Third party keyboard in iOS 8 key logging?

Gabe Weatherhead wrote about his concerns about iOS 8 key logging.

This is what I found (quoted from the documentation):

  • All capabilities of a nonnetworked custom keyboard
  • Keyboard can access Location Services and Address Book, with user permission
  • Keyboard and containing app can employ a shared container
  • Keyboard can send keystrokes and other input events for server-side processing
  • Containing app can provide editing interface for keyboard’s custom autocorrect lexicon
  • Via containing app, keyboard can employ iCloud to ensure settings and autocorrect lexicon are up to date on all devices
  • Via containing app, keyboard can participate in Game Center and In-App Purchase
  • If keyboard supports mobile device management (MDM), it can work with managed apps

My interpretation of the documentation is that a keyboard extension can enable network access if it is for the purpose of improving the application. What improvements warrant this is up to the app developer.

It is a concern I share as well. Why would a keyboard need to send keystrokes?
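An added example, not from the quoted documentation or the original post: a keyboard extension asks for the network-enabled mode listed above by setting the `RequestsOpenAccess` attribute in its `Info.plist`, so a reviewer can check which keyboards inside an app archive request it. The archive and the bundle identifiers below are constructed for illustration.

```python
import io
import plistlib
import re
import zipfile

KEYBOARD_POINT = "com.apple.keyboard-service"  # extension point of custom keyboards
APPEX_PLIST = re.compile(r"^Payload/[^/]+\.app/PlugIns/[^/]+\.appex/Info\.plist$")

def classify(info):
    """Return 'open-access', 'sandboxed' or None (not a keyboard) for one parsed plist."""
    ext = info.get("NSExtension") or {}
    if ext.get("NSExtensionPointIdentifier") != KEYBOARD_POINT:
        return None
    attrs = ext.get("NSExtensionAttributes") or {}
    # An absent key means false: no network access and no shared container.
    return "open-access" if attrs.get("RequestsOpenAccess") is True else "sandboxed"

def audit_ipa(ipa):
    """Map each keyboard extension's bundle id to its verdict; ipa is a path or file object."""
    verdicts = {}
    with zipfile.ZipFile(ipa) as z:
        for name in z.namelist():
            if not APPEX_PLIST.match(name):
                continue
            info = plistlib.loads(z.read(name))  # handles XML and binary plists
            verdict = classify(info)
            if verdict:
                verdicts[info.get("CFBundleIdentifier", name)] = verdict
    return verdicts

def sample_ipa():
    """Constructed archive with hypothetical bundle ids, for demonstration only."""
    def appex(bundle_id, point, attrs):
        return plistlib.dumps({
            "CFBundleIdentifier": bundle_id,
            "NSExtension": {"NSExtensionPointIdentifier": point,
                            "NSExtensionAttributes": attrs},
        })
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        base = "Payload/Example.app/PlugIns/"
        z.writestr(base + "Net.appex/Info.plist",
                   appex("com.example.kb.net", KEYBOARD_POINT, {"RequestsOpenAccess": True}))
        z.writestr(base + "Local.appex/Info.plist",
                   appex("com.example.kb.local", KEYBOARD_POINT, {}))
        z.writestr(base + "Share.appex/Info.plist",
                   appex("com.example.share", "com.apple.share-services", {}))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for bundle_id, verdict in sorted(audit_ipa(sample_ipa()).items()):
        print(bundle_id, verdict)
```
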

Google’s Doubleclick ad servers exposed millions to malware

The Verge reported on Google’s Doubleclick serving malware.

The first impressions came in late August, and by now millions of computers have likely been exposed to Zemot, although only those with outdated antivirus protection were actually infected.

That means that millions of computers are on outdated antivirus.

And using an ad-blocker proves to be more effective than having an antivirus.

Need help moving from Android phone to iPhone?

Apple has provided a detailed guide for people who wish to move from an Android phone to an iPhone.

Why didn’t any other company think of this?

Apple says iOS 8 update keeps data private, even from the police

NYT Bits reported on iOS 8 privacy data.

“Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data,” the company said on the new webpage. “So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

“Our business model is very straightforward: We sell great products,” he said. “We don’t build a profile based on your email content or web browsing habits to sell to advertisers.”

Other tech companies need to take note.

Ways to think about watches

Benedict Evans shared his thoughts on ways to think about watches.

In fact, one could argue that the closest precedent for puzzlement is the mobile phone itself. If you tell the young people of today this they won’t believe you, but in the mid 1990s most people thought that mobile phones were an expensive niche product without mass-market potential. We already had phones, and pay phones, so why would you need this other thing? Mobile operators around the world (the disruptive innovators of the day) had to run advertising campaigns suggesting reasons why having a mobile phone might be useful. Price was obviously one reason this was hard to imagine, but there were more basic factors. Simple behaviors we take for granted today were different. People made plans to meet their friends before going out in the evening, for example. We managed without mobile phones, and had to be persuaded into them.

It seems to me that there are two kinds of puzzle around a new… thing. One is that you already have a thing that does this. For tablets this was the PC (and the smartphone) and for the iPod it was the Walkman – for the iPod the advantage of the new thing seems obvious now, but people took some persuading even at the time, and for tablets the scope of replacement remains unclear. But for another kind of new product, you don’t already have a thing that does this because there is no ’this’, and it’s not clear what ’this’ might be. A mobile phone is not a landline that doesn’t have a wire – it changes large parts of how you can live your life, so much so that it was not obvious in 1995 what would change. So too a smart watch. Yes, it tells the time, but what else?

We had discmans and walkmans, why would anyone want a portable MP3 player? We had mobile phones that came with keypads, why would anyone want a smartphone with a touchscreen? We have netbooks and laptops, why would anyone want a tablet?

Apple Watch – the smart watch for everyone

Ben Thompson shared more of his thoughts on the Apple Watch.

This makes the Pebble sound a lot like a smartphone circa 2006. The thing is, though, the iPhone was never targeted at 2006-era smartphone users: it was targeted at everyone, and that meant it had to destroy our expectations of what a smartphone was in order to build a new one that happened to look exactly like an iPhone. Similarly, to be the sort of tentpole product Cook promised the Watch would be it must target more than current watch wearers: it must be a product so good that non watch-wearers will put something on their wrists, put up with nightly charging, spend hundreds or thousands of dollars every few years, and all the other sorts of behavior that no one thought any rational phone buyer would tolerate just eight years ago. In other words, it must swing for the fences, just like Apple seems to have done.

This brings a sense of déjà vu for some of us tech watchers. I’m reminded of how the iPod, the iPhone and the iPad were ridiculed by people who did not see their potential when they were announced.

Android Browser flaw a “privacy disaster” for half of Android users

Ars Technica reported on an Android Browser flaw bringing a “privacy disaster” for half of Android users.

Baloch initially reported the bug to Google, but the company told him that it couldn’t reproduce the problem and closed his report. Since he wrote his blog post, a Metasploit module has been developed to enable the popular security testing framework to detect the problem, and Metasploit developers have branded the problem a “privacy disaster.” Baloch says that Google has subsequently changed its response, agreeing that it can reproduce the problem and saying that it is working on a suitable fix.

Removing the free U2 album from Apple

One of the last things that Apple did during the iPhone 6 and iWatch event was give away a free U2 album to every iTunes user out there – whether you wanted it or not. Depending on which side of the fence you’re on, you’re probably overjoyed at the freebie, or appalled that Apple can just push a music album into your device. If you fall into the latter category, you’ll be happy to know that Apple has put up a link to remove the album from your iTunes library. This should put an end to the complaining. It won’t. But it should.

Tim Cook on Charlie Rose

You may have previously caught snippets of Tim Cook on Charlie Rose, but now the whole interview is available on Hulu, and it’s a good watch.

Significance of iCloud

John Gruber wrote an excellent piece on the importance and impact of iCloud.

David Auerbach on Slate suggested that we should not trust iCloud with our data:

Whether or not this particular vulnerability was used to gather some of the photos — Apple is not commenting, as usual, but the ubiquity and popularity of Apple’s products certainly point to the iCloud of being a likely source — its existence is reason enough for users to be deeply upset at their beloved company for not taking security seriously enough. Here are five reasons why you should not trust Apple with your nude photos or, really, with any of your data.

Gruber pointed out Auerbach’s flawed argument:

Over the years I’ve received numerous emails from past and former Genius Bar support staff, telling similar stories of heartbreak. Customer comes in, their iPhone completely broken, or lost, or stolen, and they had precious photos and videos on it. The birth of a child. The last vacation they ever took with a beloved spouse who has since passed away. Did they ever back up their iPhone to a Mac or PC with iTunes? No. In many cases they don’t even know what “iTunes on a PC” even means. Or maybe they connected the iPhone to iTunes once, the day they bought it and needed to activate it, and then never again.

This happened to thousands of people. It’s why Apple made cloud-based backups one of the fundamental pillars of iCloud. It still happens, today, to people who haven’t signed up for iCloud and enabled iCloud backups. It’s heartbreaking in most cases, and downright devastating in some. I’ve heard from Genius Bar staffers who eventually left the job because of the stress of dealing with customers suffering data loss. Once it is determined that the photos and videos are irretrievable from the device and have never been backed up, the job of the Genius staffer turns from technician to grief counselor. Bereavement is not too strong a word.

I know of many friends and relatives who lost their data simply because they never backed up any of the data. Contacts, photos, videos. All gone. And this is not just on iPhones. There are Android and Windows Phone users too. It is not a lack of backup capability in their phones. Rather, it is a lack of awareness of the benefits of backing up and pure laziness. Even when automatic backup has become a standard smartphone feature, many people still do not make use of it. You simply need to enable the function instead of having to manually connect your phone to your computer to back it up.

This brings us to the dilemma on hand:

This is, like almost everything in tech, a trade-off:

  • Your data is far safer from irretrievable loss if it is synced/backed up, regularly, to a cloud-based service.
  • Your data is more at risk of being stolen if it is synced/backed up, regularly, to a cloud-based service.

As a pharmacist by profession, it is a situation I encounter daily:

  • Your condition or symptoms are improved or treated if you take a medication.
  • You are more at risk of developing an adverse drug reaction if you take the medication.

So what do we do? We weigh the benefits and risks. If the benefits outweigh the risks involved, then it makes sense to administer the medication. The same goes for the dilemma of a cloud-based backup. Having a backup to restore your device in the event you lose your phone data is an insurance that can have broad-ranging impact. Let’s consider a photographer who shoots solely on his phone and travels around the world to shoot material for a photobook. Just as he is about to finish the trip, he loses his phone. If he backed up his phone daily, he would only have lost photos he shot on the day he lost his phone. Would he be worrying about the risk of his phone being stolen or would it be more important for him to be able to back up his data?

Gruber comes to a similar conclusion:

Further, I would wager heavily that there are thousands and thousands more people who have been traumatized by irretrievable data loss (who would have been saved if they’d had cloud-based backups) than those who have been victimized by having their cloud-based accounts hijacked (who would have been saved if they had only stored their data locally on their devices).

Likewise, I believe there are more people who have found long-lost friends on Facebook, or met new friends they would never have without Facebook, than those whose Facebook accounts have been hacked. There are several precautions that you can take to protect your Facebook accounts, such as enabling 2FA, using strong passwords, not reusing passwords, and being careful with who you add and what you share. However, it is generally those who are tech savvy that would be familiar and comfortable with these. A look at the worst passwords gives you an idea of most people’s attitudes towards digital security.

It is wrong and irresponsible to suggest that people should not back up their data. The reaction to the possible iCloud breach should be one that generates awareness of how hackers can use social engineering to guess login details, and to encourage good practices to minimise the risk of being hacked.