Flaws in Apple’s Intelligent Tracking Prevention Safari Feature Let People Be Tracked

Google researchers discovered multiple security flaws in Apple's Safari web browser that let users' browsing habits be tracked despite Apple's Intelligent Tracking Prevention feature.

Google plans to publish details on the security flaws in the near future, and a preview of Google's discovery was seen by Financial Times, with the publication sharing information on the vulnerabilities this morning.

The security flaws were first found by Google in the summer of 2019, and were disclosed to Apple in August. There were five types of potential attacks that could allow third parties to learn "sensitive private information about the user's browsing habits."

Google researchers say that Safari left personal data exposed because the Intelligent Tracking Prevention List "implicitly stores information about the websites visited by the user." Malicious entities could use these flaws to create a "persistent fingerprint" that would follow a user around the web or see what individual users were searching for on search engine pages.

Intelligent Tracking Prevention, which Apple began implementing in 2017, is a privacy-focused feature meant to make it harder for sites to track users across the web, preventing browsing profiles and histories from being created.

Lukasz Olejnik, a security researcher who saw Google's paper, said that if exploited, the vulnerabilities "would allow unsanctioned and uncontrollable user tracking." Olejnik said that such privacy vulnerabilities are rare, and "issues in mechanisms designed to improve privacy are unexpected and highly counter-intuitive."

Apple appears to have addressed these Safari security flaws in a December update, based on a release update that thanked Google for its "responsible disclosure practice," though full security credit has not yet been provided by Apple so there's a chance that there's still some behind-the-scenes fixing to be done.

Tags: Google, Safari

This article, "Flaws in Apple's Intelligent Tracking Prevention Safari Feature Let People Be Tracked" first appeared on MacRumors.com

Discuss this article in our forums

iPhones Can Now Be Used to Generate 2FA Security Keys for Google Accounts

A new update to Google's Smart Lock iOS app lets users set up their iPhone or iPad as a security key for two-factor authentication when signing into native Google services via Chrome browser.

Once the feature is set up in the app, attempting to log in to a Google service via Chrome on another device such as a laptop results in a push notification being sent to their iOS device.

The user then has to unlock their ‌iPhone‌ or ‌iPad‌ using Face ID or Touch ID and confirm the log-in attempt via the Smart Lock app before it can complete on the other device.

After installing the update, users are asked to select a Google account to set up their phone's built-in security key. According to a Google cryptographer, the feature makes use of Apple's Secure Enclave hardware, which securely stores ‌Touch ID‌, Face ID, and other cryptographic data on iOS devices.

The Smart Lock app requires that Bluetooth is enabled on both the ‌iPhone‌/‌iPad‌ and the other device for two-factor authentication to work, so they have to be in close proximity, but the advantage of the system is that it ensures the process is localized and can't be leaked onto the internet.

The Google Smart Lock app is a free download for ‌iPhone‌ and ‌iPad‌ on the App Store. [Direct Link]

(Via 9to5Google.com)


This article, "iPhones Can Now Be Used to Generate 2FA Security Keys for Google Accounts" first appeared on MacRumors.com

Discuss this article in our forums

Track Santa’s Journey From the North Pole Using Google’s Santa Tracker

MacRumors readers with children who still believe in Santa Claus may be interested to know that Google today launched its annual Santa tracking feature, allowing Santa to be tracked in real time on his journey to the North Pole as he prepares to deliver presents to kids around the world.

Google has provided its Santa tracking feature for a total of sixteen years now, giving children around the globe access to a little digital magic.


Santa can be tracked using a web browser on iPhone, iPad, or Mac by visiting Google's official Santa Tracking website. The site offers up a live map of Santa's current location, his next stop, a live video feed of his journey, and the estimated time that he will arrive in each specific location.

The Santa site provides pictures of locations that Santa has already visited, a live count of gifts that have been delivered, and Santa's current distance from your location. There are also a selection of games to play and videos to watch.

Other Santa tracking services are also available, such as the NORAD Tracks Santa Claus app and website, but Google's site is often the most interactive and detailed.

Tag: Google

This article, "Track Santa's Journey From the North Pole Using Google's Santa Tracker" first appeared on MacRumors.com

Discuss this article in our forums

iPhone 11 Was a Top 5 Trending Search on Google This Year

Google has shared its annual Year in Search lists, revealing that "iPhone 11" was the fifth-most trending search term on a worldwide basis in 2019, behind India vs South Africa, Cameron Boyce, Copa America, and Bangladesh vs India.


