Mysk🇨🇦🇩🇪

The top two grossing apps in the Utilities category on the Brazilian App Store are VPN apps

#privacy #privacymatters

Screenshot of app rankings on Apple's App Store provided by appfigures.com:

Store: iOS App Store
Country: Brazil
Device: iPhone
Category: Utilities
Top Utilities Apps (Grossing), updated an hour ago:
1. NordVPN: VPN Fast & Secure (Free • Nordvpn S.A.)
2. Proton VPN: Fast & Secure (Free • Proton AG)
Mysk🇨🇦🇩🇪

The "marketplace-kit" scheme won't hand off the call to the MarketplaceKit process unless it is triggered from a button's onclick event. This seems to be a "security measure" to prevent automatic invocation. But the call can easily be hidden in a search button, for example.

This whole thing is caused by Apple insisting on inserting themselves between the 3rd-party app marketplaces and users.

#privacy #iOS #DMA #Apple #infosec mastodon.social/@mysk/11231185

Screenshot of Apple Documentation

"This installation scheme defines how a marketplace webpage, or developer app webpage, request the installation of their app. For example, assign a URL with the following scheme to a Download button on your page:"
Mysk🇨🇦🇩🇪

Google Authenticator still syncs two-factor authentication secrets without E2EE. If you enable cloud syncing, this means:

1️⃣ Google can read the secrets and generate one-time passwords for your accounts
2️⃣ Google knows the services you use
3️⃣ #Google knows your usernames
4️⃣ Given a court order, Google is obliged to hand over this data to law enforcement

#Privacy #privacymatters #CyberSecurity #infosec
defcon.social/@mysk/1102623132
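The first point in the post above, as an added example that is not part of the original post: a TOTP secret is the whole credential, so any party that can read a synced backup in the clear can compute the same codes the account owner's app does. The implementation below follows RFC 4226/6238 and is checked against the RFC's published test vectors; the base32 secret is a constructed sample, not one from the page.

```python
"""RFC 6238 TOTP computed from a shared secret (added illustration, not from the post)."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second time step."""
    return hotp(secret, unix_time // step, digits, algo)


def totp_from_base32(secret_b32: str, unix_time: int, **kwargs) -> str:
    """Authenticator apps hold the secret base32-encoded (the otpauth:// 'secret' parameter).
    A cloud backup made without E2EE exposes exactly this string, and the string alone
    is enough to reproduce every future code."""
    padded = secret_b32.strip().upper() + "=" * (-len(secret_b32) % 8)
    return totp(base64.b32decode(padded), unix_time, **kwargs)


# Constructed sample secret, as it would appear in an enrollment QR code or a synced backup.
EXAMPLE_SECRET_B32 = "JBSWY3DPEHPK3PXP"

if __name__ == "__main__":
    now = int(time.time())
    print("current code for the constructed secret:", totp_from_base32(EXAMPLE_SECRET_B32, now))
    # RFC 6238 test vector: ASCII seed "12345678901234567890" at time 59 gives 94287082 (8 digits).
    print("RFC 6238 vector at t=59:", totp(b"12345678901234567890", 59, digits=8))
```

The RFC vectors in the test confirm the arithmetic; the practical point is that protecting the secret at rest (client-side encryption before sync) is the only thing that keeps the backup provider from being a second authenticator.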

Molytov

@mysk Aegis and Ente Auth are the only two TOTP apps I'm comfortable vouching for. Have used both and they're good and actually safe to use.

你的雷电型阿喵

@mysk how about Microsoft authenticator? I'm using it

Mysk🇨🇦🇩🇪

This screenshot shows the app analytics data sent by two different #iOS apps: Duolingo and Tinder. What's the likelihood that both apps are installed on the same device? 💯? 🤯

Both apps use Unity Ads. The data in the screenshot is collected by the Unity Ads framework included in these two apps, and any app that uses Unity Ads. The data is sent to the same Unity server. As a result, Unity Ads can easily fingerprint users and track them across different apps.

#privacy #tracking #Apple #infosec

This screenshot shows the app analytics data sent by two different #iOS apps: Duolingo and Tinder. The data collected is very detailed and almost identical. This can accurately indicate that both apps are installed on the same device.
DELETED

@mysk Do you know if this is still collected when the user has disabled the option "Allow apps to ask to track" in Settings -> Privacy -> Tracking?

Huriken

@mysk Why would anybody ever need so many precision digits for the battery or brightness level?! Like, except for tracking...

OS manufacturers should not provide so precise (and thus unique) numbers, but just something like 0.35. The end-user cannot see it more precise either (battery level is usually given in %, brightness doesn't even have numbers, but just a slider) and there's no use differentiating more precise numbers...

richh

@mysk What approach are you using for those captures? A proxy/MITM with Wireshark or something on-device? Presumably the apps are using TLS, so having a root certificate installed is necessary to MITM them?
