Apple's iCloud Activation Lock, designed to disable stolen iOS devices, can be bypassed by fiddling with the login screen and iPad smart cover, potentially letting thieves wipe the devices and resell them.
In a report published this week, a security blogger identified a creative way to disable Activation Lock. Hemanth Joseph, a self-described "cyber security enthusiast" from India, uploaded a YouTube video in which he floods an iPad's Wi-Fi network login screen with character inputs and then opens and closes its Smart Cover.
Doing so takes advantage of a loophole in Apple's Wi-Fi login system: its password field apparently has no character limit, so entering an extremely long password will cause it to crash, after which opening and closing the iPad's smart cover will cause it to display the home screen. From there, a thief could restore the device as new and sell it online.
The Activation Lock was introduced in iOS 7. When it's working properly, it requires an Apple ID and password to reactivate an iOS device if its owner loses it and remotely wipes it using the Find My iPhone feature.
In a blog post, Joseph wrote that he shared his findings with Apple on Nov. 4, and the company responded a few days later that it was investigating the issue. An Apple representative did not immediately respond to a request for comment about its plans to fix the vulnerability.
The Activation Lock feature has been a hacking target before. In 2014, two hackers released a tool that allowed users to plug a bricked iOS device into their computer and alter the "hosts" file inside. The iPhone or iPad was then tricked into connecting to a hacked server, which unlocked the gadget.

Apple has backtracked on a plan to force iOS developers to encrypt their app communications by the end of the year.
The company had previously announced at its Worldwide Developers’ Conference in June that all apps submitted to the App Store will need support the App Transport Security (ATS) feature starting January 1st, 2017. It has not yet set a new deadline.
ATS is a feature first introduced in iOS 9 that forces apps to communicate with internet servers using encrypted HTTPS (HTTP over SSL/TLS) connections. It’s an improvement over the third-party frameworks that developers previously used to implement HTTPS because it ensures that only industry-standard encryption protocols and ciphers are used.
Even if ATS is enabled by default in iOS, on a technical level app developers can disable some of its features or can opt out of it entirely through various exception settings that ATS makes available.
A recent study performed by security firm Appthority on the top 200 apps present on iOS enterprise devices showed that 97 percent of them bypassed at least some ATS requirements and weakened the default and recommended configuration.
Apple planned to include ATS compliance as a requirement in its App Store review process starting next year and to require reasonable justifications for any exceptions. However, as the Appthority study showed, many developers are unprepared to fully enable ATS in their apps.
“At WWDC 2016 we announced that apps submitted to the App Store will be required to support ATS at the end of the year,” Apple said in an announcement on its developer site Wednesday. “To give you additional time to prepare, this deadline has been extended and we will provide another update when a new deadline is confirmed.”
There are many reasons why developers might not be ready or even able to encrypt all of their apps’ traffic. For example, many apps integrate with third-party advertising, analytics and media hosting services and the adoption of HTTPS by those services is not something that app developers can control.
As of December 22, the 3 percent ATS readiness figure among iOS apps had grown to only 5 percent, the Appthority researchers said Thursday in a blog post. “We assume that Apple, too, realized that an unacceptably high number of apps would fail to meet the ATS deadline unless it was extended.”
The researchers believe that even if Apple hasn’t abandoned its plans for full ATS compliance, this is not something that can be achieved very soon, which is probably why a new deadline hasn’t been announced yet.

Features

Apple has been working to dramatically improve its Maps app ever since it’s botched launch back in 2012. And it’s been successful: Maps is now packed with great features, thanks in part to Apple’s fleet of minivans capturing on-the-ground data. But it’s still not Google Maps, so Apple has a new plan.
According to Bloomberg, the company is reportedly planning to use drones to quickly update Maps with fresh data, like road conditions, street sign changes, and construction updates, and other information that car cameras would have difficulty photographing.
Last fall, Apple applied for permission from the Federal Aviation Administration to fly its drones for commercial purposes, back when that was restricted. Now the FAA has guidelines in place for commercial drones, but the rules prevent companies from flying drones over buildings or people.

New Maps features coming soon

Apple isn’t just trying to beat Google at its own outdoor mapping game. The company is also trying to compete with indoor mapping, which would let you use your iPhone to find your way around large, busy buildings like airports and museums. The technology comes courtesy of indoor mapping startup Indoor.io, which Apple bought last year.
Apple has been interested in indoor location-tracking for years, using the iBeacon protocol with indoor positioning to allow venues to send notifications when you’re near a physical Bluetooth touchstone (and have Bluetooth turned on with the venue’s app installed). We saw this in action with MLB’s At the Ballpark app at Citi Field, home of the New York Mets, back in 2013.
Google Maps already offers indoor maps, and it’s unclear if Apple’s will be more sophisticated or simply on par with the competition. Either way, Apple’s rumored Maps upgrades are significant, and a sign that Tim Cook and co. really are betting big on services—even ones that don’t contribute outright to the company’s bottom line.