Share this page!

Maybe Scrolly?
Mysk 🇨🇦🇩🇪 Profile picture
Twitter logo
Jan 28 7 tweets 5 min read
🧵
The App Store on #macOS 13.2 sends detailed usage data and analytics to Apple. All interactions are associated with the user's iCloud ID, or dsid. This happens even when you turn off sharing usage data and analytics.
(1/6) 👇
#Privacy #InfoSec
(2/6)
The App Store on the latest version of macOS (13.2) behaves identically to what we demonstrated on iOS 14.6. This gives a clue that almost certainly the same happens on iOS 16.2. Recap of what iOS 14.6 sends:

(3/6)
Here's an example of the analytics sent when I search for "Holy Moly" on the App Store. Everything is logged and associated with the user's iCloud ID, even when you play a video of an app and click on the unmute button. Data collected can identify a user personally.
(4/6)
During the test, personalized ads as well as sharing analytics with Apple were turned off on the Mac according to Apple's support page. Yet, the App Store has collected as much as 270 KB of rich analytics in a matter of 10 minutes.
(5/6)
The privacy label of the App Store does state that the app collects usage data and links it to the user's identity. However, the description in the Settings of "Share Mac Analytics" gives the impression that usage data will be turned off with that switch. Very vague!
(6/6)
Finally, everyone agrees that you can't be both a privacy company and so obsessed over harvesting first-party analytics. Fortunately for Mac users, there are other ways to install apps on the Mac, a privilege iOS users still don't have.
For more content like this follow us here on Twitter and also on Mastodon: 🙏🙏

defcon.social/@mysk

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Mysk 🇨🇦🇩🇪

Mysk 🇨🇦🇩🇪 Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @mysk_co

Mysk 🇨🇦🇩🇪 Profile picture
Jan 22
🚨New 🧵:
(1/9)
No, macOS doesn't send info about your local photos to #Apple
We analyzed mediaanalysisd after an extraordinary claim by Jeffrey Paul that it scans local photos and secretly sends the results to an Apple server.👇
#Cybersecurity #Privacy
sneak.berlin/20230115/macos…
(2/9)
The process indeed scans local photos, as its name suggests. mediaanalysisd starts every time you preview an image file in Finder, then calls an Apple service. The process does not access any suspicious resources. Here is a look at the resources: Image
(3/9)
The content of its framework, MediaAnalysis.framework, clearly shows that the process runs machine learning algorithms to detect objects in photos. Its binaries file show a huge list of objects the model is trained to detect, some sample: ImageImage
Read 10 tweets
Mysk 🇨🇦🇩🇪 Profile picture
Nov 23, 2022
🧵 1/7
We have received a lot of feedback on our recent Apple Analytics findings. Here’s a thread to address some of these comments:
2/7
 Many have pointed out that Apple’s “Device Analytics & Privacy” policy document doesn’t pertain to the analytics in Apple’s apps, but instead there are separate policy documents that cover Apple’s apps and services.
3/7
 While this is technically correct, we believe it’s misleading on Apple’s part, who claim “Privacy is a fundamental human right,” to have very different privacy policies that cover different aspects of their “walled garden”
Read 7 tweets
Mysk 🇨🇦🇩🇪 Profile picture
Nov 21, 2022
🚨 New Findings:
🧵 1/6
Apple’s analytics data include an ID called “dsId”. We were able to verify that “dsId” is the “Directory Services Identifier”, an ID that uniquely identifies an iCloud account. Meaning, Apple’s analytics can personally identify you 👇
2/6
 Apple states in their Device Analytics & Privacy statement that the collected data does not identify you personally. This is inaccurate. We also showed earlier that the #AppStore keeps sending detailed analytics to Apple even when sharing analytics is switched off.
3/6
 Apple uses DSID to uniquely identify Apple ID accounts. DSID is associated with your name, email, and any data in your iCloud account. This is a screenshot of an API call to iCloud, and DSID it can be clearly seen alongside a user's personal data:
Read 6 tweets
Mysk 🇨🇦🇩🇪 Profile picture
Nov 12, 2022
🧵
1/7
 During our research on link previews, we discovered that Instagram servers execute #JS code in links sent in DM. We contacted Facebook security team. They said it was expected behavior, no issue. We published the work. @TeamYouTube took down the video and sent us a warning
2/7
 We appealed @YouTubeCreators decision. We argued that the video we uploaded to @YouTube was the exact video that we shared with Facebook security team. They concluded it was harmless. We discussed the issue with Facebook in a long exchange to convince them it was critical
3/7
 Facebook team was adamant that that issue was harmless and expected behavior. We shared with Facebook that we would publish the video. They didn't stop us. The video was viewed 3300 times before @TeamYouTube took it down and later rejected our appeal
Read 8 tweets
Mysk 🇨🇦🇩🇪 Profile picture
Nov 6, 2022
🧵
1/6
Apple's Data & Privacy statement starts with the calming phrase "Apple believes privacy is a fundamental human right" then goes on to describe how the platform aggressively collects your data. You must accept the statement or stop using your iPhone.
#CyberSecurity ImageImageImageImage
2/6
 It is true that there are options to disable personalized ads, but as this videos shows, usage data is still collected and sent to Apple even when these options are disabled:

3/6
 Before you conclude that Apple is tracking its users, you need to understand how Apple defines tracking. In short, as long as data collected to track you is not shared with 3rd parties, it's not considered tracking. No, Apple is not tracking you, just keeping an eye on you 👀 Image
Read 6 tweets
Mysk 🇨🇦🇩🇪 Profile picture
Nov 3, 2022
🧵
1/5
 The recent changes that Apple has made to App Store ads should raise many #privacy concerns. It seems that the #AppStore app on iOS 14.6 sends every tap you make in the app to Apple.👇This data is sent in one request: (data usage & personalized ads are off)
#CyberSecurity
2/5
 As the user browses the App Store app, detailed usage data is sent to Apple simultaneously. The data contains IDs to map the behavior to a profile (redacted in the video). Data shown in the video is 152KB. Here's a log of the requests while using the app for 10 minutes: Image
3/5
 The strange thing is that Apple introduced strict measures in #iOS 14.5 to prevent developers from fingerprinting users. Image
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

:(