Browser MetaData Leakage

I read this recent post by Dr. Neal Krawetz with some wonder and amazement.

• One Smart Cookie - The Hacker Factor Blog

He followed that one up with another related post, Just Browsing. See also his Invasion of Privacy post for browser fingerprinting and some perspective on “private/incognito” browsing session tracking.

The identification that (in some cases) your cellphone carrier could be adding extra headers to your smart-device information requests is not shocking in this day and age. But that it could contain (leak) your personally identifiable cell phone number was quite a surprise!

From Dr. Krawetz’s post:

Consumer Cellular has agreements to use T-Mobile and AT&T networks. If my cellphone uses the T-Mobile network, then no extra headers are added to my HTTP requests. However, if my phone uses AT&T's network, then AT&T appends a lot of personal information to every HTTP request:

• X-Att-Imsi: This is my International Mobile Subscribed Identity and is unique to my phone.
• X-Att-Plmn-Id: This contains my MCC+MNC code; that's the mobile country code (MCC) and mobile network code (MNC). These values identify the country and carrier. For example, MCC 310 is the United States, and MNC 410 in the United States is Cingular Wireless (now AT&T).
• X-Up-Calling-Line-Id: This contains my cellphone number. Seriously: AT&T sends my direct cellphone number to every website my phone visits. Looking over my web server logs, I see other people who have been through this same path. Thanks to AT&T, I have direct phone numbers for people in Portland, Oregon and Cincinnati, Ohio and Roanoke, Virginia and... I'm actually surprised that my cellphone hasn't received more telemarketer calls.
• X-Up-Subno: This very-disturbing field includes a timestamp that shows when (down to the second) I signed up with Consumer Cellular.

That got me looking for more information and I didn’t find much.

This circa 2012 post goes into some additional details:

• Why are websites getting your mobile-phone number? – TechRepublic

It points to a test web page maintained by the interviewed researcher Collin Mulliner that can show some of your browser headers:

• MNO Privacy Checker – Colin Mulliner

Running several tests with my cellular devices (with Wi-Fi disabled to force the data cross AT&T’s network) came back “clean” of any PII meta data; at least as far as this particular test was able to detect.

More information on the project and issue details here: HTTP Header Privacy info page

• Is your mobile phone giving out your phone number? – Computerworld (2010)

It was noted by the post author that the issue was with “medium-price-ranged” phones that needed a Web proxy to reformat Web content. And that iPhones and Androids do not do this.

I do plan to hit this Choices and Controls | AT&T Privacy Policy site with my devices as well to then “opt-out” of several of their analytics services listed there.

Finally, Martin Brinkmann at ghacks.net has an astounding roundup of links related to online privacy checkers.

• The ultimate Online Privacy Test Resource List - gHacks Tech News

That one is a keeper in your bookmarks.

Constant Vigilance!

--Claus Valca

Miscellaneous Apple bites

Looks like I am literally picking low-hanging fruit from my “to-blog” tree branches.

I previously reported this on my the struggles GSD post but am reposting here for topic inclusion.

The takeaway was to quit Process Explorer. I’ve seen a few other software installations where I have needed to close out Process Explorer entirely to make sure it doesn’t get in the way of some installations. Weird.

Of course, iTunes wanted to be updated, so I used the Apple Software Updater but it complained about the “iPod Service” not being able to start so the install kept failing. I then tried to download and run the iTunes package rather than using the updater but that failed at the same point.
I found this post Service ‘iPod Service’ (iPod Service) could not be installed... over in the Apple Support forums and followed “rickybpta” steps.

• close SysInternals's Process Explorer ( if you have it and it's open )
• close all Task Manager(s)
• close Windows Services console ( services.msc )
• close all command prompts ( cmd.exe )
• open a cmd.exe as Admin
  • run: sc create "iPod Service" binpath= "C:\Program Files\iPod\bin\iPodService.exe"
  • close all command prompts ( cmd.exe )
• open Windows Services console ( services.msc )
  • look for "iPod Service", see if it's not Disabled. If so, start it
  • close Windows Services console ( services.msc )
• Run iTunes.msi again ( previously downloaded via the Apple Software Update's Only Download function )

That did the trick and it went on without any other fuss.

I had purchased a Yeti Blue USB microphone a while back to up my audio recording game. I had hoped to be able to eventually use it with my iPad/iPhone but there were some challenges reported so I’ve just stuck it out with my Windows 7 laptops where it has done a rocking-cool job of upping my audio game. Couple that with Audacity and The Levelator from The Conversations Network and while I am no audio-engineer, I can do a fine good job for most recording needs.

So it was exciting to see this news:

• The iPhone can use the Lightning to USB adapter with iOS 9.2 - iMore
• Lightning to USB Camera Adapter – Apple
• How to import your DSLR or other camera's photos to your iPhone or iPad – iMore
• Lightning to SD Card Camera Reader – Apple

I need to update this post Claus’s iPhone App List - Updated 01/2014 as I’ve gone through some serious changes with the iOS apps I carry. I have purchased more than a few as well…so they must be that good! “Hey Siri! Remind me to update that post!”

Apps of note to get (or are recommended)

Music Memos – Apple – This one looks interesting but I’m not sure it might really meet my audio-recording needs on my Apple gear.

GarageBand for iOS – Apple – This looked good too, but maybe there is a better audio mixing app for “studio” mixing.

Due – Apple App Store – This is the best reminder/count-down timer/recurring event reminder app ever. Period. Buy it.

Round – Apple App Store – Because Due doesn’t currently handle recurring reminder events of less than a day (that I am aware of), you can’t yet use it to set medication dosing reminders. This looks to be designed specifically for that need.

Mighty Timer – Apple App Store – free app to help with brewing your tea. Alvis and her husband gave Lavie and I some very nice porcelain cups along with some fancy Matcha style tea. It has to be brewed very carefully but is super good!

Cheers.

--Claus Valca

Stuff (being considered or obtained)

I don’t make a whole lot of “hardware” recommendations.

I don’t run ads or product click-through links on the blog that give me any benefit for your purchase.

So with that in mind, these are some recent purchases I’ve made that I have been very pleased with.

Or are links to hardware that I’m reviewing and considering picking up (for my reference).

Just passing them on in case you are interested.

Claus recommended gear:

• MEKO™ 2Pcs [2 in 1 Precision Series] Disc Stylus/Styli - Amazon.com - As an iPad/iPhone user, there are some applications that my finger tip (or that darned soft-pad tip stylus) just won’t do for, sketching and note-taking apps for example. I found this two-pack for a fine-tip stylus for $10 that was too good not to try. I’m blow away!  The fine-point tip is a weird looking contraption but it works like a dream - even though my Spiegen screen protector.  I love this thing!  It is a dual-tip with the fine-point on one end and the large squishy capacitive fabric tip on the other. With several spare tips included. The only “complaint” I have is that it didn’t come with a pocket clip. I salvaged on off a drafting pen barrel (like the kind you got as a kid to attach to your pencil if you were a geek). That works fine enough on it for my needs.  Seriously, if you use a stylus for an iPad/iPhone, give this one a shot. It’s cheaper than most you can pick up in a store and super-high quality.
• Kanguru FlashBlu30 (32GB) with Physical Write Protect Switch SuperSpeed USB3.0 Flash Drive ALK-FB30-32G - Amazon.com - My USB 2.0 16 GB Kanguru FlashBlu stick was showing it’s age. I’ve almost maxed out the capacity, lost the cap and broke the little plastic loop on the end. It still works but is battered and I need to check with Kangaru to see if they could send me a replacement clear cap and white loop end. Anyway, the 64 GB was what I really wanted but the price was pretty high for a budget dude like me. So I picked up the 32 GB version as a compromise. USB 3.0 with physical write-protect switch for when I am responding to an infected system. Can’t beat Kanguru brand!
• Netac U335 USB 3.0 64G Write Protection Flash Drive - Amazon.com - or maybe you can?  This 64 GB write-protected USB 3.0 stick was a crazy $30! Compare that to the $40 32 GB version I bought above.  I picked it up on a whim for the extra capacity and have been very impressed with the quality and performance.  It won’t (quite yet) replace my trusty Kanguru USB’s with their (mostly) aluminum bodies. Only complaint so far was that it didn’t include a lanyard and is could be easy to misplace the cap/ That said, it was an awesome value!

