Security Researcher Demos Bug To Execute Unsigned Code on iOS Devices

Security researcher Charlie Miller, a former NSA analyst now working for the consultancy firm Accuvant, plans to publicly demonstrate a new security hole that could allow regular App Store apps to download and execute unsigned code on any iOS device. As Forbes reports, Miller, who isn’t new to the Mac and iOS hacking and security scene, plans to detail his discoveries at the SyScan conference in Taiwan next week.

Full details of the security hole aren’t available – Miller is apparently saving the presentation for next week to give Apple time to fix the issue, and the company is indeed already working on an iOS 5.0.1 update – but Miller had a “stealth app” approved by Apple in the App Store to record a video of the hidden “functionality”. The app was called Instastock, and it behaved as a regular stock monitoring app until Miller recorded a video of his iPhone being subject to malicious attacks through the app, which has since been pulled. Apparently, since Apple found out about Miller’s app and YouTube video, he’s also been removed from the iOS Developer Program.

As you can see in the video, the app gets downloaded from the App Store as any other free or paid app. The first time Miller runs it on his iPhone, nothing happens and the app performs as advertised. But as soon as Miller activates the hidden functionalities on his web server, somehow connected to the iOS app, the app “phones home” and starts downloading and executing unsigned code. As per Apple’s technical rules and guidelines, App Store apps can only execute code approved by Apple. Yet with Instastock, Miller managed to make the iPhone vibrate remotely, open a YouTube video, and even download the device’s entire Address Book remotely. The app is seen exposing parts of the iOS filesystem, listing installed apps, and presumably giving access to a user’s documents, photos and more. In the video – which we’ve embedded below – you can also watch Miller execute commands remotely (from his computer to iPhone) using a command line interface.

Apparently, the hack has been made possible by a flaw in Nitro, Apple’s JavaScript engine introduced with iOS 4.3, which grants Mobile Safari a series of system exceptions so it can render web pages faster. Forbes quotes Miller: “Apple runs all these checks to make sure only the browser can use the exception. But in this one weird little corner case, it’s possible. And then you don’t have to worry about code-signing any more at all.”

Instastock has already been pulled from the App Store, and it’s unlikely that anyone else will figure out the exact bug that Miller has discovered before Apple releases iOS 5.0.1, which has reached beta 2 status and has been reported to introduce security fixes for iOS devices. Apple will likely include a fix for Miller’s discovery in iOS 5.0.1, but in the meantime you can check out the interesting demo after the break.


iTeleport Adds “Launch” VNC Voice Command for iPhone 4S

iTeleport, a popular VNC client for iOS that allows users to remotely connect to Windows PCs and Macs, has added a new feature in its latest update that lets iPhone 4S users launch applications just by using their voice. iTeleport, which I reviewed here, has always been a fine app to connect via VNC to OS X and Windows, and recently the app added full Lion support with authentication through the OS’ username and password. Unlike Screens by Edovia, another great VNC app for iOS and Mac, iTeleport doesn’t use its own online service to make computers available over the air, relying on Google logins instead (via Google Talk protocol).

With version 5.2, iPhone 4S owners will be able to open Mac apps by saying “Launch” followed by an app’s name. Once connected to a Mac, the keyboard icon in the upper toolbar of iTeleport will display the standard iOS system keyboard with a compose box on top of it. And because the iPhone 4S comes with Siri and dictation, the keyboard will also have the dedicated microphone icon next to the spacebar. What happens with iTeleport is that if you say “Launch iTunes” through Siri’s dictation, the app won’t transcribe your command in the text box – it will directly launch the app as you can see in the screenshot above. The developers have apparently figured out a way to parse dictated commands directly inside the app to let it recognize installed applications, and launch them in seconds. In my tests, voice recognition in iTeleport has been as good as you’d expect from regular Siri, and app names such as Evernote, Google Chrome, iTunes and Sparrow were recognized instantly.

iTeleport was already a solid VNC app and this new feature will allow iPhone 4S users to save a few seconds when using a Mac remotely. iTeleport for iPhone and iPad can be downloaded on the App Store, and you’ll need the iTeleport Connect app to make your Mac available over the air.


Siri and iPhone URL Schemes

Alex Heath at iDownloadBlog came up with a way to let Siri launch third-party apps on an iPhone. The solution is far from integrated and requires some tweaking: it uses an iOS app’s internal URL scheme (for example, fb:// for Facebook) and the Address Book to open apps, provided you’ve asked Siri to display a “contact card” with some shortcuts in it. You’re basically creating a fake Address Book entry for apps and assigning a URL scheme to one of the available fields. Tapping on it will open the app or a specific section of the app.