In the United States, "Disney Plus" was the most trending search term, while "iPhone 11" ranked ninth. The lists are based on search terms that had the highest spike this year when compared to the previous year, according to Google.

No other smartphones cracked Google's top 10 trending search terms this year in either the United States or worldwide.


Apple released the iPhone 11, iPhone 11 Pro, and iPhone 11 Pro Max in September.

Visit the Year in Search page on Google Trends to view other popular searches.

(Hat tip to AppleInformed!)

Related Roundup: iPhone 11
Tag: Google
Buyer's Guide: iPhone 11 (Buy Now)

This article, "iPhone 11 Was a Top 5 Trending Search on Google This Year" first appeared on MacRumors.com

Discuss this article in our forums

Google Brings Incognito Mode to Google Maps App for iOS

Google today announced that it is extending Incognito mode to Google Maps on iOS devices, allowing users to look for directions privately without that information being saved to a Google Account.

Google introduced Incognito mode for Android devices earlier this year as part of a 2019 focus on making it easier to control, manage, and delete Location History information.


When you make a search in Google Maps while logged in to your Google Account, the places that you search for are saved to power features like restaurant recommendations and are added to your Location History.

When searching for a location in Google Maps in Incognito mode, the iPhone will not update Location History so places visited will not be saved to the Timeline, nor will personalization features in Maps be available.

Google Maps is also gaining a new bulk delete option for the Timeline, which uses Location History to help users remember the places and routes they've visited. With the bulk delete option, it's easier to find and delete multiple places from Timeline and Location History all at once.


This article, "Google Brings Incognito Mode to Google Maps App for iOS" first appeared on MacRumors.com

Discuss this article in our forums

Testing Google’s New ‘Stadia’ Cloud Gaming Platform on a Mac

Google this week began rolling out its new cloud gaming service, known as Stadia, which is designed to let you play games wherever WiFi is available on smartphones, laptops, tablets, TVs, and more.

Google Stadia doesn't work on the iPhone at this time (though you can use the app to manage your account), but you can play games on the Mac so we thought we'd give it a try in our latest YouTube video.

Subscribe to the MacRumors YouTube channel for more videos.

Right now, Stadia is available to those who ordered the Founders Edition bundle, which was priced at $129, but it will soon be available to everyone.

There are a few cloud-based gaming services on the market such as PlayStation Now and GeForce NOW, so Google Stadia isn't a new concept, but Google promises a simple hassle-free experience that works cross platform.

Basically, to use Google Stadia, you sign up for an account ($9.99 per month for 4K streaming and a selection of free games) and then you can access games on a Mac, Windows PC, Chromebook, or a TV using a Chromecast Ultra, with Stadia also available on Pixel 2, 3, and 4 smartphones running Android 10.

The $9.99 per month fee is to access the Stadia platform. You still need to purchase games separately, and major titles are going to cost anywhere from $30 to $60. There aren't a ton of games available right now, but you can play Red Dead Redemption 2, Rise of the Tomb Raider, Mortal Kombat 11, and a handful of other popular games.

We tested Stadia on a new 16-inch MacBook Pro, and found it to be simple and straightforward to use. All of our games were available right away after logging in to Google Stadia via a web browser, with no downloading or installing required to play.

Because these are cloud-based games, you can pick up where you left off on any compatible device, so a game started on the Mac can later be picked up on the TV.

Setup was simple, but the gameplay experience was, well, average. In testing, there was quite a bit of lag and several drops in resolution. Gameplay would be stable for a bit, but we also ran into some stretches where the gameplay was terrible.

Game quality also depended on the game. With Destiny, for example, we saw some hiccups but it was mostly stable, but with NBA 2K20, the game refused to recognize certain button presses and it just didn't work well, suggesting not all games are quite as optimized as they should be. Google definitely has some bugs to work out.

The Stadia service works with any Bluetooth controller, but Google has designed its own Google Stadia controller that shipped with its Founders Edition bundle. We used the Stadia controller, which is pretty similar to an Xbox controller.

Using Google Stadia requires a solid internet connection, so it's not for people who have slow connection speeds. You need at least 35Mb/s for 4K gaming, but even with a connection 10 times that, we had the aforementioned lag issues.

As mentioned before, Stadia is priced at $9.99 per month, but Google is also working on a free tier next year that won't have a monthly fee and will be limited to 1080p quality.

The Founder bundle that we tested Stadia with is no longer available, but Google does have a similar "Premiere" bundle that includes the white Stadia controller (instead of the blue founder model), a Chromecast Ultra, and 3 months of "free" Stadia Pro service. After that, it will cost $9.99 per month.

