WTF

Apple fails to block porn & gambling ‘Enterprise’ apps

Posted by | Apple, Apps, Developer, Entertainment, Gambling, Gaming, Mobile, payments, Policy, pornography, TC, WTF | No Comments

Facebook and Google were far from the only developers openly abusing Apple’s Enterprise Certificate program meant for companies offering employee-only apps. A TechCrunch investigation uncovered a dozen hardcore pornography apps and a dozen real-money gambling apps that escaped Apple’s oversight. The developers passed Apple’s weak Enterprise Certificate screening process or piggybacked on a legitimate approval, allowing them to sidestep the App Store and Cupertino’s traditional safeguards designed to keep iOS family-friendly. Without proper oversight, they were able to operate these vice apps that blatantly flout Apple’s content policies.

The situation shows further evidence that Apple has been neglecting its responsibility to police the Enterprise Certificate program, leading to its exploitation to circumvent App Store rules and forbidden categories. For a company whose CEO Tim Cook frequently criticizes its competitors for data misuse and policy fiascos like Facebook’s Cambridge Analytica, Apple’s failure to catch and block these porn and gambling apps demonstrates it has work to do itself.

Porn apps PPAV and iPorn (iP) continue to abuse Apple’s Enterprise Certificate program to sidestep the App Store’s ban on pornography. Nudity censored by TechCrunch


TechCrunch broke the news last week that Facebook and Google had broken the rules of Apple’s Enterprise Certificate program to distribute apps that installed VPNs or demanded root network access to collect all of a user’s traffic and phone activity for competitive intelligence. That led Apple to briefly revoke Facebook and Google’s Certificates, thereby disabling the companies’ legitimate employee-only apps, which caused office chaos.

Apple issued a fiery statement that “Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.” Meanwhile, dozens of prohibited apps were available for download from shady developers’ websites.

Apple offers a lookup tool for finding any business’ D-U-N-S number, allowing shady developers to forge their Enterprise Certificate application

The problem starts with Apple’s lax standards for accepting businesses to the enterprise program. The program is for companies to distribute apps only to their employees, and its policy explicitly states “You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers.” Yet Apple doesn’t adequately enforce these policies.

Developers simply have to fill out an online form and pay $299 to Apple, as detailed in this guide from Calvium. The form merely asks developers to pledge they’re building an Enterprise Certificate app for internal employee-only use, that they have the legal authority to register the business, provide a D-U-N-S business ID number and have an up-to-date Mac. You can easily Google a business’ address details and look up their D-U-N-S ID number with a tool Apple provides. After setting up an Apple ID and agreeing to its terms of service, businesses wait one to four weeks for a phone call from Apple asking them to reconfirm they’ll only distribute apps internally and are authorized to represent their business.

With just a few lies on the phone and web plus some Googleable public information, sketchy developers can get approved for an Apple Enterprise Certificate.

Real-money gambling apps openly advertise that they have iOS versions available that abuse the Enterprise Certificate program

Given the number of policy-violating apps that are being distributed to non-employees using registrations for businesses unrelated to their apps, it’s clear that Apple needs to tighten the oversight on the Enterprise Certificate program. TechCrunch found thousands of sites offering downloads of “sideloaded” Enterprise apps, and investigating just a sample uncovered numerous abuses. Using a standard un-jailbroken iPhone, TechCrunch was able to download and verify 12 pornography and 12 real-money gambling apps over the past week that were abusing Apple’s Enterprise Certificate system to offer apps prohibited from the App Store. These apps either offered streaming or pay-per-view hardcore pornography, or allowed users to deposit, win and withdraw real money — all of which would be prohibited if the apps were distributed through the App Store.

A whole screen of prohibited sideloaded porn and gambling apps TechCrunch was able to download through the Enterprise Certificate system

In an apparent effort to step up policy enforcement in the wake of TechCrunch’s investigation into Facebook and Google’s Enterprise Certificate violations, Apple appears to have disabled some of these apps in the past few days, but many remain operational. The porn apps that we discovered which are currently functional include Swag, PPAV, Banana Video, iPorn (iP), Pear, Poshow and AVBobo, while the currently functional gambling apps include RD Poker and RiverPoker.

The Enterprise Certificates for these apps were rarely registered to company names related to their true purpose. The only example was Lucky8 for gambling. Many of the apps used innocuous names like Interprener, Mohajer International Communications, Sungate and AsianLiveTech. Yet others seemed to have forged or stolen credentials to sign up under the names of completely unrelated but legitimate businesses. Dragon Gaming was registered to U.S. gravel supplier CSL-LOMA. As for porn apps, PPAV’s certificate is assigned to the Nanjing Jianye District Information Center, Douyin Didi was licensed under Moscow motorcycle company Akura OOO, Chinese app Pear is registered to Grupo Arcavi Sociedad Anonima in Costa Rica and AVBobo covers its tracks with the name of a Fresno-based company called Chaney Cabinet & Furniture Co.

