking the user at face value, and no security measures are foolproof since technology is constantly evolving. Even though the app behaves well today if the company behind the app is sold, the direction of the company changes, or if a flaw results in the app becoming compromised, the app could become a bad actor tomorrow. 

There has been a tremendous transformation in mobile phones since their invention in the 1970s when they became readily available to the public. Having said that, the sheer number of mobile apps is dizzying, as are their privacy policies; however, smartphone apps are joyous, laugh-inducing, and sometimes even catch the attention of the world due to their viral nature. Regardless of what smartphone app you use, make sure to take precautions to ensure that private information is never exposed to potential risks. During sharing and playing, a user should keep himself or herself safe. 

A new privacy setting on Android and iOS for Android and iOS can prevent apps from tracking users' data and will allow them to delete the data Google has saved about their data, along with ways to find and delete this data. 

While there is no doubt that users can do a lot about protecting their data privacy and improving the security of their smartphones, digital security experts mention a few steps that users should take to minimize the risk of data privacy and security breaches. 

A user in most cases consents to sharing their information with other apps, and they enable device permissions with their consent as well. The reason why apps require such permissions is usually for very good reason. It is common for cloud-based apps to gain access to the camera, location, data, and contacts on the user's phone. Users never know how much sensitive information might be intercepted by cloud-based apps. 

As a consequence, if unknowingly, employees give the keys to the company's back door to hackers, fraudsters, and spies, particularly if their company naively uses the same login information for external apps as it uses for internal apps, then the company is giving these nefarious types of people the keys.

There is nothing stronger than a series of letters, numbers, and symbols in no particular order that is unlikely to be found in the dictionary and will be more difficult to crack with brute force by a computer. This makes the strongest passwords. There are some disadvantages to complex passwords, however, such as the fact that they are difficult to remember. 

The password manager app comes in handy in this respect. Password managers are apps that keep all your passwords in one place, encrypted, password-protected and they generate and remember strong passwords for you. Several apps will save passwords for you, including Google Chrome and Samsung's proprietary phone app, but security experts always advise using a password manager to store passwords. 

According to 46 per cent of Android apps and 25 per cent of iOS apps, camera access was the most commonly requested common risky permission. It was followed closely by location tracking, which was requested by 45 per cent of Android apps and 25 per cent of iOS apps. There was 25 per cent of Android apps requested the ability to record audio files, while 9 per cent did for iOS apps. Another 15 per cent of Android apps asked for the ability to read SMS messages, as well as 10 per cent of Android apps asked for the ability to see call logs. There is no option in iOS to enable either of these permissions. 

Explore these four trending apps that might compromise your personal information, along with valuable tips to ensure a secure experience with smartphone applications. 

FaceApp  

As with Voilà AI Artist, FaceApp could also be a risk to users' privacy. As is the case with Voilà AI Artist, it is unclear how the app uses users' likenesses after it takes a picture. In the terms of the use agreement, FaceApp clearly states that the selfies that are uploaded to the app belong to FaceApp. Users are free to share their User Content with the app as long as they are not a commercial entity. It can also be used, reproduced, modified, adapted, developed into derivative works, distributed, performed, and displayed.  

Pokémon Go

There are several security vulnerabilities present in the premises of Pokémon Go, which are likely to be replicated by the next viral app that sweeps the world. The augmented reality in Pokémon Go makes players feel as if they are seeing a Pokémon walking through their living room. The app uses augmented reality technology, which means its camera, contacts, pictures, chats, and locations can also be accessed by it. 

TikTok  

In a recent statement, TikTok mentioned that it is under suspicion for data mining tactics, a practice in which corporations collect personal information from individual user profiles and pass it on to advertising, marketing, and analytics companies to target advertising campaigns. 

Safety Tips for Using Smartphone Apps 


When downloading a trending app, it is worthwhile to conduct a quick search of the news for any specific concerns that may be raised before installation of this app. 

Ensure that the user account is only visible to people the user knows in real life, and opt out of targeted ads and tracking, as well as ensure that only the app sees what users do. 
Read more »
iOS
Cyberattacks CyberCrime Data Theft Financial Threatm Android Apps Financual Apps iOS

"Financial Safety Alert: The Personal Finance Apps That Pose a Data Theft Risk"

 


Many apps, tools, and data can be used to access a person's money, and scammers will always target these entities. Even though nearly 200 million Americans use bank apps for checking their balances and depositing checks, transferring money between accounts, and paying bills securely, not everyone is so fortunate.

