@mysk@mastodon.social
mysk

We're two #iOS developers and occasional #security researchers on two continents. #CyberSecurity 🇨🇦🇩🇪

mysk, to iOS

This screenshot shows the app analytics data sent by two different apps: Duolingo and Tinder. What's the likelihood that both apps are installed on the same device? 💯? 🤯

Both apps use Unity Ads. The data in the screenshot is collected by the Unity Ads framework included in these two apps, and any app that uses Unity Ads. The data is sent to the same Unity server. As a result, Unity Ads can easily fingerprint users and track them across different apps.

mysk, to iOS

🎬 Finally, iOS treats all browsers equally when it comes to PWAs. Previously, only Safari was able to install and run PWA apps. With iOS 17.4 beta in the EU, no browser can install PWA apps, even Safari. It seems PWAs have been disabled entirely.

Oh yes, when you set a third-party browser as the default browser and then you delete it, iOS sets Safari as the default browser.
Watch this:

https://youtu.be/AST12aDGf0Q

mysk, to random

Fun announcement for our longtime followers:

We've brought back TextCrafter from the dead!

Our plain and simple notes app is now available again after a long hiatus for just 99 cents (no subscriptions, no fuss!)

It's the same classic app that we last updated in 2016 (The world has only changed a tiny bit since then, eh?). We fixed a few glitches here and there and brought it up to speed to work with the latest versions of iOS, iPadOS, and watchOS.

https://apps.apple.com/app/textcrafter-2-craft-share-text/id394912961

mysk, to privacy

Security Tip: If you use a VPN to hide your real IP address from an app, say TikTok, make sure the VPN connection is configured to use the "Always on" option. Because if you receive a push notification from TikTok while the VPN is off, your IP will leak.
More here: 👇

https://mastodon.social/@mysk/111816751385137545

mysk, to privacy

🚨🎬 Privacy Concerns about Apple Push Notifications

TL;DR: data-hungry apps use push notifications as a trigger to send app analytics and device information to their remote servers, even if the apps aren't running at all on your iPhone. Such apps include TikTok, Facebook, FB Messenger, Instagram, Threads, X, and many more.

Watch this video to see it in action:
https://youtu.be/4ZPTjGG9t7s

🧵 1/9

mysk,

2/9
iOS apps don't have the luxury of running in the background. For reasons mostly related to privacy and performance, iOS suspends and eventually terminates any app that is not active. This is how iOS is designed. But starting in iOS 10, iOS added a new feature that allows apps to customize their push notifications even if they are not running.
.. 🧵

mysk,

3/9
When an app receives a push notification, iOS wakes the app in the background and allows it a limited time to customize the notification before it is presented to the user. This is very helpful for apps to perform tasks related to the notification such as decrypting the notification payload or downloading additional content to further enrich the notification before iOS presents it to the user. And as soon as the app finishes customizing the notification, iOS terminates it.
.. 🧵

mysk,

4/9
The ability to execute tasks in the background is a gold mine for data-hungry apps. Unsurprisingly, many social apps notorious for their aggressive data harvesting practices are taking advantage of the background execution time enabled by push notifications.
In fact, developers can harness this workaround to run code in the background on demand.
.. 🧵

mysk,

5/9
All they have to do is send push notifications to their users. As a result, iOS would wake their app in the background on every device, then the app runs whatever code the developer has built into the app.

According to Apple documentation, the intended purpose of waking an app in the background is all about allowing the app the chance to customize its notifications.
.. 🧵

mysk,

6/9

However, many apps are using this feature as an opportunity to send detailed device information while running quietly in the background.

This includes: system uptime, locale, keyboard language, available memory, battery status, device model, display brightness, to mention a few. Such signals are commonly used for fingerprinting and tracking users across different apps developed by different developers. Fingerprinting is strictly prohibited on iOS and iPadOS.
.. 🧵

mysk,

7/9
Our tests show that this practice is more common than we expected. The frequency at which many apps send device information after being triggered by a notification is mind-blowing. Some apps, like Facebook and TikTok, also send data when clearing their notifications in Notification Center.

