Stuart Breckenridge

Dropbox' Dirty Little Security Hack

philastokes:

If you have Dropbox installed, take a look at System Preferences > Security & Privacy > Accessibility tab. Notice something? Ever wondered how it got in there? Do you think you might have put that in there yourself after Dropbox asked you for permission to control the computer?

[…]

There are at least three reasons why it matters. It matters first and foremost because Dropbox didn’t ask for permission to take control of your computer. What does ‘take control’ mean here? It means to literally do what you can do in the desktop: click buttons, menus, launch apps, delete files… There’s a reason why apps in that list have to ask for permission and why it takes a password and explicit user permission to get in there: it’s a security risk.

[…]

Moreover, Dropbox is either clearly storing your Admin password in its own caches (very bad) or giving itself complete root privileges (also very bad); otherwise, it would have to ask you for the password again after you delete it from the list of apps allowed Accessibility privileges. This strikes me as not only underhand (because there’s no indication that it’s going to assume that kind of control) but also over the top.

It’s quite shocking that Dropbox would do this. It makes me want to move over to iCloud Drive. (Read the followup post to understand exactly how Dropbox are hacking their way around Apple’s security.)
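The check the quoted post asks you to do by hand in System Preferences, as an added example that is not code from the post or from Dropbox: list which clients hold Accessibility control according to the system-wide TCC database. The database path, the `access` table and its column names, and the service name `kTCCServiceAccessibility` are assumptions stated in the docstring (the grant column was renamed in later macOS releases, so both names are handled); reading the real file needs root, and on releases after this post also Full Disk Access. When the file is not readable the script runs against a constructed in-memory sample, so it can be tried anywhere.

```python
"""Enumerate the Accessibility grants recorded in macOS's TCC database.

Added example, not from the linked post. Assumptions: the system-wide TCC.db
lives at TCC_DB below, Accessibility rows carry the service name
kTCCServiceAccessibility, and the `access` table stores the grant in a column
named `allowed` (Sierra era) or `auth_value` (later releases). Reading the real
file needs root (and, on later releases, Full Disk Access); without that the
script falls back to a constructed in-memory sample.
"""
import sqlite3
from pathlib import Path
from urllib.parse import quote

TCC_DB = Path("/Library/Application Support/com.apple.TCC/TCC.db")
ACCESSIBILITY = "kTCCServiceAccessibility"


def grant_column(conn):
    """Name of the column holding the grant flag; the schema changed across releases."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(access)")}
    for candidate in ("auth_value", "allowed"):
        if candidate in cols:
            return candidate
    raise RuntimeError("unrecognised layout of the TCC access table")


def accessibility_clients(conn):
    """Return [(client, granted)] for every Accessibility row, sorted by client."""
    col = grant_column(conn)
    rows = conn.execute(
        f"SELECT client, {col} FROM access WHERE service = ? ORDER BY client",
        (ACCESSIBILITY,),
    )
    return [(client, bool(value)) for client, value in rows]


def unexpected_grants(conn, allow_list):
    """Clients holding Accessibility control that are not on the admin's allow-list."""
    return [c for c, granted in accessibility_clients(conn) if granted and c not in allow_list]


def sample_db():
    """Constructed stand-in for TCC.db (Sierra-era column names); sample rows only."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "allowed INTEGER, prompt_count INTEGER)"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", [
        (ACCESSIBILITY, "com.apple.Terminal", 0, 1, 1),      # approved by the user at a prompt
        (ACCESSIBILITY, "com.example.syncclient", 0, 1, 0),  # constructed: granted, not on allow-list
        (ACCESSIBILITY, "com.example.oldtool", 0, 0, 1),     # listed but unchecked (no grant)
        ("kTCCServiceAddressBook", "com.example.mail", 0, 1, 1),  # a different service, ignored
    ])
    conn.commit()
    return conn


def open_tcc():
    """Open the real database read-only when it is readable, else the sample."""
    try:
        conn = sqlite3.connect(f"file:{quote(str(TCC_DB))}?mode=ro", uri=True)
        conn.execute("SELECT 1 FROM access LIMIT 1")
        return conn
    except sqlite3.Error:
        return sample_db()


if __name__ == "__main__":
    conn = open_tcc()
    for client, granted in accessibility_clients(conn):
        print(f"{'GRANTED' if granted else 'denied ':8} {client}")
    print("not on allow-list:", unexpected_grants(conn, {"com.apple.Terminal"}))
```

The allow-list comparison is the point: anything reported as granted that you do not remember approving at the password prompt is exactly the situation the post describes, and is worth revoking from the Accessibility tab.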


iPhone 7 Prices

Husain Sumra, writing for Macrumors:

While the iPhone 7 Plus introduced today saw a general $20 increase compared to the iPhone 6s Plus it will replace, customers in some countries are finding prices on both the iPhone 7 and 7 Plus and other products increasing by even more due to fluctuations in exchange rates.

Strangely, prices in Singapore have decreased.


On the State of U.K. Broadband Infrastructure

As we wrap up this three month beta testing cycle for iOS 10, watchOS 3, and macOS Sierra, I estimate I’ve downloaded roughly 50GB across iPhone, iPad, Apple Watch, and Mac devices. I would also estimate that it’s taken, collectively, around an hour to download all that data on my 100Mbps cable connection. These beta cycles constantly remind me of when I lived in the U.K. and had an 8Mbps (best case, i.e. never achieved) copper connection. An iOS beta would take up to four hours to download.

It turns out that the U.K. was very nearly going to go all in on fibre in the early 90s, until the Conservative government put an end to the process.

Jay McGregor, writing for TechRadar:

The story actually begins in the 70s when Dr Cochrane was working as BT’s Chief Technology Officer, a position he’d climbed up to from engineer some years earlier.

[…]

He was asked to do a report on the U.K.’s future of digital communication and what was needed to move forward.

“In 1979 I presented my results,” he tells us, “and the conclusion was to forget about copper and get into fibre. So BT started a massive effort - that spanned six years - involving thousands of people to both digitise the network and to put fibre everywhere. The country had more fibre per capita than any other nation.

But, in 1990, then Prime Minister, Margaret Thatcher, decided that BT’s rapid and extensive rollout of fibre optic broadband was anti-competitive and held a monopoly on a technology and service that no other telecom company could do.

“Unfortunately, the Thatcher government decided that it wanted the American cable companies providing the same service to increase competition. So the decision was made to close down the local loop roll out and in 1991 that roll out was stopped. The two factories that BT had built to build fibre related components were sold to Fujitsu and HP, the assets were stripped and the expertise was shipped out to South East Asia.

“Our colleagues in Korea and Japan, who we were working with quite closely at the time, stood back and looked at what happened to us in amazement. What was pivotal was that they carried on with their respective fibre rollouts. And, well, the rest is history as they say.”

In this particular instance, Thatcher et al. had the collective foresight of a gazelle. The TechRadar article goes on to cover the U.S., where a similar decision was made to split AT&T, which inevitably hindered the rollout of fibre.

Indeed, reviewing Akamai’s State of the Internet report [PDF] for Q4 2015, the U.K. and the U.S. don’t feature in the top 10 for Global Average Connection Speeds:

Country Q4 2015 Avg. Mbps
South Korea 26.7
Sweden 19.1
Norway 18.1
Japan 17.4
Netherlands 17.0
Hong Kong 16.8
Latvia 16.7
Switzerland 16.7
Finland 16.6
Denmark 16.1

Seriously short-sighted decision making.


Auditing My Apps for the App Store Cleanup

As I wrote a few days ago, Apple announced that they will be implementing new review procedures for already released apps and will remove those that meet any of the following criteria:

  • no longer function as intended; or
  • no longer meet current review guidelines; or
  • apps which have not been supported with compatibility updates for a long time.

Analysing these criteria and taking the more detailed support page into account, I believe the following will be Apple’s general policy: Apps which haven’t been updated in the last 24 months and which crash on launch or no longer meet current review guidelines will fall into scope of being removed from the App Store.

What current review guidelines are applicable? My assumption is that this review process for historical apps will be automated and that Apple will not be conducting manual reviews to ensure, for example, UI modernity.[1] That said, the red flags I think Apple will be looking for as a starting point are:

  • Apps that aren’t 64-bit;[2]
  • Apps that have iTunes metadata that is outdated (e.g. a privacy policy that returns a 404).

It is inevitable that the criteria will be updated over time. For example, I imagine that in a few years apps which don’t contain @3x assets will be considered abandoned.
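An added illustration of the first red flag, not code from this post or from Apple: a header check that reports which CPU architectures an app executable was built for and whether any slice is 64-bit. It reads only the fat and thin Mach-O headers (the constants are from Apple’s `<mach-o/fat.h>` and `<mach/machine.h>`), so it is a header check rather than a full Mach-O parser; the sample inputs are constructed headers. On a Mac, `lipo -info MyApp.app/MyApp` gives the same answer, and the script shows what that tool reads.

```python
"""Report the CPU architectures a Mach-O executable was built for.

Added example, not from the post. It reads only the fat/thin headers, which is
enough to answer "is there a 64-bit slice?". Constants follow Apple's
<mach-o/fat.h> and <mach/machine.h>; the sample headers at the bottom are
constructed, not taken from a real app.
"""
import struct

FAT_MAGIC = 0xCAFEBABE        # fat (universal) header, always big-endian
MH_MAGIC = 0xFEEDFACE         # 32-bit thin Mach-O, little-endian on Intel/ARM
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit thin Mach-O
CPU_ARCH_ABI64 = 0x01000000   # flag set on every 64-bit cputype
CPU_TYPE_X86 = 7
CPU_TYPE_ARM = 12
ARCH_NAMES = {
    CPU_TYPE_X86: "i386",
    CPU_TYPE_X86 | CPU_ARCH_ABI64: "x86_64",
    CPU_TYPE_ARM: "armv7",
    CPU_TYPE_ARM | CPU_ARCH_ABI64: "arm64",
}


def cputypes(data: bytes) -> list:
    """Return the cputype of each slice (fat binary) or of the single thin image."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O header")
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat, = struct.unpack(">I", data[4:8])
        types = []
        for i in range(nfat):
            off = 8 + i * 20                      # sizeof(struct fat_arch) == 20
            if len(data) < off + 20:
                raise ValueError("truncated fat header")
            cputype, = struct.unpack(">I", data[off:off + 4])
            types.append(cputype)
        return types
    magic, cputype = struct.unpack("<II", data[:8])   # thin image, little-endian
    if magic in (MH_MAGIC, MH_MAGIC_64):
        return [cputype]
    raise ValueError("not a Mach-O or fat binary")


def arch_names(data: bytes) -> list:
    """Human-readable slice names, unknown cputypes shown in hex."""
    return [ARCH_NAMES.get(t, f"cputype 0x{t:08x}") for t in cputypes(data)]


def has_64bit_slice(data: bytes) -> bool:
    """The audit question from the post: does the app ship any 64-bit code?"""
    return any(t & CPU_ARCH_ABI64 for t in cputypes(data))


def audit_executable(path: str) -> dict:
    """Header check on a real executable, e.g. MyApp.app/MyApp from an unpacked .ipa."""
    with open(path, "rb") as fh:
        head = fh.read(4096)   # headers fit comfortably in the first page
    return {"archs": arch_names(head), "64-bit": has_64bit_slice(head)}


def fat_header(*types):
    """Constructed fat header listing the given cputypes (offsets/sizes are dummies)."""
    hdr = struct.pack(">II", FAT_MAGIC, len(types))
    for i, t in enumerate(types):
        # struct fat_arch: cputype, cpusubtype, offset, size, align
        hdr += struct.pack(">IIIII", t, 0, 4096 * (i + 1), 1024, 12)
    return hdr


# Constructed samples: a universal armv7+arm64 app, a 32-bit-only app, and a thin x86_64 image.
UNIVERSAL = fat_header(CPU_TYPE_ARM, CPU_TYPE_ARM | CPU_ARCH_ABI64)
ARMV7_ONLY = struct.pack("<II", MH_MAGIC, CPU_TYPE_ARM)
X86_64_THIN = struct.pack("<II", MH_MAGIC_64, CPU_TYPE_X86 | CPU_ARCH_ABI64)

if __name__ == "__main__":
    for label, blob in (("universal", UNIVERSAL), ("armv7-only", ARMV7_ONLY), ("x86_64", X86_64_THIN)):
        print(f"{label:12} {arch_names(blob)} 64-bit: {has_64bit_slice(blob)}")
```

Run it against the main executable inside an .app bundle with `audit_executable(path)`; an app whose result has no 64-bit slice is the case the first bullet describes.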

Auditing my apps based on this analysis reveals the following:

App                 Updated within 2 years   64-bit   Crash on launch   Metadata intact
The FFI List        Yes                      Yes      No                Yes
Baby’s Milk         Yes                      Yes      No                Yes
Primes              Yes                      Yes      No                Yes
Amazing Flag Quiz   No                       No       No                Yes

Even though Amazing Flag Quiz still makes a small amount of money through in-app purchases, I firmly believe that it falls foul of the new rules. (I’ll be writing a new version of Amazing Flag Quiz as my next project.)

What would really help is if Apple didn’t leave so much of this to conjecture with only two days to go until they begin implementing. I am hoping for more information at their event on the 7th.

  1. Given the sheer volume of apps, I think manual reviews are a no-go.

  2. Though not mentioned in the review guidelines, 64-bit has been required since 2015.