Cloud gaming has been picking up in popularity over the course of the last few years, and now that Google has launched a cloud gaming service (Microsoft has one in the works too), it doesn't seem out fo the realm of possibility that Apple could launch something similar in the future as an expansion of Apple Arcade.

What do you think of Google's Stadia cloud gaming service? Let us know in the comments.

Tag: Google

This article, "Testing Google's New 'Stadia' Cloud Gaming Platform on a Mac" first appeared on MacRumors.com

Discuss this article in our forums

Android Security Flaw Let Apps Access People’s Cameras for Secret Video and Audio Recordings

A security flaw in Android smartphones from companies like Google and Samsung allowed malicious apps to record video, take photos, and capture audio, uploading the content to a remote server sans user permission.

The vulnerability was discovered by security firm Checkmarx, and was highlighted today by Ars Technica. The flaw had the potential to leave high-value targets open to having their surroundings illicitly recorded by their smartphones.

Image via Checkmarx

Android is meant to prevent apps from accessing the camera and the microphone on a smartphone without user permission, but with this particular exploit, an app could use the camera and the microphone to capture video and audio without express user consent. All an app needed to do was get permission to access a device's storage, which is commonly granted as most apps ask for this.

To demonstrate how the flaw worked, Checkmarx created a proof-of-concept app that appeared to be a weather app on the surface but was scooping up copious amounts of data in the background.

The app was able to take pictures and record videos even when the phone's screen was off or the app was closed, as well as access location data from the photos. It was able to operate in stealth mode, eliminating the camera shutter sound, and it could also record two-way phone conversations. All of the data was able to be uploaded to a remote server.

When the exploit was used, the screen of the smartphone being attacked would display the camera when recording video or taking a photo, which would let affected users know what was going on. It could be used secretly when a smartphone display was out of sight or when a device was placed screen down, and there was a feature for using the proximity sensor to determine when a smartphone was facedown.

Google addressed the vulnerability in its Pixel phones through a camera update that was launched back in July, and Samsung has also fixed the vulnerability, though it's not known when. From Google:
"We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners."
From Samsung:
"Since being notified of this issue by Google, we have subsequently released patches to address all Samsung device models that may be affected. We value our partnership with the Android team that allowed us to identify and address this matter directly."
According to Checkmarx, Google has said that Android phones from other manufacturers could also be vulnerable, so there may still be some devices out there that are open to attack. Google has not disclosed specific makers and models.

Since this is an Android bug, Apple's iOS devices are not affected by the security flaw.

It's not known why apps were able to access the camera without user permission. In an email to Ars Technica, Checkmarx speculated that it could potentially be related to Google's decision to make the camera work with Google Assistant, a feature that other manufacturers may have also implemented.


This article, "Android Security Flaw Let Apps Access People's Cameras for Secret Video and Audio Recordings" first appeared on MacRumors.com

Discuss this article in our forums

Apple Watch Competition to Grow as Google Plans Its Own Wearables Following Fitbit Acquisition

Google today announced it plans to release its own "Made by Google" wearables following its $2.1 billion acquisition of fitness tracker maker Fitbit. The deal is expected to close in 2020 pending regulatory approvals.
Over the years, Google has made progress with partners in this space with Wear OS and Google Fit, but we see an opportunity to invest even more in Wear OS as well as introduce Made by Google wearable devices into the market. Fitbit has been a true pioneer in the industry and has created engaging products, experiences and a vibrant community of users. By working closely with Fitbit's team of experts, and bringing together the best AI, software and hardware, we can help spur innovation in wearables and build products to benefit even more people around the world.
Fitbit confirmed that it will continue to support both Android and iOS, and that Fitbit health data will not be used for Google ads.

Tags: Google, Fitbit

This article, "Apple Watch Competition to Grow as Google Plans Its Own Wearables Following Fitbit Acquisition" first appeared on MacRumors.com

Discuss this article in our forums

Google Reportedly in Talks to Acquire Apple Watch Competitor Fitbit

Google is in talks to acquire popular fitness tracker maker Fitbit, according to Reuters, which could help the company better compete with the Apple Watch along with its existing Wear OS smart watch platform.


The report claims there is no certainty that the negotiations between Google parent company Alphabet and Fitbit will lead to any deal, and the exact price that Google has offered for Fitbit is unknown at this time.

Google does not currently sell any own-brand fitness trackers or smart watches, but its Wear OS platform runs on smart watches sold by several third-party brands, such as LG, Huawei, and Fossil.

