Biz & IT

Review: Apple’s iPhone XR is a fine young cannibal

This iPhone is great. It is most like the last iPhone — but not the last “best” iPhone — more like the last not as good iPhone. It’s better than that one though, just not as good as the newest best iPhone or the older best iPhone.

If you’re upgrading from an iPhone 7 or iPhone 8, you’re gonna love it and likely won’t miss any current features while also getting a nice update to a gesture-driven phone with Face ID. But don’t buy it if you’re coming from an iPhone X, you’ll be disappointed as there are some compromises from the incredibly high level of performance and quality in Apple’s last flagship, which really was pushing the envelope at the time.

From a consumer perspective, this is offering a bit of choice that targets the same kind of customer who bought the iPhone 8 instead of the iPhone X last year. They want a great phone with a solid feature set and good performance but are not obsessed with ‘the best’ and likely won’t notice any of the things that would bug an iPhone X user about the iPhone XR.

On the business side, Apple is offering the iPhone XR to make sure there is no pricing umbrella underneath the iPhone XS and iPhone XS Max, and to make sure that the pricing curve is smooth across the iPhone line. It’s not so much a bulwark against low-end Android; that’s why the iPhone 8 and iPhone 7 are sticking around at those low prices.

Instead it’s offering an ‘affordable’ option that’s similar in philosophy to the iPhone 8’s role last year but with some additional benefits in terms of uniformity. Apple gets to move more of its user base to a fully gesture-oriented interface, as well as giving them Face ID. It benefits from more of its pipeline being dedicated to devices that share a lot of components like the A12 and True Depth camera system. It’s also recognizing the overall move towards larger screens in the market.

If Apple was trying to cannibalize sales of the iPhone XS, it couldn’t have created a better roasting spit than the iPhone XR.

Screen

Apple says that the iPhone XR has ‘the most advanced LCD ever in a smartphone’ — their words.

The iPhone XR’s screen is an LCD, not an OLED. This is one of the biggest differences between the iPhone XR and the iPhone XS models, and while the screen is one of the best LCDs I’ve ever seen, it’s not as good as the other models. Specifically, I believe that the OLED’s ability to display true black and display deeper color (especially in images that are taken on the new XR cameras in HDR) set it apart easily.

That said, I have a massive advantage in that I am able to hold the screens side by side to compare images. Simply put, if you don’t run them next to one another, this is a great screen. Given that the iPhone XS models have perhaps the best displays ever made for a smartphone, coming in a very close second isn’t a bad place to be.

A lot of nice advancements have been made here over earlier iPhone LCDs. You get True Tone, faster 120Hz touch response and wide color support. All on a 326 ppi stage that’s larger than the iPhone 8 Plus in a smaller body. You also now get tap-to-wake, another way Apple is working hard to unify the design and interaction language of its phones across the lineup.

All of these advancements don’t come for free to an LCD. There was a lot of time, energy and money spent getting the older technology to work as absolutely closely as possible to the flagship models. It’s rare to the point of non-existence that companies care at all to put in the work to make the lower end devices feel as well worked as the higher end ones. For as much crap as Apple gets about withholding features to get people to upsell, there is very little of that happening with the iPhone XR, quite the opposite really.

There are a few caveats here. First, 3D touch is gone, replaced by ‘Haptic Touch’ which Apple says works similarly to the MacBook’s track pad. It provides feedback from the iPhone’s Taptic vibration engine to simulate a ‘button press’ or trigger. In practice, the reality of the situation is that it is a very prosaic ‘long press to activate’ more than anything else. It’s used to trigger the camera on the home screen and the flashlight, and Apple says it’s coming to other places throughout the system as it sees it appropriate and figures out how to make it feel right.

I’m not a fan. I know 3D touch has its detractors, even among the people I’ve talked to who helped build it, but I think it’s a clever utility that has a nice snap to it when activating quick actions like the camera. In contrast, on the iPhone XR you must tap and hold the camera button for about a second and a half — no pressure sensitivity here obviously — as the system figures out that this is an intentional press by determining duration, touch shape and spread, etc., and then triggers the action. You still get the feedback, which is nice, but it feels disconnected and slow. It’s the best case scenario without the additional 3D touch layer, but it’s not ideal.