Stuff I’m researching for future upgrades:

• Review: TP-Link AC3200 (Archer C3200) Wireless Router - Scott Hanselman
• D-Link AC3200 ULTRA Wireless Router Review and Giveaway - MakeUseOf blog
• The Best Wi-Fi Router (for Most People) - The Wirecutter
• The Best Powerline Networking Kit - The Wirecutter
• The Best Cable Modem - The Wirecutter
• Five Best USB 3.0 Flash Drives - Lifehacker - well, not really but since we were talking about USB drives earlier, here are what the hive-mind recommends.

I’m still quite pleased with the performance of my D-Link DIR-655 router. Performance is good on our laptops and Apple devices. It has been rock-solid dependable and there are still very occasional firmware updates offered.

That said, I’ve had it so long I don’t know if I would actually be getting better performance on another “modern” device.

On top of that it just WILL NOT authenticate to my first gen Chromecast stick. Not at all. Period. I can see my network on the Chromecast, I can put in my authentication information, but it will NOT authenticate to the WiFi. Grrr.

To get my Chromecast connected to our network, I have to first connect my portable D-Link DAP-1350 Wireless N Pocket Router to my DIR-655 and then connect the Chromecast to that one. Seriously a headache and it prevents me from leaving my Chromecast connected all the time as I don’t leave the DAP-1350 online full time.

Anyway, there is the stuff and what I’m considering.

I’d love to hear your comments or recommendations as well!

Cheers.

--Claus Valca

iOS Security News

It’s hard enough keeping current on just the Windows security ecosystem. Now that we are iOS mobile device users as well, there is a whole second ecosystem to keep a security eye on. Of course, those devices have software and need to communicate so there are those layers as well to monitor for security awareness.

So here are a round of articles and tools involving iOS security findings of late.

• 1,500 iOS apps have HTTPS-crippling bug. Is one of them on your device? - Ars Technica
• Critical HTTPS bug may open 25,000 iOS apps to eavesdropping attacks - Ars Technica

Per that second Ars Technica article by Dan Goodin, each are different bugs but both involve components of AFNetworking,

“an open-source code library that allows developers to drop networking capabilities into their iOS and OS X apps. Any app that uses a version of AFNetworking prior to the just-released 2.5.3 may expose data that's trivial for hackers to monitor or modify, even when it's protected by the secure sockets layer (SSL) protocol. The vulnerability can be exploited by using any valid SSL certificate for any domain name, as long as the digital credential was issued by a browser-trusted certificate authority (CA).”

• SSL MiTM attack in AFNetworking 2.5.1 - Do NOT use it in production! - Minded Security Blog - a more technical breakdown of the security issues. According to the post, the issue has been fixed in a newer 2.5.2 version of their library code. However it still requires developers to update their apps and get them on user’s devices where installed.
• iOS Code Report - SourceDNA’s searchable database to see if your iTunes Developer has released app(s) that remain vulnerable to the weaker code.
• SSL Analysis: Now With More Pinning - SourceDNA | Code Transparency for iOS & Android Apps, SDKs - SourceDNA Blog

This database reminded me of the ZAP - Zscaler Application Profiler that I had previously come across. It remains a great tool to look up the security of an iOS (or Android) application before -- or after -- you install it on your device.

From the “About” page link:

About ZAP

Zscaler Application Profiler (ZAP) is web based tool designed to streamline the capture and analysis of HTTP(S) traffic from mobile applications. ZAP is capable of analyzing traffic from both iOS and Android applications and includes the following functionality:

• Search: View summarized historical results for past scans.
• Scan: Proxy traffic from a mobile device through the ZAP proxy and the mobile app traffic will be automatically captured and analyzed
• iPCU: Upload your iOS device configuration file(.deviceinfo) to check risk score of installed application. It will give you overall risk score of your device. The information provided is based on out knowledge base.

ZAP classifies traffic into the following buckets and calculates an overall risk score for the application:

• Authentication: Username/password sent in clear text or using weak encoding methods.
• Device Metadata Leakage: Data that can identify an individual device, such as the Unique Device Identifier (UDID).
• Personally Identifiable Information Leakage: Data that can identify an individual user, such as an email address, phone number or mailing address.
• Exposed content: Communication with third parties such as advertising or analytics sites.

Zscaler also has a detailed video on this service on their blog: Zscaler Research: Introducing ZAP.

1. Check their historical report data on apps already researched, or
2. Connect your device to their proxy to do a scan on a new app/version not already captured historically, or
3. Upload your own iOS device config file.

Meanwhile on the far side of the globe, web security/developer Troy Hunt has been hard at work finding issues with additional iOS apps down under. His reviews provide great learning material to extend across other iOS application reviews closer to home.

• Troy Hunt: Mobile app privacy insanity – we’re still failing massively at this - Troy’s latest post examines some extreme data tracking methods used in iOS applications that should be cause for concern.
• Unearthing the hidden shortcomings in Aussie mobile app security - an earlier (but still related) post by Troy Hunt.
• Troy Hunt: Secret iOS business; what you don’t know about your apps - an earlier (but still related) post by Troy Hunt.

Troy offers a free Pluralsight course to help get into the issues around mobile app security, Hack Your API First – Pluralsight Training

Finally, here is a guide from the Telerik crew on how to use Fiddler to Capture Traffic from iOS Device

Constant Vigilance!

Claus Valca

Tiny iOS News - Outlook for iOS & Firefox mockup

I don’t think this update actually solves a core issue with the Outlook for iOS app. But it does signal to me that the development team for the product is at work so maybe a more secure solution could be coming, eventually.

• Outlook for iOS finally with IMAP Support - Cachys Blog (Google Translated)
• Microsoft Outlook - Apple App Store

The other thing (I think) I am waiting for is a Firefox app for iOS. Unfortunately, the way I understand it, third-party iOS browsers still need to use the browser rendering engine from Apple. So even though I use Chrome for iOS, at the core it is still powered the same as Safari for iOS.  Firefox has to comply as well.

• Mock-up: Firefox for iOS - Cachys Blog (Google Translated)

There isn’t a good way to tell if the final product will look anything like these images. I’m not really certain I like the result; seems very busy with all the different modal views.

Still, I’ll give it a shot if/when the final product comes out.

I do like the Chrome iOS feature that allows me to synchronize my settings and bookmarks between the iPad and iPhone. That is handy and looking at one of the rows of screenshots, Mozilla will have a similar feature in their release.

Cheers,

--Claus Valca

Fallout continues on the Outlook mobile app

I didn’t really bring my waders out so I’m remaining on the bank for now but here are some updates to the Outlook (Acompli-based) mobile app chatter.

If you are new to the discussion…maybe refer to this past GSD post: Outlook iOS App – Nice try but with caveats

First, Microsoft has released an update to their app to bring it to 1.0.2. Mostly UI and some feature/bug fixes.

• Outlook for the iPhone and iPad adds advanced settings and more – iMore
• Outlook for iOS available in a new version – Caschys Blog (Google translated page)

OK, René Winkelmeyer hasn’t had any new blog posts on the subject, but remains very (kindly) engaged in the comments on his last blog post on the issue; Updates on the latest Outlook iOS App issues. So keep dropping in there for now to see where the discussion is going.

Apparently the European Union Parliament's IT department has decided that the Outlook app isn’t ready for prime-time use by it’s supported user base.

• Outlook app: blocked in EU Parliament for IT security – Borns IT and Windows Blog (Google translated page)
• Safety deficiencies: MEPs not use Outlook for iOS – Caschys Blog (Google translated page)

My 2¢ ?

I continue to use it on my personal phone with a throwaway Outlook.com account just to use for testing the app. I’m still not using it now for any of my core personal email accounts, nor would I even consider using it – no matter how much better the GUI is than the stock iOS mail app – on my work-issued & MDM administered phone.

