On the XARA Mac and iOS exploits

“As a Mac developer, I know that getting through the rigorous review process is sometimes an even bigger hurdle than actually writing an app. I’d like to think that this stringent and detail-focused process at least ends up providing security and quality.

The ‘malware’ that passed through the review wasn’t detectable by static analyzers, and the trojan didn’t do anything a ‘normal’ app wouldn’t do. It used existing systems, such as url handler registration and bundle id spoofing, in ways that exposed serious weaknesses.”

Taylor Swift Criticism Spurs Apple to Change Royalties Policy

“Less than 24 hours after Ms. Swift complained publicly that Apple was not planning to pay royalties during a three-month trial period of its new streaming music service, the company changed course, and confirmed that it will pay its full royalty rates for music during the free trial.”

TouchArcade's Patreon

“…the App Store of 2015 is a very different place. Free to play games have almost entirely taken over, and the hyper-metrics-driven business models of giant free to play developers has given rise to a new form of analytics-driven marketing known as user acquisition. Instead of buying banner ads on sites like TouchArcade to reach consumers, marketing a new free to play iOS game involves funneling often hundreds of thousands of dollars (or more) in to companies whose sole purpose is to run elaborate in-app promotion networks to get people to download a new free to play game. In the face of this new style of game marketing, traditional advertising revenue has all but completely dried up, and TouchArcade is dying.”

Hardening privacy with a custom hosts file

I don’t care for companies casually collecting data on my web browsing habits, so one of the first things I set up on a new computer is a custom hosts file. The hosts file maps human-readable domain names (whatever.com) to IP addresses and on most operating systems is consulted before checking an upstream DNS server, which means you can block domains you would prefer your computer not contact.

(Note that on some earlier versions of OS X, it is not true that hosts is consulted first. However, in 10.9 and 10.0, it appears to be.)

The reason I do this is not to block ads — it’s primarily to block tracking. Most ads bring tracking along for the ride, so it has the side effect of blocking a lot of ads. However, I’m happy to accept ads from web pages that are in HTML and do not include tracking.

A custom hosts file can also provide a baseline level of protection against known malware and phishing sites.

The easiest way to set this up is with a hosts file updater that will track trusted host blocking lists and reload them for you when they change. On OS X, I use Gas Mask. On Windows, I use HostsMan.

There are several blocking lists to choose from. I settled on the following three:

– http://someonewhocares.org/hosts/hosts
– http://winhelp2002.mvps.org/hosts.txt
– http://www.malwaredomainlist.com/hostslist/hosts.txt

On Gas Mask, simply add these three URLs as remote sources and activate them as a combined hosts file. The process is similar in HostsMan.

That’s pretty much all there is to it. To make sure it’s working, pop open a Terminal window and try to ping one of the domains. It should be unsuccessful.

Allowing a remote entity to change your hosts file does introduce the possibility of a MITM attack (for example, if one of the above source URLs gets hijacked) so be mindful of that should you decide to go this route.
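One way to reduce the risk from a hijacked or sloppy upstream list is to validate each remote source before it is merged into your hosts file: accept only lines that point a name at a blackhole address (0.0.0.0, 127.0.0.1 or ::1), and reject anything that would redirect a name to a real server or clobber a name the system depends on. The script below is an added example, not code from the original post or from Gas Mask or HostsMan; the sample lists, the protected-name set and the domain names in them are constructed for illustration.

```python
"""Validate and merge remote hosts blocklists before installing them.

Added example (not part of the original post, Gas Mask or HostsMan).
It accepts only lines that map a hostname to a sink address, so a
hijacked upstream list cannot turn the hosts file into a redirect.
"""
import ipaddress
import re

# Addresses a blocklist is allowed to point a name at (blackhole only).
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Names a remote list must never block or redirect (constructed set;
# extend it with the update/login hosts your own machine relies on).
PROTECTED_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# RFC 1123 style hostname: dot-separated labels of letters, digits, hyphens.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def parse_hosts_list(text):
    """Return (accepted, rejected).

    accepted: sorted list of hostnames safe to blackhole.
    rejected: list of (line_no, raw_line, reason) for anything dropped.
    """
    accepted = set()
    rejected = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            addr = str(ipaddress.ip_address(addr))  # normalises e.g. 0:0::1 -> ::1
        except ValueError:
            rejected.append((n, raw, "first field is not an IP address"))
            continue
        if addr not in SINK_ADDRESSES:
            rejected.append((n, raw, f"non-sink address {addr}: possible redirect"))
            continue
        if not names:
            rejected.append((n, raw, "no hostname on line"))
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if name in PROTECTED_NAMES:
                rejected.append((n, raw, f"protected name {name}"))
            elif not _HOSTNAME_RE.match(name):
                rejected.append((n, raw, f"malformed hostname {name!r}"))
            else:
                accepted.add(name)
    return sorted(accepted), rejected


def merge_lists(texts, sink="0.0.0.0"):
    """Merge several validated lists into one hosts-file body, deduplicated."""
    names = set()
    rejected = []
    for text in texts:
        acc, rej = parse_hosts_list(text)
        names.update(acc)
        rejected.extend(rej)
    body = "".join(f"{sink} {name}\n" for name in sorted(names))
    return body, rejected


# Constructed sample lists standing in for two remote sources.
SAMPLE_LIST_A = """\
# constructed sample list A
127.0.0.1 localhost
0.0.0.0 tracker.example          # blackhole entry, accepted
0.0.0.0 ads.example analytics.example
"""

SAMPLE_LIST_B = """\
# constructed sample list B (contains a redirect-style entry)
0.0.0.0 tracker.example
203.0.113.5 login.bank.example   # not a sink address: rejected
0.0.0.0 localhost                # protected name: rejected
0.0.0.0 bad_host.example         # underscore is not a valid label: rejected
"""

if __name__ == "__main__":
    merged, dropped = merge_lists([SAMPLE_LIST_A, SAMPLE_LIST_B])
    print(merged, end="")
    for line_no, raw, reason in dropped:
        print(f"rejected line {line_no}: {reason}: {raw}")
```

Run it against the downloaded text of each source before handing the result to the hosts-file updater; any rejected line with a "possible redirect" reason is a signal that the source should be dropped until you have looked at it, not merely that one entry should be skipped.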

I find that on very rare occasions a website’s core functionality fails to work because it is unable to source JavaScript from a blocked domain. If this happens, simply restore the original (empty) hosts file temporarily. Don’t forget to put your shields back up when you’re done.

The second best way to protect your privacy is to uninstall (or never install) Flash or the Java runtime. Do this too, while you’re in there! At a minimum, install a browser extension that prevents Flash or Java content from running unless you explicitly allow it, such as ClickToPlugin or ClickToFlash.

No technique that I know of prevents all tracking, so this is certainly not foolproof, but I find it more comforting than having my presence effortlessly scooped up and data-mined by sites using conventional analytics tools.

Prying parents: Phone monitoring apps flourish in S. Korea

“Last month, South Korea’s Korea Communications Commission, which has sweeping powers covering the telecommunications industry, required telecoms companies and parents to ensure Smart Sheriff or one of the other monitoring apps is installed when anyone aged 18 years or under gets a new smartphone.”