It is a fact that these apps tend to share more data than it may seem necessary to share, according to Merchant Machine, a professional data analytics firm. There is a new research, published in September 2023, which suggests that the average app asks for 20 types of data in total, as shown in 204 applications, each with over 5000 reviews by users. 

The collection of some of these data is legitimate for the sake of providing a better service, but much of it goes to fuel marketing and profiling efforts. Essentially, mobile banking means that users can access their accounts by using the app available from their bank. 

There is a big difference here between online banking, which involves logging on to the bank's website through the phone's browser or directly through the device's browser to access the account. The mobile banking industry was already booming well before the COVID-19 lockdowns occurred. There was 33 per cent of bank customers who used a mobile app before the pandemic, according to the American Bankers Association survey that was conducted for their benefit. 

The number of bank customers using mobile apps today has risen from 44 per cent to 48 per cent. When users use an app, they are much less likely to fall victim to phishing sites that look like their bank's login page or to get their Wi-Fi network and passwords intercepted as they enter them online.

However, the ability to create phishing sites or intercept users' Wi-Fi networks when they use an app is much harder to achieve. To prevent users from being scammed, mobile bank apps need to verify them by using their unique phone ID and any account details they might have on their phone so apps can transmit data between their device and the bank's server. 

During the study, several financial service apps were analyzed, including those that enable the user to buy now pay later, surf the web for a deposit, manage your budget and money, trade stocks and trade stocks, earn cash-back with coupons, and make money transfers through mobile apps. Many apps are collecting a lot of information about consumers. 

One of the most popular was Robinhood: Investing for AllTM, which collected 25 different types of data from consumers. Other apps that collected 21 or more types of data included PayPal - Send, Shop, ManageTM, PayPal Pay in 4TM, KloarnaTM, and Groupon - Local Deals Near MeTM. 

A scammer using users' phones to access their banking accounts could bypass all of the security features in their banking application because most people save their passwords on their phones or even stay logged into services like their email accounts. There is a possibility that a scammer will ask for a new password for the user's bank app (and gain access to it via the user's email) and then bypass the security of the multi-factor authentication code (MFA) when the code is sent to their phone. 

There are many ways in which criminals can take advantage of this scam, including saving targeted user's passwords in their mobile browser (or notepad), locking their phones, and not using biometric security measures like fingerprints. They cannot use application security to protect their phone against theft or scams if they are scammed. 

It was found that the UK banking apps 'Monese: A Banking Alternative', 'Virgin Money Mobile Banking', and 'Starling Bank - Mobile Banking' were also considered to be highly intrusive by the government, and this was conducted after their websites disclosed several 23 and 20 categories of data, respectively. Many parameters constitute personal information, including a person's location, financial information, and some identifying information, which are merely a few of the most obvious parameters. 

Merchant Machine's investigation found apps that collect a wide range of sensitive information, including browsing history, searches, contact information, fitness records, and health records. In contrast, the applications GO2Bank, RetailMeNot: Coupons, Cashback, and FreshBooks Accounting each only collect two types of data.
Read more »
Vulnerability and Exploits.
Apple Devices Apple Inc. Data Encryption Decrypter Digital Landscape Identity verification iMessage iOS iPhone Public Key Cryptography QR code User Privacy Vulnerability and Exploits.

Contact Key Verification: Boosting iMessage Security

Apple has taken another significant step towards improving the security of its messaging platform, iMessage. The introduction of Contact Key Verification adds an extra layer of security to iMessage conversations, protecting user data and privacy. In this article, we will explore what Contact Key Verification is and why it matters.

iMessage is a popular messaging platform known for its end-to-end encryption, which ensures that only the sender and the recipient can read the messages. With the new Contact Key Verification feature, Apple is making iMessage even more secure by allowing users to verify the identity of the person they are messaging with.

Contact Key Verification uses public key cryptography to establish a secure connection between the sender and receiver. Each iMessage user has a unique public key, which is stored on Apple's servers. When a user sends a message, their public key is used to encrypt the message. The recipient's device then uses their private key to decrypt and read the message. This ensures that only the intended recipient can access the content.

But what Contact Key Verification does differently is that it allows users to confirm that the public key used for encryption belongs to the person they intend to communicate with. This extra layer of verification prevents man-in-the-middle attacks, where an attacker intercepts and decrypts messages meant for someone else.

The implementation of Contact Key Verification is simple. Users can access the feature by tapping on the contact's name or picture in the chat. They can then view the contact's key and verify it through various methods like scanning a QR code or comparing a series of numbers with the contact in person.

