Apple


“NokiApple LumiPhone 1020 SE” merges Windows Phone body with budget iPhone guts

Remember the Lumia 1020? It’s back—in iPhone SE form.

The Lumia 1020 was a lot of smartphone in July 2013. It debuted with a focus “almost entirely on the phone’s massive camera,” Ars wrote at the time. That big 41-megapixel sensor jutted forth from the phone body, and Nokia reps showed off its low-light, rapid-motion camera abilities by shooting pictures of breakdancers in a dark demonstration room. The company also offered an optional camera grip—one that made it feel a lot more like a point-and-shoot camera. In a more robust review, Ars suggested the Lumia 1020 might actually make the point-and-shoot obsolete.

Front of the Lumia 1020, showing a bit of Windows Phone square grid flair. Casey Johnston

The Lumia 1020 contained yet another cutting edge concept of the day: Windows Phone, Microsoft’s color-coded, square-shaped companion to its mobile-forward Windows 8. The mobile OS never got over the users/apps, chicken/egg conundrum, and called it quits in October 2017. The end of that distant-third-place mobile OS would normally signal the end of the Lumia 1020 as a usable phone.

But there was a person named /u/OceanDepth95028 who saw beyond, and where others thought, “LOL,” this person thought, “Why not?” And this person looked at the Lumia 1020 and saw a third-generation iPhone SE inside of it. And then this person made that phone, and it booted. And the person saw that it was good, and they posted the tale to Reddit’s r/hackintosh.


Apple teases launch for “the newest member of the family” on February 19

Big news for people who prefer their product announcements to be pre-announced: Apple CEO Tim Cook says that the company has something brewing for Wednesday, February 19. Cook referred to “the newest member of the family,” suggesting a launch event focused on a single product rather than multiple refreshes throughout its product lineup.

Most rumors point to the “family” being the iPhone and the “newest member” being an updated version of the entry-level iPhone SE. Last refreshed in March of 2022 with the guts of late 2021’s iPhone 13, the SE is the only iPhone in Apple’s lineup that still ships with large display bezels and a Home button. And it’s one of just three models (along with the iPhone 14 and 14 Plus) to still include a Lightning port.

Previous reporting has suggested that the next-generation iPhone SE could replace both the current SE and the iPhone 14 series in the iPhone lineup, since the new phone is expected to ship with an iPhone 14-style design with an edge-to-edge display and a notch cutout. The old SE and the 14 series have already been discontinued in the EU, where new phones are all required to use a USB-C port.

Apple does have other products it could announce alongside (or instead of) a new entry-level iPhone, if it wanted to. Rumors and references in macOS have all pointed to an early 2025 launch for new M4 MacBook Airs, and the rumor mill also thinks that a new Apple TV box, new HomePod products, and even new AirTags could all come at some point in 2025. High-end Mac desktops like the Mac Studio and Mac Pro are also long overdue for an update, though we reportedly won’t see those refreshes until closer to the middle of the year.


Apple TV+ crosses enemy lines, will be available as an Android app starting today

Apple is also adding the ability to subscribe to Apple TV+ through both the Android and Google TV apps using Google’s payment system, whereas the old Google TV app required subscribing on another device.

Apple TV+ is available for $9.99 a month, or $19.95 a month as part of an Apple One subscription that bundles 2TB of iCloud storage, Apple Music, and Apple Arcade support (a seven-day free trial of Apple TV+ is also available). MLS Season Pass is available as a totally separate $14.99 a month or $99 per season subscription, but people who subscribe to both Apple TV+ and MLS Season Pass can save $2 a month or $20 a year on the MLS subscription.

Apple TV+ has had a handful of critically acclaimed shows, including Ted Lasso, Slow Horses, and Severance. But so far, that hasn’t translated to huge subscriber numbers; as of last year, Apple had spent about $20 billion making original TV shows and movies for Apple TV+, but the service has only about 10 percent as many subscribers as Netflix. As Bloomberg put it last July, “Apple TV+ generates less viewing in one month than Netflix does in one day.”

Whether an Android app can help turn that around is anyone’s guess, but offering an Android app brings Apple closer to parity with other streaming services, which have all supported Apple’s devices and Android devices for many years now.


Apple now lets you move purchases between your 25 years of accounts

Last night, Apple posted a new support document about migrating purchases between accounts, something that Apple users with long online histories have been waiting on for years, if not decades. If you have movies, music, or apps orphaned on various iTools/.Mac/MobileMe/iTunes accounts that preceded what you’re using now, you can start the fairly involved process of moving them over.

“You can choose to migrate apps, music, and other content you’ve purchased from Apple on a secondary Apple Account to a primary Apple Account,” the document reads, suggesting that people might have older accounts tied primarily to just certain movies, music, or other purchases that they can now bring forward to their primary, device-linked account. The process takes place on an iPhone or iPad inside the Settings app, in the “Media & Purchases” section in your named account section.

There are a few hitches to note. You can’t migrate purchases from or into a child’s account that exists inside Family Sharing. You can only migrate purchases to an account once a year. There are some complications if you have music libraries on both accounts and also if you have never used the primary account for purchases or downloads. And migration is not available in the EU, UK, or India.


Report: iPhone SE could shed its 10-year-old design “as early as next week”

Gurman suggests that Apple could raise the $429 starting price of the new iPhone SE to reflect the updated design. He also says that Apple’s supplies of the $599 iPhone 14 are running low at Apple’s stores—the 14 has already been discontinued in some countries over its lack of USB-C port, and it’s possible Apple could be planning to replace both the iPhone 14 and the old SE with the new SE.

Apple’s third-generation iPhone SE is nearly three years old, but its design (including its dimensions, screen size, Home button, and Lightning port) hearkens all the way back to 2014’s iPhone 6. Put 2017’s iPhone 8 and 2022’s iPhone SE on a table next to each other, and almost no one could tell the difference. These days, it feels like a thoroughly second-class iPhone experience, and a newer design is overdue.

Other Apple products allegedly due for an early 2025 release include the M4 MacBook Airs and a next-generation Apple TV, which, like the iPhone SE, was also last refreshed in 2022. Gurman has also said that a low-end iPad and a new iPad Air will arrive “during the first half of 2025” and updated Mac Pro and Mac Studio models are to arrive sometime this year as well. Apple is also said to be making progress on its own smart display, expanding its smart speaker efforts beyond the aging HomePod and HomePod mini.


UK demands Apple break encryption to allow gov’t spying worldwide, reports say

The United Kingdom issued a secret order requiring Apple to create a backdoor for government security officials to access encrypted data, The Washington Post reported today, citing people familiar with the matter.

UK security officials “demanded that Apple create a backdoor allowing them to retrieve all the content any Apple user worldwide has uploaded to the cloud,” the report said. “The British government’s undisclosed order, issued last month, requires blanket capability to view fully encrypted material, not merely assistance in cracking a specific account, and has no known precedent in major democracies.”

Apple and many privacy advocates have repeatedly criticized government demands for backdoors to encrypted systems, saying they would harm security and privacy for all users. Backdoors developed for government use would inevitably be exploited by criminal hackers and other governments, security experts have said.

The UK is reportedly seeking access to data secured by end-to-end encryption with Apple’s Advanced Data Protection, which prevents even Apple from seeing user data. Advanced Data Protection is an optional setting that users can enable for iCloud backups, photos, notes, and other data.

“Rather than break the security promises it made to its users everywhere, Apple is likely to stop offering encrypted storage in the UK,” The Washington Post paraphrased its sources as saying. “Yet that concession would not fulfill the UK demand for backdoor access to the service in other countries, including the United States.”

Apple opposes UK snooping powers

The Technical Capability Notice was reportedly issued by the UK Home Office under the Investigatory Powers Act (IPA). The 2016 law is nicknamed the Snoopers’ Charter and forbids unauthorized disclosure of the existence or contents of a warrant issued under the act.

“Apple can appeal the UK capability notice to a secret technical panel, which would consider arguments about the expense of the requirement, and to a judge who would weigh whether the request was in proportion to the government’s needs. But the law does not permit Apple to delay complying during an appeal,” the Post wrote.


DeepSeek iOS app sends data unencrypted to ByteDance-controlled servers


Apple’s defenses that protect data from being sent in the clear are globally disabled.

A little over two weeks ago, a largely unknown China-based company named DeepSeek stunned the AI world with the release of an open source AI chatbot that had simulated reasoning capabilities that were largely on par with those from market leader OpenAI. Within days, the DeepSeek AI assistant app climbed to the top of the iPhone App Store’s “Free Apps” category, overtaking ChatGPT.

On Thursday, mobile security company NowSecure reported that the app sends sensitive data over unencrypted channels, making the data readable to anyone who can monitor the traffic. More sophisticated attackers could also tamper with the data while it’s in transit. Apple strongly encourages iPhone and iPad developers to enforce encryption of data sent over the wire using ATS (App Transport Security). For unknown reasons, that protection is globally disabled in the app, NowSecure said.

Basic security protections MIA

What’s more, the data is sent to servers that are controlled by ByteDance, the Chinese company that owns TikTok. While some of that data is properly encrypted using transport layer security, once it’s decrypted on the ByteDance-controlled servers, it can be cross-referenced with user data collected elsewhere to identify specific users and potentially track queries and other usage.

More technically, the DeepSeek AI chatbot uses an open weights simulated reasoning model. Its performance is largely comparable with OpenAI’s o1 simulated reasoning (SR) model on several math and coding benchmarks. The feat, which largely took AI industry watchers by surprise, was all the more stunning because DeepSeek reported spending only a small fraction on it compared with the amount OpenAI spent.

A NowSecure audit of the app has found other behaviors that researchers found potentially concerning. For instance, the app uses a symmetric encryption scheme known as 3DES or triple DES. The scheme was deprecated by NIST following research in 2016 that showed it could be broken in practical attacks to decrypt web and VPN traffic. Another concern is that the symmetric keys, which are identical for every iOS user, are hardcoded into the app and stored on the device.

The app is “not equipped or willing to provide basic security protections of your data and identity,” NowSecure co-founder Andrew Hoog told Ars. “There are fundamental security practices that are not being observed, either intentionally or unintentionally. In the end, it puts your and your company’s data and identity at risk.”

Hoog said the audit is not yet complete, so there are many questions and details left unanswered or unclear. He said the findings were concerning enough that NowSecure wanted to disclose what is currently known without delay.

In a report, he wrote:

NowSecure recommends that organizations remove the DeepSeek iOS mobile app from their environment (managed and BYOD deployments) due to privacy and security risks, such as:

  1. Privacy issues due to insecure data transmission
  2. Vulnerability issues due to hardcoded keys
  3. Data sharing with third parties such as ByteDance
  4. Data analysis and storage in China

Hoog added that the DeepSeek app for Android is even less secure than its iOS counterpart and should also be removed.

Representatives for both DeepSeek and Apple didn’t respond to an email seeking comment.

Data is sent entirely in the clear during the initial registration of the app, including:

  • organization id
  • the version of the software development kit used to create the app
  • user OS version
  • language selected in the configuration

Apple strongly encourages developers to implement ATS to ensure the apps they submit don’t transmit any data insecurely over HTTP channels. For reasons that Apple hasn’t explained publicly, Hoog said, this protection isn’t mandatory. DeepSeek has yet to explain why ATS is globally disabled in the app or why it uses no encryption when sending this information over the wire.
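An added example, not code from NowSecure or from the app: a small auditor that reads an app's Info.plist and reports the App Transport Security settings that permit cleartext or weak-TLS traffic. The two plists are constructed for the example; the key names are Apple's documented ATS keys, and the finding codes are made up here.

```python
import plistlib

# Constructed Info.plist samples for this example; not taken from any real app.
ATS_DISABLED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict></plist>"""

ATS_SCOPED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>legacy.example.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
      <key>api.example.com</key><dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# On iOS 10 and later, the presence of any of these keys makes the system
# ignore NSAllowsArbitraryLoads, so the global switch is not what it seems.
OVERRIDING_KEYS = (
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsLocalNetworking",
)
WEAK_TLS = {"TLSv1.0", "TLSv1.1"}


def audit_ats(plist_bytes):
    """Return a list of (severity, code, detail) findings for one Info.plist."""
    info = plistlib.loads(plist_bytes)  # handles XML and binary plists
    ats = info.get("NSAppTransportSecurity", {})
    findings = []

    if ats.get("NSAllowsArbitraryLoads") is True:
        overriding = [k for k in OVERRIDING_KEYS if k in ats]
        if overriding:
            findings.append(("info", "ARBITRARY_LOADS_IGNORED",
                             "global opt-out present but superseded by "
                             + ", ".join(overriding)))
        else:
            findings.append(("high", "ATS_GLOBALLY_DISABLED",
                             "every connection may use plain HTTP"))

    for key in OVERRIDING_KEYS[:2]:
        if ats.get(key) is True:
            findings.append(("medium", "ARBITRARY_LOADS_PARTIAL",
                             key + " permits insecure loads"))

    # Per-domain exceptions are narrower, but still downgrade protection.
    for domain, cfg in sorted(ats.get("NSExceptionDomains", {}).items()):
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            scope = " and subdomains" if cfg.get("NSIncludesSubdomains") else ""
            findings.append(("medium", "CLEARTEXT_DOMAIN",
                             "plain HTTP allowed for " + domain + scope))
        tls = cfg.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS:
            findings.append(("medium", "WEAK_TLS_DOMAIN",
                             domain + " accepts " + tls))
    return findings


if __name__ == "__main__":
    for name, sample in (("disabled", ATS_DISABLED), ("scoped", ATS_SCOPED)):
        print(name)
        for severity, code, detail in audit_ats(sample):
            print("  [%s] %s: %s" % (severity, code, detail))
```

A clean result only means the plist does not opt out of ATS; traffic sent through lower-level socket APIs is outside what ATS covers and still needs network-level inspection.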

This data, along with a mix of other encrypted information, is sent to DeepSeek over infrastructure provided by Volcengine, a cloud platform developed by ByteDance. While the IP address the app connects to geo-locates to the US and is owned by US-based telecom Level 3 Communications, the DeepSeek privacy policy makes clear that the company “store[s] the data we collect in secure servers located in the People’s Republic of China.” The policy further states that DeepSeek:

may access, preserve, and share the information described in “What Information We Collect” with law enforcement agencies, public authorities, copyright holders, or other third parties if we have good faith belief that it is necessary to:

• comply with applicable law, legal process or government requests, as consistent with internationally recognised standards.

NowSecure still doesn’t know precisely the purpose of the app’s use of 3DES encryption functions. The fact that the key is hardcoded into the app, however, is a major security failure that’s been recognized for more than a decade when building encryption into software.

No good reason

NowSecure’s Thursday report adds to a growing list of safety and privacy concerns that have already been reported by others.

One was the terms spelled out in the above-mentioned privacy policy. Another came last week in a report from researchers at Cisco and the University of Pennsylvania. It found that the DeepSeek R1, the simulated reasoning model, exhibited a 100 percent attack failure rate against 50 malicious prompts designed to generate toxic content.

A third concern is research from security firm Wiz that uncovered a publicly accessible, fully controllable database belonging to DeepSeek. It contained more than 1 million instances of “chat history, backend data, and sensitive information, including log streams, API secrets, and operational details,” Wiz reported. An open web interface also allowed for full database control and privilege escalation, with internal API endpoints and keys available through the interface and common URL parameters.

Thomas Reed, staff product manager for Mac endpoint detection and response at security firm Huntress, and an expert in iOS security, said he found NowSecure’s findings concerning.

“ATS being disabled is generally a bad idea,” he wrote in an online interview. “That essentially allows the app to communicate via insecure protocols, like HTTP. Apple does allow it, and I’m sure other apps probably do it, but they shouldn’t. There’s no good reason for this in this day and age.”

He added: “Even if they were to secure the communications, I’d still be extremely unwilling to send any remotely sensitive data that will end up on a server that the government of China could get access to.”

HD Moore, founder and CEO of runZero, said he was less concerned about ByteDance or other Chinese companies having access to data.

“The unencrypted HTTP endpoints are inexcusable,” he wrote. “You would expect the mobile app and their framework partners (ByteDance, Volcengine, etc) to hoover device data, just like anything else—but the HTTP endpoints expose data to anyone in the network path, not just the vendor and their partners.”

On Thursday, US lawmakers began pushing to immediately ban DeepSeek from all government devices, citing national security concerns that the Chinese Communist Party may have built a backdoor into the service to access Americans’ sensitive private data. If passed, DeepSeek could be banned within 60 days.

This story was updated to add further examples of security concerns regarding DeepSeek.


Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and Bluesky. Contact him on Signal at DanArs.82.


The Severance writer and cast on corporate cults, sci-fi, and more

The following story contains light spoilers for season one of Severance but none for season 2.

The first season of Severance walked the line between science-fiction thriller and Office Space-like satire, using a clever conceit (characters can’t remember what happens at work while at home, and vice versa) to open up new storytelling possibilities.

It hinted at additional depths, but it’s really season 2’s expanded worldbuilding that begins to uncover additional themes and ideas.

After watching the first six episodes of season two and speaking with the series’ showrunner and lead writer, Dan Erickson, as well as a couple of members of the cast (Adam Scott and Patricia Arquette), I see a show that’s about more than critiquing corporate life. It’s about all sorts of social mechanisms of control. It’s also a show with a tremendous sense of style and deep influences in science fiction.

Corporation or cult?

When I started watching season 2, I had just finished watching two documentaries about cults—The Vow, about a multi-level marketing and training company that turned out to be a sex cult, and Love Has Won: The Cult of Mother God, about a small, Internet-based religious movement that believed its founder was the latest human form of God.

There were hints of cult influences in the Lumon corporate structure in season 1, but without spoiling anything, season 2 goes much deeper into them. As someone who has worked at a couple of very large media corporations, I enjoyed Severance’s send-up of corporate culture. And as someone who has worked in tech startups—both good and dysfunctional ones—and who grew up in a radical religious environment, I now enjoy its send-up of cult social dynamics and power plays.

Employees watch a corporate propaganda video

Lumon controls what information is presented to its employees to keep them in line. Credit: Apple

When I spoke with showrunner Dan Erickson and actor Patricia Arquette, I wasn’t surprised to learn that it wasn’t just me—the influence of stories about cults on season 2 was intentional.

Erickson explained:

I watched all the cult documentaries that I could find, as did the other writers, as did Ben, as did the actors. What we found as we were developing it is that there’s this weird crossover. There’s this weird gray zone between a cult and a company, or any system of power, especially one where there is sort of a charismatic personality at the top of it like Kier Eagan. You see that in companies that have sort of a reverence for their founder.

Arquette also did some research on cults. “Very early on when I got the pilot, I was pretty fascinated at that time with a lot of cult documentaries—Wild Wild Country, and I don’t know if you could call it a cult, but watching things about Scientology, but also different military schools—all kinds of things like that with that kind of structure, even certain religions,” she recalled.


In Apple’s first-quarter earnings, the Mac leads the way in sales growth

Apple fell slightly short of investor expectations when it reported its first-quarter earnings today. While sales were up 4 percent overall, the iPhone showed signs of weakness, and sales in the Chinese market slipped by just over 11 percent.

CEO Tim Cook told CNBC that the iPhone performed better in countries where Apple Intelligence was available, like the US—seemingly suggesting that the slip was partially because Chinese consumers do not see enough reason to buy new phones without Apple Intelligence. (He also said, “Half of the decline is due to a change in channel inventory.”) iPhone sales also slipped in China during this same quarter last year; this was the first full quarter during which the iPhone 16 was available.

In any case, Cook said the company plans to roll out Apple Intelligence in additional languages, including Mandarin, this spring.

Apple’s wearables category also declined slightly, but only by 2 percent.

Despite the trends that worried investors, Apple reported $36.33 billion in net revenue for the first quarter. That’s 7.1 percent more than last year’s Q1. This was driven by the Mac, the iPad, and Services (which includes everything from Apple Music to iCloud)—all of which saw slight upticks in sales. Services was up 14 percent, continuing a strong streak for that business, while the Mac and the iPad both jumped up 15 percent.

The uptick in Mac and iPad sales was likely helped by several new Mac models and a new iPad mini starting shipments last October.

Cook shared some other interesting numbers in the earnings call with investors and the press: The company has an active base of 2.35 billion devices, and it has more than 1 billion active subscriptions.


Apple chips can be hacked to leak secrets from Gmail, iCloud, and more


MEET FLOP AND ITS CLOSE RELATIVE, SLAP

Side channel gives unauthenticated remote attackers access they should never have.

Apple is introducing three M3 performance tiers at the same time. Credit: Apple

Apple-designed chips powering Macs, iPhones, and iPads contain two newly discovered vulnerabilities that leak credit card information, locations, and other sensitive data from the Chrome and Safari browsers as they visit sites such as iCloud Calendar, Google Maps, and Proton Mail.

The vulnerabilities, affecting the CPUs in later generations of Apple A- and M-series chip sets, open them to side channel attacks, a class of exploit that infers secrets by measuring manifestations such as timing, sound, and power consumption. Both side channels are the result of the chips’ use of speculative execution, a performance optimization that improves speed by predicting the control flow the CPUs should take and following that path, rather than the instruction order in the program.

A new direction

The Apple silicon affected takes speculative execution in new directions. Besides predicting control flow CPUs should take, it also predicts the data flow, such as which memory address to load from and what value will be returned from memory.

The more powerful of the two side-channel attacks is named FLOP. It exploits a form of speculative execution implemented in the chips’ load value predictor (LVP), which predicts the contents of memory when they’re not immediately available. By inducing the LVP to forward values from malformed data, an attacker can read memory contents that would normally be off-limits. The attack can be leveraged to steal a target’s location history from Google Maps, inbox content from Proton Mail, and events stored in iCloud Calendar.

SLAP, meanwhile, abuses the load address predictor (LAP). Whereas LVP predicts the values of memory content, LAP predicts the memory locations where instruction data can be accessed. SLAP forces the LAP to predict the wrong memory addresses. Specifically, the value at an older load instruction’s predicted address is forwarded to younger arbitrary instructions. When Safari has one tab open on a targeted website such as Gmail, and another open tab on an attacker site, the latter can access sensitive strings of JavaScript code of the former, making it possible to read email contents.

“There are hardware and software measures to ensure that two open webpages are isolated from each other, preventing one of them from (maliciously) reading the other’s contents,” the researchers wrote on an informational site describing the attacks and hosting the academic papers for each one. “SLAP and FLOP break these protections, allowing attacker pages to read sensitive login-protected data from target webpages. In our work, we show that this data ranges from location history to credit card information.”

There are two reasons FLOP is more powerful than SLAP. The first is that it can read any memory address in the browser process’s address space. Second, it works against both Safari and Chrome. SLAP, by contrast, is limited to reading strings belonging to another webpage that are allocated adjacently to the attacker’s own strings. Further, it works only against Safari. The following Apple devices are affected by one or both of the attacks:

• All Mac laptops from 2022–present (MacBook Air, MacBook Pro)

• All Mac desktops from 2023–present (Mac Mini, iMac, Mac Studio, Mac Pro)

• All iPad Pro, Air, and Mini models from September 2021–present (Pro 6th and 7th generation, Air 6th gen., Mini 6th gen.)

• All iPhones from September 2021–present (All 13, 14, 15, and 16 models, SE 3rd gen.)

Attacking LVP with FLOP

After reverse-engineering the LVP, which was introduced in the M3 and A17 generations, the researchers found that it behaved unexpectedly. When it sees the same data value being repeatedly returned from memory for the same load instruction, it will try to predict the load’s outcome the next time the instruction is executed, “even if the memory accessed by the load now contains a completely different value!” the researchers explained. “Therefore, using the LVP, we can trick the CPU into computing on incorrect data values.” They continued:

“If the LVP guesses wrong, the CPU can perform arbitrary computations on incorrect data under speculative execution. This can cause critical checks in program logic for memory safety to be bypassed, opening attack surfaces for leaking secrets stored in memory. We demonstrate the LVP’s dangers by orchestrating these attacks on both the Safari and Chrome web browsers in the form of arbitrary memory read primitives, recovering location history, calendar events, and credit card information.”

FLOP requires a target to be logged in to a site such as Gmail or iCloud in one tab and the attacker site in another for a duration of five to 10 minutes. When the target uses Safari, FLOP sends the browser “training data” in the form of JavaScript to determine the computations needed. With those computations in hand, the attacker can then run code reserved for one data structure on another data structure. The result is a means to read chosen 64-bit addresses.

When a target moves the mouse pointer anywhere on the attacker webpage, FLOP opens the URL of the target page address in the same space allocated for the attacker site. To ensure that the data from the target site contains specific secrets of value to the attacker, FLOP relies on behavior in Apple’s WebKit browser engine that expands its heap at certain addresses and aligns memory addresses of data structures to multiples of 16 bytes. Overall, this reduces the entropy enough to brute-force guess 16-bit search spaces.

Illustration of FLOP attack recovering data from Google Maps Timeline (Top), a Proton Mail inbox (Middle), and iCloud Calendar (Bottom). Credit: Kim et al.

When a target browses with Chrome, FLOP targets internal data structures the browser uses to call WebAssembly functions. These structures first must vet the signature of each function. FLOP abuses the LVP in a way that allows the attacker to run functions with the wrong argument—for instance, a memory pointer rather than an integer. The end result is a mechanism for reading chosen memory addresses.

To enforce site isolation, Chrome allows two or more webpages to share address space only if their extended top-level domain and the prefix before this extension (for instance, www.square.com) are identical. This restriction prevents one Chrome process from rendering URLs with attacker.square.com and target.square.com, or as attacker.org and target.org. Chrome further restricts roughly 15,000 domains included in the public suffix list from sharing address space.

To bypass these rules, FLOP must meet three conditions:

  1. It cannot target any domain specified in the list, such that attacker.site.tld can share an address space with target.site.tld.
  2. The webpage must allow users to host their own JavaScript and WebAssembly on attacker.site.tld.
  3. The target.site.tld must render secrets.

Here, the researchers show how such an attack can steal credit card information stored on a user-created Square storefront such as storename.square.site. The attackers host malicious code on their own account located at attacker.square.site. When both are open, attacker.square.site inserts malicious JavaScript and WebAssembly into it. The researchers explained:

“This allows the attacker storefront to be co-rendered in Chrome with other store-front domains by calling window.open with their URLs, as demonstrated by prior work. One such domain is the customer accounts page, which shows the target user’s saved credit card information and address if they are authenticated into the target storefront. As such, we recover the page’s data.”

Left: UI elements from Square’s customer account page for a storefront. Right: Recovered last four credit card number digits, expiration date, and billing address via FLOP-Control. Credit: Kim et al.
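The grouping rule behind those three conditions can be sketched in a few lines. This is an added example, not code from the researchers or from Chrome: the function names are hypothetical, and the suffix set is a small constructed subset of the public suffix list in which, following the article's description, square.site does not appear.

```javascript
// Constructed subset of the public suffix list; the real list also has
// wildcard (*.) and exception (!) rules, which this sketch does not handle.
const PUBLIC_SUFFIXES = new Set(["com", "org", "site", "io", "co.uk", "github.io"]);

// Longest entry of the list that the host name ends with, or null.
function publicSuffix(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return null;
}

// Registrable domain (public suffix plus one label), the unit used for grouping.
function siteOf(host) {
  const suffix = publicSuffix(host);
  if (suffix === null) return null;
  const labels = host.toLowerCase().split(".");
  const suffixLen = suffix.split(".").length;
  if (labels.length <= suffixLen) return null; // host is itself a public suffix
  return labels.slice(labels.length - suffixLen - 1).join(".");
}

// True when both URLs have the same scheme and registrable domain, so a
// browser applying this rule may place them in one address space.
function mayShareAddressSpace(urlA, urlB) {
  const a = new URL(urlA), b = new URL(urlB);
  const siteA = siteOf(a.hostname), siteB = siteOf(b.hostname);
  return siteA !== null && siteA === siteB && a.protocol === b.protocol;
}

// Defender's check for a multi-tenant hosting domain: tenants are separated
// from each other only if the domain they hang off is itself a public suffix.
function tenantsAreSeparated(hostingDomain) {
  return PUBLIC_SUFFIXES.has(hostingDomain.toLowerCase());
}
```

For an operator of user-hosted storefronts or pages, the last check is the relevant one: a hosting domain that is a listed suffix puts each tenant subdomain in its own site.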

SLAPping LAP silly

SLAP abuses the LAP feature found in newer Apple silicon to perform a similar data-theft attack. By forcing LAP to predict the wrong memory address, SLAP can perform attacker-chosen computations on data stored in separate Safari processes. The researchers demonstrate how an unprivileged remote attacker can then recover secrets stored in Gmail, Amazon, and Reddit when the target is authenticated.

Top: Email subject and sender name shown as part of Gmail’s browser DOM. Bottom: Recovered strings from this page. Credit: Kim et al.

Top Left: A listing for coffee pods from Amazon’s ‘Buy Again’ page. Bottom Left: Recovered item name from Amazon. Top Right: A comment on a Reddit post. Bottom Right: the recovered text. Credit: Kim et al.

“The LAP can issue loads to addresses that have never been accessed architecturally and transiently forward the values to younger instructions in an unprecedentedly large window,” the researchers wrote. “We demonstrate that, despite their benefits to performance, LAPs open new attack surfaces that are exploitable in the real world by an adversary. That is, they allow broad out-of-bounds reads, disrupt control flow under speculation, disclose the ASLR slide, and even compromise the security of Safari.”

SLAP affects Apple CPUs starting with the M2/A15, which were the first to feature LAP. The researchers said that they suspect chips from other manufacturers also use LVP and LAP and may be vulnerable to similar attacks. They also said they don’t know if browsers such as Firefox are affected because they weren’t tested in the research.

An academic report for FLOP is scheduled to appear at the 2025 USENIX Security Symposium. The SLAP research will be presented at the 2025 IEEE Symposium on Security and Privacy. The researchers behind both papers are:

• Jason Kim, Georgia Institute of Technology

• Jalen Chuang, Georgia Institute of Technology

• Daniel Genkin, Georgia Institute of Technology

• Yuval Yarom, Ruhr University Bochum

The researchers published a list of mitigations they believe will address the vulnerabilities allowing both the FLOP and SLAP attacks. They said that Apple officials have indicated privately to them that they plan to release patches.

In an email, an Apple representative declined to say if any such plans exist. “We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these types of threats,” the spokesperson wrote. “Based on our analysis, we do not believe this issue poses an immediate risk to our users.”


Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Contact him on Signal at DanArs.82.


With iOS 18.3, Apple Intelligence is now on by default

As is custom, Apple rolled out software updates to all its platforms at once today. All users should now have access to the public releases of iOS 18.3, macOS Sequoia 15.3, watchOS 11.3, iPadOS 15.3, tvOS 15.3, and visionOS 2.3.

Also, as usual, the iOS update is the meatiest of the bunch. Most of the changes relate to Apple Intelligence, a suite of features built on deep learning models. The first Apple Intelligence features were introduced in iOS 18, with additional ones added in iOS 18.1 and iOS 18.2.

iOS 18.3 doesn’t add any significant new features to Apple Intelligence—instead, it tweaks what’s already there. Whereas Apple Intelligence was opt-in in previous OS versions, it is now on by default in iOS 18.3 on supported devices.

For the most part, that shouldn’t be a noticeable change for the majority of users, except for one thing: notification summaries. As we’ve reported, the feature that summarizes large batches of notifications using a large language model is hit-and-miss at best.

For most apps, not much has changed on that front, but Apple announced that with iOS 18.3, it’s temporarily disabling notification summaries for apps from the “News & Entertainment” category in light of criticisms by the BBC and others about how the feature was getting the substance of headlines wrong. The feature will still mess up summarizing your text messages and emails, though.

Apple says it has changed the presentation of summaries to make it clearer that they are distinct from other, non-AI generated summaries and that they are in beta and may be inaccurate.

Other updates include one to visual intelligence, a feature available on the most recent phones that gives you information on objects your camera is focused on. It can now identify more plants and animals, and you can create calendar events from flyers or posters seen in your viewfinder.


UK opens probe into Google’s and Apple’s mobile platforms

Last week, the CMA opened its first such case, reviewing Google’s dominance in search and advertising.

The CMA is already in the process of probing Google and Apple in a separate investigation into mobile web browsers and cloud gaming, which has provisionally found the two companies were “holding back competition” in browsers.

“Android’s openness has helped to expand choice, reduce prices, and democratize access to smartphones and apps. It’s the only example of a successful and viable open source mobile operating system,” said Oliver Bethell, Google’s senior director of competition.

“We favor a way forward that avoids stifling choice and opportunities for UK consumers and businesses alike, and without risk to UK growth prospects,” he added.

Apple, which says its app platform supports hundreds of thousands of UK jobs, said it would “continue to engage constructively” with the CMA.

“Apple believes in thriving and dynamic markets where innovation can flourish,” the company said. “We face competition in every segment and jurisdiction where we operate, and our focus is always the trust of our users.”

The CMA’s probe will add to the worldwide scrutiny that both companies are already facing over their dominance of the smartphone market.

Apple clashed with Brussels several times last year over the implementation of the Digital Markets Act, making changes to its platform after the European Commission accused the iPhone maker of failing to comply with its “online gatekeeper” rules.

If designated, the UK’s “strategic market status” lasts for a five-year period, and companies can be fined up to 10 percent of global turnover for breaching conduct rules.

© 2025 The Financial Times Ltd. All rights reserved. Not to be redistributed, copied, or modified in any way.