You can see a full list of the policy-violating apps we found:

Apple refused to explain how these apps slipped into the Enterprise Certificate app program. It declined to say if it does any follow-up compliance audits on developers in the program or if it plans to change its admission process. An Apple spokesperson did provide this statement, though, indicating it will work to shut down these apps and potentially ban the developers from building iOS products entirely:

“Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action.”

TechCrunch asked Guardian Mobile Firewall’s security expert Will Strafach to look at the apps we found and their Certificates. Strafach’s initial analysis of the apps didn’t find any glaring evidence that the apps misappropriate data, but they all do violate Apple’s Certificate policies and provide content banned from the App Store. “At the moment, I have noticed that action is slower regarding apps available from an independent website and not these easy-to-scrape app directories” that occasionally crop up offering centralized access to a plethora of sideloaded apps.

Porn app AVBobo uses an Enterprise Certificate registered to Fresno’s Chaney Cabinet & Furniture Co

Strafach explained how “A significant number of the Enterprise Certificates used to sign publicly available apps are referred to informally as ‘rogue certificates’ as they are often not associated with the named company. There are no hard facts to confirm the manner in which these certificates originate, but the result of the initial step is that individuals will gain control of an Enterprise Certificate attributable to a corporation, usually China/HK-based. Code services are then sold quietly on Chinese language marketplaces, resulting in sometimes 5 to 10 (or more) distinct apps being signed with the same Enterprise Certificate.” We found Sungate and Mohajer Certificates were farmed out for use by multiple apps in this way.

“In my experience, Enterprise Certificate signed apps available on independent websites have not been harmful to users in a malicious sense, only in the sense that they have broken the rules,” Strafach notes. “Enterprise Certificate signed apps from these Chinese ‘helper’ tools, however, have been a mixed bag. For example, in multiple cases, we have noticed such apps with additional tracking and adware code injected into the original now-repackaged app being offered.”

Porn apps like Swag openly advertise their availability on iOS

Interestingly, none of the off-limits apps we discovered asked users to install a VPN like Google Screenwise, let alone root network access like Facebook Research. TechCrunch reported this month that both apps had been paying users to snoop on their private data. But the iOS versions were banned by Apple after we exposed their policy violations, and Apple also caused chaos at Facebook and Google’s offices by temporarily shutting down their employee-only iOS apps too. The fact that these two U.S. tech giants were more aggressive about collecting user data than shady Chinese porn and gambling apps is telling. “This is a cat-and-mouse game,” Strafach concluded regarding Apple’s struggle to keep out these apps. But given the rampant abuse, it seems Apple could easily add stronger verification processes and more check-ups to the Enterprise Certificate program. Developers should have to do more to prove their apps’ connection with the Certificate holder, and Apple should regularly audit certificates to see what kind of apps they’re powering.

Back when Facebook missed Cambridge Analytica’s abuse of its app platform, Cook was asked what he’d do in Mark Zuckerberg’s shoes. “I wouldn’t be in this situation,” Cook frankly replied. But if Apple can’t keep porn and casinos off iOS, perhaps Cook shouldn’t be lecturing anyone else.

Powered by WPeMatico

It’s Friday so relax and watch a hard drive defrag forever on Twitch

Posted by | Gadgets, Twitch, WTF | No Comments

It’s been a while since I defragged — years, probably, because these days for a number of reasons computers don’t really need to. But perhaps it is we who need to defrag. And what better way to defrag your brain after a long week than by watching the strangely satisfying defragmentation process taking place on a simulated DOS machine, complete with fan and HDD noise?

That’s what you can do with this Twitch stream, which has defrag.exe running 24/7 for your enjoyment.

I didn’t realize how much I missed the sights and sounds of this particular process. I’ve always found ASCII visuals soothing, and there was something satisfying about watching all those little blocks get moved around to form a uniform whole. What were they doing down there on the lower right hand side of the hard drive anyway? That’s what I’d like to know.

Afterwards I’d launch a state of the art game like Quake 2 just to convince myself it was loading faster.

There’s also that nice purring noise that a hard drive would make (and which is recreated here). At least, I thought of it as purring. For the drive, it’s probably like being waterboarded. But I did always enjoy having the program running while keeping everything else quiet, perhaps as I was going to bed, so I could listen to its little clicks and whirrs. Sometimes it would hit a particularly snarled sector and really go to town, grinding like crazy. That’s how you knew it was working.

The typo is, no doubt, deliberate.