If you have a select number of apps that you’d like to have quick access to with Siri, you could create a “Shortcuts” or “Favorites” contact and add each trigger. Telling Siri to “show shortcuts” would then pull up your list of app shortcuts to open within Siri.

Many have speculated that, in the future, Siri will gain new functionalities including the capability of launching apps directly from its voice-based interface. But wouldn’t it be cool to ask Siri “Open my Facebook messages” rather than just “Open Facebook app”? Or perhaps ask Siri “Go to my OmniFocus Home project” instead of just launching OmniFocus? And what about creating new content from Siri inside a specific section of an app (a new task inside an OmniFocus project), without actually opening it? That’s why I think URL schemes will be worth keeping an eye on – Apple could offer developers a new set of APIs to associate their apps’ sections and menus with Siri actions, and perhaps revamp the URL scheme architecture to include support for Siri and new APIs. This is just speculation on my side, but I think it’d be interesting to see Siri becoming a new, lightweight interface for basic tasks in external apps.

Meanwhile, if you really want to launch apps using Siri and the Address Book, check out iDownloadBlog’s tips here.


Apple Releases iOS 5.0.1 Beta 2

Just 2 days after seeding iOS 5.0.1 beta 1 to developers, beta 2 of 5.0.1 is now available in Apple’s Dev Center. The build number is 9A404, and the update is available over-the-air (800MB for iPhone 4S, 45MB for iPad 2) for users with the previous iOS 5.0.1 beta 1 installed. To download updates OTA, open Settings > General > Software Update. The original beta build apparently suffered from some bugs related to failed activations. Beyond these bug fixes, it doesn’t appear that iOS 5.0.1 beta 2 contains anything more.

iOS 5.0.1 beta 2 is available now in the iOS Dev Center.

UPDATE: It looks like the iOS 5.0.1 beta 2 OTA update for the iPhone 4S is not a delta update; at 800MB it is too large for one.




App Journal, Episode 7: Muon, Flint, Sociable, CoinKeeper

App Journal is a new series aimed at showcasing apps we have enjoyed using on our iPhones, iPads, and Macs, but decided not to feature in a standalone, lengthy review here on MacStories. App Journal is a mix of classic reviews, weekly app recommendations, and a diary of our experiences with apps that still deserve a proper mention.

After the release of iOS 5, iCloud and the first wave of new apps that take advantage of Apple’s new OS and sync services, the App Store is quickly marching towards a holiday season that will be huge, both for hardware sales as well as app and game releases, software deals, and new retail features at Apple’s physical stores. While we wait for the craziness to begin later this month, we take a look at a cool music visualizer for the iPad, a finance app for the iPhone, a Campfire client and a utility to update your status on multiple social networks at once.

Sounds cool? Follow us for this week’s app collection after the break, and stay tuned for more App Journals in the next weeks.

Muon

I found out about Muon when I first saw an ad in our site’s sidebar. I don’t manage advertising on MacStories anymore, so the encounter was completely random, and the fact that the developers are advertising on our site didn’t influence my decision to mention their iPad app on the Journal. Just making things clear.

That said, Muon is a nice music visualizer for the iPad, kind of like iTunes’ own visualizer but with more effects and touch controls. The app can fetch songs from your existing Music library, and displays AirPlay-compatible controls as a translucent bar at the bottom. You can tap on a song’s name at any time to change artist or album or pick a playlist, but I don’t like the blue design of the music picker menu. Visual effects are obviously Muon’s main feature, and interestingly enough the app comes with settings to control the Audio, Drag and Mutate reactions of the Visualizer. You can tweak things like Orbital Speed, Life Span, Color Entropy and Zoom & Blur, and you’ll notice that modifying these parameters really changes what’s displayed on screen.

The developers claim Muon can move up to 500,000 particles on the iPad 2, with a complex visualization engine that makes effects evolve with the beat of your music and gradually form different shapes and patterns that you can capture as presets, or as screenshots with the dedicated camera button. The app supports video-out and AirPlay Mirroring, as well as dual monitor setups and full-screen view on the iPad.

Overall, Muon comes with some fairly advanced control options but I simply prefer to keep it running and let it decide which effects to use according to the song that’s playing. Muon is $0.99 on the App Store for a limited time.