I’d also be remiss if I didn’t mention that the edges of the iPhone XR screen have a slight dimming effect that is best described as a ‘drop shadow’. It’s wildly hard to photograph but imagine a very thin line of shadow around the edge of the phone that gets more pronounced as you tilt it and look at the edges. It’s likely an effect of the way Apple was able to get a nice sharp black drop-off at the edges that gets that to-the-edges look of the iPhone XR’s screen.

Apple is already doing a ton of work rounding the corners of the LCD screen to make them look smoothly curved (this works great and is nearly seamless unless you bust out the magnifying loupe) and it’s doing some additional stuff around the edge to keep it looking tidy. They’ve doubled the number of LEDs in the screen to make that dithering and the edging possible.

Frankly, I don’t think most people will ever notice this slight shading of dark around the edge — it is very slight — but when the screen is displaying mostly white and it’s next to the iPhone XS it’s visible.

Oh, the bezels are bigger. It makes the front look slightly less elegant and screenful than the iPhone XS, but it’s not a big deal.

Camera

Yes, the portrait mode works. No, it’s not as good as the iPhone XS. Yes, I miss having a zoom lens.

All of those things are true and easily the biggest reason I won’t be buying an iPhone XR. However, in the theme of Apple working its hardest to make even its ‘lower end’ devices work and feel as much like its best, it’s really impressive what has been done here.

The iPhone XR’s front-facing camera array is identical to what you’ll find in the iPhone XS. Which is to say it’s very good.

The rear facing camera is where it gets interesting, and different.

The rear camera is a single lens and sensor that is both functionally and actually identical to the wide angle lens in the iPhone XS. It’s the same sensor, the same optics, the same 27mm wide-angle frame. You’re going to get great ‘standard’ pictures out of this. No compromises.

However, I found myself missing the zoom lens a lot. This is absolutely a your mileage may vary scenario, but I take the vast majority of my pictures with the telephoto lens. Looking back at my year with the iPhone X I’d say north of 80% of my pictures were shot with the telephoto, even if they were close ups. I simply prefer the “52mm” equivalent with its nice compression and tight crop. It’s just a better way to shoot than a wide angle — as any photographer or camera company will tell you because that’s the standard (equivalent) lens that all cameras have shipped with for decades.

Wide angle lenses were always a kludge in smartphones and it’s only in recent years that we’ve started getting decent telephotos. If I had my choice, I’d default to the tele and have a button to zoom out to the wide angle, that would be much nicer.

But with the iPhone XR you’re stuck with the wide — and it’s a single lens at that, without the two different perspectives Apple normally uses to gather its depth data to apply the portrait effect.

So they got clever. iPhone XR portrait images still contain a depth map that determines foreground, subject and background, as well as the new segmentation map that handles fine detail like hair. While the segmentation maps are roughly identical, the depth maps from the iPhone XR are nowhere as detailed or information rich as the ones that are generated by the iPhone XS.

See the two maps compared here, the iPhone XR’s depth map is far less aware of the scene depth and separation between the ‘slices’ of distance. It means that the overall portrait effect, while effective, is not as nuanced or aggressive.

In addition, the iPhone XR’s portrait mode only works on people. You’re also limited to just a couple of the portrait lighting modes: studio and contour.

In order to accomplish portrait mode without the twin lens perspective, Apple is doing facial landmark mapping and image recognition work to determine that the subject you’re shooting is a person. It’s doing depth acquisition by acquiring the map using a continuous real-time buffer of information coming from the focus pixels embedded in the iPhone XR’s sensor that it is passing to the A12 Bionic’s Neural Engine. Multiple neural nets analyze the data and reproduce the depth effect right in the viewfinder.

When you snap the shutter it combines the depth data, the segmentation map and the image data into a portrait shot instantaneously. You’re able to see the effect immediately. It’s wild to see this happen in real time and it boggles thinking about the horsepower needed to do this. By comparison, the Pixel 3 does not do real time preview and takes a couple of seconds to even show you the completed portrait shot once it’s snapped.

