throwaway27448

I don't understand why internet access isn't opt-in for apps. Preventing exfiltration would prevent much of this harm, and most apps don't have any need to access the internet in the first place. Why am I creating a GE account to read my blood pressure? At least I know it's taking advantage of me. But this is clearly abusive behavior.

regecks

Damn. The "iPhone last setup or erased on ..." is really nasty. What can a user really do about that? I feel like this should be fudged somehow by the OS.

aggregator-ios

One correction to some comments here: an iOS app cannot list all apps that are installed. You can only check for specific apps/schemes (LSApplicationQueriesSchemes) by specifying apps you are looking to query for installation status or open. You cannot provide a large list of unrelated applications since Apple rejects that during app review.

Apple added these restrictions because installed app lists can be used for fingerprinting and privacy invasive profiling.

RedComet

Volume creation date is pretty egregious. I don't see any reason that and Pasteboard changeCount should be so granular.

The "Installed Apps Probe" leak also surprised me. It is better than the current state of Android, though.

Cider9986
phmx

On a tangential point, one thing that should definitely not be possible for apps these days is determining whether you enabled a VPN. AFAIK, it’s possible indirectly in iOS by enumerating network interfaces with specific/telling names.

coffeecoders

This is excellent. Seeing this makes me appreciate how much visual awareness tools like this are needed.

I built something similar, for the web. https://neberej.github.io/exposedbydefault/

Github: https://github.com/neberej/exposedbydefault

nomilk

Why does a random app (with no special permissions given to it) get access to so much info, and why doesn't Apple tell users this (important) info? Why can't Apple make a long list of check boxes so users can dis/allow on a per-category and per-app basis?

E.g. I had no idea a random app you install (and give no permissions to) instantly has a list of every app installed on the device (e.g. can infer whether you're dating [or cheating!] from presence of tinder/bumble/hinge). That alone seems instantly monetizable by unscrupulous actors via 'is-my-partner-cheating' as a service: charge $10 to give a probable answer.

kamyarg

Holy cow, did not know iOS lets apps access so much fingerprintable information, such as apps installed, last wipe and number of copy actions. Installed the browser as I am confident it will be good also.

Thank you!

jiri

Is something similar already available for Android phones?

ChrisMarshallNY

I must say, I like the Mysk team, and wish them well; AI or not.

It seems a bit quixotic, but anything that goes against $_BIGCORP is tilting at windmills, anyway.

Of course, the one narrative I almost never hear, no matter who it is, is "Simply don't collect any extra data."

It's that simple. If you don't have the data, your app could be Swiss cheese, and no one can get anything dangerous.

But, in today's tech world, data is money, so every app and Web site out there, goes to any length, to hoover up as much data as possible.

I regularly get prompted to join "teams," and "leaderboards," or do "challenges," on my solitaire games.

hrideshmg

Wonder if there's anything like this for Android? If not, it might make for a pretty fun/interesting side project

amelius

Huh, I was under the impression that Apple protected us against all this through the app store review process.

api

This is why I avoid installing apps and don’t have a lot of them.

Barbing

Sweet, been wanting this a while. Just mentioned last month and here it is! https://news.ycombinator.com/item?id=48187972

VaradD09

Privacy is a real issue! Does the iOS allow an ext dev app to read its system info? If yes, does it easily comply?

lencastre

/me wonders if the privacy label should actually mention that it reads everything and the kitchen sink!!!

cocoto

Today I have simply given up trying not to share my personal information. What I do instead is simply block all ads and not use apps/websites that can’t be used without ad blocking. They may have many personal details like my favorite ice cream flavor but I get zero ads so I don’t care that much (I would prefer no one having this information but I’m pragmatic in such a terrible society).

paulirish

Would love this for MacOS as well.

socalgal2

Yea, it's infuriating that most of the HN crowd thinks the apps are better than web. Apps can spy on you way more than web. It's the reason every website says "please download the app". If it was better for them to spy on you via the website they wouldn't ask you to download the app.

nekusar

Yeah what's worse...

I have a LG modern TV. Smart shit. I also use a Linux install on a NUC. HDMI.

For some godsdamned reason, the TV was able to initiate an IP bridge with the Linux NUC and get an IP address on my network.

Nobody typed it in the TV. And I'm unsure how it did so itself.

What I do know is that Mikrotik allows DHCP-server blocks of wildcard MAC addresses. Blocked the whole fucking 24 bits of their allocation.

AND if it does get back online, I also shitcanned its routing on the IP side based on hostname.

Forgeties79

This is neat and interesting, truly, but the classic “what now?” emerges. I guess the only answer is “throw out my iPhone”? Otherwise this kind of seems like a circuitous ad to make people get worried and download Psylo, which I see has in-app purchases. I’m not trying to come at you here, but it’s just hard not to feel suspicious online these days.

cute_boi

Apps like TikTok can know which username we logged in with, even if we uninstall and reinstall the app. This is egregious, as many companies like Facebook have SDKs embedded in many apps, allowing them to accurately interconnect user activity.

Apple should be ashamed that they aren't putting effort to randomize these fingerprints....

lencastre

this is fantastic, just great really, and honestly makes one stick out so easily, reminds me a lot of that license plate xkcd

ChrisMarshallNY

It's likely to be trolled by the WPA folks, who will insist that WPAs are just as insecure as native apps, so there's no difference ...

But very cool.
