Apple, along with Google, Microsoft, and Mozilla, today banned from their respective web browsers a malicious certificate that was being used by the Kazakhstan government to intercept HTTPS traffic coming from the city of Nur-Sultan, the country’s capital.
Apple continues its focus on privacy and security with some new resources on how to protect your devices, accounts, and personal safety. Let’s look at the recommended steps to check who can access your iPhone, other Apple devices, and Apple accounts.
A massive security failing by Apple allowed an attacker to take total remote control of iPhones within WiFi range. They would be able to download all the data on the phone, and even activate the iPhone’s cameras and microphones to provide real-time spying capabilities.
The vulnerability was not just a theoretical risk: a noted Google security researcher was able to demonstrate the capabilities by taking full remote control of an iPhone in another room …
We explained way back in 2014 why you might want to have an Apple ID recovery key. In those days, it was an extra precaution you could take against getting locked out of your account.
Apple abandoned recovery keys when it switched to a smarter two-factor authentication process, before reintroducing them in a new form in iOS 14. However, they now work in a different way. You definitely won’t want to enable one now, and you may not want to do so ever …
Hackers who compiled a database of as many as 350,000 Spotify passwords proceeded to store it on a cloud server … without a password. The breach also offers a reminder of a key principle to apply when choosing passwords for your account …
As Apple launched its new macOS operating system to the public yesterday, serious server outages caused widespread Big Sur download/install failures, took iMessage and Apple Pay down, and even caused performance issues for users running macOS Catalina and earlier. We learned why that happened at a high level yesterday; now security researcher Jeffrey Paul has shared a deep dive into his understanding, along with his privacy and security concerns for Macs, especially Apple Silicon ones.
Update: Apple has shared a response to Paul’s concerns in an updated support document that includes what macOS does to protect your privacy and security, and three new steps it will take in the future for greater privacy and flexibility.
Almost all popular messaging apps offer link previews, which let users know the content of a URL in advance. However, security researchers Talal Haj Bakry and Tommy Mysk have discovered that these link previews can expose user data in both iOS and Android apps.
The notorious GravityRAT spyware, which initially targeted Windows PCs, now also enables attacks against Macs and Android devices.
Remote Access Trojans (RATs) are so-called because they masquerade as legitimate apps (the Trojan part) and then permit the compromised machine to be accessed remotely …
Update at the bottom: Another team with another cable able to hijack a Mac, among other devices.
The T2 exploit team who found a way to take over the security chip in modern Macs has demonstrated a way to do so without user intervention — using nothing more than a modified USB-C cable.
The ad-hoc team, who call themselves Team t8012 after Apple’s internal name for the chip, believe that nation-states may already be using this approach.
Wi-Fi security risks are always something to consider when using any kind of public hotspot, but the FBI has this week issued a specific warning about working from hotels during the coronavirus crisis …
Speculation that the T2 security chip on modern Macs can be hacked has been confirmed by the team behind the research. A combination of two different exploits would give a hacker the ability to modify the behavior of the chip, and even plant malware like a keylogger inside it.
All Macs sold since 2018 contain the T2 chip, and because the attack uses code in the read-only memory section of the chip, there is no way for Apple to patch it …
Twitter security made the headlines for all the wrong reasons back in July, when a major hack saw many high-profile accounts taken over to post a cryptocurrency scam. Affected accounts included Apple, Elon Musk, Joe Biden, and Barack Obama.
The company has now implemented a range of security measures in response, including physical security keys for two-factor authentication of staff with access to accounts …
Face ID is normally a completely seamless way to unlock an iPhone and iPad: just swipe up and it unlocks automatically. At a time when we’re frequently wearing masks, however, it’s rather less seamless.
So we’d like to see Apple allow an unlocked Apple Watch to automatically unlock an iPhone and iPad …
A team of security researchers has found Bing user data exposed on a server owned by Microsoft. The data comes from both iOS and Android versions of the Bing app. The data exposed includes unique user IDs, search queries, location, and even webpages visited as a result of searches …
A series of iOS and Android scam apps identified by security researchers managed to rack up a total of 2.4M downloads and make $500k thanks to promotion on TikTok and Instagram. They came to light after a report by a child …
Cisco has warned that an iOS 14 privacy feature can break some network setups used by corporations, schools, colleges, and retail chains.
The potential problems result from the fact that iPhones and iPads on the latest OS default to using a random MAC address when connecting to Wi-Fi networks …
A new Bluetooth security flaw has been discovered that would potentially allow an attacker to connect to a user device without authentication.
The Bluetooth Special Interest Group (SIG), the body responsible for Bluetooth standards, has confirmed vulnerabilities separately discovered by two teams of security researchers…
After announcing new iOS privacy requirements back at WWDC in June, Apple has shared a new detailed document for developers as they prepare to create privacy “nutrition labels” for apps. The new iOS 14 feature will apply to all apps that are available in Apple’s App Stores, with the goal of better informing consumers with a clear overview of an app’s privacy practices.
While Apple’s devices are typically more secure than the competition, that doesn’t mean they’re immune to flaws. In the case of the Mac, a new report highlights how Apple accidentally approved one of the most common malware threats to run on recent versions of macOS. While the original flaw was quickly fixed, another similar one has popped up.
A security researcher has found that Instagram kept deleted photos and private messages for more than a year after he deleted them. The company paid him $6,000 for the discovery …
Can police demand you unlock your phone if they want to examine it for evidence? Courts in different states have given different answers to this question, but New Jersey’s Supreme Court has ruled that the answer is yes. The court decided that a suspect can be forced to use his passcode to unlock his phone.
Despite the ruling coming from the state’s Supreme Court, however, that may not be the final, definitive answer …
One of the major security enhancements Apple has brought to its devices over the years is the Secure Enclave chip, which encrypts and protects all sensitive data stored on the devices. Last month, however, hackers claimed they found a permanent vulnerability in the Secure Enclave, which could put data from iPhone, iPad, and even Mac users at risk.
Some 278,531 Instacart customer records have reportedly been hacked, and are for sale on the dark web. The data includes names, email addresses, the last four digits of credit card numbers, and order histories …