@mysk@mastodon.social
mysk

@mysk@mastodon.social

We're two #iOS developers and occasional #security researchers on two continents. #CyberSecurity 🇨🇦🇩🇪

mysk, to iOS

This screenshot shows the app analytics data sent by two different apps: Duolingo and Tinder. What's the likelihood that both apps are installed on the same device? 💯? 🤯

Both apps use Unity Ads. The data in the screenshot is collected by the Unity Ads framework included in these two apps, and any app that uses Unity Ads. The data is sent to the same Unity server. As a result, Unity Ads can easily fingerprint users and track them across different apps.

mysk, to privacy

This statement is from a court document submitted by Apple's lawyers regarding the App Store data privacy class action lawsuit:

"Given Apple’s extensive privacy disclosures, no reasonable user would expect that their actions in Apple’s apps would be private from Apple."

#Privacy #Security #Cybersecurity #Apple #iPhone #InfoSec #dataprivacy

mysk, to iPhone

🚨🎬 🧵 1/4
Here is what happens when you insert an unlocked SIM card into a locked iPhone:

  • The #iPhone accepts the SIM card and connects to the internet 😳
  • Apple immediately adds the phone number of the SIM card to the Apple ID of the iPhone owner 😲
  • #Apple accepts the new phone number as a username to sign in with the Apple ID of the iPhone owner 😱
  • iOS activates the new phone number for iMessage 🤯

The video:

https://youtu.be/ln-8KnwtdSw

#privacy #security #iOS #iPhone #cybersecurity #infosec

mysk, to privacy

In ads: Our apps mind their business. Not yours.

In court: Given Apple’s extensive privacy disclosures, no reasonable user would expect that their actions in Apple’s apps would be private from Apple.

#Privacy #Security #Cybersecurity #Apple #iPhone #InfoSec #dataprivacy

mysk, to privacy

🚨🎬 Privacy Concerns about Apple Push Notifications

TL;DR: data-hungry apps use push notifications as a trigger to send app analytics and device information to their remote servers, even if the apps aren't running at all on your iPhone. Such apps include TikTok, Facebook, FB Messenger, Instagram, Threads, X, and many more.

Watch this video to see it in action:
https://youtu.be/4ZPTjGG9t7s

🧵 1/9

#Privacy #Security #Cybersecurity #Apple #iPhone #Facebook #TikTok #InfoSec #iOS

mysk, to privacy

Security Tip: If you use a VPN to hide your real IP address from an app, say TikTok, make sure the VPN connection is configured to use the "Always on" option, because if you receive a push notification from TikTok while the VPN is off, your IP will leak.
More here: 👇

https://mastodon.social/@mysk/111816751385137545

mysk, to privacy

Just detected a call made by my iPhone seemingly sending my iOS keyboard data to an iCloud server. The domain name icloud-content[.]com is owned by Apple but not the one normally used for syncing iCloud data. The 316 KB of keyboard data is marked as "UserWords"

The data is encrypted and I couldn't get a clue of its content. The only keyboard data that is synced via iCloud is the text replacement dictionary.....

... 1/2

On-device suggestions When you ask Siri to read or search for information on your device, such as in Messages and Notes, and when Siri provides suggestions, like through widgets and Siri Search, all your personal information is kept on your device rather than being sent to Apple servers. Siri Suggestions in the QuickType keyboard are made possible by an Apple-developed neural network language process that also runs directly on your device.

mysk,

iCloud syncs QuickType Keyboard learned vocabulary across devices. The data is end-to-end encrypted. There doesn't seem to be an option to disable it. If you find a way to disable it, share it with us.

It is worth noting that the Text Replacement dictionary is synced without end-to-end encryption. Because when you request a copy of your data, you'll find the dictionary.

This Apple support document explains it:

https://support.apple.com/en-us/102651

mysk, to iOS

Apple has already decided to disable Progressive Web Apps (PWAs) in the EU, but PWA developers in the EU should have an option to run and test their PWA apps on a real iPhone for users outside the EU.

A developer mode or Safari feature flag to enable PWAs would suffice.

#iOS #PWA #WebApp #Apple #EU #DMA

Out-of-context screenshot of WebKit feature flags view in the settings of Safari for iOS

mysk, to web

Apple support for Progressive Web Apps has always been minimal. Look no further than searching for "PWA" on Apple Developer website; 0 hits. But Apple's move to support PWA push notifications lured developers into thinking that Apple would empower PWAs more in the future.
.....

🧵
1/2

#Web #PWA #iOS #Apple #iPhone #EU #DMA

Screenshot of searching for "PWA" on Google Developers website. The search resulted in 210 hits.

mysk, to Bulgaria

PWAs won't work on iOS, but only in the EU.
Q: Why is it a big deal?
A: 🧵

Most businesses choose PWA apps because they want to:
1- Avoid app stores
2- Write one code for both iOS and Android

With Apple removing PWA support in iOS for EU users, businesses now have to:
1- Write a PWA app for Android users and iOS users outside the EU
2- Write a native app for iOS users in the EU

🧵
1/X
@owa
#EU #Apple #PWA #DMA #iPhone #iOS #Web

mysk,

🧵
3/3

In the end, Progressive Web Apps will disappear. Although Apple has removed support for PWA in the EU only, the ripple effect of this change is poised to end PWAs entirely. This means businesses will have to rely on app stores and their gatekeepers again.

Regardless of whether you are a business or developer in or outside the EU, you will be affected. This is why you should sign this letter:

https://letter.open-web-advocacy.org

@owa
#EU #Apple #PWA #DMA #iPhone #iOS #Web

mysk, to apple

Great news: PWAs are back in the EU, albeit only on WebKit.

Thanks a lot to everyone who echoed the concerns of many developers around the world. Your voice matters, and Apple has listened to it.

https://9to5mac.com/2024/03/01/apple-home-screen-web-apps-ios-17-eu/

mysk, to apple

As expected, Safari handles the "marketplace-kit" scheme in the background without user interaction. The scheme triggers an internal process that sends a unique clientID to the alternative marketplace server.

The clientID is unique per marketplace, device, and account combination. Surprisingly, any website can trigger sending the unique clientID to the alternative marketplace server.

🧵 (1/3)
#DMA #Apple #iOS #EU #privacy #infosec

Apple Documentation MarketplaceKitURIScheme A URI scheme that defines an alternative distribution app installation link. This installation scheme defines how a marketplace webpage, or developer app webpage, requests the installation of their app.

mysk, to iOS

Example of PWA disruption in the EU:

Magenta Musik is an entertainment service, part of the German telecom company, offering information about concerts and festivals. In 2022, Magenta Musik shut down their native apps on both #iOS and #Android and replaced them with a single Progressive Web App (PWA).
#PWA #Web

🧵
1/4

https://www.magentamusik.de/faq-neue-bei-magentamusik

mysk, to apple

Holy moly!
iPhone users in the EU: DO NOT delete your alternative marketplace apps

iOS 17.5 breaks alternative marketplace app re-installation. MarketplaceKit now generates a different client_id every time it is called. Now there's no way for alternative marketplace developers to identify users who have already purchased the marketplace app.

Apple fixed a security issue we reported about the way MarketplaceKit handles client_id. Now developers can't estimate CTF they owe #Apple.

Screenshot of a request sent by MarketplaceKit including a client_id generated per request.
Screenshot of Apple documentation about client_id: client_id: A value that iOS randomly generates once per marketplace, device, and account combination.
MarketplaceKit Available for: iPhone XS and later Impact: A maliciously crafted webpage may be able to distribute a script that tracks users on other webpages Description: A privacy issue was addressed with improved client ID handling for alternative app marketplaces. CVE-2024-27852: Talal Haj Bakry and Tommy Mysk of Mysk Inc. (@mysk_co)
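One way to verify on your own captured traffic which of the two behaviours described in this thread a device shows (one client_id per marketplace, device and account combination, or a fresh one on every request). This is an added example, not code from Mysk or Apple; the JSON capture format and the sample records are constructed for the example, and only the fact that client_id travels in the request body comes from the posts.

```python
"""Classify captured MarketplaceKit-style requests as using a stable or a rotating client_id."""
import json
from collections import defaultdict

# Constructed sample captures (assumed format: one JSON object per request with
# "host", "device", "account" and a "body" that carries "client_id").
# Before the fix: the same id is reused for one (host, device, account) context.
CAPTURE_STABLE = [
    '{"host": "marketplace-a.example", "device": "d1", "account": "u1", "body": {"client_id": "ID-AAA"}}',
    '{"host": "marketplace-a.example", "device": "d1", "account": "u1", "body": {"client_id": "ID-AAA"}}',
    '{"host": "marketplace-b.example", "device": "d1", "account": "u1", "body": {"client_id": "ID-BBB"}}',
]
# iOS 17.5 behaviour as described in the post: a different id on every call.
CAPTURE_ROTATING = [
    '{"host": "marketplace-a.example", "device": "d1", "account": "u1", "body": {"client_id": "ID-111"}}',
    '{"host": "marketplace-a.example", "device": "d1", "account": "u1", "body": {"client_id": "ID-222"}}',
]


def ids_per_context(capture):
    """Map (host, device, account) -> (request count, set of client_id values seen)."""
    counts = defaultdict(int)
    seen = defaultdict(set)
    for line in capture:
        rec = json.loads(line)
        key = (rec["host"], rec["device"], rec["account"])
        counts[key] += 1
        cid = rec["body"].get("client_id")
        if cid:  # a request without an id carries nothing to correlate
            seen[key].add(cid)
    return {key: (counts[key], seen[key]) for key in counts}


def classify(capture):
    """Return "stable", "rotating", or "undetermined" when no context was seen twice.

    A stable id lets the receiving server recognise the same device/account again
    (and, as the posts note, any triggering website contributes to that linkage);
    a rotating id prevents both the tracking and the re-install recognition.
    """
    contexts = ids_per_context(capture)
    repeated = [key for key, (n, _) in contexts.items() if n >= 2]
    if not repeated:
        return "undetermined"
    if any(len(contexts[key][1]) > 1 for key in repeated):
        return "rotating"
    return "stable"
```

Feed the function the requests you captured through a proxy on the device under test; a single request per marketplace is not enough to tell the two behaviours apart, which is why the function reports "undetermined" in that case.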

mysk, to random

Fun announcement for our longtime followers:

We've brought back TextCrafter from the dead!

Our plain and simple notes app is now available again after a long hiatus for just 99 cents (no subscriptions, no fuss!)

It's the same classic app that we last updated in 2016 (The world has only changed a tiny bit since then, eh?). We fixed a few glitches here and there and brought it up to speed to work with the latest versions of iOS, iPadOS, and watchOS.

https://apps.apple.com/app/textcrafter-2-craft-share-text/id394912961

mysk, to apple

🎬 The App Store will continue to be the only place to install apps on the iPhone, even in the EU. Users should be aware that the App Store collects exhaustive usage data and sends it to #Apple. This can't be turned off. We made this video to show how tapping an app link gets recorded in detail.

After tapping a link posted on X, we requested a copy of the Apple ID data and we found this: (76,779 records in 734 days 🤯)
#iOS #AppStore #Privacy #InfoSec #CyberSecurity #DMA

https://youtu.be/39ZN-PQmDWM

mysk, to Bulgaria

Google started showing prompts related to compliance with #DMA in the EU. Now #EU users can stop #Google from linking their data across Google services. Surprisingly, Google didn't use their ambiguous "Got it" pattern. Instead, they show clear options.

Changes won't take effect immediately, but on March 6, 2024.

#Privacy #InfoSec #dataprivacy #dataprotection #privacymatters

Keep your Google services, like YouTube, linked? New laws in the EU mean that, starting on March 6, 2024, Google needs your consent if you want to keep these services linked. When linked, these services can share data with each other and with all other linked Google services to: • Combine data to help personalize content and ads • Develop and improve our services • Measure and improve the delivery of ads • Perform other purposes described in Google's Privacy Policy at g.co/privacypolicy
Things to know: Other settings let you control whether you see personalized content or ads. Linking Google services is not about sharing your data with third-party services.
What data is used: All types of personal data described in Google's Privacy Policy can be shared across linked Google services.
What's not changing: Even if they're not linked, Google services can always share data with each other to prevent fraud and abuse, effectively help you complete tasks, and for certain other purposes.
You're in control. You can change your choices anytime in your Google Account. Choices will take effect on March 6, 2024. Learn more about linked services. Yes, keep linked / No, don't keep linked / More options

mysk, to privacy

Nice! @brave for iOS just got updated to support the new "marketplace-kit" scheme. Brave only calls the scheme when tracker blocking is disabled. As we reported earlier, Apple implemented the new scheme in a way that allows tracking across websites based on the unique client_id.

Now users in the EU can use Brave to safely install alternative marketplaces. We would like to thank Brave for considering our advice about potential .

Screenshot of Brave settings. Trackers & Ads Blocking is set to Standard.
Screenshot of the POST request sent by MarketplaceKit. It shows the client_ID sent in the body of the request to the alternative marketplace backend

mysk, to iOS

The keyboard text replacement entries or shortcuts in #iOS and macOS are synced with iCloud. The data is not end-to-end encrypted and there is no option to turn the syncing off.

Consider reviewing your shortcuts and delete the ones you deem sensitive. We asked Apple about how users can exclude this data from being synced with #Apple servers in January. We haven't received a response yet. Remember that Apple is obliged to hand this data to law enforcement given a court order.
#privacy #infosec

mysk,

May 3, Threads just got updated. It still sends the device's system uptime off-device:

#Privacy #InfoSec #iOS #Apple

mysk, to random

Just skipped Setapp free trial and started a paid subscription. We'll support all alternative marketplaces. We're lucky that half of our team is located in the EU so we have the chance to experience alternative app stores on the iPhone.