We're two #iOS developers and occasional #security researchers on two continents. #CyberSecurity πŸ“mysk.blog πŸ‡¨πŸ‡¦πŸ‡©πŸ‡ͺ Current Project: @psylo_app

Canada - Germany
Psylo is finally available for download today. We can’t wait for you to try it. apps.apple.com/ca/app/psylo-…
πŸš€πŸ€˜Introducing Psylo: A New Kind of Private Browser After 9 months of development, we're super excited to finally launch Psylo, a new kind of private web browser for iOS and iPadOS. In Psylo, each tab is its own β€œsilo” with isolated storage, cookies, and even its own IP address. Psylo introduces advanced anti-tracking and anti-fingerprinting features that go beyond what a VPN can offer, thanks to the deep integration between Psylo and our own Mysk Private Proxy Network. Psylo is backed by years of insights from our privacy research at Mysk. Psylo is available today on the App Store as a monthly or annual subscription with a free 3-day trial. Read the full announcement blog post on our blog: mysk.blog/2025/06/17/introdu…
12
8
91
88,617
We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel. Worse, it leaks DNS requests. #Apple services that escape the VPN connection include Health, Maps, Wallet. We used @ProtonVPN and #Wireshark. Details in the video: #CyberSecurity #Privacy
408
6,063
19,358
🀯 Instagram is testing new iOS push notifications that include a profile photo. Each time the notification is shown on your screen, it triggers a GET request to fetch that image, letting Meta track every on-screen impression. The app still misuses push notifications to send detailed device analytics about the device (uptime, battery, volume, locale, timezone, memory, CPU, etc.). We detailed this last year and we checked again today. Meta collects everything it needs to track users across apps, a practice strictly prohibited by Apple. Stop using the native app. Use the web app. #privacy #fingerprinting #iOS #PWA
45
499
4,085
429,400
TL;DR: Don't install @signalapp for macOS, it is not secure. I carried out this small experiment: - I wrote a simple Python script that copies the directory of Signal's local storage to another location (to mimic a malicious script or app) - I ran the script in the Terminal and got a copy of my Signal data on my Mac - I booted a fresh macOS installation in a virtual machine - I transferred the copy of Signal's data to the VM and placed it where Signal expects it: ~/Library/Application\ Support/Signal - I installed Signal and started it - Signal started and restored my session with all the chat histories 😳 - I exchanged a couple messages with a contact from the VM and it worked 😳 - Then, I started Signal on the Mac - I got three sessions running in unison: Mac, iPhone, and VM 😳 Messages were either delivered to the Mac or to the VM. The iPhone received all messages. All of the three sessions were live and valid. Signal didn't warn me of the existence of the third session [that I cloned]. Moreover, Signal on the iPhone still shows one linked device. This is particularly dangerous because any malicious script can do the same to seize a session. Perhaps this flaw is what makes some users think that Signal has a "backdoor" as it is easy for sophisticated attackers to target a victim who's using the Mac app and see their chats. (The same may be also true for the Windows app) #privacy #security
130
451
2,759
913,347
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices. TL;DR: Don't turn it on. The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices. We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user. Why is this bad? Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised. Also, 2FA QR codes typically contain other information such as account name and the name of the service (e.g. Twitter, Amazon, etc). Since Google can see all this data, it knows which online services you use, and could potentially use this information for personalized ads. Surprisingly, Google data exports do not include the 2FA secrets that are stored in the user's Google Account. We downloaded all the data associated with the Google account we used, and we found no traces of the 2FA secrets. The bottom line: although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy. Fortunately, Google Authenticator still offers the option to use the app without signing in or syncing secrets. We recommend using the app without the new syncing feature for now. #Privacy #Cybersecurity #InfoSec #2FA #Google #Security
100
1,015
2,494
943,126
🚨 iMessages in iOS 26 leaks the sender's keyboard language when sending reactions to devices with iOS 17 or older, and Android phones via RCS! 😱 #privacy #Apple #iOS26
73
49
1,537
949,950
iOS 16.5.1 still bypasses the VPN. New tests show that Apple Push Notification traffic completely ignores the VPN connection. Apple Maps sends many requests outside the VPN, including unencrypted DNS requests. This also happens in the Lockdown Mode. 🎬 piped.video/tttO_E2STHA
36
340
1,218
247,636
🚨 New Findings: 🧡 1/6 Apple’s analytics data include an ID called β€œdsId”. We were able to verify that β€œdsId” is the β€œDirectory Services Identifier”, an ID that uniquely identifies an iCloud account. Meaning, Apple’s analytics can personally identify you πŸ‘‡
46
472
1,171
Hey @elonmusk, will 𝕏 publish the algorithm that determines which replies are most relevant? The Algorithm's repository on Github hasn't been updated since last year. Thank you!
