Categories: Writing

Less Than Impressed With 1Password

First, the good news: 1Password has released a new version of their product on iOS. The company outlines a whole pile of reasons for the supposed delay in security upgrades – including that the updates will slow the speed at which users can access their encrypted data – but fails to identify what I suspect is a key motive behind the upgrade. If you recall, I wrote a while ago about key failures in mobile password managers. 1Password was amongst those who had flawed security implementations.

To be clear: security, especially good security, is damn hard to engineer. 1Password didn’t have the gaping flaw that others did – i.e. storing passwords in plaintext!! – but it was flawed. In the security community this (ideally) is resolved when someone critiques your secured infrastructure. In today’s world you should also credit the security researcher(s) who identified the flaw.

Unfortunately, this isn’t what 1Password has done. As far as I can tell, there is no formal recognition from the company that a third party pointed out the flaws in their mobile security model. This is a shame, given that transparency is a key factor in building genuine trust in security. It seems like 1Password is willing to address problems – they’re not dwelling in a security-by-obscurity paradigm, to be sure! – but not to credit others with finding those problems in the first place.

Update: My very, very bad. I missed an earlier piece from 1Password, where they note the research. That is available here. It would have been ideal to see a reference to this in their update but, admittedly, credit had previously been given.

Categories: Links, Writing

I Like The Apps, But Not The Design

A new version of the iPad is coming. The latest ‘craze’ around this version is whether or not it will come with a home button. To date, there’s been one particularly strong ‘In Defence of the Home Button’ post by Dave Caolo, which is effectively a listing of all the functions that Apple has tied to the singular button at the bottom of each iDevice.

This button isn’t going anywhere. And that’s really unfortunate, because better – or at least equivalent – options are out there.

The PlayBook is seriously lacking on apps. SERIOUSLY LACKING. But the hardware design of the device is stunning. I don’t need to pay attention to what is up, down, left, or right because of how RIM has integrated the bezel functionality. For a quick overview of the bezel options, check out the video below:

This isn’t to say that the PlayBook is a winner hands down. Apple’s home button is linked to a variety of accessibility options which are lacking on the PlayBook. Also, Apple has a series of gestures that enable features similar to the PlayBook’s, though I’m far less impressed at how they’re integrated. Because of how awkward these gestures tend to be, I tend to just use the home button, which can be incredibly inconvenient depending on the iPad’s orientation at the time.

My dream would be Apple getting creative and bringing the hardware design leadership of the PlayBook to the app-rich iDevice environment. I’m not holding my breath, though.

Categories: Links

Let’s Say It Together: Apple Is Not A Security Company!

I sympathize with people’s concern and anger when they learn more about Apple’s atrocious APIs that let developers run off with consumer data. In the most recent revelation:

Accepting an iOS prompt that asks permission to access location data can also allow copying of private photo and video libraries, the Times said yesterday. Because these devices often save coordinate information along with photos, it might also be possible to put together a user’s location history, as well as recording current location.

Apparently in an attempt to make photo apps more efficient, access to private photos has been available since the fourth version was released in 2010.

All of this, however disturbing it might be, makes a lot of sense. Apple is a consumer company that aims to engineer products so that users can best enjoy them. This means they don’t want to throw a whole lot of security warnings in front of you, for two reasons: first, you’ll just ignore them anyway; second, they’ll annoy you and thus could reduce your iDevice usage.

Very few mobile companies ‘do’ security. The much-maligned Research In Motion is actually about the only mobile company that sells its products on security grounds, though the need to ship secured code reduces the rate at which they can bring new, highly innovative products to market. Consumers, businesses, governments, and the market point to their slower rate of innovation as indicative of RIM’s forthcoming doom, but in so doing miss that the ‘cost’ of RIM’s death would be a near-absolute dearth of secured mobile platforms.

If you’re interested in reading about the economics of ignorance and mobile security, check out a piece that was written last year on this very subject.

Categories: Links, Writing

parislemon: What If… (Office For iPad Edition)

parislemon:

Watching the back-and-forth yesterday about the whole Microsoft Office for iPad thing was nothing if not amusing. The basic rundown:

“It’s coming, here it is.” “That’s not it.” “Yes it is.” “No it’s not, but we didn’t say it’s not coming.” “A Microsoft employee showed it to us.” “No…

MG has an interesting analysis on what Office for iPad might mean. I have to admit, if MS partners with Apple to bring real office software to the iPad then another sword will be levelled at Google’s throat. I still – as a professional writer – despise using Google Docs for anything but the most minimal tasks: it just doesn’t meet my requirements for ‘real’ word processing.

The takeaway? Office would add to the ‘professional’ status of the iPad without taking away from the iPad’s ‘consumer friendly’ branding. This would further exacerbate the issues that Google’s tablets face while simultaneously challenging RIM’s own advertising that the PlayBook is ‘the’ tablet for professionals. It would definitely be a coup for both companies against their competitors, and so well worth watching for.

Categories: Aside, Links

Self-Mutating Trojans Come to Android

Symantec is warning that the next generation of smartphone viruses has come:

Researchers from security vendor Symantec Corp. have identified a new premium-rate SMS Android Trojan horse that modifies its code every time it gets downloaded in order to bypass antivirus detection.

This technique is known as server-side polymorphism and has already existed in the world of desktop malware for many years, but mobile malware creators have only now begun to adopt it.

A special mechanism that runs on the distribution server modifies certain parts of the Trojan in order to ensure that every malicious app that gets downloaded is unique. This is different from local polymorphism where the malware modifies its own code every time it gets executed.

This is a clever means to avoid the rudimentary analysis systems that the major vendors use to ID malware. It’s also (another) indication of how important antivirus is going to become for the mobile marketplaces. I suspect that, by the end of the year, a lot of users (on iOS, Android, and the rest) are going to wish that the post-Steve Jobs smartphones on the market today met Jobs’ initial thoughts regarding smartphones when Apple released the iPhone. Specifically, he held that:

He didn’t want outsiders to create applications for the iPhone that could mess it up, infect it with viruses, or pollute its integrity

While our pocket computers are better now that apps are available, I can’t help but think that Jobs’ earliest worries are now looming as today’s potential nightmares.
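To make concrete why the “rudimentary analysis systems” mentioned above lose to server-side polymorphism, here is an added illustration (not code from the original post, from Symantec, or from any real sample): a toy model in which each download carries the same invariant premium-rate SMS behaviour wrapped in server-randomized bytes, so a blocklist of file hashes misses every fresh copy while a content rule over the invariant part still matches. All sample bytes, the marker string and the rule are constructed for this example.

```python
"""Hash blocklist vs behaviour rule against server-side polymorphism (toy model)."""
import hashlib
import os
import re

# Constructed stand-in for the Trojan's invariant behaviour (the premium-rate
# SMS send). Real malware would carry this as bytecode; a text marker is used
# here only to make the idea visible.
INVARIANT_BEHAVIOUR = b"SmsManager.sendTextMessage(premium_shortcode)"


def serve_variant(rng_bytes: bytes) -> bytes:
    """Model of the distribution server: the same payload wrapped in
    per-download junk (random package name, random padding) so that every
    copy has a different file hash. The junk changes; the behaviour does not."""
    package_name = b"pkg." + rng_bytes[:8].hex().encode()
    padding = rng_bytes[8:]
    return package_name + b"\n" + INVARIANT_BEHAVIOUR + b"\n" + padding


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_detects(sample: bytes, blocklist: set) -> bool:
    """Rudimentary approach: exact match against known-bad file hashes."""
    return sha256(sample) in blocklist


# Constructed content rule (YARA-style) over the invariant part only.
BEHAVIOUR_RULE = re.compile(rb"sendTextMessage\([^)]*shortcode\)")


def behaviour_rule_detects(sample: bytes) -> bool:
    """Survives the server's rewriting because it ignores the variable bytes."""
    return BEHAVIOUR_RULE.search(sample) is not None


def compare_detection(n_downloads: int = 5) -> dict:
    """Analyse the first download, blocklist its hash, then test the others."""
    downloads = [serve_variant(os.urandom(32)) for _ in range(n_downloads)]
    blocklist = {sha256(downloads[0])}
    fresh = downloads[1:]
    return {
        "unique_hashes": len({sha256(d) for d in downloads}),
        "hash_hits": sum(hash_blocklist_detects(d, blocklist) for d in fresh),
        "rule_hits": sum(behaviour_rule_detects(d) for d in fresh),
    }


if __name__ == "__main__":
    print(compare_detection())  # every download has a new hash; only the rule fires
```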

Categories: Aside, Links

iOS is a Security Vampire

I’m sorry, but what Path did is (in some jurisdictions, such as my own) arguably a criminal offence. Want to know what they’ve been up to?

When developer Arun Thampi started looking for a way to port photo and journaling software Path to Mac OS X, he noticed some curious data being sent from the Path iPhone app to the company’s servers. Looking closer, he realized that the app was actually collecting his entire address book — including full names, email addresses, and phone numbers — and uploading it to the central Path service. What’s more, the app hadn’t notified him that it would be collecting the information.

Path CEO Dave Morin responded quickly with an apology, saying that “we upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.” He also said that the lack of opt-in was an iOS-specific problem that would be fixed by the end of the week. [emphasis added]

No: this isn’t an ‘iOS-specific problem’; it’s an ‘iOS lacks an appropriate security model and so we chose to abuse it’ problem. I cannot, for the life of me, believe that Apple is willing to let developers access the contact book – with all of its attendant private data – without ever notifying the end user. Path should be tarred, feathered, and legally punished. This wasn’t an ‘accident’ but a deliberate decision, and there should be severe consequences for it.

Also: while the Verge author writes that

Thampi doesn’t think Path is doing anything untoward with the data, and many users don’t have a problem with Path keeping some record of address book contacts.

I think that this misses a broader point. You should not be able to disclose mass amounts of other people’s personal information without their consent. When I provide key contact information it is for an individual’s usage, not for them to share my information with a series of corporate actors to do whatever those actors want with it. The notion that a corporation would be so bold as to steal this personal information to use for their own purposes is absolutely, inexcusably, wrong.

Categories: Humour

I’ll Call you ‘An Ambulance’, OK?

fuckyeahgenderneutralstem: Siri, please help me when I’m dying.

Siri and voice recognition gone horribly, horribly wrong (in tragically comedic ways).

Categories: Aside

Useful Warnings

circa476: Poor Apple….

THIS is the kind of actionable, helpful warning information that should be presented to end-users. It gives them the relevant information they need to choose ‘Cancel’ or ‘Add Anyway’ without scaring them one way or the other. If the jailbreak community can do this, then why the hell can’t the big players like Apple, RIM, Google, Microsoft and the rest?

Categories: Writing

parislemon: This Is Why We Can’t Have Nice Things

I agree with parislemon’s general take on the targeting of Apple and labour: Apple isn’t alone, and we can’t ignore the role of local government in (not) regulating the state of affairs at Foxconn (or other large manufacturing) plants. This said, language like the following is unacceptable and intentionally uncritical:

While this report brings such an issue to the forefront, similar pieces and stories surface quite frequently, actually. Guess what changes? Nothing. It’s shitty to say, but it’s the truth. And we all know it.

The fact of the matter is that we live in a world that demands amazing technology delivered to us at low costs and at great speed. That world leads to Foxconn.

We say we care about the means by which the results are reached when we read stories such as this one. But then we forget. Or we choose not to remember. We buy things and we’re happy that they’re affordable. And then we buy more things. And more. With huge smiles on our faces. Without a care in the world.

In the above quotation, Siegler obfuscates the real role that our governments could have in shaping the supply chain. Imagine if there were a requirement that certain imported products (e.g. electronics) had to be certified to meet standardized ethical and human rights requirements. Would that increase the price of goods, or prevent some from coming to market, initially? Certainly. But as a result Chinese (and other foreign national) companies would dramatically increase labour standards, because it would no longer be a competitive advantage to have such incredibly low standards. Prices would stabilize and we could buy iPhones, BlackBerry devices, and the rest without sleepless nights.

What must happen, however, is that the West must see beyond itself. Citizens must recognize that they can shape the world, and refuse to just give up on the basis that change would threaten the existing, ethically bankrupt, neo-liberal economic practices that surround our lives. If the EU and North America refused to import ethically suspect electronics and gave significant preferential advantage to companies that were ethical in the production and disposal of goods, then significant change could occur.

It is our choice to adopt, or refuse to enforce, basic human rights in the economic supply chain. Technology – its production, usage, and disposal – is rife with ethical quandaries. We have to seriously address them if we are to remedy the intolerable behaviours that companies like Foxconn perpetuate.

Categories: Links

Android & iPhone Update History

calmscape: Android & iPhone Update History

The seriousness of Android’s (lack of) security updates cannot be overstated. Phones that do not receive security updates can be subject to many of the most serious security attacks – such as man-in-the-middle attacks, certificate-based MITM attacks, browser-based attacks, and so forth – and users remain ‘locked’ to their phones because of years-long contracts.

In essence, Android users on lengthy contracts with carriers are forcibly, contractually, linked to long-term security sinkholes.

This is an absolutely inexcusable situation, and one that Google, phone vendors, or carriers should be legislatively mandated to remedy.