Start up: sneaking iOS apps, spoofing Spotify, CIA director gets hacked, and more


One of these is probably chewing up your battery by playing silent audio (on Android too). But which? Photo by microsiervos on Flickr.

You can now sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 9 links for you. Like champagne for the mind! Perhaps. I’m charlesarthur on Twitter. Observations and links welcome.

iOS apps caught using private APIs » SourceDNA

Nate Lawson and team:

we noticed that these functions were all part of a common codebase, the Youmi advertising SDK from China.

We then associated the clusters of this SDK’s code with the release dates of the apps that contain them to see how it has evolved over time. The older versions do not call private APIs, so the 142 apps that have them are ok. But almost two years ago, we believe the Youmi developers began experimenting with obfuscating a call to get the frontmost app name.

Once they were able to get this through App Review, they probably became more confident they weren’t being detected and added the above behaviors in order. They also use the same obfuscation to hide calls to retrieve the advertising ID, which is allowable for tracking ad clicks, but they may be using it for other purposes since they went to the trouble to obfuscate this. The latest version of the Youmi SDK (v5.3.0), published a month ago, still gathers all the above information.

Apple has been locking down private APIs, including blocking apps from reading the platform serial number in iOS 8. Youmi worked around this by enumerating peripheral devices, such as the battery system, and sending those serial numbers as a hardware identifier.

Find out now! Just select your developer accounts from a list, and we’ll tell you what we found about your apps. We’ll also show the commercial and open-source code you’re using and alert you to future issues we find.

We found 256 apps (est. total of 1 million downloads) that have one of the versions of Youmi that violates user privacy. Most of the developers are located in China. We believe the developers of these apps aren’t aware of this since the SDK is delivered in binary form, obfuscated, and user info is uploaded to Youmi’s server, not the app’s. We recommend developers stop using this SDK until this code is removed.

Apple’s yanking the apps. Developer? Check it here. It’s always China, isn’t it? But nothing to stop apps from other countries doing the same.
link to this extract
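The extract above turns on one detail: App Review (and scanners like SourceDNA's) look for the names of private selectors and symbols in the app binary, and an SDK that assembles those names at runtime leaves nothing for a literal string scan to find. The following is an added illustration, not SourceDNA's scanner and not the Youmi SDK's code: the "binary" is a constructed byte blob standing in for an app's string table, the three watchlist selector names are hypothetical, and single-byte XOR is one illustrative encoding, not a claim about what Youmi actually did. It shows the naive scan missing the hidden selector and a cheap counter that recovers it.

```python
"""Added example, not SourceDNA's scanner or the Youmi SDK's code.

Why a literal string scan of an app binary for private-API selectors can be
defeated by cheap obfuscation, and one counter a scanner can add.
The binary is a constructed byte blob, the watchlist names are hypothetical,
and single-byte XOR is one illustrative encoding, not Youmi's actual method.
"""
from __future__ import annotations

# Hypothetical selector names a scanner might watch for (constructed).
WATCHLIST = [
    b"_frontmostApplicationName",
    b"_advertisingIdentifierRaw",
    b"_peripheralSerialNumber",
]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; the same call undoes it."""
    return bytes(b ^ key for b in data)


def build_binary() -> bytes:
    """Constructed stand-in for an app's string table: benign strings, one
    watched selector stored in clear, one stored XOR-encoded so that a grep
    for the literal name never sees it (key 0x5A is an assumption)."""
    benign = [b"viewDidLoad", b"setFrame:", b"https://example.invalid/ads", b"UIApplication"]
    hidden = xor_bytes(b"_peripheralSerialNumber", 0x5A)
    parts = benign[:2] + [b"_frontmostApplicationName"] + benign[2:] + [hidden]
    return b"\x00".join(parts) + b"\x00"


def naive_scan(blob: bytes) -> set[bytes]:
    """What a literal string scan finds: only selectors stored in clear."""
    return {name for name in WATCHLIST if name in blob}


def encoded_scan(blob: bytes) -> dict[bytes, int]:
    """Re-scan the blob under every single-byte XOR key.
    Returns {selector: key}; key 0 means the selector was in clear text."""
    hits: dict[bytes, int] = {}
    for key in range(256):
        view = xor_bytes(blob, key)
        for name in WATCHLIST:
            if name not in hits and name in view:
                hits[name] = key
    return hits


if __name__ == "__main__":
    blob = build_binary()
    print("literal scan :", naive_scan(blob))
    print("xor-aware scan:", encoded_scan(blob))
```

A real scanner would work on the Mach-O `__objc_methname` and `__cstring` sections rather than the whole file, and a selector built from several fragments at runtime, or looked up via `NSSelectorFromString` or `dlsym` with a computed string, defeats string matching altogether; that is the kind of case where correlating an SDK's code across many apps and versions, as the extract describes, does work where grep does not.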


The background data and battery usage of Facebook’s iOS app » MacStories

Federico Viticci:

With iOS 9’s improved energy consumption stats, it’s easier to guess one of the various tricks Facebook may be employing to stay active in the background and drain battery. On my girlfriend’s iPhone, for instance, iOS 9 reports 5 hours of on-screen usage for the last 7 days, and another 11 hours of background audio usage with Background App Refresh turned off.

My guess is that Facebook is hijacking audio sessions on iOS by keeping silent audio in the background whenever a video plays in the app. And because, by default, videos on Facebook auto-play on both Wi-Fi and Cellular and few people ever bother to turn it off, that means there’s a high chance the Facebook app will always find a way to play a video, keep audio in the background, and consume energy to perform background tasks. I’m not alone in noticing the mysterious “Facebook audio” background consumption, and video auto-play seems to me the most likely explanation at this point. I don’t know if turning off auto-play may fix the problem, but I’d recommend doing that anyway to save data.

Un-fricking-believable. The web is suddenly alive with people who have used iOS 9’s better battery monitoring system and discovered that Facebook is eating their battery like nobody’s business.

More discussion here, and a full-on Medium post, which shows Facebook using 3.4hrs in the background with background app refresh turned off.

Just delete it and use the mobile site instead: navigate there, add a home screen icon for it, and close the tab when you’re done.
link to this extract


Microsoft announces price of 1TB Surface Book — $500 more than the top 13-inch MacBook Pro » GeekWire

James Risley:

The top-of-the-line 1TB Surface Book comes with 16GB RAM and a Core Intel i7 processor for a cool $3,199, $500 more than the fully tricked out 13-inch MacBook Pro, and the same price as the fully enhanced, much larger 15-inch option. The Surface Book does have a few more tricks up its sleeve than the MacBook Pro, including a touchscreen, removable keyboard and a 360-degree hinge, so the price difference isn’t without reason.

The 1TB option joins the lineup that starts at $1,499 for a 128GB Core i5 version. Microsoft isn’t offering many fine-grained customizations for its first laptop, like allowing for more RAM on its 128GB model, but most models look adequately powerful for the everyday user.

“Everyday user”? Wasn’t the point of the Surface Book that it was for some slightly mythical ultra-user? As for the touchscreen and removable keyboard… the case for the touchscreen is still pretty weak for the “everyday user”.
link to this extract


Teen says he hacked CIA director’s AOL account » New York Post

Philip Messing, Jamie Schram and Bruce Golding:

Hillary Rodham Clinton’s email scandal didn’t stop the head of the CIA from using his own personal AOL account to stash work-related documents, according to a high school student who claims to have hacked into them.

CIA Director John Brennan’s private account held sensitive files — including his 47-page application for top-secret security clearance — until he recently learned that it had been infiltrated, the hacker told The Post.

Other emails stored in Brennan’s non-government account contained the Social Security numbers and personal information of more than a dozen top American intelligence officials, as well as a government letter about the use of “harsh interrogation techniques” on terrorism suspects, according to the hacker.

The FBI and other federal agencies are now investigating the hacker, with one source saying criminal charges are possible, law enforcement sources said.

The hacker is getting investigated for criminal charges? Brennan is the one who ought to be prosecuted. If a kid in high school could do this, any Chinese or Russian hacker would have.
link to this extract


Why it’s OK to block ads » Practical Ethics

James Williams:

Think about the websites, apps, or communications platforms you use most. What behavioral metric do you think they’re trying to maximize in their design of your attentional environment? I mean, what do you think is actually on the dashboards in their weekly product design meetings?

Whatever metric you think they’re nudging you toward—how do you know? Wouldn’t you like to know? Why shouldn’t you know? Isn’t there an entire realm of transparency and corporate responsibility going undemanded here?

I’ll give you a hint, though: it’s probably not any of the goals you have for yourself. Your goals are things like “spend more time with the kids,” “learn to play the zither,” “lose twenty pounds by summer,” “finish my degree,” etc. Your time is scarce, and you know it.

Your technologies, on the other hand, are trying to maximize goals like “Time on Site,” “Number of Video Views,” “Number of Pageviews,” and so on. Hence clickbait, hence auto-playing videos, hence avalanches of notifications. Your time is scarce, and your technologies know it.

But these design goals are petty and perverse. They don’t recognize our humanity because they don’t bother to ask about it in the first place.

Neatly argued, by stepping right back from the debate as framed by the ad industry.
link to this extract


I built a botnet that could destroy Spotify with fake listens » Motherboard

William Bedell:

I decided to prototype a robot with an endless appetite for music to see if Spotify could detect what it was doing.

Here is what I coded into life:

Image: William Bedell
First, a remote server used browser automation to sign up for Spotify accounts with randomly generated names, ages, and email addresses. This gave me a limitless supply of accounts to stream songs, so as not to alert Spotify by having a handful of users with inhuman amounts of activity.

A central command server periodically sent out Spotify login credentials to cloud servers (or repurposed personal computers) running dozens of Spotify clients, all masked behind virtual private networks. Each “user” logged in, listened to a few hours of music, then logged out. Their playlists were random selections from various artists I like. Then, I deployed the botnet using a patchwork of free cloud instances and my own hardware.

It was mesmerizing to watch the plays rack up. Unknown albums from minor celebrities I adore suddenly had tens of thousands of hits, where before they had virtually none. With minimal effort, I was generating $32.26 per day in royalties. Inevitably, my thoughts wandered to greed: how profitable would this music royalty factory be if I turned it on music I owned the rights to?

link to this extract
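Bedell’s bot leaves a fairly distinctive footprint: a batch of freshly created accounts, each streaming a few hours of the same little-known artists. The block below is an added example of a heuristic a streaming service could run over its play log to surface exactly that pattern; it is not Bedell’s bot and not Spotify’s detection logic. The log lines are constructed, and the thresholds (a 7-day window for “new” accounts, a 30-second minimum for a play to count, 80% shares) are assumptions chosen for the example.

```python
"""Added example, not William Bedell's bot or Spotify's fraud detection.

A heuristic over a play log that surfaces the pattern in the article: many
freshly created accounts streaming the same little-known artists.
Log lines are constructed; thresholds are assumptions for the example.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import date

NEW_ACCOUNT_DAYS = 7         # account is "new" if created this close to the play
MIN_PLAYS = 5                # too few plays to judge an artist either way
ARTIST_NEW_SHARE = 0.8       # flag an artist when this share of plays is from new accounts
ACCOUNT_FLAGGED_SHARE = 0.8  # flag a new account when this share of its plays hit flagged artists
MIN_SECONDS = 30             # assumed minimum play length for a stream to count


def build_log() -> list[str]:
    """Constructed log: played_on,account,account_created,artist,track,seconds."""
    lines = []
    for i in range(6):  # six bot accounts, all created two days before they play
        acct = f"bot{i:02d}"
        lines.append(f"2015-10-12,{acct},2015-10-10,obscure_band,Track A,211")
        lines.append(f"2015-10-12,{acct},2015-10-10,obscure_band,Track B,198")
        lines.append(f"2015-10-12,{acct},2015-10-10,minor_celeb,Single,242")
    for acct, created in (("alice", "2013-04-02"), ("bob", "2014-11-17"), ("carol", "2012-06-30")):
        lines.append(f"2015-10-12,{acct},{created},big_artist,Hit 1,190")
        lines.append(f"2015-10-12,{acct},{created},big_artist,Hit 2,205")
    lines.append("2015-10-12,alice,2013-04-02,obscure_band,Track A,211")  # a genuine fan
    lines.append("2015-10-12,bob,2014-11-17,minor_celeb,Single,12")       # too short to count
    return lines


def parse(lines: list[str]) -> list[dict]:
    """Split the CSV lines and drop plays too short to count as a stream."""
    plays = []
    for line in lines:
        played, acct, created, artist, track, secs = line.split(",")
        if int(secs) < MIN_SECONDS:
            continue
        plays.append({"played": date.fromisoformat(played), "account": acct,
                      "created": date.fromisoformat(created), "artist": artist, "track": track})
    return plays


def is_new(play: dict) -> bool:
    return (play["played"] - play["created"]).days <= NEW_ACCOUNT_DAYS


def flag_artists(plays: list[dict]) -> dict[str, float]:
    """Artists whose plays come overwhelmingly from new accounts -> {artist: new share}."""
    total, new = Counter(), Counter()
    for p in plays:
        total[p["artist"]] += 1
        if is_new(p):
            new[p["artist"]] += 1
    return {a: new[a] / total[a] for a in total
            if total[a] >= MIN_PLAYS and new[a] / total[a] >= ARTIST_NEW_SHARE}


def flag_accounts(plays: list[dict], suspicious_artists: dict[str, float]) -> set[str]:
    """New accounts whose listening is concentrated on the flagged artists."""
    by_account = defaultdict(list)
    for p in plays:
        by_account[p["account"]].append(p)
    flagged = set()
    for acct, ps in by_account.items():
        if not all(is_new(p) for p in ps):  # long-lived accounts are not this pattern
            continue
        share = sum(p["artist"] in suspicious_artists for p in ps) / len(ps)
        if share >= ACCOUNT_FLAGGED_SHARE:
            flagged.add(acct)
    return flagged


def detect(lines: list[str]) -> tuple[dict[str, float], set[str]]:
    plays = parse(lines)
    artists = flag_artists(plays)
    return artists, flag_accounts(plays, artists)


if __name__ == "__main__":
    artists, accounts = detect(build_log())
    print("suspicious artists:", artists)
    print("suspicious accounts:", sorted(accounts))
```

The two-pass shape matters: flagging accounts by volume alone misses a bot that spreads plays over a limitless supply of fresh accounts, as the extract describes, while flagging artists by the age of their audience catches the cluster even when each account looks tame; holding back royalties for flagged artist/account pairs until review is then a policy decision rather than a detection one.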


Intel has 1,000 people working on chips for the iPhone » VentureBeat

Mark Sullivan:

Intel now has a thousand people or more working to outfit a 2016 iPhone with its lauded 7360 LTE modem chip, sources say. If all goes well, Intel may end up providing both the modem and the fabrication for a new Apple system on a chip.

Sources close to the matter say Intel is pulling out the stops to supply the modems for at least some of the iPhones Apple manufactures in 2016. This phone will likely be the iPhone 7. VentureBeat was the first to report on the two companies’ work together, and more pieces are falling into place as the project progresses and grows.

Apple may dual-source the LTE modems in its new iPhones from both Intel and Qualcomm. Today, Qualcomm’s 9X45 LTE chip is baked into all iPhone modems.

This story makes one go “hmm..” right up to the point where it talks about dual-sourcing. Then it suddenly makes perfect sense: Apple would look to play the two off against each other, as with CPU supply.
link to this extract


E.U. rule change could be big headache for small businesses » Advertising Age

Kate Kaye:

“I think everybody was hoping [the ECJ] wouldn’t [rule against Safe Harbour], but we were kind of expecting them to rule it this way,” said Acxiom Chief Privacy Officer Jennifer Glasgow. But, she said, “This is not going to disrupt a lot of data flow today or tomorrow or next week.”

The Safe Harbor compact has helped streamline the data flow for more than 4,000 companies including data brokers, ad technology firms and ecommerce companies among others for 15 years. But alarmed by Edward Snowden’s revelations, the E.U. court decided the agreement is not strong enough to protect Europeans’ privacy, including against U.S. spies.

Most large firms handling massive amounts of data such as Google, Facebook and Amazon should already have other legal contracts in place, including previous agreements guiding heavily-regulated health and financial data, that should allow them to continue data transfer as usual. Smaller marketers and data vendors won’t be so lucky, which could have ripple effects throughout the marketing ecosystem.

Correction: the ECJ wasn’t “alarmed” by the revelations; it made a judgement in the light of those revelations about whether EU law could still be applied to data transferred to the US under Safe Harbour.

What’s weird is how people are acting as though this won’t make a difference. If you’re not allowed to transfer data to US-owned servers on the basis that it might be rifled through by the US government, how can it not? (Of course, everyone would be howling for safety if these were Chinese-owned servers and companies; witness the US administration’s lockout of China’s Huawei from communications contracts.)
link to this extract


The secrets of a billionaire’s blood-testing startup » The New Yorker

Eric Lach:

Part of the Theranos story is the tension between commerce, science, and secrecy. Ken Auletta explored this tension in the magazine late last year, in his December profile of Holmes. For most of its existence, Auletta wrote, Theranos has “operated with a stealth common to many Silicon Valley startups.” The company has published little data in peer-reviewed journals describing its devices or its test results, and it has kept the workings of its technology a closely guarded secret. Holmes herself prefers speaking about the coming revolution that her company will bring rather than the specifics of the technology itself.

Holmes and the company say this is normal, that Theranos is only trying to protect itself and its trade secrets while it creates something new. The company says that it has taken steps to get its tests approved by the F.D.A. But there are many who say that health-care technology can’t be afforded the same hushed reception as a new model of the iPhone. “Science is peer-reviewed,” Lakshman Ramamurthy, a former F.D.A. official and a vice-president at the consulting company Avalere Health, said, reacting to the Journal article this week.

Of course, Holmes could be a billionaire, or a zeroinaire, depending how things pan out over the next few months.

What the WSJ story also shows (by its impact, and the puzzled followups) is how little understanding there is of biotech among most journalists. Science journalists tend to shy away from it because it involves business, and business journalists aren’t good at figuring out what questions to ask experts about the science.
link to this extract