It’s a bravura performance in terms of silicon. But how do the pictures look?

I have to say, I really like the portraits that come out of the iPhone XR. I was ready to hate on the software-driven solution they’d come up with for the single lens portrait but it’s pretty damn good. The depth map is not as ‘deep’ and the transitions between out of focus and in focus areas are not as wide or smooth as they are on iPhone XS, but it’s passable. You’re going to get more funny blurring of the hair, more obvious hard transitions between foreground and background and that sort of thing.

And the wide angle portraits are completely incorrect from an optical compression perspective (nose too large, ears too small). Still, they are kind of fun in an exaggerated way. Think of the way your face looks when you get too close to your front camera.

If you take a ton of portraits with your iPhone, the iPhone XS is going to give you a better chance of getting a great shot with a ton of depth that you can play with to get the exact look that you want. But as a solution that leans hard on the software and the Neural Engine, the iPhone XR’s portrait mode isn’t bad.

Performance

Unsurprisingly, given that it has the exact same A12 Bionic processor, the iPhone XR performs almost identically to the iPhone XS in tests. Even though it features 3GB of RAM to the iPhone XS’ 4GB, the overall situation here is that you’re getting a phone that is damn near identical as far as speed and capability. If you care most about core features and not the camera or screen quirks, the iPhone XR does not offer many, if any, compromises here.

Size

The iPhone XR is the perfect size. If Apple were to make only one phone next year, they could just make it XR-sized and call it good. Though I am now used to the size of the iPhone X, a bit of extra screen real-estate is much appreciated when you do a lot of reading and email. Unfortunately, the iPhone XS Max is a two-handed phone, period. The increase in vertical size is lovely for reading and viewing movies, but it’s hell on reachability. Stretching to the corners with your thumb is darn near impossible and to complete even simple actions like closing a modal view inside an app it’s often easiest (and most habitual) to just default to two hands to perform those actions.

For those users that are ‘Plus’ addicts, the XS Max is an exercise in excess. It’s great as a command center for someone who does most of their work on their iPhones or in scenarios where it’s their only computer. My wife, for instance, has never owned her own computer and hasn’t really needed a permanent one in 15 years. For the last 10 years, she’s been all iPhone, with a bit of iPad thrown in. I myself am now on a XS Max because I also do a huge amount of my work on my iPhone and the extra screen size is great for big email threads and more general context.

But I don’t think Apple has done enough to capitalize on the larger screen iPhones in terms of software — certainly not enough to justify two-handed operation. It’s about time iOS was customized thoroughly for larger phones beyond a couple of concessions to split-view apps like Mail.

That’s why the iPhone XR’s size comes across as such a nice compromise. It’s absolutely a one-handed phone, but you still get some extra real-estate over the iPhone XS and the exact same amount of information appears on the iPhone XR’s screen as on the iPhone XS Max in a phone that is shorter enough to be thumb friendly.

Color

Apple’s industrial design chops continue to shine with the iPhone XR’s color finishes. My tester iPhone was the new Coral color and it is absolutely gorgeous.

The way Apple is doing colors is like nobody else. There’s no comparison to holding a Pixel 3, for instance. The Pixel 3 is fun and photographs well, but super “cheap and cheerful” in its look and feel. Even though the XR is Apple’s mid-range iPhone, the feel is very much that of a piece of nicely crafted jewelry. It’s weighty, with a gorgeous 7-layer color process laminating the back of the rear glass, giving it a depth and sparkle that’s just unmatched in consumer electronics.

The various textures of the blasted aluminum and glass are complementary and it’s a nice melding of the iPhone 8 and iPhone X design ethos. It’s massively unfortunate that most people will be covering the color with cases, and I expect clear cases to explode in popularity when these phones start getting delivered.

It remains very curious that Apple is not shipping any first-party cases for the iPhone XR — not even the rumored clear case. I’m guessing that they just weren’t ready or that Apple was having issues with some odd quirk of clear cases like yellowing or cracking or something. But whatever it is, they’re leaving a bunch of cash on the table.

