@mysk@mastodon.social

mysk

We're two #iOS developers and occasional #security researchers on two continents. #CyberSecurity 🇨🇦🇩🇪

mysk, to random

Just skipped Setapp free trial and started a paid subscription. We'll support all alternative marketplaces. We're lucky that half of our team is located in the EU so we have the chance to experience alternative app stores on the iPhone.

mysk, to random

Just installed @Setapp, a very promising alternative marketplace in the EU. BUT it's unclear if such stores are going to survive a surge of undetected installs due to the lack of device identifiers.

Marketplaces might end up owing Apple loads of unexpected Core Technology Fees. I was able to copy the MarketplaceKit call. And with that, I installed the marketplace app on multiple devices signed in with different Apple IDs. Of course, I will pay for a subscription to cover the CTF costs 🫠

mysk, to apple

Holy moly!
iPhone users in the EU: DO NOT delete your alternative marketplace apps

iOS 17.5 breaks alternative marketplace app re-installation. MarketplaceKit now generates a different client_id every time it is called. Now there's no way for alternative marketplace developers to identify users who have already purchased the marketplace app.

Apple fixed a security issue we reported about the way MarketplaceKit handles client_id. Now developers can't estimate CTF they owe #Apple.

Screenshot of a request sent by MarketplaceKit including a client_id generated per request.
Screenshot of Apple documentation about client_id: client_id: A value that iOS randomly generates once per marketplace, device, and account combination.
Screenshot of Apple's security advisory:
MarketplaceKit
Available for: iPhone XS and later
Impact: A maliciously crafted webpage may be able to distribute a script that tracks users on other webpages
Description: A privacy issue was addressed with improved client ID handling for alternative app marketplaces.
CVE-2024-27852: Talal Haj Bakry and Tommy Mysk of Mysk Inc. (@mysk_co)

mysk, to privacy

iOS 17.5 fixes the marketplace URI bug that we showed could result in tracking users across websites:

CVE-2024-27852

https://support.apple.com/en-us/HT214101

stroughtonsmith, to random

I think with Apple's latest changes to the Core Technology Fee, we're starting to see some of the elements that might actually work when all's said and done. Specifically, developers self-reporting company revenue — I think the only way to make the CTF fair is to have a flat fee, per year, that scales based on how much money your company makes. If you make $0, you pay $0. If you're Spotify, you pay $Ms. That takes away Apple's per-install tracking; devs don't need a nanny, they need a partner

mysk,

@stroughtonsmith The amount owed to Apple should be capped at some point. It's unrealistic that if your business makes $∞, then you owe Apple $∞. Software licenses aren't based on income. In music production for example, you pay around $300 for a digital audio workstation (DAW), then you can produce a song that might make millions in revenues. You won't pay the DAW developer any cut of your revenues. Plus, macOS developers don't pay any CTF.

mysk, to iOS

Starting May 1, developers need to describe their use of APIs that can potentially be used for fingerprinting. This is a new App Store requirement. Chrome, Instagram, Spotify, and Threads don’t adhere to their declared reasons.

Details:

https://www.mysk.blog/2024/05/03/apple-required-reason-api/

mysk,

It's May 2, Google Chrome just got updated. It still sends system uptime off-device:

#Privacy #InfoSec #iOS #Apple

mysk,

It's May 2, Spotify just got updated. It still sends system uptime off-device:

#Privacy #InfoSec #iOS #Apple

mysk,

May 3, Threads just got updated. It still sends the device's system uptime off-device:

#Privacy #InfoSec #iOS #Apple

mysk, to Bulgaria

Apple's implementation of installing marketplace apps from websites is heavily flawed and can allow a malicious marketplace to track users across websites, even in private browsing mode. This blog details our findings:

https://www.mysk.blog/2024/04/28/safari-tracking/

mysk, to privacy

Nice! @brave for iOS just got updated to support the new "marketplace-kit" scheme. Brave only calls the scheme when tracker blocking is disabled. As we reported earlier, Apple implemented the new scheme in a way that allows tracking across websites based on the unique client_id.

Now users in the EU can use Brave to safely install alternative marketplaces. We would like to thank Brave for considering our advice about potential .

Screenshot of Brave settings. Trackers & Ads Blocking is set to Standard.
Screenshot of the POST request sent by MarketplaceKit. It shows the client_id sent in the body of the request to the alternative marketplace backend.

mysk, to apple

Apple Music has such a poor recommendation system, even though #Apple apps collect loads of identifiable data about me.

Apple knows what music I like, which podcasts I watch, which books I read, and how I exercise. What are they doing with all this identifiable data?

