Microsoft Authenticator prompts the user to accept sharing analytics during the first launch. The prompt only dismisses when the user taps on "Accept." In fact, the app starts sending analytics even before accepting the privacy statement.🤦‍♂️

In this video, we downloaded the authenticator app from the App Store and we opened it as we monitored the iPhone network traffic. While the app was showing the permission prompt, we captured at least 3 calls made by the app sending diagnostics to Microsoft. The app sent 14 KB of analytics even before accepting the prompt.

The message on the prompt actually says that Microsoft needs to collect diagnostic data in order to keep Authenticator secure and up to date. 😵‍💫

#Privacy #Cybersecurity #2FA #InfoSec #Security #Microsoft

https://youtu.be/r5456XXG6v0

Privacy: Microsoft Authenticator sends analytics even before accepting the privacy statement

@mysk Thanks for sharing! That's why I prefer to use the open-source solution Aegis (https://getaegis.app/).
Aegis Authenticator

Aegis Authenticator is a free, secure and open source app for Android to manage your 2-step verification tokens for your online services.

@clebot
It only supports TOTP and not Microsoft's proprietary push protocol, which is mandated in some orgs…
@mysk
@Aissen @mysk Wow... Thanks for this important detail. It is indeed limiting. In this case, there is no real choice. However, you can still use several solutions to limit the data capture.