Enterprise Signing Key, Activation Lock keys could have been compromised
An unidentified Twitter user is claiming that recent changes to Gatekeeper in OS X Mavericks and OS X Yosemite, which have forced developers to re-sign their app credentials, are actually the result of a security breach that successfully pilfered the Gatekeeper keys and possibly "many other keys for many other things," according to the user. A corroborating source was located by TUAW that has allegedly confirmed the breach and tied it to the recent alleged Activation Lock hack.
Report is very questionable, claims product will be called '6L'
Taiwanese Apple blog Apple Daily has published pictures of three components it claims are parts from the oft-discussed but little-seen 5.5-inch version of the "iPhone 6." The photos show what are said to be the display, logic board and battery of the device, but at least two of the three parts are identical to the claimed 4.7-inch iPhone, casting doubt on the entire report. The battery, however, may be a genuinely new part, and is said to be nearly double in capacity compared to the current iPhone 5s battery.
Company aims to fight ruling, calls decision 'not progressive'
Berlin, Germany has banned the Uber unlicensed cab service from city limits, citing concerns for passenger safety and the unregulated nature of the drivers for the service. The firm itself is liable for a fine of $33,000 per fare, with drivers themselves seeking riders likely to be hit with a $26,500 charge by authorities as well.
Third iteration of modified Apple tablet heads to Kickstarter
Last week, we launched the Crowdfunding Critic here on MacNN and Electronista, and promised that every Tuesday and Thursday we'd highlight a new campaign. While we were working on yesterday's selection, we got wind of this -- the Modbook Pro X, by Modbook, Inc., a modification of Apple's 15.4-inch MacBook Pro into a massive pen-enabled tablet. Based on it, we decided to do our second article in the series a day late, but we think this one is worth the wait.
Gmail for iOS now leverages Google Drive directly for archiving and attachments
Google has updated its Gmail for iOS (free) to allow users to leverage the company's Google Drive in two new ways: users can now save attachments in emails directly to Google Drive, and users can now access Google Drive directly from within the Gmail app to add attachments to outgoing messages. The update to version 3.14159 (yes, pi) also gives users more options with account management, such as deciding which of their Gmail accounts are seen without removing other accounts, and changing the Gmail profile pic.
Fixes boot loops
The team responsible for the Pangu jailbreak has released its first version in English, also the first to support OS X. The tool offers untethered breaks of iOS 7.1.x devices, but last week was released exclusively in Chinese and for Windows. It also gave people an option to install 25PP, an unofficial Chinese app store. For English-speaking users, 25PP installation is disabled by default. The update also solves a problem with iOS devices getting stuck in boot loops.
Public parking spot resale service claims legitimacy, will continue to operate
Startup public parking spot sale app Monkey Parking has vowed to fight the cease-and-desist served onto it earlier this week. The company is claiming that the order is a misinterpretation and invalid use of San Francisco police code, and believes that the model of selling a parking spot that a driver is about to depart is protected by free speech rights.
Security researchers find September vulnerability attack to Germany
According to Dell's security researchers, a single piece of software, surreptitiously installed on some Synology network attached storage devices, has mined $620,000 of virtual currency Dogecoin. A combination of a vulnerability discovered in September and users not updating the system software of the appliances enabled the hack to occur, which installed the mining package, forcing the devices to run hot and transfer data slowly due to the load from the miner.
Streamlines several tasks
Cydia, the app distribution platform for jailbroken iOS devices, has been updated to v1.1.10. The software has been given improved handling of sources and packages, namely by relocating functions that were previously buried within three different sections in the Manage tab. That tab has in fact been renamed Installed, and only contains what was in Manage's "Packages" section, along with a quick User/Expert/Recent selector at the top.
Based on 'beautiful kernel bug,' vulnerability may be difficult to quickly fix
Not one but two well-known hack researchers have now posted evidence of working jailbreaks for iOS 7.1.1, which until now had closed the existing loopholes used by other techniques such as evasi0n. While interest in and use of jailbreaks has waned as Apple has gotten better at closing vulnerabilities, enthusiasts and die-hard customizers continue to want the ability to use unofficial apps or tweak settings in the latest iOS releases.
Embattled studio shift to mobile so far failing to gain traction
In conjunction with Zynga's quarterly results, new CEO Don Mattrick revealed that founder Mark Pincus is stepping down as chief product officer at the embattled game producer. Mattrick also announced that Alex Garden, ex-general manager of Xbox Live, has been hired as president of Zynga Studios.