Cheers,

--Claus Valca

Outlook iOS App – Nice try but with caveats

This week Microsoft released a “new” iOS app for Outlook.

Microsoft Outlook - App Store on iTunes

As I understand it, it is based on a previous “Acompli” iOS app purchased by Microsoft.

Nevertheless, it is slick, allows you to see multiple email accounts in a unified inbox, does some magic to try to sort mail into various groupings for easy processing, etc.

I downloaded it and it worked great for my Outlook accounts.

Here are more articles and details.

• A deeper look at Outlook for iOS and Android - Office Blogs
• Office everywhere: More great news for Office on iOS and Android - The Official Microsoft Blog
• Frequently asked questions about Outlook for iOS and Android – Microsoft
• Microsoft Outlook App Released for iOS and Android Devices - Next of Windows
• RELEASE: Outlook for iOS (RTM) & Outlook for Android (Preview) - Kurt Shintaku's Blog
• Microsoft launches Outlook for iOS and Android – BetaNews
• Outlook for iPhone and iPad is here — Office fans rejoice! – iMore
• Acompli-based Outlook for iOS, Android promises to do more in 24 seconds - Ars Technica

However, there are some potential security concerns..both for those who might like to use it with their corporate Outlook accounts and for standard users as well.

I can’t recommend using it (just yet) with any work-based accounts, nor would I consider using it on a workplace issued iPhone. At least not until more work is done.

If you are curious about the security fuss, take a look at these articles and choose accordingly.

• Warning – Microsofts Outlook app for iOS breaks your company security - {rene.winkelmeyer} - IBM Champion
• Updates on the latest Outlook iOS App issues -{rene.winkelmeyer} - IBM Champion
• Outlook for iOS app "breaks" corporate security, developer says - ZDNet
• Outlook Mobile in criticism – Caschys Blog (Google Translated page link)

I’m going to play with the the app some more for now with a toss-away Outlook account to get more familiar with the product.

I really like what I see but I’m just not sure about the security concerns just yet. I need to hear more debate and see more data before becoming convinced.

Constant Vigilance!

Clause Valca

A New (old) iPhone for Claus

IT Lavie went out a few months ago and (on her own) upgraded her iPhone 4 to a new iPhone 6 (16GB) model.  She enjoys it very much and the storage space is now double from what her model 4 had. She looked at the Plus model but settled on the standard 6 size. Compared to the 4, the size of the 6 was a pretty big jump in itself.

I’ve spent some time on it (while doing the migration support for her) and while the technical details of it are very nice, I haven’t been overwhelmed by either the more rounded styling nor the feel of it.

All that to say I much prefer the more solid and “blocky” feel of my older iPhone 5 unit. Plus the 64 GB storage size is super-duper.

And will all that said, a few weeks ago I got a new iPhone for free.

There I was a work on my lunch hour relaxing and closing out my RSS feed review. As I went to tuck it away I noticed that the screen seemed to be a bit “proud” of the bumper case edging. Currently I’m rocking a very trim Spigen iPhone 5 Case Neo Hybrid in the bright red. It is super trim and just a touch flashy with a soft polymer cover. I assumed I had just pushed the phone up a bit from behind and tried to snap it back it.

Nope.  After some trials I removed the phone from the case and discovered the touch-display screen itself was popping out of the actual phone case.

I didn’t capture any photos of the issue, but this post I found over by Travis Ehrlich at Gear Diary pretty well matched my experience exactly, photos and all, Is Your iPhone 5 Screen Lifting Up and Away?

I hadn’t dropped it, stepped on it, drove over it, or otherwise abused it (that I could remember) so the only thing that came to my mind was that the battery may be swelling causing the screen to be pushed up and off the phone body.

With images of the alien-body-popper scene fresh in my mind, and a battery meltdown/explosion I shut the phone off and called Apple.

They had me turn it back on, do some stuff to send diagnostics to them, confirmed the phone seemed to be in great shape (and reported I was very good on my battery/charging activity somehow), that it wasn’t included (based on SN) in the Apple battery recall scope, and advised me to run it in to an Apple Store for a Genius review.

The whole process of getting an appointment, waiting, etc. for an Apple Store service visit is a post in of-itself. However, for this one, one I finally found the store, and waited for a while (an hour?) the Genius took the phone into the back, came back out and informed me that yes, the battery inside the device was indeed swelling pretty nicely, that it was out of warranty, and not included in the battery recall scope.

However, they “graciously” would go ahead and replace it for me free of charge.  Only they didn’t have a replacement in their store. Would I be willing to go to another store that had it in stock? Yep.

So we secure wiped my iPhone (I had a back-up at home about a week or two old so no significant data loss worries) and pointed me to the 2nd Apple Store.

A mad dash across town and after some discussion with that store’s Genius staff, they eventually pulled the replacement unit. The Genius agent swapped my SIMM card between the phones after re-confirming my old one had already been wiped, I was able to talk them into getting me a piece of tape so I could pull and reuse my screen scratch protector (Spigen also). It came off fine and with some skilled tape-usage, I was able to get it transferred to the new phone lint/bubble-free.

A new (old) iPhone 5 64-GB phone in my hand.

The Genius couldn’t/wouldn’t tell me if this unit was refurb or new but from later production runs. Either way it looked brand new and ran just fine so I’m not complaining.

The phone has continued to operate well since.

Some forum crawls have found others with the same issue of a non-scope iPhone 5 with battery issues that Apple has replaced for free.  Some comments are that they may do so for phones with this problem up to one year beyond the original 2-year warranty period. I think it is currently a case-by-case basis at Apple’s discretion.

Regardless, I’m very pleased with the service provided in my case. It took a while to work through the process but it turned out well for me.  And having several Apple Stores in the Houston area was a real plus. I never considered going to the carrier’s stores for help and if you don’t have an Apple store around, you would likely need to send it in which would be a hassle also.

Hopefully this one will last for another two-years…So that may mean there would be an iPhone 7 or 8 model out to consider?

• iPhone 5 Battery Replacement Program - Apple Support
• Apple finds some iPhone 5 units have battery problems, opens replacement program - 9to5Mac
• iPhone 5 front glass panel separating/lifting a... - Apple Support Communities
• iPhone 5 screen popped out - can't push back in - MacRumors Forums

Cheers,

Claus Valca

Upgrading to iOS 8 (the long way ‘round)

Unless you totally are not into the Apple scene you may have heard that

• Apple recently released a new Apple iPhone 6 model, and
• Apple recently released a new system upgrade iOS 8.

Lavie’s 8GB iPhone 4 is getting very sad and tired and she is itchy to upgrade. I think the best deal for her (now out of her 2 year contract) would be to get either a 16 GB iPhone 5s or 5c. I’m leaning to the 5s myself even though it will be more expensive. However her thrifty-ness surprises me sometimes so she might be OK with the 5c.  She is not a power-user of apps or streaming so from a hardware perspective either should be more than adequate after the 4 she has now.

Last night I went ahead and decided to upgrade my 4th gen iPad Retina to iOS 8.  What should have been a quick process went super bad super fast.

It’s a 32 GB model but I have it jammed packed with videos (mostly sysadmin/training videos) and PDF whitepapers of for/sec/admin-related topics to read when I’m between activities.

As such I had < 5 GB of free space so I couldn’t do a WiFi only iOS update. But if you do the upgrade from iTunes you don’t need to have free space on your device.

Mistake #1: Not confirming/taking a backup.

Mistake #2: Plugging the device in to a powered USB hub rather than directly on my system.

I plugged the iPad into a brand-name USB powered hub extender and the iPad was detected ok.

I mis-read the initial prompt about do I want to backup some apps that were on the iPad and not my iTunes and said “no”.  Bad decision.

The update downloaded and began to apply.

As part of the process the iPad rebooted but it would not reconnect automatically to the USB port, which caused the iTunes update to fail.

I repeated again and more fails and each time I retried it said I had to do a device Restore. Yikes!

Finally after hunting down error codes and update failures I switched the cable over to a USB port directly on my laptop.  I did a hard-reset of the device and then the iOS 8 upgrade went on. Yea!

