iOS Developers Targeted With New XcodeSpy macOS Malware

Author: msmash
March 19, 2021 05:05
Security researchers have uncovered a new type of macOS malware that has been used in the wild to attack iOS software developers through trojanized Xcode projects. From a report: Named XcodeSpy, the malware consists of a malicious Run Script that was added to a legitimate Xcode project named TabBarInteraction. Security firm SentinelOne, which analyzed the malware in a report published today and shared with The Record, said the malicious script ran every time the Xcode project was built, installing a LaunchAgent for reboot persistence and then downloading a second payload, a macOS backdoor named EggShell. "The backdoor has functionality for recording the victim's microphone, camera and keyboard, as well as the ability to upload and download files," said Phil Stokes, macOS malware researcher at SentinelOne. While the XcodeSpy server infrastructure that controlled the LaunchAgent was down, Stokes said they were able to discover several instances of the EggShell backdoor uploaded on the VirusTotal web-based malware scanner. Stokes said SentinelOne first learned of this malware following a tip from an anonymous researcher, who found an instance of the EggShell backdoor on the network of a US-based company. "The victim reported that they are repeatedly targeted by North Korean APT actors and the infection came to light as part of their regular threat hunting activities," Stokes said, but the researcher told The Record they were not able to definitively link the malware to a nation-state operation beyond a reasonable doubt.

Read more of this story at Slashdot.

iOS 14.5 Won't Actually Let You Change a Default Music Service

Author: BeauHD
March 5, 2021 08:20
It turns out that Apple's iOS 14.5 update won't actually let you change your default music service that you use with Siri. Engadget reports: Beta users had originally noticed that it appeared as if early versions of the update might allow you to change the default service that launches when you ask Siri to play a song. This meant that rather than specifying a third-party music app with each request, Siri would remember your preference and launch with the service you had originally specified. While all that still seems to be the case, TechCrunch reports that Apple has apparently "clarified" that it "doesn't consider this feature the equivalent to 'setting a default.'" That's because the feature relies on "Siri intelligence," which can track your music-listening habits over time and predict which app you're more likely to want at that moment. For users, that may certainly feel as if you've changed your default music player, but there's still no way to do that on iOS.

Apple Is Going To Make It Harder to Hack iPhones With Zero-Click Attacks

Author: msmash
February 23, 2021 02:03
Apple is going to make one of the most powerful types of attacks on iPhones much harder to pull off in an upcoming update of iOS. From a report: The company quietly made a new change in the way it secures the code running in its mobile operating system. The change is in the beta version of the next iOS version, 14.5, meaning it is currently slated to be added to the final release. Several security researchers who specialize in finding vulnerabilities in and crafting exploits for iOS believe this new mitigation will make it much harder for hackers to take control of an iPhone with a technique known as a zero-click (or 0-click) exploit, which allows a hacker to take over an iPhone with no interaction from the target. Apple also told Motherboard it believes the changes will impact 0-click attacks. "It will definitely make 0-clicks harder. Sandbox escapes too. Significantly harder," a source who develops exploits for government customers told Motherboard, referring to "sandboxes" which isolate applications from each other in an attempt to stop code from one program interacting with the wider operating system. Motherboard granted multiple exploit developers anonymity to speak more candidly about sensitive industry issues. Like the name suggests, zero-click attacks allow hackers to break into a target without needing the victim to interact with anything, such as a malicious phishing link. This means that the attack is generally harder for the targeted user to detect. These are generally very sophisticated attacks. These attacks may now become much rarer, according to several security researchers who look for vulnerabilities in iOS.

