Techradar - All the latest technology news
Isis trial begins as MetroPCS welcomes Google Wallet
Monday marked a busy day for mobile commerce in the U.S., as two contenders for customers took strides towards converting the market towards digital payment systems.
Mobile wallet service Isis was up first as it announced the official launch of its service in Salt Lake City, Utah and Austin, Texas.
The two locales will serve as trial runs and hopefully provide Isis the boost it needs to spread further throughout the country.
Starting Monday, residents of these cities can download the Isis Mobile Wallet from Google Play to their HTC Droid Incredible 4G LTE handsets. They can also pick up SIM cards at local retailers and add credit, debit and loyalty cards to the wallet.
Google Wallet comes to MetroPCS
Google Wallet, which is considered the top dog in the mobile commerce market, also announced Monday that its services are expanding.
"Happy to announce that @metroPCS now supports Google Wallet!" a Google Wallet tweet boomed.
The service will start on the Samsung Galaxy SIII. Google Wallet is also carried by Sprint, though the service is available nationwide, unlike Isis.
What's more, Google is taking invite requests for "the next version of Google Wallet," an update that's coming soon.
Square, by the way, is apparently going on a hiring blitz, posting a slew of job openings for engineers. That, combined with the other mobile commerce news of the day, points to some exciting times ahead.
Lightning connector photo leaks point to possible iPad refresh
While the iPad mini is likely the star of an Apple event in San Jose, Calif. Tuesday, another iTablet could see a small though not insignificant change come its way as well.
After Apple introduced the new Lightning connector with the iPhone 5, many believed it was only a matter of time until Apple's other iOS devices followed suit.
Newly leaked photos have surfaced showing two such connectors, one of which is believed to be part of the iPad mini, while the other may be headed for the third-gen iPad.
Lightning strikes twice
The supposed Lightning connectors shown in the photos bend towards the left, indicating the chance the logic board will be located on the left of the rumored iPad mini, or as it already is on the new iPad.
Presumably such a design should help keep the device cooler while held on the right-hand side.
BGR's sources indicated the Lightning connector shown in the first image (which is markedly different than the mini's version) wouldn't be used in an iPad 3 refresh, but didn't elaborate further on what that meant.
Previous reports indicated the existing iPad's revamp wouldn't be dubbed the iPad 4, as the changes supposedly being made wouldn't alter the third-generation iPad that drastically.
In addition to finding out just what lies in store for the possible iPad mini and the new iPad's potential refresh, Apple may show off new Mac minis and a 13-inch MacBook Pro with Retina display Tuesday as well.
TechRadar is covering the event live, so tune in from 10 a.m. PDT (6 p.m. BST) for full coverage.
FTC issues facial recognition guidelines
Apparently someone at the U.S. Federal Trade Commission finally got around to watching Minority Report in their Netflix queue.
The agency in charge of consumer protection issued 30 pages of facial recognition guidelines Monday for companies using the now-trendy technology, and the executive summary started off by quoting the Steven Spielberg film.
"John Anderton... You could use a Guinness right about now," the report read, recalling the scene in which Tom Cruise's character is targeted by individualized ads.
After spending the next paragraph further discussing the 2002 movie, the FTC got into the finer details of what biometric-deploying companies should and shouldn't do.
In the biometrically recognized eye of the consumer
In the report, titled "Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies," the commission laid out exactly what it felt those practices should look like.
Companies should incorporate "privacy by design," wrote the FTC. This means that information collected should be stored securely and disposed of when it's no longer needed.
The report gave examples, like if a young woman uploads a photo to virtually "try on" eyeglasses and later deletes her account, the photos should be discarded too.
There are times when no facial recognition should take place, too.
"Bathrooms, locker rooms, health care facilities or areas where children congregate" should be off limits, the report stated bluntly.
"You Are Being Filmed" sign is due for a companion
Consumers should always be aware of when something is detecting them and should know how the information collected is going to be used, including if the use changes.
Having the option to opt out or never opt into a program was also recommended. The FTC illustrated what could happen if individuals are automatically recognized by an app.
"Consider the example of a mobile app that allows users to identify strangers in public places, such as on the street or in a bar," the report read.
"If such an app were to exist, a stranger could surreptitiously use the camera on his mobile phone to take a photo of an individual who is walking to work or meeting a friend for a drink and learn that individual's identity - and possibly more information, such as her address - without the individual even being aware that her photo was taken."
Having to choose whether or not data is collected goes against the care-free convenience that biometric technology is supposed to provide.
But when the report gave examples like that, such guidelines make sense.
Guidelines aren't intended for FTC enforcement...yet
The FTC says that the 30-page report of guidelines is simply just that - guidelines.
So far, nothing within the report is intended to serve as a template for law enforcement actions or regulation by the FTC.
That could of course change in the future.
"As we have seen with other technologies," the report said in its conclusion, "technological advances and the attendant business models they create often move faster than consumers' awareness or comfort."
Study finds security holes in Android apps millions download
Those free third-party apps for Android may not be as secure as most consumers think.
A group of computer scientists showed that as many as 185 million Android users could be exposing online banking info and social network credentials along with email/IM contacts and content.
The researchers identified 41 apps on Google's Play Market for Ice Cream Sandwich that leaked important information as it traveled from phone to end server.
The scientists didn't publicly identify the vulnerable apps but did say they were downloaded 39.5 million to 185 million times. Researchers blamed certificate authorities and websites for not putting in the proper protections.
The group, which consists of computer scientists from Germany's Leibniz University of Hannover and Philipps University of Marburg, presented its findings at this week's Computer and Communications Security conference.
The scientists recreated app use on a local area network to test an array of well-known exploits to steal sensitive information.
The researchers were able to break the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols used by apps to protect users' info. Though SSL and TLS technology is considered generally safe, breaches can occur when developers or websites don't take the proper steps to protect users.
"We could gather bank account information, payment credentials for PayPal, American Express and others," the researchers wrote in their paper.
"Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted."
Android app: the study
The scientists started by downloading 13,500 free apps from Google Play and testing whether their SSL implementation was vulnerable to exploitation.
The researchers were curious how well these apps could stand up to Man-In-The-Middle (MITM) attacks, which target information that transfers over public Wi-Fi hotspots and other insecure networks.
After the static analysis the team found that 8 percent (or 1,074 apps) contained "SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks."
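The two weaknesses quoted above can be looked for in an app's Java source with a simple static check. The following is an added example, not the researchers' tool: the regular expressions are a heuristic assumed here, and the Java snippets are constructed samples.

```python
import re

# Heuristics for the two findings quoted from the paper. The Java identifiers are
# real Android / Apache HttpClient APIs; the regexes are this example's assumption.
CHECKS = {
    # An X509TrustManager whose checkServerTrusted() body is empty never rejects a chain.
    "accepts-all-certificates": re.compile(
        r"void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?"
        r"\{\s*(?:return\s*;\s*)?\}"),
    # Hostname checking switched off, or a HostnameVerifier that always says yes.
    "accepts-all-hostnames": re.compile(
        r"ALLOW_ALL_HOSTNAME_VERIFIER|new\s+AllowAllHostnameVerifier\s*\("
        r"|boolean\s+verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)"
        r"\s*\{\s*return\s+true\s*;\s*\}"),
}
# Crude comment stripper (it also cuts '//' inside string literals, fine for a heuristic).
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def scan_source(java_source):
    """Return the sorted names of the checks that one Java source text trips."""
    code = COMMENT.sub(" ", java_source)  # comments must neither hide nor fake a hit
    return sorted(name for name, rx in CHECKS.items() if rx.search(code))

# Constructed sample: trust manager that accepts every server certificate.
VULN_TRUST = """
class TrustAll implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // accept anything
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
"""
# Constructed sample: verifier that accepts every hostname for a certificate.
VULN_HOST = """
HostnameVerifier v = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
};
"""
# Constructed sample: platform default validation, with a misleading comment.
SAFE = """
// Do not use ALLOW_ALL_HOSTNAME_VERIFIER here.
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, tmf.getTrustManagers(), null);
"""

if __name__ == "__main__":
    for label, src in [("TrustAll", VULN_TRUST), ("verifier", VULN_HOST), ("default", SAFE)]:
        print(label, scan_source(src))
```

A hit only marks code for manual review, in the same way the study followed its static pass with a manual audit of 100 apps.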
The researchers then picked 100 of the apps to manually audit by connecting them to a network that used an SSL proxy.
In some cases, apps accepted SSL certificates that were signed by the researchers even though they weren't a valid certificate authority. Others accepted certificates issued for a domain name that wasn't the site the app was supposed to access.
Scientists successfully used SSLstrip attacks as well, which replaced SSL-protected connections with their own unencrypted version. Some apps also accepted certificates signed by authorities that were no longer valid.
Examples include an anti-virus app which accepted invalid certificates and allowed the team to feed its own malicious signature. Also a third-party app for a "popular Web 2.0 site with up to 1 million users" leaked Facebook and Google credentials when logged onto those sites.
The researchers didn't disclose what specific apps were vulnerable, presumably so the susceptible apps wouldn't be branded easy targets. Instead they used general terms such as "very popular cross-platform messaging service."
Most of the programs used in the study seemed to be free, third-party apps rather than the official versions from sites and services.
Google not to blame, but can do plenty to help
The group also noted that none of the apps were developed by the search giant, but Google's engineers can help make these apps secure. One way is to make it clearer to users when the connection provided by an app is encrypted and when it isn't.
The study shows how vulnerable SSL and TLS protocols can be when developers don't take the proper steps to secure their infrastructures. Since SSL and TLS form the basis for almost all security for getting data from user to server, those software engineers should take note.
The authors pointed out a few ways Android developers can better protect their apps. One way is certificate pinning, which makes it a lot tougher for apps to accept fake certificates.
But it seems like you get what you pay for when trusting sensitive information with a free third-party banking application.
Users looking to protect themselves can subject apps to the same static analysis as scientists did when downloading new programs. Or concerned users might want to refrain from transmitting personal data over public, unsecured Wi-Fi networks.