Archive for September 7, 2018

Friday, September 7, 2018

Call Recorder for FaceTime Won’t Be Compatible With Mojave

Chance Miller (tweet):

In an email to users this evening, Ecamm said that with macOS 10.14 Mojave, Apple has tightened the overall security of the operating system and FaceTime, rendering its Call Recorder for FaceTime software incompatible. Thus, the application will not be compatible with macOS 10.14 Mojave at launch[…] As for the future, Ecamm says it will “continue to assess the feasibility” of bringing its Call Recorder software to Mojave, but that it currently has “no plans for a compatible version or for creating a replacement.”

I’m so glad that Apple is eliminating useful apps, nerfing others, and adding friction instead of acting on the actual malware at the top of its charts.

Update (2018-09-08): Greg Hurrell:

1/ Apple is nerfing a bunch of 3rd-party shit. Don’t think it will affect me, yet, but only because I have been very conservative with what I install for many years now (in the interests of not breaking shit), but am waiting for the time they kill something I can’t live without

2/ Once both the software and the hardware have gone south, there really won’t be anything keeping me in the Apple camp any longer. 😟

Ghostery Lite

Ghostery:

Extensions like Ghostery 5 that use an older (deprecated) API build will be disabled as soon as you upgrade to Mojave. We highly recommend that you give Ghostery Lite a try as we’ve designed it to work exclusively with the new Mojave changes. If for whatever reason you’d like to stick with Ghostery 5, here are the steps to re-enable it after you upgrade to Mojave.

Update (2018-10-31): It’s now available.

Apple and Google Face Growing Revolt Over App Store “Tax”

Mark Bergen and Christopher Palmeri (Hacker News):

Netflix Inc. and video game makers Epic Games Inc. and Valve Corp. are among companies that have recently tried to bypass the app stores or complained about the cost of the tolls Apple and Google charge.

[…]

On Tuesday, video streaming company Netflix said it’s testing a way to bypass Apple in-app subscriptions by sending users to its own website. Currently, Netflix users on iPads and iPhones can subscribe via the App Store’s in-app-purchasing system. This makes subscribing simpler, but also gives Apple a 15 percent cut of those subscriptions. And as of May, Google Play billing for Netflix was unavailable to new or rejoining customers, according to Netflix’s website.

On iPhones in the U.S., Netflix was the No. 1 entertainment app by consumer spend and the most downloaded entertainment app on the Google Play store over the last 90 days, according to App Annie, which tracks the industry.

More recently, Epic Games, the maker of hit video game Fortnite, opted to ditch Google’s app store.

Dan Masters:

A more honest description:

“App Store subscribers comprise a large chunk of the Netflix subscriber base.

Therefore, Netflix is attempting to find a way to retain the otherwise-unsustainable $10 price point, without resorting to the recently tested advertising.”

cptaj:

I worked on an app that is in the same category as Netflix. A week before launch, Apple chose to reject us in spite of months of meetings and reviews with their app teams and assurances we were in-bounds since we were working with them for launch featuring.

It came down to the fact we required an email address and password for IAP so you could bring your subscription to the web or other platforms. While everyone else in the category did this, they decided that policy was going to change and we were just going to be the first people to deal with it. Since having an email-based account was core to the architecture and the UX, I went through a week of refactor hell to make emails/passwords optional to meet our launch date.

Since other apps still get to do this, it’s clear the policy change message was BS. I’ve suspected a lot has had to do with Apple’s ambitions in the streaming space and their desire to be in a position to offer bundling and other over the top services. They’re already trying to control the UX with the TV app and are offering companies better rev share rates to do the integration work.

It seems like Netflix is daring Apple to pull them from the store. If that’s what’s happening then I applaud them. I understand that Apple may think they’re protecting the consumer by creating a walled garden, but as a developer whose livelihood is tied to their decisions, I’m tired of being jerked around.

Previously: That 30% App Store Tax, 2 Years of App Subscriptions 2.0, App Store Subscriptions And You, Valve’s Steam Link App Rejected From the App Store.

Update (2018-09-08): See also: Merge Conflict.

Update (2018-12-31): Dan Gallagher:

Epic Games, the developer of the Battle Royale-style shooter game, is capitalizing on that popularity by launching its own app store. The company’s founder and CEO, Tim Sweeney, has long been critical of the app store business models propagated by Apple and Google, believing both companies take too large of a cut from app sales relative to the costs involved in running the stores.

Epic’s solution is to allow developers to keep 88% of the revenue their apps generate compared to the standard 70% allowed by Apple and Google. The first version of Epic’s store went live earlier this month for games designed for the PC and Mac and it has already had an impact on that end of the market.

A Deceitful “Doctor” in the Mac App Store

Nicole Nguyen (Hacker News, MacRumors, 9to5Mac, Wired, Techmeme):

Apple has removed a top Mac app called Adware Doctor, designed to “prevent malware and malicious files from infecting your Mac,” which, according to security researchers Patrick Wardle and Privacy 1st, was collecting users’ browsing history without their consent, violating Apple’s policies.

[…]

Adware Doctor, which costs $5, was the top paid app in the “Utilities” category, and the fifth top paid app overall, before it was removed Friday. The app appears to violate the App Store’s “Data Collection and Storage” guidelines, which prohibit developers from “surreptitiously discovering private data” or collecting data without consent. It is unclear whether customers who purchased the app will receive a refund.

Patrick Wardle (tweet):

Finally, the stellar reviews that are bestowed upon Adware Doctor (and other applications by the same developer) are likely fake, as the application is specifically discussed in the insightful post, “Mac AppStore apps with fake reviews”.

[…]

By editing the system’s /etc/hosts file we can redirect this request to a server we control and capture what Adware Doctor is trying to upload. And what do you think that might be? If you guessed the history.zip file you would be correct!

[…]

When Adware Doctor is executed for the first time, it requests access to the user’s home directory (~) and all files and directories underneath it as well[…]

[…]

Apple also claims that “if there’s ever a problem with an app, Apple can quickly remove it from the store”. Maybe the key word here is “can”.

A full month ago, we reported our findings to Apple, which they acknowledged, and promised to investigate[…]…since then, crickets!
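The /etc/hosts redirect Wardle describes above is a generic way to intercept an app’s upload without a proxy: point the upload hostname at a listener you control, let the app “succeed”, and inspect what arrived. The Python script below is an added example, not code from Wardle’s post, and it shows only the capture side: a local HTTP listener that records any POST and lists the contents of a captured zip. The upload host, path and archive contents are constructed placeholders (the page does not name the app’s real endpoint), and the “app” side is simulated in-process so the script runs offline.

```python
"""Capture an app's upload by redirecting its upload host to a local listener.

Added example; nothing here is Adware Doctor's real endpoint or Wardle's code.
"""
import io
import threading
import urllib.request
import zipfile
from http.server import BaseHTTPRequestHandler, HTTPServer

UPLOAD_HOST = "upload.example.invalid"  # hypothetical exfil hostname (placeholder)

# Each capture is (path, Host header, Content-Type header, raw body).
captured = []


def hosts_line(listener_ip="127.0.0.1"):
    """Line to append to /etc/hosts so UPLOAD_HOST resolves to our listener.

    Needs root, and macOS keeps a resolver cache, so after editing run:
      sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
    Remove the line again when done.
    """
    return f"{listener_ip} {UPLOAD_HOST}"


class CaptureHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        captured.append((self.path, self.headers.get("Host"),
                         self.headers.get("Content-Type"), body))
        # Reply 200 so the uploader believes the transfer worked and does not retry.
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet


def start_capture_server():
    """Bind 127.0.0.1 on a free port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), CaptureHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def build_fake_history_zip():
    """Constructed stand-in for the history.zip an app might upload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("safari_history.txt", "https://example.org/\nhttps://example.com/login\n")
        zf.writestr("chrome_history.txt", "https://example.net/\n")
    return buf.getvalue()


def simulate_upload(port, payload):
    """Play the role of the app: POST the archive with the redirected Host header."""
    req = urllib.request.Request(
        f"http://127.0.0.1:{port}/upload",
        data=payload,
        headers={"Content-Type": "application/zip", "Host": UPLOAD_HOST},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


def inspect_capture(body):
    """Return sorted member names of a captured zip, or [] if the body is not a zip."""
    if not zipfile.is_zipfile(io.BytesIO(body)):
        return []
    with zipfile.ZipFile(io.BytesIO(body)) as zf:
        return sorted(zf.namelist())


def run_capture_demo():
    """Start the listener, run the simulated upload against it, report what was caught."""
    srv = start_capture_server()
    try:
        status = simulate_upload(srv.server_address[1], build_fake_history_zip())
        path, host, ctype, body = captured[-1]
        return {"status": status, "path": path, "host": host,
                "content_type": ctype, "files": inspect_capture(body)}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(hosts_line())
    print(run_capture_demo())
```

Two caveats a practitioner will hit: the hosts-file trick only redirects name resolution, so if the app uploads over TLS and validates the certificate, the handshake fails and you need a certificate the app trusts (or a TLS-terminating proxy with a root installed on the test machine); and an app that hard-codes an IP address ignores /etc/hosts entirely, in which case a packet filter rule (`pfctl` on macOS) is the equivalent redirect.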

I’m not sure Wardle is correct that sandboxed apps are not supposed to be able to enumerate the running processes.

Update (2018-09-07): Thomas Reed (tweet):

There is a concerning trend lately in the Mac App Store. Several security researchers have independently found different apps that are collecting sensitive user data and uploading it to servers controlled by the developer. (This is referred to as exfiltrating the data.) Some of this data is actually being sent to Chinese servers, which may not be subject to the same stringent requirements around storage and protection of personally identifiable information as organizations based in the US or EU.

Jeff Johnson confirms that [[NSWorkspace sharedWorkspace] runningApplications] works in the sandbox.

Patrick Wardle:

Stoked that Apple has:

  • now removed the app (& dev’s others apps)
  • is adding extra sandboxing protection on “privacy-sensitive content like Safari history” in Mojave
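Wardle notes above that Adware Doctor asks for the whole home directory on first launch, and in his update that Mojave adds protection for privacy-sensitive content such as Safari history. Before looking at behaviour dynamically, a quick static check on any Mac App Store app is its sandbox entitlements: a sandboxed app that combines a user-selected-files grant, app-scoped bookmarks (to keep that grant across launches) and the network-client entitlement has everything it needs to read a folder the user hands it and send it out. The script below is an added example, not Apple’s tooling or anyone’s code from the page. The entitlement keys are Apple’s real App Sandbox keys; the sample plist is constructed for illustration and is not a claim about Adware Doctor’s actual entitlements, and the `codesign -d --entitlements :-` form assumed for reading a bundle is the output format of macOS of that era.

```python
"""Audit a sandboxed Mac app's entitlements for data reach.

Added example; the sample plist is constructed, not taken from any real app.
"""
import plistlib
import subprocess

# Apple App Sandbox entitlement keys (documented by Apple).
SANDBOX = "com.apple.security.app-sandbox"
NET_CLIENT = "com.apple.security.network.client"
USER_RO = "com.apple.security.files.user-selected.read-only"
USER_RW = "com.apple.security.files.user-selected.read-write"
BOOKMARKS = "com.apple.security.files.bookmarks.app-scope"

# Constructed sample shaped like `codesign -d --entitlements :- Some.app` output.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key>
  <true/>
  <key>com.apple.security.network.client</key>
  <true/>
  <key>com.apple.security.files.user-selected.read-write</key>
  <true/>
  <key>com.apple.security.files.bookmarks.app-scope</key>
  <true/>
</dict>
</plist>
"""


def parse_entitlements(raw):
    """Parse entitlements XML; tolerate anything codesign prints before the XML."""
    start = raw.find(b"<?xml")
    if start == -1:
        return {}
    return plistlib.loads(raw[start:])


def read_app_entitlements(app_path):
    """macOS only: fetch a bundle's entitlements (assumes the older ':-' output form)."""
    out = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", app_path],
        capture_output=True, check=True,
    ).stdout
    return parse_entitlements(out)


def assess(ents):
    """Summarise what the app can read, whether it keeps that grant, and whether it can talk out."""
    sandboxed = bool(ents.get(SANDBOX))
    user_files = bool(ents.get(USER_RW) or ents.get(USER_RO))
    persistent = bool(ents.get(BOOKMARKS))
    network = bool(ents.get(NET_CLIENT))
    if not sandboxed:
        reach = "not sandboxed: everything the user account can read"
    elif user_files:
        # An open panel for ~ hands over the whole home directory; on Mojave,
        # Safari history and similar data additionally need a consent prompt.
        reach = "any folder the user grants in an open panel"
    else:
        reach = "own container only"
    return {
        "sandboxed": sandboxed,
        "file_reach": reach,
        "persistent_grant": persistent,
        "network": network,
        # Can read user data and send it somewhere: worth a dynamic look.
        "exfil_capable": network and (not sandboxed or user_files),
    }


def report(ents):
    """One line per finding, suitable for eyeballing across /Applications."""
    a = assess(ents)
    lines = [f"sandboxed: {a['sandboxed']}", f"file reach: {a['file_reach']}"]
    if a["persistent_grant"]:
        lines.append("keeps granted folders across launches (app-scoped bookmarks)")
    if a["network"]:
        lines.append("outbound network allowed")
    lines.append("EXFIL-CAPABLE" if a["exfil_capable"] else "no obvious exfil path")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_entitlements(SAMPLE_ENTITLEMENTS))))
```

This is a triage filter, not proof of anything: most document-based apps legitimately need user-selected files plus network access. It tells you which apps deserve the dynamic check (watching what they open and where they connect), and it says nothing about an app that obtains data through a helper outside the sandbox.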

Update (2018-09-08): John Gruber (tweet):

We can’t expect the app review process to flag every bad actor, but I do think we should expect Apple to take action when a bad actor is found.

Third, why wasn’t this developer “Yongming Zhang” flagged years ago? Adware Doctor started out named “Adware Medic”, the same name as a legitimate successful app from Malwarebytes[…]

[…]

Even if Apple isn’t willing to commit the human resources to tackle review fraud across the entire App Store — a Sisyphean task at this point, to be sure — they surely ought to tackle it for popular apps, and Adware Doctor was very popular. This app’s success, sketchy description, and the developer’s history of bad behavior should have set off alarm bells inside Apple.

[…]

Lastly, what’s going on with all the copies of the app that have already been bought and installed? Do existing copies still run? Isn’t this exactly the sort of scenario where Apple should use the kill switch to remotely disable installed copies of the app?

Privacy 1st:

What is sad is that it was reported by me on 12th of August and Apple didn’t even care... Attached are email screenshots

Malcolm Owen:

A second app, Open Any Files, takes over a system’s ability to handle documents that are not associated with an existing app, using the opportunity to advertise other apps that supposedly could open files. Aside from the extra affiliate-based behavior, the app was also found to have similar characteristics to Adware Doctor, in acquiring the browsing and search history of Safari, Chrome, and Firefox, as well as the App Store.

While the app was reported to Apple in December 2017, it is still available to download from the Mac App Store.

Howard Oakley:

For the first time since its introduction, Apple has left XProtect without any updates for over five months; that’s more than 150 days. The last XProtect update was version 2099 pushed on 13 March 2018, when many of us were struggling through snow and ice instead of the current heat and drought.

Stephen Silver (Hacker News, TechCrunch, MacRumors):

According to a new report from GuardianApp, “a growing number of iOS apps have been used to covertly collect precise location histories from tens of millions of mobile devices, using packaged code provided by data monetization firms. In many cases, the packaged tracking code may run at all times, constantly sending user GPS coordinates and other information.”

Howard Oakley:

Having written quite a lot recently about Mojave’s new privacy protection, I have tended to gloss over the differences between privacy and security, why we need effective controls over both, and how those controls are so different. This article tries to explain using hypothetical examples as illustrations.

Update (2018-09-11): Howard Oakley (tweet):

I am stunned that Apple, a company which rightly refuses to sell cheap adaptor cables in its stores because it considers that we should only use high quality approved accessories, is continuing to sell (or give away, in some cases) four products which security researchers have demonstrated break Apple’s own rules, and grossly abuse the user’s privacy.

[…]

Can the App Store survive in its present form? Haven’t users finally lost faith in its bland assurance that its apps are screened and checked by Apple, and are ‘safe’ for us to use? When Apple has ignored the evidence of well-known security experts and failed to take action over these apps, how many others in the store might prove similarly malicious?

[…]

As of 0730 10 September 2018, Apple has finally removed the apps named above from its UK App Store, and apparently from its other App Stores too. However, there are still a lot of apps which need to be more thoroughly investigated as to their efficacy and legitimacy: search on adware for example to see a lot which make bold claims that would appear to be impossible under App Store rules.

Tom Reeve:

Dr Cleaner was reportedly removed from the Apple App Store on Friday and Dr Antivirus, also owned by Trend, was reportedly removed this morning.

Privacy 1st:

Update: Apple removed most of the TrendMicro apps including the fake developer account they had to promote the Open Any Files, which was reported as malware by @thomasareed from @Malwarebytes. Kudos to @Apple for fast action.

Thomas Reed:

Be suspicious of every single antivirus on the App Store. Even the legit ones are junk because of the limitations that will prevent them from detecting all threats.

Trend Micro:

Reports that Trend Micro is “stealing user data” and sending them to an unidentified server in China are absolutely false.

Trend Micro has completed an initial investigation of a privacy concern related to some of its MacOS consumer products. The results confirm that Dr Cleaner, Dr Cleaner Pro, Dr. Antivirus, Dr. Unarchiver, Dr. Battery, and Duplicate Finder collected and uploaded a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation. This was a one-time data collection, done for security purposes (to analyze whether a user had recently encountered adware or other threats, and thus to improve the product & service). The data collected was explicitly identified to the customer in the data collection policy and is highlighted to the user during the install. The browser history data was uploaded to a U.S.-based server hosted by AWS and managed/controlled by Trend Micro.

Thomas Reed:

It’s hard to verify after the apps were removed, but I explicitly looked for in-app data collection notification and did not find any.

Howard Oakley:

Unlike another app which stole private data, Adware Doctor, which has also been taken down from the App Store, these three aren’t from a near-anonymous developer, but a multi-national corporation specialising in ‘cybersecurity’.

Trend Micro Inc. is a publicly quoted corporation (KK) headquartered in Tokyo, founded nearly thirty years ago, with almost six thousand employees worldwide, and revenue (2017) of ¥148.8 billion. Surely, this isn’t the sort of company to be involved in the secretive collection of private data including full browser histories?

Liam Tung (via Hacker News):

The company notes that it disclosed this data collection in its end-user license agreements and that browser history data was uploaded to a US server hosted by Amazon Web Services and managed by Trend Micro.

Trend Micro blamed the behavior on the use of common code libraries and has now removed the browser data collection feature and deleted logs stored on the AWS servers.

Update (2018-09-14): Graham Cluley:

In short, Trend Micro says that the code was designed to help the software determine if users had recently encountered online threats - and yet the code was also incorporated into products which were not security-related.

Dr Battery, for instance, is an app that purports to offer real-time monitoring of your Mac’s battery and determine which apps are draining resources the most. Why on earth would that need to take a gander at your browsing history?

[…]

Shared code libraries that aren’t actually required by a program to perform its function increase the threat surface, introduce security and privacy vulnerabilities that could impact your customers, and - potentially - give more opportunities for hackers to strike.

Adam Engst:

What could possibly be the excuse for a company that advertises itself as “a global leader in cybersecurity solutions” to engage in such behavior, which is not just a serious ethical lapse, but a clear violation of Apple’s App Store policies? And if Apple is going to claim that the App Store approval process protects users, it clearly needs to do a better job.