Security Bits Logo

Security Bits — 27 November 2022

Feedback & Followups

  • 🇺🇸 The long-running case against Google led by most state Attorneys General over its misleading location settings (turning off location tracking didn’t actually stop Google tracking your location!) has resulted in the largest-ever settlement with the DoJ – Google will pay $391.5M, and improve their interfaces — www.macobserver.com/…
  • We recently discussed 1Password’s acquisition of a Passkey-related company, now 1Password have released a preview of the Passkey support coming to their apps in 2023 (and it looks good 😀) — www.future.1password.com/…
  • Documents Apple is preparing for their ongoing court battle with grey-hat security company Corellium over their sale of a virtualised version of iOS, purportedly for security research, show that Corellium sold their software to repressive regimes, and to other questionable actors, including the infamous NSO group (Pegasus) — appleinsider.com/…
  • At least some of the current Twitter chaos may be coming to an end soon — Elon Musk has promised a detailed announcement next week describing their future account verification system – all verified badges will be human-verified, people will get blue badges, companies gold, and government agencies grey — www.macobserver.com/… & appleinsider.com/…

Deep Dive 1 — More on Apple’s Analytics

In the previous instalment I poured cold water on reports that Apple is violating its own rules with user tracking in the app store. Those reports were based on research showing nothing more than normal analytics tracking in iOS 14. The report tried to claim these was a breach of ATT (App Tracking Transparency), but its evidence pre-dated the introduction of ATT, and even if it hadn’t, there was no evidence presented of cross-app-tracking.

Research has continued and more details have come to light. I don’t see a smoking gun, and I still don’t see a reason to panic, but I do now see a need for Apple to tidy things up, and to communicate clearly to explain what’s going on, and how they’re going to improve things.

So, what’s changed since last time?

Firstly, we now have current information, so reports are not based on iOS 14 anymore! Secondly, we now know that Apple sends only pseudo-anonymized IDs, so in theory, they could convert the IDs back to Apple IDs if they wanted to. There is no evidence they are doing that, but they could.

In my opinion, we shouldn’t have to trust that Apple will do the right thing and not de-anonymise the data later. I’m not sure anything going on here breaches the letter of Apple’s agreements, but to me, it clearly breaches their spirit. I tend to agree with the take I’ve seen elsewhere — this is probably not malicious, but rather a mix of technical debt and carelessness. This is very old code, and it seems it badly needs a 2022 retrofit!

Further Reading:
* Apple’s App Store analytics may be able to identify users — appleinsider.com/…
* Issues with Privacy Continue in iOS as Apple’s Promise of Anonymous Data Analytics Flounder — www.macobserver.com/…
* iOS privacy concerns deepen as Apple’s promises on analytics anonymity appear to be false — 9to5mac.com/…

Worthy Warnings

  • Qatar World Cup apps are privacy nightmares, says EU — appleinsider.com/…
  • Brian Krebs warns of a malware gang (dubbed Disneyland Team) abusing the Punycode standard for adding special characters into URLs and special characters that look like regular letters to create very convincing looking phishing sites pretending to be major banks — krebsonsecurity.com/… (Because computers are not fooled by these look-a-likes, this is yet another reason we want passkeys, and why we should use password managers in the mean time)
  • A report from Pixelate finds that many of the top child-directed apps on both Apple & Google’s app stores violate COPPA (a US online child protection law) in how they do their advertising (they are missing privacy statements, and/or including IP and/or GPS data in calls to ad networks) — www.macobserver.com/…
    • The full body of the report is only available if you give up your own privacy by giving the company your email address, so I have not been prepared to read it!
    • The methodology is available without surrendering your own privacy — www.pixalate.com/…
    • On reading the methodology, it became clear to me that only the app interactions with ad networks were analysed, and this is not obvious from any of the reporting I’ve read!
    • I could not find a freely available or searchable list of affected apps (they may be in the full report I’m not prepared to download)
    • Advertising sets up a strong conflict of interest in apps for kids, the actionable take-away from this would seem to be to avoid letting your kids play ad-supported games.

Notable News

Top Tips

Excellent Explainers

Interesting Insights

  • Elastic Security Labs’ 2022 annual threat report shows that the Mac still suffers very few malware infections in the real world, and of those it does suffer, questionable software like MacKeeper makes up the vast majority of ‘infections’ — appleinsider.com/…
    • Of the malware infections the company found, 54% were on Windows, 39.4% on Linux (servers get attacked a lot because they are valuable!), and just 6.2% on the Mac.
  • We still suck at passwords, see how bad we are in NordPass’s 2022 200 most common passwords list — nordpass.com/…

Palate Cleansers

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top