The Courts

Top EU Court Says Phone Data Cannot Be Held 'Indiscriminately' (reuters.com)

An anonymous reader quotes a report from Reuters: The European Union's top court ruled on Tuesday that national authorities cannot retain phone data in a "general and indiscriminate" manner, but could use specific information to tackle some very serious crime. The court ruled on a case brought by the Supreme Court in Ireland where a man sentenced in 2015 to life imprisonment for murder appealed, saying the court of first instance had wrongly admitted traffic and location data of telephone calls as evidence.

The Luxembourg-based Court of Justice of the EU (ECJ) on Tuesday said it was up to a national court there to decide whether the evidence was allowed. But it also said the bloc's members cannot have laws in place that would allow crime prevention through the "general and indiscriminate" retention of such data. Some circumstances, such as particularly serious crime regarded as a threat to national security, could justify data retention but only in a narrower scope or for a limited time.

Wireless Networking

Four Indigenous People Killed In 'Clash' With Venezuelan Military Over Wi-Fi (washingtonpost.com)

An anonymous reader quotes a report from the Washington Post: In the depths of the Amazon jungle, a dispute over WiFi turned deadly earlier this month when four Yanomami were killed in what the government is calling a "clash" between the Indigenous group and Venezuelan soldiers. On March 20, a group of Indigenous men approached soldiers at a military base in Parima B -- a remote part of the Venezuelan Amazon that borders Brazil -- to ask them for the WiFi password, according to five people with knowledge of the situation. The Indigenous community and the military had agreed to share the router, but the soldiers changed the password without the authorization of the Yanomami, igniting the conflict, said the five people, who spoke on the condition of anonymity to discuss a sensitive matter. Venezuelan Attorney General Tarek William Saab launched an investigation into what he referred to as a "clash" between the Venezuelan soldiers and the Yanomami. No information has been shared since the investigation started, and Saab did not answer questions from The Washington Post about the inquiry.

Cellphones

Samsung To Provide Smartphone Parts, Tools, and Repair Guides Starting This Summer (fastcompany.com)

Starting this summer, Samsung says it will sell genuine parts and tools to customers needed to repair its Galaxy S20 and Galaxy S21 smartphones, along with its Galaxy Tab S7+ tablet. Fast Company reports: The company, which is partnering with device repair resource iFixit on the initiative, will also provide access to step-by-step repair guides, and it plans to support more devices and repairs over time. The program is similar to one that Apple announced last fall, allowing users to repair the display, battery, and camera on their iPhones. Samsung says it's launching the program to "promote a circular economy and minimize e-waste," though it's just as likely responding to regulatory pressure. Last year, the Federal Trade Commission (FTC) said it would crack down on illegal repair restrictions, and iFixit expects dozens of states to introduce right-to-repair laws this year. [...]

But while phone makers may now feel compelled to supply repair parts and guides to consumers, that doesn't mean the repairs themselves will be any easier. According to iFixit's Galaxy S21 teardown, some repairs involve work that's "unnecessarily sticky and complicated," requiring a heat gun to pry open the display panel and an isopropyl alcohol bath to loosen the "tar pit" around the battery. At least customers brave enough to make those repairs won't have any trouble getting the parts and tools they need.

Wireless Networking

T-Mobile Begins Shutdown of Sprint 3G Network (theverge.com)

T-Mobile said Wednesday that its shutdown of Sprint's 3G network is proceeding as planned, beginning on March 31st. The Verge reports: As part of the shutdown process, the company said in a statement emailed to The Verge, it will migrate customers over the next 60 days "to ensure they are supported and not left without connectivity, and the network will be completely turned off by no later than May 31." Earlier reports suggested that the actual shutdown date was being pushed to May 31st, which would have been the second delay; originally, T-Mobile was going to phase out the network in January but said in October that it would extend the deadline to March 31st.

Iphone

Apple Stores Will Now Decline to Repair iPhones Reported as Missing (macrumors.com)

Apple Stores and Apple Authorized Service Providers will now be alerted if an iPhone has been reported as missing in the GSMA Device Registry when a customer brings in the device to be serviced, according to an internal memo obtained by MacRumors. From the report: If an Apple technician sees a message in their internal MobileGenius or GSX systems indicating that the device has been reported as missing, they are instructed to decline the repair, according to Apple's memo shared on Monday. The new policy should help to reduce the amount of stolen iPhones brought to Apple for repair. The GSMA Device Registry is a global database designed for customers to report their devices as missing in the event of loss or theft. The report notes that Apple Stores and Apple Authorized Service Providers "are already unable to service an iPhone if the customer cannot disable Find My iPhone."

Iphone

Conflict, Inflation Lead To Cuts In iPhone SE Production, Report Claims (itwire.com)

juul_advocate shares a report from iTWire: Apple's output of the iPhone SE will drop by a fifth in the coming quarter, indicating that the Russia-Ukraine conflict and fears of inflation have affected demand for the device, a report claims. The Nikkei Asia website reported that the company had been telling a number of suppliers that production orders for the next three months would be lower by about two or three million units. Orders for AirPods earphones were also down, by about 10 million units for the whole year, the website said, citing four unnamed individuals as sources. Apple announced the third-generation iPhone SE earlier this month at its "Peek Performance" event. It features the A15 Bionic chip, improved battery life, 5G connectivity, and a new camera system, among other things, for a starting price of $429.

Businesses

Apple Is Working on a Hardware Subscription Service for iPhones (bloomberg.com)

Apple is working on a subscription service for the iPhone and other hardware products, a move that could make device ownership similar to paying a monthly app fee, Bloomberg News reported Thursday, citing people with knowledge of the matter. From the report: The service would be Apple's biggest push yet into automatically recurring sales, allowing users to subscribe to hardware for the first time -- rather than just digital services. But the project is still in development, said the people, who asked not to be identified because the initiative hasn't been announced, Bloomberg News reports.

Iphone

Apple's iPhone Cameras Accused of Being 'Too Smart' (newyorker.com)

The New Yorker argues that photos on newer iPhones are "coldly crisp and vaguely inhuman, caught in the uncanny valley where creative expression meets machine learning...."

"[T]he truth is that iPhones are no longer cameras in the traditional sense. Instead, they are devices at the vanguard of 'computational photography,' a term that describes imagery formed from digital data and processing as much as from optical information. Each picture registered by the lens is altered to bring it closer to a pre-programmed ideal." In late 2020, Kimberly McCabe, an executive at a consulting firm in the Washington, D.C. area, upgraded from an iPhone 10 to an iPhone 12 Pro... But the 12 Pro has been a disappointment, she told me recently, adding, "I feel a little duped." Every image seems to come out far too bright, with warm colors desaturated into grays and yellows. Some of the photos that McCabe takes of her daughter at gymnastics practice turn out strangely blurry. In one image that she showed me, the girl's upraised feet smear together like a messy watercolor. McCabe said that, when she uses her older digital single-lens-reflex camera (D.S.L.R.), "what I see in real life is what I see on the camera and in the picture." The new iPhone promises "next level" photography with push-button ease. But the results look odd and uncanny. "Make it less smart — I'm serious," she said. Lately she's taken to carrying a Pixel, from Google's line of smartphones, for the sole purpose of taking pictures....

Gregory Gentert, a friend who is a fine-art photographer in Brooklyn, told me, "I've tried to photograph on the iPhone when light gets bluish around the end of the day, but the iPhone will try to correct that sort of thing." A dusky purple gets edited, and in the process erased, because the hue is evaluated as undesirable, as a flaw instead of a feature. The device "sees the things I'm trying to photograph as a problem to solve," he added. The image processing also eliminates digital noise, smoothing it into a soft blur, which might be the reason behind the smudginess that McCabe sees in photos of her daughter's gymnastics. The "fix" ends up creating a distortion more noticeable than whatever perceived mistake was in the original.

Earlier this month, Apple's iPhone team agreed to provide me information, on background, about the camera's latest upgrades. A staff member explained that, when a user takes a photograph with the newest iPhones, the camera creates as many as nine frames with different levels of exposure. Then a "Deep Fusion" feature, which has existed in some form since 2019, merges the clearest parts of all those frames together, pixel by pixel, forming a single composite image. This process is an extreme version of high-dynamic range, or H.D.R., a technique that previously required some software savvy.... The iPhone camera also analyzes each image semantically, with the help of a graphics-processing unit, which picks out specific elements of a frame — faces, landscapes, skies — and exposes each one differently. On both the 12 Pro and 13 Pro, I've found that the image processing makes clouds and contrails stand out with more clarity than the human eye can perceive, creating skies that resemble the supersaturated horizons of an anime film or a video game. Andy Adams, a longtime photo blogger, told me, "H.D.R. is a technique that, like salt, should be applied very judiciously." Now every photo we take on our iPhones has had the salt applied generously, whether it is needed or not....

The average iPhone photo strains toward the appearance of professionalism and mimics artistry without ever getting there. We are all pro photographers now, at the tap of a finger, but that doesn't mean our photos are good.

Desktops (Apple)

Has Apple's 'Pro' Branding Lost All Meaning? (theverge.com)

Does Apple have a "Pro" problem? "[Y]ears of Apple and competitors slapping the name onto wireless earbuds and slightly fancier phones have made it hard to tell what 'Pro' even means," argues The Verge's Mitchell Clark. It could be the reason behind Apple's recently-launched Mac "Studio." From the report: From the jump, Apple made it clear who the Mac Studio and Studio Display were for. It showed them being used by musicians, 3D artists, and developers in its presentation, and the message was clear: these are products for creative professionals or people who aspire to be creative professionals. You know, the same exact crowd it's targeted with MacBook Pro commercials for years. "My first thought was, 'Oh, I wonder when the iPhone Studio comes out,'" says Jonathan Balck, co-founder and managing director of ad agency Colossus, in an interview with The Verge. "Pro was exclusive, and it was about one way of doing things, but the whole culture is moving toward creativity," he adds while musing whether we could see Apple's Pro branding shift to become Studio branding instead.

[T]o me, the Mac Studio line is a clear successor to Apple's iMac Pro. Both computers are powered by monstrous CPUs and come standard with 10Gb Ethernet and a healthy crop of Thunderbolt and USB ports. I'm convinced that, had Apple released the new Studio even two years ago, it would've put "Pro" in the name. (Though, to play devil's advocate, I'm not as sure it would've done so for the Studio Display.) Some marketing experts tell me that the word "Pro" is starting to get long in the tooth, and not just from overuse. "The previous term Pro is, in my opinion, outdated and dry," says Keith Dorsey, founder and CEO of the creative marketing group and management company YoungGuns Entertainment. Balck agrees; "If you look at the word Pro, that is in many ways restrictive," he says in an interview, explaining that when you say a product is "professional," it evokes ideas like job interviews, portfolios, and standoffishness. Pro products, he says, come across as just for those who use creativity to get a paycheck.

The reason Apple may need to, though, is because it led the industry in thoroughly overusing the word "Pro" to the point where it's lost all meaning. It's hard to pinpoint where exactly this started (though, in my mind, it was with the two-port MacBook Pro model), but now the word gets slapped on everything. Want to sell wireless earbuds for even more money? Those are Pro earbuds now. Want to have a regular and fancy version of your phone? No problem, call the nice one the Pro. [...] But Apple's new word, "studio," seems to come ready-made to excite the company's target audience.

Censorship

'The Kremlin is Lying', Warn Text Messages Sent to Millions of Russian Cellphone Numbers (dailydot.com)

"People around the world are using a new website to circumvent the Kremlin's propaganda machine by sending individual messages about the war in Ukraine to random people in Russia," reports the Wall Street Journal.

"The website was developed by a group of Polish programmers who obtained some 20 million cellphone numbers and close to 140 million email addresses owned by Russian individuals and companies."

A Tuesday report from the Daily Dot: Created by the hacking group known as Squad303, the tool, hosted at the domain 1920.in, loads a pre-written statement into a user's native SMS app that attempts to inform Russians about the ongoing conflict.

"Dear Russians, your media is being censored. The Kremlin is lying," the statement reads. "Find out the truth about Ukraine on the free internet and in the Telegram app. Time to overthrow dictator Putin!"

In a statement to the Daily Dot, a member of Squad303 described the effort as a "non-violent communication project" aimed at bypassing Russia's crackdown on independent news sources.

The domain name for the tool refers to Poland's surprise victory against Russian forces in 1920.

"We know that people wanted to get engaged to help Ukrainians. We wanted to deliver them a tool to start a dialog with Russians," the group said.... Squad303 claims that its tool has already been used to send out more than 6.3 million text messages, although the Daily Dot was unable to confirm the number.

Network

Router and Modem Rental Fees Still a Major Annoyance Despite New US Law (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Consumer Reports wants the Federal Communications Commission to take a closer look at whether Internet service providers are complying with a US law that prohibits them from charging hardware rental fees when customers use their own equipment. In a filing submitted to the FCC this week, Consumer Reports said it asked members about their Internet bills and got over 350 responses, with some suggesting violations of either the letter or spirit of the law. "Some contain allegations that the law is being violated, whereas others state the new statute is being respected. Many more stories suggest that ISPs dissuade consumers from using their own equipment, typically by refusing to troubleshoot any service disruptions if consumers opt not to rent the ISP's devices. Such practices result in de facto situations where consumers feel pressured or forced to rent equipment that they would prefer to own instead," Consumer Reports told the FCC.

Consumer Reports' filing came in response to the FCC asking for public comment on the implementation of the Television Viewer Protection Act (TVPA), which took effect in December 2020. In addition to price-transparency rules for TV service, the law prohibited TV and broadband providers from charging rental or lease fees when "the provider has not provided the equipment to the consumer; or the consumer has returned the equipment to the provider." All the comments collected by Consumer Reports are available here. The FCC filing includes examples of complaints about AT&T, Comcast, Verizon, Charter Spectrum, Frontier, Windstream, and Cox, though the complaints weren't all about rental fees.

In its call for public input, the FCC asked for comment on "the extent to which (if at all) subject entities continue to assess charges for equipment that are expressly prohibited by the statute." [...] Consumer Reports said its questions for members were "designed to measure whether or not ISPs were in compliance... and also to solicit consumer opinion on whether or not it was difficult to use consumer-owned equipment versus renting those devices from the provider. Notably, neither of the two cable industry trade associations mentioned this issue in any detail in their comments filed last month at the Commission." Consumer Reports said that some of the responses "suggest the statute is not being complied with as vigorously as Congress intended... These allegations merit further investigation by the Commission." Consumer Reports offered to share contact information for the customers with the FCC so it can investigate further.

Iphone

Apple Announces New iPhone SE With A15 Bionic and 5G (macrumors.com)

At its "Peek Performance" event, Apple today announced the third-generation iPhone SE, featuring the A15 Bionic chip, improved battery life, 5G connectivity, a new camera system, and more, all for a starting price of $429. MacRumors reports: The new iPhone SE features the same 4.7-inch display as the current model, but now offers the toughest glass in a smartphone on the front and back -- the same as on the back of the iPhone 13 and iPhone 13 Pro. The device's new 12MP Wide camera system offers a range of improvements and computational photography features including Deep Fusion, Photographic Styles, Portrait Mode, and Smart HDR 4.

The new iPhone SE contains the same A15 Bionic chip from the iPhone 13 and iPhone 13 Pro. [...] The A15 Bionic also gives the new iPhone SE longer battery life than the previous-generation and older 4.7-inch iPhone models despite having a compact form-factor and 5G connectivity. It continues to support fast charging and be compatible with Qi-certified chargers for wireless charging.

Along with the new iPhone SE, Apple also unveiled the all-new Mac Studio and Studio Display, flagship M1 Ultra desktop processor, and updated iPad Air.

Cellphones

Samsung Says It Will Release An Update To Address App Throttling Issues (techcrunch.com)

In a statement to TechCrunch, a Samsung spokesperson said the company will release a software update to allow users to have more control over throttling. "Samsung has not provided details about when the update will roll out to users," notes the report. From the report: "Our priority is to deliver the best mobile experience for consumers. We value the feedback we receive about our products and after careful consideration, we plan to roll out a software update soon so users can control the performance while running game apps," a spokesperson from Samsung said in an email.

Samsung's promise follows reports that the tech giant's phones are throttling the performance of around 10,000 apps, as first reported by Android Authority, and via Twitter complaints, plus Samsung's Korean community forums. The company's Game Optimizing Service (GOS) software, which optimizes the performance of CPU and GPU to prevent excessive heating when playing a game for a long time, appeared to be at the core of the issue, but the list of affected apps wasn't limited to games. However, Samsung has disputed claims that Game Optimizing Service was throttling non-gaming apps. "The Game Optimizing Service (GOS) has been designed to help game apps achieve a great performance while managing device temperature effectively. GOS does not manage the performance of non-gaming apps," the spokesperson said.

Android

Samsung Is Reportedly Throttling the Performance of 10,000 Popular Apps (xda-developers.com)

A new finding suggests Samsung is throttling the performance of thousands of Android apps on Galaxy smartphones, including Google and Samsung's first-party apps. XDA Developers reports: Samsung has an app called Game Optimization Service that comes preinstalled on many Galaxy phones. Although the name suggests the app helps improve gaming performance, it's apparently being used to limit the performance of non-gaming apps. Users on the Korean tech forum Meeco have posted a list of affected apps that are subject to performance throttling. The list includes 10,000 popular apps, including Instagram, TikTok, Netflix, Microsoft Office, Google Keep, Spotify, Snapchat, YouTube Music, and more. Samsung's own apps such as Samsung Pay, Secure Folder, Bixby, and others are also on the list. Notably, there are no benchmark apps on this blacklist.

A video posted by a Korean YouTuber shows how blacklisted apps are subject to inferior performance while benchmark apps are given a free hand. In his test, the YouTuber changed the package name of the 3DMark benchmark app to Genshin Impact, one of the apps on the blacklist. The unmodified version of 3DMark scored 2618 points in the Wild Life Extreme test. When he ran the same test with the spoofed version, there was a significant drop in the score -- 1141 points. In other words, the spoofed version performed 56% worse than the unmodified version. It's not immediately clear if the Game Optimization Service app is installed on every Galaxy phone.

Samsung is reportedly aware of the issue and conducting an internal investigation. "While Samsung hasn't clarified why it's throttling Android apps, it's likely in an attempt to improve battery life," notes XDA.

The Internet

Meta Says Its Metaverse Ambitions Won't Be Possible Without Better Cellular Networks (cnbc.com)

Meta, formerly Facebook, has said that its grand ambition of building the ultimate "metaverse" won't be possible if there aren't drastic improvements in today's telecoms networks. CNBC reports: Dan Rabinovitsj, VP of connectivity at Meta, told CNBC at the Mobile World Congress tech event Monday that home networks and cellular networks aren't yet ready for the metaverse. "We're working closely with our colleagues to think about what's the next step in terms of innovation," he said, adding that Meta is also working with cellular partners. "If you really look at the pace of innovation in the telecom world, compared to other markets, it's been harder to go faster in this space," Rabinovitsj said. "One of the things that we've tried to change is that trajectory of innovation."

"We need to develop a common language around the performance of networks," Rabinovitsj said. "We're actually big believers in measurement as foundational in this next phase of work." Mark Zuckerberg, Meta's founder and CEO, said in a statement Sunday that "creating a true sense of presence in virtual worlds delivered to smart glasses and VR headsets will require massive advances in connectivity." Zuckerberg said this will need to be "bigger than any of the step changes we've seen before," adding that things like wide-scale immersive video streaming will take entirely new types of networks.

In response, Marc Allera, CEO of the consumer division of U.K. mobile network BT, told CNBC Wednesday that he expects the metaverse to place a strain on today's networks. However, he said the telecoms industry is spending billions on new technology. "When you stop and think about what you're able to do on a smartphone today, compared to 10 years ago, that's as a result of this industry and network operators investing huge amounts of money with no contribution made by content companies on these networks," Allera said ahead of a meeting with representatives from Meta. "I'll try and understand what their role in supporting this ecosystem is other than just asking what we're doing about it," he added.

Iphone

Apple Announces March 8 Event, With the Tagline 'Peek Performance' (cnbc.com)

Apple on Tuesday sent out invitations to the media for an event on March 8, with the tagline "Peek Performance." According to CNBC, the company is "expected to announce a new low-cost iPhone model" and a midrange iPad. From the report: Apple could announce a new low-cost iPhone with 5G support and a fingerprint reader, as well as a midrange iPad, according to media and analyst reports. The company currently offers a low-cost iPhone called the iPhone SE, which was introduced in the spring of 2020, and retails for $399. It's the most recent iPhone model with Apple's Touch ID fingerprint sensor. The new iPad is expected to be an updated version of the iPad Air, according to Bloomberg. That device was last updated in October 2020 and currently retails for $599.

Apple could also release iOS 15.4, the latest version of iPhone software, with several new features including the option to use facial recognition to unlock the device while wearing a mask, and the ability to accept contactless credit card payments without additional hardware.

Iphone

Volvo Ditches PCs and Paper In Favor of iPhone and Apple Watch (9to5mac.com)

Volvo has unleashed a big improvement in customer satisfaction after equipping its 1,500 service engineers with an Apple Watch to use during their day. What, on the face of it, seems a small change reflects extensive cultural change across the company, which is actively engaged in digital transformation across its business. Computerworld's Jonny Evans reports: Volvo has equipped its engineers (Personal Service Technicians) with an Apple Watch and iPhone (running the Volvo Service app) to help them work more efficiently than before. The company's primary focus is to improve customer service, as it recognizes that technicians are the main point of customer contact across the life of the Volvo they drive. So, how can an Apple Watch in a garage improve customer service?

- In use, the engineer will receive a Notification when a customer arrives at the garage with their car.
- The watch will show the customer's name, relevant notes, and car details.
- During the repair, engineers can access information -- and once the repair is complete, they can directly call the customer to tell them.
- They can also schedule and make a subsequent follow-up call.

The benefit is that with all this information being made available through the Watch (and accompanying iPhone app), engineers don't need to use printed records, or access a PC to stay up to date. That's not only time-consuming, but learning how to use these systems takes up time. The company told me it took up to 6 months to train new recruits on the 15 different IT systems Volvo used before. Now, thanks to smart analysis and smart integration of legacy systems, what technicians need to know is always with them. The result is that paperwork doesn't disappear, technicians/engineers can stay focused, essential customer contact records aren't lost and engineers always have clarity and purpose. It all sounds so simple. It should sound simple. But it isn't simple. [...]

The project is already generating positive results. The company told me that 80% of technicians who use the app have increased their total customer satisfaction scores. Volvo also cites a 30% increase in post-service follow up calls and emails to customers, thanks to the tech pushing complex processes out of the way. Digitalization Director Markus Lundstrom said: "With the Volvo Service app we're connecting people through technology. At one workshop, customers report a 37% improvement in the ability to access their Personal Service Technician." The company also reported a 40% decrease in paper printouts. Volvo is also seeing the technicians use their new kit to get other tasks done. "Some of our teams use the Walkie-Talkie feature to communicate with each other across the facility," they said.

Cellphones

Samsung Shattered Encryption On 100 Million Phones (threatpost.com)

Samsung shipped an estimated 100 million smartphones with botched encryption, including models ranging from the 2017 Galaxy S8 on up to last year's Galaxy S21. Threatpost reports: Researchers at Tel Aviv University found what they called "severe" cryptographic design flaws that could have let attackers siphon the devices' hardware-based cryptographic keys: keys that unlock the treasure trove of security-critical data that's found in smartphones. What's more, cyber attackers could even exploit Samsung's cryptographic missteps -- since addressed in multiple CVEs -- to downgrade a device's security protocols. That would set up a phone to be vulnerable to future attacks: a practice known as IV (initialization vector) reuse attacks. IV reuse attacks screw with the encryption randomization that ensures that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts will each be distinct.

The design flaws primarily affect devices that use ARM's TrustZone technology: the hardware support provided by ARM-based Android smartphones (which are the majority) for a Trusted Execution Environment (TEE) to implement security-sensitive functions. TrustZone splits a phone into two portions, known as the Normal world (for running regular tasks, such as the Android OS) and the Secure world, which handles the security subsystem and where all sensitive resources reside. The Secure world is only accessible to trusted applications used for security-sensitive functions, including encryption.

Matthew Green, associate professor of computer science at the Johns Hopkins Information Security Institute, explained on Twitter that Samsung incorporated "serious flaws" in the way its phones encrypt key material in TrustZone, calling it "embarrassingly bad." "They used a single key and allowed IV re-use," Green said. "So they could have derived a different key-wrapping key for each key they protect," he continued. "But instead Samsung basically doesn't. Then they allow the app-layer code to pick encryption IVs." The design decision allows for "trivial decryption," he said.

Samsung responded to the academics' disclosure by issuing a patch for affected devices that addressed CVE-2021-25444: an IV reuse vulnerability in the Keymaster Trusted Application (TA) that runs in the TrustZone. Keymaster TA carries out cryptographic operations in the Secure world via hardware, including a cryptographic engine. The Keymaster TA uses blobs, which are keys "wrapped" (encrypted) via AES-GCM. The vulnerability allowed for decryption of custom key blobs. Then, in July 2021, the researchers revealed a downgrade attack -- one that lets an attacker trigger the IV reuse vulnerability from a privileged process. Samsung issued another patch -- to address CVE-2021-25490 -- that removed the legacy blob implementation from devices including Samsung's Galaxy S10, S20 and S21 phones.
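As an added illustration of the design flaw described above (not Samsung's Keymaster code and not the researchers' own), the Go program below wraps key material with AES-GCM two ways: under a single key-encryption key with an IV the caller chooses, and with a wrapper that draws its own random nonce. The KEK, IV and key bytes are constructed sample values, and keystreamReused is a test-time check, not anything a device would ship.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-GCM AEAD for a 16/24/32-byte key-encryption key (KEK).
func newGCM(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// weakWrap models the flawed design: one long-lived KEK and an IV that the
// (untrusted) caller supplies. Repeating the IV repeats the GCM keystream.
func weakWrap(kek, iv, keyMaterial []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	if len(iv) != gcm.NonceSize() {
		return nil, errors.New("iv must be exactly one GCM nonce in length")
	}
	return gcm.Seal(nil, iv, keyMaterial, nil), nil
}

// safeWrap draws a fresh random nonce inside the wrapper and stores it in
// front of the ciphertext; the caller has no way to choose or repeat it.
func safeWrap(kek, keyMaterial []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag after the nonce, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, keyMaterial, nil), nil
}

// safeUnwrap splits off the nonce and authenticates the blob before use.
func safeUnwrap(kek, blob []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// keystreamReused is a test-time check for the flaw: GCM encrypts with
// AES-CTR, so two blobs made under the same KEK and nonce satisfy
// ct1 XOR ct2 == pt1 XOR pt2 over the plaintext-length prefix.
func keystreamReused(ct1, ct2, pt1, pt2 []byte) bool {
	n := len(pt1)
	if len(pt2) < n {
		n = len(pt2)
	}
	if len(ct1) < n || len(ct2) < n {
		return false
	}
	for i := 0; i < n; i++ {
		if ct1[i]^ct2[i] != pt1[i]^pt2[i] {
			return false
		}
	}
	return true
}

func main() {
	kek := bytes.Repeat([]byte{0x42}, 32) // constructed 256-bit KEK
	iv := []byte("fixed-iv-12b")          // constructed 12-byte caller-chosen IV
	k1 := bytes.Repeat([]byte{0x11}, 32)  // two constructed keys to wrap
	k2 := bytes.Repeat([]byte{0x22}, 32)

	w1, _ := weakWrap(kek, iv, k1)
	w2, _ := weakWrap(kek, iv, k2)
	fmt.Println("weak wrap leaks k1 XOR k2:", keystreamReused(w1, w2, k1, k2))

	s1, _ := safeWrap(kek, k1)
	s2, _ := safeWrap(kek, k1)
	fmt.Println("safe wraps of the same key differ:", !bytes.Equal(s1, s2))
}
```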

Privacy

Behind the Stalkerware Network Spilling the Private Phone Data of Thousands (techcrunch.com)

An anonymous reader quotes a report from TechCrunch, written by security editor Zack Whittaker: Consumer-grade spyware is often sold under the guise of child monitoring software, but also goes by the term "stalkerware" for its ability to track and monitor other people or spouses without their consent. Stalkerware apps are installed surreptitiously by someone with physical access to a person's phone and are hidden from home screens, but will silently and continually upload call records, text messages, photos, browsing history, precise location data and call recordings from the phone without the owner's knowledge. Many of these spyware apps are built for Android, since it's easier to plant a malicious app than on iPhones, which have tighter restrictions on what kind of apps can be installed and what data can be accessed. Last October, TechCrunch revealed a consumer-grade spyware security issue that's putting the private phone data, messages and locations of hundreds of thousands of people, including Americans, at risk. But in this case it's not just one spyware app exposing people's phone data. It's an entire fleet of Android spyware apps that share the same security vulnerability.

On the front line of the operation is a collection of white-label Android spyware apps that continuously collect the contents of a person's phone, each with custom branding, and fronted by identical websites with U.S. corporate personas that offer cover by obfuscating links to its true operator. Behind the apps is a server infrastructure controlled by the operator, which is known to TechCrunch as a Vietnam-based company called 1Byte. TechCrunch found nine nearly identical spyware apps that presented with distinctly different branding, some with more obscure names than others: Copy9, MxSpy, TheTruthSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker and GuestSpy. Other than their names, the spyware apps have practically identical features under the hood, and even the same user interface for setting up the spyware. Once installed, each app allows the person who planted the spyware access to a web dashboard for viewing the victim's phone data in real time -- their messages, contacts, location, photos and more. Much like the apps, each dashboard is a clone of the same web software. And, when TechCrunch analyzed the apps' network traffic, we found the apps all contact the same server infrastructure. But because the nine apps share the same code, web dashboards and the same infrastructure, they also share the same vulnerability.

The vulnerability in question is known as an insecure direct object reference, or IDOR, a class of bug that exposes files or data on a server because of sub-par, or no, security controls in place. It's similar to needing a key to unlock your mailbox, but that key can also unlock every other mailbox in your neighborhood. IDORs are one of the most common kinds of vulnerability [...]. But shoddy coding didn't just expose the private phone data of ordinary people. The entire spyware infrastructure is riddled with bugs that reveal more details about the operation itself. It's how we came to learn that data on some 400,000 devices -- though perhaps more -- have been compromised by the operation. Shoddy coding also led to the exposure of personal information about its affiliates who bring in new paying customers, information that they presumably expected to be private, and even about the operators themselves.

After emailing 1Byte with details of the security vulnerability, the email address was shut down along with "at least two of the branded spyware apps," according to TechCrunch. "That leaves us here. Without a fix, or intervention from the web host, TechCrunch cannot disclose more about the security vulnerability -- even if it's the result of bad actors themselves -- because of the risk it poses to the hundreds of thousands of people whose phones have been unknowingly compromised by this spyware."
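What an IDOR looks like in code, and what closes it, as an added example for this summary (not TechCrunch's findings and not the spyware's own source, which was not published): a record store keyed by a numeric device id, a lookup that trusts the id without consulting the caller's identity, the fixed lookup that binds the id to the authenticated account, and a small detector that runs over constructed access-log lines to flag an account that keeps hitting ids it does not own. The account names, ids and log format are all made up for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Record is one captured device's data, owned by the account that registered it.
type Record struct {
	Owner   string
	Payload string
}

// Constructed sample store; nothing here comes from a real deployment.
var store = map[int]Record{
	1001: {Owner: "acct-a", Payload: "messages from device 1001"},
	1002: {Owner: "acct-b", Payload: "location history for device 1002"},
	1003: {Owner: "acct-b", Payload: "photos from device 1003"},
}

var ErrForbidden = errors.New("forbidden")

// FetchInsecure is the IDOR shape: the id comes straight from the request and
// the requester's identity is never consulted, so any logged-in account can
// read every other account's records simply by asking for their ids.
func FetchInsecure(requester string, id int) (string, error) {
	rec, ok := store[id]
	if !ok {
		return "", ErrForbidden
	}
	return rec.Payload, nil
}

// FetchSecure ties the lookup to the authenticated account. A missing record
// and a record owned by someone else return the same error, so the response
// does not confirm which ids exist.
func FetchSecure(requester string, id int) (string, error) {
	rec, ok := store[id]
	if !ok || rec.Owner != requester {
		return "", ErrForbidden
	}
	return rec.Payload, nil
}

// ForbiddenProbes scans access-log lines in the constructed format
//   "<account> GET /api/device/<id> <status>"
// and returns, per account, how many distinct ids produced a 403. One account
// collecting 403s across many ids is the signature of someone walking the id
// space, which is the traffic a fixed endpoint should be alerting on.
func ForbiddenProbes(lines []string) map[string]int {
	seen := map[string]map[string]struct{}{}
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 4 || f[3] != "403" {
			continue
		}
		id := strings.TrimPrefix(f[2], "/api/device/")
		if _, err := strconv.Atoi(id); err != nil {
			continue // not a device lookup
		}
		if seen[f[0]] == nil {
			seen[f[0]] = map[string]struct{}{}
		}
		seen[f[0]][id] = struct{}{}
	}
	out := map[string]int{}
	for acct, ids := range seen {
		out[acct] = len(ids)
	}
	return out
}

func main() {
	p, err := FetchInsecure("acct-a", 1002)
	fmt.Printf("insecure: acct-a reads device 1002 -> %q err=%v\n", p, err)
	p, err = FetchSecure("acct-a", 1002)
	fmt.Printf("secure:   acct-a reads device 1002 -> %q err=%v\n", p, err)
	logs := []string{ // constructed sample log
		"acct-a GET /api/device/1001 200",
		"acct-a GET /api/device/1002 403",
		"acct-a GET /api/device/1003 403",
		"acct-b GET /api/device/1002 200",
	}
	fmt.Println("distinct forbidden ids per account:", ForbiddenProbes(logs))
}
```

The point of returning the same error for "not found" and "not yours" in `FetchSecure` is that an enumeration of the id space then tells the caller nothing about how many devices exist, which is exactly the kind of operational detail the story says the spyware's bugs gave away.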

In a separate report, security editor Zack Whittaker explains how one can remove common consumer-grade spyware.

Media

Qualcomm Will Support AV1 Video Codec In 2023, Report Says (arstechnica.com) 36

Protocol reports that Qualcomm will finally jump on the AV1 video codec bandwagon next year. Ars Technica reports: AV1 is the web's next open, royalty-free video codec, and widespread adoption will require hardware support from the world's chip vendors. Qualcomm's 2022 flagship SoC, the Snapdragon 8 Gen 1 chip, doesn't support AV1. Samsung's Exynos 2200 managed to ship the video codec this year in international versions of the Galaxy S22, while the MediaTek Dimensity 1000 SoC has been shipping in phones for over a year now with AV1 support. Apple is a founding member of the AV1 Alliance, but its devices also don't support the codec yet.

The report says Qualcomm's "upcoming flagship Snapdragon mobile processor" -- model number "SM8550" -- will support AV1. That would probably be called the "Snapdragon 8 Gen 2" SoC, due out in 2023. Wide adoption of AV1 seems inevitable, though it is taking a while. The codec is a successor to Google's VP8 and VP9 codecs and is being built by the Alliance for Open Media. The alliance's lineup is a who's who of tech companies, with founding members like Amazon, Apple, ARM, Facebook, Google, Intel, Microsoft, Mozilla, Netflix, Nvidia, and Samsung. Netflix and Google's YouTube are both making AV1 support "a requirement" for future products that want to support either video service. That should motivate just about every hardware and software vendor out there to get the job done.

The report also notes that, aside from being open source and royalty-free, the newer AV1 codec has the benefit of being 30% more efficient than H.265.
