Introducing Loupe, our latest privacy app for iOS. Discover what apps can learn about you just by reading data your iPhone already exposes, such as your languages, installed apps, device sensors, and much, much more.

Loupe is free, private, and open source. Give it a try 👇

https://apps.apple.com/app/id6766152470

Link to source code:

https://github.com/mysk-research/loupe

#iOS #privacy #infosec #security #cybersecurity

Who can beat this:
@mysk It increments when iCloud syncs the pasteboard, I guess
@mysk why is it relevant to apps how many times something was cut or copied to the clipboard since the device was set up? What is a legit use case?
@ozu It seems to be an ancient public API. Perhaps it signals to apps that the content of the clipboard has changed without retrieving the content of the clipboard to inspect it.
@mysk Those are rookie numbers
@computerywar @mysk That’s enough copying to make an LLM envious.
Michael Jackson - Beat It (Official 4K Video)
@mysk Nice! This looks awesome.
@zak Thank you. We hope it will help raise awareness about what native apps can do under the hood. Appreciate your comment!
@mysk That’s a scary amount of data with each permission, way more than I expected. Thanks for shining a light on this.
@edmn Thanks a lot. Really appreciate sharing this with us. ✌️
@mysk nice work, thank you for the effort!
@songbird Thank you. Glad you found it helpful!
@mysk That “Volume Created Timestamp” is a really nasty one! Along with listing other installed apps… 😞
@endareth Yes! This is why we created Loupe. Users need to be informed.
@endareth @mysk Volume creation date doesn't seem to have any legitimate use either.
@BucciaBuccia @mysk Pretty sure it’s just legacy that got forgotten. Hanlon’s razor at work.

@mysk

nice one! Now the next step, an App to randomize the output 😉.

@mysk, actually thought that this was turned off on iPhone. 😕
@elefant_peter If Loupe shows it, then any other app knows it 😉
@elefant_peter @mysk Other apps cannot get a list of all installed apps, but there are simple ways to check for specific apps. You can just ask the device if it supports a specific URL scheme for instance (whatsapp:// or sgnl://).
@dhn @elefant_peter Yes, you need to probe the apps one by one. But thanks to Twitter, which abused this some time ago, Apple has restricted apps to probing only 50 apps. The 50 apps must be declared in the Info.plist of the iOS submission. So, Loupe can only probe 50 apps. But as you see, they're enough to develop some trends.
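
The exchange above says the schemes an app may probe must be declared in its Info.plist. As an added example (not part of the thread and not Loupe's code), this sketch lets a reviewer list what an app declares under `LSApplicationQueriesSchemes`; the sample plist, the bundle ID and the `examplebank` scheme are constructed, and the limit of 50 is the figure given in the thread.

```python
import plistlib

QUERY_KEY = "LSApplicationQueriesSchemes"  # Info.plist key listing probe-able schemes
PROBE_LIMIT = 50  # per-app limit as stated in the thread above

# Constructed sample Info.plist for a hypothetical app (not taken from any real app).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.flashlight</string>
  <key>LSApplicationQueriesSchemes</key>
  <array>
    <string>whatsapp</string>
    <string>sgnl</string>
    <string>WhatsApp</string>
    <string>examplebank</string>
  </array>
</dict>
</plist>"""


def audit_query_schemes(plist_bytes, watchlist=()):
    """Report which URL schemes an app declares it may probe for."""
    info = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    raw = info.get(QUERY_KEY, [])
    if not isinstance(raw, list):
        raise ValueError(f"{QUERY_KEY} must be an array")
    # URL schemes are case-insensitive: normalise, drop duplicates, keep order.
    schemes = list(dict.fromkeys(s.strip().lower() for s in raw if isinstance(s, str)))
    watched = {w.lower() for w in watchlist}
    return {
        "bundle_id": info.get("CFBundleIdentifier", "<unknown>"),
        "schemes": schemes,
        "declared": len(raw),
        "over_limit": len(schemes) > PROBE_LIMIT,
        "watched": [s for s in schemes if s in watched],
    }


if __name__ == "__main__":
    report = audit_query_schemes(SAMPLE_INFO_PLIST, watchlist=("sgnl", "whatsapp"))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The `watchlist` argument is a reviewer-supplied set of schemes whose presence in an unrelated app (here, a flashlight) would deserve a question.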

@mysk just got it! Loved testing it! Congrats!

Btw is Psylo coming to Mac?

@ashah Thank you 🙏 Yes, both Psylo and Loupe are coming to the Mac. We are trying to roll them out as soon as possible
@mysk Change the game. I LOOOOVE Psylo
@ashah This makes us really happy. Thank you!
@mysk @ashah I’m assuming Loupe on Mac is a bloodbath. Would like to know if it is different for Mac App Store apps though
@mysk great! I knew most of that but seeing it so condensed… wow. 😱 Will send a link to your app to friends and family. Maybe that opens eyes… maybe… 🤔
@mysk interestingly, if I _search_ for Loupe in the app store, it doesn't show up in search results, although the name is offered as a search suggestion. I can visit the app store link directly and get it, though. (This might be something to do with it being new, or me being in the UK, or some similar reason; I do not want to jump to conspiracy thinking.)
@sil @mysk I had to use the direct link shared by Mysk to find it. The App Store did NOT want to show it to me. Funny that.
@moelassus @sil It shows up on the Canadian and German AppStore very normally 🤔
@moelassus @sil Hey, are you still unable to find Loupe in the UK App Store?

@mysk @moelassus it is now there when I search, although there’s no data about it: see screenshot.

(I don’t know whether it shows up because I have it installed or because the search finds it now)

@sil @moelassus Yes, that's because you have it. Thanks a lot for confirming it.
@mysk @sil If I search for Loupe, I don’t see it at all in a long list of magnifier apps. If I spell out the complete app title, it does appear.
@moelassus @sil This is expected. The term "Loupe" is too generic. Thanks a lot for testing.
@mysk I mean who needs App Tracking when this mountain of uniquely identifying data is freely available.

@mysk
Apple Account >> iCloud token hash

Is it something a privacy-oriented app developer can use? If it’s unique to me, then the app developer does not need my email or phone, yet I still have a personal account. So I can keep my Venustokens without the Venus developer storing anything private about me in a db, thus spammers can’t get my info when the Venus app developer gets hacked.

Guess I’m saying a unique identifier could be useful and increase privacy.

Also, Venustokens are gonna be fire.

@kevinashworth But if you disable iCloud Drive or sign out of your Apple account, this API won't return any token or ID
@mysk Thanks, a very important project aimed at raising awareness! Do you happen to know if there’s anything similar available for Android?

@pheraph Thank you. We're not very active in the Android space, but a follower shared this project with us. We haven't had the time to explore it thoroughly:

https://github.com/trustdecision/trustdevice-android


@mysk Good enlightening approach. Thanks a lot for that.

But doesn't this question what should/could be specifically advised to the user? What can he do?

@steinsuppe Thank you. First we raise awareness about this and it's up to the user what to do next. Perhaps shifting to the web and PWAs for some apps is a good start.
@mysk nice, the clipboard stuff really made me think «but why?»
@mysk Thanks! I knew it was a lot, so I am not as surprised as others, but it is good to see it in full detail.
@mysk That’s pretty apocalyptic. I truly hope that my local tracker blocker is zapping most of the attempts to extract the data :-(

@mysk

"Loupe is an iOS and iPadOS app that gives you a hands-on tour of the device fingerprinting surface. It reads real values from public iOS APIs, the same ones any third-party app can call, and shows them to you raw. The point is simple: see what your iPhone quietly exposes, and why each reading helps an app recognize you again."

So your "app" reads all that off *my* phone, and I'm supposed to be thrilled about this?

I remain astonished at the number of people on #Mastodon who seem to think that having an unknown, third-party app read all the data like this off their iOS devices is a good idea

"Oh! But it's #OpenSource"

and

"...the same ones any third-party app can call"

Read:

"Anybody can do this, why shouldn't we?"

Yeah

So everybody performs a source-code audit before installing your "app"?

Yeah, fer sure...

ahahahahaha...

Yeah

Right

@FinchHaven Agree with your argument except that it is an "unknown" app. Loupe is new. This is true. But we, the developers of Loupe, are known and we constantly publish blogs and privacy research to raise awareness about privacy. Although Apple doesn't provide mechanisms to create reproducible builds to verify that the source code matches the published binaries, security researchers can still analyze the app and check if it sends any data off the device. We're committed to privacy.

@mysk @doktrock

There is also that website that plainly tells you what you have revealed by merely visiting.

Including all the cookie crumbs and sticktites you’ve been walking through.

@Chancerubbage @doktrock A private browser can neutralize it.