A study by Duo Labs looking at a series of name-brand PC makers revealed that their bundled software "is making us vulnerable and invading our privacy."
"Updaters are an obvious target for a network attacker, this is a no-brainer," wrote Duo Labs researcher Darren Kemp. "There have been plenty of attacks published against updaters and package management tools in the past, so we can expect OEM's to learn from this, right?
"Spoiler: we broke all of them."Every vendor shipped with a preinstalled updater that had at least one vulnerability resulting in arbitrary remote code execution as SYSTEM
Kemp noted that an analysis of Windows 10 notebooks from Acer, Asus, Dell, HP and Lenovo found that "every vendor shipped with a preinstalled updater that had at least one vulnerability resulting in arbitrary remote code execution as SYSTEM, allowing for a complete compromise of the affected machine."
He added, "the level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant - meaning, trivial."
Even without third-party partners adding their own poorly designed bloatware, Microsoft's own Windows 10 was found to keep connecting to Microsoft's servers and sending unknown data even after users enabled its data privacy settings.
Lenovo scrambles to save its sloppy security record
China's Lenovo—the largest producer of both Windows PCs and Android smartphones—responded to the report by issuing a security advisory that "recommends customers uninstall Lenovo Accelerator Application by going to the 'Apps and Features' application in Windows 10, selecting Lenovo Accelerator Application and clicking on 'Uninstall.'"
One of the components of the Lenovo Accelerator Application is UpdateAgent, which Duo Labs had called "one of the worst updaters" due to the fact that it pings Lenovo's servers for new updates every ten minutes.
Because there is "no verification or encryption protecting the transmission of updates, it's trivial for an attacker to insert malicious code," noted a report by ThreatPost.
Duo Labs researcher Mikhail Davidov noted of UpdateAgent, "It was unclear at the time of discovery what its legitimate use was for," adding that "Lenovo's decision to advise users to uninstall it manually seems strange to me, as an update can be pushed to all affected models to uninstall itself without requiring user interaction."
ThreatPost added, "These issues are not unique to Lenovo. All of the vendors' machines Duo Labs examined had similar flaws around a lack of encryption, privilege escalation and remote code execution vulnerabilities. Of those vendors who did encrypt the transmission of updates, for example, some were either poorly implemented or failed to include proper validation checks."
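As an added example (not code from Duo Labs or from any of the vendors named above), the following Go program shows the client-side checks whose absence the report describes: a manifest signed under a pinned vendor Ed25519 key, a version check that refuses rollback to a replayed older manifest, and a digest check on the downloaded payload before anything is executed. The key pair, the manifest format and the installer bytes are constructed here for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what an update server hands the client: the version on offer
// and the SHA-256 of the installer it points at. (Constructed format.)
type Manifest struct {
	Version uint64
	Sha256  string // hex-encoded digest of the installer bytes
}

// Encode returns the canonical bytes the vendor signs. The signature must
// cover exactly the fields the client later acts on, in a fixed encoding.
func (m Manifest) Encode() []byte {
	return []byte(fmt.Sprintf("v=%d;sha256=%s", m.Version, m.Sha256))
}

// NewVendorKeys stands in for the vendor's signing key pair: the private
// half lives on the build system, the public half is pinned in the updater.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// PublishUpdate is the server side: hash the installer, describe it in a
// manifest and sign the manifest.
func PublishUpdate(priv ed25519.PrivateKey, version uint64, installer []byte) (Manifest, []byte) {
	sum := sha256.Sum256(installer)
	m := Manifest{Version: version, Sha256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.Encode())
}

// VerifyUpdate is the client-side gate the report found missing. It refuses
// to run anything unless (1) the manifest verifies under the pinned key,
// (2) the offered version is newer than the installed one, so a replayed
// old signed manifest is rejected, and (3) the downloaded bytes match the
// digest the signature covers. Transport encryption alone gives none of
// these: TLS protects the wire, not a swapped file behind it.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig []byte, installed uint64, payload []byte) error {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	if m.Version <= installed {
		return errors.New("offered version is not newer: possible rollback")
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.Sha256 {
		return errors.New("payload digest mismatch: refusing to execute")
	}
	return nil
}

func main() {
	pub, priv := NewVendorKeys()
	installer := []byte("constructed installer bytes")
	m, sig := PublishUpdate(priv, 2, installer)
	fmt.Println("genuine:", VerifyUpdate(pub, m, sig, 1, installer))
	// A payload substituted on the network path under the genuine manifest.
	fmt.Println("swapped:", VerifyUpdate(pub, m, sig, 1, []byte("other binary")))
	// The same manifest replayed to a machine already on version 2.
	fmt.Println("rollback:", VerifyUpdate(pub, m, sig, 2, installer))
}
```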
One year after Lenovo's Superfish scandal
Last year, Lenovo was discovered to have bundled Superfish adware on its notebook computers, software that was designed to hijack users' browser sessions to inject customized advertisements but had the side effect of seriously degrading the security of encrypted connections.
To inject ads into pages fetched over encrypted HTTPS connections, Superfish installed its own self-signed root certificate on the Lenovo machines. Pages loaded over HTTPS were then presented to the browser under that certificate rather than the site owner's actual certificate, allowing Superfish to decrypt the contents without the user knowing.
Bank of America's website being signed with a Superfish certificate, as noticed by Google security engineer Chris Palmer
Lenovo responded by saying it would stop sending ads to Superfish-tainted machines and stop installing Superfish on its new Windows PCs, but did nothing to solve the actual problem Superfish created for users.
The company effectively blew off the findings of researchers by claiming in a statement that it "thoroughly investigated this technology and do not find any evidence to substantiate security concerns."
Windows, like Android, endangered by hardware partners' malice or incompetence
The fact that top-tier PC makers are all bundling their own poorly designed software with Windows, introducing easy-to-exploit security vulnerabilities, has a clear parallel on Android, where hardware vendors routinely bundle not just buggy software updaters but often purposely disable the security settings that protect devices from installing apps from malicious third-party sources, and in some cases install security backdoors.
A 2014 study by Bluebox Labs tested a dozen Black Friday bargain Android tablets from major retailers including Amazon, Best Buy, Kmart, Kohl's, Staples, Target and Walmart and reported "shocking" security flaws, malware and active backdoors installed on the new devices.
These flaws are on top of issues that affect the Android OS itself, which have included vulnerabilities such as Masterkey, FakeID and Stagefright.
Security is a key issue for Apple
While Google's chairman Eric Schmidt boasted to the media in 2014 that "our systems are far more secure and encrypted than anyone else, including Apple," groups that take privacy and security seriously, like the Electronic Frontier Foundation, have recommended Apple's messaging products for their end-to-end encryption while cautioning that Google did not provide similar security for its users.
Last November, Chris Soghoian, the principal technologist for the American Civil Liberties Union, went even further, stating that Apple's efforts to protect the privacy of its users, including end-to-end encryption of their communications, effectively separated its more affluent iOS users from the poor and disadvantaged forced to use Android.
"The security people I know at Google are embarrassed by Android," Soghoian noted.
Both Android devices and Windows PCs have a wide variety of over-the-counter spyware tools and privacy exploits that are easy for even amateurs to find, while even tools sold to law enforcement (including FinSpy, above, from global surveillance firm Gamma Group) note that they won't work on iPhones and other iOS devices unless their security has been jailbroken by the user.
Apple has doubled down on security and privacy as key features of its Mac and iOS platforms. Additionally, without any commercial interest in collecting user data for marketing purposes, Apple is in a unique position to defend user privacy and security.
Last summer, Apple introduced WebKit Content Blockers as a secure new App Extension to enable developers to create tools that filter out any web content, including display ads and user tracking.
The company is likely to outline further new initiatives in security and user privacy at its Worldwide Developer Conference to be held in San Francisco the week after next.
Of all the different ways to get your fix of news, RSS has persisted. RSS, for the uninitiated, stands for Rich Site Summary. It is a way to deliver content that is constantly changing, which is why it is perfect for news sites and blogs. It packages all their content into easily digestible feeds that can be organized and read through any number of RSS reader apps. We will help you search through the best ones available on the App Store.
To tackle the challenge of finding the best RSS app, we took a look at what features we would deem most important. To start, we looked at whether you could add RSS feeds yourself, or whether you needed an account of some sort (like Feedbin or Feedly). Sharing is also extremely important for news stories. That's why we prioritized both saving options for yourself and external sharing options to send to others. Lastly, we looked at the reading experience: how are the typography, the cleanliness of the app, readability, and the UI configurability options?
Apple launched its News app in iOS 9, which I admit is a great option for the casual user, but there is plenty of content coming in through RSS that you may want to do more with, such as organizing it, grouping it, or marking articles as read. So if you are interested in upgrading your existing RSS reader, or getting into one for the first time, read on.
Reeder 3
Reeder 3 RSS App Screenshots
Reeder is a very popular RSS app and has been for some time. It is currently on its 3rd major version, which includes some great features. On the Home screen you have many options to get started, including services like Feedly, Feedbag, Feed Wrangler, etc. It even supports Read Later services like Readability and Instapaper. Lastly, it also supports raw RSS: you can easily add your own feed and put it on the same footing as all the other options.
When browsing your feeds, it breaks them into 3 views: starred, unread, and all. This makes it easy to sort and see what's new. There is also a wealth of customization for the UI. You can alter the background color between 4 shades, including a night mode and a sepia-like paper color. You can adjust the font itself, as well as the size. This is the most customization offered amongst all our apps.
The other big thing Reeder has going for it is the healthy list of sharing options. I doubt there is an option here you are looking for and won’t find. When I’m reading through news, sharing is something I do all of the time, and this makes it easy to save for myself, to something like Safari’s Reading List, Twitter, Messages, or anything in the iOS Share Sheet.
Device Support: iPad, iPhone
Sharing Options: The most sharing services of all our options
Notable Features: All encompassing list of sharing options. Many customization options for the UI including background colors and fonts.
Cost: $4.99
Unread
Unread RSS App Screenshots
Unread is probably the best looking app. For the casual user, this may be the best option. It offers a free mode that limits the number of articles you read. This is nice, because if you don't use it all the time, you can get nearly all the premium features for free.
The app is quick and simple, but the biggest problem is you can’t simply add an RSS feed. It does require you to use an account of some sort. Your options are Feed Wrangler, Feedbag, Feedly, Fever, or Newsblur. Some of these names sounding familiar yet?
While it is unfortunate you can't add an RSS feed without an account, it isn't a huge deal. Those accounts often offer major benefits, but it is another step to go through. When adding an account, it was a nice touch that they built in 1Password integration, which is always appreciated. I added my Feedly account, and it easily broke it down into unread, all, and saved, as well as any categories and subscriptions I had.
Gestures are really great here as well. When you are in an article you can swipe left to right to go back a page, right to left to open a contextual menu, or bottom to top to go to the next post or article. The contextual menu that appears from the right allows you to save an article or mark it as unread. This keeps the reading view nice and clean without any menus to clutter it. You can also view in your browser, change the theme, and share from the menu too.
A downside could be the lack of customization, but I easily forgive this fault. The app looks great as is, but if you do want to change it up, you can enter readability mode, or change to one of the 7 themes available. Unfortunately, those themes (including a night mode) are limited to the premium mode.
Device Support: iPad, iPhone
Sharing Options: iOS Share Sheet
Notable Features: Clean, minimalistic, gorgeous UI with no clutter while reading. Easy intuitive gestures.
Cost: Free (Pro $4.99 via in app purchase)
Mr. Reader
Mr Reader RSS App Screenshots
Unfortunately, Mr. Reader is iPad only. That may knock it off the list for many people. But if you read on your iPad, stick around, because this app is great. It offers a hearty supply of syncing services (AOL Reader, Feedly, Feed Wrangler, to start), and plenty of sharing options. This may actually have the most as far as sharing options go.
You can post to Tumblr, add to a link shortener, open with 12 different browsers, and use a handful of 3rd-party apps such as Hootsuite, or search Wikipedia.
Themes look great on Mr. Reader, and several are available. There are simple ones that make reading enjoyable, and night mode ones that are great for evenings.
You can change the toolbar position, set a preferred view mode, and change the font family and size, and there is a built-in tag system. You can also file your feeds away into different groups or folders. There is even more to be done inside the settings themselves.
Device Support: iPad
Sharing Options: 12 browsers, many 3rd party apps, and syncing services
Notable Features: iPad only, but extensive sharing and integrations
Cost: $3.99
Newsify
Newsify RSS App Screenshots
If you like to read your news in a format that's akin to a newspaper, then you may really enjoy Newsify. It takes any of its prepopulated options, or any RSS feed you fancy, and turns it into a view that looks similar to a newspaper. It groups items into a grid with a little bit of text or a headline and an accompanying image.
When viewing an article, you get a navigation bar on top, as well as a toolbar on the bottom. On the bottom you can quickly mark an item as unread, save it for later, or share it. If you don't like the newspaper-styled layout, you can opt for a straight list option, but what fun is that?
Swiping to the right opens a menu on the left that shows all items, unread, or saved, as well as all your sources. It shows the last time it fetched for new articles down on the bottom. This is also how you get to settings. There are actually many options here for customizing, including a unique “Auto Night Mode” that comes in very handy. Otherwise, many options for font, size, and order.
You have lots of different sharing options which is always nice to see. Lots of services like Pocket, Evernote, or Instapaper. These special services aside, you have the old iOS Share Sheet standby with even more choices.
My biggest complaint is the banner ads. They look especially bad in night mode, where they are still blindingly white. If you upgrade to premium you can ditch them for a $2.99 a month IAP. Premium gives you full text search, no ads, automatic full text, and more images.
Device Support: iPad, iPhone, & Apple Watch
Sharing Options: The most sharing services of all our options
Notable Features: Unique newspaper-esque layout. Auto night mode comes in handy without having to manually change anything.
Cost: Free (IAP to remove ads, and to upgrade to premium $2.99/month)
Feedly
Feedly RSS App screenshots
Feedly has been mentioned several times so far in this post. It is two separate things. It is a service, that syncs your RSS articles between your devices and browsers, as well as giving you a built-in discovery section to find more feeds to follow. It is also an app that allows you to add your own feeds and view them on your device.
It isn't very obvious how to add your own RSS feed unless you already know how. You actually take your URL, then paste it into the search bar used to find new content. It will then parse that URL and allow you to add it. You can customize how it displays your feeds, including a standard list view.
There are quite a few sharing options, but by far not the most we’ve seen in these apps. Essentially a few more than the standard Share Sheet. Of all of them, they seem to prioritize Twitter. It is in the share menu, in the bottom under the large “Share” button, and then there is a Twitter icon up at the top. So 3 places to get that story onto the bird-based social network.
Device Support: iPad, iPhone, & Apple Watch
Sharing Options: Many 3rd party apps, plus iOS Share Sheet
Notable Features: Built-in syncing service. Discovery of other feeds.
Cost: Free
Honorable Mention
Flipboard
Flipboard is our honorable mention of this post. It is really positioned as a customized magazine. It looks really gorgeous and has been featured by Apple several times. They really push discovery, and give you lots of ways just to find new content. Content literally flips by as you go post to post.
If you do, however, attempt to bypass all of the actual curated content, there is a search icon at the bottom. Here you can actually enter an RSS feed URL. It will then add it to your "Following" list, which is the second tab on the bottom. This lets you easily just go in and read that particular feed.
Summary
We did try to shy away somewhat from syncing services and discovery apps, because it gets into a grey area of RSS, or just a news app. There are still many apps out there that we didn’t even touch on that count as an RSS reader, though.
Are there any really stellar ones you want to let us know about? How many people out there still use RSS, or have you migrated to the new Apple News app?
Please also let us know your suggestions for other app roundups as well.
In this week’s edition of our Apps of the Week post, we’ve hand-picked 5 titles for you to check out this weekend. The selections include a video streaming app with a unique twist, a different kind of Twitter client, a full-featured annotation app, and two new games that you won’t want to miss!
Look
The live video streaming app space is already crowded, with entries from major players like Facebook and Twitter. But Look offers something the others don't: the ability to request a stream. Want to see what's going on in Times Square? At the beach? The local bar? As long as someone at your desired location has the Look app installed, you can send them a notification asking for a live video stream. This is one of those things that sounds really cool on paper, but a lot of people have to start using it for it to be so. This app is available for free.
Finch for Twitter
Twitter is known for its 140-character excerpts, but the social network can also be a great place for discovering great photos. That's where Finch comes in. The app turns your timeline into beautiful streams of photos, with features like Following, Lists, and keyword/hashtag search. Use the Explore feature to discover new and interesting photos, and instantly save, retweet or like them. This app is available for $2.99.
Annotable
Looking for a new annotation tool? Check out Annotable. It’s a full-featured, all-in-one annotation app with several customization options including rectangles, ovals, arrows, lines and text; 8 colors; 3 outlines and 3 blur styles. You can also highlight items and focus on a certain spot in an image with the Loupe tool. Many of the tools are included with the app, some must be unlocked with in-app purchases. Annotable is available for free.
Never Alone: Ki Edition
Reimagined for mobile — Never Alone: Ki Edition includes every level and all the excitement of the original atmospheric puzzle platformer enjoyed by millions of PC and console players around the world. Experience the epic journey of Nuna and Fox as they search for the source of an eternal blizzard that threatens the survival of everything they have ever known. The mobile version features new touch controls and gorgeous graphics. This game is available for $4.99.
Sky Force Reloaded
The sequel to the hit 2014 title Sky Force, “Reloaded” gives players more of the same great stunning shoot ’em up action with classic arcade elements. Features include beautiful and atmospheric levels with diverse missions, memorable battles with enormous bosses, upgradeable weapons, full voiceover and incredible electronic soundtrack.
The U.K. House of Commons has passed a limited version of its Investigatory Powers Bill after removing controversial elements that would have demanded that manufacturers like Apple weaken or build backdoors into their encryption products.
UK House of Commons | Source: UK Parliament
According to a report by Bloomberg, the bill passed despite some remaining opposition over concerns related to privacy and civil rights. The law grants spy agencies the power to continue bulk surveillance and the use of malware to break into the devices of suspected criminals.
However, the most objectionable components of the bill—related to proposals that would have weakened encryption—were stripped following intense criticism from civil liberties groups and technology companies.
Apple led a critical challenge of the legislation last winter, arguing in an eight-page letter to the U.K. parliamentary committee that "the creation of back doors and intercept capabilities would weaken the protections built into Apple products and endanger all our customers."
Apple's chief executive Tim Cook warned of "dire consequences" if the law passed with language weakening device encryption.
While noting that it cooperates with the U.K. and law enforcement to "catch criminals and save lives," Apple insisted that legal efforts to weaken device encryption on iPhones, iPads and Macs would fail to stop criminals seeking to hide, because those individuals could simply continue using other encryption technologies that are freely available to anyone.
"There are hundreds of products that use encryption to protect user data, many of them open-source and beyond the regulation of any one government," Apple's letter stated. "By mandating weakened encryption in Apple products, this bill will put law-abiding citizens at risk, not the criminals, hackers and terrorists who will continue having access to encryption."
Apple's global fight against overreaching governments
Cook took the same stance in the United States, where he maintained a very public stand against efforts by the Federal Bureau of Investigation to use the courts to require the company to develop a broken version of iOS that would enable law enforcement to bypass a variety of security mechanisms in order to hammer away at encrypted iPhones.
The FBI later withdrew its motions to force Apple to unlock devices related to a New York drug case, as well as to develop software to break into a company device assigned to the dead terrorist shooter in San Bernardino.
In parallel, encryption-weakening legislation proposed in the U.S. Congress was withdrawn this spring after political support evaporated as the public increasingly sided with Apple's stance on privacy and civil rights.
In April, Apple's general counsel Bruce Sewell testified at a hearing of the U.S. House Energy and Commerce Committee that the company has twice refused demands from Chinese authorities to turn over source code over the past two years.
The testimony came in response to unsupported accusations by Captain Charles Cohen, a state law enforcement official from Indiana, who suggested that Apple hands over data to the Chinese government but was simply unwilling to help U.S. law enforcement access private data.
Representative Anna Eshoo, a Democrat from California, refuted the Captain's suggestion and forced Cohen to admit that his only source of information was media reports.
A variety of other technology companies, including Facebook, Google's Alphabet, Microsoft, Twitter and Yahoo have joined Apple in lobbying against legislation that could undermine customers' faith in their products and brands.
Though new MacBooks aren't expected to launch until later this year, a new supply chain report claims that one key component supplier is sending parts to Apple as the company gears up for a completely revamped notebook design.
Notebook hinge manufacturer Jarllytec allegedly began shipping metal injection molding hinges for new 13-inch MacBooks to Apple last month, according to China's Commercial Times. Sales for the month of May were said to have increased 107.2 percent year over year thanks to Apple's apparent preparations.
Jarllytec is also said to be preparing to ship metal injection molding hinges for a new 15-inch MacBook Pro in the third quarter of calendar 2016, which runs from July through September.
Hinges are, of course, a crucial component in terms of the durability of notebooks, connecting the keyboard and processing components of a MacBook to the Retina display in a clamshell design that allows for portability. Apple is said to have redesigned the hinge on its 2016 notebooks, allowing for continued durability with thinner form factors.
Thus far, rumors have pegged Apple's revamped MacBook Pro lineup for a late 2016 launch, in time for the holiday shopping season. That would suggest that shipments from Jarllytec are not meant to be taken as a sign that a new notebook launch is imminent.
Notably, Apple is set to host its annual Worldwide Developers Conference next week, but the event is expected to focus on software, while hardware upgrades are likely to wait until later this year.
According to analyst Ming-Chi Kuo of KGI Securities, Apple's MacBook Pro models are set to be redesigned with a touch-sensitive OLED display that will replace the row of function keys on current MacBook designs. The notebook overhaul is also expected to bring Touch ID secure fingerprint logins to the Mac for the first time.
Like last year's 12-inch MacBook, the new Pro models are expected to adopt speedy USB-C connectivity. It's also possible that Apple could use USB-C for charging and ditch its MagSafe connector, according to photos of an alleged MacBook Pro chassis that leaked online last month.
Apple on Tuesday released an important update to its iTunes U iOS app, adding features like a cloud-capable document picker. Google meanwhile debuted Motion Stills, an iPhone app that creates unusual GIFs based on Live Photos.
The iTunes U update, version 3.3, lets users add materials stored on various cloud services. On top of Apple's iCloud Drive, other examples include Box, Dropbox, and Google Drive.
Teachers can now import class rosters from Apple School Manager, and point students to specific iTunes U courses through the separate Classroom app. Finally, Explain Everything and Notability project files can be used either as course materials by staff or hand-ins by students.
Google's Motion Stills uses special video stabilization technology to freeze the background of a Live Photo during the GIF conversion process. The app also tries to calculate the optimal start and stop points for a loop, and toss any blurry frames.
Notably Motion Stills works without signing into Google services, or even an internet connection. Multiple GIFs can be combined into a montage, and any output can be shared via messaging apps or social networks.
The app nominally works on any iPhone with iOS 9 or later. Only the iPhone SE, iPhone 6s, and iPhone 6s Plus support Live Photos, however.