In contrast, I use a throwaway account to sign in with #Spotify, I pay with gift cards. They don't know who I am. I listen to a couple of tracks, skip a few, and then almost all the recommendations that follow match my taste. 🤯

Screenshot of the privacy nutrition label of Apple Podcasts
Screenshot of the privacy nutrition label of Books
Screenshot of the privacy nutrition label of Fitness

mysk, to random

Holy moly! Apple doesn't seem to provide a way for alternative marketplaces to tell if multiple iPhones are signed in to the same Apple ID. The closest is client_id, but it is unique per device. This makes it impossible to calculate the CTF a developer owes Apple. Interesting how @altstore will solve it without incurring more CTF.
https://fosstodon.org/@altstore/112316617554743986

From Apple documentation about the Core Technology Fee: "The fee aims to meet the needs of both users and developers. Since a first annual install is only counted once per account, developers can deliver unlimited feature updates, bug fixes, and security patches to users for 12 months with no additional fee, regardless of how many devices the user has."

mysk, to iOS

The keyboard text replacement entries or shortcuts in #iOS and macOS are synced with iCloud. The data is not end-to-end encrypted and there is no option to turn the syncing off.

Consider reviewing your shortcuts and deleting the ones you deem sensitive. We asked Apple in January about how users can exclude this data from being synced with #Apple servers. We haven't received a response yet. Remember that Apple is obliged to hand this data to law enforcement given a court order.
#privacy #infosec

mysk, to privacy

The "marketplace-kit" scheme won't hand off the call to the MarketplaceKit process unless it is triggered from a button's onclick event. This seems to be a "security measure" to prevent automatic invocation. But the call can easily be hidden in a search button, for example.

This whole thing is caused by Apple insisting on inserting themselves between the 3rd-party app marketplaces and users.

#privacy #iOS #DMA #Apple #infosec https://mastodon.social/@mysk/112311850389865286

mysk, to apple

As expected, Safari handles the "marketplace-kit" scheme in the background without user interaction. The scheme triggers an internal process that sends a unique clientID to the alternative marketplace server.

The clientID is unique per marketplace, device, and account combination. Surprisingly, any website can trigger sending the unique clientID to the alternative marketplace server.

🧵 (1/3)
#DMA #Apple #iOS #EU #privacy #infosec

Screenshot of Apple documentation: MarketplaceKitURIScheme. A URI scheme that defines an alternative distribution app installation link. This installation scheme defines how a marketplace webpage, or developer app webpage, requests the installation of their app.

mysk,

(2/3)
In theory, websites coordinating with an approved alternative marketplace can use the clientID to track users across websites. All a website needs to do is add a call to the "marketplace-kit" URI Scheme, supply the required parameters, and attach it to an HTML button. We were able to verify this theory in a proof-of-concept website. After obtaining the clientID, we made the remote server terminate the communication. #iOS didn't show any error or alert.
#DMA #Apple #EU #privacy #infosec

mysk,

(3/3)
This confirms the #privacy concerns about a browser sharing a unique device identifier with web servers.

At the moment Safari is the only browser that supports the "marketplace-kit" scheme on iOS. Third-party browsers are expected to add support soon.

Resources:

https://developer.apple.com/documentation/appdistribution/installing-your-app-from-your-website#Retrieve-a-license-for-the-app-from-your-web-server

https://developer.apple.com/documentation/marketplacekit/marketplacekiturischeme

#iOS #DMA #Apple #EU #privacy #infosec

mysk, to random

I was able to install the AltStore app after all. The process in total is too complicated. It's very likely to fail to attract users. It's evident the solution in place is delivered sloppily just to comply with the DMA rules. For example, oftentimes iOS fails to present system prompts (aka scare screens) so the user can proceed with the flow. Instead, the app store app stalls while waiting for that prompt. Watch this embarrassing glitch that Apple would never miss had they done the job willingly:

Screen capture showing that sharing an app downloaded from AltStore would get a link pointing to Apple's App Store. When opening the link, Apple's App Store opens and shows a message that the app is not available.

mysk, to privacy

Woow! A verified YouTube account is impersonating SpaceX's account and broadcasting a livestream about the solar eclipse. The stream shows a deepfake of Elon Musk asking users to scan a QR code on the screen and deposit cryptocurrencies to have them doubled. 95K users are watching it. The domain name seems to be registered in Russia.

A screenshot of the livestream showing a QR code on the screen as the deepfake of Musk is playing. The QR code is redacted.
Screenshot of the scam website. It has onscreen instructions to participate in the fake offer.

mysk, to iPhone

Cool ideas for an alternative app store in the EU:
- Privacy focused, real privacy, not the "We believe privacy is a fundamental human right" nonsense
- An option to remove ads, even if paid
- An option to disable subscription auto-renewals by default

List yours 👇

mysk, to privacy

While @signalapp works to hide phone numbers, Telegram adds a new OTP feature that exposes phone numbers to strangers.

https://www.theverge.com/2024/3/25/24111818/telegram-peer-to-peer-login-otp-two-factor-volunteer

mysk, to apple

From DOJ v Apple:

"In the end, Apple deploys privacy and security justifications as an elastic shield that can stretch or contract to serve Apple's financial and business interests."

https://www.justice.gov/opa/media/1344546/dl?inline
