Security

You may not remember, but a modified copy of Xcode that surfaced on the web in 2015 was responsible for injecting malware into several iPhone and iPad apps that were subsequently uploaded to the App Store. Now, thanks to the Epic vs. Apple trial, internal Apple emails have revealed that more than 128 million iOS users were affected by the “XcodeGhost” malware.

An award-winning iPhone hack was used by the Chinese government to spy on Uyghur Muslims, giving Beijing total control of their phones.

A detailed report says that Chinese white-hat hackers used to participate in the annual Pwn2Own contest designed to uncover and exploit zero-day security vulnerabilities. The hackers win cash prizes, and the issues are reported to the companies concerned so that they can be fixed before details are shared publicly …

A new study published today takes an in-depth look at how apps used in schools are sharing children’s data with third parties. The research found the majority of school apps transmit data and that Android is 8x more likely to be sending that data to “very high-risk” third parties than iOS.

Apple released updates for iPhone, iPad, Mac, and Apple Watch today with multiple security updates. The patched flaws involved malicious web content that could lead to arbitrary code execution – and Apple says they may have been actively exploited.

The Cellebrite Physical Analyzer – the most intrusive phone-cracking tool offered by the company – no longer supports the direct extraction of iPhone data, according to a document shared with us. This follows the discovery and exploitation of a vulnerability by secure messaging app Signal.

Signal discovered multiple security vulnerabilities in Cellebrite’s software, and was able to find a way to booby-trap iPhones to corrupt the results of a scan using Physical Analyzer …

US military movements in Syria were revealed by location info available for purchase from smartphone apps, says a new report today. This included enough information to identify the location of an undeclared US military base in the country.

The sensitive location information was harvested from weather, games, and dating apps on the phones of US soldiers, and appears to include special ops personnel …

An AirDrop flaw means that doing nothing more than opening an iOS or macOS sharing pane within Wi-Fi range of a stranger can enable them to see your phone number and email address. You do not have to initiate an AirDrop transfer to be at risk.

The security researchers who discovered the vulnerability say that they disclosed it to Apple way back in May 2019, but the company still hasn’t provided a fix to the 1.5 billion affected devices …

Secure messaging company Signal has successfully used an iPhone SE to hack Cellebrite‘s phone-cracking software. The company says that anyone could place a file on their iPhone that effectively renders useless any data extraction performed on the phone, and that it will be doing this for Signal users.

Signal says that the file could also compromise all past and future reports generated from the Cellebrite Windows app …

An Apple Support document has revealed that Apple made a very rare change to the production of its A12 and S5 processors last fall. According to the company, Apple upgraded the Secure Enclave in those processors to a second-generation version of the Storage component during the fall of 2020.

Apple has published its latest Transparency Report covering government and private party requests for data from January 1 to June 30, 2020. This report reveals how many requests were made for user data around the world, and how many with which Apple could comply.

Internal documents released as part of the Epic Games lawsuit reveal an Apple anti-fraud engineer suggesting that App Store checks were grossly inadequate.

Epic cited two particularly damning quotes from Eric Friedman, head of the company’s Fraud Engineering Algorithms and Risk unit, in internal documents …

The Pwn2Own 2021 event is promoted by the Zero Day Initiative as a way to encourage developers and researchers to report zero-day vulnerabilities to the affected companies instead of selling these breaches to malicious hackers. This year, systems researcher Jack Dates was paid $100,000 after finding a new exploit in Apple’s Safari web browser.

Facebook will tell you if a page is satire, as well as if it isn’t, in a new initiative. When a satirical page uses the name of a politician, for example, it will be labeled “Satire Page” to ensure that people don’t mistake it for the real person.

Conversely, posts by politicians will be labeled as “Public Official” …

It was revealed over the weekend that a huge data breach saw personal data leaked from Facebook, including phone numbers, full names, and dates of birth. There’s now a way for you to check if any of your personal data was compromised …

Despite all the efforts companies make to improve the security of their devices, there’s always someone working to find new vulnerabilities. This time, a group of advanced hackers managed to infect devices running iOS, Android, and Windows through compromised websites.

A new backdoor threat has been discovered that aims to compromise Apple developers’ Macs with a trojanized Xcode project. This malware can record victims’ microphone, camera, keyboard, and also upload/download files. The first in the wild example of the threat was found within a US organization.

A study looking at new malware found in the wild during 2020 says that threats developed for macOS saw a huge jump – almost 1,100% compared to 2019. But taken into context, that total was less than 1% of the new malware that was discovered for Windows in the same period.

A group of researchers has uncovered what looks to be the first browser-based side-channel attack that’s built entirely from CSS and HTML. The JavaScript-free attack has been found to work across most modern CPUs including Intel, AMD, Samsung, and Apple Silicon. Interestingly, the findings say Apple’s M1 and Samsung’s Exynos chips can sometimes be more susceptible to these novel attacks.