...a copy of Unix, might as well use the real thing and run iOS.
Exactly!
Both iOS and macOS are Darwin-based at their Core.
I wish they would just run Linux natively and dump the whole Android part.
You do; but hardly anybody outside of this website would agree with you.
As shitty as Android is (and it IS shitty!), it's STILL more-optimized for being a "phone appliance" than anything that would run under stock Desktop Linux.
It's not just about the hardware. I want to be able to buy a reasonably priced phone that doesn't phone back my private life to Google and yet has apps like Uber/Lyft so that I can travel without getting ripped off by cabs. Too much to ask?
Depends on what you call "Reasonably Priced"; but you can get a CURRENT MODEL iPhone SE, with a 4.7" screen, 12 MP camera capable of shooting 4k video, 64-bit A9 Dual Core ARM, WiFi, Bluetooth, Fingerprint Reader, etc. etc. (and a headphone jack!) for only $349 for 32 GB or $449 for 128 GB, Brand New. UNLOCKED (Carrier-Free) directly from Apple! Or you can get Carrier-Subsidized models for around $15 per month.
https://www.apple.com/iphone-s...
Personally, I call that pretty Reasonably Priced. ...And it will run the latest iOS (iOS 11), and will continue to get Updates (and it will REALLY get them!) for a long, long time!
And no, Apple doesn't make YOU the customer, like Google does.
Period.
Why can't my phone be my PC?
Because it's a PHONE, dammit!!!
Just because it has a LITTLE computer inside of it, like your Microwave Oven, DVD/BD Player, and Set Top Box, does NOT make it a "Desktop Replacement", FFS! There are a MILLION reasons why; not the least of which is an entirely different CPU architecture. Yes, I've heard of Compiling for a different Target; but that only solves 80% of the problems, and the other 20% are the toughies...
Remember, PHONES are optimized for BATTERY LIFE. Slow-Ass RAM (as compared to a modern Desktop), Slow-Ass Flash (as compared to a modern SSD), Slow-Ass CPUs (when not running code specifically designed for the PHONE's environment).
Not to mention the Human Interface, unusably small screen (especially for Developers), primitive LAN stacks, etc. etc.
Someday, maybe. But for now, and for a great many applications, a Laptop still smokes that idea to a very large extent. And guess what? It's PORTABLE TOO, just like a Smartphone!!!
And I'm talking as an Embedded Developer.
And just like clockwork, the AC above was punish-modded by all the Fandroids and Linuxbots, because it praised Apple and denigrated Linux and Android.
An S8+ with Dex system is actually very close to perfect for me, what Canonical's Unity aspired to be probably. Even the Standard Android Dex desktop "thing" is pretty close to acceptably good. It's actually only really let down by the quality of the apps, I can't find a decent resizable "sh"-ish terminal or SSH client. There's quite a few but they all have their own little oddities. After that there is a little bit of clunkiness in the GUI because Android isn't really "desktop" orientated but it's better than some tablet UIs.
They're very, very close. If this works well they'll potentially have nailed it.
Close to perfect?
So you won't mind having to RECOMPILE every-single-Linux-Application from scratch for ARM, AND solving all the x86-isms in it?
Yeah, sounds like a GREAT idea... NOT! Just like that ARM laptop that MS announced a day or so ago...
Charge it every few days because it has so few applications that you never use it?
Exactly!
Does the Pixel even COME with a USB-C 3.5 mm Adapter? If not, then that IS unconscionable!
Apple INCLUDES:
1. A Lightning-based version of their standard included Headset.
2. A Lightning 3.5 mm Adapter.
If Google doesn't supply the equivalent with their phone, then where is the nerd outrage on /. ???
Their hatred for the iPhone is intense enough to overcome truth.
Don't I know it!!!
People are quoting a USD$9 price for the adapter.
That's for extra/replacement adapters. One comes with the iPhone.
Shhh, you just invoked his cognitive dissonance. It's Apple, therefore it is too damn expensive! Except when it isn't.
You pay $899 for an Applephone that has $220 worth of components in it and get a free dongle.
Do you seriously believe the Pixel phone's component cost is any higher than the iPhone's, Hater?
My son is on our family plan. His Samsung phone cost more than my iPhone 7.
