Mastodawn

Mysk🇨🇦🇩🇪

This is an example of what the App Store app shares with #Apple when you search for an app. Everything you type in the search field is recorded as an event and associated with your Apple ID before it is sent to Apple. When I search for "Google Authenticator," events are recorded as I type character by character. The leap between rows 78 and 79 is when I picked a suggestion. The timestamp of every event is recorded, i.e. Apple can calculate my typing speed 🙃.
#Privacy
#infosec #privacymatters

Mysk🇨🇦🇩🇪Nov 22, 2024

Data is sent to Apple in near real-time (the difference between the Event Time and the Post Time).

There is no way you can opt out of sending such app Analytics to Apple or request it be anonymous. Visit https://privacy.apple.com and request a copy of your data to learn what identifiable data Apple collects about you. ✌️

#Apple #Privacy #infosec #privacymatters

Data & Privacy

David Fleetwood - RG Admin Nov 24, 2024

@mysk It's quite the choice for a supposedly privacy focused option. The feature, namely being able to make realtime suggestions, could be accomplished entirely locally with a local cache of app names, but instead they choose to send everything without consent.

David Nov 22, 2024

@mysk Collecting data a user inputs into a form and never sends is evil, period. There is no excuse for it.

JJTech Nov 22, 2024

@freeagent @mysk I mean... "no excuse" is a little harsh, after all, this is a search box. Every modern search with autocomplete does this.

JJTech Nov 22, 2024

@freeagent @mysk for example, DuckDuckGo

Mysk🇨🇦🇩🇪Nov 22, 2024

@jjtech @freeagent
Apple Maps does the same, but it never associates the requests with the user's ID when sending the search requests, and never records them as app analytics. I answered here:

https://mastodon.social/@mysk/113527490874201110

Marek Nov 23, 2024

@jjtech @freeagent @mysk Is it not possible to deactivate this in DuckDuckGo?

Mysk🇨🇦🇩🇪Nov 22, 2024

@jjtech @freeagent Oh no, this is not the autocomplete requests you're looking at. This is the app analytics endpoint. The search query is sent to another endpoint. As you see in the screenshot shot, the "Post Time" of all the shown request is the same because they were sent as a batch to the analytics endpoint.

Gianmarco Gargiulo Nov 23, 2024

@mysk @jjtech @freeagent can you show that the requests are going to an analytics endpoint?

Mysk🇨🇦🇩🇪Nov 23, 2024

@gianmarcogg03 @jjtech @freeagent We showed this some time ago, but the data in the screenshot is obtained from Apple when you request a copy of your data.
This video shows the requests:

https://youtu.be/8JxvH80Rrcw?feature=shared

The App Store on your iPhone is watching your every move

YouTube

David Nov 22, 2024

@jjtech @mysk No, there is no excuse. Are you going to tell me that you've never mistakenly pasted data into a text box that you didn't intend to put there? People might put all sorts of sensitive information into text inputs that should definitely not be logged by a service. This could include passwords, PII, PHI, etc.

kgbvax Nov 22, 2024

@freeagent @mysk it is required for "suggestion/completion" behavior though.

David Nov 22, 2024

@kgbvax @mysk Yeah, which is why I turn that feature off if it's ever present. It seems Apple does not allow it to be turned off.

Ilias 🤓Nov 22, 2024

@mysk but but Apple is privacy right??

CyberFrog Nov 23, 2024

@mysk the worst part is that this isn't even surprising, it's standard practice, pretty much every app you download on your iPhone is also independently doing this for almost every search box you type into... most analytics SDKs have explicit examples doing exactly this, and Apple doesn't particularly care to do anything about this because it rocks the boat too much lol

Most websites record search inputs this way in their analytics too

Mysk🇨🇦🇩🇪Nov 23, 2024

@froge This is true, but none of the other apps or platforms has erected big billboards saying "iPhone, that's privacy." Moreover, if the user isn't happy about an app's practices, they can use an alternative. For the App Store, there's no alternative.

CaveDave Nov 23, 2024

@mysk makes me wonder what legal loopholes they're using to not get fucked over for false advertising tbh

Proxfox Virtual Environment 🦊Nov 23, 2024

so glad johnathandata1 made it over to mastodon

blobfoxheartcute

blobbee_flag_nb

@mysk that's to say, it has search suggestions?

Corb_The_Lesser Nov 26, 2024

@mysk The internet, of course, isn't magic. Info in a search query must be sent to Apple before it can respond. But... the query can be sent when the user taps a send icon, not character-by-character, and Apple could throw away the info as soon a response was sent.

Mysk🇨🇦🇩🇪Nov 26, 2024

@Corb_The_Lesser

https://mastodon.social/@mysk/113527490874201110

Tertle950 - Scrolling WMs da best Nov 26, 2024

@mysk What happens on your iPhone, stays on...our servers.

Vysogota Nov 27, 2024

@mysk not to mention they can make a model that guesses what you type from the timing between keystrokes... And I thought that vuln in openssh was overblown...// @Tanuki