mysk

@mysk@defcon.social

We're two #iOS developers and occasional #security researchers on two continents. #CyberSecurity 🇨🇦🇩🇪


mysk, to privacy

Here's why you should start sharing screenshots instead of links when sharing tweets:
- Tweets can no longer be viewed anonymously
- Twitter links contain tracking tags
- You use up users' reading limits
- Link previews work randomly
- Embeds might be blocked

mysk, to random

RIP

mysk, to iOS

iOS Developers will need to apply for access to required reason APIs. These are the APIs that can be used for fingerprinting users across apps. This is what it means when an app is denied access to them:
(Snippet taken from MS Authenticator usage data)


mysk, to privacy

At Apple announced that all third-party SDKs are required to specify how they handle user data in a manifest file named PrivacyInfo.xcprivacy. This will be mandatory by Spring 2024. At the moment, only one GitHub project has added this file.

mysk, to privacy

These properties have long been used to fingerprint users. Starting with iOS 17, developers must specify why they need to access them before they are made available to their apps. This will be part of the App Review starting in Spring 2024.

mysk, to privacy

"Send Me Location"

Just like Meta apps, the first thing they ask about is "location"

mysk, to random

BREAKING: The App Store has taken down the scam #2FA app that steals secrets.

We warned about this app four months ago. This wouldn't have happened without your support to spread the word. Thank you! 🙏🙏✌️

https://defcon.social/@mysk/110573066626397762

mysk, to random

Here we have the same post on both Twitter and Mastodon. The interactions of the post on Mastodon by far exceed the numbers on Twitter 🤯
(Twitter, 11K followers) (Mastodon, 1.5K followers)

Interactions with the post on Mastodon:
- 1,061 boosts
- 444 favorites
- 36 replies

Link to the post: https://defcon.social/@mysk/110573066626397762

mysk, (edited ) to privacy

The rogue 2FA app that steals scanned secrets is now ranked 18 on the German App Store for the productivity category. No wonder! The app disguises itself as a Microsoft app. It is the top hit when you search for "Microsoft Authenticator", and the developer has updated the screenshots in the ad card to highlight the word "Microsoft". Surprisingly, the product page of the app shows different screenshots with the word "Microsoft" removed.
The app now has 1.2K reviews, as opposed to 18 when we first addressed the app.

🙏 Boosting this post will help spread the word. Thank you!

mysk, to random

Other EU rules you might like:

  • The right to request a copy of your data
  • Allowing 3rd-party app stores and app sideloading
  • Adoption of USB Type-C

https://mastodon.online/@9to5Mac/110572317947839975

mysk, to random

🎬 There is a new option in macOS Sonoma that lets you show desktop items by simply clicking anywhere on the desktop wallpaper. 👍


Demo: 👇


mysk, to macos

🎬 Safari in 14 / 17 removes tracking added to URLs in private browsing. The feature didn't support Twitter links when we tested it earlier. Now it does (unclear if updated it remotely or Safari learned that through its model).

In this demo, Safari opens a Twitter link with tracking added to it in this parameter:
t=rpDAfXAHMthyq-L5hTMOIA

Safari identifies and removes the tracking parameter before opening the link. This is shown by copying the link after the website is loaded and pasting it to see that the tracking parameter has been removed from the original link 👍👍🙏
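The stripping step shown in the demo above, as an added illustration that is not Safari's code and does not reproduce Apple's unpublished parameter list: a small Python function that removes a constructed denylist of tracking parameters from a URL, using the `t=` value quoted in the post as its sample input. The host names, the parameter names beyond `t`, and the placeholder status URL are assumptions made for this example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed denylist for this example. It is NOT Safari's list (Apple has not
# published one); it is the kind of list a defender might keep in a
# link-sanitising tool or outbound proxy.
GENERIC_TRACKING_PARAMS = {"fbclid", "gclid"}
GENERIC_TRACKING_PREFIXES = ("utm_",)
# Host-specific parameters. Twitter share links append "t" (the parameter shown
# in the post above); "s" is listed alongside it as an assumption.
HOST_TRACKING_PARAMS = {
    "twitter.com": {"t", "s"},
    "x.com": {"t", "s"},
}


def _host_key(hostname):
    """Map 'www.twitter.com' / 'TWITTER.com' onto the configured key 'twitter.com'."""
    host = (hostname or "").lower()
    for known in HOST_TRACKING_PARAMS:
        if host == known or host.endswith("." + known):
            return known
    return None


def _is_tracking(host_key, name):
    """True if the parameter name is on the generic list, or on the list for this host."""
    lname = name.lower()
    if lname in GENERIC_TRACKING_PARAMS or lname.startswith(GENERIC_TRACKING_PREFIXES):
        return True
    return host_key is not None and lname in HOST_TRACKING_PARAMS[host_key]


def split_tracking_params(url):
    """Return (clean_url, removed_parameter_names).

    Only the query string is touched: scheme, host, path and fragment are
    preserved, surviving parameters keep their original order, and a query that
    becomes empty is dropped entirely (no dangling '?').
    """
    parts = urlsplit(url)
    host_key = _host_key(parts.hostname)
    kept, removed = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if _is_tracking(host_key, name):
            removed.append(name)
        else:
            kept.append((name, value))
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))
    return clean, removed


def strip_tracking_params(url):
    """Convenience wrapper that returns only the cleaned URL."""
    return split_tracking_params(url)[0]


if __name__ == "__main__":
    # Constructed sample: a Twitter status link carrying the tracking value
    # quoted in the post. The status id 1234567890 is a placeholder.
    sample = "https://twitter.com/example/status/1234567890?t=rpDAfXAHMthyq-L5hTMOIA&s=19"
    clean, removed = split_tracking_params(sample)
    print("before: ", sample)
    print("after:  ", clean)
    print("removed:", removed)
```

Scoping `t` to the Twitter hosts matters: on an unrelated site a `t` parameter may be functional (a timestamp, a token), and stripping it would break the link, which is the over-blocking risk any such sanitiser has to weigh against the tracking it removes.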

mysk, to privacy

And when it comes to reporting issues, the Facebook team is the worst to deal with as a researcher. It's close to impossible to convince them that they shouldn't collect the data they harvest. Worse, when you publish the findings, they ask YouTube to take it down!

A meme video about how Facebook treats reports of privacy issues

mysk, to reddit

During our research about how different platforms and apps generate link previews, we discovered a vulnerability in and reached out to their security team. They were quick and cooperative. They treated our work very fairly. One caveat though, they don't allow disclosure of security bugs even after fixing them.

If you're curious how link previews get generated in chats and direct messages, check out our article:

https://www.mysk.blog/2020/10/25/link-previews/

mysk, to apple

Craig Federighi: "The data that's interesting to train these [AI] models is data that is publicly available data, not personal data. We do not need your personal data to make our systems smart. And when we need to get specific data for a specific person, we're not doing that by spying on people we're gonna go out and get it the right way."

Such public statements about respecting users privacy are the reason why is facing 21 class action lawsuits for collecting exhaustive usage data in the App Store app and linking it to the user's identity without providing an option to opt out.

Transcript: No, uh, not at all. I mean, just not at all. If, if you look at everything, uh, that is being done now, it's, it's become less and less the case over time, not more and more, that the data that's interesting to train these models is data that is publicly available data, not personal data, right? We do not need your personal data to make our system smart. And when we need to get specific data for a specific person, hand tracking data, eye tracking data, we're not doing that by spying on people. We're, you know, we're gonna go out and get it the right way. Um, and we can do that. You, you know, being, respecting users' privacy takes thinking about it carefully, doing great engineering and design up front, but it doesn't stop you from building a great experience. And so that's speaking. Privacy is a fundamental human right.

mysk, to random

iPadOS has evolved a lot. Sadly, it doesn't offer multi-user support yet.

mysk, to random

There's a new privacy feature in iOS/iPadOS 17 that detects nude photos and videos before they are viewed. Sensitive Content Warning seems to be available to third-party apps, but developers need to add support for it.

mysk, to apple

A last-minute request:

Bulk deletion of contacts

mysk, to infosec

Testing shows that if you block an iCloud account in iMessage, the account can still annoy you by sharing their location with you. Even though the account is blocked, you'll get a FindMy notification and the blocked account is immediately added to your FindMy list and you're one touch away from sharing your location with this blocked contact.
Note that the redacted text in the screenshots can be an email address tied to the sender's iCloud account. If the attacker uses an email familiar to you such as your.friendName@something, you might mistakenly share your location.
Cher Scarlett reported this issue to Apple and got the "it's not an issue" response.

https://twitter.com/cher0x801/status/1665497377032007686

Do you agree with Apple Product Security team?

FindMy notification prompting the user to share their location with a blocked account
The blocked account is immediately added to the user's FindMy list and a prompt to share location is shown.

mysk, to random

should stop apps from harvesting contact details when they have access to contacts and calendars.

This video shows the data that LinkedIn syncs when it has access to contacts and calendars. 🤯

https://youtu.be/NGIfV5ufX14

mysk, to random

"Over a month of standby"
This is how Apple used to market the iPad's battery. Today, the iPad runs several background processes while in standby. My HomeKit experiment clearly shows that. I achieved 20 days of standby on my iPad Pro. Without disabling Home, the battery would have died after a week.

Steve Jobs on stage introducing facts about the iPad 2 battery. The presentation slide says that the battery has 10 hour battery life and "over a month of standby"