The concept that Apple's phones are soooooooo damn expensive reminds me of the old PC vs Mac arguments when the Windows folks would trot out a Pro against the cheapest ready to fall off the usability cliff Windows machine. "Look how expensive it is!"
I have visions of these folks getting those cheap feature phones that are marketed to geriatrics on television.
Exactly! Spot on!!!
I was talking Canadian price. At any rate, at $150 there are a lot of wired headphones to choose from, many will be better.
Yeah, they're "better", that is until you get your head yanked forward when you lean back in your office chair, and the always too short cable gets pulled taut; or when you put your headset on with your phone sitting in the passenger seat, and your head gets pulled down by your headset cable getting caught under the parking-brake handle...
They're also $300 fucking dollars. I paid $50 for my wired headphones five years ago, I'm happy with them and they still work.
Apple's EarPods are very competitively priced (for QUALITY Earbuds) at $160, not $300, Hater.
Nah, not that. The lock screen asks for the passcode. This article is about the Apple ID password. (Again, I can't confirm how exactly it works - maybe it only asks for that when you use iCloud)
AppleID Passwords are asked for only when Making Purchases in the App Store, or iTunes Purchases. And if you have TouchID, you can use that, which is more secure (no authentication info leaves the device).
I avoid iCloud; but the iCloud sign-in Dialog asks for an "iCloud PW", (NOT the AppleID one); so I think they at least CAN be different.
From what I've read (can't confirm since I don't use iOS), the system sometimes asks for your password even if you use TouchID for authentication. If so, there's the flaw.
The only time that is true is the initial Lock-Screen (wherein it will ask for a PW under certain conditions, e.g. not logging-in for 48 hours, etc.), and I double-dog-dare anyone to do a MITM attack on THAT process! ;-)
Try using a non-Crapple device. That is the example.
EXACTLY the Non-Response I expected!
Way to defend your point, Hater!
You need to learn the history of iCloud and the sipping of ALL your data without user knowledge before you go throwing stones from your fucking glass house.
Another Apple story where your butthurt is visible for everyone to see.
Citation, please.
And was this an early version of iCloud, Long-since fixed?
The fact that you'd only be asked for password in those situations is not sufficient to be sure it would not be a problem.
If I were so inclined to try and exploit this so-called "flaw", I would write my application so that the malicious code does not execute for the first 30 days (and thus should not be noticed by those that are performing an app-store eligibility review), and then one day after that, and entirely at random, upon invoking some in-app purchase, the faked dialog pops up instead of the real one. The user enters their credentials, and a brief moment later, they are given the same message that would show up if a user happened to lose their network connectivity just after they got the dialog (I don't know what sort of notification this is for the iphone, so I can't say for sure that I know what it would be... maybe the app just says it lost connection to the store, or whatnot. I don't know). Anyways, after it has done this exactly once for a given user, it would not ever do it again.
I expect that most users would retry, and at this point the app would proceed normally via a real itunes purchase, while their password was still stored by the app in the first popup.
At some later point, this username and password combo could be sent to some home base by the application, perhaps as part of a request that retrieves high scores for other players, and the user would not necessarily ever know about it unless they were practically being voyeurs for every network packet their device sends and receives.
I'm honestly not sure what it says about my ethical standards that I would have taken the time to even think of this.
Pretty sure that iOS sandboxing would make those kinds of inter-app shenanigans impossible.
Well, normally I would agree, but this one is not quite phishing anymore, it is more an OS dialog impersonation attack, and the user cannot really see what is going on. Make this dialog appear when it is reasonable to expect, and the user really does not have much of a chance.
Again, why is this even news?
Impersonation of a Login Dialog can be done on ANY OS, period
NOPE.. This is an old problem, and it is usually fixed or worked around a lot better in other OS.
And yet, no examples. And don't just rely on Ctrl-Alt-Del...
Am I the only one that shakes my head every time I see this term used to describe a hacker/cracker/black hat that doesn't actually do research except to unlawfully break into other people's stuff just to brag about it?
And to stay slightly on topic, this is just social engineering, not an OS flaw. Clickbait garbage.
Exactly!
This is where having a visual indicator that only the OS and user know about could help? It could be an image or a phrase, but the idea is that an application couldn't forge the OS dialogue, because it doesn't have access to that info.