Nested folders still not officially supported in iOS
A bug in iOS 7.1 lets people place folders within folders, or even hide icons, users note. To pull off the folder trick, a person has to first completely fill an iOS homescreen with apps -- including both the regular grid and the dock, which in the case of an iPad can fit up to six apps. A user must then create a new folder by dragging one app on top of another. As the folder animation starts, though, a person has to quickly drag the folder they want nested into the new one.
Current technique limited by processor
A hacker going by the alias "winocm" has demonstrated what appears to be the first untethered jailbreak of iOS 7.1. The hack currently works only with the iPhone 4 however, since it's the only iOS 7-capable device with an A4 processor. winocm and well-known jailbreaker iH8sn0w are said to be working on a jailbreak for A5-based devices, like the iPhone 4S, iPad 2, and first-generation iPad mini. That could mean it will be some time before modern A7-based devices are cracked.
Discovery casts doubts on loss claims, accounting standards
The recently-shuttered and allegedly bankrupted Mt. Gox Bitcoin exchange has now said it has "found" nearly a quarter of the total "stolen" Bitcoins stored in a "wallet" -- the term for a digital file used to store the virtual currency -- that the company was no longer using. The 200,000 coins found represent some $115 million of the $470 million (in current trade value) lost by customers when the exchange closed down.
Vulnerability shut down, but fooled visitors into providing info
Late Wednesday afternoon, Electronic Arts reported that it had finally closed a serious vulnerability on its web servers that allowed hackers to host a fake "Apple ID" page -- part of a phishing scam that attempted to trick users into visiting the fake page and supplying personal information and credit card details that Electronista reported on earlier today. Netcraft, which originally spotted the compromised pages, reported the problem to EA on Tuesday night.
Says OS X is 'very safe' overall
At this week's Pwn2Own hacking contest, a group calling itself the Chinese Keen Team successfully used two vulnerabilities to run arbitrary code through Safari, according to ThreatPost. The exploit is reported to have been executed via a flaw in Safari's WebKit engine and a bypass of the sandboxing in recent versions of OS X. One member of Keen, Liang Chen, comments however that OS X is "regarded as very safe and has a very good security architecture," and that what vulnerabilities there are are "very difficult to exploit."
Ironically patches loopholes that allowed Evasi0n jailbreak to work
In a backhanded compliment, the security notes accompanying today's release of iOS 7.1 thank the jailbreaking hacker team known as Evad3rs -- known for their jailbreaking software, Evasi0n -- for finding several security flaws, which iOS 7.1 patches. Ironically, these discoveries are also what made the Evasi0n jailbreaking software work, and thus iOS 7.1 "breaks" the software and un-jailbreaks any iOS devices using Evasi0n.
Google services like Gmail and Google Now added to phone in five steps
A member of the XDA-developers forum who won a Nokia X at the Mobile World Congress has managed to hack and gain root access to the phone in order to bring Google applications and services to the device. The Nokia X, known for using the bare-bones free version of Android at its core, had opted to pull in Microsoft services to intentionally avoid Google's integration.
Role unspecified, but had reverse-engineered iOS, OS X for porting
A well-known hacker of OS X and iOS, who single-handedly rewrote the core of both operating systems to allow them to be ported to other devices and contributed to various jailbreak apps for iPhones, has announced that he will be joining Apple as an intern or employee later this year. The coder, known as "winocm," is 17 years old but already an expert reverse-engineer who says he has been doing "insane things" with the cores of iOS and OS X.
Use of security tokens allows Snapchat denial of service attack
Snapchat, the picture based messaging platform, appears to have more problems on its hands after its recent account breach. It has been discovered that the program can be used in denial-of-service attacks against iOS and Android based phones to disable or crash the devices through sending thousands of messages to the device in a matter of seconds.
Exploit blocked in iOS 7.1
A newly-discovered hack lets people disable Find My iPhone without first entering a password. Shown in a YouTube video (below), the exploit requires only making a few simple changes to a device's iCloud account. It's confirmed to work on iPhones and iPads running iOS 7.0.4, although it appears to be blocked in iOS 7.1, which is still in beta.
Continues minor interface tweaks
(Updated with evasi0n hack break, samples of new voices) Apple is now seeding a fifth beta of iOS 7.1 to developers. Changes appear relatively minor, but release notes mention "new natural-sounding Siri voices" for Japanese, the UK and Australian English dialects, and Mandarin Chinese. Apple also appears to be continuing visual tweaks to the OS, for instance by adding new Shift and Caps Lock buttons (below).
