MacRumors

Earlier this week, Gareth Wright disclosed his recent work showing that Facebook's app for iOS contains a security vulnerability that could allow malicious users to access login credentials held in a .plist file associated with the app. Obtaining a copy of that .plist file could allow a malicious user to automatically log in to the affected user's account on another device. The flaw reportedly also exists on Android devices.

Wright first discovered the issue while using iExplorer to browse files on his iPhone, discovering that the Facebook .plist file maintains the full OAuth key and secret needed to access his account in plain text. Working with a friend, Wright was able to demonstrate that simply moving that .plist file to another device granted that device access to his Facebook account.

After backing up his own plist and logging out of Facebook he copied mine over to his device and opened the Facebook app…

My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added.

Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures back to my friends.

Wright outlines a number of different ways in which a malicious user could obtain the login credentials, including customized apps, hidden applications installed on public PCs, or hardware solutions such as a modified speaker dock that could siphon the data.

Facebook has issued a statement claiming that the issue only affects devices that have been jailbroken or lost, as it requires either installation of a custom app or physical access to the device. But as pointed out by Wright and confirmed by The Next Web, unmodified devices need not be lost in order to be targeted, as simply plugging in a device to a compromised computer or accessory would be sufficient to allow the data to be gathered.

Dropbox .plist file seen through iExplorer (Source: The Next Web)

Furthermore, The Next Web has confirmed that the same issue affects Dropbox for iOS, similarly allowing a user to simply copy the .plist file from one device to another in order to gain access to the account. Given that two high-profile apps are vulnerable to credential theft, it seems likely that other services are also affected by the same issue.

As multiple reports note, there is no evidence that this method of collecting login credentials is actively being used in a malicious manner, and users can protect themselves for the time being by not connecting their devices to public computers or charging stations.
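The core of the problem in both the Facebook and Dropbox cases is that an app's preference .plist, which any connected computer can read through tools like iExplorer, was holding a bearer credential in clear text. The audit below is an added example, not code from the article or from Facebook or Dropbox: it parses a property list with Python's standard plistlib and flags keys whose name or value shape suggests an OAuth token, secret or password stored in the clear. The sample plist it scans is constructed for the demo, and its key names and values are invented placeholders rather than either app's real schema; the key and value heuristics are assumptions a reviewer would tune for their own app.

```python
"""Audit an iOS app's .plist preference files for plaintext credentials.

Added example (not from the MacRumors article, Facebook or Dropbox): walks
every entry in a property list and reports those whose key name or value
shape suggests a credential that belongs in the Keychain, not in a plist.
"""
import plistlib
import re
from typing import Any, List, Optional, Tuple

# Key names that should never carry a bare credential in a preference file.
# (Assumed heuristic; tune for the app under review.)
SUSPICIOUS_KEY = re.compile(
    r"(oauth|token|secret|password|passwd|credential|session)", re.I
)
# Values that look like opaque tokens: long, no whitespace, token alphabet.
TOKEN_VALUE = re.compile(r"^[A-Za-z0-9_\-\.=|]{20,}$")


def _check_scalar(key: str, value: Any, path: str) -> Optional[Tuple[str, str]]:
    """Return a (path, reason) finding for one leaf value, or None."""
    if isinstance(value, bytes):  # <data> entries come back as bytes
        value = value.decode("utf-8", "replace")
    if not isinstance(value, str) or not value:
        return None  # booleans, numbers, dates, empty strings: not credentials
    if key and SUSPICIOUS_KEY.search(key):
        return (path, "credential-like key name")
    if TOKEN_VALUE.match(value):
        return (path, "token-shaped value")
    return None


def find_plaintext_credentials(data: Any, path: str = "") -> List[Tuple[str, str]]:
    """Recursively walk a parsed plist (dicts, arrays, scalars) and collect findings."""
    findings: List[Tuple[str, str]] = []
    if isinstance(data, dict):
        for key, value in data.items():
            child = f"{path}/{key}" if path else str(key)
            if isinstance(value, (dict, list)):
                findings.extend(find_plaintext_credentials(value, child))
            else:
                hit = _check_scalar(str(key), value, child)
                if hit:
                    findings.append(hit)
    elif isinstance(data, list):
        for i, item in enumerate(data):
            child = f"{path}[{i}]"
            if isinstance(item, (dict, list)):
                findings.extend(find_plaintext_credentials(item, child))
            else:
                hit = _check_scalar("", item, child)  # array items have no key name
                if hit:
                    findings.append(hit)
    return findings


def audit_plist_bytes(raw: bytes) -> List[Tuple[str, str]]:
    """Parse XML or binary plist bytes (plistlib autodetects) and audit them."""
    return find_plaintext_credentials(plistlib.loads(raw))


# Constructed sample of what a leaky preference file might look like.
# Every key and value here is invented; none is a real Facebook/Dropbox field.
SAMPLE_PLIST = plistlib.dumps({
    "AppVersion": "4.1",
    "NotificationsEnabled": True,
    "Account": {
        "UserName": "demo_user",
        "AccessToken": "CONSTRUCTED_TOKEN_0123456789abcdefghij",
        "OAuthSecret": "CONSTRUCTED_SECRET_abcdefghij0123456789",
    },
    "RecentSearches": ["cats", "weather", "ZZZZconstructedOpaqueValue1234567890"],
}, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    for key_path, reason in audit_plist_bytes(SAMPLE_PLIST):
        print(f"{key_path}: {reason}")
```

Run against a real app container (for example the preference files pulled off a development device with iExplorer, as Wright did), the script reports three findings on the constructed sample: the two credential-named keys under `Account` and the token-shaped third search entry. A finding means the value should move to the Keychain, where it is protected by the device passcode and is not exposed to a computer the phone is plugged into.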

Update: While Wright's initial post claims that the issue affects "locked passcoded unmodified iOS Devices" when connected to a PC set up to capture the .plist file, The Next Web has now updated its report to indicate that in its testing the technique does not work on devices protected with a passcode.

Apple has released its second update in two days to the OS X implementation of Java. The first update closed a vulnerability that has led to the infection of more than 600,000 Macs via a trojan horse. The infections have received increased media attention in the past day, including a splashed headline on the Drudge Report.

While yesterday's Java for OS X Lion 2012-001 update closed the vulnerability in Java 1.6.0_29, there's no indication what the new update -- called Java for OS X 2012-002 -- fixes. The update notes link to the same support document as update 2012-001.

Last year, Apple introduced a security update to OS X that would automatically remove malicious software from OS X installations. It isn't clear if the infected machines can be fixed via the internal OS X security mechanisms.

In OS X Mountain Lion, the next version of the OS X software that will be released this summer, Apple will include a feature called Gatekeeper. The new system relies not only on Mac App Store distribution as means of vetting apps, but also on a new "identified developer" program under which developers distributing their applications outside of the Mac App Store can register with Apple and receive a personalized certificate they can use to sign their applications. Apple can then use that system to track developers and disable their certificates if malicious activity is detected.

Previously-released data from NPD on U.S. Mac sales for January and February have demonstrated relatively anemic year-over-year growth, with January sales tracking only 1% above the previous January's performance and February sales coming in 4% higher. Still, analysts have suggested that ongoing growth in international markets could compensate for stagnation in the U.S. market as consumers continue to wait for product updates. Consequently, analysts have generally been holding firm on their predictions of 15-20% Mac unit growth on a worldwide year-over-year basis for the full quarter.

Some analysts had also held out hope that Apple could sneak in at least one update to its Mac lineup before the end of the quarter to provide a spark for Mac sales, but with the first group of Intel's Ivy Bridge processors not launching until the end of the month, Apple was unable to update its main Mac models within the first three months of the year.

Morgan Stanley analyst Katy Huberty is out with a new research note today incorporating NPD's data on U.S. Mac sales for March, and as might be expected given the lack of hardware updates, Apple continues to fall short of analyst expectations, with Mac shipments down 4% year-over-year for the first calendar quarter.

Huberty continues to believe that international growth will offset at least some of the flat performance in U.S. sales for the quarter, although she appears somewhat pessimistic that it will be able to reach her 15% growth target on a global basis. Nevertheless, Huberty seems optimistic that booming iPhone and iPad sales will make up for any shortfall on the Mac side due to the balance of profits among the segments.

Although the US retail market improved in March, Apple shipment growth decelerated as the company faced much tougher Y/Y comparisons due to a notebook refresh this time last year. US retail data suggest Apple shipments fell 4% Y/Y in C1Q12 compared to our estimate of 15% global Mac unit growth. We expect faster international growth to offset some of the deceleration in the US. In fact, the divergence between international and US growth has accelerated from about four points in prior quarters to 15 points in C4Q11. More importantly, we expect demand upside from iPhone and iPad (83% of gross profit) to more than offset any Mac downside (9% of gross profit).

On a broader basis, the PC market is seeing even more substantial declines in sales, with U.S. PC sales tracking for declines of 10-15% year-over-year for the quarter. That performance is, however, better than Huberty had been modeling for, and major PC manufacturers such as HP and Dell could see some upside if their final results fall in line with data released so far.

Announced at CES earlier this year, LaCie's new Thunderbolt eSATA Hub is now shipping. The device allows external eSATA drives to be connected to Thunderbolt-equipped Macs. The daisy-chainable hub includes two eSATA ports and retails for $199.

eSATA is a high-performance drive connector used to connect external hard drives to your computer. eSATA has never been a standard option on Macs, but it is a faster alternative to USB 2.0 and FireWire and is commonly found on high-performance external drives and storage arrays.

For those who have existing eSATA drives or are waiting for Thunderbolt drives to drop in price, this could be a good interim solution. The Hub isn't yet available for order on LaCie's website. We spoke to someone at LaCie's sales center who told us the first batch had sold out, but that more were to arrive in a few days. Interested parties can contact LaCie sales directly to place an order for one of these backordered units, and it'll ship out when LaCie receives them.

Just a day after media reports pointed out the outdated billboard atop the West 14th Street flagship Apple Store in New York City, it has been replaced with an updated sign.

SplatF's Dan Frommer snapped a picture of the updated billboard showing a shot from the new iPad television ad with the iPad being used to make a painting.

The timing of the updated billboard so soon after the media's commentary on it yesterday is most likely a simple coincidence.

Steve Jobs biographer Walter Isaacson says Jobs' anger over Android was real and not "for show" as alleged by Google's Larry Page in an interview this week. Macworld UK attended a lecture Isaacson gave at the Royal Institution and the biographer said that Jobs felt Android's similarity to iOS was "history repeating itself", and compared it to Jobs' feeling that Microsoft's Windows was a rip-off of the Macintosh.


He did the integrated system again, iPod, iPad, and it worked, “but what happens? Google rips it off”.

Isaacson continued: “It's almost copied verbatim by Android. And then they licence it around promiscuously. And then Android starts surpassing Apple in market share, and this totally infuriated him. It wasn't a matter of money. He said: 'You can't pay me off, I'm here to destroy you'.”

Isaacson went on to say that he believes that Tim Cook will handle things differently and "will settle that lawsuit." Apple is currently involved in a number of lawsuits over Android with manufacturers around the world.

While Apple's lost iPhone 4 that surfaced on Gizmodo back in 2010 made the biggest headlines, a similar situation reportedly played out ahead of the iPhone 4S launch last year, with an Apple employee having apparently lost a prototype of the device at a San Francisco bar more than two months before it was publicly introduced.

Apple responded relatively quickly to the loss of the prototype iPhone, and early reports claimed that the company had worked with San Francisco police to track the device to a home in the Bernal Heights neighborhood of San Francisco. They were, however, unsuccessful in locating the iPhone. Controversy erupted when the San Francisco police initially denied that they had participated in any such investigation, leading to suggestions that Apple investigators had impersonated police officers in their search.

The San Francisco Police Department did finally admit that it had assisted Apple with a search of the home in question, but the home's owner, Sergio Calderón, threatened to file a lawsuit over the incident. He claimed that the Apple security officers who searched his home had given the impression that they were police officers, thus making their search of his home an illegal breach of his rights. The last significant update in the case came in early December, when CNET interviewed Calderón's lawyer, who indicated that settlement negotiations with Apple had ended and that a lawsuit would be filed in the following weeks.

Nearly four months later and with no lawsuit having been filed, Network World has now followed up with the lawyer, David Monroe, to find out the status of the situation. Tellingly, Monroe repeatedly asserted that he had "no comment" on any of Network World's questions, all but confirming that he and his client did in fact reach a settlement with Apple. Unsurprisingly, that settlement would have included a nondisclosure agreement preventing Monroe or Calderón from commenting on the situation.

Having heard nothing more in the subsequent four months, I called Monroe yesterday and asked if he could update me on the status of that lawsuit.

"I have no comment about that," he replied.

I asked if there had been a settlement between Apple and his client, Sergio Calderón.

"I have no comment about that."

I mentioned the bit about him saying in December that a lawsuit was then imminent -- within a few weeks -- and asked what had changed since then.

"I have no comment about that."

I was about to try a fourth round but by then we were both chuckling over the futility of the exercise.

Apple has refused to comment publicly on the situation all along, and did not respond to an inquiry from Network World regarding an update. Curiously, Apple's head of global security, John Theriault, left the company in November of last year, with sources indicating that his departure was indeed linked to the circumstances surrounding the lost iPhone 4S. Theriault now works as an independent management consultant in San Francisco.

For its part, the San Francisco Police Department conducted an internal investigation into its handling of the case, but it is unclear what the outcome of that investigation was.


Back in late February, we noted that Apple had begun selling Brazilian-assembled 8 GB iPhone 4 models in that country, yielding the first fruits from Foxconn's production lines starting up in the country. Foxconn has also been said to be gearing up for iPad production in Brazil, with domestic production of the iPhone and iPad providing a means by which Apple could avoid hefty import taxes in one of the world's most populous countries.

While Apple has yet to begin selling Brazilian-assembled versions of the iPhone 4S or even give any sign that it intends to do so, MacRumors has learned that Apple has been making better progress with the iPad. Specifically, the company has already received certification to sell Brazilian-assembled models of the 16 GB iPad 2 in Brazil alongside the current Chinese-assembled models. Apple already sells the full line of iPad 2 models in Brazil, but only the 16 GB models will continue to be available once the new iPad launches and it appears that Apple will be adding domestically-assembled models to the mix at that time.

Regarding the new iPad, certifications for all models of the new iPad are still pending for both Brazilian- and Chinese-assembled models, but it is clear that the company is making preparations to launch the device with at least some domestic production in Brazil. Apple will, however, be unable to launch the new iPad in Brazil until appropriate certifications are received, and the company has yet to announce a launch date for the device.

As with the iPhone, Chinese-assembled versions of iPad models manufactured for sale in Brazil would carry the BZ/A suffix on their model numbers as seen with most Apple products in that market, while their Brazilian-assembled counterparts would carry a BR/A suffix.


Ars Technica reports on a Tweet from Russian malware analyst Ivan Sorokin at Dr. Web claiming that the Flashback trojan has now infected over 600,000 Macs worldwide. That number reportedly includes 274 machines "from Cupertino", presumably meaning at Apple's headquarters.

According to Dr. Web, 57 percent of the infected Macs are located in the US and 20 percent are in Canada. Like older versions of the malware, the latest Flashback variant searches an infected Mac for a number of antivirus applications before generating a list of botnet control servers and beginning the process of checking in with them.

The authors of the Flashback trojan have continued to tweak the software since it first surfaced last September, adjusting its tactics several times to include both social engineering tricks and exploits of vulnerabilities.

The most recently-seen version of Flashback surfaced earlier this week, exploiting a Java vulnerability that was unpatched on OS X. While Oracle had released an update closing the hole on Windows back in February, Apple had yet to issue a fix for Macs, as the company has historically maintained its own Java updates that are deployed some time after Oracle issues its own corresponding updates. But just a day after that report, Apple did update Java to address the vulnerability being exploited by Flashback.

Antivirus firm F-Secure has instructions on how users can determine whether their machines are infected by the Flashback trojan. The instructions do involve running commands in Terminal, and users should thus take care to follow the instructions exactly.


As noted by The Tech Block and The Next Web, during his Talk Show podcast with Dan Benjamin, DaringFireball's John Gruber offered up some additional confirmation of the existence of a 7.85" iPad. Gruber reports that he has been told by "numerous" people that this size iPad is something Apple has been "noodling with".

When asked by Benjamin if he thought a 7.85" iPad would ever be released, Gruber responded (at ~1hr 19min):

“Well, I don’t know. What I do know is that they have one in the lab…a 7.85 inch iPad that runs at 1024×768… it’s just like the 9.7" iPad shrunk down a little bit. Apps wouldn't need to be recompiled or redesigned to work optimally on it. It's just the iPad smaller.”

Gruber has offered accurate information in the past and seems to have many contacts at Apple. Gruber does point out that Apple has many prototype products that never make it to market, and reminds us that Steve Jobs once said that he was as proud of the products that Apple hasn't done as the ones they have.

It has been clear to us that a 7.85" iPad has been in late prototyping stages. Reports have been coming from the Chinese supply chain about such a device for months. This indicates that Apple isn't just toying around with the form factor in its labs in Cupertino, but is also working with suppliers on possible production. As Gruber said, this still isn't a sign that Apple will necessarily release such a device.

The reason why a 7.85" screen might make sense for a new iPad has been detailed in the past, and we have a paper mockup that can be printed out to compare its size to a 9.7" iPad.


An internal AppleCare document published by 9to5Mac reveals that Apple is currently investigating complaints about poor Wi-Fi performance in some new iPad models.

In the United States, contact centers and retail stores should capture iPad (3rd generation) Wi-Fi only devices if they exhibit any issue related to Wi-Fi.

Symptoms can include, but are not limited to:

- Intermittent connectivity
- Slow Wi-Fi speeds
- Wi-Fi network not seen.

This policy seems limited to Wi-Fi models and not to the LTE models. Affected customers will reportedly get their iPad replaced and their unit sent to Apple hardware engineers for further investigation.

User reports of weak Wi-Fi signals began shortly after the new iPad's launch.

Apple has started sending out emails to Australian customers who may have been misled about the advertised "4G" capabilities of the new iPad.

Apple explains in the email that the new iPad is not compatible with Australian LTE or WiMAX networks, but does support "fast cellular networks" such as HSPA, HSPA+, and DC-HSDPA.

The offer for returns is a response to complaints by Australian regulators that Apple's use of the term "4G" in its Australian marketing may have misled some customers into thinking that the new iPad would work on Australian LTE/WiMAX networks.

Apple is allowing Australians who purchased the new iPad before March 28th to return it for a full refund.


In a new interview with Bloomberg Businessweek, Google co-founder and CEO Larry Page claims that Steve Jobs' war on Android was "for show", a move that served as a rallying point for Apple and its employees.

I think the Android differences were actually for show. I had a relationship with Steve. I wouldn’t say I spent a lot of time with him over the years, but I saw him periodically. [...]

I think [the fury around Android] served their interests. For a lot of companies, it’s useful for them to feel like they have an obvious competitor and to rally around that.

Page goes on to claim that he believes companies should not be looking at their competitors and instead should simply be doing their best to improve the world.

Jobs had mentored Page and Sergey Brin in Google's early days, and Jobs reportedly requested a meeting with Page last year after Page took over as CEO. According to Page, the two discussed the business of running a company during that amicable meeting. But Jobs made clear in his authorized biography that he intended to "destroy Android", threatening to wage "thermonuclear war" in an attempt to bring down what he viewed as a stolen mobile platform.

At least publicly, Page suggests that Jobs' position was somewhat more nuanced, with the two able to maintain a relationship while Jobs' anger toward Android included a bit of posturing to keep the rapidly-growing competitor at the forefront of Apple's attention.

Earlier today, we noted that nTelos Wireless, a CDMA carrier based in Waynesboro, Virginia, announced that it would begin carrying the iPhone 4S and iPhone 4 on April 20. Pricing for the device comes in at $50 below the standard pricing charged by Apple and the major national carriers.

We've been updating that article with mentions of several other carriers that have also announced iPhone launches for that date, and it is quickly becoming apparent that this is a rather significant coordinated rollout to small CDMA carriers. Among the carriers launching the iPhone on April 20:

- nTelos Wireless (Virginia)
- Alaska Communications (Alaska)
- Appalachian Wireless (Kentucky)
- GCI (Alaska)
- Cellcom (Wisconsin): Website updated with "coming soon" banner, and WSAW reports that April 20 is the launch date.
- Matanuska Telephone Association (Alaska)

With six small carriers having already announced today, we're also asking readers to let us know if they spot word of any others involved in this rollout.

Mississippi-based C Spire Wireless was the first regional carrier in the United States to begin offering the iPhone last November, and today's announcements represent a significant expansion of that channel. While the carriers announcing availability today represent only a small fraction of U.S. mobile phone users, the trend of making the iPhone available to these customers may help some of these carriers remain viable as the cellular marketplace continues to become increasingly dominated by the major carriers.

Update: GCI has confirmed to MacRumors that it will be offering the GSM version of all iPhone models, including the iPhone 3GS, which will be free with a two-year contract. The carrier operates both GSM and CDMA networks, and it was initially unclear on which network the latest iPhone models would run. All of the other carriers announcing today operate CDMA networks.


Though the new iPad was announced on March 7, Apple continues to advertise the iPad 2 in prime advertising real estate on top of the West 14th Street Apple Retail Store, as noticed by AdAge.

The billboards on top of the store, a flagship in the middle of the trendy Meatpacking District in New York City, were apparently included in the lease for the location. The billboards have always been advertising Apple products, since the opening of the store.

Though the 16GB iPad 2 is still for sale, it seems odd that Apple wouldn't be advertising its newest tablet on some of New York City's best advertising real estate. Click through to AdAge to see the full picture.

Last month, popular OS X alternative mail client Sparrow arrived on the iPhone -- but without "push email", something considered essential for a modern email client.

The reason Sparrow lacks push is related to which notification APIs Apple allows app developers to use, but the developer promises a fix in a blog post today about the new Sparrow version 1.1 update:

What’s up on Push?

Thanks to your amazing support, we feel confident that Apple might revise its position on the Push API. We’ll submit a first version of Sparrow 1.2 including it. This might delay Sparrow 1.2 validation but we’re already working with some partners to include Push in future versions of Sparrow without needing Apple clearance.

Push is coming. With or without Apple.

Sparrow for iPhone is available for $2.99 on the App Store. [Direct Link]

Apple subsidiary FileMaker today announced the launch of its new lineup of FileMaker 12 database applications, launching new themes and "Starter Solutions" to help users get up and running, as well as significantly enhancing integration with iOS devices.

"Databases only boost productivity if people genuinely enjoy using them," said Ryan Rosenberg, vice president, marketing and services, FileMaker, Inc. "Everyone wants a great database, but not everyone is a great designer. Let FileMaker 12 handle the design and you’ll create dazzling databases that are incredibly easy to use, on iPad, iPhone, desktop and the web."

Among the key new features in FileMaker 12:

- Over 40 new themes specifically designed to translate among desktop, iPad, and iPhone. New tools help users customize the default themes to create their own unique database documents.

- Sixteen rebuilt Starter Solutions provide templates upon which users can build their databases depending on the type of data being stored. As with themes, the templates can be easily customized to suit users' needs.

- Enhanced container fields for storing files within databases, improving performance and ease of use.

- Quick Charts for streamlining the process of creating new charts based off of database entries.

- Significantly enhanced iOS compatibility with free new FileMaker Go apps for iPad [App Store] and iPhone [App Store]. The new apps are compatible only with FileMaker 12, and the company continues to offer the $39.99/$19.99 FileMaker Go 11 apps for use with earlier versions of the software.

Pricing for FileMaker 12 on the desktop remains the same as in the previous version, with FileMaker Pro 12 priced at $299 for new users and $179 for upgrade users and FileMaker Pro 12 Advanced checking in at $499 and $299 respectively. The basic FileMaker Server 12 is priced at $999/$599, while FileMaker Server 12 Advanced carries a price tag of $2,999/$1,799. All versions are available today.

While Sprint is behind other major U.S. carriers Verizon and AT&T in its buildout of next-generation LTE networks, the carrier does appear to be preparing to maintain one advantage of its offerings as it makes the transition by continuing to offer unlimited data even for LTE devices.

The initial confirmation was picked up by TechHog, which noticed that the carrier was promoting LTE and unlimited data for the LG Viper, which is likely to be the first LTE device to launch on Sprint's network. From Sprint's LG Viper press release:

“LG Viper pairs perfectly with our unlimited data plans to bring customers the benefit of new technology, including our upcoming 4G LTE capabilities at a great price,” said David Owens, vice president-Product Development, Sprint.

Sprint representatives later confirmed to TechHog and Engadget that the carrier indeed plans to include LTE data in its unlimited "Everything" plans.

Sprint reported last week that its deal with Apple will allow it to launch an LTE iPhone at the same time as other carriers, with its likely smaller LTE coverage footprint not being a factor in its ability to offer such a device. Apple, which debuted LTE in the new iPad last month, is expected to bring the faster technology standard to the iPhone later this year.