Apple Will Proxy Safe Browsing Traffic on iOS 14.5 To Hide User IPs from Google

Author: msmash
February 13, 2021 05:07
Apple's upcoming iOS 14.5 release will ship with a feature that will re-route all Safari's Safe Browsing traffic through Apple-controlled proxy servers as a workaround to preserve user privacy and prevent Google from learning the IP addresses of iOS users. From a report: The new feature will work only when users activate the "Fraudulent Website Warning" option in the iOS Safari app settings. This enables support for Google's Safe Browsing technology in Safari. The Safe Browsing technology works by taking a URL the user is trying to access, sending the URL in an anonymized state to Google's Safe Browsing servers, where Google accesses the site and scans for threats. If malware, phishing forms, or other threats are found on the site, Google tells the user's Safari browser to block access to the site and show a fullscreen red warning. While years ago, when Google launched the Safe Browsing API, the company knew what sites a user was accessing; in recent years, Google has taken several steps to anonymize data sent from users' devices via the Safe Browsing feature. But while Google has anonymized URL strings, by sending the link in a cropped and hashed state, Google still sees the IP address from where a Safe Browsing check comes through. Apple's new feature basically takes all these Safe Browsing checks and passes them through an Apple-owned proxy server, making all requests appear as coming from the same IP address.

Reddit Users Revolt Against the iOS App's New Video Player

Author: BeauHD
February 2, 2021 10:25
The official Reddit for iOS app recently received an update that added a new video player UI, and many users don't like it one bit. XDA Developers reports: The Reddit Mobile subreddit, the community where Reddit administrators notify users of new Android and iOS app updates, is currently filled to the brim with complaints about the new video player. Many users describe the experience as TikTok or Instagram-like. Others simply say it's too intrusive and also requires more button presses to reach the comments section of a post. The new video player UI has yet to reach the Android version, but we'd be surprised if Reddit pushes ahead with the controversial video player changes in their current form. For those looking for an alternative, XDA Developers recommends the Apollo app.

iOS 14.5 Will Support PS5 DualSense and Xbox Series X Controllers

Author: BeauHD
February 2, 2021 08:20
Apple's latest iOS 14.5 update for beta testers brings support for the new PS5 DualSense and Xbox Series X controllers. The Verge reports: Apple's upcoming iOS 14.5 update follows the company revealing back in November that it was working with Microsoft to include support for the Xbox Series X controllers. Steam also added PS5 controller support last year, followed by Nvidia's Shield TV support last month. Other features of iOS 14.5 include the ability to unlock an iPhone with an Apple Watch while wearing a mask, Siri emergency contact calling, CarPlay ETA sharing, and dual-SIM 5G support. The official release is expected in the next couple of months.

iOS 14.5 Tries To Solve Face ID's Mask Problem With Your Apple Watch

Author: msmash
February 2, 2021 06:25
Apple's latest iPhones stuck with Face ID as the singular method of biometric authentication in an era when people are wearing face masks everywhere they go. This inevitably means having to enter your passcode constantly throughout the day. But Apple has come up with a stopgap solution that should make it easier to get into your phone during mask life -- as long as you've got an Apple Watch. From a report: As first reported by Pocket-lint, the new iOS 14.5 update, which went into beta today, uses the Apple Watch on your wrist to quickly authenticate and unlock your iPhone. Apple already offers this convenient trick on the Mac, but now it's coming to the iPhone as well. It works similarly here. You lift your iPhone to turn on the screen, and you'll feel a little nudge of haptic feedback on your Apple Watch to indicate that your iPhone has been unlocked. The devices must be in close proximity for this to work in the first place, which is a measure to keep your data secure. (If the Apple Watch is locked, this won't work either.) And this Apple Watch shortcut is only good for unlocking your iPhone; App Store and iTunes purchases will still require other authentication if your face is covered. And as a final security check, you'll still be asked to put in your passcode every few hours even when unlock with Apple Watch is enabled.

