iOS

iOS 8’s predictive QuickType keyboard found to suggest parts of your passwords [updated]

QuickType, Apple's new predictive keyboard featured on the iPhone, iPod touch and iPad devices running iOS 8, is reportedly plagued with a potentially dangerous oversight where the software would suggest parts of your passwords that you previously used on websites, as first reported by French-language blog iGen.fr [Google Translate].

A new thread on Apple's Support Communities website includes a note by one user who reported the keyboard offering “OrangeJuice” as a suggestion each time he would type in “AppleUser” because QuickType remembered the “OrangeJuice!2” password he previously used to log in to Outlook Web App.

Apple reportedly patches Find My iPhone vulnerability to hack Apple ID accounts

According to The Next Web this morning, Apple has allegedly patched a security hole in the Find My iPhone service which allowed nefarious users to brute-force Apple ID passwords, according to Twitter user @hackappcom who posted a proof of concept titled 'iBrute' to GitHub on Saturday.

This should be good news for celebrities who reported their iCloud accounts being hacked and saw their nude pictures posted online.

As Cody told you yesterday, Academy Award winner Jennifer Lawrence and several other celebrities found themselves in the middle of a major nude photo leak after attackers apparently exploited a vulnerability in Apple’s Find My iPhone service.

AdThief malware found infecting 75,000 jailbroken devices

Security researcher Axelle Apvrille recently published a paper about AdThief, a malware aimed at hijacking ad revenue from a reportedly 75,000 infected devices. First discovered in March 2014, and also known as "spad," the malware, which comes disguised as a Cydia Substrate extension, was found to replace the publisher ID of publishers with the one of the malware creator, effectively attributing all ad revenue to him.

iOS 8 lets native apps tap into Safari’s AutoFill & Passwords for frictionless login experience

In addition to using your device’s iSight camera to scan in credit card information, Safari in iOS 8 makes it easy for third-party apps to tap into the browser's AutoFill & Passwords feature for hassle-free logins.

Provided a user has previously saved their username and password for a specific website using Safari's AutoFill & Passwords feature, a native iOS app is now permitted to retrieve this information and re-use it to authorize a user quickly and securely, bypassing the login screen altogether...

PayPal integrating Touch ID into its iOS app

A year ago, PayPal CISO Michael Barrett spelled doom for existing verification methods based on passwords and expressed hope that the then unreleased iPhone 5s would kill the password once and for all. As it turned out, Apple limited the handset's fingerprint scanner to iTunes purchases and user authentication on the Lock screen.

But with the iOS 8 SDK now official, Apple has opened up Touch ID to developers and PayPal is first out of the gate with the official confirmation that it is working on integrating Touch ID authentication into its mobile apps...

iOS bug leaves email attachments unencrypted, Apple working on a fix

Do you access sensitive document attachments on your iPhone, iPod touch or iPad, stuff like contracts, invoices, bank statements and what not?

If so, your security and privacy could be compromised because iOS is storing email attachments in the clear - that is, in the unencrypted form - thus making stored attachments easily readable by using a piece of software to browse a person's on-device email folder for an IMAP account.

A researcher who claims to have discovered this security flaw has found that iOS 7.0.4 and later - including the latest iOS 7.1.1 - do not encrypt email attachments...

iOS, OS X and key iCloud services not affected by Heartbleed, Apple confirms

If you've as much as glanced at what's your inbox lately, chances are you've encountered messages in which your favorite apps and services announce emergency password resets in the wake of Heartbleed, a nasty bug that's attacking millions of websites. And unless you've been sleeping under a rock for the past week, you must be aware by now that a shockingly high number of websites are at risk.

The latest security scare stems from a devastating flaw in the OpenSSL software many websites use to authorize login sessions and encrypt and transmit user data. Long story short, the exploit allows attackers to easily scoop up the website’s encryption keys, passwords and user content, prompting tons of emergency password resets by some of the Internet's most popular services.

But what about your Apple ID? Have the keys to your account in the Apple cloud been compromised? How about iCloud or the App Store? According to an Apple spokesperson, its iOS and OS X platforms are protected against Heartbleed. Do I hear a collective sigh of relief?

Apple credits iOS 7.1 security changes to evad3rs and other jailbreak community members

Following the release of the first major iOS 7.1 software update earlier today, Apple has now updated contents of the support document which outlines security updates for its products with a link to this newly created document describing iOS 7.1 security improvements.

In it, Apple credits prominent members of the jailbreak community such as evad3rs, the team behind the evasi0n jailbreak, as well as Google and others who reported issues and helped contribute toward the security changes within iOS 7.1...

An in-depth look at how Touch ID, A7, and Secure Enclave boost iOS security

We know quite a lot about the iPhone 5s's fingerprint scanner, Touch ID. The advanced sensor works seamlessly and learns more about your prints over time so it continues to expand your fingerprint map as additional overlapping nodes are identified with each use.

It can match prints in any orientation, unless your fingers are greasy or wet, or there's some dirt or debris on the Home button. There's a 1 in 50,000 chance of a successful random match with someone else’s print, which is much better than the 1 in 10,000 odds of guessing a typical four-digit passcode.

The Touch ID sensor doesn't store actual fingerprint images and instead creates an encrypted profile of your print and stores it on a module on the A7 processor called the Secure Enclave that's walled off from the rest of the system.

After five unsuccessful fingerprint match attempts, or after every restart, the system asks for your passcode  so that hackers can’t stall for time. These are pretty much key pieces of information on Touch ID that was made public since its inception.

Today, Apple updated its iOS Security white paper [PDF download] with a few previously unknown specifics relating to how Touch ID works side by side with the A7 chip and its Secure Enclave portion to detect a fingerprint match in a highly secure manner. The document also details other security safeguards Apple put in place to prevent tampering with fingerprint data...

Following SSL vulnerability scare, iOS 7.0.6 hits 13.3 percent adoption in 48 hours

Now that Apple has fixed that nasty SSL bug across iOS devices, Macs and the Apple TV, the question arises as to how many active iPhone, iPod touch and iPad users are safe by running the latest iOS 7.0.6 software, which patches the dangerous vulnerability.

According to a new survey by Chitika, in 48 hours about 13.3 percent of North American users were on iOS 7.0.6. "More than two full days since Apple pushed the fix live, 13.3 percent of iOS traffic is driven by the latest update," the firm wrote.

Apple traditionally sees the strongest firmware adoption of any mobile platform because software updates are not dependent on carriers' good will and on-device alerts prompt users when a software update goes live, so the adoption rate should increase exponentially in the coming days and weeks...

New iOS security flaw discovered that allows covert keylogging

While the dust is far from settled on the nasty SSL bug found in iOS last week, a new security flaw in the mobile OS has been brought to light. The new flaw makes it possible for attackers to covertly log every touch a user makes, including keyboard and Touch ID presses.

Researchers at security firm FireEye made the discovery, saying in a blog post that the gap exists within iOS' multitasking feature that allows for the background monitoring, and it can be exploited via a malicious app install or remotely via a separate app vulnerability...

Timing of SSL bug fuels conspiracy theories about Apple and the NSA

By now you've probably already heard about the SSL bug that was discovered in iOS and OS X. Apple pushed an iOS update out on Friday to fix it, and it didn't sound like a big deal at the time, but we have since learned that it is an extremely serious security flaw.

The flaw leaves Apple devices open to what's called a man-in-the-middle attack, in where a malicious program poses as a trusted website to intercept communications or inject malware. And its existence has fueled conspiracy theories about Apple and the NSA...