18
33
484
28,008
I know what you're asking yourself and the answer is YES. #Android communicates with #Google services outside an active VPN connection, even with the options "Always-on" and "Block Connections without VPN." I used a #Pixel phone running #Android13, its IP is 192.168.2.14 πŸ‘‡
26
199
845
Speaking of outdated, @MicrosoftEdge is the only browser on macOS that still requires administrative privileges to install. 🫠
You. Yes, you. It's time to leave that outdated browser 🫡
18
45
811
55,533
Since iOS 18 launched, the new Passwords app has been using unencrypted HTTP to download icons for password entriesβ€”a potential #security risk. We reported this bug to #Apple in September, and it’s finally fixed in #iOS 18.2 (CVE-2024-54492). Why does this matter? Watch 🎬 :
20
76
849
156,485
🚨PSA: iOS 17 turns these sensitive location options back on. If you have disabled significant locations as well as adding your location information to your iPhone analytics before upgrading to iOS 17, iOS 17 will turn the options on as shown in the screenshot. While significant locations remain local on your iPhone, they can be abused as they record detailed information about the locations you visit frequently. iPhone analytics, on the other hand, are shared with Apple. Having your location information included in these analytics reports might have privacy implications, even if the reports don't identify you. Security experts have always advised to turn these two options off. Go the Settings app: Privacy & Security ➑️ Location Services ➑️ Scroll down to System Services ➑️ Find these two options and turn them off: πŸ‘‰ Significant Locations πŸ‘‰ iPhone Analytics Re-post and share it with your friends. You're welcome! #Privacy #Apple #iOS17 #CyberSecurity
66
319
777
533,818
I love seeing vestiges of pre-iOS 7 design still exist in iOS 26: the network link conditioner under developer options in settings. Look at that bold font, and the checkmark βœ”οΈ
10
11
911
289,944
iPhone storage is encrypted with the iPhone's passcode. Based on iOS security model, it's impossible to recover data after a factory reset. If this bug is proven to be true, the entire iOS security model is at risk.
21
55
693
165,471
🧡 1/5 The recent changes that Apple has made to App Store ads should raise many #privacy concerns. It seems that the #AppStore app on iOS 14.6 sends every tap you make in the app to Apple.πŸ‘‡This data is sent in one request: (data usage & personalized ads are off) #CyberSecurity
37
285
677
You can easily monitor the network traffic of any device using this simple method. You don't need a custom router for that. You just need a Mac and #Wireshark, and enjoy ✌️
At Mysk we use this simple method to monitor the network activity of a device: β–ΊConnect your Mac to the internet via LAN β–ΊShare the internet from LAN to Wi-Fi β–ΊConnect the device to this Wi-Fi β–ΊStart #Wireshark on your Mac and pick brdige100 β–ΊStart capturing.. #SecurityTips
14
64
601
WhatsApp messages are end-to-end encrypted, but user data is not only about messages. That also includes the metadata such as user location, which contacts the user is communicating with, the patterns of when the user is online, etc. This metadata according to your privacy policy is indeed used for targeted ads across Meta services. So @elonmusk is right.
Many have said this already, but worth repeating: this is not correct. We take security seriously and that's why we end-to-end encrypt your messages. They don't get sent to us every night or exported to us. If you do want to backup your messages, you can use your cloud provider and you can even use end-to-end encryption for that too. Turn it on here: faq.whatsapp.com/12464768728…
31
107
596
189,681
This is the folder structure of Signal's local data on macOS. The encrypted database and encryption key are stored next to each other. The folder is accessible to any app running on the Mac. How could such a blunder be approved by an open-source project reviewed by many experts?
32
95
587
91,644
Our recent encounter with Signal has revealed a new face of Signal as a project and team; one of exclusion, dismissal, and denial. We can no longer recommend Signal as a secure chat app. And we will no longer review, report, or disclose any security bugs related to Signal.
36
70
544
87,701
It's official. iOS will not support Progressive Web Apps in the EU. It would be great if Apple provides the basis of this claim: "We expect this change to affect a small number of users"
56
107
541
707,297
The community note is wrong and @elonmusk is right. Signal's desktop apps encrypt local chat history with a key stored in plain text and made accessible to any process. This leaves users vulnerable to exfiltration. The issue was reported in 2018, but it hasn't been addressedπŸ‘‡
Replying to @christopherrufo
There are known vulnerabilities with Signal that are not being addressed. Seems odd …
Community note
There is no evidence that suggests Signal has "known vulnerabilities that are not being addressed". Due to Signal's open source nature, among other factors, this is easy to verify. nitter.app/mer__edith/sta…
15
54
487
70,792
The top two grossing apps in the Utilities category on the Brazilian App Store are VPN apps:
8
29
478
144,069
This video shows that @signalapp (7.15.0) on macOS stores photos and docs sent through the app locally without encryption. Worse, the files are stored in a location accessible by any app or script. However, text messages are stored locally in an encrypted DB. #privacy #security
31
95
459
168,346
Replying to @mer__edith
Hi Meredith, let me address your points: 1) The issue we highlighted does not require β€œfull” access to the device. Signal desktop stores the chat database in an unprotected area of the file system that’s accessible by any user process. This would allow any program without any special permissions or user prompts to access the database in full. This can be solved by sandboxing, which relies on the OS to prevent any process from accessing data within the sandbox. 2) The issue was reported to Signal by others back in 2018, so we didn’t find anything new. App sandboxing technology had been available for a long time on desktop (Windows AppContainer and macOS App Sandbox). Even if we ignore sandboxing, while Signal encrypts the chat database, it stores the encryption key insecurely in plaintext. 3) We β€œthe posters” didn’t feel the need to reach out to Signal first since the issue had been known to Signal’s developers since 2018. After 6 years without a resolution, we believe it becomes more important to raise awareness than to attempt to directly engage with Signal, or any other vendor. Also, I challenge you to point out any instance of inflammatory language in our posts about Signal. Finally, Signal has a huge responsibility towards your users, many of whom rely on Signal to be the most secure way of communicating in areas of the world where their lives would be in danger if their messages were to be compromised. This is not hyperbole, and Signal needs to continue to live up to that responsibility.
13
36
409
22,374
First impressions of the iPhone 17 Pro and iPhone Air: - The Air is so strikingly thin and comfortable to hold. Makes you wish all phones are like that. - 17 Pro is even uglier in person. It looks and feels like a cheap knockoff. - Apple’s Paris store is so so beautiful.