Apple Adds 'BlastDoor' To Secure iOS From Zero-Click Attacks

Author: BeauHD
January 29, 2021 09:50
wiredmikey shares a report from SecurityWeek.com: Apple has quietly added several anti-exploit mitigations into iOS in what appears to be a specific response to zero-click iMessage attacks observed in the wild. The new mitigations were discovered by Samuel Groß, a Google Project Zero security researcher, [with the first big addition being] a new, tightly sandboxed "BlastDoor" service that is now responsible for the parsing of untrusted data in iMessages. With iOS 14, Groß discovered that Apple shipped a significant refactoring of iMessage processing, and made all four parts of an attack much harder to succeed. Apple added logic into iOS 14 to specifically detect [shared cache region] attacks and new techniques to limit an attacker's ability to retry exploits or brute force Address Space Layout Randomization (ASLR). "Overall, these changes are probably very close to the best that could've been done given the need for backwards compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole," the Google researcher added.

Google Stadia Arrives on iOS

Author: msmash
December 17, 2020 05:48
Google's cloud gaming service now supports the iPhone and iPad. As expected, the company is using a web app to access the service. From a report: Google also says that you need to update to iOS 14.3, the latest iOS update that was released earlier this week. If you want to try it out with a free or paid Stadia account, you can head over to stadia.google.com from your iOS device. Log in to your Google account, add a shortcut to your home screen and open the web app. After that, you can launch a game and start playing. Most games will require a gamepad, so you might want to pair a gamepad with your iPhone or iPad as well. Apple's iOS supports Xbox One and PlayStation 4 controllers using Bluetooth as well as controllers specifically designed for iOS. You can also play with the Stadia controller, but it's optional. If you just want to check your inventory quickly, Stadia on iOS also supports touch controls.

Brave Hits 20 Million Monthly Users a Year After 1.0 Release

Author: BeauHD
November 5, 2020 18:00
One year after its first 1.0 release, Brave says it has hit the milestone of 20.5 million active monthly users. "At the same time last year, the browser had 8.7 million active monthly users, and of the 20 million monthly users, 7 million are daily users, which represents more than a doubling of last year's 3 million," reports ZDNet. "Brave added that since Apple allowed browsers other than its own to be the default option on iOS, it has seen its iOS user base increase by a third." From the report: One of the touted features of the browser is that it hates ads, and will go out of its way to block them, unless users decide to see Brave-powered advertisements. To that end, Brave has hit "2 billion ad confirmation events" and completed 2,215 campaigns from over 460 companies. The browser maker says its users have a click-through rate of 9%, way and away outstripping industry averages. The browser also has its own cryptocurrency, Basic Attention Tokens, that users use to "tip" content creators. Thus far, 26 million of the tokens have been sent to creators. At the time of writing, the blockchain-based token is trading for just under 18 cents, meaning $4.6 million has been sent from users.

Apple Is Poaching From Google's iPhone Hacking Team

Author: msmash
October 15, 2020 01:04
Apple has poached a key member of Google's Project Zero, a hacking team at Google that has found dozens of critical vulnerabilities in Apple's iOS and other critical Apple software. From a report: Last year, Apple and Google fought over a series of vulnerabilities that Project Zero discovered in iOS, with Apple suggesting that Google was overselling the vulnerabilities. About a year later, Brandon Azad announced on Twitter at the beginning of October that he was leaving Google's elite team of hackers to join Apple. "My teammates at Project Zero have been among the kindest and smartest people I've met, and I've learned so much from them," Azad wrote. "I'll really miss working alongside everyone on the team. Thank you all for these wonderful experiences, and keep on hacking!" Azad has been widely considered one of the best iPhone hackers who didn't work for Apple, being named by Apple in countless security advisories, and presenting highly technical findings on Apple's products at major cybersecurity conferences around the world. Last year, Motherboard profiled Project Zero and revealed that Apple had been trying to poach a colleague of Azad, Ian Beer.

