Good Reads for July, 2017
Every month, we’ll be bringing you a selection of meticulously memorised, if slightly longer, reads about the wonderful world of Apple. Sometimes they’ll be a comprehensive explanation of why ARKit is a big deal, or the latest breakdown of what made news in the Apple blogosphere recently. Other times, they’ll be an extremely technical read on a recent vulnerability that affected millions of iOS devices up until a few weeks ago. All I know is, bring your own Instapaper account, because this is Good Reads.
- While recent news has focused on Apple’s removal of VPN apps from the Chinese App Store, none of this is particularly new. People have been talking about Apple’s “walled garden” for as long as the App Store has been around, and Motherboard writes about the long and storied history of Apple removing “objectionable content” from the App Store. All of this is true, of course, as is the statement that with more than nine years of the App Store, we haven’t seen any widespread malware threats.
Each day, Apple is tasked with a near-impossible job: keeping its sprawling App Store free from malware, blatantly offensive content, and spam. In order to do it, the company requires each of the App Store’s roughly two million apps, from iFart to Twitter, to undergo an extensive approval process.
- 1Password found themselves in hot water this past month, after a change in business model found them sudden unpopularity. Going from the widely-lauded password manager to the red-headed stepchild of the Apple community with just one blog post, it’s pretty clear that 1Password want you to use their cloud-based subscription service. But what kind of technical implications does that have on the security of your passwords? Over at Medium, Kenn White breaks it down. Is this all just an overblown misunderstanding from a few mixed messages? You be the judge.
I made a comment on Twitter that seems to have blown up, and the misinformation that followed has been staggering. In the hundreds of comments & questions that followed and the dozens of sub-threads, it became obvious that Twitter was a really lousy medium for this kind of conversation. So, for the record, here’s my story.
- Vendors fixing CVEs in software releases happens all the time, and Apple is no exception. July’s iOS 10.3.3 release fixed a particularly nasty one, with CVE-2017-9417 being a remote code vulnerability affecting the Broadcom Wi-Fi chipset used in the iPhone 5 and later, iPad 4th generation and later, and the 6th generation iPod touch. Nitay Artenstein of Exodus Intelligence has a highly technical explanation of how an attacker could arbitrarily run code on your device when you’re in range of a compromised Wi-Fi network without being connected. Broadpwn is pretty scary stuff.
This research is an attempt to demonstrate what such an attack, and such a bug, will look like. Broadpwn is a fully remote attack against Broadcom’s BCM43xx family of WiFi chipsets, which allows for code execution on the main application processor in both Android and iOS. It is based on an unusually powerful 0-day that allowed us to leverage it into a reliable, fully remote exploit.
- I’m used up all of my inverted quotes for the week, and we’ve gotten through all the doom and gloom stories, so it must be time for something a little more upbeat. Ars Technica’s report on the state of Mac gaming has high hopes for the future, what with the VR features of macOS High Sierra and the Metal 2 graphics API. It remains to be seen whether Mac gaming will ever become a true competitor to PC or consoles, but with meagre software support and hardware improving all the time, it’s entirely possible that one day your gaming PC will be a Mac.
Gaming on a Mac may look more appealing than ever thanks to the introduction and gradual improvement of Apple’s relatively new Metal graphics API and a better-than-ever-before install base. On top of that, discrete Mac graphics processors have just seen some of their biggest boosts in recent years, VR support is on the way, and external GPU enclosures promise previously impossible upgradeability.