Security News
Now an app developer called Mysk has discovered pasteboard's dark side - malicious apps could exploit it to work out a user's location even when that user has locked down app location sharing. In the simplest scenario, an iPhone user would take a photo and copy it between apps using the pasteboard, from which a malicious app could extract the location metadata and compare it with timestamps to determine whether the photo was current or taken in the past.
The United States Supreme Court has kicked out Apple's attempt to overturn a judgement in one of the cases in its 10-year patent fight with VirnetX. The Supremes rejected Apple's petition for a judicial review in a bid to overrule the 2016 decision of a lower court, which awarded VirnetX $302m, a sum that later rose to $439.8m in damages, fees and interest, for Apple's use of its patents. Apple had argued earlier this month that the "Federal Circuit has created a gaping loophole that facilitates massive damages in patent cases where the damages claims are based on prior licenses" - in essence saying that VirnetX had overvalued the inventions to the court.
Any cut-and-paste data temporarily stored to an iPhone or iPad's memory can be accessed by all apps installed on the specific device - even malicious ones. To illustrate his concerns, Mysk created a rogue proof-of-concept app called KlipboardSpy and an iOS widget named KlipSpyWidget.
That browser makers were voted down might explain why Apple has decided to enforce the change unilaterally, apparently against the wishes of the Certificate Authorities which issue certificates as a business. The browser makers are adamant that reducing validity is good for security because it reduces the time period in which compromised or bogus certificates can be exploited.
Safari will, later this year, no longer accept new HTTPS certificates that expire more than 13 months from their creation date. The aim of the move is to improve website security by making sure devs use certs with the latest cryptographic standards, and to reduce the number of old, neglected certificates that could potentially be stolen and re-used for phishing and drive-by malware attacks.
A malicious email campaign aimed at iPhone owners is making the rounds this week, using a bouquet of different themes to scam victims, just in time for Valentine's Day - including a fake dating app. Once the email body is clicked, the victim is taken on "a seemingly endless redirect loop," until neuropathy is left far behind, and the victim lands on what purports to be a dating app for Apple's iPhone.
Apple has joined the FIDO Alliance, an organization that aims to help reduce the use of passwords by providing free and open authentication standards. Nok Nok Labs, inventor of the FIDO specifications and a founding member of the FIDO Alliance, announced on Wednesday that Apple has not only become a member, but that it has also taken a leadership role as a board member.
Malicious software targeting users of Apple Macs has leapt over the last year, the security outfit said in its latest State of Malware report. Describing this as an "exponential" increase, the firm said that detections of nasties targeted against innocent Apple fanbois were up 400 per cent year-on-year, while adding the caveat that its Mac userbase had also grown a bit.
The X-Force Threat Intelligence Index 2020 found that hackers are targeting manufacturing plants, making banking trojans more sophisticated, and spoofing tech brands to make phishing schemes successful. IBM Security releases the IBM X-Force Threat Intelligence Index annually, summarizing the most prominent threats identified by research teams.
Last month, engineers at Google published a very curious privacy bug in Apple's Safari web browser. Apple's Intelligent Tracking Prevention, a feature designed to reduce user tracking, has vulnerabilities that themselves allow user tracking.