Apple’s iPadOS 15 breaks the app barrier

The announcement of new iPad software at this year’s WWDC conference had an abnormally large expectation hung on it. The iPad lineup, especially the larger iPad Pro, has kept up an impressively frantic pace of hardware innovation over the past few years. In that same time frame, the software of the iPad, especially its ability to allow users to use multiple apps at once and in its onramps for professional software makers, has come under scrutiny for an apparently slower pace. 

This year’s announcements about iOS 15 and iPadOS 15 seemed designed to counter that narrative with the introduction of a broad number of quality of life improvements to multitasking as well as a suite of system-wide features that nearly all come complete with their own developer-facing APIs to build on. I had the chance to speak to Bob Borchers, Apple’s VP of Worldwide Product Marketing, and Sebastien (Seb) Mariners-Mes, VP, Intelligent System Experience at Apple about the release of iPadOS 15 to discuss a variety of these improvements. 

Mariners-Mes works on the team of Apple software SVP Craig Federighi and was pivotal in the development of this new version.

iPad has a bunch of new core features including SharePlay, Live Text, Focuses, Universal Control, on-device Siri processing and a new edition of Swift Playgrounds designed to be a prototyping tool. Among the most hotly anticipated for iPad Pro users, however, are improvements to Apple’s multitasking system. 

If you’ve been following along, you’ll know that the gesture-focused multitasking interface of iPadOS has had its share of critics, including me. Though it can be useful in the right circumstances, the un-discoverable gesture system and confusing hierarchy of the different kinds of combinations of apps made it a sort of floppy affair to utilize correctly for an apt user much less a beginner. 

Since the iPad stands alone as pretty much the only successful tablet device on the market, Apple has a unique position in the industry to determine what kinds of paradigms are established as standard. It’s a very unique opportunity to say, hey, this is what working on a device like this feels like; looks like; should be.

 

So I ask Borchers and Mariners-Mes to talk a little bit about multitasking. Specifically Apple’s philosophy in the design of multitasking on iPadOS 15 and the update from the old version, which required a lot of acrobatics of the finger and a strong sense of spatial awareness of objects hovering out off the edges of the screen. 

“I think you’ve got it,” Borchers says when I mention the spatial gymnastics, “but the way that we think about this is that the step forward and multitasking makes it easier to discover, easier to use, even more powerful. And, while pros I think were the ones who were using multitasking in the past, we really want to take it more broadly because we think there’s applicability to many, many folks. And that’s why the discovery and the ease of use I think were critical.”

“You had a great point there when you talked about the spatial model and one of our goals was to actually make the spatial model more explicit in the experience,” says Mariners-Mes, “where, for example, if you’ve got a split view, and you’re replacing one of the windows, we kind of open the curtain and tuck the other app to the side, you can see it — it’s not a hidden mental model, it’s one that’s very explicit.

“Another great example of it is when you go into the app switcher to reconfigure your windows, you’re actually doing drag and drop as you rearrange your new split views, or you dismiss apps and so on. So it’s not a hidden model, it’s one where we really try to reinforce a spatial model with an explicit one for the user through all of the animations and all of the kinds of affordances.”

Apple’s goal this time around, he says, was to add affordances for the user to understand that multitasking was even an option — like the small series of dots at the top of every app and window that now allows you to explicitly choose an available configuration, rather than the app-and-dock-juggling method of the past. He goes on to say that consistency was a key metric for them on this version of the OS. The appearance of Slide Over apps in the same switcher view as all other apps, for instance. Or the way that you can choose configurations of apps via the button, by drag and drop in the switcher and get the same results.

In the dashboard, Mariners-Mes says, “you get an at a glance view of all of the apps that you’re running and a full model of how you’re navigating that through the iPad’s interface.”

This ‘at a glance’ map of the system should be very welcome by advanced users. Even as a very aggressive Pro user myself, Slide Over apps became more of a nuisance than anything because I couldn’t keep track of how many were open and when to use them. The ability to combine them on the switcher itself is one of those things that Apple has wanted to get into the OS for years but is just now making its way onto iPads. Persistence of organization, really, was the critical problem to tackle.

“I think we believe strongly in building a mental model where people know where things are [on iPad],” says Mariners-Mes. “And I think you’re right when it comes to persistence I think it also applies to, for example, home screen. People have a very strong mental model of where things are in the home screen as well as all of the apps that they’ve configured. And so we try to maintain a well maintained that mental model, and also allow people to reorganize again in the switcher.”

He goes on to explain the new ‘shelf’ feature that displays every instance or window that an app has open within itself. They implemented this as a per-app feature rather than a system-wide feature, he says, because the association of that shelf with a particular app fit the overall mental model that they’re trying to build. The value of this shelf may jump into higher relief when more professional apps that may have a dozen documents or windows open at once and active during a project ship later this year.

Another nod to advanced users in iPadOS 15 is the rich keyboard shortcut set offered across the system. The interface can be navigated by arrow keys now, many advanced commands are there and you can even move around on an iPad using a game controller. 

“One of the key goals this year was to make basically everything in the system navigable from the keyboard,” says Mariners-Mes, “so that if you don’t want to, you don’t have to take your hands off the keyboard. All of the new multitasking affordances and features, you can do through the keyboard shortcuts. You’ve got the new keyboard shortcut menu bar where you can see all the shortcuts that are available. It’s great for discoverability. You can search them and we even, you know, and this is a subtle point, but we even made a very conscious effort to rationalize the shortcuts across Mac and iPadOS. So that if you’re using universal control, for example, you’re going to go from one environment to the other seamlessly. You want to ensure that consistency as you go across.”

The gestures, however, are staying as a nod to consistency for existing users that may be used to those. 

To me, one of the more interesting and potentially powerful developments is the introduction of the Center Window and its accompanying API. A handful of Apple apps like Mail, Notes and Messages now allow items to pop out into an overlapping window.

“It was a very deliberate decision on our part,” says Mariners-Mes about adding this new element. “This really brings a new level of productivity where you can have, you know, this floating window. You can have content behind it. You can seamlessly cut and paste. And that’s something that’s just not possible with the traditional [iPadOS] model. And we also really strive to make it consistent with the rest of multitasking where that center window can also become one of the windows in your split view, or full size, and then go back to being a center window. We think it’s a cool addition to the model and we really look forward to 3rd parties embracing it.”

Early reception of the look Apple gave at iPadOS 15 still has an element of reservation about it, given that many of the most powerful creative apps are made by third parties that must adopt these technologies in order for them to be truly useful. But Apple, Borchers says, is working hard to make sure that pro apps adopt as many of these new paradigms and technologies as possible, so that come fall, the iPad will feel like a more hospitable host for the kinds of advanced work pros want to do there.

One of the nods to this multi-modal universe that the iPad exists in is Universal Control. This new feature uses Bluetooth beaconing, peer-to-peer WiFi and the iPad’s touchpad support to allow you to place your devices close to one another and — in a clever use of reading user intent — slide your mouse to the edge of a screen and onto your Mac or iPad seamlessly. 

CUPERTINO, CALIFORNIA – June 7, 2021: Apple’s senior vice president of Software Engineering Craig Federighi showcases the ease of Universal Control, as seen in this still image from the keynote video of Apple’s Worldwide Developers Conference at Apple Park. (Photo Credit: Apple Inc.)

“I think what we have seen and observed from our users, both pro and otherwise, is that we have lots of people who have Macs and they have iPads, and they have other iPhones and we believe in making these things work together in ways that are powerful,” says Borchers. “And it just felt like a natural place to be able to go and extend our Continuity model so that you could make use of this incredible platform that is iPadOS while working with your Mac, right next to it. And I think the big challenge was, how do you do that in kind of a magical, simple way. And that’s what Seb and his team have been able to accomplish.”

“It really builds on the foundation we made with Continuity and Sidecar,” adds Mariners-Mes. “We really thought a lot about how do you make the experience — the set up experience — as seamless as possible. How do you discover that you’ve got devices side by side?

“The other thing we thought about was what are the workflows that people want to have and what capabilities that will be essential for that. That’s where things like the ability to seamlessly drag content across the platforms or cut and paste was we felt to be really, really important. Because I think that’s really what brings the magic to the experience.”

Borchers adds that it makes all the continuity features that much more discoverable. Continuity’s shared clipboard, for instance, is an always on but invisible presence. Expanding that to visual and mouse-driven models made some natural sense.

“It’s just like, oh, of course, I can drag that all the way across all the way across here,” he says.

“Bob, you say, of course,” Mariners-Mes laughs. “And yet for those of us working in platforms for a long time, the ‘of course’, is technically very, very challenging. Totally non obvious.”

Another area where iPadOS 15 is showing some promising expansionary behavior is in system-wide activities that allow you to break out of the box of in-app thinking. These include embedded recommendations that seed themselves into various apps, SharePlay, which makes an appearance wherever video calls are found and Live Text, which turns all of your photos into indexed archives searchable with a keyboard.

Another is Quick Note, a system extension that lets you swipe from the bottom corner of your screen wherever you are in the system.

“There are, I think a few interesting things that we did with Quick Note,” says Mariners-Mes. “One is this idea of linking. So, that if I’m working in Safari or Yelp or another app, I can quickly insert a link to whatever content I’m viewing. I don’t know about you, but it’s something that I certainly do a lot when I do research.

“The old way was, like, cut and paste and maybe take a screenshot, create a note and jot down some notes. And now we’ve made that very, very seamless and fluid across the whole system. It even works the other way where, if I’m now in Safari and I have a note that refers to that page in Safari, you’ll see it revealed as a thumbnail at the bottom of the screen’s right hand side. So, we’ve really tried to bring the notes experience to be something that just permeates the system and is easily accessible from everywhere.”

Many of the system-wide capabilities that Apple is introducing in iPadOS 15 and iOS 15 have an API that developers can tap into. That is not always the case with Apple’s newest toys, which in years past have often been left to linger in the private section of its list of frameworks rather than be offered to developers as a way to enhance their apps. Borchers says that this is an intentional move that offers a ‘broader foundation of intelligence’ across the entire system. 

This broader intelligence includes Siri moving a ton of commands to its local scope. This involved having to move a big chunk of Apple’s speech recognition to an on-device configuration in the new OS as well. The results, says Borchers, are a vastly improved day-to-day Siri experience, with many common commands executing immediately upon request — something that was a bit of a dice roll in days of Siri past. The removal of the reputational hit that Siri was taking from commands that went up to the cloud never to return could be the beginning of a turnaround for the public perception of Siri’s usefulness.

The on-device weaving of the intelligence provided by the Apple Neural Engine (ANE) also includes the indexing of text across photos in the entire system, past, present and in-the-moment.

“We could have done live text only in camera and photos, but we wanted it to apply to anywhere we’ve got images, whether it be in Safari or quick look or wherever,” says Mariners-Mes. “One of my favorite demos of live text is actually when you’ve got that long complicated field for a password for a Wi-Fi network. You can just actually bring it up within the keyboard and take a picture of it, get the text in it and copy and paste it into the field. It’s one of those things that’s just kind of magical.”

On the developer service front of iPadOS 15, I ask specifically about Swift Playgrounds, which add the ability to write, compile and ship apps on the App Store for the first time completely on iPad. It’s not the native Xcode some developers were hoping for, but, Borchers says, Playgrounds has moved beyond just ‘teaching people how to code’ and into a real part of many developer pipelines.

“I think one of the big insights here was that we also saw a number of kind of pro developers using it as a prototyping platform, and a way to be able to be on the bus, or in the park, or wherever if you wanted to get in and give something a try, this was super accessible and easy way to get there and could be a nice adjunct to hey, I want to learn to code.”

“If you’re a developer,” adds Mariners-Mes, “it’s actually more productive to be able to run that app on the device that you’re working on because you really get great fidelity. And with the open project format, you can go back and forth between Xcode and Playgrounds. So, as Bob said, we can really envision people using this for a lot of rapid prototyping on the go without having to bring along the rest of their development environment so we think it’s a really, really powerful addition to our development tools this year.”

Way back in 2018 I profiled a new team at Apple that was building out a testing apparatus that would help them to make sure they were addressing real-world use cases for flows of process that included machines like the (at the time un-revealed) new Mac Pro, iMacs, MacBooks and iPads. One of the demos that stood out at the time was a deep integration with music apps like Logic that would allow the input models of iPad to complement the core app. Tapping out a rhythm on a pad, brightening or adjusting sound more intuitively with the touch interface. More of Apple’s work these days seems to be aimed at allowing users to move seamlessly back and forth between its various computing platforms, taking advantage of the strengths of each (raw power, portability, touch, etc) to complement a workflow. A lot of iPadOS 15 appears to be geared this way.

Whether it will be enough to turn the corner on the perception of iPad as a work device that is being held back by software, I’ll reserve judgement until it ships later this year. But, in the near term, I am cautiously optimistic that this set of enhancements that break out of the ‘app box’, the clearer affordances for multitasking both in and out of single apps and the dedication to API support are pointing towards an expansionist mentality on the iPad software team. A good sign in general.

Malware caught using a macOS zero-day to secretly take screenshots

Almost exactly a month ago, researchers revealed a notorious malware family was exploiting a never-before-seen vulnerability that let it bypass macOS security defenses and run unimpeded. Now, some of the same researchers say another malware can sneak onto macOS systems, thanks to another vulnerability.

Jamf says it found evidence that the XCSSET malware was exploiting a vulnerability that allowed it access to parts of macOS that require permission — such as accessing the microphone, webcam, or recording the screen — without ever getting consent.

XCSSET was first discovered by Trend Micro in 2020 targeting Apple developers, specifically their Xcode projects that they use to code and build apps. By infecting those app development projects, developers unwittingly distribute the malware to their users, in what Trend Micro researchers described as a “supply-chain-like attack.” The malware is under continued development, with more recent variants of the malware also targeting Macs running the newer M1 chip.

Once the malware is running on a victim’s computer, it uses two zero-days — one to steal cookies from the Safari browser to get access to a victim’s online accounts, and another to quietly install a development version of Safari, allowing the attackers to modify and snoop on virtually any website.

But Jamf says the malware was exploiting a previously undiscovered third zero-day in order to secretly take screenshots of the victim’s screen.

macOS is supposed to ask the user for permission before it allows any app — malicious or otherwise — to record the screen, access the microphone or webcam, or open the user’s storage. But the malware bypassed that permissions prompt by sneaking in under the radar by injecting malicious code into legitimate apps.

Jamf researchers Jaron Bradley, Ferdous Saljooki, and Stuart Ashenbrenner explained in a blog post, shared with TechCrunch, that the malware searches for other apps on the victim’s computer that are frequently granted screen sharing permissions, like Zoom, WhatsApp, and Slack, and injects malicious screen recording code into those apps. This allows the malicious code to “piggyback” the legitimate app and inherit its permissions across macOS. Then, the malware signs the new app bundle with a new certificate to avoid getting flagged by macOS’ in-built security defenses.

The researchers said that the malware used the permissions prompt bypass “specifically for the purpose of taking screenshots of the user’s desktop,” but warned that it was not limited to screen recording. In other words, the bug could have been used to access the victim’s microphone, webcam, or capture their keystrokes, such as passwords or credit card numbers.
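A defender-side check for the re-signing step described above, as an added example that is not from Jamf, Apple or the original article: it parses `codesign -dvv` output captured from installed apps and flags bundles whose signer no longer matches a known baseline. The bundle identifiers, Team IDs and sample outputs are constructed, and the baseline table is an assumption a defender would fill in for their own fleet.

```python
# Constructed baseline: bundle identifier -> Team ID the vendor normally signs with.
EXPECTED_TEAM = {
    "com.example.meetings": "EXAMPLE001",
    "com.example.chat": "EXAMPLE002",
}

WANTED_KEYS = {"Executable", "Identifier", "TeamIdentifier", "Signature"}

# Constructed samples in the key=value layout that `codesign -dvv` prints.
SIGNED_BY_VENDOR = """Executable=/Applications/Meetings.app/Contents/MacOS/Meetings
Identifier=com.example.meetings
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Meetings Inc. (EXAMPLE001)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EXAMPLE001
"""

RESIGNED = """Executable=/Applications/Meetings.app/Contents/MacOS/Meetings
Identifier=com.example.meetings
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Unrelated Person (ZZZZ999999)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZ999999
"""

ADHOC = """Executable=/Applications/Meetings.app/Contents/MacOS/Meetings
Identifier=com.example.meetings
Format=app bundle with Mach-O thin (x86_64)
Signature=adhoc
TeamIdentifier=not set
"""


def parse_codesign(text):
    """Collect the signing fields we care about; other lines are ignored."""
    info = {"Authority": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["Authority"].append(value)
        elif key in WANTED_KEYS:
            info[key] = value
    return info


def assess(text, expected=EXPECTED_TEAM):
    """Return a list of findings for one bundle; an empty list means it matches the baseline."""
    info = parse_codesign(text)
    ident, team = info.get("Identifier"), info.get("TeamIdentifier")
    findings = []
    if info.get("Signature") == "adhoc":
        findings.append("ad-hoc signature")
    elif not info["Authority"]:
        findings.append("no signing authority")
    if ident not in expected:
        findings.append("identifier not in baseline")
    elif team != expected[ident]:
        findings.append(f"signer changed: expected {expected[ident]}, got {team}")
    return findings


def triage(reports, expected=EXPECTED_TEAM):
    """Map report name -> findings, keeping only bundles that deviate from the baseline."""
    flagged = {}
    for name, text in reports.items():
        findings = assess(text, expected)
        if findings:
            flagged[name] = findings
    return flagged


if __name__ == "__main__":
    reports = {"vendor": SIGNED_BY_VENDOR, "resigned": RESIGNED, "adhoc": ADHOC}
    for name, findings in triage(reports).items():
        print(name, "->", "; ".join(findings))
```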

It’s not clear how many Macs the malware was able to infect using this technique. But Apple confirmed to TechCrunch that it fixed the bug in macOS 11.4, which was made available as an update today.

Google unpauses privacy-focused changes to Chrome UA strings

Google is resuming work on reducing the granularity of information presented in user-agent strings on its Chrome browser, it said today — picking up an effort it put on pause last year, during the early days of the COVID-19 pandemic, when it said it wanted to avoid piling extra migration burden on the web ecosystem in the middle of a public health emergency.

The resumption of the move has implications for web developers as the changes to user-agent strings could break some existing infrastructure without updates to code. Google has, however, laid out a pretty generous-looking timeline of origin tests — and its blog post emphasizes that “no User-Agent string changes will be coming to the stable channel of Chrome in 2021”. So the changes certainly won’t ship before 2022.

The move, via development of its Chromium engine, to pare back user-agent strings to reduce their ability to be used to track users is related to Google’s overarching Privacy Sandbox plan — aka the stack of proposals it announced in 2019 — when it said it wanted to evolve web architecture by developing a set of open standards to “fundamentally enhance” web privacy.

Part of this move toward a more private default for Chromium is deprecating support for third party tracking cookies. Another part is Google’s proposed technological alternative for on-device ad-targeting of cohorts of users (aka FLoCs).

Cleaning up exploitable surface areas like fingerprintable user-agent strings is another component — and should be understood as part of the wider ‘hygiene’ drive required to deliver on the goals of Privacy Sandbox.

The latter remains a massive, tanker-turning effort, though.

And while there have been some suggestions Google could be ready to ship Privacy Sandbox in early 2022, given the timelines it’s allowing for origin tests of the changes to user-agent strings — a seven phase rollout, with two origin trials lasting at least six months apiece — that looks unlikely. (At least not for all the constituent parts of the Sandbox to ship.)

Indeed, back in 2019 Google was upfront that the changes it had in mind would not come overnight, saying then: “It’s going to be a multi-year journey”. Albeit in January 2020 it seemed to dial up at least part of the timeline, saying it wanted to phase out support for third party cookies within two years.

Still, Google can’t realistically deprecate tracking cookies without also shipping changes in browser standards that are needed to provide publishers and advertisers with alternative means to do ad targeting, measurement and fraud prevention. So any delay to elements of the Privacy Sandbox could have a knock-on impact on its ‘two-year’ timeline to end support for third party cookies. (And 2022 may well be the very earliest the shift could happen.)

There’s push and pull going on here, as Google’s effort to retool web infrastructure — and, more specifically, to change how web users and activity can and can’t be tracked — has massive implications for many other web users; most notably the adtech players and publishers whose businesses are deeply embedded in this tracking web.

Unsurprisingly, it has faced a lot of pushback from those sectors.

Its plan to end support for third party tracking cookies is also under regulatory scrutiny in Europe — where advertisers complained it’s an anti-competitive power move to block third parties’ access to user data while continuing to help itself to masses of first party user data (given its dominance of key Internet services). So depending on how regulators respond to ecosystem concerns Google may not be able to keep full control of the timeline, either.

Nonetheless, from a privacy perspective, Chrome paring back user-agent strings is a welcome — if overdue — move.

Indeed Google’s blog post notes that it’s the laggard vs similar efforts already undertaken by the web engines underlying Apple’s Safari browser and Mozilla’s Firefox.

“As noted in the User Agent Client Hints explainer, the User Agent string presents challenges for two reasons. Firstly, it passively exposes quite a lot of information about the browser for every HTTP request that may be used for fingerprinting,” Google writes, fleshing out its rationale for the change. “Secondly, it has grown in length and complexity over the years and encourages error-prone string parsing. We believe the User Agent Client Hints API solves both of these problems in a more developer- and user-friendly manner.”

Commenting on the development, Dr Lukasz Olejnik, an independent consultant and security and privacy researcher who has advised the W3C on technical architecture and standards, describes the incoming change as “a great privacy improvement”.

“The user-agent change will reduce entropy and so reduce identifiability,” he told TechCrunch. “I view it as a great privacy improvement because considering IP address and the UA string at the same time is highly identifying. UAs are not exactly simplified in Firefox/Safari in the way Chrome suggests doing them.”

Google’s blog post notes that its UA plan was “designed with backwards compatibility in mind”, and seeks to reassure developers — adding that: “While any changes to the User Agent string need to be managed carefully, we expect minimal friction for developers as we roll this out (i.e., existing parsers should continue to operate as expected).

“If your site, service, library or application relies on certain bits of information being present in the User Agent string such as Chrome minor version, OS version number, or Android device model, you will need to begin the migration to use the User Agent Client Hints API instead,” it goes on. “If you don’t require any of these, then no changes are required and things should continue to operate as they have to date.”

Despite Google’s reassurances, Olejnik suggested some web developers could still be caught on the hop — if they fail to take note of the development and don’t make the necessary updates to their code in time.

“Web developers may be concerned as certain libraries or backend systems depend on the strict UA string existing as today,” he noted, adding: “Things may stop working as intended. This might be a sudden and surprising breakage. But the actual impact at a scale is unpredictable.”
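The migration Google describes, sketched server-side as an added example (not Google's code and not from the original article): prefer the User Agent Client Hints request headers for the three details the quote names, and fall back to string parsing, which yields only the major version once the string is reduced. The sample requests are constructed; the `Accept-CH` value is what a server would send to opt in to the high-entropy hints.

```python
import re

# Response header a server sends to request the high-entropy hints; Chrome sends
# only Sec-CH-UA, Sec-CH-UA-Mobile and Sec-CH-UA-Platform by default.
ACCEPT_CH = "Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform-Version, Sec-CH-UA-Model"

BRAND_RE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*;\s*v="([^"]*)"')
CHROME_RE = re.compile(r"\bChrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Constructed sample requests.
HINTED = {
    "User-Agent": "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/93.0.0.0 Mobile Safari/537.36",
    "Sec-CH-UA": '"Chromium";v="93", " Not A;Brand";v="99", "Google Chrome";v="93"',
    "Sec-CH-UA-Mobile": "?1",
    "Sec-CH-UA-Platform": '"Android"',
    "Sec-CH-UA-Full-Version-List": '"Chromium";v="93.0.4577.62", '
                                   '" Not A;Brand";v="99.0.0.0", "Google Chrome";v="93.0.4577.62"',
    "Sec-CH-UA-Platform-Version": '"11.0.0"',
    "Sec-CH-UA-Model": '"Pixel 5"',
}
LEGACY = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                        "(KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36"}
REDUCED = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                         "(KHTML, like Gecko) Chrome/93.0.0.0 Safari/537.36"}


def parse_brand_list(value):
    """Parse a Sec-CH-UA style list into [(brand, version), ...]."""
    return BRAND_RE.findall(value or "")


def pick_brand(pairs):
    """Drop the deliberately bogus GREASE entry and prefer a specific brand over 'Chromium'."""
    real = [(b, v) for b, v in pairs
            if "notabrand" not in re.sub(r"[^a-z]", "", b.lower())]
    specific = [p for p in real if p[0] != "Chromium"]
    return (specific or real or [(None, None)])[0]


def unquote(value):
    """Strip the double quotes of a structured-header string; None stays None."""
    if value is None:
        return None
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def describe_client(headers):
    """Return browser details, using client hints when present, else the UA string."""
    h = {k.lower(): v for k, v in headers.items()}
    if "sec-ch-ua" in h:
        brand, major = pick_brand(parse_brand_list(h["sec-ch-ua"]))
        _, full = pick_brand(parse_brand_list(h.get("sec-ch-ua-full-version-list")))
        return {
            "source": "client-hints",
            "brand": brand,
            "major": int(major) if major and major.isdigit() else None,
            "full_version": full,
            "platform": unquote(h.get("sec-ch-ua-platform")),
            "platform_version": unquote(h.get("sec-ch-ua-platform-version")),
            "model": unquote(h.get("sec-ch-ua-model")) or None,
            "mobile": h.get("sec-ch-ua-mobile", "").strip() == "?1",
        }
    match = CHROME_RE.search(h.get("user-agent", ""))
    if not match:
        return {"source": "unknown", "brand": None, "major": None, "full_version": None}
    # A reduced string zeroes minor, build and patch, so no full version can be recovered.
    reduced = match.groups()[1:] == ("0", "0", "0")
    return {
        "source": "user-agent",
        "brand": "Chrome",
        "major": int(match.group(1)),
        "full_version": None if reduced else ".".join(match.groups()),
    }


if __name__ == "__main__":
    for name, request in (("hinted", HINTED), ("legacy", LEGACY), ("reduced", REDUCED)):
        print(name, describe_client(request))
```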

Apple releases iPhone, iPad, Watch security patch for zero-day bug under active attack

Apple has released an update for iPhones, iPads and Watches to patch a security vulnerability under active attack by hackers.

The security update lands as iOS 14.4.2 and iPadOS 14.4.2, which also covers a patch to older devices as iOS 12.5.2. watchOS also updates to 7.3.3.

Apple said the vulnerability, discovered by security researchers at Google’s Project Zero, may have been “actively exploited” by hackers. The bug is found in WebKit, the browser engine that powers the Safari browser across all Apple devices.

It’s not known who is actively exploiting the vulnerabilities, or who might have fallen victim. Apple did not say if the attack was targeted against a small subset of users or if it was a wider attack. It’s the third time (by our count) that Apple has pushed out a security-only update this year to fix flaws under active attack. Earlier this month the company released patches for similar vulnerabilities in WebKit.

Update today.

Apple releases important iPhone, iPad, Mac and Watch security patches

Apple has released a set of security updates for iPhones, iPads, Macs and Watches. There are no new features — but these are updates you will still want to install.

As part of these security fixes, iPhones and iPads will update to iOS and iPadOS 14.4.1, watchOS users will update to 7.3.2 and macOS Big Sur will update to 11.2.3. Those on older versions of macOS can install the latest version of Safari, bumping the version to 14.0.3.

Apple says these are “important” security updates and are “recommended for all users.”

These patches fix the same vulnerability — a memory corruption bug in WebKit, the engine that powers Apple’s Safari browser. The bug can be triggered by visiting a malicious web page containing code that can exploit the vulnerability. Once exploited, an attacker can run malicious code on the affected Apple device.

The bugs were reported by Google and Microsoft, but are not believed to be actively exploited by malicious hackers unlike recent security flaws.

Last month, Apple pushed out iOS 14.4 to fix three WebKit vulnerabilities that were being “actively exploited.” The vulnerabilities were chained together to break into the underlying iPhone software.

If you haven’t already, update today.

Apple launches an iCloud Passwords extension for Chrome users on Windows

Apple has introduced an iCloud Passwords Chrome extension that will make life easier for those who use both Windows computers and other Apple devices, like a MacBook or an iPhone. The new browser extension lets you access the passwords you saved in Safari on your other Apple devices, then use them within Chrome when you’re on a Windows PC.

You can also save any new passwords you create in Chrome to your iCloud keychain, so it’s synced across your Apple devices.

Image Credits: Apple

Apple didn’t formally announce the new feature, but reports of an iCloud Passwords extension had already been referenced in the release notes of the new iCloud for Windows 10 (ver 12), which arrived at the end of January. After the update, a “Passwords” section appeared in the app designated by the iCloud Keychain logo. This directed users to download the new extension, but the link was broken, as the extension was not yet live.

That changed on Sunday, according to a report from 9to5Google, which found the new Chrome add-on had been published to the Chrome Web Store late on Sunday evening. Now, when Windows users access the new Passwords section, the dialog box that prompts the download will properly function.

Once installed, Chrome users on Windows will be able to access any passwords they saved or allowed iCloud Keychain to securely generate for them within Safari for macOS or iOS. Meanwhile, as Windows users create new credentials, these, too, will be synced to their iCloud Keychain so they can later be pulled up on Mac, iPhone, and iPad devices, when needed.

This is the first Chrome extension to support iCloud Keychain on Windows, as before Apple had only offered an iCloud Bookmarks tool for older Windows 7 and 8 PCs, which reached over 7 million users.


Some users who have tried the extension are reporting problems, but it seems that’s related to their PCs not having been first updated to iCloud for Windows 12.0, which is a prerequisite for the new extension to work.

Though Apple typically locks users into its own platforms, it has slowly expanded some of its services to Windows and even Android, where it makes sense. Today, Apple offers its entertainment apps like Apple Music and Apple TV on other platforms, including Android, and has launched Apple TV on its media player rival, Amazon Fire TV, among others. And 9to5Mac notes that Apple appears to be working to bring Music and Podcasts to the Microsoft Store in the future, as well.

Apple says iOS 14.4 fixes three security bugs ‘actively exploited’ by hackers

Apple has released iOS 14.4 with security fixes for three vulnerabilities, said to be under active attack by hackers.

The technology giant said in its security update pages for iOS and iPadOS 14.4 that the three bugs affecting iPhones and iPads “may have been actively exploited.” Details of the vulnerabilities are scarce, and an Apple spokesperson declined to comment beyond what’s in the advisory.

It’s not known who is actively exploiting the vulnerabilities, or who might have fallen victim. Apple did not say if the attack was targeted against a small subset of users or if it was a wider attack. Apple granted anonymity to the individual who submitted the bug, the advisory said.

Two of the bugs were found in WebKit, the browser engine that powers the Safari browser, and the Kernel, the core of the operating system. Some successful exploits use sets of vulnerabilities chained together, rather than a single flaw. It’s not uncommon for attackers to first target vulnerabilities in a device’s browsers as a way to get access to the underlying operating system.

Apple said additional details would be available soon, but did not say when.

It’s a rare admission by Apple, which prides itself on its security image, that its customers might be under active attack by hackers.

In 2019, Google security researchers found a number of malicious websites laced with code that quietly hacked into victims’ iPhones. TechCrunch revealed that the attack was part of an operation, likely by the Chinese government, to spy on Uyghur Muslims. In response, Apple disputed some of Google’s findings in an equally rare public statement, for which Apple faced more criticism for underplaying the severity of the attack.

Last month, internet watchdog Citizen Lab found dozens of journalists had their iPhones hacked with a previously unknown vulnerability to install spyware developed by Israel-based NSO Group.

In the absence of details, iPhone and iPad users should update to iOS 14.4 as soon as possible.

Apple will let you port Google Chrome extensions to Safari

Apple unveiled macOS 11 Big Sur earlier this week and talked about some of the improvements for Safari. In addition to native extensions, Apple is adding support for web extensions. It’s going to make it much easier to port an existing extension from Chrome, Firefox or Edge.

The company shared more details about how it’s going to work in a WWDC session. Safari already supports extensions, but if you’re using Safari, you know that there aren’t a ton of extensions out there.

On iOS and macOS, you can install content blockers and apps that feature a share extension. Content blockers let you provide a list of content to block when you load web pages, such as trackers and ads.

Share extensions let you add features in the share menu in Safari. For instance, Pocket or Instapaper take advantage of share extensions to run JavaScript on a web page and return the result to the app.

On macOS, developers can also take advantage of app extensions. 1Password uses that to integrate its password manager with Safari.

“These are great if you’re a native app developer already familiar with Swift or Objective-C,” Safari engineer Ellie Epskamp-Hunt said.

Other browsers have taken a different approach. They leverage web technologies, such as JavaScript, HTML and CSS. That’s why Apple is adding another type of extension with Safari Web Extensions.

Like other Safari extensions, web extensions designed for Safari are packaged with native apps. It means that developers will submit extensions to the App Store. Users will download an app that comes with an extension. The app doesn’t have to do anything; it can just be a placeholder.

Apple is shipping an extension converter to let you port your extension quickly. When you run it, it’ll tell you if everything is going to work as expected. You can then package it in an Xcode project, sign it and submit it to the App Store.

Some extensions require a ton of permissions. They can essentially view all web pages you visit. That’s why Apple lets you restrict extensions to some websites, or just the active tab. You can also choose to activate an extension for a day so that it doesn’t remain active forever.

The user will get a warning sign the first time an extension tries to access a site and there will be a big warning banner in Safari settings before you activate an extension that can access all your browsing data.
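
The all-sites access described above is declared in the extension's manifest, so it can be checked before an extension is installed or ported. This added example (not Apple's converter and not code from the article) audits a WebExtension manifest for match patterns that cover every host; the function names and both sample manifests are constructed for illustration.

```javascript
// Added example: flag WebExtension manifest entries that grant access to every site.
// Match patterns that cover all hosts (standard WebExtension match-pattern syntax).
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Host access is written as "scheme://host/path" or the literal "<all_urls>";
// anything else in a permissions list (e.g. "storage") is an API permission.
function isHostPattern(entry) {
  return entry === "<all_urls>" || /^(\*|https?|wss?|ftp|file):\/\//.test(entry);
}

function isBroad(pattern) {
  if (BROAD_PATTERNS.has(pattern)) return true;
  const m = /^[^:]+:\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[1] === "*"; // host part is a bare wildcard
}

function auditManifest(manifest) {
  const findings = [];
  const check = (where, list) => {
    for (const entry of list || []) {
      if (typeof entry === "string" && isHostPattern(entry) && isBroad(entry)) {
        findings.push({ where, pattern: entry });
      }
    }
  };
  check("permissions", manifest.permissions);            // Manifest V2 host patterns
  check("host_permissions", manifest.host_permissions);  // Manifest V3 host patterns
  check("optional_permissions", manifest.optional_permissions);
  (manifest.content_scripts || []).forEach((cs, i) =>
    check(`content_scripts[${i}].matches`, cs.matches));
  // "activeTab" grants access only to the current tab after a user gesture.
  const usesActiveTab = (manifest.permissions || []).includes("activeTab");
  return { findings, usesActiveTab, allSites: findings.length > 0 };
}

// Constructed sample: an extension that can read every page the user visits.
const broadManifest = {
  manifest_version: 2,
  name: "Constructed page reader",
  permissions: ["storage", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};

// Constructed sample: the same idea limited to the active tab and one domain.
const narrowManifest = {
  manifest_version: 2,
  name: "Constructed page reader (scoped)",
  permissions: ["storage", "activeTab", "https://*.example.com/*"],
};
```

An extension that reports `allSites: true` is the kind that triggers the all-browsing-data warning the article describes.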

This change could potentially mean that there will be a lot more extensions for Safari in the future. Many Chrome users don’t want to leave Chrome because they can’t find the same extensions. If developers choose to port their extensions to Safari, Apple could convince more users to switch to Safari.

Browsers are interesting again

A few years ago, covering browsers got boring.

Chrome had clearly won the desktop, the great JavaScript speed wars were over and Mozilla seemed more interested in building a mobile operating system than its browser. Microsoft tried its best to rescue Internet Explorer/Edge from being the punchline of nerdy jokes, but its efforts essentially failed.

Meanwhile, Opera had shuttered the development of its own rendering engine and redesigned its browser with less functionality, alienating many of its biggest fans. On mobile, plenty of niche players tried to break the Chrome/Safari duopoly, but while they did have some innovative ideas, nothing ever stuck.

But over the course of the last year or so, things changed. The main catalyst for this, I would argue, is that the major browser vendors — and we can argue about Google’s role here — realized that their products were at the forefront of a new online privacy movement. It’s the browser, after all, that allows marketers to set cookies and fingerprint your machine to track you across the web.

Add to that Microsoft’s move to the Chromium engine, which is finally giving Microsoft a seat at the browser table again, plus the success of upstarts like Brave and Vivaldi, and you’ve got the right mix of competitive pressure and customer interest for innovation to come back into what was a stagnant field only a few years ago.

Let’s talk about privacy first. With browsers being the first line of defense, it’s maybe surprising that we didn’t see Mozilla and others push for more built-in tracking protections before.

In 2019, the Chrome team introduced handling cookies in the browser and a few months ago, it launched a broader initiative to completely rethink cookies and online privacy for its users — and by extension, Google’s advertising ecosystem. This move centers around differential privacy and a ‘privacy budget’ that would allow advertisers to get enough information about you to group you into a larger cohort without providing so much information that you would lose your anonymity.

At the time, Google said this was a multi-year effort that was meant to help publishers retain their advertising revenue (vs their users completely blocking cookies).

iOS 13: Here are the new security and privacy features you need to know

It’s finally here.

Apple’s new iOS 13, the thirteenth major iteration of its popular iPhone software, is out to download. We took iOS 13 for a spin with a focus on the new security and privacy features to see what’s new and how it all works.

Here’s what you need to know.

You’ll start to see reminders about apps that track your location

Ever wonder which apps track your location? Wonder no more. iOS 13 periodically reminds you about apps that are tracking your location in the background. Every so often it will tell you how many times an app has tracked where you’ve been in a recent period of time, along with a small map of the location points. From this screen you can “always allow” the app to track your location or have the option to limit the tracking.

You can grant an app your location just once

To give you more control over what data apps have access to, iOS 13 now lets you give apps access to your location just once. Previously there was “always,” “never” or “while using,” meaning an app could be collecting your real-time location as you’re using it. Now you can grant an app access on a per-use basis — particularly helpful for the privacy-minded folks.

And apps wanting access to Bluetooth can be declined access

Apps wanting to access Bluetooth will also ask for your consent. Although apps can use Bluetooth to connect to gadgets, like fitness bands and watches, Bluetooth-enabled tracking devices known as beacons can be used to monitor your whereabouts. These beacons are found everywhere — from stores to shopping malls. They can grab your device’s unique Bluetooth identifier and track your physical location between places, building up a picture of where you go and what you do — often for targeting you with ads. Blocking Bluetooth connections from apps that clearly don’t need it will help protect your privacy.

Find My gets a new name — and offline tracking

Find My, the new app name for locating your friends and lost devices, now comes with offline tracking. If you lost your laptop, you’d rely on its last Wi-Fi connected location. Now it broadcasts its location using Bluetooth, which is securely uploaded to Apple’s servers using nearby cellular-connected iPhones and other Apple devices. The location data is cryptographically scrambled and anonymized to prevent anyone other than the device owner — including Apple — from tracking your lost devices.

Your apps will no longer be able to snoop on your contacts’ notes

Another area that Apple is trying to button down is your contacts. Apps have to ask for your permission before they can access your contacts. But in doing so they were also able to access the personal notes you wrote on each contact, like their home alarm code or a PIN number for phone banking, for example. Now, apps will no longer be able to see what’s in each “notes” field in a user’s contacts.

Sign In With Apple lets you use a fake relay email address

This is one of the cooler features coming soon — Apple’s new sign-in option allows users to sign in to apps and services with one tap, and without having to turn over any sensitive or private information. Any app that requires a sign-in option must use Sign In With Apple as an option. In doing so users can choose to share their email with the app maker, or choose a private “relay” email, which hides a user’s real email address so the app only sees a unique Apple-generated email instead. Apple says it doesn’t collect users’ data, making it a more privacy-minded solution. It works across all devices, including Android devices and websites.

You can silence unknown callers

Here’s one way you can cut down on disruptive spam calls: iOS 13 will let you send unknown callers straight to voicemail. Anyone who’s not in your contacts list will be considered an unknown caller.

You can strip location metadata from your photos

Every time you take a photo your iPhone stores the precise location of where the photo was taken as metadata in the photo file. But that can reveal sensitive or private locations — such as your home or office — if you share those photos on social media or other platforms, many of which don’t strip the data when they’re uploaded. Now you can. With a few taps, you can remove the location data from a photo before sharing it.

And Safari gets better anti-tracking features

Apple continues to advance its new anti-tracking technologies in its native Safari browser, like preventing cross-site tracking and browser fingerprinting. These features make it far more difficult for ads to track users across the web. iOS 13 has its cross-site tracking technology enabled by default so users are protected from the very beginning.

First published on July 19 and updated with iOS 13’s launch. 
