Wednesday, 10 April 2019

Google turns your Android phone into a security key

Your Android phone could soon replace your hardware security key to provide two-factor authentication access to your accounts. As the company announced at its Cloud Next conference today, it has developed a Bluetooth-based protocol that will be able to talk to its Chrome browser and provide a standards-based second factor for access to its services, similar to modern security keys.

It’s no secret that two-factor authentication remains one of the best ways to secure your online accounts. Typically, that second factor comes to you as a push notification, a text message or a code from an authenticator app like Google Authenticator. All of those can still be phished, though: a fake login page can ask you for the code and relay it to the real site within the seconds it remains valid. A physical security key closes that gap because the browser, not the page, tells the key which origin is asking, and the key signs a challenge that is bound to that origin. A signature produced for a look-alike domain is simply not valid for the real one, so the key isn’t going to produce a usable token on the wrong site.

Because Google is using the same FIDO standard here, just with a phone in place of dedicated hardware, that phishing protection remains intact when you use your phone, too.

Bluetooth security keys aren’t a new thing, of course, and Google’s own Titan keys include a Bluetooth version (though they remain somewhat controversial). The user experience for those keys is a bit messy, though, since you have to pair the key with the device first. Google, however, says it has done away with all of this thanks to a new protocol that uses Bluetooth but doesn’t require the usual Bluetooth pairing process. Sadly, the company didn’t go into detail about how this works.

Google says this new feature will work with all Android 7+ devices that have Bluetooth and location services enabled (location access is what Android requires before an app may scan for nearby Bluetooth devices). Pixel 3 phones, which include Google’s Titan M tamper-resistant security chip, get some extra protections, but the company is mostly positioning this as a bonus and not a necessity.

As far as the setup goes, the whole process isn’t all that different from setting up a security key (and you’ll still want to register a second or third key as a backup in case you ever lose or break your phone). You’ll be able to use this new feature for both work and private Google accounts.

For now, this also only works in combination with Chrome. The hope here, though, is to establish a new standard that will then be integrated into other browsers, as well. It’s only been a week or two since Google enabled support for logging into its own service with security keys on Edge and Firefox. That was a step forward. Now that Google offers a new service that’s even more convenient, though, it’ll likely be a bit before these competing browsers will offer support, too, once again giving Google a bit of an edge.



from Android – TechCrunch https://tcrn.ch/2P2szvU
via IFTTT

Tuesday, 9 April 2019

Apple could release a 31.6-inch 6K external display this year

Analyst Ming-Chi Kuo has released a new report about future Apple products — 9to5mac obtained the report. The company could be working on a new 31.6-inch external display with a 6K resolution that could work particularly well with the Mac Pro. New iPad and MacBook Pro models with better displays are also in the works.

Apple used to sell external displays but stopped selling the latest model in 2016. The 27-inch Apple Thunderbolt Display had an aluminum case and an LED-backlit LCD. At 2560×1440 pixels it had a quarter of the pixels of the 27-inch 5K iMac, and it never made the switch to Thunderbolt 3.

When Apple told TechCrunch that it was working on a Mac Pro, the company confirmed that there would be a new external display. “We want them to know we are going to work on a display for a modular system,” Apple SVP of Worldwide Marketing Phil Schiller told Matthew Panzarino.

According to Ming-Chi Kuo’s report, the new display will come earlier rather than later. Apple plans to launch the device during the second or third quarter of this year. I wouldn’t be surprised to see an announcement on June 3 at WWDC.

As for new iPad and MacBook Pro models, Ming-Chi Kuo has learned that Apple will use mini-LED technology to improve color gamut, contrast ratios, etc. This new technology should also improve battery performance compared to traditional LED displays.

Those new devices with mini-LED displays will arrive on the market at the end of 2020 or at some point during the first half of 2021. It’s unclear if Apple plans to update the MacBook Pro before then.



from Apple – TechCrunch https://tcrn.ch/2Kn38q3

Monday, 8 April 2019

A powerful spyware app now targets iPhone owners

Security researchers have discovered that a powerful surveillance app first designed for Android devices can now target victims with iPhones.

Researchers at mobile security firm Lookout, who found the spy app, said its developer abused an Apple-issued enterprise certificate to bypass the tech giant’s App Store and install the app on unsuspecting victims’ phones.

Once installed, the app, disguised as a carrier assistance tool, can silently grab a victim’s contacts, audio recordings, photos, videos and other device information, including their real-time location data. It can be remotely triggered to listen in on people’s conversations, the researchers found. Although there was no data to show who might have been targeted, the researchers noted that the malicious app was served from fake sites purporting to be cell carriers in Italy and Turkmenistan.

Researchers linked the app to the makers of a previously discovered Android app, developed by the same Italian surveillance app maker Connexxa, known to be in use by the Italian authorities.

The Android app, dubbed Exodus, ensnared hundreds of victims — either by installing it or having it installed. Exodus had a larger feature set and expanded spying capabilities by downloading an additional exploit designed to gain root access to the device, giving the app near complete access to a device’s data, including emails, cellular data, Wi-Fi passwords and more, according to Security Without Borders.

Screenshots of the ordinary-looking iPhone app, which was silently uploading a victim’s private data and real-time location to the spyware company’s servers (Image: supplied)

Both of the apps use the same backend infrastructure, while the iOS app used several techniques — like certificate pinning — to make it difficult to analyze the network traffic, Adam Bauer, Lookout’s senior staff security intelligence engineer, told TechCrunch.

“This is one of the indicators that a professional group was responsible for the software,” he said.

Although the Android version was downloadable directly from Google’s app store, the iOS version was not widely distributed. Instead, Connexxa signed the app with an enterprise certificate issued to the developer by Apple, said Bauer, allowing the surveillance app maker to bypass Apple’s strict app store checks.

Apple says that’s a violation of its rules: enterprise certificates are meant strictly for distributing a company’s internal apps to its own employees, not for pushing apps to consumers.

It follows a pattern TechCrunch uncovered earlier this year, when several app makers abused their enterprise certificates to distribute apps that evaded the scrutiny of Apple’s App Store. Every iOS app has to be signed with a certificate issued by Apple or it won’t run, and an enterprise certificate lets a company sign apps for its own employees without App Store review. Several companies, including Facebook and Google, used those enterprise-only certificates to sign apps handed to consumers. Apple said this violated its rules and responded by revoking the enterprise certificates Facebook and Google had used, which knocked the offending apps offline but also broke every other internal app signed with the same certificate.
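The distinguishing mark of such an app is the provisioning profile bundled with it. The following is an added triage example, not Lookout’s or Apple’s tooling: it pulls the XML plist out of an `embedded.mobileprovision` (a CMS/PKCS#7 DER blob wrapping the plist) and classifies the profile as enterprise (in-house), ad hoc, development or App Store-style, and checks its expiry. The sample profile is constructed for the example, the DER prefix only mimics the real layout, and the minimal plist reader is an assumption that suits this format but is no substitute for a proper parser. A real pipeline should also verify the CMS signature, for instance with `security cms -D -i embedded.mobileprovision` on macOS.

```javascript
// Added example: classify an iOS provisioning profile. Not the researchers' code.
// An embedded.mobileprovision is DER-encoded CMS SignedData whose content is an
// XML plist; triage scripts commonly extract the plist by its XML markers.

// Locate the plist inside the CMS blob (after signature verification in a real tool).
function extractPlistXml(buf) {
  const start = buf.indexOf('<?xml');
  const endTag = '</plist>';
  const end = buf.indexOf(endTag, start);
  if (start < 0 || end < 0) throw new Error('no plist found in profile');
  return buf.subarray(start, end + endTag.length).toString('utf8');
}

// Minimal plist reader (assumption: enough for profile keys; nested dicts are
// flattened and the first occurrence of a key wins).
function parseProfilePlist(xml) {
  const re = /<key>([^<]+)<\/key>\s*(?:<(true|false)\/>|<string>([^<]*)<\/string>|<date>([^<]*)<\/date>|<array>([\s\S]*?)<\/array>)/g;
  const out = {};
  let m;
  while ((m = re.exec(xml)) !== null) {
    const [, key, bool, str, date, arr] = m;
    if (key in out) continue;
    if (bool !== undefined) out[key] = bool === 'true';
    else if (str !== undefined) out[key] = str;
    else if (date !== undefined) out[key] = date;
    else out[key] = [...arr.matchAll(/<string>([^<]*)<\/string>/g)].map((x) => x[1]);
  }
  return out;
}

// ProvisionsAllDevices marks an enterprise (in-house) profile; a device list
// marks ad hoc or development; neither marks an App Store-style profile.
function classifyProfile(p) {
  if (p.ProvisionsAllDevices === true) return 'enterprise';
  if (Array.isArray(p.ProvisionedDevices) && p.ProvisionedDevices.length > 0) {
    return p['get-task-allow'] === true ? 'development' : 'ad-hoc';
  }
  return 'app-store';
}

function triageProfile(buf, now = new Date()) {
  const p = parseProfilePlist(extractPlistXml(buf));
  const kind = classifyProfile(p);
  const expires = p.ExpirationDate ? new Date(p.ExpirationDate) : null;
  const expired = expires !== null && expires.getTime() < now.getTime();
  const findings = [];
  if (kind === 'enterprise') {
    findings.push('enterprise profile: legitimate only on the signing company\'s own devices');
  }
  if (expired) findings.push('profile expired');
  return { kind, team: p.TeamName, name: p.Name, appId: p['application-identifier'], expires, expired, findings };
}

// Constructed sample: a fake CMS prefix (ContentInfo header with the signedData
// OID 1.2.840.113549.1.7.2) around an invented enterprise profile.
function buildSampleProfile() {
  const plist = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>Carrier Assistant</string>
  <key>Name</key><string>In-House Distribution</string>
  <key>TeamName</key><string>Example Corp</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2020-01-15T10:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.assistant</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>`;
  const derPrefix = Buffer.from([0x30, 0x82, 0x0a, 0x11, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02]);
  const derSuffix = Buffer.from([0x31, 0x82, 0x01, 0x00]);
  return Buffer.concat([derPrefix, Buffer.from(plist, 'utf8'), derSuffix]);
}

module.exports = { extractPlistXml, parseProfilePlist, classifyProfile, triageProfile, buildSampleProfile };
```

Run `triageProfile(require('fs').readFileSync('Payload/App.app/embedded.mobileprovision'))` against an unpacked IPA; an enterprise result on an app that was offered to the public through a website is exactly the situation the article describes, and an expired or revoked profile is why such apps stop launching once Apple acts.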

Facebook was unable to operate at full capacity for an entire working day until Apple issued a new certificate.

The certificate Apple issued to Connexxa (Image: supplied)

But Facebook and Google weren’t the only companies abusing their enterprise certificates. TechCrunch found dozens of porn and gambling apps — not permitted on Apple’s app store — signed with an enterprise certificate, circumventing the tech giant’s rules.

After the researchers disclosed their findings, Apple revoked the app maker’s enterprise certificate, which leaves every copy of the app already installed on victims’ phones unable to run.

The researchers said they did not know how many Apple users were affected.

Connexxa did not respond to a request for comment. Apple did not comment.



from iPhone – TechCrunch https://tcrn.ch/2Illl4Y


New iPhones sport three-camera arrays in latest rumors

One thing we can count on for sure in this unpredictable world of ours: there will, indeed, be new iPhones. Another thing that’s looking, at the very least, pretty likely is the inclusion of a three-camera array. A number of different rumors from different sources are currently circling around the addition of a third lens for 2019 models.

New reports from “reliable sources” in the Chinese supply chain (by way of 9to5Mac, by way of Macotakara, a Japanese Apple blog) have the three-camera system popping up on models with 6.1-inch and 6.5-inch OLED screens, meaning more screen real estate for the base-level model of the flagship.

The larger camera configuration (which may well induce minor trypophobia among some users) is said to be a driving factor in the decision to increase screen size. We’re still very much in the “grain of salt” portion of the Apple rumor cycle, though as 9to5Mac notes, the source has had a solid track record with these sorts of rumors before.

All of that, one assumes, would also come with a price increase for the handset, which has been pushing the $1,000 mark for a couple of years now. And all of this in a year when the company’s still not quite ready to pull the trigger on 5G. All signs currently point to a 2020 date on that one.



from iPhone – TechCrunch https://tcrn.ch/2OTOCF5


Fleetsmith lands $30M Series B to grow Apple device management platform

Fleetsmith launched in 2016 with a mission to manage Apple devices in the cloud. It simplified an IT activity that had previously been complex with help from Apple’s Device Enrollment Plan. Over the last year, the startup has beefed up its offering considerably, and today it announced a $30 million Series B round led by Menlo Ventures.

Tiger Global Management, Upfront Ventures and Harrison Metal also participated. Under the terms of the deal, Naomi Pilosof Ionita, a partner at Menlo, will join the company board. Her colleague Matt Murphy will become a board observer. With today’s announcement, the startup has now raised over $40 million, according to data supplied by the company.

Company co-founder and CEO Zack Blum says the original mission was about solving a pain point he and his co-founders were feeling around finding a modern approach to managing Apple devices. “From a customer perspective, they can ship devices directly to their employees. The employee unwraps it, connects to WiFi and the device is enrolled automatically in Fleetsmith,” Blum explained.

He says that this automated approach, combined with the product’s security and intelligence capabilities means that IT doesn’t have to worry about devices being registered and up-to-date, regardless of where an employee happens to be in the world.

It has moved from solving that problem for SMBs to having a broader mission for companies of all sizes, especially those with distributed work forces, who can benefit from enrolling in this automated fashion from anywhere. Once enrolled, companies can push security updates to all of the company’s employees and force updates if desired (or at least send strong reminders to avoid updating in the middle of a client meeting).

Over the last year, the company developed a dashboard for IT to monitor all of the devices under its management, including providing an overall health score with any potential problems it has found. For example, there may be a number of MacBook Pros without disk encryption enabled.

The dashboard ties into the identity management component of Office 365 and G Suite. IT can import the employee directory into the dashboard from either tool, and employees can sign into Fleetsmith with either set of credentials, providing a quick way to manage all of the employees in an organization.

Screenshot: Fleetsmith

Fleetsmith has also set up a partner program with Managed Service Providers (MSPs) to expand its reach further. MSPs manage IT for SMBs and building a relationship with these types of companies can help it expand much more quickly.

The approach seems to be working as the company has 30 employees and 1500 customers. With the new cash in pocket, it intends to hire more people and continue building out the product’s capabilities while expanding beyond the US to markets overseas.



from Apple – TechCrunch https://tcrn.ch/2YWmEx0