As far as data handling is concerned, apps take different approaches to send and store the data.
.. 🧵

mysk, to privacy

App sideloading can open the door for invasive apps. But the App Store app itself has become one of these apps.
Every iPhone user is invited to do the following:

  • Open https://privacy.apple.com
  • Sign in and request a copy of your data
  • When you get the data, open the file highlighted in the screenshot.
    Skim through the activities that the App Store app has collected about you. Worse, you can't disable this massive data harvesting. Is this ok?

mysk, to privacy

Just detected a call made by my iPhone seemingly sending my iOS keyboard data to an iCloud server. The domain name icloud-content[.]com is owned by Apple but not the one normally used for syncing iCloud data. The 316 KB of keyboard data is marked as "UserWords"

The data is encrypted and I couldn't get a clue of its content. The only keyboard data that is synced via iCloud is the text replacement dictionary.....

... 1/2

On-device suggestions

When you ask Siri to read or search for information on your device, such as in Messages and Notes, and when Siri provides suggestions, like through widgets and Siri Search, all your personal information is kept on your device rather than being sent to Apple servers. Siri Suggestions in the QuickType keyboard are made possible by an Apple-developed neural network language process that also runs directly on your device.

mysk,

2/2

...But there's only one entry on the iPhone that sent this data, it can't make 316 KB.
Apple promises that the processing of keyboard suggestions takes place on-device. So what's the content of this data? Regardless of whether the data is end-to-end encrypted or server-side encrypted, is there a way to turn this off?

(x-apple-mme-owner is actually the iCloud ID)

mysk,

iCloud syncs QuickType Keyboard learned vocabulary across devices. The data is end-to-end encrypted. There doesn't seem to be an option to disable it. If you find a way to disable it, share it with us.

It is worth noting that the Text Replacement dictionary is synced without end-to-end encryption. Because when you request a copy of your data, you'll find the dictionary.

This Apple support document explains it:

https://support.apple.com/en-us/102651

mysk, to iOS

🎬: X for iOS has an option to disable sending crash reports. Well, it is useless. The app continues to send crash reports even if you opt out. The Nutrition Label of X says that diagnostics are linked to you.

https://youtu.be/bka29DsZx7E

mysk, to iPhone

🚨🎬 🧵 1/4
Here is what happens when you insert an unlocked SIM card into a locked iPhone:

  • The iPhone accepts the SIM card and connects to the internet 😳
  • Apple immediately adds the phone number of the SIM card to the Apple ID of the iPhone owner 😲
  • accepts the new phone number as a username to sign in with the Apple ID of the iPhone owner 😱
  • iOS activates the new phone number for iMessage 🤯

The video:

https://youtu.be/ln-8KnwtdSw

mysk,

…🧵 2/4
All this happens immediately while the iPhone is still locked and without the owner performing any action. When unlocking the iPhone, iOS doesn't show any notification to the user indicating that the SIM card has been changed.
Thankfully the new number isn't added as a trusted number to the Apple ID -- for receiving two-factor codes.
We couldn't stage an attack to exploit this behavior. But just because we couldn't, that doesn't mean the behavior is safe.

mysk,

…🧵 3/4
An attacker with a stolen iPhone shouldn't be able to perform these actions. We reported this issue to Apple in October, 2023. Apple Product Security Team couldn't reproduce the behavior despite our assistance. Reproducing the behavior is straightforward. We have been able to reproduce the behavior reliably during our tests. We tested multiple Apple IDs and used multiple iPhones running iOS 17, including iOS 17.2. The behavior is also reproducible in the Lockdown Mode.

mysk,

…🧵 4/4

We think an iPhone should not accept any SIM card inserted while locked. Moreover, iOS should notify the user if a new SIM card is detected after unlocking the iPhone.

Thanks a lot for reading this. Let us know what you think in the comments. And follow us for more content like this.

mysk, to privacy

We relocated to this instance. ✌️
Hopefully, all followers and following accounts are restored and no one is left behind.

Also, a new video is going to drop soon. 😎