Apple’s ID does a lot of heavy lifting here, as usual. It often goes un-analyzed just how well the construction of the device works in conjunction with marketing and market placement to help customers both justify and enjoy their purchase. It transmits to the buyer that this is a piece of quality kit that has had a lot of thought put into it and makes them feel good about paying a hefty price for a chunk of silicon and glass. No one takes materials science anywhere near as seriously as Apple, and it continues to be on display here.

Should you buy it?

As I said above, it’s not that complicated of a question. I honestly wouldn’t overthink this one too much. The iPhone XR is made to serve a certain segment of customers that want the new iPhone but don’t necessarily need every new feature. It works great, has a few small compromises that probably won’t faze the kind of folks that would consider not buying the best and is really well built and executed.

“Apple’s pricing lineup is easily its strongest yet competitively,” Creative Strategies’ Ben Bajarin puts it here in a subscriber piece. “The [iPhone] XR in particular is well lined up against the competition. I spoke to a few of my carrier contacts after Apple’s iPhone launch event and they seemed to believe the XR was going to stack up well against the competition and when you look at it priced against the Google Pixel ($799) and Samsung Galaxy 9 ($719). Some of my contacts even going so far as to suggest the XR could end up being more disruptive to competitors’ portfolios than any iPhone since the 6/6 Plus launch.”

Apple wants to fill the umbrella, leaving less room than ever for competitors. By launching a phone that’s competitive in price and that carries an enormous amount of research and execution aimed at making it as close a competitor as possible to its own flagship line, Apple has set itself up for a really diverse and interesting fiscal Q4.

Whether you help Apple boost its average selling price by buying one of the maxed out XS models or you help it block another Android purchase with an iPhone XR, I think it will probably be happy having you, raw or cooked.


Amazon “seized and destroyed” 2 million counterfeit products in 2020

Photo: Amazon trailers backed into bays at a distribution center in Miami, Florida, in August 2019.

Amazon “seized and destroyed” over 2 million counterfeit products that sellers sent to Amazon warehouses in 2020 and “blocked more than 10 billion suspected bad listings before they were published in our store,” the company said in its first “Brand Protection Report.”

In 2020, “we seized and destroyed more than 2 million products sent to our fulfillment centers and that we detected as counterfeit before being sent to a customer,” Amazon’s report said. “In cases where counterfeit products are in our fulfillment centers, we separate the inventory and destroy those products so they are not resold elsewhere in the supply chain,” the report also said.

Third-party sellers can also ship products directly to consumers instead of using Amazon’s shipping system. The 2 million fakes found in Amazon fulfillment centers would only account for counterfeit products from sellers using the “Fulfilled by Amazon” service.

The counterfeit problem got worse over the past year. “Throughout the pandemic, we’ve seen increased attempts by bad actors to commit fraud and offer counterfeit products,” Amazon VP Dharmesh Mehta wrote in a blog post yesterday.

Counterfeiting is a longstanding problem on Amazon. Other problems on Amazon that harm consumers include the sale of dangerous products, fake reviews, defective third-party goods, and the passing of bribes from unscrupulous sellers to unscrupulous Amazon employees and contractors. One US appeals court ruled in 2019 that Amazon can be held responsible for defective third-party goods, but Amazon has won other similar cases. Amazon is again arguing that it should not be held liable for a defective third-party product in a case before the Texas Supreme Court that involves a severely injured toddler.

Amazon tries to reassure legit sellers

Amazon’s new report was meant to reassure legitimate sellers that their products won’t be counterfeited. While counterfeits remain a problem for unsuspecting Amazon customers, the e-commerce giant said that “fewer than 0.01 percent of all products sold on Amazon received a counterfeit complaint from customers” in 2020. Of course, people may buy and use counterfeit products without ever realizing they are fake or without reporting it to Amazon, so that percentage may not capture the extent of the problem.

Amazon’s report on counterfeits describes extensive systems and processes to determine which sellers can do business on Amazon. While Amazon has argued in court that it is not liable for what third parties sell on its platform, the company is monitoring sellers in an effort to maintain credibility with buyers and legitimate sellers.

