mysk

@mysk@defcon.social

We're two #iOS developers and occasional #security researchers on two continents. #CyberSecurity 🇨🇦🇩🇪


mysk, to random

RIP

mysk, to privacy

Here's why you should start sharing screenshots instead of links when sharing tweets:
-Tweets can no longer be viewed anonymously
-Twitter links contain tracking tags
-You use up users' reading limits
-Link previews work randomly
-Embeds might be blocked
#privacy #TwitterLimit #Infosec

mysk,

@danish @christianselig Yes, I think you should get them all no matter which price you pick.

mysk,

@danish @christianselig I'm not gonna disclose it 😉

mysk,

@danish @christianselig Now you have spaceman ✌️

mysk, to iOS

iOS Developers will need to apply for access to required reason APIs. These are the APIs that can be used for fingerprinting #iOS users across apps. This is what it means when an app is denied access to them:
(Snippet taken from MS Authenticator usage data)

#privacy #Apple #iOS17


mysk,

@matthew The exact list of APIs hasn't been released yet. Xcode 15 shows the list of categories that require a reason. I roughly mapped them to underlying API to illustrate the difference.
The categories are listed here:

mysk, to Instagram

The name of #Instagram’s upcoming #Twitter competitor seems to be "Threads." Instagram's associated domains file lists an iOS app with the ID: MH9GU9K5PX.com.burbn.threads

This file lets #iOS associate an app with its developer's website.

Link:
instagram.com/.well-known/apple-app-site-association
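The post above reads an app ID out of an apple-app-site-association (AASA) file by hand. The script below is an added example (not the poster's code) that does the same thing programmatically: it walks a constructed sample AASA document, collects every app ID under the keys Apple uses for them (`appID`, `appIDs`, `apps`), splits each into team ID and bundle ID, and reports which services (applinks, webcredentials) reference it. The sample document, its paths and the second app ID `MH9GU9K5PX.com.example.otherapp` are constructed for illustration; only `MH9GU9K5PX.com.burbn.threads` comes from the post.

```python
"""List the apps an apple-app-site-association (AASA) file associates with a domain.

Added example, not from the original post. SAMPLE_AASA is a constructed document
modelled on the AASA structure; a real file is served from
https://<domain>/.well-known/apple-app-site-association
"""
import json

# Constructed sample. The Threads app ID is the one quoted in the post; the
# "otherapp" entry is made up to show several apps under one team ID.
SAMPLE_AASA = """
{
  "applinks": {
    "apps": [],
    "details": [
      {"appID": "MH9GU9K5PX.com.example.otherapp", "paths": ["/p/*"]},
      {"appIDs": ["MH9GU9K5PX.com.burbn.threads"], "components": [{"/": "/t/*"}]}
    ]
  },
  "webcredentials": {
    "apps": ["MH9GU9K5PX.com.burbn.threads"]
  }
}
"""


def _collect(node, found):
    """Recursively gather app ID strings found under the keys AASA uses for them."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "appID" and isinstance(value, str):
                found.add(value)
            elif key in ("appIDs", "apps") and isinstance(value, list):
                found.update(v for v in value if isinstance(v, str))
            else:
                _collect(value, found)
    elif isinstance(node, list):
        for item in node:
            _collect(item, found)


def app_ids(aasa_text):
    """Return the sorted app IDs (TEAMID.bundle.id) declared anywhere in the file."""
    found = set()
    _collect(json.loads(aasa_text), found)
    return sorted(found)


def split_app_id(app_id):
    """Split 'TEAMID.bundle.id' into (team_id, bundle_id).

    The team ID never contains a dot, so the first dot is the boundary.
    """
    team, _, bundle = app_id.partition(".")
    return team, bundle


def services_for(aasa_text, app_id):
    """Return the top-level AASA services (applinks, webcredentials, ...) that name app_id."""
    doc = json.loads(aasa_text)
    result = []
    for service, body in doc.items():
        found = set()
        _collect(body, found)
        if app_id in found:
            result.append(service)
    return sorted(result)


if __name__ == "__main__":
    for app in app_ids(SAMPLE_AASA):
        team, bundle = split_app_id(app)
        print(f"{bundle:32} team={team} services={services_for(SAMPLE_AASA, app)}")
```

Pointing `SAMPLE_AASA` at the text of a fetched file gives the same listing for any domain; the team ID half of each entry is what ties the apps to a single developer account.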

mysk, to privacy

At #WWDC23 Apple announced that all third-party SDKs are required to specify how they handle user data in a manifest file named PrivacyInfo.xcprivacy. This will be mandatory by Spring 2024. At the moment, only one GitHub project has added this file.

#Privacy #iOS #Apple

mysk,

@runarcn In this case it means third-party libraries that developers include in their apps

mysk, to privacy

iOS 17 will require developers to state why their apps need access to information such as device language, time zone, and active keyboards to stop fingerprinting. Yet, access to the motion sensors is still unrestricted. Here's why Apple should change that:
#privacy #apple #ios #infosec #cybersecurity
https://www.mysk.blog/2021/10/24/accelerometer-ios/

mysk, to privacy

These properties have long been used to fingerprint users. Starting iOS 17, developers must specify why they need to access them before they are made available to their apps. This will be part of the App Review starting in Spring 2024
#Privacy #iOS17

mysk,

@fuomag9 The documentation is very minimal at this point. NSUserDefaults is part of the app sandbox. No idea how this can be used or abused to fingerprint users across apps!
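Two of the posts above concern the same file: the PrivacyInfo.xcprivacy manifest that third-party SDKs must ship, and the reasons apps must declare for required reason APIs such as active keyboards. The script below is an added example (not the poster's code, and not an Apple tool) that builds such a manifest with `plistlib` and runs a few sanity checks over it. The top-level keys (`NSPrivacyAccessedAPITypes`, `NSPrivacyAccessedAPIType`, `NSPrivacyAccessedAPITypeReasons`) are the ones Apple documents for the manifest; the category-to-reason table in `ALLOWED_REASONS` is an assumed illustrative subset, not Apple's complete list, and `find_manifests` is a helper of my own for auditing a checkout.

```python
"""Build and sanity-check a PrivacyInfo.xcprivacy privacy manifest.

Added example, not from the original posts. ALLOWED_REASONS is an assumed
subset of required-reason API categories and accepted reason codes, kept
small for illustration; consult Apple's documentation for the full table.
"""
import os
import plistlib

# Assumed subset: category -> reason codes accepted for that category.
ALLOWED_REASONS = {
    "NSPrivacyAccessedAPICategoryUserDefaults": {"CA92.1"},
    "NSPrivacyAccessedAPICategoryActiveKeyboards": {"3EC4.1"},
    "NSPrivacyAccessedAPICategorySystemBootTime": {"35F9.1"},
}


def build_manifest(accessed):
    """accessed: {category: [reason codes]} -> XML plist bytes for PrivacyInfo.xcprivacy."""
    manifest = {
        "NSPrivacyTracking": False,
        "NSPrivacyTrackingDomains": [],
        "NSPrivacyCollectedDataTypes": [],
        "NSPrivacyAccessedAPITypes": [
            {
                "NSPrivacyAccessedAPIType": category,
                "NSPrivacyAccessedAPITypeReasons": list(reasons),
            }
            for category, reasons in accessed.items()
        ],
    }
    return plistlib.dumps(manifest, fmt=plistlib.FMT_XML)


def validate_manifest(data):
    """Return a list of problems; an empty list means the manifest passed these checks."""
    problems = []
    try:
        manifest = plistlib.loads(data)
    except Exception as exc:  # plistlib raises InvalidFileException / ExpatError
        return [f"not a valid plist: {exc}"]
    entries = manifest.get("NSPrivacyAccessedAPITypes")
    if not isinstance(entries, list):
        return ["missing NSPrivacyAccessedAPITypes array"]
    for entry in entries:
        category = entry.get("NSPrivacyAccessedAPIType")
        reasons = entry.get("NSPrivacyAccessedAPITypeReasons", [])
        if category not in ALLOWED_REASONS:
            problems.append(f"unknown or unlisted category {category!r}")
            continue
        if not reasons:
            problems.append(f"{category}: no reason declared")
        for reason in reasons:
            if reason not in ALLOWED_REASONS[category]:
                problems.append(f"{category}: reason {reason!r} is not accepted for this category")
    return problems


def find_manifests(root):
    """Walk a source tree and return every PrivacyInfo.xcprivacy path found (helper, assumed name)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "PrivacyInfo.xcprivacy" in files:
            hits.append(os.path.join(dirpath, "PrivacyInfo.xcprivacy"))
    return sorted(hits)


if __name__ == "__main__":
    good = build_manifest({"NSPrivacyAccessedAPICategoryUserDefaults": ["CA92.1"]})
    print(good.decode())
    print("problems:", validate_manifest(good))
    # A manifest that declares a reason code belonging to a different category.
    bad = build_manifest({"NSPrivacyAccessedAPICategoryActiveKeyboards": ["CA92.1"]})
    print("problems:", validate_manifest(bad))
```

Run `validate_manifest` over each file that `find_manifests` returns to see which SDKs in a checkout already ship a manifest and whether the reasons they declare match the categories they name.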

mysk, to apple

The first three search results on Google Play are ads whereas the first search result on the App Store is an ad. Either way good luck finding the app you're searching for.

Screenshot of searching for "authenticator app" on the App Store. The first search result is an ad

mysk, to privacy

"Send Me Location"

Just like Meta apps, the first thing they ask about is "location"

mysk, to random

BREAKING: The App Store has taken down the scam #2FA app that steals secrets.

We warned about this app four months ago. This wouldn't have happened without your support to spread the word. Thank you! 🙏🙏✌️

https://defcon.social/@mysk/110573066626397762

mysk,

And @GooglePlay seems to have taken down the version of the app. It's unclear if it is a coincidence or a coordinated act by and .

Awareness ✌️

mysk,

@fennix In the case of this app, Apple has suspended the developer account altogether. This means all running subscriptions will be canceled. If you delete the app, you won't be able to re-install it as you won't find the app in the store or in your purchased list. Never heard of alerts or anything like that. As per Google, I'm not familiar with their store.

mysk,

@fennix It would be great if they do, but I never heard of that.

mysk, to random

Here we have the same post on both Twitter and Mastodon. The interactions of the post on Mastodon by far exceed the numbers on Twitter 🤯
(Twitter, 11K followers) (Mastodon, 1.5K followers)

Interactions with the post on Mastodon: 1,061 boosts 444 favorites 36 replies Link to the post: https://defcon.social/@mysk/110573066626397762

mysk, (edited) to privacy

The rogue 2FA app that steals scanned secrets is now ranked 18 on the German App Store for the productivity category. No wonder! The app disguises as a Microsoft app. It is the top hit when you search for "Microsoft Authenticator" and the developer has updated the screenshots in the ad card to highlight the word "Microsoft". Surprisingly, the product page of the app shows different screenshots with the word "Microsoft" removed.
The app now has 1.2K reviews, as opposed to 18 when we first addressed the app.

🙏 Boosting this post will help spread the word. Thank you!

mysk,

Just tested the latest version and it still sends scanned secrets to the developer's remote server (Version 1.10.1). Meanwhile, the app has climbed to no. 13 on the German App Store 😳