Only it was a (mostly) factory restore.  Somehow, some backup items were found from an older backup (or maybe the device itself?) and restored.

I had to put all my music library, videos, photos, and videos specific to my VLC app library back on manually; a few apps that I hadn’t downloaded to iTunes also had to be restored/reinstalled. That took a very long time. Luckily all my (considerable) ebooks and whitepaper PDFs stored in Adobe Reader and Documents apps were all present and accounted for.

It took a long time (4-5 hours!) for the whole process before I was chilling again on the couch with the iPad but I finally got it tweaked back to the way it was before.  I’m wondering what I haven’t found missing yet because after the upgrade and auto/manual rebuild, I’ve now got around 10 GB of free space.

So this Saturday morning I’ve been busy doing manual iTunes updates (we don’t back up to iCloud) of both our iPhones as well.

I’m not in much hurry to upgrade my iPhone 5 just yet after that iPad update drama and Lavie’s iPhone 4 doesn’t qualify for the iOS 8.

I also figured out how to review and delete a bunch of old iTunes backups to clean house:

• iTunes: About iOS backups &
• Daily Tip: How to reclaim disk space by deleting old iOS backups | iMore

The other big headache after the upgrade and restoration was coming to terms with all the new features and setting changes brought by 8.  I had a ton of re-tweaking deep in the Settings to do to ensure it was set to my comfort levels.

Here is a list of iOS 8 items you may want to review before/after you do your iOS 8 journey. Many of these tips and suggestions have been super-helpful to me.

• iOS 8 is here. Get ready with these 3 steps. [Updated] - TechBlog
• iOS 8 Is Here: 10 Reasons To Install It Right Away - MakeUseOf blog
• 8 Things New iOS 8 Users Should Do First - ReadWrite
• iOS 8, thoroughly reviewed - Ars Technica
• Everything You Need to Know About iOS 8 - Lifehacker
• iOS 8 Is Out! Here Is What's New And What's Improved [Review] - AddictiveTips blog
• How to fix iPhone 6 and iOS 8 battery life problems! - iMore
• iOS8 3rd Party Keyboards Reviews - SwiftKey and Swype - Scott Hanselman
• Six big iOS 8 issues for enterprises - ZDNet

Cheers.

--Claus Valca

OneNote for iOS

Just like I post “linkfests” here for my archival reference and for sharing, I collect URL’s for family and friends as well.

These typically run much less technical; though admittedly more than fairly geeky.

Common subjects are interior design trends, architecture, recipes, Dr. Who fandom bits, short films, science, and faith/life-balance.

Unlike the GSD blog where they get shoved out on stage and dialog/feedback is relatively rare, these more personal links across the web are chosen with discussion and togetherness in mind. They are random encounters discovered that can be shared and reflected. We need to build out new dreams, wishes, and hopes as we re-discover the Lavie and Claus bond that isn’t centered around Alvis any longer.

The iPad makes a great platform to pull out on the couch when I’m sitting with Lavie. It’s a lot more comfortable (and feels more personal/intimate) than using either of our laptops.

Only sharing the sharing bit is a bit clunky.

I’ll send the URL collection out via email, but when we want to view the links together on the iPad, it requires opening the email client, finding the email (which can be quite buried…so it needs to be tagged/flagged), then clicking an embedded link. From there we review, then we need to return to the email client and hit the next one. Repeat.

It works but is a bit clunky.

What I wanted to do for some time is to select the HTML markup body of the email, paste it into a document editing app, then just use that as the launching place.

Probably because I’m still not very familiar with the iOS app landscape this discovery process has been more of a challenge than it should be.

My first hope was that Notability (App Store on iTunes) could handle embedded HTML markup copied and pasted. Nope.

Neither could Byword (App Store on iTunes) or Documents by Readdle (App Store on iTunes). In all cases it would strip out the HTML markup code and leave me with useless plain text.

Why was it hard to find a note-taking or document app that would keep copied HTML markup?

Eventually I found what I was looking for.

Microsoft OneNote for iPad  and Microsoft OneNote for iPhone (App Store on iTunes)

I’m very familiar with OneNote usage on the Windows desktop (I have an Office 2010 version) but didn’t think about using it on my iDevices.

One “gotcha” is that you will need to log in with a valid account to use the application. Having a Microsoft Outlook Live account makes the process very smooth. There were some extra validations and secret code-pasting required but it was easy to follow.

Once I had the application installed and linked, I tested it by copy/pasting a big block of HTML markup from one of my emails to Lavie and Alvis with tons-o-links into a fresh note page.

Hurrah! It looked like it kept the HTML formatting! I selected one of the links and it opened up quickly and perfectly in Safari.  Solution found!

I then installed the app on my iPhone. This time all I had to do was log in, no additional account validation was required second go round.

I must confess, the iPad version looks and works much more like the Windows desktop version than the iPhone version. However, having quick access to the notes is indeed handy.

To add another major boost to handy-access of things, I quickly discovered I could link the additional OneNote notebooks I have on my desktop via the OneNote 2010 application I use to both the iPad and iPhone apps. It leverages Microsoft’s OneDrive storage platform.

I’m still not ready to drink shoving all my electronic life to the “cloud”, but this is a handy start.

So, if you are looking for a way to keep HTML markup notes -- from web or email snippings -- on your iPad or iPhone, then the free OneNote iOS apps are a great option to consider. And doubly so if you have a Windows client version of OneNote 2010 or higher on your desktop.

Don’t have Microsoft OneNote for Windows desktop? Microsoft offers it for free:

Download OneNote 2013

Other platforms supported are Windows Phone, Mac, Android, Amazon, and the Web

Cheers.

--Claus Valca

Lavie’s iPhone loss Mystery - Resolved

This past Monday, Lavie called me at work terribly upset after her first visit to our new doctor. (Another rant story for another day.)

Turns out the visit had gone very well and our new doctor meets Lavie’s approval. Yea!

Turns out that somewhere between leaving the practice and getting home, she discovered her iPhone was lost. Noo!

I immediately logged into the Apple “Find my Phone” app on my own iPhone at work, entered her information in, and saw her phone…kind of.

The phone showed up but it couldn’t be located on a map. Turned off perhaps? In a dead zone?

We both had tried calling it to no avail.

I used the option to send a message to the phone and have a finder call us when it was discovered.

Alas, at the end of the day no call and the phone still wasn’t showing up.

Lavie was convinced it was on its way across one of our borders, I wasn’t sure and figured it was at the bottom of the elevator shaft or kicked under one of those heavy examination table/cabinet combos.

The doctor’s office staff said they looked and didn’t see it.

The practice security desk was contacted and didn’t report it being turned in but made a note in their log just in case.

Lavie was still deeply upset with the lost. (She has never lost any mobile phone she has ever owned.)

I was so calm about the loss that contributed to Lavie’s freaking out worse.

So the following day we worked on damage control.

I called our cellular carrier who disabled the SIMM card/# for the phone to prevent any unauthorized phone calls on our account. The rep was very kind and helpful.  No the phone hadn’t been used since her last call that morning to me. No new data usage or activity was showing up.

The phone had both a passlock code set on it as well as the “Find My Phone” feature with iCloud enabled.

I logged back into the iCloud and set it to “auto-wipe”.  I was pretty confident we wouldn’t have any data leakage/breach from it (hence my calmness) but was still curious why it was “dead” in the iCloud.

Luckily, we still had Alvis’s old iPhone 4 as well. After her marriage, her husband had bought her a new iPhone 5s on their own account. Her old phone was on our account, and a few months away from the 2-year contract end, so I elected to keep in on rather than paying an ETF to remove it.

So Lavie just carried Alvis’s phone for the day until I got back off work and we could drop by the local AT&T storefront.

The AT&T rep was very helpful. He cut a new SIMM card (for free!) with Lavie’s cell # on it, then swapped out the SIMM from Alvis’s phone with the new one, also releasing the hold on Lavie’s cell #. Almost good to go. I hung on to Alvis’s SIMM card as it was still good.

