
Apple security and privacy


Ric Ford

MacInTouch
Jefferson Graham writes for USA Today about the obscure procedures for retrieving Apple's dossier of personal data:
USA Today said:
Apple took 8 days to give me the data it had collected on me. It was eye opening.
I use an iPhone, iPad and two Mac computers, and Apple also offers data downloads in the privacy section of its website. It's hard to find, and once you do make the connection, you can expect a hefty wait to get the results.

But don't expect to stay up all night reading what Apple has on you.

The zip file I eventually received from Apple was tiny, only 9 megabytes, compared to 243 MB from Google and 881 MB from Facebook. And there's not much there, because Apple says the information is primarily kept on your device, not its servers. The one sentence highlight: a list of my downloads, purchases and repairs, but not my search histories through the Siri personal assistant or the Safari browser.
 


Refreshing, if true, that Apple collects next to nothing in terms of personal data. The article explains that Apple anonymizes Siri searches and requests.

Apple's file on me took longer [than FB or Google] but was lightweight — a testimony, according to the company, of how little it collects and stores on its individual users.

...
The company says flatly that it doesn’t want your personal information and doesn’t store it.

On the Safari browser on my Macs, my browsing history goes back to July 2017, but Apple says it doesn't track that information.

As a result, the personal download is very different from what I got from competitors Facebook and Google, which both track our moves, likes and queries in order to sell targeted advertising to sponsors...
 


This article supports what Apple has been saying for years - that they only collect what's needed to provide their services and anonymize as much as possible.

None of this really surprises me. Apple makes all their money by selling products. Social media companies make all their money by selling access to their databases. Apple has no financial incentive to spy on everything you do. Google and Facebook do.
 


Ric Ford

MacInTouch
Apple makes all their money by selling products.
Apple does make money from selling ads, actually (and targeting those ads to individuals, who have to jump through hoops to disable the targeting).
Apple said:
Search Ads
... You can also refine your audience by gender, age, and show your ads only to devices located in specific geographic areas.
... Users may also opt out of receiving targeted ads. This prevents the use of App Transaction Data and Developer Data in providing Search Ads.
Apple also sells advertising, and takes commissions on it, with its News platform:
Apple said:
Earn Ad Revenue and Promote Your Content on Apple News
70% of the Revenue: Backfill — Enable Backfill to allow Apple to sell ads in your content and keep 70% of the revenue.
50% of the Revenue: Pooled — Earn additional revenue from ads that appear in between articles in For You or in Apple-curated topic feeds such as Fashion or Technology. Apple will share 50% of the revenue from these ads with Apple News Format channels that have signed up to participate.
Apple previously ran an "iAd" platform:
Apple said:
Over $60 Million in 2010 Commitments from Leading Global Brands
June 7, 2010—Apple® today announced it will debut its iAd mobile advertising network on July 1 on iPhone® and iPod touch® devices running its iOS 4 software platform. iAds combine the emotion of TV advertising with the interactivity of Internet advertising, giving advertisers a dynamic and powerful new way to bring motion and emotion to mobile users. iAd will kick off with mobile ad campaigns from leading global brands including AT&T, Best Buy, Campbell Soup Company, Chanel, Citi, DirecTV, GEICO, GE, JCPenney, Liberty Mutual Group, Nissan, Sears, State Farm, Target, Turner Broadcasting System, Unilever and The Walt Disney Studios. Apple has iAd commitments for 2010 totaling over $60 million, which represents almost 50 percent of the total forecasted US mobile ad spending for the second half of 2010.
Then Apple cancelled the iAd platform and switched to a different, but very big ad business:
Adweek said:
As iAd Shuts Down, Apple May Be About to Get a Shot of Advertising Redemption
App-install ads have long been vital to the revenue streams of Facebook, Twitter, Google, Instagram and Yahoo. They were particularly important to Facebook turning around its post-IPO earnings slump a few years ago. It's now a multibillion-dollar business for CEO Mark Zuckerberg's company. So it's no wonder Apple CEO Tim Cook wants his brand to get a meaningful piece of the market, which represented $3 billion in ad spending last year, per eMarketer, and will generate nearly $7 billion annually by the end of 2019, according to Business Insider's BI Intelligence.
 


Apple makes all their money by selling products. Social media companies make all their money by selling access to their databases.
Apple does make money from selling ads, actually (and targeting those ads to individuals, who have to jump through hoops to disable the targeting).
I should rephrase that. Apple doesn't make all their money from selling product, but it is definitely the core of their business model to sell hardware (Macs, iPhones, iPads) and media (music, apps, movies).

This is in contrast to Google and Facebook (and others) who make the majority of their money from selling ads and selling access to their databases. They give away software and services to consumers, and make money by collecting tremendous amounts of data about you, which they sell to others. (They also charge money for third parties to host server-apps, but I don't think it's the majority of their revenue.)

And it's not just ad placement. They also allow customers to use their database for data-mining research. They don't usually grant access to the raw data, but they do provide a mechanism for customers to submit jobs that run against the database and return results. And these are definitely not free services.

Unfortunately, as much as I'd love to hate these companies, they are also among the few companies performing cutting-edge computer science research in the fields of AI, big-data, networking and network virtualization, cloud services, security and telecommunications. They don't give away everything they invent, but they contribute quite a lot to open source and industry forums.
 


Apple not having access to our personal data is a blessing and may also be why it has taken so long to build more functionality into Siri. I'm sure that it's not a stretch for any of the tech giants to place our info in the cloud to improve their voice assistant, but few people (not talking about us here, of course) seem troubled by trusting their most important info to a corporation that places profit over privacy.

And then there are all those people sending off their DNA to "ancestry" companies. When that data gets hacked, you might find you no longer are who you always have been, legally, as somebody else uses your DNA to prove they are you. Jeez.
 


Ric Ford

MacInTouch
Apple not having access to our personal data is a blessing and may also be why it has taken so long to build more functionality into Siri. I'm sure that it's not a stretch for any of the tech giants to place our info in the cloud to improve their voice assistant, but few people (not talking about us here, of course) seem troubled by trusting their most important info to a corporation that places profit over privacy.
I'm not sure if you've read Apple's terms regarding Siri and privacy....
Apple said:
When you use Siri or Dictation, the things you say will be recorded and sent to Apple in order to convert what you say into text and to process your requests. Your device will also send Apple other information, such as your first name and nickname; the names, nicknames, and relationship with you (e.g., “my dad”) of your address book contacts; and song names in your collection (collectively, your “User Data”). All of this data is used to help Siri and Dictation understand you better and recognize what you say. It is not linked to other data that Apple may have from your use of other Apple services. By using Siri or Dictation, you agree and consent to Apple’s and its subsidiaries’ and agents’ transmission, collection, maintenance, processing, and use of this information, including your voice input and User Data, to provide and improve Siri, Dictation, and dictation functionality in other Apple products and services.

If you have Location Services turned on, the location of your iOS Device at the time you make a request to Siri may also be sent to Apple...
 


Ric Ford

MacInTouch
Apple today updated documentation for a previously-released High Sierra security update:
Apple said:
About the security content of Security Update 2018-001

APPLE-SA-2018-05-08-1 Additional information for
APPLE-SA-2018-04-24-2 Security Update 2018-001
...
Kernel
Available for: macOS High Sierra 10.13.4
Impact: A malicious application may be able to execute arbitrary
code with kernel privileges
Description: In some circumstances, some operating systems may not
expect or properly handle an Intel architecture debug exception
after certain instructions. The issue appears to be from an
undocumented side effect of the instructions. An attacker might
utilize this exception handling to gain access to Ring 0 and access
sensitive memory or control operating system processes.
CVE-2018-8897
...
LinkPresentation
Available for: macOS High Sierra 10.13.4
Impact: Processing a maliciously crafted text message may lead to UI
spoofing
Description: A spoofing issue existed in the handling of URLs. This
issue was addressed with improved input validation.
CVE-2018-4187
 


DFG

Security company Elcomsoft reports today in a blog post that iOS 11.4 will implement a "restricted USB mode."

This means that after seven days during which an iOS device has not transferred data to a computer or been unlocked, the USB (currently Lightning) port will be disabled (for data transfer -- it will still be able to charge the device), therefore rendering unusable forensic tools used e.g. by law enforcement and governments to circumvent password protection.

This is very significant and welcome news: It means Apple is willing to step up the security of their devices in the face of government (FBI) demands.

However, I think that Apple should go much further. Seven days is still too long. I see no reason why this shouldn't be a setting that the user could enable at any time.
 



I think that Apple should go much further. Seven days is still too long. I see no reason why this shouldn't be a setting that the user could enable at any time.
Sounds good in theory. In practice, it could become a major inconvenience for users if pushed too far.

For instance, at one extreme, you might want to disable the USB port whenever the phone is locked. Which seems great until you realize that that's how headphones are attached. You wouldn't want your music playback to get cut off every time the display goes to sleep. You also wouldn't want to have to tap the screen every minute or two while making an iTunes backup in order to prevent the backup from getting interrupted.

But I agree that setting other timeouts in between "zero" and seven days might be a good idea.
 


I find the voicemail transcription "feature" to be really annoying, as it delays accessing messages and, as discussed on MacInTouch, there are privacy concerns. What really irks me is that Apple foisted this on users with no option to turn it off.

However, the Internet tells me that I can switch Siri to non-American English to defeat the "feature," as it is still beta and only available for American English. That does work, although now I have a British accented Siri on my phone. I am not sure if this will interfere with some requests (maybe Siri won't understand "potato chip" since it will be expecting "crisp"), but I don't find Siri useful anyway and rarely use it for anything other than initiating an occasional phone call.
 


Ric Ford

MacInTouch
Rapidly evolving malware uses some interesting techniques and targets iOS, among other systems, Kaspersky reports:
AO Kaspersky Lab said:
Roaming Mantis dabbles in mining and phishing multilingually
...
Apple phishing site for iOS device

Previously, this criminal group focused on Android devices only. They have apparently changed their monetizing strategy since then. The attackers now target iOS devices as well, using a phishing site to steal user credentials. When a user connects to the landing page via iOS devices, the user is redirected to ‘http://security.apple.com/’:

A legitimate DNS server wouldn’t be able to resolve a domain name like that, because it simply doesn’t exist. However, a user connecting via a compromised router can access the landing page because the rogue DNS service resolves this domain to the IP address 172.247.116[.]155. The final page is a phishing page mimicking the Apple website with the very reassuring domain name ‘security.apple.com’ in the address bar of the browser.

The phishing site steals user ID, password, card number, card expiration date and CVV.
 


What is happening with Apple's security login? Beginning earlier this week, my iOS devices and Mac computers started demanding login info. Then I saw others, including people and [point-of-sale] systems based on Apple, demanding login. Then a series of loops, including "your account has been locked for security reasons," "you must verify your identity," and finally: (after just a few seconds, with no further input) "Cannot verify identity. Your session has timed out." Then: "Forgot password?" (no I didn't!) I was forced to change a password, which caused other associated devices to lose connection. Any attempt to play music triggers this, but other times it appears at random.

So: what on earth is happening? ...
 


Beginning earlier this week, my iOS devices and Mac computers started demanding login info. Then I saw others ...
Something weird is definitely going on. Last night, my iPad (an old iPad 2 that never runs anything other than old games and is never used for web surfing) abruptly switched to an "activation lock" screen, requiring my Apple ID and password to recover.

It doesn't appear that anybody hacked my account (my passwords and 2FA configuration are all intact), I never saw any 2FA login, nor did I receive any e-mail from Apple about having locked a device. (My Apple ID e-mail is working and unchanged - I received alerts when I logged on to icloud.com to investigate.) And none of my other devices were affected.

After some Google searching, I found several different threads from people who encountered spurious lockouts over the years so I'm assuming it was a glitch in Apple's servers, but it definitely bothers me.
 


And just another interesting thing. This morning, I gave my usual "hey siri, what's the weather?" command and got no response after several tries. I then long-pressed the home button on my phone and saw an "enter passcode to use Siri" screen. I've never seen this before (I have "allow Siri when locked" enabled).

I'd love to know what's going on here. If it's a bug or if something happened causing Apple to push extra authentication screens at users.

Interestingly, stuff like this (and worse) is definitely happening to others. I ran across this article today (h/t Michael Tsai blog):
Erica Sadun said:
It appears that it was activated using false answers to security questions (a good practice to avoid people doing research to hack your account) but then lost the answers (extremely bad!), and can't get back into the account without them.

Although it wasn't explicitly stated, I assume the account was secured with the older 2SV system and not 2FA, since 2FA doesn't use security questions. Apple claims they can bypass the lockout, but since the iPad was purchased used (that is, the owner is not the original purchaser), Apple won't do anything without the security questions. All perfectly reasonable, but extremely frustrating.

And the fact that the entire Apple ID appears to be locked out (including iCloud web access), makes the whole shebang even more painful.

I have no clue what they can do now, but let this be a lesson to the rest of us - write down all the security settings and passcodes you created when activating an iOS device or it could end up permanently bricked due to no fault of your own. Keep a paper copy in a safe place in addition to any soft-copies. You absolutely don't want to end up in this situation because the hard drive with your magic code words failed.
 


Core leadership at Apple has forgotten what makes the iPhone great today is what made the Mac great 10 years ago... mature, well tested software frameworks thoroughly QA'd and written to strict Human Interface Guidelines. iOS was spawned/forked from Snow Leopard and much of the iOS user experience is rooted in Snow Leopard and the Avie Tevanian era. Now, new software is written by vertically integrated Agile/Scrum software teams (a la Microsoft) and is beta-tested by customers vs. actual QA. This is great for shareholders (don't have to hire armies of QA engineers) but really bad for customers.

I went through an activation lockout when I (foolishly) did the last major iOS update on both of my devices simultaneously. I was stuck in a 'verification ping-pong' amongst all my iCloud devices that took a half-day to resolve.

I'm so reminded of John Sculley's Apple lately, only, this time, Apple has a seemingly endless reserve of cash to increase shareholder value while cutting corners on customer experience with every passing calendar quarter.
 


Although it wasn't explicitly stated, I assume the account was secured with the older 2SV system and not 2FA, since 2FA doesn't use security questions.
Security questions are only used when neither 2SV nor 2FA are activated. When either of those is activated, all security questions are deleted. When you deactivate 2SV/2FA, you are required to create new security questions.
 


For no good reason, I had to generate a new third-party password for Fantastical yesterday afternoon when the old one stopped working.
 


All odd. I have not experienced any of these problems since the last update. But I'm still on Sierra. Could the problem be OS-specific?
 



Ric Ford

MacInTouch
Perhaps the best news from WWDC today was upcoming improvements in macOS and iOS security and privacy. Dan Goodin has a summary:
Ars Technica said:
A host of new security enhancements is coming to iOS and macOS
Apple on Monday previewed a variety of security and privacy features it plans to add to macOS and iOS operating systems, including encrypted Facetime group calls, password-management tools, and camera and microphone protections. The company also released a beta version of the upcoming iOS 12 that, according to Motherboard, all but kills off two iPhone unlocking tools used by police forces around the world.
 


As far as I care, the only important detail about Mojave is what happens to security updates for El Capitan? If this will force my clients to move up to (at least) Sierra, there will be a great gnashing of teeth as many of those users own Macs that can't be upgraded to Sierra (without that hack).
 


Security questions are only used when neither 2SV nor 2FA are activated. When either of those is activated, all security questions are deleted. When you deactivate 2SV/2FA, you are required to create new security questions.
Having just spent a frustrating hour on the website that Anthem Blue Cross uses to guard your data from you, its customer, by means of the website's user-hostile and brain-dead design, I felt compelled to ask one question about Apple's use of security questions, and then detail a bit of what I endured yesterday. I have 2FA enabled and don't know if Apple still has "security questions" stored for me to answer.

Now, let's peek at Anthem Blue Cross's monstrosity of a consumer website:
  1. You are compelled to provide a physical address as the primary point for correspondence. After last October's Sonoma County firestorm, I moved to a wonderful new house "right on Main Street" in the delightful "Census Designated Place" of Penngrove, CA. My address is on a sign at the bottom of a driveway that is shared with two other houses. The address is also on the house itself. The Post Office is about a quarter of a mile away, but the Post Office delivers no mail to our house, because "Main Street" is actually a rural route, and a quarter mile is too close for delivery. Also, our street address is not in the USPS computerized database, which many businesses use to reformat addresses precisely to the format the postal service prefers. Blue Cross's website offers the user a chance to specify an alternate mailing address, and even an option to change your residence address, but the latter doesn't work (the site reports the feature's not been enabled, but only after you go through entering information into every one of the data fields), and there is no way to delete the bright red checkbox labeled "use my residence address for my default address." So, we don't get our bills!
  2. Blue Cross's registration process asks you to input your account number as part of the registration process for online access, but does not tell you that the first 3 alpha characters of your ID on your card are not part of the ID number it wants!
  3. Blue Cross blanks your input when you type your password, meaning that if you make an error while creating a password, you'll defeat your own ability to log in later, and it doesn't allow you to copy what you've typed into that field into your favorite password manager.
  4. Even worse, Blue Cross demands that you set up answers to Security Questions, masks your input as you enter those "answers," and requires character-by-character identity between what you type initially and what you answer later, so that "first car" as a question, answered by "VW Beetle" when you created your answer but answered again by "Volkswagen" when you're forced to change your password and CONFIRM your identity by answering those same questions a year later will fail (far better for the website to store your answer among a list of choices that are programmatically easy for them to create; e.g., store "Volkswagen" in a popup among four or five other choices) or store "Lincoln" among a preconfigured list of other answers if you select to answer "name of the elementary school where you attended second grade." It can't even infer the identity between "B St. and B Street".
  5. Once you realize you cannot change your own mailing address, you can turn to the "secure message center" and create a "secure message" asking them to change your mailing address (which you include in the message, because, after all, it IS a secure message), but that won't CHANGE your mailing address because all Blue Cross will do in response to your secure message is reply with a canned message that says you have to effect that change in a voice call to their Customer Support Center, at which you'll enter the call processing queue from hell to speak with someone in the Philippines on a poor quality digital line who is either unable or prohibited from deviating from prepared scripts, so that even if by the end of the call the recorded transcript will yield nothing but a string of invectives on your side, the support person's (a bot would do better) final utterance will be something akin to "and did I provide you with excellent service today?"
  6. Although the site claims to support Safari, the first scripted suggestion made by the live person after you've told them you use the latest browser from the world's biggest company yet cannot gain access is to "close your browser and open your Internet Explorer."
  7. Even if you DO manage to gain access to your Anthem Blue Cross account site, if you want to pay your bill, you're routed to another "BillPayer" website from another company. Anthem Blue Cross's support personnel cannot provide you the telephone number for that other company's support team, and you need to navigate an equally complicated maze to create and maintain access to that separate website.
Members of the unique species profiled in the intro video to the WWDC yesterday ("Developers") might be able to get to level 4 or 5 of this perverse "internet game," but this website is intended for senior citizens on Medicare.

On one occasion in the past year I managed to get routed to an actual US-based, sympathetic, American English-speaking Anthem Blue Cross tech support person. As I detailed my complaints, I could almost feel him smiling through the ether as he responded "hey, I've got job security."

So, where would I find out if Apple still has security questions stored for me to answer?
 



the only important detail about Mojave is what happens to security updates for El Capitan?
There might be one more when Mojave is released (there wasn't one when High Sierra was first released), unless something quite serious is discovered between now and then, but it's almost certain there won't be any additional after that.
 


Computer - MacBook Pro (Retina, Mid 2012)
Boot ROM Version: MBP101.00F6.B00

Apple TV Model A1625 (64GB)
tvOS - 11.4(15L577)

I wanted to use the laptop to view a podcast on the ATV, with headphones connected to laptop so I could watch on the large TV screen but listen without disturbing my wife. It was working, though with lag, until the laptop popped up a message that the application required a code which then displayed on the ATV connected television. Typed in the code on the computer and got this message:

iTunes wants to use your confidential information stored in AirPlay Client Identity: XXXXXXXX in your keychain. To allow this, enter the “login” keychain password.

A blank Password: field was displayed with three buttons underneath; Always Allow, Deny, Allow. Of course I select Deny and of course I cannot continue. The laptop then displayed:

An error occurred while connecting to the AirPlay device “Apple TV”. The network connection failed. Make sure the Airplay device is powered on and the network settings are correct, then try again.

Any attempt to continue produces the following message on the laptop: The AirPlay device “Apple TV ” is currently busy and cannot be used.

So because I do not wish to give Apple access to my keychain I am not allowed to use my devices in the manner I wish. I think AirPlay2 added this change, which makes absolutely no sense. Entering the 4-digit code should be all that is required as I can either enter the code or not to agree to the terms of use here. Opening my Keychain to anyone is a security risk I am not willing to make.
 



Ric Ford

MacInTouch
There could be various reasons for this (including preserving battery and system life), but Apple is banning cryptocurrency mining in an update to developer rules for its App Stores:
The Verge said:
Apple’s App Store bans on-device cryptocurrency mining on iOS and macOS

Apple has explicitly banned apps that mine cryptocurrency on its devices, according to newly updated Review Guidelines for the App Store. The new ban extends to all Apple platforms.

In March, Apple removed Calendar 2 from the Mac App Store after the app began mining cryptocurrency on people’s devices in exchange for premium features. It was Apple’s first move against cryptocurrency mining apps. Previously, the company had never done anything about them. At the time, Calendar 2’s developer said Apple removed the app because it violated an App Store guideline: “Apps should not rapidly drain battery, generate excessive heat, or put unnecessary strain on device resources.”
 


Not directly Apple's security problem, but their documentation is being cast as partially to blame. (One of the challenges of an OS is getting developers to use the APIs correctly.)
Ars Technica said:
For almost 11 years, hackers could easily bypass 3rd-party macOS signature checks
For almost 11 years, hackers have had an easy way to get macOS malware past the scrutiny of a host of third-party security tools by tricking them into believing the malicious wares were signed by Apple, researchers said Tuesday.
This is a bit of really bad description (or mutated over time semantics):
Apple flag kSecCSCheckAllArchitectures (presumably one of the changes, now under "Discussion") notes: "By default, only the native architecture is validated". By default, it only checks one of "All" architectures.

The only excuse is that "All" is subflavors (e.g., x86, x86-64, etc.). It's probably some performance enhancement hack that someone threw in that wasn't thought through. Evidently need to couple this with kSecCSCheckNestedCode and another flag to pragmatically mean "All" in the usual sense.
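
An added example, not part of the post above or of Apple's documentation: a universal (fat) Mach-O file carries one slice per architecture, and each slice has its own code signature, so a check limited to the native architecture leaves the other slices unexamined. The Python sketch below lists every slice and reports which ones lack an LC_CODE_SIGNATURE load command; the function names and the sample file are constructed for illustration, and the presence of that load command is not a validity check (that still requires the Security framework with kSecCSCheckAllArchitectures).

```python
import struct

FAT_MAGIC = 0xCAFEBABE      # universal ("fat") header, stored big-endian
MH_MAGIC = 0xFEEDFACE       # thin 32-bit Mach-O
MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O
LC_UUID = 0x1B
LC_CODE_SIGNATURE = 0x1D    # load command pointing at the embedded signature
CPU_ARCH_ABI64 = 0x01000000
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64"}


def slice_has_signature(blob):
    """True if a thin, little-endian Mach-O slice has an LC_CODE_SIGNATURE command."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a little-endian Mach-O slice")
    ncmds, = struct.unpack_from("<I", blob, 16)
    offset = header_size
    for _ in range(ncmds):
        if offset + 8 > len(blob):
            raise ValueError("load command runs past end of slice")
        cmd, cmdsize = struct.unpack_from("<II", blob, offset)
        if cmdsize < 8:
            raise ValueError("malformed load command size")
        if cmd == LC_CODE_SIGNATURE:
            return True
        offset += cmdsize
    return False


def list_slices(data):
    """Return [(architecture name, has signature command)] for every slice."""
    magic, = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:                       # thin file: a single slice
        cputype, = struct.unpack_from("<I", data, 4)
        return [(CPU_NAMES.get(cputype, hex(cputype)), slice_has_signature(data))]
    nfat, = struct.unpack_from(">I", data, 4)
    if not 0 < nfat <= 32:                       # sanity bound on slice count
        raise ValueError("implausible slice count")
    result = []
    for i in range(nfat):
        cputype, _sub, off, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
        if off + size > len(data):
            raise ValueError("slice extends past end of file")
        name = CPU_NAMES.get(cputype, hex(cputype))
        result.append((name, slice_has_signature(data[off:off + size])))
    return result


def unsigned_slices(data):
    """Architectures a native-only check could skip and that carry no signature."""
    return [name for name, signed in list_slices(data) if not signed]


# --- constructed sample input (headers only, not a runnable binary) ---
def make_thin(cputype, signed):
    cmds = struct.pack("<II16s", LC_UUID, 24, b"\0" * 16)
    ncmds = 1
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0)
        ncmds = 2
    is64 = bool(cputype & CPU_ARCH_ABI64)
    fields = [MH_MAGIC_64 if is64 else MH_MAGIC, cputype, 3, 2, ncmds, len(cmds), 0]
    if is64:
        fields.append(0)                         # reserved field of mach_header_64
    return struct.pack("<%dI" % len(fields), *fields) + cmds


def make_fat(slices):
    offset = 8 + 20 * len(slices)
    archs, body = b"", b""
    for cputype, blob in slices:
        archs += struct.pack(">5I", cputype, 3, offset, len(blob), 0)
        body += blob
        offset += len(blob)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


SAMPLE = make_fat([(0x01000007, make_thin(0x01000007, True)),
                   (7, make_thin(7, False))])

if __name__ == "__main__":
    for name, signed in list_slices(SAMPLE):
        print(name, "signature command present" if signed else "NO signature command")
```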
 


There could be various reasons for this (including preserving battery and system life), but Apple is banning cryptocurrency mining in an update to developer rules for its App Stores:
One of the increasingly common occurrences is rogue mining. For example:

Web browser ads are mining:

This is kind of falling into the same category as ads being used by apps to make money by mining user info. That's relatively allowed by the rules.

The problem is also based in the notion of people claiming "you didn't exhaustively tell me I couldn't, so I will". That's one of the drivers of why the list grows over time. Rule 5 there boils down to: you can't pay off people to boost app ranking stats. Pretty sure that was generally disallowed before ("..If you attempt to cheat the system (for example.... or manipulate ratings) your apps ...")
 


Ric Ford

MacInTouch
Not directly Apple's security problem, but their documentation being cast as partially to blame. (One of the challenges of an OS is getting developers to use the APIs correctly.)
You beat me to it, but here's another article on the vulnerability, for what it's worth:
Motherboard said:
Bugs Allowed Hackers to Make Malware Look Like Apple Software
Hackers could have snuck malware past several popular third-party Mac security tools thanks to a mistake in how the tools were implementing Apple digital certificate APIs.
 


There could be various reasons for this (including preserving battery and system life), but Apple is banning cryptocurrency mining in an update to developer rules for its App Stores:
I wholeheartedly approve of this one.

If you want to set up software to mine Bitcoin or some other cryptocurrency on your Mac, you can go and manually install the software.

But I strongly suspect that most people running mining software are not doing that. Instead, they are downloading some completely unrelated application (like a calendar or a game), and it is running mining software in the background, draining your battery to oblivion and clobbering system performance. These people didn't ask to be a node in the mining network and they would almost certainly object to it if they knew.

By banning mining from all but a small number of situations (where it is clear that the user explicitly wants to use his device for mining), all those people who were (or would be) tricked no longer have to worry about the problem.

I think the only people seriously affected by this are spammers/criminals and power-users. The spammers and criminals can go pound sand. The power users should know enough to manually install the software without the App Store.
 


Ric Ford

MacInTouch
Bloomberg notes a quiet change at Apple to close a hypocritical privacy abuse avenue:
Sarah Frier and Mark Gurman said:
Apple Tries to Stop Developers From Sharing Data on Friends

Apple Inc. changed its App Store rules last week to limit how developers use information about iPhone owners’ friends and other contacts, quietly closing a loophole that let app makers store and share data without many people’s consent.

The move cracks down on a practice that’s been employed for years. Developers ask users for access to their phone contacts, then use it for marketing and sometimes share or sell the information -- without permission from the other people listed on those digital address books. On both Apple’s iOS and Google’s Android, the world’s largest smartphone operating systems, the tactic is sometimes used to juice growth and make money.

Sharing of friends’ data without their consent is what got Facebook Inc. into so much trouble when one of its outside developers gave information on millions of people to Cambridge Analytica, the political consultancy. Apple has criticized the social network for that lapse and other missteps, while announcing new privacy updates to boost its reputation for safeguarding user data.
 


Ric Ford

MacInTouch
Apple says it will close a major security loophole in a future iOS update:
Reuters said:
Apple to undercut popular law-enforcement tool for cracking iPhones
... The privacy standard-bearer of the tech industry said it will change default settings in the iPhone operating system to cut off communication through the USB port when the phone has not been unlocked in the past hour.

That port is how machines made by forensic companies GrayShift, Cellebrite and others connect and get around the security provisions that limit how many password guesses can be made before the device freezes them out or erases data. Now they will be unable to run code on the devices after the hour is up.

These companies have marketed their machines to law enforcement in multiple countries this year, offering the machines themselves for thousands of dollars but also per-phone pricing as low as $50.
 


Ric Ford

MacInTouch
Certain Facebook privacy abuses may run afoul of Apple changes in the future, apparently:
Bloomberg said:
Apple's App Store Privacy Crackdown May Hurt Facebook's Onavo
[Facebook's app] Onavo Protect, when installed on an iPhone or Android device, uses a virtual private network to scan incoming and outgoing internet connectivity. It also gathers information about users’ devices, their location, apps installed on the gadgets and how people use those apps, what websites they visit, and the amount of data used, Facebook wrote in answers to Congressional questions that the social network operator posted online Monday.
 


Dan Goodin (Ars Technica) said:
Reminder: macOS still leaks secrets stored on encrypted drives
Unbeknownst to many people, a macOS feature that caches thumbnail images of files can leak highly sensitive data stored on password-protected drives and encrypted volumes, security experts said Monday. The automatically generated caches can be viewed only by someone who has physical access to a Mac or infects the Mac with malware, and the behavior has existed on Macs for almost a decade. …
 



In addition to the Ars Technica post Simon Wagstaff noted, Bleeping Computer posted the article linked below. Nobody pointed out this succinct take-away: if your boot drive is encrypted, then the Quick Look cache is safe (to be precise, as safe as the rest of the data on the drive).

Every OS caches data. If that cached data is not on an encrypted drive, then it's vulnerable. This is one reason why macOS, Windows, and Linux all offer full-disk encryption.

In all the scenarios, the boot drive did not have full-disk encryption. (The disk or directory containing the files examined with Quick Look was encrypted.)

Michael Tsai made a good point:
From that point of view, Apple should be caching Quick Look on the drive containing the files.
 


Ric Ford

MacInTouch
An Apple press release announces location tracking and reporting changes for 911 emergency calls in the upcoming iOS 12 (after past controversy about Apple not supporting AML in iOS).
Apple PR said:
Apple’s iOS 12 securely and automatically shares emergency location with 911
iPhone users in the United States who call 911 will be able to automatically and securely share their location data with first responders beginning later this year with iOS 12, providing faster and more accurate information to help reduce emergency response times.

Approximately 80 percent of 911 calls today come from mobile devices, but outdated, landline-era infrastructure often makes it difficult for 911 centers to quickly and accurately obtain a mobile caller’s location. To address this challenge, Apple launched HELO (Hybridized Emergency Location) in 2015, which estimates a mobile 911 caller’s location using cell towers and on-device data sources like GPS and WiFi Access Points.

Apple today announced it will also use emergency technology company RapidSOS’s Internet Protocol-based data pipeline to quickly and securely share HELO location data with 911 centers, improving response time when lives and property are at risk. RapidSOS’s system will deliver the emergency location data of iOS users by integrating with many 911 centers’ existing software, which rely on industry-standard protocols. ...
 

