Update on StoreKit External Entitlement for dating apps – News

Since February of this year, developers of dating apps on the App Store in the Netherlands have been able to use the StoreKit External Purchase Entitlement or the StoreKit External Purchase Link Entitlement to enable the capability to sell services through a payment system other than Apple’s in-app purchase system. Apple established these entitlements as part of our plan to comply with a recent Netherlands Authority for Consumers and Markets (ACM) order. Today we’ve introduced changes to these entitlements, which include:

  • Removal of the Separate Binary Requirement: Apple is eliminating the requirement that developers of dating apps in the Netherlands who choose to use the above entitlements must create and use a separate binary. This change means that developers may include either entitlement in their existing dating app, but still must limit its use to the app in the Netherlands storefront and on devices running iOS or iPadOS.
  • Payment Service Provider Criteria: Apple is providing updated and more-specific criteria to evaluate non-Apple payment service providers that developers of dating apps in the Netherlands may use.
  • Consumer Disclosures: Apps that use either entitlement need to include an in-app modal sheet that explains to users that they’re going to make purchases through an external payment system, and the potential impact that choice could have on the user. Apple is adjusting the language on the modal sheet and reducing the number of times the sheet must be displayed.

Developers of dating apps who want to continue using Apple’s in-app purchase system — which we believe is the safest and most secure way for users to purchase digital goods and services — may do so and no further action is needed.

As we have previously said, we disagree with the ACM’s original order and are appealing it. In the meantime, the changes we’ve made today demonstrate Apple’s ongoing commitment to fulfill its legal obligations in the Netherlands.

Learn more

GoPro launches Hero 10 Creator bundle with new Volta grip

(Pocket-lint) – GoPro has announced a new bundle for its flagship Hero 10 Black camera, called the Creator Edition.

The set includes the Media Mod, Light Mod and an all-new accessory, the Volta battery and remote control grip.

The Volta has a built-in 4900 mAh battery that combines with the Hero 10’s standard battery to triple the action camera’s battery life.

It features integrated buttons that allow control of the camera’s main functions when used as a handle or selfie stick.

However, it can also control the camera wirelessly, so if you detach the Volta it can be used as a remote control.

The grip also has two legs that fold out to create a small tripod stand; it’s a pretty versatile little accessory.

As with almost all GoPro products the new grip is weather-resistant and rugged.

While it’s designed for the Hero 10, it will work with the Hero 9, too – and is capable of charging any USB-C device, such as your smartphone or a GoPro Max, for example.

GoPro is selling the Creator Edition bundle for GoPro subscribers at $581.96 / £558.46 starting today. It’s a small saving compared to GoPro’s current prices, but a significant saving over MSRP. For non-subscribers, the price jumps to $784.95 / £759.95.

For the new Volta grip on its own, the price is $90.99 / £83.99 for subscribers and $129.99 / £119.99 for everyone else.

Writing by Luke Baker.

Mystery solved in destructive attack that knocked out >10k Viasat modems

A Viasat Internet satellite dish in the yard of a house in Madison, Virginia.

Viasat—the high-speed-satellite-broadband provider whose modems were knocked out in Ukraine and other parts of Europe earlier in March—confirmed a theory by third-party researchers that new wiper malware with possible ties to the Russian government was responsible for the attack.

In a report published Thursday, researchers at SentinelOne said they uncovered the new modem wiper and named it AcidRain. The researchers said AcidRain shared multiple technical similarities to parts of VPNFilter, a piece of malware that infected more than 500,000 home and small-office modems in the US. Multiple US government agencies—first the FBI and later organizations including the National Security Agency—all attributed the modem malware to Russian state threat actors.

Enter ukrop

SentinelOne researchers Juan Andres Guerrero-Saade and Max van Amerongen posited that AcidRain was used in a cyberattack that sabotaged thousands of modems used by Viasat customers. Among the clues they found was the name “ukrop” for one of AcidRain’s source binaries.

While SentinelOne said it couldn’t be sure its theory was correct, Viasat representatives quickly said that the theory was. Viasat also said that the finding was consistent with a brief overview the company published on Wednesday.

Viasat wrote:

The analysis in the SentinelLabs report regarding the ukrop binary is consistent with the facts in our report—specifically, SentinelLabs identifies the destructive executable that was run on the modems using a legitimate management command as Viasat previously described. As noted in our report: “the attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network, and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously.”

AcidRain is the seventh distinct piece of wiper malware associated with Russia’s ongoing invasion of Ukraine. Guerrero-Saade and van Amerongen said AcidRain is an executable file for MIPS, the hardware architecture for the modems used by Viasat customers. The malware was uploaded to VirusTotal from Italy and bore the name “ukrop.”

“Despite what the Ukraine invasion has taught us, wiper malware is relatively rare,” the researchers wrote. “More so wiper malware aimed at routers, modems, or IoT devices.”

The researchers soon found “non-trivial” but ultimately “inconclusive” developmental similarities between AcidRain and “dstr,” the name of a wiper module for VPNFilter. The resemblances included a 55 percent code similarity as measured by a tool known as TLSH, identical section header strings tables, and the “storing of the previous syscall number to a global location before a new syscall.”

“At this time, we can’t judge whether this is a shared compiler optimization or a strange developer quirk,” the researchers said.

One mystery solved, more remain

The Viasat statement indicates that the speculation was spot-on.

Viasat’s overview from Wednesday said that the hackers behind the destructive attack gained unauthorized access to a trust-management segment of the company’s KA-SAT network by exploiting a misconfigured VPN. The hackers then expanded their reach to other segments that allowed them to “execute legitimate, targeted management commands on a large number of residential modems simultaneously. Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable.”

How the threat actors gained access to the VPN is still unclear.

Also on Thursday, independent security researcher Ruben Santamarta published an analysis that uncovered several vulnerabilities present in some of the firmware that runs on the SATCOM terminals disrupted in the attack. One was a failure to cryptographically validate new firmware before installing it. Another is “multiple command injection vulnerabilities that can be trivially exploited from a malicious ACS.”

ACS appears to refer to auto-configuration servers, a mechanism found in a protocol used by the modems.

“I am not saying that these issues were actually abused by the attackers, but certainly it does not look good,” Santamarta wrote. “Hopefully, these vulnerabilities are no longer present in the newest Viasat firmware, otherwise that would be a problem.”

Clearly, plenty of mystery still surrounds the disabling of the Viasat modems. But the confirmation that AcidRain was the payload responsible is an important breakthrough.

“I’m glad Viasat concurred with our findings on AcidRain,” Guerrero-Saade wrote in a private message. “I hope they’ll be able to share more of their findings. There’s a lot more to figure out in this case.”

Apple Maps now supports real-time road alerts from emergency vehicles

AppleInsider is supported by its audience and may earn commission as an Amazon Associate and affiliate partner on qualifying purchases. These affiliate partnerships do not influence our editorial content.

Apple Maps now supports real-time alerts sourced from Safety Cloud, a digital alerting platform used by emergency responders and construction zones.

Apple’s primary navigation app already supported real-time alerts from other drivers. The introduction of HAAS Alert’s Safety Cloud means that Apple Maps users can now receive road hazard warnings reported by professional personnel.

HAAS Alerts are sourced from first responders, towing professionals, and other emergency vehicles. When users approach one of these incident sites or vehicles, they’ll receive a real-time alert in Apple Maps.

The HAAS Alert Safety Cloud system is used by more than 1,200 public safety agencies, roadside assistance companies, towing operators, road workers, and other entities with vehicles or roadway equipment.

HAAS Alert, although a lesser-known service among consumers, comes standard on many emergency vehicles from various manufacturers. The company says its service integrates with aftermarket emergency vehicles, work zone equipment, telematics systems, and traffic management platforms.

Since the launch of Safety Cloud in 2017, the service has sent out more than 1 billion digital alerts.

“With the addition of Apple Maps as a Safety Cloud digital alerting partner, drivers using an iPhone as a travel companion will now be safer and better aware of upcoming roadway conditions. We applaud Apple for prioritizing driver safety and taking steps towards achieving the Vision Zero goal of eliminating all traffic fatalities and severe injuries,” said Jeremy Agulnek, senior vice president of Connected Vehicles at HAAS Alert.

Guide on the development of Android mobile apps

Mobile applications have already come to dominate a number of sectors. Although it is nothing new, mobile app development grows more popular every year. The reasons are many and quite understandable. Firstly, mobile apps give quick 24/7 access to the required services and goods. Secondly, Covid-19 has shown us that it is much better to conduct business online and avoid public places. This article is devoted to the development of Android apps. The information will be useful both to business owners and to people working in the IT sector.

What you should know about Android developers 

If you are going to hire an Android app programmer, make sure you understand what knowledge a perfect candidate must have. There is no doubt that specialized knowledge is extremely important in app development. However, a good Android specialist must also master many other things. It is essential to master the Java and Kotlin programming languages. What’s more, a person has to know the latest updates to the languages and their tools.

Knowledge of the markup language XML is another bonus. It is used for building the layouts in applications. Android Studio is also worth learning, since it is the basis for most further guides. The chosen expert must also know how databases work. This knowledge is vital for processing large data flows.

UI/UX design is another crucial point. It is the first thing users pay attention to. If you are currently looking for a person who can build an appealing UI, visit https://stfalcon.com/en/services/hire-vue-developers. Remember that the interface should be easy to use and understand. Otherwise, customers will switch to your competitors. Apart from the technical knowledge, the candidate has to keep abreast of the times and monitor all new trends and tendencies. This will help boost the functionality of future Android apps.

The advantages of Android app development 

As you know, there are different types of mobile applications. There are cross-platform and single-platform mobile products. The latter can be built for either iOS or Android. Below we consider some of the greatest advantages of Android app development.

1) Low cost

If you are thinking about starting a career as an app developer and don’t have a great sum of money, Android is a great option. This is because you can develop Android products on almost any computer.

The community of Android platform enthusiasts is large and loyal. You can always count on support, advice and all possible assistance, which is important for beginners.

2) Field of knowledge application

Java is the most frequently used language for Android app development. The main advantage of this language is that it can be applied for a range of purposes. This means that if you have learned Java but didn’t like app development, you can use your knowledge in another field.

3) Application hosting cost

To list your mobile application in an app store you have to pay. For iOS products on the App Store, it will cost you $100 per year for one program. On the Google Play Market, you pay $25 once upon registration. That’s all. No additional payments.

4) Flexible solution 

You should understand that Android apps are built not only for mobile phones. You can also develop a program for a smartwatch, a smart TV, VR or any other interesting project.

5) Rich sources

Most of the Android code is open source. You can download it on any device. Thanks to easy and convenient access to the code, you can analyse how it works from the inside. The code itself isn’t complicated and is split into modules. So if the final code doesn’t work, it is easy to find and fix the bug.

6) Large audience 

According to the latest studies, Android accounts for 85% of users worldwide, which is somewhere near 2 billion people. All these people need mobile apps to satisfy their demands and requirements. This fact is a great argument in favour of Android app development.

7) Interactive development process 

Interactivity may be the most attractive thing about Android development. By writing just a few lines of code, you will already see the result on the smartphone in your hands. Even as an experienced Android developer, the feeling of tangibility of what you do will not leave you.

Final thoughts 

Android app development represents a world of opportunities. Mobile apps are beneficial for both clients and business owners. Compared with iOS products, Android ones have a larger audience and a more appealing cost. The final decision rests with you, but Android products are definitely worth thinking about.

Update on “reader” app distribution – News

Last year, Apple announced an update coming to the App Store in early 2022 that would allow developers of “reader” apps to include an in-app link to their website for account creation and management purposes. Starting today, with the update of App Store Review guideline 3.1.3(a), developers of reader apps can now request access to the External Link Account Entitlement. This entitlement lets reader apps link to a website that is owned or maintained by the developer, so that users can create or manage their account outside of the app. Reader apps are apps that provide one or more of the following digital content types — magazines, newspapers, books, audio, music, or video — as the primary functionality of the app.

Learn about the External Link Account Entitlement

IT giant Globant discloses hack after Lapsus$ leaks 70GB of stolen data


IT and software development firm Globant said in a statement Wednesday that it experienced a network breach. The statement appeared to confirm claims made by Lapsus$, a group that has successfully compromised Microsoft, Nvidia, Okta, and other victims in recent weeks.

Lapsus$ is a relative newcomer to the data-extortion scene. While the group’s tactics and procedures lack sophistication, members largely believed to be young and technically immature make up for it with persistence. Gang members were rumored to be among seven individuals arrested last week by London police.

Not dead yet

A leak Tuesday on the Lapsus$ Telegram channel included data the group said came from a recent hack on Globant, raising questions about precisely what relationship the suspects, aged 16 to 21, had with Lapsus$. On Wednesday, the FBI sought public assistance in tracking down the group.

London police don’t appear to have explicitly said the suspects were members of Lapsus$, “but, assuming [the suspects] are, we still don’t know how many other individuals are associated with the operation or where they may be based,” Brett Callow, a threat analyst with security firm Emsisoft, wrote in a private message. “For example, at least one of the members appears to be a native speaker—or, more accurately, writer—of Brazilian Portuguese.”

The Telegram post included a screenshot of data purportedly taken from Luxembourg-based Globant, which operates in 18 countries and has more than 23,500 employees. Folders for one of the purportedly stolen data caches had names like “apple-health-app,” “Facebook,” “C-SPAN,” and “DHL.” Another post on the same channel purported to show login credentials, many with weak passwords, for some of the servers Globant used to store the data.

A torrent link in the post indicated that the leaked cache of source code was about 70GB.

Code repository breached by script kiddies

“We have recently detected that a limited section of our company’s code repository has been subject to unauthorized access,” company officials wrote in a statement. “We have activated our security protocols and are conducting an exhaustive investigation.”

So far, the statement said, the investigators believe the stolen data was “limited to certain source code and project-related documentation for a very limited number of clients.” The current probe has yet to find evidence that other data or systems were breached.

Company representatives didn’t respond to an email asking when the breach occurred, if the data leaked was genuine, and if anyone has approached Globant demanding a ransom.

Last week, KrebsOnSecurity and Bloomberg reported that a core Lapsus$ member is a 16-year-old living in Oxford, England. A day later, London police said that at least one of the hacking suspects they arrested was 16 years old.

Lapsus$ employs a host of unsophisticated methods to successfully breach its victims. To bypass some targets’ multifactor-authentication protections, for example, members who had obtained passwords would repeatedly attempt to log in to the affected accounts, so that the user received prompt after prompt, a technique known as MFA prompt bombing. In many cases, prompts can be delivered through a regular phone call.

“No limit is placed on the amount of calls that can be made,” a Lapsus$ member recently wrote. “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”
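One way a defender can surface this pattern in authentication logs, as an added example that is not from the article or from any vendor’s product: it counts MFA push prompts per user inside a sliding time window and flags bursts, especially a run of denials ending in an approval outside working hours. The log format, field names, window and threshold are assumptions chosen for illustration.

```python
"""Detect MFA prompt bombing (bursts of push prompts to one user) in auth logs.

Added example; the log format, field names and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real data): one MFA push event per line.
SAMPLE_LOG = """\
2022-03-22T01:00:05Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-03-22T01:00:41Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-03-22T01:01:20Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-03-22T01:02:03Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-03-22T01:02:50Z user=alice event=mfa_push result=approved src=203.0.113.7
2022-03-22T09:15:00Z user=bob event=mfa_push result=approved src=198.51.100.4
2022-03-22T14:30:00Z user=bob event=mfa_push result=denied src=198.51.100.4
2022-03-22T14:31:00Z user=bob event=mfa_push result=approved src=198.51.100.4
"""

WINDOW = timedelta(minutes=10)   # assumed detection window
THRESHOLD = 3                    # assumed: >= 3 pushes inside WINDOW is suspicious


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a tz-aware 'ts' field."""
    ts, *pairs = line.split()
    rec = dict(item.split("=", 1) for item in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def find_prompt_bombing(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per user whose densest burst of MFA pushes reaches `threshold`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec.get("event") == "mfa_push":
                events[rec["user"]].append(rec)

    alerts = []
    for user, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = [], 0
        for end in range(len(recs)):
            # advance the window start until every event in it fits inside `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            burst = recs[start:end + 1]
            if len(burst) > len(best):
                best = burst
        if len(best) >= threshold:
            results = [r["result"] for r in best]
            first_hour = best[0]["ts"].hour  # UTC here; use the user's local zone in practice
            alerts.append({
                "user": user,
                "pushes": len(best),
                "first": best[0]["ts"].isoformat(),
                "last": best[-1]["ts"].isoformat(),
                # a run of denials that ends in an approval is the classic "wore them down" signature
                "denied_then_approved": "denied" in results[:-1] and results[-1] == "approved",
                "off_hours": first_hour < 6 or first_hour >= 22,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_prompt_bombing(SAMPLE_LOG):
        print(alert)
```

The sample flags only alice: five prompts in under three minutes at 1 am, four denials followed by an approval, while bob’s two afternoon prompts stay below the threshold.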

Other techniques involved SIM swaps and social engineering. Lapsus$ is not above bribery either; once an organization is targeted, the group goes after its customers and employees of its contractors.

The continuing activity of Lapsus$ is yet another testament to the group’s resilience. While organizations frequently focus on defending against zero-day exploits and other types of advanced threats, Lapsus$ should serve as a reminder that less esoteric hacking methods are often easier and just as effective.

Apple removes separate binary requirements from Dutch dating apps


Apple no longer requires Dutch developers to submit separate binaries for dating apps using external payment methods, but the feature is still limited to the Netherlands.

Since February, Apple had required any Dutch developer seeking to use external payment methods to submit two different app binaries: one for the Netherlands App Store, and another for the rest of the world.

Now, Apple has relaxed that requirement, stating that developers may submit only one binary even if external payment providers are used. However, the feature must only be enabled for iOS and iPadOS devices operating in the Netherlands.

Developers were also required to show dialogue boxes to users explaining the difference between Apple’s payment method and the external one. The language in the original box was heavily criticized so Apple has adjusted the language and will reduce the number of times it will be displayed.

Apple will also provide more-specific criteria to evaluate non-Apple payment service providers that developers may use.

Apple says that it disagrees with the Netherlands Authority for Consumers and Markets on their order and is appealing it. Since the ruling, Apple has been fined multiple times for not complying in a way that satisfies all aspects of the order.

Liberty Strategic Capital nabs majority stake in mobile security startup Zimperium for $525M – TechCrunch

Liberty Strategic Capital, the private equity firm launched last year by former treasury secretary Steven T. Mnuchin, announced today that it is acquiring a majority stake in mobile security startup Zimperium for $525 million.

With Zimperium, the firm takes a dive into mobile security, which Mnuchin sees as the front line of cybersecurity today. As he points out, with employees having used their own devices for work for years now, companies need a way to secure those devices even when they don’t control them directly.

“We all need to increase our focus on the protection of mobile devices and applications. Liberty Strategic Capital is investing in Zimperium because they’ve shown that they can lead the way in this multibillion-dollar market,” he said in a statement announcing the deal.

The company covers three parts of the mobile market: device security, mobile application security and mobile threat intelligence. In fact, last year the company discovered spyware called PhoneSpy in 23 Android apps designed to steal data. As TechCrunch’s Carly Page explained at the time of the news:

Researchers at mobile security firm Zimperium, which discovered PhoneSpy inside 23 apps, say the spyware can also access a victim’s camera to take pictures and record video in real time, and warned that this could be used for personal and corporate blackmail and espionage. It does this without a victim knowing, and Zimperium notes that unless someone is watching their web traffic, it would be difficult to detect.

The company didn’t share specific revenue figures, but reported that annual recurring revenue (ARR) grew 53%. Company CEO Shridhar Mittal is hoping that the investment will continue to drive that growth.

“We’ve helped leading public and private organizations across the globe strengthen mobile security, and as we enter a high growth phase to help even more organizations, Secretary Mnuchin and the team at Liberty Strategic Capital will be a tremendous asset to guide and propel our company forward,” Mittal said in a statement.

Under the terms of the deal, SoftBank will own a minority stake in the company; Mnuchin will lead the company’s board of directors. The transaction is expected to close sometime in the next few months.

The company has been around since 2011 and has raised $72 million, according to Crunchbase data. Its last round was in 2018, a modest $12 million investment led by Sierra Ventures. Minority investor SoftBank invested in the company a year earlier, leading a $15 million round.

Apple and MLB announce “Friday Night Baseball” schedule beginning April 8