Back home, I backed up Alvis’s phone in iTunes, copied off all the photos from it (she said he already had them but I wanted to be sure), then wiped the phone.

I then restored the last backup we had in iTunes for Lavie’s old phone to this one. It was from late December 2013 but it had most everything.

I did have to spend some time re-adding a few apps but not that big a deal. Two hours later Alvis’s old iPhone was now fully migrated to being Lavie’s phone.

Lastly, I checked Lavie’s iCloud account again, and now there were two “Lavie’s iPhone” objects listed. The new one I just finished setting up (with GPS locator hovering over our residence on the map active) and the old one…still not located and “dead” with wipe pending.

So…we were out one iPhone 4..with one to two months left on our contract…and that pretty much it.

Only guess what?

Thursday night the security desk at the practice called.

Lavie’s phone had been found…where they couldn’t say…but she was welcome to come pick it up at our convenience.

So Friday Lavie picked up her phone.

It was almost drained but very much still powered on.  It did say “No Service” as the SIMM had been disabled by our carrier but it connected to our Wi-Fi with nary an issue like a grinning tomcat dragging in after a long night of adventure.

And the phone didn’t wipe.

Curious.

So today I figured out why the phone didn’t show up in iCloud, nor wipe itself as told.

First, Lavie recovered a few missing phone numbers out of her contacts that had been added since the original backup.

Then I got digging.

Going in the Settings and iCloud area, I could clearly see “Find my Phone” was switched on with a nice green indicator showing. What up iPhone?!!

Only there was a hazy semi-opaque haze to the page.

Lavie’s information was all present, but it appears she (we I) didn’t actually log back into iCloud on it after the last iOS 7 upgrade.

Once I did that, Bammo!  The phone wiped.

So, lessons learned from the experience:

• Make sure your iPhone/iPad is pass-coded. A longer passcode option can be selected over the standard four digit one.
• Set up Find my iPhone/iPad on your device. Correctly. iCloud: Set up Find My iPhone
• Test iCloud - Find My iPhone, iPad to make sure it really is seeing and tracking your device!
• If you carry a lot of passwords on your iPad/iPhone, be sure to keep them in a password manager app, not in Notes. MiniKeePass.
• Back up your iPad or iPhone device in iTunes (or via iCloud if that is  your thing) regularly. Like every week or so to capture Contacts changes and stuff.
• If you do loose your device, set the call-back message if found in iCloud.
• Call your mobile carrier and suspend your number just to be safe you don’t end up with any unauthorized calls.
• If in deep doubt you will find it again, set it to wipe.

More handy linkages:

• What to do if your iOS device is lost or stolen - Apple Support
• iCloud: Find My iPhone Activation Lock in iOS 7 - Apple Support
• iCloud: Set up Find My iPhone - Apple Support
• iCloud: Locate your device - Apple Support
• iCloud: Use Lost Mode - Apple Support
• Erase your device - iCloud Help - Apple Support
• What to do before selling or giving away your iPhone, iPad, or iPod touch - Apple Support
• Apple - iCloud - Find My iPhone, iPad, and Mac. - Apple Support
• iOS 7 Activation Lock cutting iPhone theft, damaging resale market - Ars Technica

Cheers.

--Claus V.

For the iOS crowd

A few nights ago, I came home from work and Lavie was quite frustrated with her iPhone.

She had heard a local news story about how the iPhone can track the user and how to disable the feature…only she couldn’t find the news story on the station’s web-site despite their comment.

I was familiar with a number of “feature” settings that could conceivable track and “spy” on your iPhone usage habits and personal travels, but none of those seemed to satisfy Lavie’s understanding of the news story.

Took me a few days but I finally tracked it down for Lavie:

• Does your smartphone spy on you? - khou.com

The applicable part was this bit in the story:

“On an iPhone, it’s a bit more complicated. Just go to ‘Settings’, click ‘Privacy’, then select ‘Location Services’, scroll down to ‘System Services’, that’s where you find ‘Frequent Locations’. Just turn that feature off.”

The news story wraps a lot of drama around the issue but it certainly succeeded in getting Lavie’s attention.

I also found these new-to-me reports of other iOS security concerns.

• Another iOS 7 Bug: This One Could Let Somebody Secretly Track You – ReadWrite
• New security flaw opens iPhone, iPads to covert keylogging - ZDNet

And by the way…

Dad?  These links are for you and that iPad.  I’d say you could blame it on the cats but you don’t have any pets in the house…

• CrackedMacScreen.com
• iCracked - Fix or Sell Your iPhone, iPad, or iPod Today
• iPad Repair - Professional iPad Screen Repair Service

Cheers,

--Claus Valca

Claus’s iPhone App List - Updated (Jan 2014)

So it has been a little while since I’ve posted an update to my last iPhone App List so I figured “why not now?”

Before we get to that, let me point out a few new apps I’ve added that stand out:

I have a very well-rounded collection of weather apps on my iPhone (see below). That class of apps is probably the most used set on a daily basis, followed by my RSS feed reader, web browser, and email app.

BeWeather - (free/$$) - App Store on iTunes - This one is new to me, though apparently Blackberry users have loved it for a long time. I really like the way the data is displayed and the background images are very pleasing but not distracting. The free version has almost all the features the average Joe could want, except a detailed (by the minute) precipitation forecast (available in the $$ version) and unlimited numbers of weather location saves (for when you want to quick-check the weather in more than your current location---also opened up in the paid version). Next time I get an iTunes card I’ll probably go ahead and buy it. However it faces some already stiff and entrenched competition from apps like Wunderground weather and The Weather Channel that cover all the same features and a few more. Still, I don’t mind having it handy and would recommend it. Check it out.

Reeder 2 - ($$) - App Store on iTunes - I had been using the previous version “Reeder” for my RSS feed reading. It went from ($$) to free a while back during a short window before the developer yanked it from the iTunes store. I could continue using it but decided to show my support and pony up the $$ for the new Reeder 2 edition. It has more bells and whistles and I really works nicely for my OMPL (standalone) RSS feed reading. I don’t use any cloud-based RSS services (now that Google’s feed service shut down). This app really rocks for my purposes; and it does support a lot of cloud-based RSS feed services if that is your thing.

VNC Viewer - (free) - App Store on iTunes - I spotted news that a free Android version of VNC was available and went looking to see if there was a free iOS version out. Yep. This is it. I use TightVNC on our home systems for my remote-support needs and VNC Viewer is pleasantly compatible with it. No surprise there. I found the iOS app interface for VNC Viewer to be very easy and stable to use. I did previously pay for the ($$$) version of Mocha VNC and it seems to have more features so I’m sticking with it, but I will keep VNC Viewer app on my phone and will use it as well.

The TeamViewer for iOS app offerings is a mess.  I’ve been using this TeamViewer for Remote Control (free) on my phone for the (very) limited times I’ve needed to perform emergency remote-support to family and friends while on the road but it was very kludgy. When I launched the app today it recommended I jump to a new version (not an upgrade of the current one I had). It pointed me to this one TeamViewer: Remote Control (also free) which has been optimized for iOS 7. So I downloaded it and installed along side. There is also this older (free) TeamViewer HD for Remote Control app for iOS as well. It’s a bit hard to tell the difference between the two older versions feature-wise. Anyway, if you need it and you have a newer platform/iOS version you probably want to go with the middle one I linked to above.

Microsoft Remote Desktop - (free) - this one is of limited value to me at the moment. I can use it to connect to an virtualized version of Window 7 (IETester) Enterprise I have, but since my primary systems are running Win 7 Home it doesn’t work. We don’t really use RDC/RDP at work so no use there.

CNP Mobile Outage Tracker - (free) - A while back my brother called me to check if we had power on our side of town. We did but he did not. Localized outage. I pointed him to this (regionally useful) app so he could check for status updates himself over his iPhone. If you live around the Houston area and have CenterPoint as your electricity infrastructure provider, you may find it useful. Works OK in an emergency but really could use an overhaul for iOS 7.

