Telemetry Data is Being Shared by Google and Apple Despite the user Explicitly Opting out

 

A new study revealing Apple and Google's monitoring of mobile devices is making headlines. It discusses how, despite the fact that both companies give consumers the option to opt out of sharing telemetry data, the data is still shared. Both Google's Pixel and Apple's iPhone extract data from mobile devices without the users' permission. Both iOS and Android transfer telemetry, according to Trinity College researcher Douglas Leith, “despite the user explicitly opting out.”

The analysis is part of a complete study titled "Mobile Handset Privacy: Measuring the Data iOS and Android Send to Apple and Google." It turns out that Google gathers much more data than Apple, almost 20 times more, from Android Pixel users.

“The phone IMEI, hardware serial number, SIM serial number and IMSI, handset phone number etc. are shared with Apple and Google,” as per the report. “When a SIM is inserted, both iOS and Google Android send details to Apple/Google. iOS sends the MAC addresses of nearby devices, e.g. other handsets, and the home gateway, to Apple, together with their GPS location. Currently there are few, if any, realistic options for preventing this data sharing.” 

According to the researcher’s observations, Google Pixel transfers approximately 1MB of data to Google servers during the first ten minutes of operation. For the same duration of time, the iPhone sends about 42KB of data to Apple servers. When the Pixel is turned off, it transfers approximately 1MB of data to Google every 12 hours, whereas the iPhone sends just 52KB. The report also indicated that, whether in use or not, both operating systems link to their back-end servers every 4.5 minutes on average. 

Nevertheless, third-party software and pre-installed apps that come with both operating systems were not included in the evaluations. The study focused solely on data collected by handset features and elements at the operating system level, such as Apple's Bluetooth UniqueChipID, Secure Element ID, and the transmission of the Wi-Fi MAC address. The highlight of the study is the ability of pre-installed applications and services, which are exclusive to handset manufacturers, to connect to the network even when they have not been opened or used by the user.

According to the study, telemetry data transmission poses major privacy issues. The study does highlight the importance of sending general user data to the software manufacturer, as this provides for the creation and release of critical device and security updates for specific models.

Malware Affecting Apple’s New M1 Chip Detected by Researchers

 

Mac malware has been a relatively less popular choice than its Windows equivalents, but threats to Apple computers have become more prevalent in the last few years. There is adware and even Mac-customized malware, and attackers still try to bypass Apple's new protections. Hackers have now made their debut with malware programmed to run on Apple's latest M1 ARM processors, launched in November for the MacBook Pro, MacBook Air, and Mac Mini.

Apple's M1 chip is a departure from the Intel x86 architecture in use since 2005, which gives Apple a chance to bake some Mac security safeguards and functionality directly into its processors. This transition allows legitimate developers to create versions of their software that run on M1 "natively" and do not require translation via an Apple emulator named Rosetta 2.

As per a blog published on 14th February by Mac security researcher Patrick Wardle, a Safari adware extension, originally written for Intel x86 chips, was modified to operate on new M1 chips. The malicious GoSearch22 extension has been traced to the Pirrit Mac adware family, according to Wardle. 

Researchers from Red Canary have written a blog post on another strain of malware, Silver Sparrow, which differs from the Pirrit Mac adware detected by Wardle. Although Silver Sparrow has not yet delivered malicious payloads, the Red Canary researchers have confirmed that it is able to deliver malicious payloads at any time. As of February 17, Silver Sparrow had compromised 29,139 macOS endpoints in 153 countries, including high volumes of detections in the U.S.A., the United Kingdom, Canada, France, and Germany, based on data from Malwarebytes given to Red Canary.

Kevin Dunne, President of Greenlight, said malware developers were able to reverse engineer the M1 chip in only three months. Although the malware only has a minimal footprint, Dunne said that it will likely grow with time to harness more vectors of attack.

“Once bad actors have control of the physical device, they can use that device as an access point to the networks that machine is connected to, either physically or via VPN,” Dunne said. “This reinforces the need for additional protection at the application layer, to constantly assess activity within those applications for unusual behaviour and mitigate potential risks in real time.”

Malware manufacturers and dealers are developing advanced devices and software with the way they produce and sell them, and so are the legal businesses, Jon Gulley, a security test application at nVisium added. 

For now, researchers have found that the native M1 malware doesn't appear to be an incredibly dangerous threat. However, the advent of these new strains is a sign of what is to come and of the need for detection tools to close the gap.

Google Researcher Groß Identifies the BlastDoor Device in Apple iOS 14

 

Last year, Apple rolled out iOS 14 with many new features, tighter privacy rules, and elements that make the iPhone smarter, introducing to the iPhone and iPad a new safety mechanism meant primarily to detect malware attacks arriving over the iMessage network. The BlastDoor security sandbox was launched with iOS 14 in September 2020. It was discovered through reverse engineering of macOS 11.1 running on an M1-powered Mac Mini, and is meant to protect the parsing of untrusted data from the iMessage messaging client. The service is said to be written in Swift, a memory-safe language that makes it "significantly harder" to introduce classic memory corruption vulnerabilities into the codebase, in this case iMessage.

The BlastDoor device, concealed inside iOS 14, has been identified by Samuel Groß, a security researcher with the Project Zero team of Google. Groß wrote a blog post on the scope of the current framework to protect consumers from bad actors.

The main function of BlastDoor is to unpack and process incoming messages in a secure and isolated environment where any malicious code embedded in a message cannot communicate with, disrupt, or recover user data on the underlying operating system. The BlastDoor service only functions for iMessage, so it reads all the obtained data as a connection. When a link is sent via iMessage, the sending device first renders a preview of the webpage and gathers metadata (such as the title and page description) before the link is bundled into an archive. This archive is then encrypted with a temporary key and submitted directly to iCloud servers. Once the link is received, the archive is decrypted with the key sent to the receiver. All of this happens inside the BlastDoor service.

Since several security analysts had previously found out that the iMessage service did an inadequate job of sanitizing incoming user data, the need for a service such as BlastDoor was evident. In the last three years, several incidents have occurred in which security researchers or real-world attackers have discovered and exploited iMessage Remote Code Execution (RCE) problems to hack them by transmitting a simple email, picture, or video to a computer. 

In 2019, Groß and his fellow security researcher Natalie Silvanovich discovered "zero interaction" faults in iMessage, which could allow attackers to read the contents of iPhone files without any note or message. The BlastDoor device is likely to fix these problems.

Furthermore, Groß stated in the blog post, "Overall, these changes are probably very close to the best that could've been done given the need for backwards compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole."

Parler on the Verge of Permanent Expulsion

 

Launched in 2018, Parler has become a place of refuge for individuals who have been banned or suspended by popular social networks, including Facebook and Twitter, for violating those platforms' guidelines. The Henderson, Nevada–based organization has branded itself as a free speech alternative to mainstream social networks and adopted a more relaxed approach to content moderation, attracting conspiracy theorists, members of hate groups, and right-wing activists who have openly incited violence.

Google has suspended US-based microblogging platform Parler, where the majority of the supporters of sitting President Donald Trump are moving their base, from its application store, citing posts inciting violence and demanding robust moderation of egregious content from the social networking service. Meanwhile, Apple gave Parler, the social network supported by conservatives and extremists, an ultimatum to implement a full moderation plan for its platform within the next 24 hours or face suspension from the App Store.

The move by the two Silicon Valley organizations came the day when Twitter permanently suspended Trump's account because of the "danger of additional prompting of viciousness".

In suspending the service, Google, whose software powers Android telephones, referred to its approach against applications that promote violence and gave recent examples from Parler, including a Friday post that started "How do we take back our country? Around 20 or so coordinated hits" and another promoting "Million Militia March" on Washington. 

"To ensure client security on Google Play, our longstanding strategies require that applications showing user-generated content have moderation policies and implementation that eliminates offensive substance like spots that prompt violence. All developers consent to these terms and we have reminded Parler of this clear policy in recent months," Google said in a statement. 

Meanwhile, Apple said in a statement that it has received numerous complaints regarding offensive content on the Parler service, including allegations that the application was used to plan, organize and encourage the criminal activities in Washington DC on January 6 that led to loss of life, numerous injuries and the destruction of property.

Matze, who describes himself as a libertarian, founded Parler in 2018 as a "free-speech driven" alternative to mainstream platforms, but started courting right-leaning users as prominent supporters of Trump moved there. On Parler, John Matze struck a defiant tone. "We won't give in to pressure from anti-competitive actors! We will and consistently have authorized our guidelines against brutality and criminal behavior. Yet, we won't cave to politically persuaded organizations and those authoritarians who scorn free speech!" he wrote in a message.

2010-2020 Decade Roundup: 10 Most Frequently Occurred Security Vulnerabilities

 


A decade has come to an end, but the security vulnerabilities that marked it in the IT sector cannot be forgotten. In this article, we will look at the 10 most frequently occurring cyber vulnerabilities, which allowed threat actors to breach applications, steal user credentials, and try to hurt millions at once.

Understandably, this list is not long enough to cover all the vulnerabilities that plagued the IT world over the entire decade. Hence, in this article, we will focus on the vulnerabilities that affected Unix, Linux, macOS, servers, and cloud computing.

1. BlueBorne: This security attack occurred via Bluetooth implementations in Android, iOS, Linux, and Windows. Reports showed that the BlueBorne bug had affected over 8.2 billion devices worldwide. The vulnerabilities were first reported on 12 September 2017 by Armis, an IoT security firm. This bug affects many electronic devices such as smartphones, laptops, smart cars, and wearable gadgets.

2. Badlock: It was on 12 April 2016 that a critical security bug, CVE-2016-2118, was discovered to be affecting devices. The security bug, found in Microsoft Windows and Samba, affected the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols supported by Windows and Samba.

3. DirtyCow: It was a very serious computer security vulnerability found in the Linux kernel. It affected all Linux-based devices, including Android devices, with one exception: the bug only affected systems using older versions of the Linux kernel created before 2018. This bug is a local privilege escalation that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem. It must be noted that computers and devices that still use the older kernels remain vulnerable.

4. Foreshadow: This decade has crippled modern Intel/AMD processors with many security bugs. L1 Terminal Fault, or Foreshadow, affects modern microprocessors. The first version discloses sensitive information from PCs and cloud networks, whereas the second version targets hypervisors (VMM), virtual machines (VMs), System Management Mode (SMM) memory, and operating system (OS) kernel memory.

5. Heartbleed: It was a very dangerous vulnerability in the popular OpenSSL cryptographic software library that allowed stealing sensitive information that is, under normal conditions, protected by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the internet for applications including email, instant messaging (IM), the Web, and some virtual private networks (VPNs). After this vulnerability, Google established ‘Project Zero’, whose task is to secure the Web and society.

6. iSeeYou: This vulnerability affected Apple laptops; hackers leveraged it to gain remote access and take photographs of a person. Apple’s laptops can run a variety of operating systems, such as macOS, Linux, and Microsoft Windows. Therefore, mitigations against this attack vary depending upon the operating system. In response to the discovery of this attack, the organization released iSightDefender to reduce the attack.

7. Lazy: This security vulnerability affects Intel CPUs. A malicious actor can use this vulnerability to leak the content of FPU registers belonging to another process. This vulnerability is associated with the Spectre and Meltdown vulnerabilities. Patches for OpenBSD, Linux, Xen, and others have been released to address the vulnerability.

8. Linux.Encoder: It is also known as ELF/Filecoder.A and Trojan.Linux.Ransom.A. It is the first ransomware Trojan that targets computers, servers, cloud, and devices running Linux. There are also additional variants of this Trojan that target Unix and Unix-like systems.

9. POODLE: This is a man-in-the-middle attack that exploits the fallback of Internet and security software clients to SSL 3.0. Any software which supports a fallback to SSL 3.0 is affected. To overcome its effects, people have to disable SSL 3.0 on the client-side and the network-side. Various vendors such as Microsoft, Google, Apple, OpenSSL, and others have released software patches to protect their platforms against the POODLE security attack.

10. Rootpipe: Rootpipe is a security vulnerability in OS X that allows privilege escalation. Exploiting security vulnerabilities on a system allows a hacker to gain superuser (root) access, and with other bugs on a Mac, such as an unpatched Apache web browser, hackers can take advantage of Rootpipe to gain complete command of the running system and of Apple computers or networks. According to researchers, in November 2017 a similar attack was seen in macOS High Sierra, which gave hackers easy access to the system without a password and root account.

Apple iCloud Outage Caused Setup Issues and Account Activation Failures


On December 25th, Apple users started facing issues in iCloud sign-in in the early morning. The outage that lasted for around 24 hours prevented users from setting up new Apple gadgets and devices; users experienced problems in the activation of Apple Watch, HomePod, iPhone along with several other devices. Reportedly, the problem was caused by an unspecified problem that occurred in Apple's iCloud backend. However, it was only a matter of a day before Apple resolved the issue by the evening of December 26th. 

The problem surfaced around 5 a.m. on the day of Christmas, making users wait longer than usual to relish the experience of their Apple product for Christmas. On Friday, while replying to a supposedly eager customer, Apple's support team tweeted acknowledging the customer's eagerness and indicating that the iCloud outage that lasted until Saturday was a result of the heightened demand experienced by the company.  

"We know your mom is eager to have everything working and appreciate you helping to set them up. We are experiencing a high capacity at this time which is impacting your ability to set up iCloud, please try back in a couple of hours," the tweet read. 

Many users, noting unusually long waiting times (some as long as 32 hours) and device activation failures, reported the same on Twitter, while others said they had faced complete activation failures.

Furthermore, certain users facing similar troubles reported their problem at forums.macrumors.com, "I realize it's Christmas morning and Apple's activation servers are probably on overload, but this still seems unnecessarily frustrating," BeatCrazy wrote.  

While explaining the issue in depth, BeatCrazy further said, "I'm able to start the pairing process using my iPhone, sign into their Apple IDs with their passwords, but I keep getting hung when Apple wants me to enter the passcode of another device. I'm given options like their iPad passcodes, or one of my Macs. After entering any of these, the watch spins for about 2 minutes and I get the error "Verification Failed - There was an error verifying the passcode of your (or insert family member name here) iPhone (or insert iPad/Mac)." Apple gives me a choice to "reset encrypted data", which I take as an offer to destroy all their existing Apple ID passwords and data - not a good option IMO."

Seemingly, due to the ongoing COVID-19 pandemic, the year's wrap and the holiday season is busier than usual for Apple, which delayed the release of its newest iPhone 12 series by a month.

Hackers Use Bugs To Attack iOS and Android Devices; Google Doesn't Disclose Details

 

Google's cybersecurity team found a cluster of high-end vulnerabilities in iOS, Windows, Android, and Chrome earlier this week. According to Google, these vulnerabilities were being actively exploited, which means hackers used them to carry out attacks. It is an alarming issue for cybersecurity. Besides this, the vulnerabilities share some similarities, says Motherboard. One can assume that the same cybercriminals exploited them. According to cybersecurity findings, some of the vulnerabilities were in font libraries, some were used to escape Chrome's sandbox, and others were used to take control of the system.

It means that the bugs belonged to a string of vulnerabilities used to attack users' devices. As of now, there's no concrete information about who the hackers are or who their targets were. Usually, whenever bugs are found, they are responsibly disclosed so that security patches can be released to fix the issue before hackers can exploit them. However, in the current case, it is confirmed that hackers are using the bugs. In 2019, in a quite similar incident, Google found a string of vulnerabilities that hackers used to attack the Uighur community. In China, the government conducts a massive campaign of surveillance and monitoring of the Muslim community.

Vice reports, "according to a source with knowledge of the vulnerabilities, all these seven bugs are related to each other, who asked to remain anonymous as they were not allowed to talk to the press." However, experts don't have any information on the present situation, as Google hasn't disclosed anything about the vulnerabilities, the hackers, or the targets. Fortunately, Apple released a security patch for iOS 12 (released in 2018), which can fix Apple devices up to the iPhone 5 series.

When a company releases a security patch that fixes old machines, it generally means that the bug is highly dangerous. Still, we can only assume, as no data is available. "In any case, some of these bugs were very critical and gave hackers a lot of power when they used them. The iOS bugs, for example, were so dangerous that Apple pushed updates not just for the current iOS 14, but also for the older, not usually supported, iOS 12," reports Vice.

Apple Patches-Up Three Actively Exploited And Identified Zero-Day Vulnerabilities In its iPhone, iPod and iPad Devices

 

This month Apple released iOS 14.2 and iPadOS 14.2, which patched a total of 24 vulnerabilities in different parts of the OSes, including sound, crash reporter, kernel, and foundation.

The multinational technology company has fixed three identified zero-day vulnerabilities in its iPhone, iPod, and iPad devices, possibly associated with a spate of related flaws very recently found by the Google Project Zero team that also affected Google Chrome and Windows.

Ben Hawkes from Google Project Zero identified the zero-day vulnerabilities in a tweet as "CVE-2020-27930 (RCE), CVE-2020-27950 (memory leak), and CVE-2020-27932 (kernel advantage escalation)."

Apple likewise offered credit to Project Zero for recognizing these particular defects in its security update and gave a little more detail on each.

CVE-2020-27930 is 'a memory corruption flaw' in the FontParser on iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and iPad mini 4 and later, as indicated by Apple. 

The vulnerability means that processing a “maliciously crafted font” can lead to arbitrary code execution.

Apple described CVE-2020-27950 as a memory initialization issue in the iOS kernel that affects iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later.

The defect would permit a malicious application to disclose kernel memory, according to the company. The Apple update comes alongside updates by Google over the last two weeks to fix various zero-days in Google Chrome for both the desktop and Android versions of the browser.

Shane Huntley from Google's Threat Analysis Group claims that the recently fixed Apple zero-day flaws are related to three Google Chrome zero-days and one Windows zero-day likewise uncovered over the last two weeks, possibly as part of the same exploit chain.

“Targeted exploitation in the wild similar to the other recently reported 0days,” he tweeted, adding that the attacks are “not related to any election targeting.” 

It is, however, important to note that Apple and Google have a contentious history with regard to vulnerability disclosure.

The two tech giants famously butted heads a year ago over two zero-day bugs in the iPhone's iOS after Google Project Zero analysts claimed that they had been exploited for quite a long time.

Mobile Versions of Several Browsers Found Vulnerable to Address Bar Spoofing Flaws

 

Several mobile browsers including Firefox, Chrome, and Safari were found vulnerable to an ‘address bar spoofing’ flaw which when exploited could allow a threat actor to disguise a URL and make his phishing page appear like a legitimate website, according to a report published by cybersecurity company Rapid7 which reportedly worked in collaboration with Rafay Baloch - an independent security researcher who disclosed ten new URL spoofing vulnerabilities in seven browsers. 
 
The browser vendors were informed about the issues in August as the vulnerabilities surfaced earlier this year; some of the vendors took preventive measures, patching the issues beforehand, while others left their browsers vulnerable to the threat.
 
Notably, the Firefox browser for Android has already been fixed by Mozilla, and those who haven’t updated it yet should make sure to do so now. Google’s Chrome browser on both Android and iOS, however, is still vulnerable to the threat and is unlikely to be patched until September. Other affected browsers include Opera Touch, UC Browser, Yandex Browser, RITS Browser, and Bolt Browser.

In an address bar spoofing attack, the attacker alters the URL displayed in the address bar of the compromised web browser to trick victims into believing that the website they are browsing is operated by an authenticated source. In reality, the website is controlled by the attackers carrying out the spoofing attack. The attacker can trick his victims into providing their login details or other personal information by making them think they are connected to a website like Paypal.com.
 
“Exploitation all comes down to, "Javascript shenanigans." By messing with the timing between page loads and when the browser gets a chance to refresh the address bar, an attacker can cause either a pop-up to appear to come from an arbitrary website or can render content in the browser window that falsely appears to come from an arbitrary website”, the report explained. 
 
“With ever-growing sophistication of spear-phishing attacks, exploitation of browser-based vulnerabilities such as address bar spoofing may exacerbate the success of spear-phishing attacks and hence prove to be very lethal,” Baloch further said.

The new iOS 14 to drop Facebook's Audience Network Advertising to 50%


Facebook on Wednesday posted a response to the new iOS 14 on their official blog stating that the new iOS could lead to a 50% drop in their Audience Network advertising business.



Though the company had previously raised issues with iOS 14 and that it could impact their advertising, this Wednesday blog detailed exactly how. 

Facebook Audience Network collects data from the user (Facebook's data) and provides targeted in-app advertisements. Advertisers use a unique device ID number known as the IDFA to personalize advertisements.

In iOS 14, IDFA tracking will be made optional, and users can choose whether or not they want an app to track them. Facebook said it won't collect IDFA information in iOS 14 at all, even though it will make a significant dent in its Audience Network advertising.

"We know this may severely impact publishers' ability to monetize through Audience Network on iOS 14, and, despite our best efforts, may render Audience Network so ineffective on iOS 14 that it may not make sense to offer it on iOS14 in the future," Facebook said in the blog.

"While it's difficult to quantify the impact to publishers and developers at this point with so many unknowns, in testing we've seen more than a 50% drop in Audience Network publisher revenue when personalization was removed from mobile ad install campaigns," Facebook said. "In reality, the impact to Audience Network on iOS 14 may be much more, so we are working on short-and long-term strategies to support publishers through these changes." 

Facebook said that its advertising policies will comply with iOS 14's and Apple's preconditions, but the social network's whole revenue is derived from advertising and around a billion people view at least one Audience Network ad in a month, so the decision is bound to affect Facebook greatly.

The blog further outlined some changes Facebook would make for iOS 14 and operations for its partners. The new iOS is expected to launch this year.

Pavel Durov called on Apple to oblige to install different application stores


Apple should allow users to install apps not only from its own App Store. This opinion was expressed by the founder of Telegram messenger, Pavel Durov. According to him, Tim Cook (CEO of Apple) should be obligated to do this at the legislative level.

The day before, a high-ranking Telegram manager, Ilya Perekopsky, Vice President of the company founded by Pavel Durov, spoke at a panel discussion with Russian Prime Minister Mikhail Mishustin and representatives of the IT industry in Innopolis. He said that Apple and Google are holding back the development of startups by charging app developers a tax in the form of a 30 percent commission. Almost simultaneously with Perekopsky's speech, Durov published an article in which he called for Apple to be legally obliged to install an alternative App Store on the iPhone.

Durov is sure that if this is not done, then app developers, in particular, from Russia, will be forced to sell their startups for little money. At the same time, Apple's capitalization will only grow.
“Preventing two supranational corporations from collecting taxes from all of humanity is not an easy task. Corporations employ thousands of lobbyists, lawyers, and PR agents, and their budgets are unlimited. At the same time, app developers are scattered and scared, as the fate of their projects depends entirely on the favor of Apple and Google," wrote Pavel Durov.

The head of the TelecomDaily information and analytical agency Denis Kuskov noted that changing the market is quite difficult because these two companies are leading it. Therefore, Durov needs to accept this fact.

Durov recalled that in 2016, Apple banned the Telegram team from launching its own game platform: "We had to remove the telegram games catalog that we had already created and almost the entire platform interface, otherwise Apple threatened to remove Telegram from the AppStore." According to Durov, the iPhone manufacturer treats many other developers in a similar way.

Apple catches TikTok spying on millions of iPhone users globally


Apple announced its latest OS iOS14 at this year's WWDC and during the beta testing for the same, the tech giant caught TikTok recording user's cut-paste data and whatever the user was typing on their keyboard.


The new alert on iOS14 lets the user know if any app is pasting from the clipboard and if they are reading from the cut-paste data. This alert leads to TikTok's reveal. This alert was added based on the research by German software engineer Tommy Mysk in February; he discovered that every app installed on an iPhone or iPad can access clipboard data. And thus Apple added this new banner alert in its latest OS.

Soon after the update, many users started complaining about the issue, “Hey @tiktok_us, why do you paste from my clipboard every time I type a LETTER in your comment box?” wrote @MaxelAmador actor and podcast host on Twitter. “Shout out to iOS 14 for shining a light on this HUGE invasion of privacy.” Though many other apps like Accu Weather, Call of Duty Mobile, and even Google News can read clipboard data it seems strange as to why TikTok would need to do so.

After finding this glitch, Apple released a patch and fixing the issue, even TikTok said in March that it would stop the practice but it seems like they are still snooping on user's data.

In response, the social media app stated, “For TikTok, this was triggered by a feature designed to identify repetitive, spammy behavior. We have already submitted an updated version of the app to the App Store removing the anti-spam feature to eliminate any potential confusion”. 

The clipboard tool in iOS helps the user copy text and images and paste them into another app. The glitch lets apps access this data, which is quite worrisome, and all of it could be accessed without the user's consent. Apple should be applauded for this exposé, but another pressing question remains: should the Android community be worried about the same thing?

Apple Plans to Expand Cloud-Based Services, Enters Cloud Computing Space


Apple is planning to invest more in streamlining and expanding its cloud-based and software services such as iCloud, News+, and Apple Music. The expansion will go along with devices like iPads, MacBooks, and iPhones. To be sure of the reliability of its cloud-based services on all Apple devices, the company has decided to rely on AWS (Amazon Web Services) and its cloud division. AWS, as you might know, is a subunit of Amazon that offers cloud solutions. According to CNBC's findings, Apple is said to pay Amazon $30 million a month for its cloud-based services. That also makes Apple one of the biggest customers of AWS.


Nevertheless, Apple hasn't confirmed whether it uses Amazon's cloud services besides its iCloud. According to experts, Apple also runs some of its cloud services on Google. Amazon transformed data center management and application hosting when it launched AWS. Being the first to offer services like these, AWS is currently ranked at the top of the cloud hosting world. Recently, Google Cloud and Microsoft Azure have also been trying to increase their presence in cloud services.

"As a matter of fact, AWS crossed the $10 billion quarterly revenue mark in Q1 2020, bringing in revenue of $10.2 billion with a growth rate of 33%. AWS accounted for about 13.5% of Amazon's total revenue for the quarter, which is on the higher end. Google Cloud, which includes Google Cloud Project (GCP) and G-Suite, generated $2.78 billion in revenue in the first quarter this year, which marked as a 52% increase over the same quarter a year ago. Microsoft does not reveal Azure revenue, but it announced that its Azure revenue grew by 59% in Q1 2020 over the same quarter a year ago," says Taarini Kaur Dang from Forbes.

It seems Apple knows the importance of the high-end cloud support needed to offer the best services to its customers. Like other tech biggies, Apple has its own cloud team, called ACI (Apple Cloud Infrastructure). Given Apple's recent advancements, it is fair to believe that Apple might revolutionize the cloud world.

The UK Government Vs Apple & Google API on the New COVID-19 App That Tells Who Near You is Infected!



Reportedly, the United Kingdom has declared that its coronavirus tracing application will run via centralized British servers, and that this is how it plans to take things forward, rather than via the “Apple-Google approach” that most prefer.

Per sources, the CEO of the tech unit of the National Health Service said that the new smartphone app will launch in the coming weeks, in the hope of helping the country return to normalcy by beating coronavirus.

According to reports, the UK government believes that the contact-tracing protocol created by Apple and Google protects user privacy “under advertisement only”. Hence the British health service supports a system that would send the data on who may have the virus to a centralized server, putting all control in the hands of the NHS.

Both the NHS approach and that of Apple and Google work via Bluetooth: a cell phone on the wireless network emits an electronic ID that can be picked up by other phones in the vicinity. If a person tests positive for COVID-19, their ID is used to warn others who were near them.

In other words, if you were near an affected person, your phone would flag that they are infected and notify you, and you would also be alerted that you may have caught the novel coronavirus, sources mention.

Per reports, Google and Apple created an opt-in, pro-privacy API for Android and iOS. The feature has the user's phone change its ID at intervals and store the IDs it receives from phones near it.

Per sources, if a person is discovered to have COVID-19, they can allow the release of their phone’s ID to a decentralized set of databases overseen by healthcare providers, and nearby users would be notified about it.

This approach helps ensure that users can't be tracked by exploiting that information. Google and Apple say that their protocol would make it next to impossible for them, governments, or malicious actors to track people. The data wouldn’t leave the user’s phone unless they want it to, and even then it would leave anonymously.


To declare themselves infected, a person must enter a specific code issued by a healthcare provider after testing positive, which is a good way to curb fraudulent announcements of infection.

The NHS, on the other hand, proposed a centralized approach that makes the government the party holding the coronavirus-related details of all users in its database for further analysis.

Per sources, for this application to be successful, 60% of a population would have to download it and opt in. Trust plays a major role here: if users don’t trust the app, it would be of no use to others either.

Reports mention that most countries prefer the Google and Apple method, including Switzerland, Austria, and Estonia. Germany too strongly supports a decentralized line, whereas France has faced criticism for its inclination towards the centralized approach.

Nevertheless, the NHS is hell-bent on going forward with the centralized approach and is adamant that it will safeguard the privacy of people no matter what. In the centralized way of things, the NHS would capture all the IDs of phones with the app active on them and store the details on their database. Later on, if a user is found to be infected the NHS would make the call about all the hows, whens, and ifs of the warning procedure on the other phones.

If things were to work out the way the NHS wants them to, the application would advise users on steps to protect themselves against the virus, like self-isolating if need be. The advice would be customized to the situation. The NHS would also build a better database and help people with first-hand updates. People could also voluntarily provide detailed information about themselves to make the app’s experience more comprehensive.

Moreover, a centralized system would make it far easier to audit and analyze the data stored in the databases for further research into the users who are most at risk.

But regardless of all the superficial advantages, the NHS would still be creating a database bursting with people’s personal information like their health statuses, their movements, and that too with the government having complete control of it.

The success of the entire operation rests on people’s trust in the NHS, the UK government, and, for that matter, the governments of all the countries that have opted for the centralized system.
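The difference between the two designs described above comes down to what the server learns. The following is an added example, not code from Apple, Google or the NHS: a simplified model in which the HMAC-based ID derivation, the 10-minute rotation and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144  # assumption: the broadcast ID rotates every 10 minutes


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Derive the ID broadcast in one interval from the phone's secret daily key."""
    msg = b"rolling-id" + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name: str):
        self.name = name
        self.daily_key = os.urandom(16)  # stays on the phone unless the user releases it
        self.heard = set()               # rolling IDs received over Bluetooth

    def broadcast(self, interval: int) -> bytes:
        return rolling_id(self.daily_key, interval)

    def hear(self, rid: bytes) -> None:
        self.heard.add(rid)

    def check_exposure(self, published_keys) -> bool:
        """Decentralized matching: re-derive IDs from published keys, compare locally."""
        return any(rolling_id(key, i) in self.heard
                   for key in published_keys
                   for i in range(INTERVALS_PER_DAY))


class DecentralizedServer:
    """Stores only keys released by infected users; never sees who met whom."""
    def __init__(self):
        self.published_keys = []

    def report_infected(self, phone: Phone) -> None:
        self.published_keys.append(phone.daily_key)


class CentralServer:
    """Knows which ID belongs to which registered user and resolves contacts itself."""
    def __init__(self):
        self.registry = {}  # rolling ID -> registered user

    def register(self, phone: Phone) -> None:
        for i in range(INTERVALS_PER_DAY):
            self.registry[rolling_id(phone.daily_key, i)] = phone.name

    def report_infected(self, phone: Phone) -> set:
        # The infected user's contact log is uploaded and de-anonymized server-side.
        return {self.registry[r] for r in phone.heard if r in self.registry}


def simulate():
    # Constructed encounter: alice and bob meet in interval 42; carol meets a stranger.
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    bob.hear(alice.broadcast(42))
    alice.hear(bob.broadcast(42))
    carol.hear(rolling_id(os.urandom(16), 7))

    dec = DecentralizedServer()
    dec.report_infected(alice)
    on_device = {p.name: p.check_exposure(dec.published_keys) for p in (bob, carol)}

    cen = CentralServer()
    for p in (alice, bob, carol):
        cen.register(p)
    return on_device, dec.published_keys, cen.report_infected(alice)


if __name__ == "__main__":
    print(simulate())
```

In the decentralized run the server ends up holding one random key and the exposure result exists only on each phone; in the centralized run the server itself obtains the named contact set.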

WhatsApp's New Feature Lets You Add More People To Group Video Calls!


Finally! The days of whining about the limited number of participants you could add to WhatsApp’s group video and audio calls are OVER! Praise digital advancement, because the limit has been increased from 4 to 8 participants.

For people stuck far away from their families, and in times that strictly demand social distancing, video calling applications contribute a lot to keeping us all sane by helping us feel close to our loved ones.

People have often found the number of participants in the group video/audio calls a major limitation of the otherwise significantly efficient WhatsApp.

Hence, now that WhatsApp, taking into account the terrific rise in the usage of video calling applications, has at long last decided to increase the number of contacts you can add to a group video/audio call, we can’t help but be happy.

The new feature would be exclusively available for the users of Android and iOS beta. The installation of the 2.20.50.25 update for the iOS beta users and the 2.20.133 beta update for the Android users is a prerequisite for the accessibility of the feature.

With one billion daily active WhatsApp users, 400 million of them Indian, this new feature had been expected for quite a long time, researchers mention.


For the group video call with the raised number of participants to function at all, all the participants must have the same versions of the application, meaning 2.20.133 beta for Android users and 2.20.50.25 beta update for iOS users. A new header also notifies users about the end-to-end encryption of the calls.

Per sources, in the last month alone the number of people who “video-call” and the time they spend doing it have increased considerably on a global level. The pandemic has brought people closer “online” while being physically distant.

Other famous video calling applications including Facebook’s Messenger and Apple’s FaceTime offer a provision to add 50 and 32 people at once, respectively.

This feature will roll out gradually so all you have to do is update your WhatsApp application, sit tight, and wait for your device to embrace it with open arms!

COVID 19 Contact Tracing: Is your Privacy at Risk?


Apple and Google's latest team-up to build a technology that will help trace the spread of coronavirus is a much-appreciated move that will surely help society fight coronavirus. Still, one must also be aware of the privacy concerns, as users will be sharing their data with these companies. The announcement came last Friday that the two companies are working together to build an application that will help in tracing COVID-19. This process is called 'contact tracing,' and it will be carried out with the help of Bluetooth technology, which will help inform people as soon as they come in contact with an infected person.


Both technology giants have assured that user privacy and security will be their utmost concern. According to cybersecurity experts, the user data these companies will be using, such as contacts and location, won't be used for any other purpose. Even the companies themselves won't have access to this information, which is how they are prioritizing user privacy.

What about government surveillance?
South Korea, while using technology to trace infected people, is using CCTV footage, user location, credit card records, and even conversations between individuals. This type of technological surveillance raises concerns about the privacy of individuals. According to cybersecurity experts, the South Korean government is releasing alerts that reveal an individual's age, neighborhood, workplace, and location. None of these details are necessary, and oversharing such personal details can create panic among the public. Some researchers have even gone so far as to say that this surveillance is expected to last after the coronavirus pandemic ends.

According to experts, the government should tell the public the reasons for data collection, so that the public doesn't panic and gets a better understanding of the situation. At present, it is evident that this surveillance is used for health purposes, but another concern is that the data can be used for other purposes such as law enforcement. What matters is knowing the limits of this surveillance and keeping an eye on whether it becomes a tool for mass surveillance.

COVID-19: Google and Apple Team up on Contact Trace Technology


Around the world, governments and health departments are fighting together against the Coronavirus pandemic, coming up with solutions to reduce its effect so that society and people can recover from it at the earliest. Keeping this in mind, various software companies and enthusiasts, too, are continually working to build technologies that make people aware of how to stay safe. Apple and Google have come forward together to contact trace Coronavirus patients. They are working together on developing a technology that will let people know whether they have come in contact with any Coronavirus-infected person.


"To further this cause, Apple and Google will be launching a comprehensive solution that includes application programming interfaces (APIs) and operating system-level technology to assist in enabling contact tracing," say Apple and Google. The initial aim is to help third-party contact tracing applications work accurately. But the primary objective is to remove the need to download dedicated apps while still supporting the work. The approach by Apple and Google will keep in mind that participation is voluntary and that users stay anonymous. At the same time, their privacy will remain the utmost concern for both companies.

The contact tracing method will work somewhat like this: with the help of the device's Bluetooth signals, the user will know whether he/she has been in contact with an infected person long enough to catch the virus. If either of the people tests positive for COVID-19 in the future, an immediate warning will be issued to the original handset owner, informing him about the situation. The companies, addressing the privacy concern, say that neither GPS data nor personal information of the user will be collected.

"All of us at Apple and Google believe there has never been a more important moment to work together to solve one of the world's most pressing problems. Through close cooperation and collaboration with developers, governments, and public health providers, we hope to harness the power of technology to help countries around the world slow the spread of COVID-19 and accelerate the return of everyday life," said the two companies in a joint statement.

HACKED- Windows 10, macOS, Adobe, VMware, Apple and Oracle at The Pwn2Own 2020!


Pwn2Own is a well-known computer hacking contest held once every year at the CanSecWest security conference. In this contest, the contestants are tested on how well they can exploit commonly used software and mobile devices with previously unknown vulnerabilities.

An issue as grave as the Coronavirus pandemic has clearly not dampened the spirits of the Pwn2Own 2020 hacking competition, which has completed its first two days.

On Day 1, security researchers and participants bagged a handsome amount of over $180,000 for exploiting Windows 10, Ubuntu Desktop and macOS, mention sources.

Reportedly, a “team from the Georgia Tech Systems Software and Security Lab succeeded in exploiting a kernel privilege escalation to execute code on macOS” by way of Safari. The attack chain, which won the team $70,000, comprised 6 vulnerabilities.

Per the event page (thezdi.com), Georgia Tech employed a “6 bug chain to pop calc and escalate to root”.

Team Fluoroacetate, which has won several preceding editions of the hacking contest, won $40,000 after employing a “local privilege escalation exploit” against Windows 10.

Reports mention that one of the two members of the aforementioned team also won himself $40,000 for yet another privilege escalation exploit targeting Windows 10.

As per sources, the RedRocket CTF team got themselves a win thanks to one of their members, Manfred Paul, who bagged $30,000 for a local privilege escalation exploit focused on Ubuntu Desktop. The hack exploited an input validation bug.

On Day 2, Team Fluoroacetate successfully targeted Adobe Reader with a local privilege escalation by employing a pair of use-after-free (UAF) bugs, sources mention, and grabbed $50,000.

Per reports, the Synacktiv team targeted VMware Workstation but, unfortunately, to no avail in the given time. There were also special demonstrations by the Zero Day Initiative against Oracle VirtualBox.

This was the very first time the organizers allowed “conditional remote participation” in the Pwn2Own hacking contest, understandably because of the increased concerns of people about traveling due to the Coronavirus outbreak.



Users can now Use 2 Step Verification on their Chrome and Safari Browser


Google has launched a new feature for ensuring users' security. You will now be able to enroll two-factor authentication keys from web browsers. Google is making it easier to register security keys by allowing you to enroll them on Android and macOS devices. "Two-factor authentication, also called multiple-factor or multiple-step verification, is an authentication mechanism to double-check that your identity is legitimate."


When you sign in to your account, it asks for a username and password; this is the first verification step. Two-factor authentication adds another security layer after this to confirm your identity. The second factor (2FA) could be a PIN, a password, a one-time password, a physical device, or a biometric. It should be something only you have or know. Two-factor authentication is very important because a password isn't as protective as we believe. Cyber attackers can test billions of password combinations in a second.

Two-factor authentication, or two-step verification, adds another layer of protection besides a password. It is hard for cybercriminals to get this second factor, which reduces their chance of success. Now Google is offering these 2FA security keys, and you can register them on macOS devices using Safari (v. 13.0.4 and up), and on Android devices running Android 7.0 “N” and up using the Google Chrome web browser (version 70 and up). Users can register these independently or as part of signing up for the Advanced Protection Program. It's available for all users, provided you're using the mentioned versions of the software.

What are Security Keys?

Security keys are the most secure form of two-factor authentication (2FA) or two-step verification, protecting against threats like hacking and phishing. Users are provided with physical keys that they insert into the USB port of their device; when required, the user touches the key. On Android devices, the user taps the key on their NFC (Near Field Communication) enabled device. Android users can also opt for USB and Bluetooth keys. Apple mobile users will be provided with Bluetooth-enabled security keys.

Apple Becomes the First Major US Company to Say that the ‘Corona’ Epidemic Will Hit Its Finances



The iPhone maker cautions that disruption in China from the coronavirus will result in revenues falling short of forecasts. Underscoring the fact that production and sales were affected, Apple says that "worldwide iPhone supply would be temporarily constrained".

Sales of Apple products would be lower, bearing in mind that most stores in China are either closed or operating at reduced hours. The company says, "while our iPhone manufacturing partner sites are located outside the Hubei province - and while all of these facilities have reopened - they are ramping up more slowly than we had anticipated."

"All of our stores in China and many of our partner stores have been closed," it added. "Additionally, stores that are open have been operating at reduced hours and with very low customer traffic. We are gradually reopening our retail stores and will continue to do so as steadily and safely as we can."

Experts have assessed that the virus may significantly reduce the demand for smartphones in the first quarter in China, the world's biggest market for gadgets.
The car industry is yet another sector that has been affected by disruption to its supply chain.

A week ago, the heavy equipment manufacturer JCB said it was cutting production in the UK because of a shortage of components from China. Wedbush analyst Daniel Ives wrote in a note to customers, "While we have discussed a negative iPhone impact from the coronavirus over the past few weeks, the magnitude of this impact to miss its revenue guidance midway through February is clearly worse than feared."

New virus cases outside the 'epicenter area’ have been declining throughout the previous 13 days. There were 115 new cases outside Hubei reported on Monday, sharply down from about 450 a week back. Even so, despite expectations that factories and shops are slowly easing back to normal, Apple's warning underlines that China's economy will be greatly affected by the coronavirus.