11
15
429
42,685
Found another example: iTunes Store Zero Liquid Glass and untouched since the iOS 7 flattening, but still you can get the latest Taylor Swift album The best part: the app still lets you customise the bottom tab bar, a feature that existed when iOS was still called iPhone OS
I love seeing vestiges of pre-iOS 7 design still exist in iOS 26: the network link conditioner under developer options in settings. Look at that bold font, and the checkmark βœ”οΈ
15
11
428
80,651
This is an example of what the App Store app shares with #Apple when you search for an app. Everything you type in the search field is recorded as an event and associated with your Apple ID before it is sent to Apple. When I search for "Google Authenticator," events are recorded as I type character by character. The leap between rows 78 and 79 is when I picked a suggestion. The timestamp of every event is recorded. This means Apple can calculate my typing speed πŸ™ƒ. If I misspell a word, it will be on my record 🫣. Data is sent to Apple in near real-time (the difference between the Event Time and the Post Time). There is no way you can opt out of sending such app Analytics to Apple or request it be anonymous. Visit privacy[.]apple[.]com and request a copy of your data to learn what identifiable data Apple collects about you. ✌️ #Privacy #iOS
20
76
401
41,146
The community note is inaccurate. The claim "Find My is end-to-end encrypted" generally is misleading. Online devices report their location to Apple without end-to-end encryption even with Advanced Data Protection is on. This makes it possible to look up a device’s location through Find My by logging in to icloud[.]com. We intercepted the HTTPS traffic of Find My on icloud[.]com, and it clearly shows that Apple can see the location of every online device. End-to-end encryption only applies when offline devices report their location through the Find My network, which relies on other nearby devices reporting their own location. #Privacy #Cybersecurity #Apple
Replying to @9to5mac @benlovejoy
This feature is super creepy surveillance tech and shouldn’t exist. Years ago, a kid stole a Mac laptop out of my car. Years later, I was checking out Find My and it showed a map with the house where the kid who stole my Mac lived. WTF Apple? How is that okay?!
Community note
Find My is not designed as a surveillance tech. It is designed as a find your misplaced/lost items. en.m.wikipedia.org/wiki/Find_My Apple has explicitly said that Find My and AirTag is not meant for stalking or surveillance. apple.com/newsroom/2022/
15
69
336
50,650
🚨PSA: Just tested the Onion Browser and several Tor browsers for iOS and they all leak the real IP address when tapping on the share option. WORKAROUND: Don't use the share button. Instead, copy URLs manually. #Privacy #InfoSec #Cybersecurity
11
46
402
27,197
It seems it's not allowed to criticize Signal on Reddit. This is the second post that gets removed by the moderators. Users in the comments make wrong claims that physical access is required, others claim that full disk access is required. This is wrong. If you really have the knowledge to make such claims, test before posting misleading information. This issue is very easy to reproduce and verify. Any process or app started by the user can secretly copy your Signal data and send it to any remote server in the internet. Two simple reasons: 1- macOS doesn't block apps from accessing folders that are not sandboxed. Signal local data is NOT sandboxed. Signal developers could easily enable App Sandbox and end this debate. But they don't want to. 2- macOS doesn't prevent apps from sending data to any server in the internet. Enough nonsense about physical access! This is serious stuff and Signal should do better to protect user data. This sloppy implementation might cost lives.
26
47
378
36,813
Apple decided to remove PWAs, then walked back the decision. Apple terminated Epic Games developer account, now they walked back the decision. What's going on with Apple? "Trust is built in drops and lost in buckets" How many buckets has Apple lost so far?
Update - Apple has told us and committed to the European Commission that they will reinstate our developer account. We are moving forward as planned to launch the Epic Games Store and bring Fortnite back to iOS in Europe. More below⬇️ epicgames.com/site/en-US/new…
19
46
364
67,185
On Android, several Google services bypass an active VPN connection. As a result, a VPN connection won't hide your IP address from Google. And since YouTube is a first-party app on Android, it will get your real IP address and roughly determine your location despite using a VPN.
YouTube confirms crackdown on VPN-based cheaper Premium subscriptions androidauthority.com/youtube…
12
116
350
50,866
Well it would be nice to get a little more detail on that β€œdatabase corruption” issue, wouldn’t it?
iOS 17.5.1 is out. Video later…
15
21
329
76,610
In iOS 18.2, EU users will be able to delete the App Store app. You get a warning message before deleting the app. You can re-install the app from the Settings app. A similar but shorter warning message is also shown when deleting an alternative marketplace app. #iOS #DMA #EU
12
36
343
64,702
The security bug about storing the encryption key in plain text wasn't considered a bug by Signal in 2018, wasn't considered a bug by Signal's president today, and even demanded responsible disclosure for it. Well, that not bug thing is getting a fix now: github.com/signalapp/Signal-…
26
43
318
35,734
On macOS, iMessage stores the chat history locally in plain text, but the data is sandboxed and no other process can access it without permission. @Whatsapp also stores the local history in plain text but stores the data in a location accessible by any process/app/script started by the user. The user won't get a permission prompt. @signalapp only stores the text part of the local history in an encrypted file -- the encryption key is stored in Keychain. However, media attachments (such as photos you send and receive) are stored locally without encryption. Like WhatsApp, Signal stores the data in a location accessible by other processes without permission, but only media attachments are at risk. Finally, any app that has full disk access will be able to access any of these sensitive files. Only encrypted files will be safe. Yes, end-to-end encryption is useless if any of the ends gets compromised.
