Security News
Apple this week updated its Platform Security Guide to provide more details on a couple of recently announced authentication features. Apple's Platform Security Guide contains detailed technical information on the security technologies and features implemented in its products.
Latest research has demonstrated a new exploit that enables arbitrary data to be uploaded from devices that are not connected to the Internet by simply sending "Find My" Bluetooth broadcasts to nearby Apple devices. "It's possible to upload arbitrary data from non-internet-connected devices by sending Find My broadcasts to nearby Apple devices that then upload the data for you," Positive Security researcher Fabian Bräunlein said in a technical write-up disclosed last week.
Alexandra Elbakyan, the creator of controversial research trove Sci-Hub, has claimed that Apple informed her it has handed over information about her account to the FBI. Elbakyan made the allegation in a week-old tweet that went unremarked-upon for longer than you'd imagine, given that Apple and the FBI have a history of conflict over whether the bureau should be allowed to peer into Apple customers' devices. "At first I thought it was a spam and was about to delete the email, but it turned out to be about FBI requesting my data from Apple"
Apple says that more than 215,000 iOS apps were blocked by its App Store's App Review team for privacy violations in 2020, while another 150,000 were rejected because they were spamming or misleading iOS users. Ninety-five thousand additional apps were also removed from the App Store for using bait-and-switch tactics where new features and capabilities were added to fundamentally change their functionality after being approved.
The owner of the AirTag that called home can decrypt the location in the Find My message, but has no idea which relay device passed the message on. By limiting the length of the hidden message and repeating the same Bluetooth "Public keys" over and over again, Bräunlein's hope was that eventually a complete copy of all the data packets containing the hidden data might make it to Apple.
Security researchers have discovered a way to leverage Apple's Find My's Offline Finding network to upload data from devices, even those that do not have a Wi-Fi or mobile network connection. Using Bluetooth Low Energy, the data is being sent to nearby Apple devices that do connect to the Internet, and then sent to Apple's servers, from where it can be retrieved at a later date.
Apple's "Find My device" function for helping people track their iOS and macOS devices can be exploited to transfer data to and from random passing devices without using the internet, a security researcher has demonstrated. Security researcher Fabian Bräunlein with Positive Security developed a proof of concept, using a microcontroller and a custom macOS app, that can broadcast data from one device to another via Bluetooth Low Energy.
In short, it's possible to use passing Apple devices to sneak out portions of information from one place to another, such as a computer on the other side of the world, over the air without any other network connectivity. Participating devices broadcast over BLE to other nearby attentive Apple devices, which in turn relay data back over their network connection to Cupertino's servers.
In 2020, Apple removed or rejected hundreds of thousands of applications from the App Store for engaging in various forms of fraudulent behavior, including spam, mischief, and privacy violations. An additional 95,000 apps were removed for violating the App Store policies, mainly for performing bait-and-switch maneuvers, where the app functionality is fundamentally changed - usually to commit nefarious actions - after approval in the App Store.
Acquisition will extend Jamf's Zero Trust Network Access, threat defense and data policy enforcement for Apple devices. Jamf, a provider of enterprise management software for Apple devices, has signed a definitive agreement to acquire Wandera, a provider of zero trust cloud security and access for mobile devices, in a deal valued at $400 million in cash.