Will fight Bromwich appointment, 'roving' investigation, excessive fees and qualifications
Apple has officially filed for an appeal of US District Judge Denise Cote's recent decision, which denied both Apple's request to suspend an antitrust external compliance monitor (ECM) while an appeal of the main judgement is considered, and a request to disqualify the current appointee, Judge Cote's personal friend and former DOJ Inspector General Michael Bromwich.
Group has made dubious boasts before, claims probably untrue
[Update: the group has closed its Twitter account, saying it has "suspended operations" indefinitely] A hacker "group" that has previously made dubious claims of playing a role in attacks such as the recent Dropbox outage has now claimed it hacked into Apple's "user database" and posted a printout of some outdated user information on Pastebin as "proof." The group previously claimed to have hacked into Dropbox's database, but then changed its story and said that it was responsible for a "denial of service" attack that caused the outage (Dropbox have denied both claims).
Custom graphics card not upgradable, PCIe storage still in doubt
A teardown of the new Mac Pro by upgrade experts Other World Computing will give cause for much celebration among DIY technophiles (who are, ironically, unlikely to be customers of the new workstation) -- the retailer says both the RAM and, more surprisingly, the central CPU unit of the Mac Pro are removable, paving the way to future upgrades. It's also possible that the proprietary connector used for the PCIe-based storage may be upgradable as well.
Taig now hosting unofficial version of jailbreak
Evad3rs -- the team behind the evasi0n jailbreak for iOS 7 -- has issued a second open letter, admitting that it "dropped the ball" on investigating whether Taig's app store contained pirated content. The evad3rs team recently acknowledged benefiting financially from its work. Around the same time the team severed ties, pulling Taig's store from evasi0n completely. In the new letter, evad3rs states that "after investigation and after notification from the community," it found examples of piracy such as "pirated tweaks, Apple App Store apps, and even pod2g's PodDJ app."
Does better in some areas, but can't compete on cost or specs
For many consumers, a quad-core i7 "Haswell" computer with SSD storage -- whether it is a Mac or PC -- is by far the fastest computer they've ever used, and meets everyday needs handily. Some, however -- creative professionals, scientists and others -- need all the power they can get and then some. The rapid sellout of the new Mac Pro -- surprising even Apple -- may revolve around the fact that its new design is a tough combination to beat, even for DIY PC builders.
Unofficial app store's pirated content creates firestorm
Chinese company Taig paid evad3rs $1 million to include its third-party app store for Chinese users of the evasi0n jailbreak for iOS 7, rumors claim. The store appeared only for Chinese users of the jailbreak, in place of the distribution platform offered elsewhere, Cydia; it has since been removed as an option. Taig's offering has been controversial, since it hosts a number of apps pirated from Apple's official App Store.
Sentence derided as 'vengeful, spiteful act'
Hacker Jeremy Hammond has been dealt a 10-year prison sentence for his role in the 2011 theft of emails and credit card data from intelligence company Strategic Forecasting (Stratfor). The sentence was handed down in a federal court in Manhattan, where the 28-year-old pleaded guilty to violating the Computer Fraud and Abuse Act (CFAA).
Classic programs re-created in HTML5 for web play
In unrelated developments, two recent "recreations" of former Mac and Nintendo classics have made their way into "web app" versions, bringing back familiar software for those of a certain age, providing a "living" demonstration of "old-school" programs and games and at the same time offering a showcase for the growing flexibility of web technologies. The year-old "CloudPaint," a tribute to the Macintosh's original graphics program MacPaint, has recently been updated with five levels of "undo" -- and another site offers a fully-playable HTML5 version of Super Mario. Both are available for use free of charge.
Airplane Mode, lack of warnings identified as soft spots
A new SRLabs video demonstrates one possible method of getting around both Touch ID and Activation Lock on a stolen iPhone 5s. The video points out that while Apple lets users locate and/or remotely wipe a device using the Find My iPhone app, a 5s can be set to Airplane Mode without unlocking if lockscreen access to Control Center is left enabled. Since Find My iPhone can only perform a wipe if a device is connected to the Internet, that may give a thief enough time to lift and mold a fingerprint to bypass TouchID, and begin hijacking Apple, Google, and other online accounts.
