Update to iOS 11.2 Immediately, Apple’s Bad Bug Week Got Worse

Apple has another serious software flaw. This one isn’t a security vulnerability, but it causes some iOS devices (iPhones, iPads) with third-party apps installed that use local notifications to get stuck in a reboot loop starting on December 2nd. iOS 11.2 is out now and resolves the issue, along with adding other features like Apple Pay Cash for sending money to your friends and family, and fixes other issues. If you’re already experiencing the reboot loop, Apple has some steps for you to follow before updating.

Other workarounds include setting your time back by a day or disabling notifications for the apps that cause it, but it’s better to just update.

Some people have the idea that staying on an older version of the software is more stable or more secure. That is always a bad idea in our day of networked devices that are constantly under attack from governments and other bad actors.

It must really be crappy to be on the teams responsible for these issues this week, but it’s difficult to blame anyone specifically for them. The root exploit looks like a reasonable mistake that could happen to anyone. We don’t have all the details of the December 2nd bug yet, but both of these issues require an extremely specific set of things to go wrong before they happen. I have no doubt that Apple’s QA processes will change to include testing for these kinds of issues, but there isn’t any perfect software. What Apple has done well is the delivery mechanism for getting those updates out to users.

When Android has issues like these, they are difficult to resolve because so many different companies have to get involved before updates reach end users. I don’t envy anyone trying to resolve that issue at Google.


Apple Has a Patch out for the macOS Root Access Security Vulnerability

Go to the Updates tab in the Mac App Store to apply it now; you won’t even need to reboot. Apple has more details about the update at this link.

Here’s the post from yesterday with the details of the vulnerability.

Update:
If you have any trouble with file sharing after applying this security patch, Apple has another fix for that. Oops.

The macOS Root Access Security Vulnerability

There’s a vulnerability in the latest version of macOS High Sierra (10.13.1) that may let anyone with physical access to a Mac log in and gain system administrator (root) access. Or, if they already have an account, upgrade their access to the system administrator (root) level.

You can work around the issue by setting a root password, as described in this support document from Apple. They’re working on a fix.

The vulnerability works like this:

  1. At any login or privilege-escalation dialog, the user types the username root.
  2. The user presses the login button or Enter a few times in quick succession.
  3. The system enables the root user account and assigns it no password.

It is incredibly bad for Apple to have a vulnerability this easy to exploit, and it’s ridiculous that it was apparently also posted publicly on Apple’s developer forums weeks ago.
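Since the bug leaves the root account enabled, a Mac admin will want a quick way to tell whether root is currently enabled on a machine. The check below is an added example for this post, not Apple’s code and not part of the linked support document. It assumes the usual macOS behaviour that a disabled root account has no AuthenticationAuthority attribute in the local directory, so `dscl . -read /Users/root AuthenticationAuthority` reports “No such key”, while an enabled root account prints the attribute. The classifier is separated from the live command so it can be exercised on captured output.

```python
"""Added example: report whether the macOS root account is enabled.

Not Apple's code. Assumes that a disabled root account has no
AuthenticationAuthority attribute (dscl prints "No such key") and an
enabled one prints "AuthenticationAuthority: ..." for that record.
"""
import subprocess

# Real dscl invocation; only meaningful on macOS, where dscl exists.
DSCL_CMD = ["dscl", ".", "-read", "/Users/root", "AuthenticationAuthority"]


def classify_root_state(dscl_output: str) -> str:
    """Classify root from the combined stdout+stderr of DSCL_CMD.

    "disabled": the attribute is absent, which is the normal state.
    "enabled":  the attribute is present, so root can log in (the state
                this bug leaves behind; set a root password or disable it).
    "unknown":  output did not match either pattern.
    """
    if "No such key" in dscl_output:
        return "disabled"
    if "AuthenticationAuthority:" in dscl_output:
        return "enabled"
    return "unknown"


def check_root_account() -> str:
    """Run dscl and classify the result; degrades gracefully off macOS."""
    try:
        proc = subprocess.run(DSCL_CMD, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "unknown (dscl not available)"
    return classify_root_state(proc.stdout + proc.stderr)


if __name__ == "__main__":
    print("root account:", check_root_account())
```

Run it on the Mac in question; “enabled” means you should either set a root password as Apple’s workaround describes or apply the security update, and then re-run the check.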

Uber Hid Hack of Data From 57 Million Users & Drivers

Bloomberg’s Eric Newcomer:

Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.

Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.

Android Users’ Location Information Is Always Being Sent to Google

Quartz’ Keith Collins:

Many people realize that smartphones track their locations. But what if you actively turn off location services, haven’t used any apps, and haven’t even inserted a carrier SIM card?

Even if you take all of those precautions, phones running Android software gather data about your location and send it back to Google when they’re connected to the internet, a Quartz investigation has revealed.

Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals’ locations and their movements that go far beyond a reasonable consumer expectation of privacy.

Quartz observed the data collection occur and contacted Google, which confirmed the practice.

Google claims it wasn’t doing anything with the data received from Android devices, and says it’ll stop collecting it (at the end of the month) now that Quartz has caught them.

I’m not sure why anyone should trust Google’s word about what they were doing with this information when they explicitly use location information to target ads and were pulling this shit with no way for a user to disable it.

You can bet that companies like Google (Photos), Facebook and its subsidiaries such as Instagram, and Twitter also scrape location information whenever you upload photos to their services by reading the EXIF data attached to every photo. You can use apps like Metapho on iOS to remove the EXIF information from your photos before you share them.
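To show what an EXIF-stripping tool actually does, here is an added example (my own illustration, not Metapho’s code or anything from the original post). A JPEG is a sequence of marker segments, and the camera metadata, including the GPS sub-IFD, lives in an APP1 segment whose payload starts with `Exif\0\0`. The script walks the segments, reports whether IFD0 points at a GPS sub-IFD, and writes out a copy with every Exif APP1 segment removed. It runs on a tiny JPEG container constructed inline (not a decodable picture) and assumes there are no fill bytes between markers, which holds for phone and camera output in practice.

```python
"""Added example: detect and strip the Exif APP1 segment from a JPEG so the
GPS (and other) metadata is not shared with the photo. Not Metapho's code.
Assumption: no 0xFF fill bytes between marker segments."""
import struct

SOI = b"\xff\xd8"            # start of image
APP0, APP1, SOS = 0xE0, 0xE1, 0xDA
EXIF_ID = b"Exif\x00\x00"     # APP1 payload prefix used by Exif
GPS_IFD_TAG = 0x8825          # IFD0 tag that points at the GPS sub-IFD


def iter_segments(data: bytes):
    """Yield (marker, start, end) per segment. SOS is yielded with
    end == len(data) because entropy-coded scan data follows it."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            yield marker, pos, len(data)
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes itself
        end = pos + 2 + length
        yield marker, pos, end
        pos = end


def exif_segments(data: bytes):
    """(start, end) of every APP1 segment carrying Exif data."""
    return [(s, e) for m, s, e in iter_segments(data)
            if m == APP1 and data[s + 4:s + 10] == EXIF_ID]


def exif_has_gps(data: bytes) -> bool:
    """True if any Exif block's IFD0 contains a GPS sub-IFD pointer."""
    for start, end in exif_segments(data):
        tiff = data[start + 10:end]           # TIFF structure after "Exif\0\0"
        bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if bo is None or len(tiff) < 8:
            continue
        ifd0 = struct.unpack(bo + "I", tiff[4:8])[0]
        if ifd0 + 2 > len(tiff):
            continue
        count = struct.unpack(bo + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):                # each IFD entry is 12 bytes
            off = ifd0 + 2 + 12 * i
            if off + 12 > len(tiff):
                break
            if struct.unpack(bo + "H", tiff[off:off + 2])[0] == GPS_IFD_TAG:
                return True
    return False


def strip_exif(data: bytes) -> bytes:
    """Copy of the JPEG with every Exif APP1 segment removed."""
    out = bytearray(SOI)
    for marker, start, end in iter_segments(data):
        if marker == APP1 and data[start + 4:start + 10] == EXIF_ID:
            continue                          # drop the whole metadata block
        out += data[start:end]
    return bytes(out)


def build_sample_jpeg(with_gps: bool = True) -> bytes:
    """Constructed sample: SOI, Exif APP1, JFIF APP0, SOS header, three bytes
    of fake scan data, EOI. A valid container, not a viewable picture."""
    entries = [struct.pack("<HHIHH", 0x0112, 3, 1, 1, 0)]  # Orientation = 1
    count = 2 if with_gps else 1
    gps_offset = 8 + 2 + 12 * count + 4                   # GPS IFD right after IFD0
    if with_gps:
        entries.append(struct.pack("<HHII", GPS_IFD_TAG, 4, 1, gps_offset))
    tiff = b"II" + struct.pack("<HI", 42, 8)              # little-endian, IFD0 at 8
    tiff += struct.pack("<H", count) + b"".join(entries) + struct.pack("<I", 0)
    if with_gps:                                          # GPS IFD: GPSLatitudeRef "N"
        tiff += struct.pack("<H", 1) + struct.pack("<HHI", 0x0001, 2, 2)
        tiff += b"N\x00\x00\x00" + struct.pack("<I", 0)
    payload = EXIF_ID + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return SOI + app1 + app0 + sos + b"\x12\x34\x56" + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg()
    cleaned = strip_exif(photo)
    print("GPS before:", exif_has_gps(photo), "after:", exif_has_gps(cleaned))
    print("bytes:", len(photo), "->", len(cleaned))
```

Two caveats worth knowing: dropping the whole APP1 block also discards harmless fields such as orientation, so a viewer may display the image rotated; and phones can also write location into an XMP block (a second APP1 segment with a different prefix), which this example leaves untouched, so a real tool should strip or inspect that too.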

Nick Heer on the iPhone X

There are plenty of reviews out there now, but few reviewers had much time with the iPhone X before it was released, because Apple chose not to give them much time with it.

Nick Heer:

The iPhone X is a product that feels like it shouldn’t really exist — at least, not in consumers’ hands. I know that there are millions of them in existence now, but mine feels like an incredibly well-made, one-off prototype, as I’m sure all of them do individually. It’s not just that the display feels futuristic — I’ll get to that in a bit — nor is it the speed of using it, or Face ID, or anything else that you might expect. It is all of those things, combined with how nice this product is.

Uber Had the Opportunity to Monitor Everything on Your iPhone’s Screen

Daniel Jalkut:

Yesterday, Gizmodo reported that Uber had been granted an entitlement for their iOS app that allowed them to capture an image of an iPhone’s screen at any time, even when the Uber app was not the active app on the phone. This is a big deal, because users don’t typically expect than an iPhone app that is not active might have the ability to eavesdrop on anything they are doing.

I have long felt that the sandboxing infrastructure on both iOS and Mac should be used to more accurately convey to users specifically what the apps they install are capable of doing. Currently the sandboxing system is used primarily to identify to Apple what a specific app’s privileges are. The requested entitlements are used to inform Apple’s decision to approve or reject an app, but the specific list of entitlements is not easily available to users, whose security is actually on the line.

This is absolutely fucking ridiculous. Fuck Uber. Apple should be ashamed for working with them at any level. Allowing an app to covertly record your screen without any prompting is exactly the kind of thing that Apple’s iOS app review process should prevent.

Uber claims it didn’t do anything wrong with this ability, and the security researchers told Gizmodo that they didn’t detect anything going on with this code.

There are companies that are less trustworthy than Uber, but few have the opportunity to be as evil on such a large scale. Enabling them to do anything more than operate at a basic level on your platform is a mistake. At this point Apple should block them entirely and attempt to help the taxi industry reform and compete with Uber. Not that Apple ever would, but still, that would be the best thing to come out of this. The next best thing would be the improvements to the entitlement system that Jalkut suggests.

I wouldn’t even bother to wonder what Uber are doing on Android, where security is a fucking joke and carriers are still selling devices running ancient versions of that operating system that are affected by dozens of security vulnerabilities. This is especially true for pay-as-you-go phones sold cheaply at places like Walmart, Target, and so on. Those carriers and stores are endangering their customers by continuing to sell these devices.

iOS 11 Out Today; Here’s How to Check If You Have Any Apps That Won’t Run

iOS 11 is going to be available today. If you’ve been reading Nuclear Monster for a while you already know that some apps won’t be compatible with iOS 11, as Apple drops the 32-bit software layer. Developers have been expecting this change for a long time, and it’s unfortunate that some haven’t been able to update their apps, but here is how you check whether any of the apps you use haven’t been updated for iOS 11 yet.

  1. Open Settings and tap General.
  2. Within General, tap About.
  3. Tap Applications.
  4. You should be presented with a list of applications that won’t be compatible with iOS 11.

Hopefully these developers will update their apps, but if there’s anything critical to you in this list without an update available, you might want to consider holding off on the upgrade to iOS 11.

Apple iPhone & Watch Event Follow-up

After the recent Apple event ended I wanted to follow-up on a few points about the new iPhones as well as the cellular stuff for the Watch.

First of all, there’s the size comparison between the X and the 8 Plus.

It’s clear after watching this Apple developer video about making apps for the X that the X’s screen really isn’t as wide as the 8 Plus. This makes the X more of a taller 4.7-inch non-Plussed iPhone. You can see the width in this screenshot of that video below and the height in the one above:

This means that the X won’t get the same layout as apps on the Plus phones. These measurements are in points, abbreviated as pt, because points are a more reliable indicator than pixels when developing for high-DPI (Retina) screens and devices like the iPhone. The baked-in rounded corners of the display, the area at the bottom of the screen for the on-screen home-swipe indicator, and the status bar accommodations all trim the total pixels of the display available to apps.

Marques “MKBHD” Brownlee has a great hands-on video demonstrating the X in motion. I strongly recommend watching it to anyone considering that device over the 8 or 8 Plus:

The notch for the front-facing camera and other sensors, and the “ears” on the right and left side of the iPhone X, are going to take some getting used to. I suspect that Apple can’t wait to get rid of it as soon as possible. In the video you can see MKBHD watching a movie trailer or clip and it’s shocking to see the X displaying in “full” mode with the movie partially occluded by the notch.

The naming of these devices is also bonkers this year. By calling one device the X, and pronouncing that as 10, Apple is going to confuse the hell out of people who want to compare it to the 8. They should have called one of these phones something else in order to distinguish the X line of devices as high-end if they’re set on continuing this practice into the future.

I wonder what this means for the future of the iPhone. Is Apple going to have three phones announced in September 2018? Maybe they’ll update the SE in the first half of the year as well. I would expect them to bring this edge-to-edge screen to all of their handheld devices eventually, but that might take a while. I’ll look forward to an iPhone Plus device with that screen, or one with even less bezel, hopefully next year.

The supposition I’ve heard from other writers about the higher cost of the iPhone X is that it gives Apple the ability to make a smaller batch of devices with different parts that they might not be able to source at the scale they need for a typical iPhone launch. If that’s true, well, I don’t give a shit about Apple’s supply issues, and neither will anyone else, so it’s good that Apple didn’t make a big deal out of that during the event and simply presented the X as a futuristic device available today.

The one distinguishing physical feature of the iPhone 8 versus the 7 is the glass back. I haven’t seen the back of my iPhone since the last time I changed the case. I don’t think most people use their phones without a case unless they don’t mind replacing them often.

With the Series 3 Watch there’s that cellular plan to think about. If you get a Series 3 Watch with LTE you don’t have to activate a plan at all; it’s optional. If you do, it turns out that it’ll be ten bucks a month to bring it online and tie it to your iPhone’s cellular plan, according to iMore, who also have more details rounded up, although they’re missing Sprint’s information that attaching the Watch to its network will cost the same $10. The Watch also won’t roam onto other networks even if your iPhone can.

The more expensive Series 3 with cellular also has twice as much internal storage; iMore guesses that this is due to the Apple Music support. It’s also gonna have worse battery life if you want to use it to replace your iPhone and remain on LTE all day. And since you have to have an iPhone on your carrier’s plan to use the Watch on a cellular network, it can’t be a real replacement for an iPhone today.