The whole thing is simulated, of course. There isn’t really just an endless pile of hard drives waiting to be defragged on decades-old hardware for our enjoyment (except in my box of old computer things). But the simulation is wonderfully complete, although if you think about it you probably never used DOS on a 16:9 monitor, and probably not at 1080p. It’s okay. We can sacrifice authenticity so we don’t have to windowbox it.

The defragging will never stop at TwitchDefrags, and that’s comforting to me. It means I don’t have to build a 98SE rig and spend forever copying things around so I have a nicely fragmented volume. Honestly they should include this sound on those little white noise machines. For me this is definitely better than whale noises.


This robot maintains tender, unnerving eye contact

Posted by | Gadgets, hardware, robocalypse, robotics, WTF | No Comments

Humans already find it unnerving enough when extremely alien-looking robots are kicked and interfered with, so one can only imagine how much worse it will be when they make unbroken eye contact and mirror your expressions while you heap abuse on them. This is the future we have selected.

The Simulative Emotional Expression Robot, or SEER, was on display at SIGGRAPH here in Vancouver, and it’s definitely an experience. The robot, a creation of Takayuki Todo, is a small humanoid head and neck that responds to the nearest person by making eye contact and imitating their expression.

It doesn’t sound like much, but it’s pretty complex to execute well, which, despite a few glitches, SEER managed to do.

At present it alternates between two modes: imitative and eye contact. Both, of course, rely on a nearby (or, one can imagine, built-in) camera that recognizes and tracks the features of your face in real time.

In imitative mode the positions of the viewer’s eyebrows and eyelids, and the position of their head, are mirrored by SEER. It’s not perfect — it occasionally freaks out or vibrates because of noisy face data — but when it worked it managed rather a good version of what I was giving it. Real humans are more expressive, naturally, but this little face with its creepily realistic eyes plunged deeply into the uncanny valley and nearly climbed the far side.

Eye contact mode has the robot moving on its own while, as you might guess, making uninterrupted eye contact with whoever is nearest. It’s a bit creepy, but not in the way that some robots are — when you’re looked at by inadequately modeled faces, it just feels like bad VFX. In this case it was more the surprising amount of empathy you suddenly feel for this little machine.

That’s largely due to the delicate, childlike, neutral sculpting of the face and highly realistic eyes. If an Amazon Echo had those eyes, you’d never forget it was listening to everything you say. You might even tell it your problems.

This is just an art project for now, but the tech behind it is definitely the kind of thing you can expect to be integrated with virtual assistants and the like in the near future. Whether that’s a good thing or a bad one I guess we’ll find out together.


Don’t keep cell phones next to your body, California Health Department warns

Posted by | California Department of Public Health, cell phone radiation, FCC, Gadgets, Health, Physics, Radiation, radioactivity, TC, WTF | No Comments

The California Department of Public Health (CDPH) issued a warning against the hazards of cellphone radiation this week. Yes, the thing we are all addicted to and can’t seem to put down is leaking electromagnetic radiation and now California has some guidance to safeguard the public.


Pepper the robot can perform funerary rites, but it shouldn’t

Posted by | Gadgets, pepper, robotics, Softbank, TC, WTF | No Comments

It’s not really clear just what “humanoid” robots are actually for. I’ve seen them do all kinds of things, but almost none of them well; at our recent Robotics event in Boston, several leading experts in the field questioned their necessity. But we grew up with Data and Robby and Cylons, and so now we have Pepper. Performing funeral rites for cash-strapped people in Japan.


The WriteyDesk is a desk you can write on

Posted by | Birch, Gadgets, office equipment, TC, whiteboard, WTF | No Comments

Whether you’re an unsung mathematical genius with a penchant for writing complex equations all over everything or a damn vandal, you’ll find the WriteyDesk quite useful. This desk is essentially a big whiteboard upon which you can write, draw, or sketch, and it’s erasable. It comes in white or “birch” and is $300 on Kickstarter ($400 when it hits…


Unreal’s ‘photorealistic character sample’ is like a Rob Lowe from the uncanny valley

Posted by | 3D modeling, Gaming, TC, unreal engine, WTF | No Comments

Making the character models you see in games is a very involved process, and as a few recent titles have shown, the faces especially are hard as hell to do right. The folks behind Epic’s Unreal Engine, which powers more than a few of those games, have kindly offered a ‘photorealistic character sample’ — a Rob Lowe-looking dude who looks almost real enough to touch. Almost.


Watch manufacturer Sinn loses its mind with a hybrid mechanical/Apple Watch band

Posted by | chronograph, Gadgets, luxury brands, sinn, TC, watches, WTF | No Comments

As we approach the coming mechanical watch apocalypse strange things will begin happening. Dogs and cats shall live together. Beloved watch brands shall buy each other for no good reason. And storied and historical watchmakers will bow to the will of Cupertino. Behold, then, the first horseman: it’s called the Sinn Dual Strap System and it consists of two strap halves. On one half you…