This additional security feature is essential in today's digital landscape, where data breaches and cyberattacks are increasingly common. It ensures that even if someone gains access to your device, they cannot impersonate you or read your messages without proper verification.

Apple's commitment to user privacy is evident in this move. By giving users control over their message security, they are ensuring that iMessage remains one of the most secure messaging platforms available. Moreover, the public key infrastructure used in Contact Key Verification is a proven method for securing digital communications.



Read more »
Vulnerabilities
Apple CISA Cybersecurity Google Heating Issue iOS iPhone Iphone15 Mac Technology Vulnerabilities

Apple's iOS 17.0.3 Update: Solving Overheating and Enhancing Security

 


In response to reports that iPhone 15s were running hot over the weekend, Apple pointed to an array of possible causes for the problem, including app-specific problems like Instagram and Uber, problems with background processing/post-transfer, and the presence of unspecified bugs in iOS 17. 

With the new software update created recently by Apple, the company was able to address a bug that could cause the iPhone to run hotter than normal. According to the patch notes for iOS 17.0.3, this bug may cause the iPhone to run hotter than usual.

It has been identified that two vulnerabilities have been fixed for both iOS and iPadOS in an update highlighting the security fixes included in this patch. An attacker with local access to the device could exploit the first vulnerability, which was a kernel exploit that could be exploited by a local attacker on the device. 

Apple mentioned that they believe it was exploited against older versions of iOS before iOS 16.6. It was also tackled in the update that a bug had been found in libvpx, which had been previously raised as a concern by CISA (Cybersecurity and Infrastructure Security Agency) and had been noted by them. 

A device with this bug may be vulnerable to remote attacks that could allow attackers to gain control of the device remotely. Additionally, other applications such as Chrome and Firefox have recently implemented similar patches to fix the same libvpx bug that was identified in the Chrome bug report. 

As a result, it is recommended that you check for the latest version of the iOS on your device in the Settings application. The download will take approximately 400MB, and there is no charge for this update. This update addresses an issue in iOS, the iPhone operating system, that was discovered on Wednesday.

The developers of these apps are also updating their apps with fixes for bugs that have been found in them. In addition, Apple said that the heat issue with the new phones was not partly due to the titanium and aluminium frames on the new models at the top end, and it was not partly due to the USB-C port since USB-C is the standard for charging phones now. 

It should be noted that Apple informs its customers that all iPhones are likely to feel warm when they are being restored from a backup, while they are being wirelessly charged, when using graphics-rich apps and games or when streaming high-quality video. 

As long as iPhones display an explicit warning about the temperature, they are safe to use, according to Apple. There has been a security problem identified in iOS 17.0.3 and iPadOS 17.0.3 that was addressed by Apple with improved checks, but Apple has not yet revealed who is responsible for finding and reporting the issue. 

In a nutshell, there are a lot of devices that have been impacted, including: iPhone XS and later In addition to iPad Pro 12.9-inch and iPad Pro 10.5-inch 2nd generation models, there are the iPad Pro 11-inch and iPad Pro 12.9-inch 1st generation models, the iPad Air and iPad Mini 5th generation models, as well as iPad 6th generation models. 

The open-source libvpx video codec library does not contain a heap buffer overflow vulnerability, CVE-2023-5217, which can be exploited to execute arbitrary code, resulting in the execution of arbitrary code following successful exploitation. 

The vulnerability was also addressed by Apple. Despite this fact, Apple has not labelled the libvpx bug as exploited anywhere in the wild, but it has already been patched as a zero-day by both Google and Microsoft in their Edge and Teams web browsers and their Skype service. 

As part of Google's Threat Analysis Group (TAG), a group of security experts who are known for frequently discovering zero-day vulnerabilities in government-sponsored targeted spyware attacks that target high-risk individuals, Clément Lecigne discovered CVE-2023-5217 as part of a research project. 

In the past few months, Apple has begun to fix 17 zero-day vulnerabilities discovered by its clients through attacks due to CVE-2023-42824 being exploited. Aside from the recently patched CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993, Apple recently patched three other zero-day vulnerabilities reported by Citizen Lab and Google TAG researchers and exploited by hackers to install Cytrox's Predator spyware during spyware attacks. 

In addition to these two zero-day bugs (CVE-2023-41061 and CVE-2023-41064), Citizens Lab also disclosed today that they were exploited, together with NSO Group's Pegasus spyware, to infect fully patched iPhones with BLASTPASS, a zero-click exploit chain exploited by the FBI. 