So does @WhatsApp and @Apple iMessage, and likely many other apps. Open a terminal on a Mac and check: strings ~/Library/Group\ Containers/group.net.whatsapp.WhatsApp.shared/ChatStorage.sqlite strings ~/Library/Messages/chat.db
11
40
316
59,166
The real reason why camera control didn’t live up to the hype: It’s simply too stiff to be practical as a camera shutter button. The pressure required to trigger it almost guarantees you’ll end up with a shaky photo. It’s probably the stiffest button on any Apple product.
I wonder how many more iPhone models we have to wait before Apple ditches the camera control button? It’s terrible.
33
4
330
46,419
🧡 1/6 Apple's Data & Privacy statement starts with the calming phrase "Apple believes privacy is a fundamental human right" then goes on to describe how the platform aggressively collects your data. You must accept the statement or stop using your iPhone. #CyberSecurity
13
103
299
πŸ”” Soon after we published our findings about the App Store collecting exhaustive and identifiable usage data, we were approached by law enforcement in the U.S. to help them navigate through the usage data they obtained from Apple for a suspect. They presented a court order to #Apple. As we showed, there's no way to turn off sharing the App Store usage data with Apple. As every iPhone or iPad user must use the App Store to install apps, Apple maintains this identifiable data about every user. #iOS #Privacy #PrivacyMatters
7
56
298
43,024
🚨 NEW: Private Wi-Fi addresses had been useless ever since they were introduced in iOS 14. When an iPhone joins a network, it sends multicast requests to discover AirPlay devices in the network. In these requests, iOS sends the device's real Wi-Fi MAC address. 🎬 Watch the video for details Exposure of a device's real Wi-Fi MAC address makes it vulnerable to tracking across Wi-Fi networks. It's fixed in iOS 17.1 (CVE-2023-42846) #privacy #cybersecurity #CVE #iOS #PrivacyMatters #cybersecurity #infosec piped.video/T3XABxNogTA
13
55
289
103,934
Apparently reporting on actual longstanding security issues in Signal is considered right-wing πŸ€·β€β™‚οΈ Plus, they will fix the issue, which is good for everybody.
A sudden flood of right-wing attention has pushed Signal to close a vulnerability in its desktop app. gizmodo.com/signal-is-workin…
15
28
283
18,286
🚨 Apple's Passwords app was vulnerable to phishing attacks in iOS versions prior to 18.2. Its functionality to change a password from within the app used to open an account's website via insecure HTTP by default. This allowed an attacker with privileged network access to easily intercept and redirect calls to a phishing website. Although the bug was addressed in iOS 18.2, #Apple only recently closed the report. This is why we couldn't disclose the bug earlier. Here is the demo: #Privacy #InfoSec #Cybersecurity
13
50
293
44,947
Just realized that the Passwords app communicates with 147 websites. It turns out the app calls every website of your added accounts to download its icon. The request has this user-agent: User-Agent: Passwords/8619.1.26.30.5 CFNetwork/1568.100.1 Darwin/24.0.0 #iOS18
16
24
277
35,452
🧡 The App Store on #macOS 13.2 sends detailed usage data and analytics to Apple. All interactions are associated with the user's iCloud ID, or dsid. This happens even when you turn off sharing usage data and analytics. (1/6) πŸ‘‡ #Privacy #InfoSec
5
76
270
104,900
Holy moly! iPhone users in the EU: DO NOT delete your alternative marketplace apps iOS 17.5 breaks alternative marketplace app re-installation. MarketplaceKit now generates a different client_id every time it is called. Now there's no way for alternative marketplace developers to identify users who have already purchased the marketplace app. Apple addressed a security issue we reported about the way MarketplaceKit handles client_id. The issue is fixed. But now developers are left with no option to identify installs and roughly estimate the Core Technology Fee (CTF) they owe #Apple.
12
46
281
192,899
Apple blocked Spotify's update for including a button that emailed a link for purchasing audiobooks. Amazon is doing exactly the same. If you tap on the "I Want This Book" button in the #iOS app, you get a link to purchase the book outside the app. Apple Review Team approved it.
10
39
256
Signal for desktop has been updated twice since we reiterated the known security issues related to storing the database encryption key and media attachments in plaintext, and in a location accessible to any process. None of the release notes mention this issue. The privacy chat app seems more concerned with the "sticker viewer." If the issues haven't been fixed yet, this shows that @signalapp doesn't take privacy seriously. If the issues have indeed been fixed, Signal should have communicated the changes to the users in the release notes and explained why a fix was needed. This is what users expect from an open-source and nonprofit project.