VLC for iOS - (free) - This app has gone through a series of updates. I really like it, especially being able to upload video files to it directly from my PC when I’m too lazy to connect my iPhone via USB and iTunes to drag-n-drop the files over. Plays great. Great features. Lots of fun.

Updated January 2014

Not a lot of “new” installations…though lots of existing apps have been updated to newer versions.

Here is an updated listing, semi-categorized, of iOS iPhone apps I’m using on my iPhone 5.

All links will be to the iTunes App Store page unless otherwise noted. I’ve updated the permanent link on the sidebar under “Claus’s Toolbox”.

I’m only listing Apps that I use (or plan to purchase relatively soon for use). This post is for me to self-reference and primarily be a way to recommend/share Apps with the few family and friends who have iPhone discussions with me.

A mini price-range key:

• free = free. May or may not be ad-supported. That said, if it is ad-supported or pop-up in-app notifications to upgrade to a paid-version are too annoying or obtrusive, the app is deleted.
• $ = $.99 to $2.99 range.
• $$ = $3 to $7.99 range.
• $$$ = $8 to $9.99 range
• $$$$ = over $9.99

Note that when posted, some apps may be on a special pricing discount for holiday or promotions. I’ll try to keep an eye on things but it’s only a rough guide.

“Default” apps that come installed/bundled with the iOS don’t get listed.

I have a few great Apps I won’t list for privacy reasons; banking/insurance/shipping/specific shopping/vendors, etc. Just because you don’t see those listed, doesn’t mean I don’t use them.

Finally, just because all these apps fit on and run on my iPhone 5 (64 GB), currently iOS 7.0.4, doesn’t mean they will all fit on your own iPhone.

Here’s the list.

Core Apps

• Reeder 2 - ($$) Supports “standalone” RSS feeds rather than one of many supported on-line RSS services. Newer version has many more nice interface features and GUI enhancements.
• Chrome - free
• Gmail - free
• Google Maps - free
• MiniKeePass - free
• Naturespace - free/in-app $ (and I purchase a LOT of these tracks)
• Wave Alarm - free (note I sprung for the in-app $ paid version). Wakes me up every day!
• Wave Timer - free (note I sprung for the in-app $ paid version)

Productivity/Organization Apps

• Agenda Calendar - $ - my core calendar app; supports reminders. Hard to view upcoming scheduled events at a glance
• Fantastical - $$ - I love the at a glance calendar event layout view (missing in Agenda) but lack of reminder support is serious. -2 on the scoring. Still becoming friends with this app.
• Clear - $
• Due - $$
• Easy Note + To Do - $
• Grocery List - Buy Me a Pie! - $

Weather Apps

• Weather Underground - free - (I paid $ for a 1-year in-app removal of ads) “realtime” radar data map display makes this app priceless to me! + it comes with lots of tropical weather (hurricane) tools and links so I may not need to purchase a hurricane-specific app.
• WeatherMap+ - $ - Super cool forecast data projections. Awesomeness!
• The Weather Channel® Max - $$
• BeWeather -free/$$ - very nice GUI and great features.
• NOAA Hi-Def Radar - $ - beautiful image quality but radar data lags from several to +5 min behind current time. I want near real-time radar data please!

Text/Reading Apps

• Adobe Reader for iPhone - free
• Byword - $
• Documents by Readdle - free - I love I can connect wirelessly between PC and iPhone for document transfers.
• Google Translate - free
• Kindle - free

Networking/IT/SysAdmin Apps

• Deep Whois - free
• Emerald Time - free
• Fing - Network Scanner - free
• Mocha iSys - free
• Mocha VNC for iPhone - $$
• IPv4 Subnet Calculator - $
• Network Ping Lite - free
• Networking Toolkit - free
• Nice Trace - traceroute - $
• Speedtest.net Mobile Speed Test - free
• TeamViewer: Remote Control - free
• Microsoft Remote Desktop - free

Faith Apps

• Bible! (Logos) - free
• PocketSword - free
• Bible Study With Accordance - free

Media & Sports Apps

• ABC Player - free
• CBS - free
• ESPN College Football - free - (requires free account registration. What can I say. I love college football.)
• ESPN SportsCenter - free - (using again after registering for free account).
• KUHF News/Classical 91.7 - free
• NBC - free
• NPR Music - free
• NPR News - free
• Pandora Radio - free/$$-subscription
• PBS - free
• PRI - free
• Science Friday - free
• SomaFM Radio Player - $$
• TED - free
• TV.com - free
• Vimeo - free
• VLC for iOS - free - rich media file player.
• XFINITY™ TV Player - free/requires Xfinity customer account
• YouTube - free
• The Masters Golf Tournament - free

Specialized Utilities

• Teslameter 11th - $ - cheap EMF/magnetometer detector.
• Converter Plus - free
• Decibel 10th - free
• DuckDuckGo Search & Stories - free
• Find My iPhone - free
• How to Cook Everything Essentials - free
• iHandy Carpenter - $
• Spyglass -$$
• Survival Guide - free
• CNP Mobile Outage Tracker - free

Photography/Art

• Adobe Photoshop Express - free/in-app $ upgrade
• Ink - free
• Paper (miSoft) - $

Health/Fitness/Education/Fun

• 7 Minute Workout - free
• 7 Minute Workout “Seven” with High Intensity Interval Training Challenge - free
• iHikeGPS - $$
• Learn German: Babbel - free
• Mind - free

Hardware Support
These are the primary “hardware” items I use (or will be using) with my iPhone. Note: Price rating system suspended here. Do the research if you are curious.

• Bluetooth Headset, Jabra WAVE - Got this in lieu of a Jawbone ERA. The reviews were good but the two factors that really sold me on this replacement headset for my battered Jawbone were the ability to connect/pair it to TWO iPhones at once (I now carry two, one from work and one is my personal) so hands-free car-driving is a joy again…and the fit around my ear due to the design means it stays fast and put when I am working and playing…no sag like the Jawbone ear loop does after a while. Highly Valca recommended device. Call quality is quite good (my own experience and feedback from family/friends on the far end).
• Jawbone JAMBOX Wireless Speaker - Christmas present from Lavie. GSD post: It just has to be bigger on the inside…
• Lightning Digital AV Adapter - Lightning to HDMI - Apple Store (U.S.) - Hey Mom, seen movie (insert title here) yet? Nope? Want to watch it right now off my iPhone on your HDMI TV? Great! Let’s go!
• Jawbone (version 2) - (obtained back in 2008) - still running strong, though highly battered. Now retired but still works in a pinch.

Previously Used Apps (free) Upgraded to Purchased Versions or Alternatives
These are apps that I previously had on my iPhone but later upgraded to purchased versions and/or removed to make way for another/different version of the same app function. They are still highly recommended.

• Byline - $ - dropped for now as they don’t support “standalone” RSS feed reading and Google Reader has gone bye-bye which is what I used with it for feed reading.
• Commander Compass Lite - free
• iHandy Level Free - free
• Mocha VNC Lite - free
• MapQuest - free
• MyRadar Weather Radar - free
• Alarm Clock - ZenAwake - $
• TeamViewer HD for Remote Control - free - (newer version/app available -- totally different install from this one).

Still pending purchase/installation - (sooner or later)

• Mailbox - free
• Hurricane Tracker - $
• Hurricane - $
• iFileExpress - free
• Documents To Go - $$$
• Photo Manager Pro - $

Hope you find this helpful.

--Claus V.

Microsoft Remote Desktop for iOS

At work we cannot (yet) use Microsoft Remote Desktop for iOS to connect to end-user systems for troubleshooting support.

At home, the Windows versions we have for daily use are “Home” editions and really don’t support Microsoft Remote Desktop sessions…at least not without some clever hacks that I don’t really need or care to implement.

So for now, at work remote control of end user systems from iOS devices remains a dream.

And at home, I find that running TightVNC works super-spiffy and that the Mocha VNC iOS app works just fine to allow me to remote-control our home Windows systems at will from my iPhone 5.

So for now, I really don’t have an environment where I can give the newly acquired/released Microsoft Remote Desktop client for iOS devices a shake. Maybe I’ll see if it can get it going with one of the Win7/8 Enterprise IETester virtual machines I have and use for testing at home.