Related Roundups: Apple Watch, watchOS 6
Tags: Google, Fitbit
Buyer's Guide: Apple Watch (Buy Now)

This article, "Google Reportedly in Talks to Acquire Apple Watch Competitor Fitbit" first appeared on MacRumors.com

Discuss this article in our forums

Hands-On With Google’s MacBook Air-Style Pixelbook Go

Google earlier this month unveiled the Pixelbook Go, a new premium Chromebook that's similar to a MacBook Air or a MacBook Pro, but Chrome OS.

In our latest video, we went hands-on with the Pixelbook Go to see how it measures up to Apple's ‌MacBook Air‌ (the two have similar price points) and whether or not it can serve as a ‌MacBook Air‌ replacement.

Subscribe to the MacRumors YouTube channel for more videos.

Design wise, the Pixelbook Go looks rather similar to a MacBook featuring a lightweight chassis, a large trackpad, a 13-inch display with slim side bezels and a thicker top/bottom bezel, a keyboard with speaker grilles at each side, and a similar hinge mechanism.

A G logo at the top and a wavy, bumpy textured feel at the bottom sets it apart from the ‌MacBook Air‌. Like Apple's MacBooks, the Pixelbook Go offers a simple, clean design.


Pricing on the Pixelbook Go starts at $649 for an Core M3 processor and 64GB of storage, but we tested the upgraded Core i5 model with 8GB RAM and 128GB of storage, which is priced at $849. That's the model most similar to the entry-level ‌MacBook Air‌, which comes with a 1.6GHz Core i5 processor, 128GB of storage, and 8GB RAM for $1,100.

The Pixelbook Go is cheaper than the ‌MacBook Air‌, but there are some areas where it is definitely lacking in comparison. When it comes to the display, for example, it's adequate, but the HD quality just doesn't measure up to the ‌MacBook Air‌'s Retina display. There is an upgraded version of the Pixelbook Go with a 4K display, but that machine is priced at $1,400.

One area where the Pixelbook Go shines is its keyboard. The keyboard doesn't look too different from a MacBook keyboard, but it's super quiet thanks to Google's Hush Keys feature, satisfying to type on, and has the perfect amount of key travel. There are also custom keys, including a key for activating Google Assistant. There are speakers located to each side of the keyboard, and the sound quality is solid. The speakers are a touch louder than the ‌MacBook Air‌'s speakers at maximum volume, but the ‌MacBook Air‌ wins out when it comes to sound quality.


There's a MacBook Air-style trackpad on the Pixelbook Go, but MacBook competitors often have a hard time replicating the feel of Apple's trackpad, and the Pixelbook Go is no exception. There's a physical trackpad button that feels clunky and outdated compared to Apple's Haptic Trackpad.

The Pixelbook Go offers up to 12 hours of battery life, which is the same claim that Apple makes about the ‌MacBook Air‌. In practice, we see around five to eight hours of battery life from the ‌MacBook Air‌ depending on usage, and the Pixelbook Go has been hitting around eight hours.

There are two USB-C ports on Pixelbook Go (one on each side) along with a 3.5mm headphone jack, which is the same general port setup the ‌MacBook Air‌ offers, though the ‌MacBook Air‌ supports Thunderbolt 3.

What really sets the Pixelbook Go apart from the ‌MacBook Air‌ is the operating system. While the ‌MacBook Air‌ runs the full version of macOS, the Pixelbook Go uses Chrome OS. Chrome OS is a Linux-based OS that supports Chrome apps and some Android titles, but it is in general more limited in scope than macOS.


Chrome OS is designed for everyday tasks like browsing the web, creating documents, taking notes, and sending emails rather than more specialized tasks like photo and video editing. Technically, most people who buy something like an entry-level ‌MacBook Air‌ are probably primarily using it for the same purposes, but you do have a bit more flexibility with macOS.

The option to download Android apps has made Chrome OS more useful over the course of the last several years, and there are, for example, apps for photo and video editing, though we wouldn't recommend them for regular full-time usage.

All in all, for most people, the upgrade to the ‌MacBook Air‌ over the Pixelbook Go may be worth the price differential given the better screen quality and the option to use macOS, though it's still much cheaper than the ‌MacBook Air‌ when it comes to the entry-level $649 option. The Pixelbook Go is one of Google's nicest Chromebooks in terms of design, hardware, and the complete Google experience, so it is likely the better choice for those who prefer a Google ecosystem.

What do you think of the Pixelbook Go? Would you use it over a ‌MacBook Air‌? Let us know in the comments.

Tags: Google, Chrome

This article, "Hands-On With Google's MacBook Air-Style Pixelbook Go" first appeared on MacRumors.com

Discuss this article in our forums