Thursday, 7 February 2019

Apple to compensate teenager who found Group FaceTime eavesdrop bug

Apple has said it will compensate the teenager who first found a security bug in Group FaceTime that allowed users to eavesdrop before a call was picked up.

The bug was initially reported to Apple by 14-year-old Grant Thompson and his mother, but the family struggled to get in contact with the company before the bug was discovered elsewhere.

The payout will fall under Apple’s bug bounty, which rewards security researchers for privately submitting security bugs and vulnerabilities to the company.

The company said it will also offer an additional gift to Thompson’s education.

“In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security,” an Apple spokesperson told TechCrunch. “This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime.”

“To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS,” said Apple.

On Thursday, Apple rolled out iOS 12.4.1, which Apple says “provides important security updates and is recommended for all users.” Apple’s separate security advisory also credited Thompson with finding the bug.



from iPhone – TechCrunch https://tcrn.ch/2TCZEQy

Update to iOS 12.1.4 to re-enable Group FaceTime

That nasty FaceTime bug is now a thing of the past. You can now download and update your iPhone and iPad to re-enable Group FaceTime again. iOS 12.1.4 is a bug fix release and doesn’t contain any new feature other than this one.

Shortly after people found out that you could eavesdrop on somebody’s microphone or camera by starting a fake Group FaceTime call, Apple disabled Group FaceTime altogether. If you’re running iOS 12.1.3 or earlier, you simply can’t start or join a FaceTime call with more than two people.

The company has been working on a fix to re-enable Group FaceTime without the nasty bug. And that update is now available.

“We have fixed the Group FaceTime security bug on Apple’s servers and we will issue a software update to re-enable the feature for users next week,” Apple said in a statement last week. “We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone’s patience as we complete this process.”

Back up your iPhone or iPad to iCloud or your computer first using iTunes. You can then head over to the Settings app. Tap on ‘General’ then ‘Software Update’ to download and install the patch. The update is still propagating on Apple’s servers so it could take a few minutes before you see it.



from Apple – TechCrunch https://tcrn.ch/2GtnlHf

Wednesday, 6 February 2019

Many popular iPhone apps secretly record your screen without asking

Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it, and they don’t ask for permission.

You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps.

Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play it back to see how users interacted with the app, to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.

Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?”

The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found Air Canada’s iPhone app wasn’t properly masking out the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.

“This gives Air Canada employees — and anyone else capable of accessing the screenshot database — the ability to see unencrypted credit card and password information,” he told TechCrunch.

In the case of Air Canada’s app, although the fields are masked, the masking didn’t always stick. (Image: The App Analyst/supplied)

We asked The App Analyst to look at a sample of apps that Glassbox had listed on its website as customers. Using Charles Proxy, a man-in-the-middle tool used to intercept the data sent from the app, the researcher could examine what data was going out of the device.

Not every app was leaking masked data, but none of the apps we examined said they were recording a user’s screen — let alone sending the recordings back to each company or directly to Glassbox’s cloud.

That could be a problem if any one of Glassbox’s customers isn’t properly masking data, he said in an email. “Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” he said.

The App Analyst said that while Hollister and Abercrombie & Fitch sent their session replays to Glassbox, others like Expedia and Hotels.com opted to capture and send session replay data back to a server on their own domain. He said that the data was “mostly obfuscated,” but did see in some cases email addresses and postal codes. The researcher said Singapore Airlines also collected session replay data but sent it back to Glassbox’s cloud.

Without analyzing the data for each app, it’s impossible to know if an app is recording a user’s screen or how you’re using the app. We didn’t even find it in the small print of their privacy policies.

Apps that are submitted to Apple’s App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user’s screen. Because Glassbox doesn’t require any special permission from Apple or from the user, there’s no way a user would know.

Expedia’s policy makes no mention of recording your screen, nor does Hotels.com’s policy. And in Air Canada’s case, we couldn’t spot a single line in its iOS terms and conditions or privacy policy that suggests the iPhone app sends screen data back to the airline. And in Singapore Airlines’ privacy policy, there’s no mention either.

We asked all of the companies to point us to exactly where their privacy policies permit each app to capture what a user does on their phone.

Only Abercrombie responded, confirming that Glassbox “helps support a seamless shopping experience, enabling us to identify and address any issues customers might encounter in their digital experience.” The spokesperson pointed to Abercrombie’s privacy policy, which makes no mention of session replays; neither does its sister brand Hollister’s policy.

“I think users should take an active role in how they share their data, and the first step to this is having companies be forthright in sharing how they collect their users data and who they share it with,” said The App Analyst.

When asked, Glassbox said it doesn’t require its customers to mention its usage in their privacy policy.

“Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics. Glassbox SDK can interact with our customers’ native app only and technically cannot break the boundary of the app,” the spokesperson said. When something outside the app, such as the system keyboard, covers part of the native app, “Glassbox does not have access to it,” the spokesperson said.

Glassbox is one of many session replay services on the market. Appsee actively markets its “user recording” technology that lets developers “see your app through your user’s eyes,” while UXCam says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events.” Most went under the radar until Mixpanel sparked anger for mistakenly harvesting passwords after masking safeguards failed.

It’s not an industry that’s likely to go away any time soon — companies rely on this kind of session replay data to understand why things break, which can be costly in high-revenue situations.

But the fact that app developers don’t publicize it just goes to show how creepy even they know it is.




from iPhone – TechCrunch https://tcrn.ch/2Dcek24

Tuesday, 5 February 2019

Tesla has opened an Amazon store to spread its swag far and wide

Tesla has had a brisk merch business for years now, thanks to its fervent owner base and fans, who are enthusiastic supporters of the company and its CEO Elon Musk.

