Apple’s increasingly tricky international trade-offs

Far from Apple’s troubles in emerging markets and China, the company is attracting the ire of what should really be a core supporter demographic naturally aligned with the pro-privacy stance CEO Tim Cook has made into his public soapbox in recent years — but which is instead crying foul over perceived hypocrisy.

The problem for this subset of otherwise loyal European iPhone users is that Apple isn’t offering enough privacy.

These users want more choice over key elements such as the search engine that can be set as the default in Safari on iOS (Apple currently offers four choices: Google, Yahoo, Bing and DuckDuckGo, all U.S. search engines; and with ad tech giant Google set as the default).

It is also being called out over other default settings that undermine its claims to follow a privacy-by-design philosophy, such as the iOS location services setting which, once enabled, non-transparently flips an associated sub-menu of settings — including location-based Apple ads. Yet bundled consent is never the same as informed consent…

As the saying goes you can’t please all of the people all of the time. But the new normal of a saturated smartphone market is imposing new pressures that will require a reconfiguration of approach.

Certainly the challenges of revenue growth and user retention are only going to step up from here on in. So keeping an otherwise loyal base of users happy and — crucially — feeling listened to and well served is going to be more and more important for the tech giant as the back and forth business of services becomes, well, essential to its fortunes going forward.

(At least barring some miracle new piece of Apple hardware — yet to be unboxed but which somehow rekindles smartphone-level demand afresh. That’s highly unlikely in any medium term timeframe given how versatile and capable the smartphone remains; ergo Apple’s greatest success is now Apple’s biggest challenge.)

With smartphone hardware replacement cycles slowing, the pressure on Cook to accelerate services revenue naturally steps up — which could in turn increase pressure on the core principles Cupertino likes to flash around.

Yet without principles there can be no brand premium for Apple to command. So that way ruin absolutely lies.

Control shift

It’s true that controlling the iOS experience by applying certain limits to deliver mainstream consumer friendly hardware served Apple well for years. But it’s also true iOS has grown in complexity over time having dropped some of its control freakery.

Elements that were previously locked down have been opened up — like the keyboard, for instance, allowing for third party keyboard apps to be installed by users that wish to rethink how they type.

This shift means the imposed limit on which search engines users can choose to set as an iOS default looks increasingly hard for Apple to justify from a user experience point of view.

Though of course from a business PoV Apple benefits by being able to charge Google a large sum of money to remain in the plum search default spot. (Reportedly a very large sum, though claims that the 2018 figure was $9BN have not been confirmed. Unsurprisingly neither party wants to talk about the terms of the transaction.)

The problem for Apple is that indirectly benefiting from Google eroding the user privacy it claims to champion — by letting the ad tech giant pay it to suck up iOS users’ search queries by default — is hardly consistent messaging.

Not when privacy is increasingly central to the premium the Apple brand commands.

Cook has also made a point of strongly and publicly attacking the ‘data industrial complex‘. Yet without mentioning the inconvenient side-note that Apple also engages in trading user data for profit in some instances, albeit indirectly.

In 2017 Apple switched from using Bing to Google for Siri web search results. So even as it has stepped up its rhetoric around user privacy it has deepened its business relationship with one of the Western Internet’s primary data suckers.

All of which makes for a very easy charge of hypocrisy.

Of course Apple offers iOS users a non-tracking search engine choice, DuckDuckGo, as an alternative choice — and has done so since 2014’s iOS 8.

Its support for a growing but still very niche product in what are mainstream consumer devices is an example of Apple being true to its word and actively championing privacy.

The presence of the DDG startup alongside three data-mining tech giants has allowed those ‘in the know’ iOS users to flip the bird at Google for years, meaning Apple has kept privacy conscious consumers buying its products (if not fully on side with all its business choices).

But that sort of compromise position looks increasingly difficult for Apple to defend.

Not if it wants privacy to be the clear blue water that differentiates its brand in an era of increasingly cut-throat and cut-price Android-powered smartphone competition that’s serving up much the same features at a lower up-front price thanks to all the embedded data-suckers.

There is also the not-so-small matter of the inflating $1,000+ price-tags on Apple’s top-of-the-range iPhones. $1,000+ for a smartphone that isn’t selling your data by default might still sound very pricy but at least you’d be getting something more than just shiny glass for all those extra dollars. But the iPhone isn’t actually that phone. Not by default.

Apple may be taking a view that the most privacy sensitive iPhone users are effectively a captive market with little option but to buy iOS hardware, given the Google-flavored Android competition. Which is true but also wouldn’t bode well for the chances of Apple upselling more services to these people to drive replacement revenue in a saturated smartphone market.

Offending those consumers who otherwise could be your very best, most committed and bought in users seems short-sighted and short-termist to say the least.

Although removing Google as the default search provider in markets where it dominates would obviously go massively against the mainstream grain that Apple’s business exists to serve.

This logic says Google is in the default position because, for most Internet users, Google search remains their default.

Indeed, Cook rolled out this exact line late last year when asked to defend the arrangement in an interview with Axios on HBO — saying: “I think their search engine is the best.”

He also flagged various pro-privacy features Apple has baked into its software in recent years, such as private browsing mode and smart tracker prevention, which he said work against the data suckers.

Albeit, that’s a bit like saying you’ve scattered a few garlic cloves around the house after inviting the thirsty vampire inside. And Cook readily admitted the arrangement isn’t “perfect”.

Clearly it’s a trade off. But Apple benefitting financially is what makes this particular trade-off whiff.

It implies Apple does indeed have an eye on quarterly balance sheets, and the increasingly important services line item specifically, in continuing this imperfect but lucrative arrangement — rather than taking a longer term view as the company purports to, per Cook’s letter to shareholders this week; in which he wrote: “We manage Apple for the long term, and Apple has always used periods of adversity to re-examine our approach, to take advantage of our culture of flexibility, adaptability and creativity, and to emerge better as a result.”

If Google’s search product is the best and Apple wants to take the moral high ground over privacy by decrying the surveillance industrial complex it could maintain the default arrangement in service to its mainstream base but donate Google’s billions to consumer and digital rights groups that fight to uphold and strengthen the privacy laws that people-profiling ad tech giants are butting hard against.

Apple’s shareholders might not like that medicine, though.

More palatable for investors would be for Apple to offer a broader choice of alternative search engines, thereby widening the playing field and opening up to more pro-privacy Google alternatives.

It could also design this choice in a way that flags up the trade-off to its millions of users. Such as, during device set-up, proactively asking users whether they want to keep their Internet searches private by default or use Google?

When put like that rather more people than you imagine might choose not to opt for Google to be their search default.

Non-tracking search engine DDG has been growing steadily for years, for example, hitting 30M daily searches last fall — with year-on-year growth of ~50%.

Given the terms of the Apple-Google arrangement sit under an NDA (as indeed all these arrangements do; DDG told us it couldn’t share any details about its own arrangement with Apple, for example) it’s not clear whether one of Google’s conditions requires there be a limit on how many other search engines iOS users can pick from.

But it’s at least a possibility that Google is paying Apple to limit how many rivals sit in the list of competitors from which iOS users can pick an alternative default. (It has, after all, recently been spanked in Europe for anti-competitive contractual limits imposed on Android OEMs to limit their ability to use alternatives to Google products, including search. So you could say Google has history where search is concerned.)

Equally, should Google actually relaunch a search product in China — as it’s controversially been toying with doing — it’s likely the company would push Apple to give it the default slot there too.

Though Apple would have more reason to push back, given Google would likely remain a minnow in that market. (Apple currently defaults to local search giant Baidu for iOS users in China.)

So even the current picture around search on iOS is a little more fuzzy than Cook likes to make out.

Local flavor

China is an interesting case, because if you look at Apple’s growth challenges in that market you could come to a very different conclusion vis-a-vis the power of privacy as a brand premium.

In China it’s convenience, via the do-it-all ‘Swiss army knife’ WeChat platform, that’s apparently the driving consumer force — and now also a headwind for Apple’s business there.

At the same time, the idea of users in the market having any kind of privacy online — when Internet surveillance has been imposed and ‘normalized’ by the state — is essentially impossible to imagine.

Yet Apple continues doing business in China, netting it further charges of hypocrisy.

Its revised guidance this week merely spotlights how important China and emerging markets are to its business fortunes. A principled pull-out hardly looks to be on the cards.

All of which underscores growing emerging market pressures on Apple that might push harder against its stated principles. What price privacy indeed?

It’s clear that carving out growth in a saturated smartphone market is going to be an increasingly tricky business for all players, with the risk of fresh trade-offs and pitfalls looming especially for Apple.

Negotiating this terrain certainly demands a fresh approach, as Cook implies is on his mind, per the shareholder letter.

Arguably the new normal may also call for an increasingly localized approach as a way to differentiate in a saturated and samey smartphone market.

The old Apple ‘one-size-fits-all’ philosophy is already very outdated for some users and risks being caught flat-footed on a growing number of fronts — be that if your measure is software ‘innovation’ or a principled position on privacy.

An arbitrary limit on the choice of search engine your users can pick seems a telling example. Why not offer iOS users a free choice?

Or are Google’s billions really standing in the way of that?

It’s certainly an odd situation that iPhone owners in France, say, can pick from a wide range of keyboard apps — from mainstream names to superficial bling-focused glitter and/or neon LED keyboard skins or indeed emoji and GIF-obsessed keyboards — but if they want to use locally developed pro-privacy search engine Qwant on their phone’s native browser they have to tediously surf to the company’s webpage every time they want to look something up.

Google search might be the best for a median average ‘global’ (excluding China) iOS user but in an age of increasingly self-focused and self-centred technology, with ever more demanding consumers, there’s really no argument against letting people who want to choose for themselves.

In Europe there’s also the updated data protection framework, GDPR, to consider. Which may yet rework some mainstream ad tech business models.

On this front Qwant questions how even non-tracking rival DDG can protect users’ searches from government surveillance given its use of AWS cloud hosting and the U.S. Cloud Act. (Though, responding to a discussion thread about the issue on GitHub two years ago, DDG’s founder noted it has servers around the world, writing: “If you are in Europe you will be connected to our European servers.” He also reiterated that DDG does not collect any personal data from users — thereby limiting what could be extracted from AWS via the Act.)

Asked what reception it’s had when asking about getting its search engine on the Safari iOS list, Qwant told us the line that’s been (indirectly) fed back to it is “we are too European according to Apple”. (Apple declined to comment on the search choices it offers iOS users.)

“I have to work a lot to be more American,” Qwant co-founder and CEO Eric Leandri told us, summing up the smoke signals coming out of Cupertino.

“I understand that Apple wants to give the same kind of experience to their customers… but I would say that if I was Apple now, based on the politics that I want to follow — about protecting the privacy of customers — I think it would be great to start thinking about Europe as a market where people have a different point of view on their data,” he continued.

“Apple has done a lot of work to, for example, not let applications give data to each by a very strict [anti-tracking policy]; Apple has done a lot of work to guarantee that cookies and tracking is super difficult on iOS; and now the last problem of Apple is Google search.”

“So I hope that Apple will look at our proposal in a different way — not just one-fits-all. Because we don’t think that one-fits-all today,” he added.

Qwant too, then, is hoping for a better Apple to emerge as a result of a little market adversity.

Safari and iOS bug reveals your browsing activity and ID in real time


For the past four months, Apple’s iOS and iPadOS devices and Safari browser have violated one of the Internet’s most sacrosanct security policies. The violation results from a bug that leaks user identities and browsing activity in real time.

The same-origin policy is a foundational security mechanism that forbids documents, scripts, or other content loaded from one origin—meaning the protocol, domain name, and port of a given webpage or app—from interacting with resources from other origins. Without this policy, malicious sites—say, badguy.example.com—could access login credentials for Google or another trusted site when it’s open in a different browser window or tab.

Obvious privacy violation

Since September’s release of Safari 15 and iOS and iPadOS 15, this policy has been broken wide open, research published late last week found. As a demo site graphically reveals, it’s trivial for one site to learn the domains of sites open in other tabs or windows, as well as user IDs and other identifying information associated with the other sites.

“The fact that database names leak across different origins is an obvious privacy violation,” Martin Bajanik, a researcher at security firm FingerprintJS, wrote. He continued:

It lets arbitrary websites learn what websites the user visits in different tabs or windows. This is possible because database names are typically unique and website-specific. Moreover, we observed that in some cases, websites use unique user-specific identifiers in database names. This means that authenticated users can be uniquely and precisely identified.

Attacks work on Macs running Safari 15 and on any browser running on iOS or iPadOS 15. As the demo shows, safarileaks.com is able to detect the presence of more than 20 websites—Google Calendar, YouTube, Twitter, and Bloomberg among them—open in other tabs or windows. With more work, a real-world attacker could likely find hundreds or thousands of sites or webpages that can be detected.

When users are logged in to one of these sites, the vulnerability can be abused to reveal the visit and, in many cases, identifying information in real time. When logged in to a Google account open elsewhere, for instance, the demo site can obtain the internal identifier Google uses to identify each account. Those identifiers can usually be used to recognize the account holder.

Raising awareness

The leak is the result of the way the WebKit browser engine implements IndexedDB, a programming interface supported by all major browsers. It holds large amounts of data and works by creating databases when a new site is visited. Tabs or windows that run in the background can continually query the IndexedDB API for available databases. This allows one site to learn in real time what other websites a user is visiting.

Websites can also open any website in an iframe or pop-up window in order to trigger an IndexedDB-based leak for that specific site. By embedding the iframe or popup into its HTML code, a site can open another site in order to cause an IndexedDB-based leak for the site.

“Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session,” Bajanik wrote. “Windows and tabs usually share the same session, unless you switch to a different profile, in Chrome for example, or open a private window.”
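As an added example (not code from the article or from FingerprintJS), here is the site-side half of the mitigation: keep user identifiers out of IndexedDB database names, since on an affected browser the names, but not the records inside, were readable from other origins. The database name, store name, key format and the identifier-detection patterns are assumptions for illustration.

```javascript
// Added example, not from the article or FingerprintJS: a site-side
// mitigation for the Safari 15 IndexedDB name leak described above.
// Because database *names* were visible across origins, a name built
// from a user identifier became a cross-origin identity leak. A site
// cannot stop the browser from revealing that it was visited, but it
// can keep user identifiers out of the names it creates.

// Heuristics for names that look like they embed a user identifier.
// These patterns are assumptions for illustration, not FingerprintJS's.
const IDENTIFYING_PATTERNS = [
  /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/,                      // e-mail address
  /\b\d{8,}\b/,                                                           // long numeric account id
  /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/i,   // UUID
  /\b[0-9a-f]{32,}\b/i,                                                   // long hex token
];

function isIdentifyingDbName(name) {
  return IDENTIFYING_PATTERNS.some((re) => re.test(name));
}

// Before: one database per user, with the id in the name. On an affected
// browser every other open tab could read this name via indexedDB.databases().
function leakyDbName(userId) {
  return `app-user-${userId}`;
}

// After: one fixed database name per site (assumed name); user scoping
// moves into the record keys, which the leak did not expose.
const SAFE_DB_NAME = 'app-data';
const STORE_NAME = 'records';

function userScopedKey(userId, recordKey) {
  return `${userId}::${recordKey}`;
}

// Audit helper for a site's own code: which of the database names it
// creates would have identified the user to other origins?
function auditDbNames(names) {
  return names.filter(isIdentifyingDbName);
}

// Browser-only: open the fixed-name database and store a record under a
// user-scoped key. Guarded so this module also loads where indexedDB is absent.
function putUserRecord(userId, recordKey, value) {
  if (typeof indexedDB === 'undefined') {
    return Promise.reject(new Error('indexedDB is not available here'));
  }
  return new Promise((resolve, reject) => {
    const req = indexedDB.open(SAFE_DB_NAME, 1);
    req.onupgradeneeded = () => req.result.createObjectStore(STORE_NAME);
    req.onerror = () => reject(req.error);
    req.onsuccess = () => {
      const db = req.result;
      const tx = db.transaction(STORE_NAME, 'readwrite');
      tx.objectStore(STORE_NAME).put(value, userScopedKey(userId, recordKey));
      tx.oncomplete = () => { db.close(); resolve(); };
      tx.onerror = () => reject(tx.error);
    };
  });
}
```

Note that this only removes the identity part of the leak; the presence of the site's fixed database name still told other origins that the site was open, which only the WebKit fix addresses.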

How IndexedDB in Safari 15 leaks your browsing activity (in real time).

Bajanik said he notified Apple of the vulnerability in late November, and as of publication time, it still had not been fixed in either Safari or the company’s mobile OSes. Apple representatives didn’t respond to an email asking if or when it would release a patch. As of Monday, Apple engineers had merged potential fixes and marked Bajanik’s report as resolved. End users, however, won’t be protected until the WebKit fix is incorporated into Safari 15 and iOS and iPadOS 15.

For now, people should be wary when using Safari for desktop or any browser running on iOS or iPadOS. This isn’t especially helpful for iPhone or iPad users, and in many cases, there’s little or no consequence of browsing activities being leaked. In other situations, however, the specific sites visited and the order in which they were accessed can say a lot.

“The only real protection is to update your browser or OS once the issue is resolved by Apple,” Bajanik wrote. “In the meantime, we hope this article will raise awareness of this issue.”

Microsoft warns of destructive disk wiper targeting Ukraine


Over the past few months, geopolitical tensions have escalated as Russia amassed tens of thousands of troops along Ukraine’s border and made subtle but far-reaching threats if Ukraine and NATO don’t agree to Kremlin demands.

Now, a similar dispute is playing out in cyber arenas, as unknown hackers late last week defaced scores of Ukrainian government websites and left a cryptic warning to Ukrainian citizens who attempted to receive services.

Be afraid and expect the worst

“All data on the computer is being destroyed, it is impossible to recover it,” said a message, written in Ukrainian, Russian, and Polish, that appeared late last week on at least some of the infected systems. “All information about you has become public, be afraid and expect the worst.”

Around the same time, Microsoft said in a post over the weekend, “destructive” malware with the ability to permanently destroy computers and all data stored on them began appearing on the networks of dozens of government, nonprofit, and information technology organizations, all based in Ukraine. The malware—which Microsoft is calling Whispergate—masquerades as ransomware and demands $10,000 in bitcoin for data to be restored.

But Whispergate lacks the means to distribute decryption keys and provide technical support to victims, traits that are found in virtually all working ransomware deployed in the wild. It also overwrites the master boot record—a part of the hard drive that starts the operating system during bootup.

“Overwriting the MBR is atypical for cybercriminal ransomware,” members of the Microsoft Threat Intelligence Center wrote in Saturday’s post. “In reality, the ransomware note is a ruse and that the malware destructs MBR and the contents of the files it targets. There are several reasons why this activity is inconsistent with cybercriminal ransomware activity observed by MSTIC.”

Over the weekend, Serhiy Demedyuk, deputy head of Ukraine’s National Security and Defense Council, told news outlets that preliminary findings from a joint investigation of several Ukrainian state agencies show that a threat actor group known as UNC1151 was likely behind the defacement hack. The group, which researchers at security firm Mandiant have linked to the government of Russian ally Belarus, was behind an influence campaign named Ghostwriter.

Ghostwriter worked by using phishing emails and theft domains that spoof legitimate websites such as Facebook to steal victim credentials. With control of content management systems belonging to news sites and other heavily trafficked properties, UNC1151 “primarily promoted anti-NATO narratives that appeared intended to undercut regional security cooperation in operations targeting Lithuania, Latvia, and Poland,” authors of the Mandiant report wrote.

All evidence points to Russia

Ukrainian officials said UNC1151 was likely working on behalf of Russia when it used its skill in harvesting credentials and infiltrating websites to deface Ukraine’s government sites. In a statement, they wrote:

As of now, we can say that all the evidence points to the fact that Russia is behind the cyber attack. Moscow continues to wage a hybrid war and is actively building forces in the information and cyberspace.

Russia’s cyber-troops are often working against the United States and Ukraine, trying to use technology to shake up the political situation. The latest cyber attack is one of the manifestations of Russia’s hybrid war against Ukraine, which has been going on since 2014.

Its goal is not only to intimidate society. And to destabilize the situation in Ukraine by stopping the work of the public sector and undermining the confidence in the government on the part of Ukrainians. They can achieve this by throwing fakes into the infospace about the vulnerability of critical information infrastructure and the “drain” of personal data of Ukrainians.

Damage assessment

There were no immediate reports of the defacements having a destructive effect on government networks, although Reuters on Monday reported Ukraine’s cyber police found that last week’s defacement appeared to have destroyed “external information resources.”

“A number of external information resources were manually destroyed by the attackers,” the police said, without elaborating. The police added: “It can already be argued that the attack is more complex than modifying the homepage of websites.”

Microsoft, meanwhile, didn’t say if the destructive data wiper it found on Ukrainian networks had merely been installed for potential use later on or if it had actually been executed to wreak havoc.

There’s no proof that the Russian government had any involvement in the wiper malware or the website defacement, and Russian officials have flatly denied it. But given past events, Russian involvement wouldn’t be a surprise.

In 2017, a massive outbreak of malware initially believed to be ransomware shut down computers around the world and resulted in $10 billion in total damages, making it the most costly cyberattack ever.

NotPetya initially spread through a legitimate update module of M.E.Doc, a tax-accounting application that’s widely used in Ukraine. Both Ukrainian and US government officials have said Russia was behind the attacks. In 2020, federal prosecutors charged four Russian nationals for alleged hacking crimes involving NotPetya.

Backdoor for Windows, macOS, and Linux went undetected until now

Researchers have uncovered a never-before-seen backdoor written from scratch for systems running Windows, macOS, or Linux that remained undetected by virtually all malware scanning engines.

Researchers from security firm Intezer said they discovered SysJoker—the name they gave the backdoor—on the Linux-based web server of a “leading educational institution.” As the researchers dug in, they found SysJoker versions for both Windows and macOS as well. They suspect the cross-platform malware was unleashed in the second half of last year.

The discovery is significant for several reasons. First, fully cross-platform malware is something of a rarity, with most malicious software being written for a specific operating system. The backdoor was also written from scratch and made use of four separate command-and-control servers, an indication that the people who developed and used it were part of an advanced threat actor that invested significant resources. It’s also unusual for previously unseen Linux malware to be found in a real-world attack.

Analyses of the Windows version (by Intezer) and the version for Macs (by researcher Patrick Wardle) found that SysJoker provides advanced backdoor capabilities. Executable files for both the Windows and macOS versions had the suffix .ts. Intezer said that may be an indication the file masqueraded as a TypeScript app spread after being sneaked into the npm JavaScript repository. Intezer went on to say that SysJoker masquerades as a system update.

Wardle, meanwhile, said the .ts extension may indicate the file masqueraded as video transport stream content. He also found that the macOS file was digitally signed, though with an ad-hoc signature.

SysJoker is written in C++, and as of Tuesday, the Linux and macOS versions were fully undetected on the VirusTotal malware search engine. The backdoor generates its control-server domain by decoding a string retrieved from a text file hosted on Google Drive. During the time the researchers were analyzing it, the server changed three times, indicating the attacker was active and monitoring for infected machines.

Based on organizations targeted and the malware’s behavior, Intezer’s assessment is that SysJoker is after specific targets, most likely with the goal of “​​espionage together with lateral movement which might also lead to a ransomware attack as one of the next stages.”