Amazon said it “invested over $700 million and employed more than 10,000 people to protect our store from fraud and abuse” in 2020, adding:

We leverage a combination of advanced machine learning capabilities and expert human investigators to protect our store proactively from bad actors and bad products. We are constantly innovating to stay ahead of bad actors and their attempts to circumvent our controls. In 2020, we prevented over 6 million attempts to create new selling accounts, stopping bad actors before they published a single product for sale, and blocked more than 10 billion suspected bad listings before they were published in our store.

“This is an escalating battle with criminals that attempt to sell counterfeits, and the only way to permanently stop counterfeiters is to hold them accountable through litigation in the court system and through criminal prosecution,” Amazon also said. “In 2020, we established a new Counterfeit Crimes Unit to build and refer cases to law enforcement, undertake independent investigations or joint investigations with brands, and pursue civil litigation against counterfeiters.”

Amazon said it now “report[s] all confirmed counterfeiters to law enforcement agencies in Canada, China, the European Union, UK, and US.” Amazon also urged governments to “increase prosecution of counterfeiters, increase resources for law enforcement fighting counterfeiters, and incarcerate these criminals globally.”

Stricter seller-verification system

Amazon said it had a “new live video and physical address verification” system in place in 2020 in which “Amazon connects one-on-one with prospective sellers through a video chat or in person at an Amazon office to verify sellers’ identities and government-issued documentation.” Amazon said it also “verifies new and existing sellers’ addresses by sending information including a unique code to the seller’s address.”

Most new attempts to register as a seller were apparently fraudulent, as Amazon said that “only 6 percent of attempted new seller account registrations passed our robust verification processes and listed products.” Overall, Amazon “stopped over 6 million attempts to create a selling account before they were able to publish a single listing for sale” in 2020, more than double “the 2.5 million attempts we stopped in 2019,” Amazon said.

The verification process isn’t enough on its own to stop all new fraudulent sellers, so Amazon said it performs “continuous monitoring” of sellers to identify new risks. “If we identify a bad actor, we immediately close their account, withhold funds disbursement, and determine if this new information brings other related accounts into suspicion. We also determine if the case warrants civil or criminal prosecution and report the bad actor to law enforcement,” Amazon said.

Amazon monitors product detail changes for fraud

One problem we wrote about a few months ago involves “bait-and-switch reviews” in which sellers trick Amazon into displaying reviews for unrelated products to get to the top of Amazon’s search results. In one case, a $23 drone with 6,400 reviews achieved a five-star average rating only because it had thousands of reviews for honey. At some point, the product listing had changed from a food item to a tech product, but the reviews for the food product remained. After a purging of the old reviews, that same product page now lists just 348 ratings at a 3.6-star average.

Amazon is trying to prevent recurrences of this problem, saying in its new report that it scans “more than 5 billion attempted changes to product detail pages daily for signs of potential abuse.”

Amazon also provides self-service tools to companies to help them block counterfeits of their products. Amazon’s report said that 18,000 brands have enrolled in “Project Zero,” which “provides brands with unprecedented power by giving them the ability to directly remove listings from our store.” The program also has an optional product serialization feature that lets sellers put unique codes on their products or packaging.

The self-service tool only accounts for a tiny percentage of blocked listings. “For every 1 listing removed by a brand through our self-service counterfeit removal tool, our automated protections removed more than 600 listings through scaled technology and machine learning that proactively addresses potential counterfeits and stops those listings from appearing in our store,” Amazon said.


Hackers who shut down pipeline: We don’t want to cause “problems for society”

Photo: Problems with Colonial Pipeline’s distribution system tend to lead to gasoline runs and price increases across the US Southeast and Eastern seaboard. In this September 2016 photo, a man prepared to refuel his vehicle after a Colonial leak in Alabama.

On Friday, Colonial Pipeline took many of its systems offline in the wake of a ransomware attack. With systems offline to contain the threat, the company’s pipeline system is inoperative. The system delivers approximately 45 percent of the East Coast’s petroleum products, including gasoline, diesel fuel, and jet fuel.