Flint

For our communication needs here at MacStories, we use 37signals’ Campfire. For those who are not familiar with the service, it’s a fantastic chat tool for teams that, among other things, allows you to upload files, manage chat transcripts for multiple rooms, and visualize media such as pictures and videos with inline previews. We use Campfire every day to quickly put out news, casually hang out, and assign articles to each other. There’s no doubt Campfire has become an essential tool for getting things done over here.

In the past months I’ve been testing Flint, a native Mac client for Campfire that’s available on the Mac App Store. It’s been hard for me to switch from the browser-based, pinned tab for Campfire, but Flint is simply fantastic. The interface is elegant, gets out of the way and nicely highlights conversations in a Campfire room. There are profile pictures for users, and a popover at the bottom lets you see all participants in a conversation. The app supports most of Campfire’s web functionalities (image previews, sounds, but no emoji), and more importantly it’s perfectly integrated with Growl on OS X.

This is the main reason I use Flint – with Growl integration, I can take a look at what’s being said without opening the app and, from the Preferences, control the behavior of sounds, dock badges, keywords and enter/leave messages. In the past weeks, the developers have also released an update that improves the reliability and speed of the app from the first version – so if you gave it a try initially and went back to Campfire on the web, now it’s time to fire up the app again and see if things have improved for you.

I, for one, will keep using Flint to catch up with my team and get work done. If you’re serious about Campfire and have a Mac, Flint is $9.99 on the App Store.


Apple’s Fifth Avenue Store Re-Opens Today With Its Redesigned Glass Cube

In just a short few hours, at 10 AM local time, Apple’s flagship retail store at 5th Avenue in New York City will have a grand re-opening after its glass cube was renovated and re-created. As you can see above though, Apple has spent the night removing all the barriers and plastic wrapping and the new design is bare for all to see. The new design has just three tall glass panes on all sides of the cube, coming to a total of just 15 panes — compare that number to the old design which had 90 panes.

Jump the break to view a picture before the plastic wrapping came off, to have a look at renderings of what the store was designed to look like and what the old cube (with its 90 panes) looked like.

We will update this post as more pictures come in and the grand re-opening begins.

[Image via 9to5 Mac]

Update: MacRumors shares more pictures of the redesigned cube, showing the new “seamless” design that eliminates most of the hardware that kept the old 90 glass panels together.

Update #2: View of the redesigned cube via @andinieffendi.



Apple’s Supply Chain Secrets

A recurring theme throughout this year has been how integral Apple’s supply chain is to its recent success. Bloomberg Businessweek’s article from yesterday is just the latest example: it chronicles a few stories of Apple’s impressive control over its supply chain and gives some interesting insight into how it works.

Apple has built a closed ecosystem where it exerts control over nearly every piece of the supply chain, from design to retail store. Because of its volume—and its occasional ruthlessness—Apple gets big discounts on parts, manufacturing capacity, and air freight. “Operations expertise is as big an asset for Apple as product innovation or marketing,” says Mike Fawkes, the former supply-chain chief at Hewlett-Packard (HPQ) and now a venture capitalist with VantagePoint Capital Partners. “They’ve taken operational excellence to a level never seen before.”

Included in the article are some fascinating stories from the supply chain, from the hoarding of lasers so that the iSight’s green LED indicator light could be ‘invisible’ when off, to Apple buying up all the available air freight over Christmas of 1998 so it could ship its new translucent blue iMacs, to how Apple keeps its new products secret ahead of a launch.

At least once, the company shipped products in tomato boxes to avoid detection, says the consultant who has worked with Apple. When the iPad 2 debuted, the finished devices were packed in plain boxes and Apple employees monitored every handoff point—loading dock, airport, truck depot, and distribution center—to make sure each unit was accounted for.


MacStories Product Review: Stem Innovation TimeCommand

You go through the same routine every morning right? Slap the snooze button a couple of times, roll out of bed, and turn on the blinding lamp sitting on your dresser. Good Morning! Well kids, there’s a clock in town that has pretty neat wake-up, sleep, and light dimming capabilities, while doubling as an iPhone, iPod, and iPad dock. The TimeCommand’s best qualities aren’t even time related — Sonic iQ technology (in other words: nice sounds) make this a snazzy bedroom or living room speaker when you’re rocking to your favorite tunes. Ready to integrate your iPhone and a light show into your daily routine? Let’s do this.
