How Apple could fix the Mac App Store

December 3rd, 2015 | Edited by | software

A few simple changes—and one major change—could improve the Mac App Store experience for both developers and customers.
Because I recently discussed the tradeoffs involved in selling apps only on the Mac App Store, some are convinced I hate the entire concept of the App Store. That’s not the case, though—I just think the current implementation is flawed and leads to bad experiences for both developers and sellers.
However, with a few simple changes—and one not-so-simple change—the Mac App Store really could be the place to shop for Mac software, instead of a place where you only find apps that meet Apple’s narrow definition of what an app should be.

The simple changes

The following changes should be relatively easy for Apple to implement, as none involves fundamentally altering the store’s operations. They are, in fact, mostly policy changes as opposed to complex technical changes.

Allow demos

There are no technical reasons Apple couldn’t offer demos. They could issue a license that expires in a given number of days or after a given number of uses. As a user, I know I like to try apps before I buy. As a developer, I want users to try my apps before they buy so they know they’re getting what they want.

Allow refunds

While you can’t get refunds on software you purchase at retail stores, Mac developers have long offered refunds on downloadable software. Panic, BareBones, Smile, and yes, even us at Many Tricks (and probably hundreds more) all have generous refund policies. I can’t speak for the others, but we see less than a 1 percent refund rate, which is an acceptable trade-off for a customer-friendly policy. So why can’t Apple officially offer refunds, too?

Allow paid upgrades

For many independent developers, reduced-cost (but still paid) major-version upgrades are a key revenue source. They’re also a benefit for existing customers, as they save money compared to the full cost of the new app.
For apps we sell in the App Store, we have to either choose to release a major new release for free, or set it up as a new app and list it at a discounted price to simulate upgrade pricing. But by doing this, everyone gets the low price, and prior customers aren’t rewarded for their original purchase.
Apple could easily let developers designate a release as a paid upgrade with its own price, available only to those who already own the app.

Treat the Mac App Store like an equal

If you compare the Mac App Store to the iTunes Store, the Mac App Store is clearly the ignored child. iTunes Store apps can use videos to demonstrate how they work. iTunes Store developers can use Apple’s TestFlight to beta test their apps. iTunes Store apps can implement app analytics to help with marketing and design decisions. The Mac App Store gets none of these tools. Speaking for Many Tricks, we’d use all of these tools if they were available.

Allow interaction between developers and users

Pick any app at random on the Mac App Store, and you’ll find a few one-star reviews that have nothing to do with reviewing the software. Here’s one example, taken at random from a selection of many:
“I purchased this app and trying to burn disk with no success. It keeps crashing and it won’t load at all any more. I’ve gone through five discs with no luck.”
This “review” comes, of course, with a one-star rating. But the user isn’t reviewing the software, they’re asking for tech support help. But the app developers have no way to contact this user to solve their problem. The best they can do is leave another “review,” asking the user to get in touch with them. But it’s not a reply to the review, so there’s little chance the user will see it.
Apple could easily solve this problem by letting the registered developer of the app (you’d have to be logged in using the account associated with your app) send a response message to any posted review. Developers wouldn’t see the user’s address, of course, as it’d first be anonymized by Apple. Amazon, eBay, craigslist, and many other sites do something similar when buyers contact sellers; why can’t Apple?
Regardless of the “how,” something should be done: The current system is broken for both users trying to find actual reviews, and for developers trying to provide support.

The harder change

To really make the Mac App Store a vibrant and lively storefront for Mac apps, Apple should find a way to allow non-sandboxed apps, as well as other currently prohibited apps, into the store. “Danger!” you scream? Keep in mind that the Mac App Store was open for over a year without any sandboxing requirements, and the world didn’t end.
In fact, there are still non-sandboxed apps in the App Store today. Of our own Many Tricks’ products in the App Store, only Name Mangler is actually sandboxed. These non-sandboxed apps exist because Apple allowed them to remain (but not gain new features) in the store if they were there when the sandbox rule went into effect (March of 2012). For over three years, then, thousands of people have been buying and installing non-sandboxed apps, to absolutely no ill effect.
I’m not suggesting that Apple removes the sandbox. Rather, there should be some way for shoppers to browse non-sandboxed apps. Why? Because by removing the sandbox restriction, Apple can showcase an entire range of useful applications that users are not seeing today. Programs that rely on inter-application communication, for example. Programs could do more, too, if they were allowed to implement features that weren’t sandboxable.
Beyond the sandbox, Apple needs to let more complex apps into the store. Microsoft Office; virtualization apps like VMware Fusion and Parallels Desktop; Adobe’s entire product suite; backup apps like Carbon Copy Cloner and Backblaze; alternative browsers such as Firefox and Google Chrome; text expansion utilities like Typinator, TextExpander, and TypeIt4Me. I could go on, but Dan Counsell of RealMac Software has put together a great list (which is still just the tip of the iceberg).
By keeping these apps out of the App Store, Apple is presenting a limited view of just what the Mac can do. And as the Mac App Store is installed on every new Mac, many users probably don’t know any better and think that what they see is what they can get. That’s not good for users, not good for developers, and in the long run, not good for Apple.
But what about the danger, you ask? Every developer in the App Store has to be registered with Apple. They can easily include kill switch functionality that would disable any rogue apps that get through the review process. And yes, every app in the store would still have to go through the review process, and meet Apple’s non-technical requirements for functionality, features, appearance, etc. But the sandbox wouldn’t have to apply, and apps that require extensions or System Preferences panels to run would be welcomed, assuming they passed the rest of the review.
Is this an easy thing for Apple to do? I don’t think so; the implementation details are complex (how would users access these “outside the box” apps? Do they show up in search results?). However, for the good of the platform and the App Store itself, I think it’s critical that the store offer a much broader selection of apps.

The final word

I honestly don’t expect Apple to address every item on this list. I’m not even sure if they’ll address any of them. But for the sake of the store, and its customers and developers, I hope they do implement many of them, at least: In the long run, a much better Mac App Store is better for everyone involved.

Source: www.macworld.com

 

How to add any website to Windows 10’s Start menu

December 1st, 2015 | Edited by | software

In Windows 10 you’ve got tons of choices for desktop programs, and apps from the Windows Store can be useful too. But there are still probably a few key webpages you turn to every day instead of a desktop program or modern UI app.
Wouldn’t you love to have those key sites available to you on the Windows 10 Start menu? Here’s how to do that.

The Edge way

Open Microsoft Edge and then navigate to the page you want to add. In the upper right-hand corner, click the three horizontal dots, and then from the drop down menu select Pin this page to Start. A pop-up window will appear asking you to confirm. Click Yes and you’ll find the site at the bottom of the live tile section in your Start menu.
The downside of this method is that links will only open in Edge. Fortunately, there’s a way around that. If you want links to open in your default browser instead of Edge, you have to use a little bit of trickery, but nothing too complicated.

The non-Edge way

Open Internet Explorer and navigate to the webpage you want to add to Start. For our purposes, let’s say it’s Facebook.
Once you’re on Facebook, right-click in an open space on the site and select Create shortcut from the context menu. IE will then show a pop-up window asking if you want to create a desktop shortcut. Click Yes.
To do the same thing in Chrome and Firefox, go to the address bar and click-and-drag the icon to the left of “http,” and drop it on the desktop. The icon will either be a green lock, a rectangular piece of paper, or a globe.
Pro Tip: In my experience, you’ll generally get better looking icons using Internet Explorer for this step.
Next, right-click the desktop icon you just created and select Copy.

Add to Start

Now type “run” into the Cortana/search box. The top choice should be the Run desktop app.
Once Run opens, type in shell:programs, click OK, and an Explorer window will open.
Now just right-click in the main part of that window (be careful not to accidentally open a folder) and select Paste.
Your website is now in Start but it’s buried in the “All apps” list. To remedy this, just click Start > All apps and scroll down to the listing in the alphabetical list. Since we’re doing Facebook we’ll look under “F”.
Once you find it, just click-and-drag it onto the live tiles (right) side of the Start menu and you’re done.
After you’ve added your webpages to Start, feel free to delete your shortcuts from the desktop.
If you’d like to take this a step further and add an entire section of websites to Start, check out our earlier tutorial on customizing the Windows 10 Start menu. This will teach you how to group tiles together.
The catch with websites using the non-Edge method is you can’t remove them from Start through the right-click context menu. Instead, you have to type shell:programs into Run and then delete the shortcuts in the Explorer window that opens.

Source: www.pcworld.com

New Chrome vulnerability can hand over control of your Android phone with just a link

November 21st, 2015 | Edited by | software

Fortunately, Google is already aware of the exploit, but it’s another sign of how essential regular security updates have become.

A security researcher revealed a new exploit that could allow someone to take control over someone else’s Android phone remotely with just one Chrome link.
Researcher Guang Gong showcased this nefarious plan at MobilePwn2Own, part of Tokyo’s PacSec conference. The full details weren’t revealed, in order to deter anyone with malicious intent from putting it into action.
Gong was able to take control of a Project Fi Nexus 6 by attacking a JavaScript vulnerability in Chrome. Through the exploit, he installed an application granting total access to the phone without any user notification.

Luckily, a member of Google’s security team was at the event, so Google will soon be at work on a patch (along with offering a hefty reward bounty for Gong). As long as you avoid sketchy websites and stick to the Play Store for downloads, you should be fine, but it’s always good to keep an eye on the security landscape.
Why this matters: The Stagefright vulnerability raised the issue of Android security to a higher level because of how easily someone could unknowingly infect their devices from an MMS message. In response, Google now sends out a monthly patch to Nexus devices, while other hardware makers have said they’re going to also step up their security game. It’s badly needed, as Android’s large marketshare demands a robust security structure and update system.
For comprehensive coverage of the Android ecosystem, visit Greenbot.com.

Source: www.pcworld.com

Google Chrome gets new iOS beta program

November 19th, 2015 | Edited by | software

Google is now letting iPhone and iPad users take a cutting-edge version of its browser for a spin. The company on Friday quietly launched a new Chrome for iOS public beta program, which leverages Apple’s TestFlight system to give users the chance to try out a new version of the browser.
Users can sign up by going to Google’s Chrome Beta page on their iOS device, and they’ll then be taken to a form where they can enter their name, email address and agree to Chrome’s terms of service. After that, Google will send an email to confirm their email address.

Opting into the beta program ought to give users access to a version of the Chrome app that will have features before consumers get access to them. According to a post by 9to5Mac, that includes a new app icon that takes advantage of the 3D Touch capabilities built into the iPhone 6S and 6S Plus.
Users can press down hard on the Chrome beta icon and get a quick access menu for running a Web search and opening new tabs in both a standard browser window and Chrome’s Incognito Mode.
However, while it’s possible to put in your name for inclusion in Google’s beta program, it’s not clear how many people will actually get access to it. Apple now allows developers to test early versions of their apps with up to 2,000 people through TestFlight, and it seems like Google has already hit that cap. I applied to join the program with two different email addresses (one already associated with a TestFlight account, one not) and neither of them has been invited to join the beta.
Google may be taking in sign-ups and then weeding out inactive users in order to make room for other testers, but it seems like this program is likely going to be limited to an elite few, at least for the time being.
Like other beta software offerings, the Chrome beta isn’t designed to be the best option for people who want a bug-free browsing experience. Instead, the best people to take part in this testing will be those who want to try out the latest features and don’t mind a few rough edges.

Source: www.pcworld.com

BitLocker encryption can be defeated with trivial Windows authentication bypass

November 17th, 2015 | Edited by | software

Domain-joined Windows computers that use BitLocker should be patched as soon as possible.

Companies relying on Microsoft BitLocker to encrypt the drives of their employees’ computers should install the latest Windows patches immediately. A researcher disclosed a trivial Windows authentication bypass, fixed earlier this week, that puts data on BitLocker-encrypted drives at risk.
Ian Haken, a researcher with software security testing firm Synopsys, demonstrated the attack Friday at the Black Hat Europe security conference in Amsterdam. The issue affects Windows computers that are part of a domain, a common configuration on enterprise networks.
When domain-based authentication is used on Windows, the user’s password is checked against a computer that serves as domain controller. However, in situations when, for example, a laptop is taken outside of the network and the domain controller cannot be reached, authentication relies on a local credentials cache on the machine.
In order to prevent an attacker from connecting a stolen, lost or unattended laptop to a different network and creating a spoofed domain controller that accepts another password to unlock it, the authentication protocol also verifies that the machine itself is registered on the domain controller using a separate machine password.
This additional check doesn’t happen when the controller cannot be reached, because the protocol developers assumed that the attacker can’t change the user password stored in the local cache. However, Haken figured out a way to do it—and it only takes a few seconds if automated.

How it works

First, the attacker sets up a mock domain controller with the same name as the one the laptop is supposed to connect to. He then creates the same user account on the controller as on the laptop and creates a password for it with a creation date far in the past.
When authentication is attempted with the attacker’s password on the laptop, the domain controller will inform Windows that the password has expired and the user will automatically be prompted to change it. This happens before verifying that the machine is also registered on the controller.
At this point the attacker will have the ability to create a new password on the laptop, which will replace the original one in the local credentials cache.
Logging in while connected to the rogue domain controller would still fail, because the controller does not have the machine password. However, the attacker could disconnect the laptop from the network in order to force a fallback to local authentication, which will now succeed because only the user password is verified against the cache.
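The check-ordering flaw described in the steps above can be reproduced in a small model, which makes it easy to see why the local cache must not change until the domain controller has proven it knows the machine. This is an added example, not Windows code or anything from the researcher: the class names, account name, passwords and the `verify_machine_first` switch are all constructed, and the hardened ordering is one way to close the gap in this model, not a description of Microsoft's actual patch.

```python
"""Toy model of the logon flow described above (constructed; not Windows code)."""
from dataclasses import dataclass, field


@dataclass
class DomainController:
    name: str
    users: dict                      # username -> (password, expired?)
    machine_secrets: dict = field(default_factory=dict)  # machine -> secret

    def knows_machine(self, machine, secret):
        return self.machine_secrets.get(machine) == secret


@dataclass
class Laptop:
    machine: str
    machine_secret: str
    cache: dict                      # username -> locally cached password
    verify_machine_first: bool       # False models the flawed ordering

    def logon(self, user, password, dc=None, new_password=None):
        if dc is None:
            # Offline fallback: only the cached user password is checked.
            return "ok-cached" if self.cache.get(user) == password else "denied"
        trusted = dc.knows_machine(self.machine, self.machine_secret)
        if self.verify_machine_first and not trusted:
            return "denied-untrusted-dc"     # hardened: nothing is touched
        stored, expired = dc.users.get(user, (None, False))
        if stored != password:
            return "denied"
        if expired and new_password is not None:
            dc.users[user] = (new_password, False)
            # The cache is rewritten here, ahead of the trust check below.
            self.cache[user] = new_password
            password = new_password
        if not trusted:
            return "denied-untrusted-dc"     # too late in the flawed ordering
        self.cache[user] = password
        return "ok-domain"


def replay(verify_machine_first):
    """Run the article's sequence; returns (online, offline, owner) results."""
    laptop = Laptop("LAPTOP01", "real-machine-secret",
                    {"alice": "original-pw"}, verify_machine_first)
    # Mock controller: same name and account, expired password, no machine secret.
    mock_dc = DomainController("CORP-DC", {"alice": ("guess", True)})
    online = laptop.logon("alice", "guess", mock_dc, new_password="chosen-pw")
    offline = laptop.logon("alice", "chosen-pw")     # network unplugged
    owner = laptop.logon("alice", "original-pw")     # legitimate user, offline
    return online, offline, owner


if __name__ == "__main__":
    print("flawed ordering:  ", replay(False))
    print("hardened ordering:", replay(True))
```

In both orderings the online logon against the mock controller is refused; the difference is whether the cached password has already been replaced by the time that refusal happens.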
This is a logic flaw that has been in the authentication protocol since Windows 2000, the researcher said. However, physical access did not use to be part of the Windows threat model, because in such a situation an attacker could boot from an alternative source, like a live Linux CD, to access the data anyway.
That all changed when BitLocker was introduced in Windows Vista. Microsoft’s full-disk encryption technology, which is available in the professional and enterprise editions of Windows, is specifically designed to protect data in case a computer is stolen or lost—in other words when an unauthorized individual has physical access to it.
BitLocker stores the data encryption key in a Trusted Platform Module (TPM), a secure hardware component that performs cryptographic operations. The key is unsealed from the TPM only if the same boot process is followed as when BitLocker was first activated.
The various stages of the boot process are cryptographically verified, so an attacker with physical access to a BitLocker-enabled laptop will not be able to boot from an alternative OS to read the data stored on its drive. The only possibility left for the attacker in this case is to boot normally to unlock the encryption key and then to bypass the Windows authentication to gain access to the data, which Haken’s attack allows.
Microsoft fixed the vulnerability Tuesday and published the corresponding MS15-122 security bulletin.
This attack shows that when it comes to security, we constantly need to reexamine old truths, Haken said.
BitLocker offers the option to enable preboot authentication using a PIN or a USB drive with a special key on it, in addition to the TPM. However, such configurations are a hard sell for enterprises, because they introduce friction for users and make it difficult for administrators to remotely manage computers, Haken said.
In its own documentation, Microsoft admits that preboot authentication is “unacceptable in the modern IT world, where users expect their devices to turn on instantly and IT requires PCs to be constantly connected to the network.”

Source: www.pcworld.com