Colonial Pipeline issued a statement Sunday saying that the US Department of Energy is leading the US federal government response to the attack. “[L]eading, third-party cybersecurity experts” engaged by Colonial Pipeline itself are also on the case. The company’s four main pipelines are still down, but it has begun restoring service to smaller lateral lines between terminals and delivery points as it determines how to safely restart its systems and restore full functionality.

Colonial Pipeline has not publicly said what was demanded of it or how the demand was made. Meanwhile, the hackers have issued a statement saying that they’re just in it for the money.

Regional emergency declaration

In response to the attacks on Colonial Pipeline, the Biden administration issued a Regional Emergency Declaration 2021-002 this Sunday. The declaration provides a temporary exemption to Parts 390 through 399 of the Federal Motor Carrier Safety Regulations, allowing alternate transportation of petroleum products via tanker truck to relieve shortages related to the attack.

The emergency declaration became effective immediately upon issuance Sunday and remains in effect until June 8 or until the emergency ends, whichever is sooner. Although the move will ease shortages somewhat, oil market analyst Gaurav Sharma told the BBC the exemption wouldn’t be anywhere near enough to replace the pipeline’s missing capacity. “Unless they sort it out by Tuesday, they’re in big trouble,” said Sharma, adding that “the first areas to hit would be Atlanta and Tennessee, then the domino effect goes up to New York.”

Russian gang DarkSide believed responsible for attack

Unnamed US government and private security sources engaged by Colonial have told CNN, The Washington Post, and Bloomberg that the Russian criminal gang DarkSide is likely responsible for the attack. DarkSide typically chooses targets in non-Russian-speaking countries but describes itself as “apolitical” on its dark web site.

Infosec analyst Dmitry Smilyanets tweeted a screenshot of a statement the group made this morning, apparently concerning the Colonial Pipeline attack:

NBC News reports that Russian cybercriminals frequently freelance for the Kremlin—but indications point to a cash grab made by the criminals themselves this time rather than a state-sponsored attack.

Dmitri Alperovitch, a co-founder of infosec company CrowdStrike, claims that direct Russian state involvement hardly matters at this point. “Whether they work for the state or not is increasingly irrelevant, given Russia’s obvious policy of harboring and tolerating cybercrime,” he said.

DarkSide “operates like a business”

Photo: This sample threat was posted to DarkSide’s dark web site in 2020, detailing attacks made on a threat management company.

London-based security firm Digital Shadows said in September that DarkSide operates like a business and described its business model as “RaaC”—meaning Ransomware-as-a-Corporation.

In terms of its actual attack methods, DarkSide doesn’t appear to be very different from smaller criminal operators. According to Digital Shadows, the group stands out due to its careful selection of targets, preparation of custom ransomware executables for each target, and quasi-corporate communication throughout the attacks.

DarkSide claims to avoid targets in medical, education, nonprofit, or governmental sectors—and claims that it only attacks “companies that can pay the requested amount” after “carefully analyz[ing] accountancy” and determining a ransom amount based on a company’s net income. Digital Shadows believes these claims largely translate to “we looked you up on ZoomInfo first.”

It seems quite possible that the group didn’t realize how much heat it would bring onto itself with the Colonial Pipeline attack. Although not a government entity itself, Colonial’s operations are crucial enough to national security to have brought down immediate Department of Energy response—which the group certainly noticed and appears to have responded to via this morning’s statement that it would “check each company that our partners want to encrypt” to avoid “social consequences” in the future.


Apple brass discussed disclosing 128-million iPhone hack, then decided not to


In September 2015, Apple managers had a dilemma on their hands: should, or should they not, notify 128 million iPhone users of what remains the worst mass iOS compromise on record? Ultimately, all evidence shows, they chose to keep quiet.

The mass hack first came to light when researchers uncovered 40 malicious App Store apps, a number that mushroomed to 4,000 as more researchers poked around. The apps contained code that made iPhones and iPads part of a botnet that stole potentially sensitive user information.