At the same time, there are probably still limitations arising from an app asking for permissions it shouldn't need. This is easier to vet for anything going through the App Store and possibly signed applications, but for anything else it is still user beware.
Apple did the "Permissions" the other way-around. The App can install; but it has to ask Permission when it goes to USE the Service for the first time, and the Permission can ALWAYS be revoked from the Settings "App". I think Android FINALLY changed to a similar security model; but it took 'em long enough!
No, it would be like saying android is insecure because Google regularly sends emails asking to reset your gmail password. So when you get an email that looks similar you'll just click the link and enter your password.
On Android, I'm trying to remember any time I'm asked to enter my account password. When I add my account to the phone initially, and when I purchase something from the play store. I don't recall ever seeing a popup asking for my google account password in any other circumstance.
So the issue here is that by being asked for your password a lot (relatively, at least), then a user won't think twice when asked at any random time and will just enter it.
As I said, fortunately, iOS doesn't ask for your login every whipstitch, either. Only during certain specific APPLE tasks.
See: https://it.slashdot.org/commen...
But this isn't a flaw in IOS. It's like saying Android is insecure because of fake emails I get asking me to reset my gmail password
That all depends. If the users are conditioned to respond to those sorts of pop-ups because of the OS itself or because of apps bundled by Apple, then it could be considered an iOS flaw at least in the sense that poor design choices condition the user to be more susceptible to this sort of exploitation.
It was like Microsoft's UAC in the early days. So many apps were written in such a way that they unnecessarily triggered the UAC pop-up. Users just wanted it to go away so they could get on with what they were doing. As a result, users just became conditioned to always allow it. Bad actors who wished to exploit users could count on the fact that the vast majority of users would just OK whatever it was to make the pop-up go away. Think about that for a minute. The goal was to stop unwanted changes to the system. If I double-click an installer then I want to change the system and there is no need to ask me. However, if something that I did not launch myself fires up in the background and wants to change my system, that is not OK. The way Microsoft executed UAC was such that the user could not easily distinguish between the two and the user in haste to make the pop-up go away will allow whatever.
Back to Apple. If the user cannot distinguish between something like the two use cases I have described then there may be a flaw to be addressed. It may also just be a problem with the application ecosystem itself or a manifestation of the user community's predisposition for convenience. In any case, I think that calling it a "fundamental flaw in iOS" is hyperbole.
The iOS experience is NOT filled with UAC-like Permission Challenges. Never has (hopefully) never will.
The typical iOS User will ONLY be challenged in a very few situations:
1. Doing an OS Update.
2. Doing a Backup/Restore of their Device.
3. Downloading an App from the App Store.
4. iTunes Store Purchases/Rentals.
5. Creating/Changing your AppleID login credentials.
There MIGHT be a few others; but they are rare enough that I can't remember ever seeing them personally.
Notice that ALL of those are ONLY initiated by interactions with APPLE Services. If ANY NON-Apple App asks for your AppleID login, DELETE IT IMMEDIATELY!
And in devices with TouchID/FaceID, it BETTER be displaying the TouchID "dialog" (which DOESN'T pass CREDENTIALS), or it gets CANCELLED. In fact, I can't remember the last time I had to actually type-in my AppleID.
Nah, it's a fundamental flaw in iOS's UI. You will be asked for your Apple ID password ALL THE TIME on iOS. Worse, it can be triggered from inside an app by the app trying to use iCloud stuff.
And there's nothing "special" about the prompt. It's a regular dialog box with a regular password field. There is nothing that suggests any difference between a real "OS needs your password" and a fake "phisher is asking for your password."
There's a reason Microsoft used to make you press Ctrl-Alt-Del to enter your password in NT. It was to ensure that you pressed a key combination that no program could read, so that you could always be sure your password was going to the OS, not a phishing program. iOS has no similar thing, and does nothing else to make it clear your password is going to the OS and not some random app.
If something is asking for my AppleID, it needs to be displaying the "TouchID" "Dialog", or I'm not playing. And TouchID simply returns a Go/No-Go back to the App.
That's about as secure as it can get.
I do agree, however, that there should be something to distinguish a System-Generated Password Dialog from ANY other Dialog.