🧵
The App Store on #macOS 13.2 sends detailed usage data and analytics to Apple. All interactions are associated with the user's iCloud ID, or dsid. This happens even when you turn off sharing usage data and analytics.
(1/6) 👇 #Privacy#InfoSec
(2/6)
The App Store on the latest version of macOS (13.2) behaves identically to what we demonstrated on iOS 14.6. This gives a clue that almost certainly the same happens on iOS 16.2. Recap of what iOS 14.6 sends:
Jan 22, 2023 • 10 tweets • 5 min read
🚨New 🧵:
(1/9)
No, macOS doesn't send info about your local photos to #Apple
We analyzed mediaanalysisd after an extraordinary claim by Jeffrey Paul that it scans local photos and secretly sends the results to an Apple server.👇 #Cybersecurity#Privacy sneak.berlin/20230115/macos…
(2/9)
The process indeed scans local photos, as its name suggests. mediaanalysisd starts every time you preview an image file in Finder, then calls an Apple service. The process does not access any suspicious resources. Here is a look at the resources:
Nov 23, 2022 • 7 tweets • 3 min read
🧵 1/7
We have received a lot of feedback on our recent Apple Analytics findings. Here’s a thread to address some of these comments:
2/7 Many have pointed out that Apple’s “Device Analytics & Privacy” policy document doesn’t pertain to the analytics in Apple’s apps, but instead there are separate policy documents that cover Apple’s apps and services.
Nov 21, 2022 • 6 tweets • 3 min read
🚨 New Findings:
🧵 1/6
Apple’s analytics data include an ID called “dsId”. We were able to verify that “dsId” is the “Directory Services Identifier”, an ID that uniquely identifies an iCloud account. Meaning, Apple’s analytics can personally identify you 👇 2/6 Apple states in their Device Analytics & Privacy statement that the collected data does not identify you personally. This is inaccurate. We also showed earlier that the #AppStore keeps sending detailed analytics to Apple even when sharing analytics is switched off.
Nov 12, 2022 • 8 tweets • 4 min read
🧵 1/7 During our research on link previews, we discovered that Instagram servers execute #JS code in links sent in DM. We contacted Facebook security team. They said it was expected behavior, no issue. We published the work. @TeamYouTube took down the video and sent us a warning 2/7 We appealed @YouTubeCreators decision. We argued that the video we uploaded to @YouTube was the exact video that we shared with Facebook security team. They concluded it was harmless. We discussed the issue with Facebook in a long exchange to convince them it was critical
Nov 6, 2022 • 6 tweets • 3 min read
🧵 1/6
Apple's Data & Privacy statement starts with the calming phrase "Apple believes privacy is a fundamental human right" then goes on to describe how the platform aggressively collects your data. You must accept the statement or stop using your iPhone. #CyberSecurity2/6 It is true that there are options to disable personalized ads, but as this videos shows, usage data is still collected and sent to Apple even when these options are disabled:
Nov 3, 2022 • 7 tweets • 3 min read
🧵 1/5 The recent changes that Apple has made to App Store ads should raise many #privacy concerns. It seems that the #AppStore app on iOS 14.6 sends every tap you make in the app to Apple.👇This data is sent in one request: (data usage & personalized ads are off) #CyberSecurity2/5 As the user browses the App Store app, detailed usage data is sent to Apple simultaneously. The data contains IDs to map the behavior to a profile (redacted in the video). Data shown in the video is 152KB. Here's a log of the requests while using the app for 10 minutes:
Oct 12, 2022 • 5 tweets • 4 min read
We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel. Worse, it leaks DNS requests. #Apple services that escape the VPN connection include Health, Maps, Wallet.
We used @ProtonVPN and #Wireshark. Details in the video:
#CyberSecurity#Privacy
You can easily monitor the network traffic of any device using this simple method. You don't need a custom router for that. You just need a Mac and #Wireshark, and enjoy ✌️
We prepared this video to illustrate why access to the accelerometer should get a permission in iOS. Unrestricted access to accelerometer data can breach user privacy. We used Facebook as an example in the video.
It's amazing what algorithms can extract from accelerometer data:
- Detect if you're walking, sitting, cycling.. etc
- Count your steps
- Figure your heart rate
- Find your precise location
- Analyze sound vibrations of your phone speaker and infer what you're listening to