128 million infected.

An email entered into court this week in Epic Games’ lawsuit against Apple shows that, on the afternoon of September 21, 2015, Apple managers had uncovered 2,500 malicious apps that had been downloaded a total of 203 million times by 128 million users, 18 million of whom were in the US.

“Joz, Tom and Christine—due to the large number of customers potentially affected, do we want to send an email to all of them?” App Store VP Matthew Fischer wrote, referring to Apple Senior Vice President of Worldwide Marketing Greg Joswiak and Apple PR people Tom Neumayr and Christine Monaghan. The email continued:

If yes, Dale Bagwell from our Customer Experience team will be on point to manage this on our side. Note that this will pose some challenges in terms of language localizations of the email, since the downloads of these apps took place in a wide variety of App Store storefronts around the world (e.g. we wouldn’t want to send an English-language email to a customer who downloaded one or more of these apps from the Brazil App Store, where Brazilian Portuguese would be the more appropriate language).

The dog ate our disclosure

About 10 hours later, Bagwell discusses the logistics of notifying all 128 million affected users, localizing notifications to each user’s language, and “accurately includ[ing] the names of the apps for each customer.”

Alas, all appearances are that Apple never followed through on its plans. An Apple representative could point to no evidence that such an email was ever sent. Statements the representative sent on background—meaning I’m not permitted to quote them—noted that Apple instead published only this now-deleted post.

The post provides very general information about the malicious app campaign and eventually lists only the top 25 most downloaded apps. “If users have one of these apps, they should update the affected app which will fix the issue on the user’s device,” the post stated. “If the app is available on [the] App Store, it has been updated, if it isn’t available it should be updated very soon.”

Ghost of Xcode

The infections were the result of legitimate developers writing apps using a counterfeit copy of Xcode, Apple’s iOS and OS X app development tool. The repackaged tool dubbed XcodeGhost surreptitiously inserted malicious code alongside normal app functions.

From there, apps caused iPhones to report to a command and control server and provide a variety of device information, including the name of the infected app, the app-bundle identifier, network information, the device’s “identifierForVendor” details, and the device name, type, and unique identifier.

XcodeGhost billed itself as faster to download in China, compared with Xcode available from Apple. For developers to have run the counterfeit version, they would have had to click through a warning delivered by Gatekeeper, the macOS security feature that requires apps to be digitally signed by a known developer.

The lack of follow-through is disappointing. Apple has long prioritized the security of the devices it sells. It has also made privacy a centerpiece of its products. Directly notifying those affected by this lapse would have been the right thing to do. We already knew that Google routinely doesn’t notify users when they download malicious Android apps or Chrome extensions. Now we know that Apple has done the same thing.

Stopping Dr. Jekyll

The email wasn’t the only one that showed Apple brass hashing out security problems. A separate one sent to Apple Fellow Phil Schiller and others in 2013 forwarded a copy of the Ars article headlined “Seemingly benign ‘Jekyll’ app passes Apple review, then becomes ‘evil’.”

The article discussed research from computer scientists who found a way to sneak malicious programs into the App Store without being detected by the mandatory review process that’s supposed to automatically flag such apps. Schiller and the other people receiving the email wanted to figure out how to shore up Apple’s protections in light of their discovery that the static analyzer Apple used wasn’t effective against the newly discovered method.

“This static analyzer looks at API names rather than true APIs being called, so there’s often the issue of false positives,” Apple senior VP of Internet software and services Eddy Cue wrote. “The Static Analyzer enables us to catch direct accessing of Private APIs, but it completely misses apps using indirect methods of accessing these Private APIs. This is what the authors used in their Jekyll apps.”

The email went on to discuss limitations of two other Apple defenses, one known as Privacy Proxy and the other Backdoor Switch.

“We need some help in convincing other teams to implement this functionality for us,” Cue wrote. “Until then, it is more brute force, and somewhat ineffective.”

Lawsuits involving large companies often provide never-before-seen portals into the inner workings of the way they and their executives operate. Often, as is the case here, those views are at odds with the companies’ talking points. The trial resumes next week.