So, if you are curious, here are some links regarding the subject.

• Microsoft Launches Remote Desktop App for Android and iOS - The Next Web
• Microsoft Remote Desktop App For Android & iOS Available For Download - AddictiveTips
• Microsoft quietly announces new Remote Desktop apps for Android and iOS - BetaNews
• Microsoft to launch new remote desktop apps for iOS, Android - ZDNet

And if you want some interesting background, according to Kurt Shintaku, the app came from iTap via HLW Software Development which had been kicking around for a while, and was bought  by Microsoft.

INFO: Yeah, the Remote Desktop apps for Mac OS X, iOS & Android came from iTap technology acquired from HLW - Kurt Shintaku's Blog

Very interesting…

Claus Valca

More iOS 7 tips and notes

I still haven’t upgraded my iPhone 5 to iOS 7 yet.  So far I have 5 apps that I cannot update as they require iOS 7 to load. None of them are critical.

Neither of the girls in the Valca home have their iPhone 4 units on iOS 7 either.  Alvis did upgrade her iPad to iOS 7 without any drama and her beau just got his new iPhone 5s the other day. It’s kicking fast.

My bro just successfully upgraded his iPhone 5 to iOS 7 today and had no issues so I think I will get him to give me a tour and play on it a bit since we have the same model.

I had planned to do the upgrade this weekend as I expected some patches to come out in the period before the first release and now that was true (current version of post time is iOS 7.0.2).

But now I am reading rumors that an iOS 7.1 build might come out in a few more weeks so I think I will try to hold off the upgrade just a bit longer, especially since once you upgrade you can’t roll back to iOS 6 since Apple killed their signed firmware certificates for it.

So here is a collection of iOS 7 linkage I have grabbed so I can continue to review and pre-study and then refer-back to once I do the jump for some possible tweakage.

Downgrading from iOS 7 to iOS 6: Why Apple won’t let you - ExtremeTech

iOS 7, thoroughly reviewed -Ars Technica

Linkpost | 9.18.2013 - Chron.com’s TechBlog  - chock full of iPhone 5s/5c news and links!

Death to textures: iOS 6 and iOS 7 compared in pictures -Ars Technica

iOS 7 Review: Pretty Is as Pretty Does - Gizmodo

All The Apps Optimized for iOS 7 - Lifehacker

iOS 7 vs. iOS 6: A Look At The Major Interface Changes - Addictive Tips

iOS 7's Biggest Annoyances (and How to Fix Them) - Lifehacker

New lease on life or death sentence? iOS 7 on the iPhone 4 - Ars Technica

Upgraded to iOS 7? 5 Shiny New Things To Check Out Right Away - MakeUseOf

How to turn off iOS 7 frequent location tracking and increase your privacy - iMore

iOS 7 Smart Multitasking & Background App Refresh Explained - Addictive Tips

Everything You Need to Know About the iOS 7 Upgrade - Kinja

Linkpost | 9.19.2012 - Chron.com’s TechBlog

Eight things to love about iOS 7 [Updated] - Chron.com’s TechBlog

Here’s how to prepare for iOS 7 - Chron.com’s TechBlog

Before and after: The best iOS 7 app redesigns (Updating) - The Next Web

How to access list view in the Calendars app on your iPhone or iPad running iOS 7 - iMore

Lesser Known New Features & Changes In iOS 7 - Addictive TIps

How to disable Control Center access on the iOS 7 Lock screen - iMore

How to delete individual iMessages and texts in iOS 7 - iMore

iOS 7 lock screen bypass flaw discovered, and how to fix it - ZDNet

iPhone 5s Teardown - iFixit

Apple iOS 7 Uses New Multi-path TCP Protocol Extension - Daniel Miessler

Top 10 Secret Features of iOS 7 - Lifehacker

How to bring the bold fonts back to iOS 7 - iMore

iOS 7.0.2 now available, fixes Lock screen passcode bypass - iMore

Apple releases iOS 7.0.2 with fix for Lock screen passcode bypass flaw - 9to5Mac

iOS 7.0.1, iOS 7.0.2, and iOS 7.1 already seeing widespread testing inside Apple - 9to5Mac

Cheers

--Claus Valca

iOS 7 - Coming to something near you soon

I hesitated to post this linkfest on iOS 7.

Some of the links are old and some are geeky and not everybody who stops by GSD even has an iPhone/iPad/iWhatever device…and probably could care less.

So please indulge me with the link-dump on iOS 7.  No gushing (yet) shall occur.

I’m personally going to hold off dumping it on my iPhone 5 device for a few weeks until the blog-0-sphere settles down and the dust (and commenting/review/feedback) has been kicked up and spread around.

So this is for reference purposes only.

(And so I can figure out what to do when all the users I support at work with enterprise-issued iPhone 4S devices manually upgrade their devices and then tell me they don’t know how to work them in the new iOS version on Sept 19th.)

Fresh linkage I had saved on iOS 7 (& new iPhone model) news

• All the New Stuff in iOS 7 - Lifehacker
• iOS 7: what's changed since June? - The Verge
• Apple iPhone 5S: Everything You Need to Know - Gizmodo
• What's The Difference Between The iPhone 5S and 5C? – ReadWrite
• A tale of two iPhones: Hands-on with the iPhone 5S and iPhone 5C (update: video!) - Ars Technica
• iPhone 5s vs. iPhone 5c vs. iPhone 4s: Which iPhone model should you get? - iMore
• Potential Security Applications of the iPhone 5S M7 Motion Coprocessor - Lenny Zeltser on Information Security
• Apple gets ready for iOS 7 shock - TechBlog’s Dwight Silverman
• Apple introduces the iPhone 5S and 5C; iOS 7 update coming Sept. 18 - TechBlog’s Dwight Silverman
• iOS 7 Ships September 18 - AllThingsD blog
• Here’s who should (and shouldn’t) buy the iPhone 5S - TechBlog’s Dwight Silverman

Older linkage I had saved on iOS 7 news

• iOS 7 Feature: Multi-tasking in Landscape mode - The4Cast blog
• WWDC 2013 and iOS 7: What we didn't get - iMore.com
• A Complete Summary Of Major New Features & Changes In iOS 7 - AddictiveTips blog
• Flattened: An iOS 7 design gallery - Ars Technica
• Sure, iOS 7 Looks Awfully Familiar. It Also Looks Like A Winner – ReadWrite
• Apple's New iOS 7: What You Need To Know Now – ReadWrite
• Apple Announces iOS 7: New Design, Multitasking & Many New Features Are Coming Your Way [Updates] - MakeUseOf blog
• iOS 7 - Matt Gemmell
• Why does the design of iOS 7 look so different? - The Next Web
• iOS 7 preview: Notification Center - iMore.com

Whatever…

--Claus Valca

iPhone Traffic - ZAP’ed, Security, and Network Tap Tap Tapping

This week brought in a very interesting post from web security/developer Troy Hunt.

 Unearthing the hidden shortcomings in Aussie mobile app security - Troy Hunt’s blog

Please go read then come back.

Interesting isn’t it?

I know most GSD readers probably wouldn’t be surprised to find some of their favorite mobile-apps leak user ids and passwords in plain-text, but for those who don’t know, some do.

Case in point (that has now been reported as fixed!):  Zscaler Research: Mobile App Wall of Shame: ESPN ScoreCenter

Naturally that got me thinking about a common mantras in the For/Sec world; “know your tools” & “verify, verify, verify”.

What I want to do is some benchmarking and analysis of the mobile apps I use on my own iPhone to have a better understanding on what is happening with their network traffic. This would be valuable information to know for general usage, and critical knowledge in case you unknowingly encounter a Wi-Fi Pineapple in the wild or a more complex man-in-the-middle Wi-Fi attack and get your network traffic captured.

