China

How China Turned a Prize-Winning iPhone Hack Against the Uyghurs (technologyreview.com) 38

An attack that targeted Apple devices was used to spy on China's Muslim minority -- and US officials claim it was developed at the country's top hacking competition. An anonymous reader shares an excerpt from an MIT Technology Review article: The Tianfu Cup offered prizes that added up to over a million dollars. [It was held in November 2018, shortly after the Chinese banned cybersecurity researchers from attending overseas hacking competitions.] The $200,000 top prize went to Qihoo 360 researcher Qixun Zhao, who showed off a remarkable chain of exploits that allowed him to easily and reliably take control of even the newest and most up-to-date iPhones. From a starting point within the Safari web browser, he found a weakness in the core of the iPhone's operating system, its kernel. The result? A remote attacker could take over any iPhone that visited a web page containing Qixun's malicious code. It's the kind of hack that can potentially be sold for millions of dollars on the open market to give criminals or governments the ability to spy on large numbers of people. Qixun named it "Chaos."

Two months later, in January 2019, Apple issued an update that fixed the flaw. There was little fanfare—just a quick note of thanks to those who discovered it. But in August of that year, Google published an extraordinary analysis into a hacking campaign it said was "exploiting iPhones en masse." Researchers dissected five distinct exploit chains they'd spotted "in the wild." These included the exploit that won Qixun the top prize at Tianfu, which they said had also been discovered by an unnamed "attacker." The Google researchers pointed out similarities between the attacks they caught being used in the real world and Chaos. What their deep dive omitted, however, were the identities of the victims and the attackers: Uyghur Muslims and the Chinese government.

Shortly after Google's researchers noted the attacks, media reports connected the dots: the targets of the campaign that used the Chaos exploit were the Uyghur people, and the hackers were linked to the Chinese government. Apple published a rare blog post that confirmed the attack had taken place over two months: that is, the period beginning immediately after Qixun won the Tianfu Cup and stretching until Apple issued the fix. MIT Technology Review has learned that United States government surveillance independently spotted the Chaos exploit being used against Uyghurs, and informed Apple. (Both Apple and Google declined to comment on this story.) The Americans concluded that the Chinese essentially followed the "strategic value" plan laid out by Qihoo's Zhou Hongyi; that the Tianfu Cup had generated an important hack; and that the exploit had been quickly handed over to Chinese intelligence, which then used it to spy on Uyghurs. The US collected the full details of the exploit used to hack the Uyghurs, and it matched Tianfu's Chaos hack, MIT Technology Review has learned. (Google's in-depth examination later noted how structurally similar the exploits are.) The US quietly informed Apple, which had already been tracking the attack on its own and reached the same conclusion: the Tianfu hack and the Uyghur hack were one and the same. The company prioritized a difficult fix.

Apple

Apple Offered Special App Store API Access To Hulu and Other Developers (macrumors.com) 12

App Store Vice President Matt Fischer is on the stand answering questions from Apple and Epic lawyers, and one of the emails shared as evidence confirms that Apple has established special deals with major app developers like Hulu. From a report: In 2018, a tweet from developer David Barnard commented about App Store subscriptions being automatically cancelled through the StoreKit API, questioning why there hadn't been more offers to swap billing away from the App Store. Matt Fischer asked Cindy Lin about it, and she explained that Hulu is a developer with special access to a subscription cancel/refund API. Hulu is part of the set of whitelisted developers with access to subscription cancel/refund API. Back in 2015 they were using this to support instant upgrade using a 2 family setup, before we had subscription upgrade/downgrade capabilities built in. Apple does not further detail who other developers with special access might have been in the correspondence, but these are not features that all developers have access to. Apple has long said that the App Store provides a "level playing field" that treats all apps in the App Store the same with one set of rules for everybody and no special deals or special terms, but it's clear that some apps are indeed provided with special privileges.

Science

Study: Using Apple's Night Shift To Improve Your Sleep? Don't Bother (arstechnica.com) 54

Researchers at Brigham Young University conducted a study to see how much blue-light-reducing features like Apple's Night Shift improve sleep quality. Their conclusion? Night Shift doesn't help at all. From a report: In the study, which was published in Sleep Health, the BYU researchers assessed the sleep quality of 167 young adults, asking each to wear a wrist accelerometer before sleep. Participants were randomly assigned three conditions regarding iPhone use before bed: one group didn't use their iPhones at all, one group used their iPhones without Night Shift enabled, and another group used their iPhones with Night Shift enabled. "There were no significant differences in sleep outcomes across the three experimental groups," the researchers concluded. For individuals who slept more than 6.8 hours per night, there was some improvement in sleep quality for those who did not use their smartphones at all. But Night Shift didn't have a significant impact, and there was no difference between those who used smartphones and those who didn't when the amount of sleep was less than 6.8 hours per night. "This suggests that when you are super tired, you fall asleep no matter what you did just before bed... the sleep pressure is so high, there is really no effect of what happens before bedtime," said Chad Jensen, one of the researchers.
