Pixel Envy

Written by Nick Heer.

Archive for February, 2018

Forbes: Cellebrite Can Now Unlock Recent iPhones, Including the iPhone X

Thomas Fox-Brewster, Forbes:

Cellebrite, a Petah Tikva, Israel-based vendor that’s become the U.S. government’s company of choice when it comes to unlocking mobile devices, is this month telling customers its engineers currently have the ability to get around the security of devices running iOS 11. That includes the iPhone X, a model that Forbes has learned was successfully raided for data by the Department for Homeland Security back in November 2017, most likely with Cellebrite technology.

The Israeli firm, a subsidiary of Japan’s Sun Corporation, hasn’t made any major public announcement about its new iOS capabilities. But Forbes was told by sources (who asked to remain anonymous as they weren’t authorized to talk on the matter) that in the last few months the company has developed undisclosed techniques to get into iOS 11 and is advertising them to law enforcement and private forensics folk across the globe. […]

On some level, this is extremely impressive. The iPhone is the gold standard in consumer smartphone security — possibly in smartphone security period — and they keep improving with every generation. A flaw that allows someone to bypass an iPhone’s hardware-enforced encryption is very rare indeed; that’s why some security firms will pay up to a million dollars for that kind of an exploit.

But it is deeply troubling as well. While we don’t know anything about Cellebrite’s technique for breaching an iPhone’s security — including whether their method has been patched in an iOS 11 update — it is notable that a security firm has found an exploit but is unlikely to tell Apple about it. It’s concerning that three-letter agencies are hoarding zero-days, but at least those agencies are ostensibly publicly accountable. That doesn’t make it right, but it does make it slightly easier to stomach than a for-profit company charging $1,500 a pop to law enforcement agencies worldwide — some of which are less reputable than others, mind you — and not disclosing vulnerabilities to software vendors. That is callous. It puts users worldwide at risk for their financial gain.

Update: If you are worried about the possibility of Cellebrite — or anyone else who figures out their PIN cracking methodology — breaking into your phone, Ray “Redacted” has a good tip:

If you are concerned by this then one thing you can do to mitigate it is to change your iPhone PIN from a six digit number to an alphanumeric passphrase. The Cellebrite exploit involves a brute force PIN trick that allows unlimited attempts without wiping.

Like any passphrase, it should contain a mix of lowercase and uppercase letters, numbers, and symbols. It can even be of a similar length, but a greater combination of character options means a longer cracking process.
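To put rough numbers on that tip, here is an added example (not from the quoted tip or from Forbes) that estimates the worst-case time to exhaust a passcode's search space once retry limits no longer apply. It assumes the roughly 80 ms per attempt that Apple's iOS Security Guide cites for on-device passcode key derivation; the sample passcodes are constructed.

```python
import string

# Assumption: ~80 ms per guess, the on-device key-derivation cost cited in
# Apple's iOS Security Guide. The real rate of any given tool is not public.
SECONDS_PER_GUESS = 0.08

# Character classes a passcode may draw from.
CLASSES = (
    string.digits,           # 10
    string.ascii_lowercase,  # 26
    string.ascii_uppercase,  # 26
    string.punctuation,      # 32
)


def alphabet_size(passcode):
    """Size of the smallest class-based alphabet that covers the passcode."""
    size = sum(len(chars) for chars in CLASSES
               if any(c in chars for c in passcode))
    # Characters outside the four classes (space, non-ASCII) count once each,
    # which under-estimates the alphabet and keeps the result conservative.
    extras = {c for c in passcode
              if not any(c in chars for chars in CLASSES)}
    return size + len(extras)


def keyspace(passcode):
    """Number of candidates of the same length over the same alphabet."""
    return alphabet_size(passcode) ** len(passcode)


def worst_case_seconds(passcode, seconds_per_guess=SECONDS_PER_GUESS):
    """Time to try every candidate when attempts are unlimited."""
    return keyspace(passcode) * seconds_per_guess


def humanize(seconds):
    """Render a duration in the largest unit that is at least 1."""
    units = (("years", 365.25 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for name, length in units:
        if seconds >= length:
            return f"{seconds / length:.1f} {name}"
    return f"{seconds:.1f} seconds"


def compare(passcodes):
    """Return (passcode, alphabet size, keyspace, worst-case time) rows."""
    return [(p, alphabet_size(p), keyspace(p), humanize(worst_case_seconds(p)))
            for p in passcodes]


if __name__ == "__main__":
    # Constructed samples: six digits, six lowercase+digits, six mixed.
    for row in compare(["123456", "k3tzv9", "k3T!v9"]):
        print("{:<8} alphabet={:<3} keyspace={:<16} worst case={}".format(*row))
```

Both mixed-character samples are the same length as the six-digit PIN; only the alphabet changes, which is the point of the tip.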

Update: Fox-Brewster has confirmed with Cellebrite that their method can unlock iPhones running up to iOS 11.2.6, the latest public release.

Timers, Reminders, and Alarms

Dr. Drang explored all the conceivable ways you can tell your Apple devices to notify you about something at a specific time, and it’s quite the mess. There are huge inconsistencies between devices, basic failures in Siri’s competence, and baffling shortcomings to nearly every approach.

One thing I wanted to draw attention to, though, was this observation:

The number of alerts that can be set was the starting point for the last post. People want multiple timers in their HomePods. That’s great, but Apple’s never had multiple timers in any iOS device, which is why I’ve always used reminders instead.

This is true. But, while I don’t think Drang is framing this as a rebuttal, per se, to critics who have pointed out that the HomePod supports only a single timer, I think it’s much more glaring on that device for a good reason: it’s an appliance. All smart speakers[1] are designed to be placed on a table or a desk, and many will be used in or near the kitchen. If you have two or three different dishes on the go, you may want two or three different timers, and a smart speaker seems like it should be able to provide that. It would be nice — very nice, at that — if the iPhone supported multiple timers; it’s almost an expectation for the HomePod to. And, for what it’s worth, I think the Apple Watch also ought to do that by now.


  1. Apple can emphasize the audio quality all they like, but by putting Siri in the HomePod, they opened it up to direct comparison against the Google Home and Amazon Echo.

Some iCloud Storage Infrastructure Has Been Switched From Microsoft Azure to Google Cloud

Jordan Novet, CNBC:

Apple periodically publishes new versions of a PDF called the iOS Security Guide. For years the document contained language indicating that iCloud services were relying on remote data storage systems from Amazon Web Services, as well as Microsoft’s Azure.

But in the latest version, the Microsoft Azure reference is gone, and in its place is Google Cloud Platform. Before the January update, Apple most recently updated the iOS Security Guide in March.

When news of this deal first broke nearly two years ago, I was surprised that Apple was still so dependent on third parties for iCloud storage. I understand that these things take time, but iCloud is seven years old this year, and Apple has been providing various internet services for decades.

Apple maintains that they control the encryption keys and that Google cannot possibly intercept iCloud users’ data, which is true — with the possible exception of email, since it is stored unencrypted — but I don’t think that iCloud users expect their data to be stored in ways not entirely controlled by Apple, especially given the company’s emphasis on privacy.

For Chinese Users, Apple Moves to Store iCloud Keys in China

Stephen Nellis and Cate Cadell, Reuters:

When Apple Inc begins hosting Chinese users’ iCloud accounts in a new Chinese data center at the end of this month to comply with new laws there, Chinese authorities will have far easier access to text messages, email and other data stored in the cloud.

That’s because of a change to how the company handles the cryptographic keys needed to unlock an iCloud account. Until now, such keys have always been stored in the United States, meaning that any government or law enforcement authority seeking access to a Chinese iCloud account needed to go through the U.S. legal system.

Now, according to Apple, for the first time the company will store the keys for Chinese iCloud accounts in China itself. That means Chinese authorities will no longer have to use the U.S. courts to seek information on iCloud users and can instead use their own legal system to ask Apple to hand over iCloud data for Chinese users, legal experts said.

Nothing about this is good news, but it’s very hard to see what alternatives there are in this case. They could threaten to pull out of the Chinese market unless the law is changed, but that would do more damage to Apple than it would the Chinese government, with likely little effect. Also, it’s likely that iCloud not being offered in China would motivate people there to switch to a less secure alternative.

It’s difficult to reconcile this forced hand with Apple’s overall commitment to user privacy:

In a statement, Apple said it had to comply with recently introduced Chinese laws that require cloud services offered to Chinese citizens be operated by Chinese companies and that the data be stored in China. It said that while the company’s values don’t change in different parts of the world, it is subject to each country’s laws.

I’ve written several times previously about my discomfort with a handful of predominantly Californian companies controlling the flow and storage of much of the world’s data. For Chinese citizens, though, it was potentially beneficial to have the American legal system as a barrier for information requests.

See Also: Apple’s iCloud security overview, which appears to be the same in China, but also hasn’t been updated in about six months.

On the ‘Marketplace of Ideas’

Paris Martineau, the Outline:

Years of outbursts from hate group after hate group have forced these companies to realize that the laissez-faire attitude they’ve leaned on for so long doesn’t actually work, but rather, makes the entire thing rot from the inside. But the fact that platforms won’t fully commit to managing the content that people spew on these platforms leaves a vacuum of confusion and hypotheticals, which generally (like all things nowadays) lead to conspiracies and misinformation.

In all this time, no company has actually tried totally depriving bad ideas of oxygen. Trust me, this is a sentence I never thought I’d say, but in times like these, Twitter (and the tech world as a whole, really) could learn a thing or two from Medium.

Part of the reason that the marketplace of ideas often fails to return more intelligent and ethically cognizant discussions is because it is subsidizing sensationalism.

I also think one aspect of Twitter’s hesitance to ban nazis and other contemptible parties that is often ignored is that this is, in part, a side effect of the company being based in the United States, and run by ambassadors for that country’s extraordinarily permissive free speech laws. I recognize that I’m treading between broken glass here with some of my American readers, in particular, but it’s worth recognizing that unrestricted speech in all its forms is a uniquely American concept. Other developed nations also have a marketplace of ideas, but with restrictions — as in the marketplace of goods and services.

Something that is perhaps most notable about social platforms like Twitter is how they have packaged and exported the First Amendment. But the weird thing is that they don’t have to do that: they’re a private company, and they can make their own rules as they see fit. Martineau’s piece is a wise argument in favour of this.

The cynical part of me thinks that Twitter’s staunch adherence to and promotion of extremely permissive free speech is not a conscious philosophy, but simply a convenient way to avoid having to invest in moderating it.

Happy ‘International Blog Remembrance Day’, a New, Made-Up Holiday

Jason Koebler, Vice:

The general decline of the blog—not the news blog, but the BLOG BLOG—is a bummer. No offense to the many cool and worthwhile bloggers still posting to WordPress, Tumblr, XANGA(?), and good ol’-fashioned websites, but for the most part, the best blogs of our generation are being wasted in tweetstorms, Facebook rants, and reddit comments. I am not just making this up: There are entire conferences dedicated to preserving Web 1.0, back before our computers had become Facebook and Twitter machines.

On a related note, Laura Hazard Owen interviewed Jason Kottke for Nieman Lab:

[…] The way I’ve been thinking about it lately is that I am like a vaudevillian. I’m the last guy dancing on the stage, by myself, and everyone else has moved on to movies and television. The Awl and The Hairpin have folded. Gawker’s gone, though it would probably still be around if it hadn’t gotten sued out of existence.

On the other hand, blogging is kind of everywhere. Everyone who’s updating their Facebook pages and tweeting and posting on Instagram and Pinterest is performing a bloggish act.

Unlike a blog, though, the format of these posts often cannot be controlled by the author, and the author often doesn’t actually own what they’ve just published. The loss of the importance of actual blogs is a real sucker punch for the web.

The FCC’s Order Gutting Net Neutrality Is Now Official

Devin Coldewey, TechCrunch:

The FCC’s “Restoring Internet Freedom” order, which vastly curtails the agency’s 2015 net neutrality rules, has officially taken effect by being entered into the Federal Register.

The order, published Thursday morning, may sound like the end of the line, but in fact this is the green light for everyone in the country, from citizens to attorney generals to governors and senators, to begin the official battle against the FCC’s ill-advised, technically backwards, and deeply unpopular rule.

Today also marks the first day that ISPs can legally discriminate against or promote any data they transmit as they wish. The day after the FCC voted to dismantle net neutrality legislation, Ajit Pai made an appearance on Fox & Friends to defend the decision he led:

John Bowden, the Hill:

Federal Communications Commission (FCC) Chairman Ajit Pai said Friday that supporters of net neutrality provisions that were repealed Thursday have been proven wrong, as internet users wake up still able to send emails and use Twitter after the regulations were struck down.

Of course, Pai isn’t stupid, and he knows that this is a completely disingenuous defence. For one thing, it will take sixty days after the repeal is published in the Federal Registry for it to take effect.

I should have written “for it to take permanent effect”.

So, now that Pai and the other Republicans on the FCC have killed net neutrality in the United States, what are companies doing on what is supposedly the first day they can invest more in their infrastructure and give consumers a better deal, as Pai repeatedly claimed?

Jacob Kastrenakes, the Verge:

AT&T has expanded its “sponsored data” program to cover customers on its prepaid wireless plans, offering them the ability to stream content from select partners without counting toward their data cap. The program was previously available to postpaid customers, but it now seems to apply to most AT&T wireless users.

[…]

Not coincidentally, the only three services I could find that support AT&T’s sponsored data are owned by AT&T: DirecTV, U-verse, and Fullscreen, all video services. If you’re an AT&T wireless customer deciding between DirecTV Now and a competitor, like Hulu or Sling TV, this program gives the AT&T-owned service a huge advantage.

What a surprise.

‘Trending’ on Social Media Is Worthless

Brian Feldman, New York magazine:

This is the other problem of “trending,” conceptually: It’s eminently gameable, but the platforms that use the term never make the rules clear. “Trending” is given the imprimatur of authority — videos or topics handed down from on high, scientifically determined to have trended — when really it’s a cobbled-together list of content being obsessively shared or tweeted about by people who love Justin Bieber. Or Logan Paul. Or who believe in crisis actors.

I increasingly believe that the code that drives social networks is built largely on an assumption of good user intentions. Yes, there are rudimentary tools to block users or report an offending post, but a lot of what makes these services so popular is that they assume that whatever you’re doing is probably okay. And there is nothing wrong with that, provided these services also aren’t: a) massively influential, and b) capable of having this philosophy exploited by bad-faith trolls, bots, and other bad actors. I don’t necessarily think that this is a naïve way to build a platform; I really do think that people are generally good, but it’s asking a lot for the handful of people who run these platforms to solve for integrity. Difficult as it may be, it’s necessary.

Bloomberg: Apple Is Negotiating the Purchase of Cobalt Directly From Miners

Jack Farchy and Mark Gurman, Bloomberg:

Apple Inc. is in talks to buy long-term supplies of cobalt directly from miners for the first time, according to people familiar with the matter, seeking to ensure it will have enough of the key battery ingredient amid industry fears of a shortage driven by the electric vehicle boom. 

The iPhone maker is one of the world’s largest end users of cobalt for the batteries in its gadgets, but until now it has left the business of buying the metal to the companies that make its batteries.

Normally, this is the kind of supply chain rumour that would put me to sleep halfway through reading the headline, but there’s a good reason why I’m sharing this.

You may remember a report from a couple of years ago about persistent child and illegal labour in the cobalt mining industry. After the Washington Post ran that story, Apple began treating cobalt similarly to the way they treat conflict minerals like tin and gold. By buying directly from the miners, Apple now has the opportunity to transparently verify the source of the cobalt they use.

Your ‘Lite’ App Should Be Your Only App

K.Q. Dreger, on the recent wave of so-called “lite” variants of increasingly-bloated apps:

What part of being fast, data conscious, and reliable is exclusive to old devices or those on poor networks? Why does Twitter Lite feel more like Twitter than anything the company’s done with their main website or app over the past few years? Are Facebook, Twitter, and Google truly so married to ads, analytics, and A/B testing frameworks that their only shot at making a reasonably sized, fast app is to start fresh? Will these lite variants actually stay that way, or will the bloat slowly creep back in?

I get the allure of building apps and operating systems that take advantage of the latest and greatest hardware, or to try to build up the app’s experience with more stuff. But maybe — just maybe — if a company feels like they need to release a “lite” version of their app to tidily deliver what they consider its core experience, maybe that app has become way too bloated.

‘Loading Accessories and Scenes’

From an Apple support document about troubleshooting HomePod setup problems:

Open the Home app on your iOS device and check that you see your accessories and scenes. If you see a message that says loading accessories and scenes, wait for the Home app to finish loading. If the Home app stays in a loading state for 30 minutes or longer, you should see an option to erase and reset the Home app.

First of all, I think the timeout for triggering this debugging mode for HomeKit accessories should be much shorter than thirty minutes.

But, as someone impacted by this problem since the developer betas of iOS 10, I kept my iPhone awake and running the Home app for half an hour. Twice. Both times, I did not see any option appear that would allow me to reset the Home app, its settings, or anything in iCloud. I also cannot find any additional options in Settings to reset any data.

Trusting Third Party Code

Felix Krause:

Third-party SDKs can often easily be modified while you download them! Using a simple person-in-the-middle attack, anyone in the same network can insert malicious code into the library, and with that into your application, as a result running in your user’s pockets.

31% of the most popular closed-source iOS SDKs are vulnerable to this attack, as well as a total of 623 libraries on CocoaPods. As part of this research I notified the affected parties, and submitted patches to CocoaPods to warn developers and SDK providers.

Last week, news broke that a third-party screen reading script often used by government and public websites was surreptitiously mining a cryptocurrency. A couple of years ago, a programmer pulled several of his scripts from a JavaScript registry; several applications that were dependent on one of these packages, in particular, subsequently failed to compile.

Even this very website has been susceptible to failures in third-party code, albeit on a minor scale: most ads are loaded from Carbon’s CDN; but, occasionally, they have served ad images from those advertisers’ servers. You may have seen the result of this when the ad image is blank, owing to the content security policy I’ve implemented here.

In response to the cryptocurrency mining screen reading script revealed last week, I wrote that we ought to treat third-party code as though it will, at some point, be carrying malware. I feel like that might be too generous. It is not realistic to tell developers to stop using third-party code, but they should not trust it.
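One way to act on that distrust for the SDK-download case Krause describes, as an added example (not Krause's code or CocoaPods' own): flag podspec `source` entries that are fetched over a plaintext transport, and refuse a downloaded archive that does not match a checksum pinned in the spec. The pod names, URLs and archive bytes are constructed; `http`, `git`, `svn`, `hg`, `sha256` and `sha1` are podspec source keys.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Transports that give an on-path attacker the chance to swap the payload.
PLAINTEXT_SCHEMES = {"http", "git", "ftp", "svn"}


def audit_source(spec):
    """Return a list of findings for one podspec's `source` entry."""
    source = spec.get("source", {})
    findings = []
    for key in ("http", "git", "svn", "hg"):
        url = source.get(key)
        if url and urlparse(url).scheme in PLAINTEXT_SCHEMES:
            findings.append(f"plaintext-transport: {key} source {url}")
    # An archive download with no pinned digest cannot be integrity-checked,
    # whatever transport it used.
    if "http" in source and not (source.get("sha256") or source.get("sha1")):
        findings.append("unpinned-archive: no sha256/sha1 for the download")
    return findings


def audit_all(specs):
    """Map each pod name to its findings (empty list means nothing flagged)."""
    return {spec["name"]: audit_source(spec) for spec in specs}


def verify_archive(data, source):
    """True only if the downloaded bytes match the digest pinned in the spec."""
    for algo in ("sha256", "sha1"):  # prefer the stronger digest when present
        pinned = source.get(algo)
        if pinned:
            actual = hashlib.new(algo, data).hexdigest()
            return hmac.compare_digest(actual, pinned.lower())
    return False  # nothing pinned: integrity cannot be established


# --- Constructed sample data (hypothetical pods, example.com URLs) ----------
GOOD_ARCHIVE = b"constructed stand-in for a vendor SDK zip"
TAMPERED_ARCHIVE = GOOD_ARCHIVE + b" plus injected code"

SAMPLE_PODSPECS = [
    {"name": "ExampleAnalytics",
     "source": {"http": "http://sdk.example.com/analytics-2.1.zip"}},
    {"name": "ExampleMaps",
     "source": {"http": "https://sdk.example.com/maps-4.0.zip",
                "sha256": hashlib.sha256(GOOD_ARCHIVE).hexdigest()}},
    {"name": "ExampleLegacy",
     "source": {"git": "git://code.example.com/legacy.git", "tag": "1.0.3"}},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_PODSPECS).items():
        print(name, "OK" if not findings else findings)
    maps = SAMPLE_PODSPECS[1]["source"]
    print("intact archive accepted:", verify_archive(GOOD_ARCHIVE, maps))
    print("modified archive accepted:", verify_archive(TAMPERED_ARCHIVE, maps))
```

The pin only helps if the spec carrying it arrives over an authenticated channel; a checksum published on the same plaintext page as the download can be rewritten along with it.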

Ad Filtering in Google Chrome

Dare Obasanjo (via Michael Tsai):

Chrome starts blocking ads unless they meet its rules. This is driving publishers to switch to “compliant” ad networks.

Would love to see stats on how many such publishers move to Google’s ad network. The strong arming is so blatant.

Google’s ad network is the most popular in the world; Chrome is the most widely-used web browser.

Every so often, I get emails from readers implying that I’m treating Google’s attempts at creating silos or lock-in differently from Apple’s. I am, and there’s a very good reason for that: Google is using the web, an open platform, to strong-arm competitors and entangle users in their products. They are treating the web as though it were their private domain. We ought to reject these attempts.

AMP for Email Is a Terrible Idea

Devin Coldewey, TechCrunch:

The excuse that the mobile web isn’t fast enough is threadbare, and the solution of a special Google-designed sub-web transparently self-serving. It’s like someone who sells bottled water telling you your tap runs too slow.

AMP for email is just an extension of that principle. People leave Gmail all the time to go to airline webpages, online shops, social media, and other places. Places that have created their own user environments, with their own analytics, their own processes that may or may not be beneficial or even visible to Google. Can’t have that!

But if these everyday tasks take place inside Gmail, Google exerts control over the intimate details, defining what other companies can and can’t do inside the email system — rather than using the natural limitations of email, which I hasten to reiterate are a feature, not a bug.

If AMP is, indeed, a new thing for the open web — as Google has framed it — then it should be entirely separated from Google’s control and submitted to standards bodies for a more democratic development process. I have zero expectations of them doing so.

Chartbeat: Google AMP Traffic Has Doubled Since January 2017

Sara Fischer, Axios:

According to new data from Chartbeat, the vast majority of traffic growth publishers are seeing from platforms is now coming from Google AMP (Accelerated Mobile Pages) — or fast-loading mobile article pages on Google Search and Google News.

[…]

According to the data, mobile is driving almost all traffic growth for publishers from platforms, and has been since at least early 2017. And traffic to publishers using AMP specifically is up 100% since 2017.

Traffic to publishers from non-AMP Google referrals is nearly 65% less than traffic from AMP Google referrals. Google is digging even deeper into this proprietary format. That’s not good for the future of the web, nor is it good for the future of publishing. We’ve seen how news organizations too dependent on Facebook can see their traffic tank after an adjustment to the way News Feed works. Publishers should not tie their success to that of AMP, nor Google’s bias towards it.

Good vs. Better at Bad

Joe Cieplinski:

I say this with no small amount of respect for how hard this technology is and how far it has come recently. I’m as excited as the next geek when it comes to the future of AI and voice recognition. I think it’s all super cool.

But it’s not good. Not for most people. It’s barely past the point of being a parlor trick, if we’re being honest. Answering trivia questions? Turning on the lights? There’s a reason even early adopters generally resort to using these devices for a small set of simple tasks. That’s about all they can do reliably.

This is a fair point in the battle between virtual assistant technologies. We’re a long way from being able to treat them as actual assistants, rather than voice-based ways to add items to a list of reminders.

But I maintain that, even if Amazon and Google aren’t that much closer to a fully assistive software or hardware product, the ways in which Siri frequently fails are unacceptable. It does not maintain context; it is often disobedient, inexplicable, and incompetent. This stuff is hard, absolutely, but it also fails far too often — and inconsistently — at things that ought to be entirely trivial.

Uber Lost $4.5 Billion in 2017

Eric Newcomer, Bloomberg:

Adjusted net revenue last quarter increased 61 percent to $2.22 billion from the same period in 2016. Meanwhile, the total value of fares grew to $11 billion that quarter. It was the first full quarter under Dara Khosrowshahi, who took over the troubled business in September.

Despite a turbulent year for the ride-hailing company, sales were $7.5 billion. But the company also posted a substantial loss of $4.5 billion. There are few historical precedents for the scale of its loss.

In 2016, Pixel Envy earned $3 billion more than Uber, and I’m thrilled to report that the delta between me and Uber for 2017 was 50% greater.

A reminder that no taxi company could survive losses like those Uber has been posting; also, that the reason a fare with an Uber driver is cheaper is because it’s subsidized at below-market rates by venture capital firms; and that, despite some benefits for gig economy workers in the new tax code, Uber is among many gig-type companies that do not provide health coverage for their American drivers.

Under the Guise of Security, Facebook is Promoting Their VPN in Their iOS App

Sarah Perez, TechCrunch:

Marketing Onavo within Facebook itself could lead to a boost in users for the VPN app, which promises to warn users of malicious websites and keep information secure – like bank account and credit card numbers – as you browse. But Facebook didn’t buy Onavo for its security protections.

Instead, Onavo’s VPN allows Facebook to monitor user activity across apps, giving Facebook a big advantage in terms of spotting new trends across the larger mobile ecosystem. For example, Facebook gets an early heads up about apps that are becoming breakout hits; it can tell which are seeing slowing user growth; it sees which apps’ new features appear to be resonating with their users, and much more.

This data has already helped Facebook in a number of ways, most notably in its battle with Snapchat. As The WSJ reported last August, Facebook could tell that Instagram’s launch of Stories – a Snapchat-like feature – was working to slow Snapchat’s user growth, before the company itself even publicly disclosed this fact.

Think about that: Facebook has one of the largest platforms in the world, and is using that influence to promote a service that they control to spot and preemptively eliminate potential competitors. The reason they’re able to do all of these things is because of their size and dominance.

I understand the reluctance by many regulators and industry observers to say that Facebook ought to be broken up into smaller, unaffiliated companies, but I’m struggling to see many other ways to keep the company’s influence in check. Largely ignoring it, as has been done so far, is bad for competition. Even if you ignore potential anticompetitive issues, there’s still a question of whether users of Facebook’s VPN are adequately aware of how the company accesses and uses their data.

Google Announces AMP For Email Spec

Gmail engineer Raymond Wainman:

You may have heard of the open-source framework, Accelerated Mobile Pages (AMP). It’s a framework for developers to create faster-loading mobile content on the web. Beyond simply loading pages faster, AMP now supports building a wide range of rich pages for the web. Today, we’re announcing AMP for Email so that emails can be formatted and sent as AMP documents. As a part of this, we’re also kicking off the Gmail Developer Preview of AMP for Email — so once you’ve built your emails, you’ll be able to test them in Gmail.

Not content with bifurcating the web with the introduction of a proprietary HTML-like webpage format, Google is now trying to split email clients into Gmail and everybody else. Gmail is already an email-like product and has some of the worst CSS support of mainstream email clients.

Of course, there’s a good chance the advanced capabilities of this format won’t catch on because email clients are already pretty fragmented as things stand today. It’s an area of the web where the lowest common denominators — HTML tables and old-school tags like <font> — are used with disturbing regularity, simply because it’s the only markup that works well in all clients. It’s frustrating enough to build emails as things are; I imagine many developers will reject this because it adds yet another layer of complexity to their workflow that may not be used by a large number of recipients.

Developers shouldn’t reject this on those grounds alone, however. Google’s increasing demands to bend open formats with proprietary variations are a fantastic reason to avoid AMP in email messages.

Apple Reportedly Focusing Less on Monolithic Annual iOS Updates

Mark Gurman, Bloomberg:

Apple’s annual software upgrade this fall will offer users plenty of new features: enabling a single set of apps to work across iPhones, iPads and Macs, a Digital Health tool to show parents how much time their children have been staring at their screen and improvements to Animojis, those cartoon characters controlled by the iPhone X’s facial recognition sensor.

But just as important this year will be what Apple doesn’t introduce: redesigned home screens for the iPhone, iPad and CarPlay, and a revamped Photos app that can suggest which images to view.

These features were delayed after Apple Inc. concluded it needed its own major upgrade in the way the company develops and introduces new products. Instead of keeping engineers on a relentless annual schedule and cramming features into a single update, Apple will start focusing on the next two years of updates for its iPhone and iPad operating system, according to people familiar with the change. The company will continue to update its software annually, but internally engineers will have more discretion to push back features that aren’t as polished to the following year. 

The biggest news here is that Apple is reportedly adjusting their internal processes to try to reduce the demands of an annual update. But I’m not sure how much will change externally because this sounds a lot like the way they presently release iOS updates: still a focus on new features in the autumn, with some features debuting later in that major version’s release cycle. Apple Pay Cash, for instance, was announced at WWDC in June with the implication that it would be released with iOS 11.0, but it wasn’t launched until November with iOS 11.2.

If the changes are as modest as this report makes them out to be, how much of an improvement can we realistically expect in software quality?