Patch fails to resolve lockscreen vulnerabilities
A newly-documented technique lets people bypass the lockscreen in iOS 7.0.2 and dial any phone number, not just emergency numbers. The method involves waiting for a notification, or forcing one by sending a text message or ejecting the SIM card. Once the notification pops up, a hacker has to swipe right on it while simultaneously swiping up on the Camera icon. While keeping a finger on the Camera icon, a person must then slide to unlock and tap the Emergency Call button. After dialing, hitting the Call button quickly two or three times should crash Springboard, but allow the call to go through once Springboard restarts.
Hacker group offering unusual reward for breaking iOS authentication
A group in Germany claims to have successfully worked around Apple's new Touch ID biometric system, albeit using an extremely elaborate system to do so, involving a high-resolution lifted fingerprint and creating a "fake finger" that mimics a real one that has the lifted fingerprint printed onto latex milk or wood glue and then applied -- and of course physical access to the iPhone that utilizes that particular fingerprint. A different hacker group is offering a reward for such a solution, including cash, Bitcoins, liquor and books.
Mimics previously-documented vulnerabilities
[Update: Apple acknowledges issue, says fix is on the way] A newly-documented technique lets people bypass an iOS 7 device's security to look at personal photos, according to accounts. Several steps are involved: swiping up Control Center from the lockscreen, opening Stopwatch, opening the Alarm Clock, holding down the power button until the "Power Down" prompt appears, then finally tapping Cancel and double-tapping the home button twice, but slightly longer on the second press. This opens up the multitasking menu, from which point a person can jump into the Camera app and browse or share a person's photos.
Command server down; risk low, but points out potential vulnerability
A file that looks like an image file and bears a camera-like filename with the extension not visible by default has been discovered to actually be a rogue application that could install a permanent "backdoor" on Mac systems and triggers Preview to open an image, fooling the user into thinking it was simply an unusual picture file. The purpose of the Trojan appears to be supportive of the hacker Syrian Electronic Army, which is in league with the totalitarian regime of Syria's present government. It is currently considered low-risk for a number of reasons.
Developer criticizes Google
Google has allegedly disabled media streaming capabilities for certain third-party apps available for the company's Chromecast dongle. Developer Koushik Dutta claims the company intentionally disabled his AllCast app, which allowed users to wirelessly stream a wide range of content, including locally stored media files, via HDMI.
Already in iOS 7 beta; hack demonstrated earlier today
Apple says it has already fixed an obscure security flaw that could have allowed hackers to access data on an iOS device through the use of a specially-designed custom USB device that looks like a charger but in fact contains a tiny Linux-powered computer designed to insert malware. The fix is already present in the most recent iOS 7 beta and will be incorporated into the OS when it is released to the public this fall, the company says, and involves notifying users whenever they connect to another computer, even through the power adapter.
Can affect Messages app thanks to group MMS, SMS use
While under normal circumstances most users would never see an unwanted or "spam" message in the OS X and iOS program Messages, Apple has now set up an abuse reporting mechanism to help deal with those who have the issue. Using the email address email@example.com, users can send a screenshot of the unwanted message, phone number or email address of the spammer or harasser, and time/date info on the message. Unwanted or spam SMS and MMS messages should still be reported to users' cellular providers rather than Apple.
Hacking attack has prompted changes, systems will be rolled out soon
MacNN has received reports that iTunes Connect, a crucial part of Apple's crippled Developer channel, is now online after an unprecedented week of closure following a hacker attack by a security researcher that exposed some data. While the attacker, Ibrahim Balic, has claimed he was just doing "security research," the company shut the system down and said it has been "working around the clock" to overhaul developer systems, update server software and rebuild the entire database to close vulnerabilities. Apple has launched a new "system status" page for the Developer Center.
AT&T equivalent harder to manage
A new hack should allow T-Mobile subscribers to use iOS' personal hotspot feature for free without jailbreaking, says the workaround's creator, iTweakiOS. A component buried in iOS, CommCenter, normally checks the signatures in carrier PLIST files and prevents those files from being usably edited. The T-Mobile hack is said to bypass CommCenter checks while also being relatively easy to apply.