In the same way that new phones and new operating systems come out at around the same time each year, it's not uncommon for new iPhones to receive specific iOS patches in rapid succession. In addition, older devices receive a more thorough vetting as they enter the months-long developer and public beta programs, which Apple is making even easier to use in recent releases. 

There is currently a beta version of the first major update to iOS 17 called 17.1, which is currently being tested. According to MacRumors, the update appears to mainly refine a few of iOS 17's new features, such as the StandBy smart display mode. 

A comprehensive list of the changes can be found in MacRumors. It is expected that Apple will release the 17.1 update within a couple of weeks if it follows its usual schedule. Although rumours were circulating about potential hardware issues, possibly linked to the iPhone 15's advanced processor or the incorporation of titanium components, Apple's official statements primarily attribute the problem to software-related issues. 

Moreover, they also acknowledge the possibility of overheating when utilizing USB-C chargers. It is worth noting that Apple had previously released a post-iPhone 15 launch patch to address data transfer problems that were experienced by certain new users. 

Additionally, it is important to mention that the company is currently in the beta testing phase for a more substantial update, namely iOS 17.1. This update is expected to bring significant improvements and enhancements to the overall user experience.
Read more »
Privacy
Android Artifical Inteligence Business CSE Gmail Google Google Workspace HTML iOS Mobile Privacy

Mobile Privacy Milestone: Gmail Introduces Client-Side Encryption for Android and iOS

 


Encryption is one of the most important mechanisms for protecting data exchanged between individuals, especially when the information exchange occurs over e-mail and is quite sensitive. As a result, it can be complicated for users to be able to achieve this when they use public resources such as the internet. 

Now that Gmail has added client-side encryption to its mobile platform, users may feel safer when sending emails with Gmail on their mobile devices. Earlier this year, Google announced that it would be supporting Android and iOS mobile devices with client-side encryption in Gmail too. 

Using Google's client-side encryption (CSE) feature, which gives users more control over encryption keys and data access, Gmail can now be used on Android and iOS devices, as well as web browsers. In the past few months, Gmail's web version has been upgraded to support client-side encryption. This app lets users read and write encrypted emails directly from their smartphones and tablets. 

In addition to the Education Plus and Enterprise Plus editions of Google Workspace, the Education Standard edition also offers the feature. Workspace editions that don't support client-side encryption, such as Essentials, Business Starter, Business Standard Plus, Business Pro Plus, etc., do not support client-side encryption. 

Furthermore, users who have personal Google accounts are not able to access it. For those using email via desktop through Gmail, client-side encryption will be available at the end of 2022 on a trial basis. Workspace users with a subscription to Enterprise Plus, Education Plus, or Education Standard were the only ones able to take advantage of this feature at that time. 

Client-side encryption also prevented certain features from working, including the multi-send mode, signatures, and Smart Compose, which all functioned properly when using client-side encryption. A more robust version of the feature has been added to the Google Play Store since then. 

The company added the capability to allow users to see contacts even if they are unable to exchange encrypted emails so that they can keep in touch. There is also a security alert that appears in Google Mail when users receive attachments that are suspicious or that cannot be opened because of security concerns. 

While client-side encryption will now be available under the Enterprise Plus, Education Plus, and Education Standard Workspace accounts shortly, it has remained relatively exclusive. This type of Workspace account will also be the only kind of account that will be able to take advantage of the mobile rollout of client-side encryption. 

By using the S/MIME protocol, Google said that it will allow its users to encrypt and digitally sign their emails before sending them to Google servers so that they adhere to compliance and regulatory requirements. This feature lets users access and work with your most sensitive data from anywhere with their mobile devices. 

The blue lock icon present in the subject field of Gmail for Android or iOS users allows them to enable client-side encryption while they are writing a Gmail email for Android or iOS devices. Administrators will, however, have to enable access to the feature through their CSE administration interface, as it is disabled by default. 

During the past week, the search giant celebrated its 25th anniversary by letting teens (age 13 and above) try out its generative search service. The company also announced a new tool called Google-Extended that would enable website administrators to control how Google's Bard AI can be trained on their content. It allows website administrators to control whether or not Google can access their content. 

In addition to pulling the plug on Gmail's basic HTML version, which used to support legacy browsers and users with slow connections and could be used to support legacy browsers, Google will also drop the automatic loading of Gmail's Basic view, instead loading the Standard view by default early next year. Customers who are using Google Workspace Enterprise Plus, Education Plus, and Education Standard will be able to take advantage of this feature. 
Read more »
Subscribe to: Posts (Atom)