But until now, those Tesla-branded items — everything from water bottles and hats to jackets, chargers and once a surfboard — have been sold through the automaker’s own website.

Tesla has now expanded its merch ambitions and opened a store on Amazon. (A reader tipped TechCrunch off to the store; however, the story was first reported by Electrek.) Tesla confirmed the store opened earlier this week.

It should be noted that, for now, the store on Amazon isn’t as robust as the one on Tesla’s website. However, there are at least two items that can only be found on the Amazon page: an iPhone 8+ case and a Tesla iPhone X folio case. No prices are listed for the items and they’re currently “unavailable.”

Tesla Amazon store

In fact, every item on the store is “unavailable.”

It’s not clear when these items will be back in stock or why they aren’t available now. Did the company sell out already? Has it simply failed to make the items available? So many questions.

Tesla merchandise, especially specialty items, does tend to sell out quickly. For instance, the Tesla-branded surfboard priced at $1,500 sold out in a day. However, the mini diecast Tesla models sold on the Amazon store appear to be in stock over at Tesla’s website. We’ll update the story when the mystery is solved.



from iPhone – TechCrunch https://tcrn.ch/2Bolsbo

Angela Ahrendts is leaving Apple

Angela Ahrendts will depart Apple in April, almost exactly five years after taking on a role as the company’s senior vice president of retail.

The company says Ahrendts’ responsibilities will now be handled by Deirdre O’Brien, whose title is changing from “senior vice president of People” to “senior vice president of Retail + People.”

Story developing…



from Apple – TechCrunch https://tcrn.ch/2Bmivbg

iOS 12.2 beta includes new Animojis and fake 5G logo

Apple released a new beta version of iOS 12.2 yesterday. While the final version isn’t available just yet, here’s what you should expect: new Animojis and a fake 5G logo if you’re an AT&T customer.

If you have an iPhone X, XS, XS Max or XR, you’ll see new animals in the Animoji collection. As 9to5mac spotted, you will be able to record a video message and replace your head with a giraffe, an owl, a shark or a warthog. These Animojis will also work during FaceTime calls.

Here’s a picture from 9to5mac with the new lineup:

More interestingly, Apple succumbed to AT&T’s marketing plot to rename 4G as 5G. MacRumors noticed that some AT&T users now have a ‘5G E’ icon in the top right corner when they upgrade to the beta version of iOS 12.2. Some Android phones already show a 5G E icon after an AT&T update.

But don’t be fooled, this isn’t 5G — this icon replaces the LTE icon. AT&T has basically rebranded LTE with carrier aggregation as 5G Evolution. But it still runs on the same network.

Here’s a picture from the MacRumors forums:

The same thing happened in the U.S. during the transition from 3G to 4G. AT&T decided to rebrand its 3G HSPA+ network as 4G. It’s the reason why many carriers talk about LTE instead of 4G.

AT&T confused everyone back then, and the company is about to do the same again. It’s too bad Apple is helping AT&T with this iOS update.

Disclosure: TechCrunch is a Verizon Media company.



from Apple – TechCrunch https://tcrn.ch/2GbCiP2

Report: Smart speaker adoption in U.S. reaches 66M units, with Amazon leading

Smart speakers had a good holiday. Amazon already said its Echo Dot outsold all other items on its site this holiday season, which hinted toward the sizable growth for the voice-powered speaker market. Today, research firm CIRP is reporting the U.S. installed base for speakers grew to 66 million units in December 2018, up from 53 million in the September 2018 quarter and just 37 million in December 2017.

However, holiday sales didn’t have much impact on the market shares for the various speaker brands, the firm found.

Amazon Echo devices still lead the U.S. market with a 70 percent share of the installed base, followed by Google Home at 24 percent, then Apple HomePod at 6 percent, the report said.

“Holiday shoppers helped the smart speaker market take off again,” said Josh Lowitz, Partner and Co-Founder of CIRP, in a statement. “Relative market shares have remained fairly stable, with Amazon Echo, Google Home, and Apple HomePod accounting for consistent shares over the past few quarters. Amazon and Google both have broad model lineups, ranging from basic to high-end, with even more variants from Amazon. Apple, of course, has only its premium-priced HomePod, and likely won’t gain significant share until it offers an entry-level product closer to Echo Dot and Home mini,” Lowitz added.

Also of interest is that some portion of those buying a smart speaker for their home already own one. According to CIRP, 35 percent of smart speaker owners now have multiple devices, as of December 2018. That’s up from 18 percent in December 2017.

This figure is key to the device makers’ larger strategies, because it means that once a company is able to get that first sale, the consumer may return to buy more devices from the same vendor.

Amazon had gained an early advantage here, initially convincing more users to buy another speaker compared with Google Home users. A year ago, almost double the number of Echo users had multiple devices, versus Google Home owners. But Google is catching up, and now about a third of Echo and Google Home users have multiple devices.

It’s worth noting that CIRP data – like much that’s produced by market research firms – isn’t always going to match up exactly with other firms’ estimates and forecasts.

For example, Strategy Analytics this fall said that Amazon’s Echo market share in the U.S. was 63 percent, to Google’s 17 percent and Apple HomePod’s 4 percent. Meanwhile, eMarketer’s 2019 U.S. forecast predicts Amazon Echo will end up with around a 63.3 percent market share this year, versus Google Home’s 31 percent, with all others like HomePod and Sonos, reaching 12 percent.

That said, the broad strokes across all reports point to the same general findings – that Amazon is leading the U.S. market by a wide margin, and while that margin may be shrinking, it’s not going away soon.



from Apple – TechCrunch https://tcrn.ch/2MUztlW