Announcement: we are working on a new #privacy app for iOS that raises awareness about which device signals and data a native app can see once installed on the iPhone even without requesting any permission. The app is going to be free and open-source.
#Apple #iOS #infosec
For example, there's an API that returns a global counter which increments every time you copy something to the clipboard in any app. In this early prototype, the count is 1349. All installed apps can silently read this value and potentially abuse it for fingerprinting.

Yes, every app installed on your iPhone can see your local IP address if you're connected to Wi-Fi. No permission is required for this and a VPN cannot prevent it.

Knowing the local IP address could for example allow an app to infer if you’re at home or visiting a friend if the two networks use different subnet values (e.g. 192.168.x.x and 10.0.x.x).

#privacy #infosec

🤯 Every app installed on the iPhone can read the iPhone's storage volume creation timestamp (down to the second). No permission required. This value remains the same until the volume is erased. Yikes!!
The UUID seems to be the same for all devices.
So, every installed app can see your device's local IPs (Wi‑Fi, cellular SIM, VPN). A VPN doesn't prevent that. I tested iVPN, Mullvad VPN, and Proton VPN. I tried several options such as blocking LAN traffic. Nothing worked to hide the IPs🤷‍♂️
@mysk Huh, maybe I missed something, but why are you censoring the creation timestamp? And not doing the same to the UUID if needed?
@mysk Great :) what will be the name of the app? 🤔
@nemo This is the toughest part of the project 😂

@mysk Hahaha xD oh… oops 😅 🤣 🙏 maybe along the lines of Little Snitch or Snoop Snitch. Something like Privacy Rat or something xD idk

In the animal kingdom, some birds or other animals shout to alert others to predators — maybe something along those lines. 🤔
The behavior is called an alarm call (or more broadly, alarm signalling); when individuals watch for predators and warn the group, it's also called sentinel behaviour. 1/2

@mysk 2/2

Examples of birds that do this include the black-capped chickadee (its calls encode predator size), various jays and magpies, and many social species like swifts and starlings.

Or maybe lighthouse 🤔

@mysk thank you for this

I know for example that the device accelerometer is accessible.
That means that the app can log this data and know if I’m on a desk, standing up, using my phone in movement, etc.
I don’t know why Apple didn’t make a portal for this yet.

In fact only an orientation API is required…

@Atom0 Exactly, the app will cover all these signals and present them to the user in a nice and informative way.

@mysk @Atom0

Shouldn’t there be a catalogue somewhere by Apple that tells what data iPhones provide to developers without explicit user consent?
I mean, one would think for end user transparency’s sake, but also devs kinda need to know to actually utilize it, right?

Great idea btw!

@mysk is the number associated with the phone's SIM accessible to any app?
@knirirr You mean the phone's number? I think there was a way to obtain the phone number, but Apple closed that API a long time ago. It's no longer possible. Apps can't read the phone number.
@mysk thanks. Good news, if so.
@mysk Please also call out the fact that apps can query which accessibility features are enabled on an iOS device, such as VoiceOver. Not only can this be used for fingerprinting, but it can also be used to make good guesses on which physical disabilities / impairments a user might have.
@robin This is already covered 😎