8
44
250
16,478
🚨@signalapp on its website presents both mobile and desktop versions to be equally secure. As we showed, the desktop versions are vulnerable to data exfiltration and session hijacking. This is consistent with early reports from 2018 and results from developers who successfully replicated our findings on all platforms. As per comments on GitHub, Signal developers have been aware of this issue since 2017. We're glad we have been able to bring this issue back to attention and raise awareness about it. Signal developers admit that the desktop apps suffer from the vulnerabilities that we highlighted, according to the comments in the open-source project repository on GitHub. Since GitHub is not the right place to inform average users about the risks of linking a desktop app, we call on @signalapp @mer__edith to inform users about the risks of installing and using Signal's desktop apps either on the official website or a message shown in the apps. Users who trust Signal, especially those who may be at risk of highly sophisticated cyberattacks, are going to appreciate this gesture a lot. Thank you πŸ™ #PrivacyMatters #Privacy #Security #Cybersecurity
TL;DR: Don't install @signalapp for macOS, it is not secure. I carried out this small experiment: - I wrote a simple Python script that copies the directory of Signal's local storage to another location (to mimic a malicious script or app) - I ran the script in the Terminal and got a copy of my Signal data on my Mac - I booted a fresh macOS installation in a virtual machine - I transferred the copy of Signal's data to the VM and placed it where Signal expects it: ~/Library/Application\ Support/Signal - I installed Signal and started it - Signal started and restored my session with all the chat histories 😳 - I exchanged a couple messages with a contact from the VM and it worked 😳 - Then, I started Signal on the Mac - I got three sessions running in unison: Mac, iPhone, and VM 😳 Messages were either delivered to the Mac or to the VM. The iPhone received all messages. All of the three sessions were live and valid. Signal didn't warn me of the existence of the third session [that I cloned]. Moreover, Signal on the iPhone still shows one linked device. This is particularly dangerous because any malicious script can do the same to seize a session. Perhaps this flaw is what makes some users think that Signal has a "backdoor" as it is easy for sophisticated attackers to target a victim who's using the Mac app and see their chats. (The same may be also true for the Windows app) #privacy #security
12
35
251
62,470
To the unknown future dissident, activist, or freedom seeker whose life will be saved as a result of the enhanced security added to Signal Desktop: You're welcome.
Signal is finally tightening its desktop client's security by changing how it stores plain text encryption keys for the data store after downplaying the issue since 2018. bleepingcomputer.com/news/se…
14
23
234
15,813
🚨🎬 Privacy Concerns about Apple Push Notifications TL;DR: data-hungry apps use push notifications as a trigger to send app analytics and device information to their remote servers, even if the apps aren't running at all on your iPhone. Such apps include TikTok, Facebook, FB Messenger, Instagram, Threads, X, and many more. Watch the full video on YouTube: piped.video/4ZPTjGG9t7s iOS apps don't have the luxury of running in the background. For reasons mostly related to privacy and performance, iOS suspends and eventually terminates any app that is not active. This is how iOS is designed. But starting in iOS 10, iOS added a new feature that allows apps to customize their push notifications even if they are not running. It works like this: when an app receives a push notification, iOS wakes the app in the background and allows it a limited time to customize the notification before it is presented to the user. This is very helpful for apps to perform tasks related to the notification such as decrypting the notification payload or downloading additional content to further enrich the notification before iOS presents it to the user. And as soon as the app finishes customizing the notification, iOS terminates it. The ability to execute tasks in the background is a gold mine for data-hungry apps. Unsurprisingly, many social apps notorious for their aggressive data harvesting practices are taking advantage of the background execution time enabled by push notifications. In fact, developers can harness this workaround to run code in the background on demand. All they have to do is send push notifications to their users. As a result, iOS would wake their app in the background on every device, then the app runs whatever code the developer has built into the app. According to Apple documentation, the intended purpose of waking an app in the background is all about allowing the app the chance to customize its notifications. However, many apps are using this feature as an opportunity to send detailed device information while running quietly in the background. This includes: system uptime, locale, keyboard language, available memory, battery status, device model, display brightness, to mention a few. Such signals are commonly used for fingerprinting and tracking users across different apps developed by different developers. Fingerprinting is strictly prohibited on iOS and iPadOS. Our tests show that this practice is more common than we expected. The frequency at which many apps send device information after being triggered by a notification is mind-blowing. Some Apps, like Facebook and TikTok, also send data when clearing their notifications in Notification Center. As far as data handling is concerned, apps take different approaches to send and store the data. The common services that many apps use are Google Analytics and Firebase. But some apps, like Facebook, use their own services. TikTok uses a combination of Firebase and their own services. To stop an app from doing this, you have to disable notifications for the app altogether. Setting the notification alerts to sounds or badges isn't enough. Fortunately, starting Spring 2024, Apple will require developers to declare reasons for using the APIs that return unique device signals, such as the ones commonly used for fingerprinting. Thanks a lot for reaching this far. If you find this content helpful, share it with your contacts, follow us, like us, and we look forward to sharing our next findings with you. ✌️ #Privacy #Security #Cybersecurity #Apple #iPhone #Facebook #TikTok #InfoSec #iOS
8
82
237
43,832
Still can't digest this. At first, #Apple thought it wasn't a bug. After a long exchange we convinced them it was one. They fixed it. Then, they said our report didn't qualify for a bounty. Then, they added an option to disable downloading icons in iOS 26, as per our report. What an epic security bounty program! 🀯
Since iOS 18 launched, the new Passwords app has been using unencrypted HTTP to download icons for password entriesβ€”a potential #security risk. We reported this bug to #Apple in September, and it’s finally fixed in #iOS 18.2 (CVE-2024-54492). Why does this matter? Watch 🎬 :
13
25
254
28,360
Dear #Android users, Chrome shares your motion sensor with all the websites you visit by default. This video shows how you can disable it. Please do it now. You can learn more about this here: mysk.blog/2021/10/24/acceler… #CyberSecurity #Privacy
18
189
232
X has introduced its end-to-end encrypted chat feature for users in the US. This service utilizes the Juicebox protocol, which enables users to secure their encryption keys with a simple, memorable 4-digit PIN. The Juicebox protocol is designed to distribute secrets across various organizations, referred to as realms. The protocol defends against any brute force attack and makes it impossible. The main idea is that there’s no 1) central entity that has all the secrets 2) there’s no offline oracle so it makes brute-forcing impossible. X’s implementation is wrong because they own all the realms (all realms are subdomains of x[.]com). In theory, X could potentially recover the encryption keys and access chat messages. #privacy #cybersecurity #security
11
34
257
19,065
No private browser should handle user location data on its remote servers, even if it is anonymized. The #privacy label of Firefox now includes location. Firefox settings that are on by default make it hard to recommend it as a privacy-focused browser.