One super-easy (and lazy) way I have found is to use ZAP - Zscaler Application Profiler.  From the “About” page link:

About ZAP

Zscaler Application Profiler (ZAP) is web based tool designed to streamline the capture and analysis of HTTP(S) traffic from mobile applications. ZAP is capable of analyzing traffic from both iOS and Android applications and includes the following functionality:

• Search: View summarized historical results for past scans.
• Scan: Proxy traffic from a mobile device through the ZAP proxy and the mobile app traffic will be automatically captured and analyzed
• iPCU: Upload your iOS device configuration file(.deviceinfo) to check risk score of installed application. It will give you overall risk score of your device. The information provided is based on out knowledge base.

ZAP classifies traffic into the following buckets and calculates an overall risk score for the application:

• Authentication: Username/password sent in clear text or using weak encoding methods.
• Device Metadata Leakage: Data that can identify an individual device, such as the Unique Device Identifier (UDID).
• Personally Identifiable Information Leakage: Data that can identify an individual user, such as an email address, phone number or mailing address.
• Exposed content: Communication with third parties such as advertising or analytics sites.

Zscaler also has a detailed video on this service on their blog: Zscaler Research: Introducing ZAP.

So you can either check their historical report data on apps already researched, you can connect your device to their proxy to do a scan on a new app/version not already captured historically, or even upload your own iOS device config file.

Wow.  Bookmark this resource link now!

However, there may be cases you want to do your own local network traffic capture and analysis…because you like pain and frustration (and hands-on learning perhaps).

Part I - In Which Hardware TAP Options are narrowed down

At work (when & where authorized) we can set up network packet captures either on a specific system or on the LAN using port-SPAN.

At home, I don’t have a managed switch (or dumb hub) that can do that.  I suppose I could buy a USB-NIC (so I can have two wired network ports on my laptop) and then capture traffic temporarily though one of these messy devices (home-built or purchased) but that isn’t quite as elegant as I would prefer.

Or (as the TinyApps bloggist kindly just reminded me) use Cain & Abel.

• Capturing Packets on a Broadcom Card - The Flying Frank
• Configuration - OXID.I

Instead I decided I'll pick up a specialized device that support a network TAP.  This way I can just hook it in line between my Wi-Fi router and the cable modem and capture everything that passes though. It may not be 100% on packet captures, but I think it will be good enough for my home testing.

So the next question is what device?

I’ve settled on the following options:

• Dualcomm DCSW-1005 USB Powered 5-Port 10/100 Fast Ethernet Switch TAP (Port Mirroring) - Amazon.com link
  • Dualcomm DCSW-1000/1005PT - Dualcomm product page
• Dualcomm DCGS-2005L 5-Port 10/100/1000 Gigabit Ethernet Switch Network TAP (Plastic Case) - Amazon.com link
• Dualcomm DCGS-2005 5-Port 10/100/1000 Gigabit Ethernet Switch Network TAP (USB Powered, Port Mirroring, PoE Pass-Through) - Amazon.com link
  • Dualcomm DCGS-2005/DCGS-2005L - Dualcomm product page

The DCSW-1005 model is an attractive basic option. It supports port-mirroring, is USB powered, and has 5-ports. (note only port #1 is mirrored to port #5).  The price is good.  The only “drawback” I see is that it only supports 10/100 speed on the network.  While I seriously doubt I would ever approach over 100 Mbps and cause a bottleneck on my home network…most all my other network equipment is 1000 Mbps capable.  So thinking forward, this could be slightly limiting down the road, or if I am asked by family/friends/associates to do some network troubleshooting on a “true” 1000 Mbps network, or tapping in between two network devices actually running at 1000 Mbps.  So there is that. Also, the buffer memory used by the device in the mirroring process is 256 KB. So if that gets saturated, there is the possibility of dropped packet captures.

The only difference between the DCGS-2005/2005L seems to be the “L” model has a metal cabinet while the other doesn’t. Of course, that option comes with a $20 markup as well.  I’m pretty sure the plastic cabinet would be just fine, but the vanity in me just likes the metal cabinet appearance a bit more. Probably just a bit more durable when tossed around in a go-bag and maybe it might dissipate heat a bit better? This model does support up to 1000 Mbps so there is that benefit since it is (at least $100 more expensive) but the buffer memory is just 104 KB. Hmmm. 

Should I be concerned about overloading either of the devices’ memory buffer when capturing home-network traffic? Probably not but what say you pros?

I did find these pretty basic and older reviews, including one from the guru of network security Richard Bejtlich.  I really didn’t find any more recent reviews of the device so if/when I get my hands on one, you can be assured I’ll have a write-up review.

• DualComm Port Mirroring Switch - TaoSecurity - (Sept. 2010)
• Review of Dualcomm 5-Port Pass-Through Port Mirroring Switch - LoveMyTool - Betty DuBois - (April 2010)
• Network Security Monitoring with Dualcomm DCSW-1005PT - CyberArms - D.Dieterle - (Nov. 2010)

Part II - In Which Other Alternatives are discovered

So let’s assume that you are already comfortable with network packet captures, installing network software, and making network configuration changes to Wi-Fi devices.

Are there any options to capture iPhone network traffic without going to the trouble and expense of picking up TAP hardware just for that task?

Yep.

First option is a tool called Paros. It is Java based (I know, I know..) and can assess web application vulnerabilities. The link has a Windows binary that appears back from August 2008.

Here is a nice walkthough on using Paros Sniff Your iPhone's Network Traffic by Jerod Santofrom to give you some introduction to it.

There was a comment on the Paros page providing information to a very current “fork” of Paros: ZAP

(Note: Not to be confused with the Zscaler ZAP service)

OWASP Zed Attack Proxy Project - OWASP - OWASP.org

There are tons of information on that page on this tool:

• Screenshots
• wiki videos page
• project pamphlet - a very quick intro
• project presentation - longer presentation

And here are some quick links on ZAP usage:

• Owasp ZAP - InfoSec Institute post
• Debugging SSL on Both iOS Devices and Simulators with Man-in-the-middle Proxies - CodeProject
• Intercepting iPhone traffic with your MacBook - Shaun Zinck’s blog

Next up, we have Fiddler, a free web debugging proxy from Telerik

• Capturing HTTP traffic on an iPhone with Fiddler - Scott Wojan’s DotRant blog
• Configuring Fiddler to Capture Web Traffic from an iPhone/iPad Device - ESRI Support Services blog
• How To Sniff iPhone Network Traffic - Matt McClure’s blog

Finally, if you are hard-core, just go use Wireshark.

• iPhone Meets Wireshark – Capture Wireless Network Traffic from Mobile Devices - EtherLook

Part III - Resources, References, & Pineapples

Here are some additional links related to all of the above discussions including the Dualcomm products, SPAN/TAP considerations, and the next network device I’m interested in picking up to play with; the Wi-Fi Pineapple.

SPAN Out of the Box (PDF Link) - John He’s Dualcomm Technology PowerPoint presentation at SharkFest 2010. Goes into details about SPAN/TAP considerations and specifics on what DualComm feels makes their product super special. SPAN out of the Box (Blip video)

B-7 (Battaglia) TAPS Demystified (PPT Link) - Samuel Battaglia’s Network Critical PowerPoint presentation at SharkFest 2010.

SPAN Port vs TAP (Video) - Betty DuBois- SharkFest 2009 presentation. PowerPoint presentation here (ZIP).

SPAN Port or TAP? CSO Beware - LoveMyTool blog - Tim O’Neill

Network Monitoring Madness: Poor Man’s Resource Linkfest - GSD blog post from 2010.

Let’s Get For/Sec-Motivated! - GSD blog post from 2011.

The beginners guide to breaking website security with nothing more than a Pineapple - Troy Hunt’s blog.

Your Mac, iPhone or iPad may have left the Apple store with a serious security risk - Troy Hunt’s blog.

Pineapple Surprise! Mixing trusting devices with sneaky Wi-Fi at #wdc13 - Troy Hunt’s blog.

Netgear DS104 4-Port 10/100 Dual Speed Hub with Uplink Button (Amazon link) - recommended to look into as well by TinyApps bloggist who reports he had good experience with it.

CaptureSetup/Ethernet - The Wireshark Wiki

CaptureSetup/WLAN - The Wireshark Wiki

Cheers!

--Claus Valca