Also promises HSPA speed boost for iPhone 4S
An updated hacked carrier profile for AT&T unlocks early access to HD Voice for the iPhone 4S and 5, among other features, says developer iTweakiOS. The update is moreover said to enable faster HSPA speeds on the iPhone 4S, up to 21Mbps down, as well as early access to disaster and Amber alert systems. Troubleshooting efforts deal with unstable HSPA+ connections and iPad users losing signal entirely with a previous update.
iFixit holding giveaway in the spirit of Independence Day
Today, iFixit, the self-repair advocate and tutorial site, announced its upcoming event, Liberation Week, running from July 1-5, 2013. iFixit seeks to combat planned obsolescence by giving users access to the information needed to repair and upgrade products. Citing Independence Day, iFixit will be giving away free iPhone Liberation kits - tools to open one's iPhone for self-repair access - to the first 1776 claimants. Stating that the consumer should have the right to open their phone, iFixit says the kits include a pentalobe screwdriver, so that users can replace the original screws with the standard Phillips head screws provided. Pentalobe screws are intended to be tamper-resistant, as there are no readily available screwdrivers with a compatible head. Also in the kit is a #00 Phillips screwdriver, to use in future openings of one's iPhone.
Some will be driven to distraction by 'unanswered call' in music
Indie LA-based band Mars Argo have prominently used the iPhone's distinctive "Marimba" ringtone -- the default one that relatively few owners ever change -- as the basis of an entire song for their latest single, ironically titled "Don't Call Me." While many will find the gimmick catchy in the effervescent pop song, iPhone owners who are Pavlovian in their response to a ringing iPhone should likely approach the song with caution -- the tone is used continuously throughout the track, though there are sections where it fades into the background.
iFixit's tear down reveals one of Apple's most repairable products
Tech site iFixit has uploaded a new teardown for the latest AirPort Extreme, Apple's first 802.11ac wireless base station. Opening the device revealed an interior space to allow for a hard drive to be installed; however, hopes of at-home storage upgrades were dashed by no available plug-in options on the logic board. The AirPort Extreme offers a Delta Electronics 12V, 5A power supply, much akin to Mac Mini technology. Thanks to a simple disassembly, iFixit staff have categorized the wireless base station, along with Apple TV and Mac Mini, as the most repairable Apple product in recent history.
Bigger-capacity battery, dual mics, Samsung-provided storage
Two initial teardowns of the latest MacBook Air model by Mac specialists OWC and iFixit have revealed a number of small changes but mostly similarities between the latest revision and the current model. Overall, no huge changes were made to the interior layout of the 11-inch device, apart from a completely redesigned Airport card and other minor tweaks. The investigation did turn up that the battery in the unit features a 6.7 percent capacity increase in the same space, aiding the dramatically increased battery life.
Leaked documents allegedly cover PRISM, supporting systems
More documents allegedly related to the National Security Agency (NSA) and its data harvesting activities have surfaced, courtesy of hacking collective Anonymous. The group released a total of 13 documents that it claims "prove that the NSA is spying on you," and that its spying activities are not just covering Americans, but also people in over 35 different countries.
Charges of widespread monitoring follow discovery of Verizon NSA data collection
Just a day after respected UK newspaper The Guardian reported that a leaked secret US court order showed that the National Security Agency (NSA) was harvesting millions of phone records and "telephony metadata" from Verizon customers, a new report from The Guardian and the Washington Post has charged that the NSA is further using a secret program called PRISM to harvest usage data from the internal servers of most of America's major tech companies -- including Apple, Google, Microsoft and many others.
Enables use with third-gen Apple TV
A new hack dubbed PlexConnect allows the third-party Plex media server to run on second- and third-generation Apple TVs without jailbreaking, the creators of Plex say. The technique involves running a program on a computer which disguises itself as the Trailer app; changing a setting on the Apple TV is then all that's needed to put everything into motion. The Plex team notes that PlexConnect uses the latest transcoder, supports iTunes DRM, and can also handle AC3 5.1 sound when using the current preview release of Plex.
Apps claimed to be compromised, Sky advises apps safe
British broadcaster Sky is the latest victim of hacking by the Syrian Electronic Army. Just as in previous attacks, one of its Twitter accounts was taken over by the hackers, but in an unusual maneuver, SEA also managed to gain access to the corporation's Android app listings, replacing the app descriptions on Google Play with "Syrian Electronic Army was here."
Does not require jailbreaking, doubles throughput rates
An altered carrier update that has been modified by two hackers successfully increases the bandwidth available for iPhone 5 units on T-Mobile's US network, tests have found. The patch to the carrier update file, which was originally distributed to add LTE signal to the iPhone 5 using T-Mobile's 1900MHz band, works on both unlocked AT&T units as well as "native" T-Mobile iPhone 5 devices without requiring a jailbreak, though instructions vary for customers using jailbroken iPhones.