13
28
235
18,121
At Mysk we use this simple method to monitor the network activity of a device: β–ΊConnect your Mac to the internet via LAN β–ΊShare the internet from LAN to Wi-Fi β–ΊConnect the device to this Wi-Fi β–ΊStart #Wireshark on your Mac and pick brdige100 β–ΊStart capturing.. #SecurityTips
9
42
235
Still don't understand why Safari does this? It happens on iOS too. Any explanation?
23
4
231
108,926
As @PrivacyMatters speculated, Authy sends too much analytics for an authenticator app. It associates analytics with the user's ID, which is tied to phone number and email. The analytics include the issuer name of each scanned QR code. Try to use a different #2FA app. #Privacy
21
49
232
51,704
Oh, 1Password stores user profile pictures on their servers without authentication. Anyone who has the long URL, which also contains the account identifier, can access the picture. It's not a big deal, but a password manager should definitely be more careful. #privacy
18
19
347
34,456
Signal's message is clear: end-to-end encryption is only about protecting the transmission of chat messages, not protecting the local chat history stored on device. This message is toxic and has a huge impact on our #privacy. @UKZak explains that very well:
9
48
213
17,084
Philips Hue will soon force users to create a Hue account and sign in to continue to use the app and control the smart lights. The best security model to protect smart devices is to keep them disconnected from the internet, or at least keep this option available. #Privacy
22
35
205
40,022
Nothing is circular, they're all long lists. Here is the date picker in Reminders:
the time picker on iphones alarm app isn’t actually circular it’s just a really long list
9
6
217
50,447
An open-source project should embrace an open mindset. Signal has positioned itself as the "secure" communication tool for users in troubled parts of the world. A fix should be pushed forward to make the app more secure for its users, not because a call for the fix "is getting publicity on X." This is not what makes users trust Signal. What makes users trust Signal is that Signal team admits their desktop app has been vulnerable since 2018. A vulnerability that can easily open a backdoor for any party. Users expect transparency and openness from an open-source and nonprofit project. By admitting the vulnerability, Signal should inform its users about the risks of using Signal for desktop. #privacy #privacyMatters #cybersecurity #security
8
19
180
11,868
A lot of accounts promote crypto scams on X and they hardly get suspended. And now this: @ProtonWallet
17
18
183
101,676
Replying to @VeraJourova
The draft mandates providers to perform human oversight of content sent over a private and end-to-end encrypted channel so that they detect false positives. How would employees view such content without breaking encryption and invading one's privacy?
2
10
181
11,050
This screenshot shows the app analytics data sent by two different iOS apps: @duolingo and @Tinder. What's the likelihood that both apps are installed on the same device? πŸ’―? 🀯 Both apps use @unity Ads. The data in the screenshot is collected by the Unity Ads framework included in these two apps, and any app that uses Unity Ads. The data is sent to the same Unity server. As a result, Unity Ads can easily fingerprint users and track them across different apps. #privacy #security #tracking #iOS #Apple
11
69
232
73,636
Just detected a call made by my iPhone seemingly sending my iOS keyboard data to an iCloud server. The domain name icloud-content[.]com is owned by Apple but not the one normally used for syncing iCloud data. The 316 KB of keyboard data is marked as "UserWords" The data is encrypted and I couldn't get a clue of its content. The only keyboard data that is synced via iCloud is the text replacement dictionary. But there's only one entry on the iPhone that sent this data, it can't make 316 KB. Apple promises that the processing of keyboard suggestions takes place on-device. So what's the content of this data? Regardless of whether the data is end-to-end encrypted or server-side encrypted, is there a way to turn this off? (x-apple-mme-owner is actually the iCloud ID) #privacy #cybersecurity #iOS #Apple
19
37
187
47,892
Signal has positioned itself as the secure communication tool that activists and users in troubled regions can trust. In 2021, Signal introduced simple TLS proxy to bypass government censorship. In 2018, Signal knew that their desktop app had security issues regarding protecting chat history stored at rest. Which feature should they prioritize first? A proxy used by people in troubled countries while using a vulnerable client or fixing the vulnerable client?
13
21
180
15,641
It's May 1. Instagram for iOS just got updated. It still sends the device's system uptime to remote servers. Starting today developers are no longer allowed to access this API without providing a reason. And in no way can the app send the value off-device. #Privacy
5
24
181
26,430
Sorry Signal and WhatsApp, you're not getting full access to my contacts. Stop begging. Be grateful you have access to a dummy contact. Both apps now check for the new #iOS18 authorization status "limited" and complain if the user authorizes access to some contacts only.
