Email or username:

Password:

Forgot your password?
Mysk🇨🇦🇩🇪's posts Back to profile
4 posts total
Mysk🇨🇦🇩🇪

The top two grossing apps in the Utilities category on the Brazilian App Store are VPN apps

#privacy #privacymatters
31 August at 19:42 | Open on mastodon.social
Mysk🇨🇦🇩🇪

The "marketplace-kit" scheme won't hand off the call to the MarketplaceKit process unless it is triggered from a button's onclick event. This seems to be a "security measure" to prevent automatic invocation. But the call can easily be hidden in a search button, for example.

This whole thing is caused by Apple insisting on inserting themselves between the 3rd-party app marketplaces and users.

#privacy #iOS #DMA #Apple #infosec mastodon.social/@mysk/11231185
22 April at 17:33 | Open on mastodon.social
Mysk🇨🇦🇩🇪

Google Authenticator still syncs two-factor authentication secrets without E2EE. If you enable cloud syncing, this means:

1️⃣ Google can read the secrets and generate one-time passwords for your accounts
2️⃣ Google knows the services you use
3️⃣ #Google knows your usernames
4️⃣ Given a court order, Google is obliged to hand over this data to law enforcement

#Privacy #privacymatters #CyberSecurity #infosec
defcon.social/@mysk/1102623132

Google Authenticator still syncs two-factor authentication secrets without E2EE. If you enable cloud syncing, this means:

1️⃣ Google can read the secrets and generate one-time passwords for your accounts
2️⃣ Google knows the services you use
3️⃣ #Google knows your usernames
4️⃣ Given a court order, Google is obliged to hand over this data to law enforcement

4 March at 10:07 | Open on mastodon.social
Show previous comments
Molytov

@mysk Aegis and Ente Auth are the only two TOTP apps I'm comfortable vouching for. Have used both and they're good and actually safe to use.

4 March at 14:05 | Open on infosec.exchange
你的雷电型阿喵

@mysk how about Microsoft authenticator? I'm using it

4 March at 14:18 | Open on social.kryta.app
DELETED
Mysk🇨🇦🇩🇪

This screenshot shows the app analytics data sent by two different #iOS apps: Duolingo and Tinder. What's the likelihood that both apps are installed on the same device? 💯? 🤯

Both apps use Unity Ads. The data in the screenshot is collected by the Unity Ads framework included in these two apps, and any app that uses Unity Ads. The data is sent to the same Unity server. As a result, Unity Ads can easily fingerprint users and track them across different apps.

#privacy #tracking #Apple #infosec
4 February at 1:57 | Open on mastodon.social
Show previous comments
DELETED

@mysk Do you know if this is still collected, when the user has disabled the option ”Allow apps to ask to track” in settings->privacy->tracking ?

4 February at 9:49 | Open on social.sinnesro.se
Huriken

@mysk Why would anybody ever need so many precision digits for the battery or brightness level?! Like, except for tracking...

OS manufacturers should not provide so precise (and thus unique) numbers, but just something like 0.35. The end-user cannot see it more precise either (battery level is usually given in %, brightness doesn't even have numbers, but just a slider) and there's no use differentiating more precise numbers...

4 February at 10:27 | Open on mas.to
richh

@mysk What approach are you using for those captures? A proxy/MITM with Wireshark or something on-device? Presumably the apps are using TLS, so having a root certificate installed is necessary to MITM them?

4 February at 10:35 | Open on mastodon.cloud
Go Up