Tag Archives: iTunes

How Long Was the iPhone Location Vulnerability Known?

I’m very intrigued by the Guardian’s piece iPhone keeps record of everywhere you go | Technology | guardian.co.uk but I’m wondering how new this information is, and whether other less transparent folk have already been using this gaping hole. Charles Arthur writes:

Security researchers have discovered that Apple’s iPhone keeps track of where you go – and saves every detail of it to a secret file on the device which is then copied to the owner’s computer when the two are synchronised.

The file contains the latitude and longitude of the phone’s recorded coordinates along with a timestamp, meaning that anyone who stole the phone or the computer could discover details about the owner’s movements using a simple program.

For some phones, there could be almost a year’s worth of data stored, as the recording of data seems to have started with Apple’s iOS 4 update to the phone’s operating system, released in June 2010.

But it seems that folk on a forum have already been talking about it since January: Convert Iphone 4 Consolidated.db file to Google earth:

Someone called Gangstageek asked on Jan 6:

Is there a way to, or a program (for the PC) that can read the Consolidated.db file from the Iphone 4 backup folder and accurately translate the cell locations and timestamps into Google earth?

Other forum members helped him out. Indeed, an earlier forum thread, from November 2010, looked at the same file. kexan wrote on Nov 26:

We are currently investigating an iphone used during a crime, and we have extracted the geopositions located within consolidated.db for analysis. During this we noticed that multiple points have the same unix datestamp. We are unsure what to make of this. It’s kind of impossible to be on several locations at once, and the points are sometimes all over town.

Going back even further, Paul Courbis wrote on his site (translated from the French), including a demo:

Makes it relatively easy to draw the data on a map to get an idea of places visited by the owner of the iPhone.

I don’t have an iPhone so I’ve not been able to test this. But I’m guessing that this issue may have already been known for some time by certain kinds of folk. Indeed, there are tools in use by police and others that may have already exploited this kind of vulnerability.
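The privacy question raised above is really two questions: how much history a location file on a synced computer exposes, and how reliable that history is, given kexan’s observation that many points share one timestamp. The following is an added example, not code from the post or from any of the forum threads it quotes; it builds a small constructed SQLite table with an assumed three-column layout (timestamp, latitude, longitude), which is an assumption for illustration and not the real consolidated.db schema, and audits it the way a defender assessing exposure would: record count, date span, and any timestamps that carry several distinct coordinates, with the distance those points are spread over.

```python
import math
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows (Unix epoch seconds, latitude, longitude).
# This is NOT real device data, and the column layout below is an assumption
# made for the example, not the actual consolidated.db schema.
SAMPLE_ROWS = [
    (1277989200, 51.5074, -0.1278),  # 2010-07-01 13:00:00 UTC
    (1277989200, 51.5200, -0.1000),  # same timestamp, different place
    (1277989200, 51.4800, -0.2000),  # same timestamp again
    (1280000000, 51.5100, -0.1300),
    (1293840000, 48.8566, 2.3522),   # 2011-01-01 00:00:00 UTC
]


def load_sample_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE location_log (ts INTEGER, lat REAL, lon REAL)")
    conn.executemany("INSERT INTO location_log VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def audit_location_log(conn):
    """Summarise how much history the log holds and flag ambiguous timestamps.

    A timestamp is ambiguous when it is attached to more than one distinct
    coordinate, which is the pattern kexan described: the device cannot have
    been in several places at once, so such rows cannot be read as a trail.
    """
    count, first, last = conn.execute(
        "SELECT COUNT(*), MIN(ts), MAX(ts) FROM location_log"
    ).fetchone()

    ambiguous = {}
    rows = conn.execute(
        "SELECT ts FROM location_log GROUP BY ts "
        "HAVING COUNT(DISTINCT lat || ',' || lon) > 1 ORDER BY ts"
    ).fetchall()
    for (ts,) in rows:
        points = conn.execute(
            "SELECT DISTINCT lat, lon FROM location_log WHERE ts = ?", (ts,)
        ).fetchall()
        # Largest pairwise distance tells us whether the points are "all over town".
        spread = max(
            haversine_km(a[0], a[1], b[0], b[1])
            for i, a in enumerate(points) for b in points[i + 1:]
        )
        ambiguous[ts] = {"places": len(points), "spread_km": round(spread, 2)}

    to_iso = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    return {
        "records": count,
        "first_seen": to_iso(first),
        "last_seen": to_iso(last),
        "span_days": round((last - first) / 86400.0, 1),
        "ambiguous_timestamps": ambiguous,
    }


if __name__ == "__main__":
    report = audit_location_log(load_sample_db())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The span in days is the number that matters for exposure (the Guardian piece talks of almost a year’s worth), while the ambiguous-timestamp report is the caveat: any tool that plots such rows as a path is inventing movement the data does not support.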

The Phantom Threats We Face

This is a copy of my weekly Loose Wire Service column.

By Jeremy Wagstaff

We fear what we don’t know, even if it’s a guy in Shenzhen trying to make an honest living developing software that changes the background color of your mobile phone display.

Here’s what happened. I’ll save the lessons for the end of this piece.

A guy who prefers to go by the name Jackeey found a niche for himself developing programs—usually called apps—for the Android cellphone operating system.

They were wallpaper applications—basically changing the background to the display.

That was until an online news site, VentureBeat, reported on July 28 that a security company, Lookout, had told a conference of security geeks that some downloadable applications to phones running the Android operating system would “collect a user’s browsing history, their text messages, the phone’s SIM card number and subscriber identification, voicemail phone number password” and send all this data to a website owned by someone in Shenzhen, China.

Yikes! Someone in China is listening to our conversations! Figuring out what we’re doing on our phone! Sending all this info to Shenzhen! Sound the alarum!

Word did indeed spread quickly. About 800 outlets covered the story, including mainstream publications like the Daily Telegraph and Fortune magazine: “Is your smart phone spying on you?” asked one TV station’s website.

Scary stuff.

Only it isn’t true. Firstly, VentureBeat had the story wrong: The applications in question only transmitted a portion of this data. No browsing history was transmitted, no text messages, no voicemail password.

VentureBeat corrected the story—sort of; the incorrect bits are crossed out, but there’s no big CORRECTION message across the top of the story—but the damage was done. Google suspended Jackeey’s apps. Everyone considered Jackeey evil and confirmed suspicions that a) Android was flaky on security and b) stuff from China was dodgy.

All kind of sad. Especially when you find that actually Jackeey himself is not exactly unreachable. A few keyword searches and his email address appears and, voila! he’s around to answer your questions. Very keen to, in fact, given the blogosphere has just ruined his life.

Here’s what he told me: He needed the user’s phone number and subscriber ID because people complained that when they change their phone they lose all their settings.

That’s it. That’s the only stuff that’s saved.

Needless to say he is somewhat miffed that no one tried to contact him before making the report public; nor had most of the bloggers and journalists who dissed his applications.

“I am just an Android developer,” he said. “I love wallpapers and I use different wallpaper every day. All I want is to make the greatest Android apps.”

Now of course he could be lying through his teeth, but I see no evidence in the Lookout report or anything that has appeared subsequently that seems to suggest the developer has done anything underhand. (The developer has posted some screenshots of his app’s download page which show that they do not request permission to access text message content, nor of browsing history.)

In fact, he seemed to be doing a pretty good job: His apps had been downloaded several million times. He declined to give his name, but acknowledged that he was behind both apps provided under the name Jackeey, and under the name iceskysl@1sters.

The story sort of ends happily. After investigating them Google has reinstated the apps to their app store and will issue a statement sometime soon. It told Jackeey in an email that “Our investigation has concluded that there’s no obvious malicious code in your apps, though the implementation accesses data that it doesn’t need to.”

VentureBeat hasn’t written an apology but they have acknowledged that: “The controversy grew in part because we incorrectly reported in our initial post that the app also sent your text messages and browser history to the website.”

For his part Jackeey is redesigning his apps to take into account Google’s suggestions. He points out that to do so will require him to have users set up an account and enter a password, which some users may be reluctant to do. And the Google suggestion is not entirely secure either.

Obviously this is all very unsatisfactory, in several ways.

Firstly, the journalism was a tad sloppy. No attempt was made to contact the developer of the app for comment before publishing—how would you feel if it was your livelihood on the line?—and the correction was no real correction at all.

Secondly, the internet doesn’t have a way to propagate corrections, so all the other websites that happily picked up the story didn’t update theirs to reflect the correction.

Thirdly, Google maybe should have contacted Jackeey before suspending the apps. It would have been kinder, and, given they’ve not found anything suspicious, the right thing to do.

Fourthly, us. We don’t come out of this well. We are somehow more ready to believe a story that includes a) security issues (which we don’t understand well) and b) China, where we’re perhaps used to hearing stories that fit a certain formula. Suspicious?

And lastly, perhaps we should look a little harder at the source of these reports. We seem very quick to attribute suspicious behavior to someone we don’t know much about, in some scary far-off place, but less to those we do closer to home: Lookout’s main business, after all, is prominently displayed on their homepage: an application to, in its words, “protect yourself from mobile viruses and malware. Stop hackers in their tracks.”

So spare a thought for Jackeey. If you do a keyword search for him, the first hit is the story “’Suspicious’ Android wallpaper app nabs user data”, and links to 863 related articles. Below—a week after the hoo-ha, and after Google has sort of put things right–are headlines like: “Jackeey Wallpaper for Android steals your personal info”, “Your Rotten App, Jackeey Wallpaper” and “Jackeey steeling [sic] info on Android devices”.

In other words, anyone who checks out Jackeey’s wares on Google will find they don’t, well, check out.

I got back in touch with Jackeey to see how he’s holding up, a week after the storm broke. I’m in some pain, he says, “because mass negative press said that I steal users’ text messages, contacts and even passwords.” People have removed his applications from their phone, and people have been blasting him by email and instant messaging, calling him “thief”, “evil person” and other epithets.

“I am afraid that it will destroy my reputation and affect my livelihood forever,” he says.

I’m not surprised. We depend on folk like Jackeey to make the apps for our phones, so we should treat him a little better.

Why Google Needs China?

Playing with the AdMob data on iPhone and Android devices (which is a bit old now): the U.S., a much bigger iPhone/Android market than the rest of the world, reflects the worldwide distribution of iPhone vs Android devices (the blue is iPhone):

[image: AdMob chart, iPhone vs Android devices, U.S.]

The pattern seems to be mirrored elsewhere, but not evenly. In Australia, particularly, there seems little room for Android right now. Look at China, though: Almost as many Android devices as there are iPhones:

[image: AdMob chart, iPhone vs Android devices, China and other countries]

Ironic, really, that Google is so dependent on China to make headway with its phone OS. The third tier of countries follow a similar distribution:

[image: AdMob chart, iPhone vs Android devices, third tier of countries]

Filling the Tablet Hole

This is a guest post by my old friend and collaborator, Robin Lubbock.

I’m still waiting for this hole in the market to fill in. It’s the tablet hole. The space for a viewer/reader/player about the size of a novel. It’s easy to type on, it runs apps like an iPhone and everybody’s going to love it. But it’s not here yet.

Apple’s iPhone, let’s be frank, isn’t that wonderful a piece of technology. It’s a beautiful piece of sculpture: nice to look at and hold, and it’s just the right weight. But now that I’ve had mine for a year it has such a lag in its response time that it’s actually somewhat entertaining. You type, then sit back and after what seems like seconds you watch the keyboard apparently hitting keys of its own accord. Like one of those old pianos that plays itself, the keys moving in that wonderful ghostly way.

One impact the iPhone has had on me (and I’m sure I’m not alone) is that I now find myself touching screens everywhere and expecting them to do something. Of course by and large they don’t, which is disappointing. David Pogue had an article in the Times this week about screens that play images and music, but aren’t touch sensitive. He points out that one of the screens he reviews looks as if it was originally designed to be touch sensitive. But it isn’t. Either the market won’t bear the cost, or the technology won’t bear the burden.

Manufacturers of tablet sized computers still seem to be stuck with the choice between power and portability. So you have a rash of e-readers that aim to trickle out their power over a long time, and so have slow two-tone screens that can’t be asked to do very much.

Add to that the absence of a standardized platform for e-books and you’ve created an unmanageable mess of choices for users.

Somewhere on the heels of the Kindle and Sony’s e-reader, you’ll soon have Plastic Logic’s business e-reader (see demo): a reader that’s aimed at people who like to print out documents before they read them. This may sound a little bizarre as a business proposition, but the reader does have a touch sensitive (if rather slow) screen. This alone puts it ahead of other readers. But how will people with Kindle accounts use it?

These are murky waters, but they are turbulent with activity and they will clear one day. I hope it’s one day soon.

Finger Painting, Angling and Tuning the Cello: the New Computing

I’m not overwhelmed by Nokia’s new appstore, Ovi, but using it does help remind one of what the real revolution in computing is (I have been talking a lot about revolutions lately, but there are basically three: the information revolution, the computing revolution, and the mobile revolution, which I’ll address later.)

The computing revolution is this: a small device, about the size of your hand, which is called a phone, but isn’t, really. It’s what Nokia can only dream of: a device so smart that even ordinary people can use it. It’s called the iPhone, and listening to some friends talk about it the other night brought home just how great an impact it has wrought, and will have.

One was talking about working with someone who, during a long car drive, would take his iPhone and look like he was about to throw it away. Then he would stop, his hand mid air, and then he would look at the screen. And then do it again. At first my friend thought he was having some sort of seizure, or was just really upset about something.

Then he realized he was angling. With his iPhone. (I can’t find the app right now.)

My other friend has a tuner in his, so he can tune his cello. “It’s geeky I know, but when I come home at the end of the day I can be up and playing quickly,” he said. Just point the device at the cello, hit a string and the iPhone display will indicate whether it’s in tune.

Both of these are great examples of how computing fulfills its promise by giving the user something they actually want, when they want it and in a form that fits their environment. What’s more, it’s easy enough for them to buy, install and use that they’re actually using it.

Which gives you some idea of how far behind the likes of Nokia are, and how long users have been waiting for this revolution to happen.

Then there’s the New Yorker cover, all drawn on the iPhone:

Colombo’s phone drawing is very much in the tradition of a certain kind of New Yorker cover, and he doesn’t see the fact that it’s a virtual finger painting as such a big deal. “Imagine twenty years ago, writing about these people who are sending these letters on their computer.” But watching the video playback has made him aware that how he draws a picture can tell a story, and he’s hoping to build suspense as he builds up layers of color and shape.

What I like about his story is that a) he has all the tools he needs in his pocket, just like the angler and the cello guy and b) he talked about not feeling too exposed—the painter, painting in a public place–because everyone assumed he was just checking email. This is a significant mini revolution in itself; a few years back, pre-Palm, someone poking around on a small screen in a public place might have seemed weird, but now the idea of what we do in social spaces has changed entirely.

(Now someone standing on a corner reading a paper or watching the world go by is viewed with suspicion.)

I’m no shill for Apple, but I think there’s a compound shift taking place here: by keeping the design elegant, making it easy for developers and users, the iPhone has captured the imagination of both. These guys may not be angling and tuning in a few years’ time, but already significant rivers have been crossed.

Now users have access to functions and features that they may not have considered the terrain of computing, but which now are part of their lives.

Computing will never be the same.

The Failure of the Open Field

It’s great that Apple has created a new platform with the iPhone and the App Store. But it’s also a ripping indictment of the personal computer industry—and cellphone industry—thus far. And not to be too nice to Apple: The beautiful stuff we’re seeing with the iPhone is mainly about pastime—not about productivity (or creativity.)

Here’s what Apple has done right: It’s created a beautiful device that works and seduces. It’s created a single environment and process for people to be able to buy, download and install applications. And then it’s set some standards so things don’t get out of hand.

This is something that should have been done years ago. Microsoft had oh so long to come up with a way for third-party developers to produce good applications and have them certified and delivered in a way that makes it easy for consumers to install them (and the developers to make a decent living from them.) Instead we have a world where increasingly users are reluctant to download apps because even the best of them come front-loaded with crapware and configuration changing tweaks.

Nokia and the other big cellphone players had a decade to get their act together: To make phones connect seamlessly with computers, and for third party developers to come up with applications that made their devices compelling. I hate installing anything on my N95 because I know it’s a nightmare. Why bother?

Now Apple have done what needed to be done. They’ve done well and they deserve to take over the market for these reasons alone. Now the iPhone has become an extraordinary device capable of some spine-tingling stuff. Computers, finally, are tapping into the creativity of individual developers. And at a price point that’s not free, but for most people is as cheap as makes no difference.

I doubt Microsoft will get it. I doubt Nokia will get it. That makes me sad. But I also have a deeper regret. That, because it’s Apple, I don’t think we’ll now see the really full potential of software ideas and development, because Apple is still a very closed-in world. That is part of the reason for its success. Making everything a single pipe tends either to succeed spectacularly or to fail dismally.

But it also caps its potential. By acknowledging this success we’ve also admitted that the online chaos that we thought would work, would somehow organize itself, has not worked. Try to find a decent application for Windows XP. Or for your N95. Try to browse and just see what’s out there, and experiment. You’re brave if you do. Apple’s walled garden approach is a roaring success because we’ve failed to make the unmown field work. And we had long enough.

From the Desk of David Pogue – So Many iPhone Apps, So Little Time – NYTimes.com

Puppy Love, Army Trojans and Perfecting the Phone Call

I make an appearance on the excellent Breakfast Club show on Radio Australia each Friday at about 01:15 GMT and some listeners have asked me to post links to the stuff I talk about, so here they are.

Love on the net

Teenage social networking isn’t so bad, according to the MacArthur Foundation. According to the lead researcher on the project, called the Digital Youth Project, “their participation is giving them the technological skills and literacy they need to succeed in the contemporary world. They’re learning how to get along with others, how to manage a public identity, how to create a home page.”

The study, part of a $50 million project on digital and media learning, used several teams of researchers to interview more than 800 young people and their parents and to observe teenagers online for more than 5,000 hours.

The bit I like in the NYT report is the shameless flirting that goes on, cleverly disguised:

First, the girl posted a message saying, “hey … hm. wut to say? iono lol/well I left you a comment … u sud feel SPECIAL haha.” A day later, the boy replied, “hello there … umm I don’t know what to say, but at least I wrote something …”

U.S. Military Under Attack

Spooked by the rapid spread of a worm called Agent.btz, the U.S. military has banned everything from external hard drives to “floppy disks.”

USB drives are a problem: Lenovo this week offered a software package to XP users with a Trojan dropper called Meredrop, found in one of the drivers.

And Telstra earlier this year handed out USB drives at a security conference that were infected with malware.

Could it be China? The conclusions reached in this year’s US-China Economic and Security Review are far more dramatic than before. In 2007, it says, about 5m computers in the US were the targets of 43,880 incidents of malicious activity — a rise of almost a third on the previous year.

Much of the activity is likely to emanate from groups of hackers, but the lines between private espionage and government-sponsored operations are blurred. Some 250 hacker groups are tolerated, and may even be encouraged, by Beijing to invade computer networks. Individual hackers are also being trained in cyber operations at Chinese military bases.


How to Make the Perfect Phone Call

According to the UK Post Office, the perfect phone call should last nine minutes, 36 seconds and contain a mix of chat about family news, current affairs, personal problems and the weather.

Three minutes of that should be spent catching up with news about family and friends, one minute on personal problems, a minute on work/school, 42 seconds on current affairs and 24 seconds on the weather. Chat about the opposite sex should last 24 seconds. 12 seconds of every call should be set aside for a little quiet contemplation.

One in five people said they spent most time on the phone to their mother. The research, by the Post Office, revealed that the phrase “I’ll get your mother” is common. Only three per cent of people named their father as the person they spent most time on the phone with.

Susan042764

“Please help!” she writes. “I took my husband’s iPhone and found a raunchy picture of him attached to an email to a woman in his sent email file. When I approached him about this, he admitted that he took the picture, but says that he never sent it to anyone.

“He claims that he went to the Genius Bar at the local Apple store and they told him it is an iPhone glitch – that photos sometimes automatically attach themselves to an email address and appear in the sent folder, even though no email was ever sent.

“Has anyone ever heard of this happening?” she asks. “The future of my marriage depends on this answer!” Read more here.

Software, Slowly, Gets Better

Is it just me, or are software developers beginning to get their users? For a long time I’ve felt the only real innovation in software has been in online applications, Web 2.0 non-apps—simple services that exist in your browser—but now it seems that ordinary apps are getting better too.

Evernote, I feel, is one that’s really leading the charge. They’ve taken the feedback that us users have been giving them and have added, incremental release by incremental release, some really cool features. For example: now you can save searches in the Windows version. Reminds me of the old Enfish Tracker Pro, whose departure I still mourn. In fact, Evernote isn’t far off becoming a real database instead of a dumping ground for things you’ll read one day. Maybe.

Skype, too, have pulled their socks up. I hated 4.0 beta, not least for its big bumbling footprint. But the new version is better—a lot better. The main improvement is the option to make it look like your old Skype. But it has some nice new touches, including a chronology scroller that might interest Evernote’s legal department (Skype on the left, Evernote on the right):

[images: Skype chronology scroller (left), Evernote equivalent (right)]

Move the bar on the right and you can move easily through old chats. Legal niceties aside, I think this kind of innovation is great to see, and almost restores my faith in designers realising that we don’t just use software in the here and now, but also as repositories of past heres and nows, if you know what I mean.

In short, our decision to commit to software is largely based on how much we will be able to get out of it. Not just in terms of hours saved in what we do now, but in what past information we’ll be able to get out of it. We have been using computers long enough now to have built up a huge repository of interactions and memos, and we want, nay we insist, to be able to get that stuff back. Quickly and easily. And, increasingly, to be able to move it to other places should we wish.

Google understands this relatively well. A chat in GTalk, for example, can be readily accessed via Gmail. And, now, we can also see and search our other data held within Google’s silos, right within Gmail, via some widgets from Google’s Gmail Labs. Here are two widgets that let you view your calendar:

[image: Gmail Labs calendar widgets]

and here’s one to see your documents within Google Docs:

[image: Gmail Labs Google Docs widget]

Note the window at the top for searching through your document titles. This means one less step to access your data.

All these things have some basic concepts in common:

As I’ve mentioned, it’s about being able to get what you’ve put in out. Skype have listened to their customers and realised it’s less about the interface and more about the information the interface gives access to. If they were smart they’d find an easy way to send old chats to your email account or at least make it easy to search all your chats from one box. (I’m told that, or something like it, is coming in the ‘Gold’ version of Skype 4.0 next year. Until now only group chats—three or more people—can be saved to your contact list.)

[image: Emusic download manager]

Secondly, software should, where possible, work with other people’s software. Emusic’s new download manager (above), for example, does something that has been missing ever since the service launched. Previously, if you wanted to include MP3 files you’d bought from the service in iTunes, you’d need to either drag them across into iTunes or re-introduce the folder into iTunes. The new version of the downloader tool now synchronizes automatically with iTunes, meaning you don’t need to do anything. Thank God for that.

There are tons of other things that software needs to do that it presently doesn’t. I could start listing them but I need to go to bed. But maybe in this downturn developers could take a note from some of these examples, and use the time to look more carefully at what users need, at how they use your software, and explore new and better ways for them to use it for what they do, not what you think they should do.

The iPhone Dream

Shocking pricing from Vodafone in New Zealand, the first country to launch the iPhone 3G. A $200 iPhone? More like $2,000-$5,000 after charges.

As ReadWriteWeb points out:

Carrier greed worldwide is probably the major reason why the Mobile Web is struggling to take off.

You can’t blame them for trying to make some money while they still can, because that scraping sound is the rats trying to secure stowage on a sinking ship.

Vodafone NZ Charges “Like a Wounded Bull” For iPhone 3G – ReadWriteWeb