10
14
185
16,349
🎬 The App Store will continue to be the only place to install apps on the iPhone, even in the EU. Users should be aware that the App Store collects exhaustive usage data and sends it to #Apple. This can't be turned off. We made this video to show how tapping an app link gets recorded in details. After tapping a link posted on X, we requested a copy of the Apple ID data and we found this: (76,779 records in 734 days 🀯) #iOS #AppStore #Privacy #InfoSec #CyberSecurity #DMA piped.video/39ZN-PQmDWM
4
44
176
104,524
You need to be careful when you search for an authenticator app. This app sends the scanned QR codes to the developer's #Google analytics service. You won't miss it. It's running an ad campaign on the #AppStore #Privacy #CyberSecurity #2FA
13
54
165
67,384
FaceTime is designed so that after answering a call, it tries to establish a peer-to-peer connection between devices. This reveals the IP addresses of participants to each other. #WhatsApp and #Signal provide options to conceal your IP. #Privacy
did you know that you can IP grab someone by just FaceTime calling them (so having their phone number or iCloud email) with the built-in privacy report feature this leaks public and private IPs, apple's "private relay" is not affected (but that's an iCloud+ feature)
5
22
178
22,437
More context:
This video shows that @signalapp (7.15.0) on macOS stores photos and docs sent through the app locally without encryption. Worse, the files are stored in a location accessible by any app or script. However, text messages are stored locally in an encrypted DB. #privacy #security
6
10
172
84,763
Nice! @brave for iOS just got updated to support the new "marketplace-kit" scheme. Brave only calls the scheme when trackers blocking is disabled. As we reported earlier, Apple implemented the new scheme in a way that allows tracking across websites based on the unique client_id. Now users in the EU can use Brave to safely install alternative marketplaces. We would like to thank Brave for considering our advice about potential tracking. Moreover, Brave doesn't invoke the scheme if it's called from a website different than the store's website. Great job. πŸ‘ The client_id is created by MarketplaceKit. It is unique per device, Apple ID account, and marketplace combination. At the moment Apple allows any website to trigger sending client_id to the alternative store backend. This allows a malicious app store to track users across websites. The third screenshot shows the call that MarketplaceKit sends. #Privacy #Apple #iOS #DMA #InfoSec #cybersecuritytips #cybersecurity
3
25
166
110,619
BREAKING: The App Store has taken down the scam #2FA app that steals secrets We warned about this app four months ago. This wouldn't have happened without your support to spread the word. Thank you! πŸ™πŸ™βœŒοΈ
🎬 So this scam #2FA app is using custom product pages of Apple Search Ads to trick users. It has different campaigns per search keywords. When searching for "Microsoft Authenticator", it shows screenshots highlighting "Microsoft". and when searching for "Google Authenticator", it highlights "Google". Watch the video 🀯 It's worth noting that custom product pages need to be approved by @AppStore Connect and Apple Search Ads. This app steals 2FA secrets and its model is very suspicious as noted below. #Privacy #Apple #iOS #cybersecuritytips
11
26
172
44,415
The title should be clearer. Apple didn't do this willingly. This is a more accurate title: "EU Regulators finally force Apple to allow Spotify to show pricing info to EU users on iOS"
Apple finally allows Spotify to show pricing info to EU users on iOS tcrn.ch/4fMuT64
4
20
175
32,470
This old thread by @signalapp's president addresses a report by johnjhacking about the same desktop app vulnerability we highlighted. The response downplays the risks on the basis that the level of access required to hijack a session is "only available if the device is already completely compromised." This claim is wrong as confirmed by 100% of the devs who reproduced the case and shared their results with us. All agree that the desktop app keeps the data in a directory accessible to any process. No elevated access is required, no password, no sudo. This sloppy implementation definitely is a problem with Signal.
The report by johnjhacking is confused. What they propose requires a level of access that's only available if the device is already completely compromised: β€œFirst and foremost, you need access to the device.” TLDR someone compromising your device is not a problem with Signal. 1/
12
24
172
31,289
🧡 1/7 During our research on link previews, we discovered that Instagram servers execute #JS code in links sent in DM. We contacted Facebook security team. They said it was expected behavior, no issue. We published the work. @TeamYouTube took down the video and sent us a warning
10
60
174
We’ve been a little quiet recently, and not just because it’s the holiday season πŸŽ„β„οΈ Over the last several months we’ve been working on a brand new privacy-focused app for iOS. We plan on launching this app soon and we can’t wait to share more details with you.
13
7
166
16,873
Google Authenticator still syncs two-factor authentication secrets without E2EE. If you enable cloud syncing, this means: 1️⃣ Google can read the secrets and generate one-time passwords for your accounts 2️⃣ Google knows the services you use 3️⃣ #Google knows your usernames #Privacy
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices. TL;DR: Don't turn it on. The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices. We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user. Why is this bad? Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised. Also, 2FA QR codes typically contain other information such as account name and the name of the service (e.g. Twitter, Amazon, etc). Since Google can see all this data, it knows which online services you use, and could potentially use this information for personalized ads. Surprisingly, Google data exports do not include the 2FA secrets that are stored in the user's Google Account. We downloaded all the data associated with the Google account we used, and we found no traces of the 2FA secrets. The bottom line: although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy. Fortunately, Google Authenticator still offers the option to use the app without signing in or syncing secrets. We recommend using the app without the new syncing feature for now. #Privacy #Cybersecurity #InfoSec #2FA #Google #Security
10
58
169
19,889
Just got the "ad free" subscription of Prime Video in the iOS app and paid with my credit card directly to Amazon. I didn't see an option to pay with the App Store's in-app purchase, neither did I see a "scare screen." Digital content? Yes. Can other apps do this? 🫠
6
10
172
360,269
Apple "pressures" ByteDance and Tencent, but immediately suspended Epic Games' Apple Developer account and removed their apps from the App Store.