Picture-In-Picture Mode On iOS 14 No Longer Working With YouTube's Mobile Website Unless You Pay For Premium

Author: BeauHD
September 19, 2020 22:00
An anonymous reader quotes a report from MacRumors: Apple in iOS 14 added Picture in Picture to the iPhone, a feature designed to let you watch a video in a small screen on your device while you continue to do other things on the phone. The YouTube app doesn't support Picture in Picture, but up until yesterday there was a functional workaround that allowed videos from YouTube.com to be watched in Safari in Picture in Picture mode. As of today, that workaround is gone, and it's not clear if it's a bug or a deliberate removal. Attempting to use Picture in Picture on a video on the mobile YouTube website simply doesn't work. Tapping the Picture in Picture button when in full screen mode pops the video out for a second, but it immediately pops back into the website, so it can't be used as a Picture in Picture window. [...] Picture in Picture appears to work on the mobile YouTube website in Safari for those who are YouTube Premium subscribers, which suggests that the restriction is intentional and not a bug.

Developers Frustrated at Apple for Just One Day's Notice To Submit Apps Ahead of iOS 14 Release Today

Author: msmash
September 16, 2020 23:51
While developers have had access to beta versions of the software updates since June, many were caught off guard by Apple's much shorter notice of the final releases. By comparison, Apple started accepting apps built for iOS 13 on September 10 last year, over one week before the software update was released on September 19. From a story yesterday: "I think a lot of developers won't be sleeping tonight or will instead just give up and opt to release [their app] when they want to, instead of alongside the new OS," said iOS developer Shihab Mehboob in a message. "Apple has seemingly out of the blue decided to surprise developers with no real warning or care." [...] "Without advance warning like this, nothing is ready," a developer at High Caffeine Content, Steve Troughton-Smith, told me. "Developers aren't ready, the App Store isn't ready, and everybody is rushing to react instead of having the chance to finish their apps properly." Steve ran through the normal iOS release process with me. Apple usually gives third-party app developers a heads up of about a week before the official public release of a new iOS. The company puts out a "Golden Master" copy of the new iOS and Xcode developer tool before the latest operating system is officially released to the public. This gives iPhone app developers the time they need to make sure the apps they've been building for the beta releases of the new iOS actually work on the final version. Sometimes there are critical bugs that are only revealed or could only be fixed at this point in the process. The extra time can also be used to add new features for any new devices announced at the Apple Event. Apple's approval process for apps also takes some time, so developers have that week to make sure they submit in time to guarantee their work will be in the App Store for the iOS release. "Gone are the hopes of being on the store by the time users install the new iOS 14 and are looking for new apps. Gone is the chance to get some last-minute fixes into your existing apps to make sure they don't stop working outright by the time users get to upgrade their OS," explained Steve. "There are some developers who have spent all summer working on something new, using the latest technologies, hoping to be there on day one and participate in the excitement (and press coverage) of the new iOS," he continued. "For many of them, they'll be incredibly upset to have it end like this instead of a triumphant launch, and it can dramatically decrease the amount of coverage or sales they receive."

What To Expect At Apple's 'Time Flies' Event

Author: BeauHD
September 15, 2020 11:02
On Tuesday, Apple will hold its annual September event called "Time Flies." Unlike in previous years, the company is not expected to announce new iPhones as they have reportedly been delayed "a few weeks" due to the pandemic. Macworld reports on what we can expect to see announced instead: Apple's invitation was light on details, as always, but it's hard to look at its "Time Flies" tagline and think that this won't mean showing off new models of the Apple Watch. Presumably that means a Series 6, but rumors have also circulated around an additional lower cost model to replace the aging Series 3. [...] While the iPad Pro received a minor update this past spring, the midrange iPad Air has remained unchanged since March 2019. Eighteen months is about the refresh cycle for iPads these days, so a revamped Air seems like a pretty good bet for this week's event. [...] There also remains the question of the iPad mini, last updated at the same time as the Air. It could very well see a similar update to stay in step with the Air, but given that Apple has often let the smaller tablet lie unchanged for years at a time -- which it seems to do with many products with the "mini" moniker -- it's hardly a sure thing. With new hardware naturally comes new software. The release of a new Apple Watch will certainly require watchOS 7, which in turn will need iOS 14. Likewise, new iPads are unlikely to ship without iPadOS 14. That gibes with a recent Bloomberg report that iOS 14 would be released in mid-September, following the usual schedule for Apple's mobile operating system updates. And given our brave new world where Apple events are not subject to the typical restrictions of time and scheduling, that might be all we have to look forward to this time around. That said, there are plenty of other things that Apple could talk about at this event, assuming they're ready to go -- everything from over-the-head AirPods to Apple silicon-powered Macs.

How App Developers Manipulate Your Mood To Boost Ranking?

Author: msmash
September 8, 2020 01:00
Higher ratings are the 'lifeblood' of the smartphone app world but what if they are inflated? From a report: Rating an iPhone app takes just a second, maybe two. "Enjoying Skype?" a prompt will ask, and you click on a 1-5 star rating. Millions of people respond to these requests, giving little thought to their fleeting whim. Behind the scenes, though, an entire industry has spent countless hours and lines of code to craft this moment. The prompt, seemingly random, can be orchestrated to hit your glowing screen only at times when you are most likely to leave a five star review. Gaming apps will solicit a rating just after you reach a high score. Banking apps will ask when they know it's payday. Gambling apps will prompt users after they are dealt the perfect Blackjack hand. A sporting app will give the nudge only when a user's team is winning. Apple has for a decade clamped down on "ratings farms" and "download bots" that companies use to fraudulently garner five-star scores and manipulate App Store rankings. And it has had some success. But these are blunt instruments trying to cheat the system in clear violation of Apple's rules. The more sophisticated techniques stay within the rules but draw on behavioural psychology to understand your mood, emotions and behaviour -- they are not hacking the system; they are hacking your brain. "The algorithms that are used are very hush-hush," says Saoud Khalifah, chief executive of Fakespot, a service that analyses the authenticity of reviews on the web. "They can target you when you are euphoric, when you have a lot of dopamine. They can use machine learning to determine [when] a user will be more inclined to leave positive reviews."

Apple To Delay Privacy Change Threatening Facebook, Mobile Ad Market

Author: msmash
September 4, 2020 04:25
Apple said on Thursday that it will delay until early next year changes to its privacy policy that could reduce ad sales by Facebook and other companies targeting users on iPhones and iPads. From a report: The delay could benefit Facebook, which last week said the changes to the iOS 14 operating system would render one of its mobile advertising tools "so ineffective on iOS 14 that it may not make sense to offer it." Apple announced new privacy rules in June that were slated to take effect with the launch of its iOS 14 operating system this fall. Among them is a new requirement that advertisers who employ an Apple-provided tracking identifier, or other tools that have a similar function, must now show a pop-up notification asking for tracking permission. Facebook said last week it would quit using the tool that requires a prompt in its own apps but did not immediately respond to a request for comment on Thursday. Apple said Thursday that developers will still have the option to use the prompt when iOS 14 arrives.

WordPress Founder Claims Apple Cut Off Updates To His Free App Because It Wants 30 Percent

Author: BeauHD
August 22, 2020 06:30
WordPress founding developer Matt Mullenweg is accusing Apple of cutting off the ability to update its iOS app -- until or unless he adds in-app purchases so Apple can extract its 30 percent cut of the money. The Verge reports: Here's the thing: the WordPress app on iOS doesn't sell anything. I just checked, and so did Stratechery's Ben Thompson. The app simply lets you make a website for free. There isn't even an option to buy a unique dot-com or even dot-blog domain name from the iPhone and iPad app -- it simply assigns you a free WordPress domain name and 3GB of space. Is Apple seriously asking for WordPress owner Automattic to share a cut of all its domain name revenue? How would it even know which customers used the app? Or was this all a mistake? Apple, Automattic, and Mullenweg didn't immediately reply to requests for comment. As the article points out, all of this is happening in the shadow of Epic Games' gigantic fight against Apple, one that Apple responded to this very afternoon.