Apple Pressures ByteDance and Tencent Over App Fee Loopholes in China macrumors.com/2024/08/02/app…
8
15
156
20,683
Thank you @Apple! We were rewarded a bounty of $5,000 for reporting this bug. πŸ™ CVE-2023-42846
🚨 NEW: Private Wi-Fi addresses had been useless ever since they were introduced in iOS 14. When an iPhone joins a network, it sends multicast requests to discover AirPlay devices in the network. In these requests, iOS sends the device's real Wi-Fi MAC address. 🎬 Watch the video for details Exposure of a device's real Wi-Fi MAC address makes it vulnerable to tracking across Wi-Fi networks. It's fixed in iOS 17.1 (CVE-2023-42846) #privacy #cybersecurity #CVE #iOS #PrivacyMatters #cybersecurity #infosec piped.video/T3XABxNogTA
16
13
165
26,910
6/6 It is worth noting that the DSID is also sent by other Apple apps for analytics purposes. You just need to know three things: 1- The App Store sends detailed analytics about you to Apple 2- There's no way to stop it 3- Analytics data are directly linked to you
7
33
157
It still doesn't sound right that a password manager app communicates with 130 different websites (for downloading icons). That's more than X on my device 🀯. Thanks to our report, all these connections now use HTTPS, but 130....😩
16
15
160
26,186
This statement is from a court document submitted by Apple's lawyers regarding the App Store data privacy class action lawsuit: "Given Apple’s extensive privacy disclosures, no reasonable user would expect that their actions in Apple’s apps would be private from Apple."
8
48
158
55,747
The "Advanced Tracking and Fingerprinting Protection" introduced in Safari in iOS 17 leaks DNS queries to Apple DNS server. Users who rely on custom DNS to block malware domains will be unprotected. We reported this bug to Apple, but Apple says it is not an issue. In our example, we configured the internet connection to use a DNS server from cleanbrowsing[.]org that blocks malware domains. With Advanced Tracking and Fingerprinting Protection enabled, we opened a website that should be blocked by the DNS server. Surprisingly, the page loaded. The nslookup command verifies that the custom DNS server does not resolve the domain name of this malware website. Network traffic shows that Apple's DoH DNS server resolved the website instead. In fact, only websites blocked by the custom DNS server are resolved by Apple's DNS. The same applies when you use a family DNS server that blocks adults websites such as 1.1.1.3. Adult websites will open when "Advanced Tracking and Fingerprinting Protection" is active. When the new privacy feature is disabled, DNS resolution works as expected. Finally this unexpected behavior or bug affects Safari in iOS 17 iPadOS 17 and macOS 14. #privacy #security #cybersecurity #infosec #cybersecuritytips #iOS #macOS #Apple
8
36
147
39,781
We prepared this video to illustrate why access to the accelerometer should get a permission in iOS. Unrestricted access to accelerometer data can breach user privacy. We used Facebook as an example in the video. #Cybersecurity #Privacy #iOS piped.video/Gh2eykOHyOE
10
85
160
2/6 Apple states in their Device Analytics & Privacy statement that the collected data does not identify you personally. This is inaccurate. We also showed earlier that the #AppStore keeps sending detailed analytics to Apple even when sharing analytics is switched off.
4
33
161
Now playing with the toggle. Maybe it is also a long list of alternating 0s and 1s and it will stop flipping after some time.
Nothing is circular, they're all long lists. Here is the date picker in Reminders:
3
2
174
10,825
So does @WhatsApp and @Apple iMessage, and likely many other apps. Open a terminal on a Mac and check: strings ~/Library/Group\ Containers/group.net.whatsapp.WhatsApp.shared/ChatStorage.sqlite strings ~/Library/Messages/chat.db
ChatGPT Mac App Stored User Chats in Plain Text Prior to Latest Update macrumors.com/2024/07/04/cha…
4
22
151
64,900
Why do all browsers in iOS 26 communicate with this Google service? Has Apple changed how safe websites are downloaded? Psylo tunnels all connections via our proxy servers to prevent IP leaks. How are these calls made? Does Google see the real IP? #Privacy #Apple #iOS26
7
18
161
17,956
A new mysterious location permission option has been added in iOS 18.2: Privacy & Security ➑️ Location Services ➑️ System Services ➑️ "In-App Web Browsing" It's on by default. Still figuring out what it's for πŸ€” #Apple #Privacy
11
14
155
18,419
Five years ago, during our research on link previews, we discovered that Meta servers download every shared file in Facebook Messenger and Instagram DM in fullβ€”even if it’s gigabytes in size. Now, looking back, it would be interesting to know if Meta used these files to train their AI models. Meta insisted it wasn’t a bug. When we published videos demonstrating the issue, they asked YouTube to take them down. YouTube removed one video and gave us a strike. #Privacy #LLM #AI #Security
5
31
156
11,517
Apple just released iOS 18.3 Video will drop soon.
6
4
158
12,594
iOS 18.4 introduced a new option in System Location Services called "Improve Location Accuracy" and it is enabled by default. You can find it under: Settings > Privacy& Security > Location Services > System Services #Privacy
9
25
152
23,533
VPNs cannot truly hide your location since browsers and apps reveal your phone’s language and timezone settings, so websites can infer where you’re from and if you might be travelling somewhere. Try out your VPN on this website and see for yourself psylo.app/location
Does your VPN truly hide your location? You’d be surprised that the answer is often no. Try your VPN on this website and let me know what you see 😬 psylo.app/location
6
20
153
13,819
Many comments suggest that if you don't want Apple to collect this private data about you, don't buy an iPhone. Well, many users already bought iPhones based on Apple's privacy promises. What should they do? Moreover, Apple has its own definition of the term "tracking" πŸ‘‡
🎬 The App Store will continue to be the only place to install apps on the iPhone, even in the EU. Users should be aware that the App Store collects exhaustive usage data and sends it to #Apple. This can't be turned off. We made this video to show how tapping an app link gets recorded in details. After tapping a link posted on X, we requested a copy of the Apple ID data and we found this: (76,779 records in 734 days 🀯) #iOS #AppStore #Privacy #InfoSec #CyberSecurity #DMA piped.video/39ZN-PQmDWM
10
32
153
68,003