
Security Bits — 4 February 2024

## Feedback & Followups

Deep Dive 1 — Push Notification Abuse on iOS

To understand what ‘freepy’ (free in exchange for your privacy) services (including Facebook/Meta and TikTok) have been discovered doing, we need some context.

Apple do a lot to stop apps abusing users’ security and privacy, which is why iOS is much more secure than desktop OSes, and a big part of that is controlling when apps can run. In early versions of iOS, apps ran when they were the one foreground app, and when you switched to another app or the Home Screen they immediately paused. This made some features impossible, so APIs have been added over the years to allow limited background code execution. This is done using app entitlements that have specific purposes, e.g. background audio, background download, and rich notifications.

In the past less scrupulous apps were caught abusing the background audio entitlement and APIs to play silence in order to stay running and retain access to location data. This caused big battery drains and Apple soon cracked down on this kind of API abuse.

Now, a new type of entitlement & API abuse has been discovered — apps have been caught abusing the fact that the rich notifications APIs allow apps to briefly run to react to push notifications. This is intended to allow apps to provide useful functionality as part of push notifications, like replying right from a notification, but Meta and others have been caught using push notifications to trigger their apps to push the user’s current locations to their servers.

It seems likely Apple will update the app review process to detect this dark pattern, but in the meantime, the only fix is to turn off notifications for apps you don’t trust.

Links

Deep Dive 2 — 🇪🇺 What Apple’s EU Digital Markets Act Changes Mean from a Security & Privacy POV

In March the EU’s ‘Digital Markets Act’ will go into effect, which means so-called gatekeepers will need to make changes to better facilitate competition. Apple has been designated a gatekeeper in a number of areas, including Safari on iOS, iOS itself, and the iOS App Store. We’ve known this would require Apple to do something by March, but we had no idea what they would do. Now, thanks to a very long press release, we do!

Much of the detail and discussion focuses on changes to the various contracts and fees for developers, and while that’s important, it’s outside the scope of this segment (Bart dives into detail in Let’s Talk Apple 125). What I want to focus on here is the user-facing security and privacy implications.

First and foremost, all the changes we’ll be discussing will apply in the EU only. And secondly, all of this could easily change if the EU Commission do not consider Apple’s plans sufficient to meet the law’s requirements. Similar to how Apple makes developers do all the work before deciding whether or not they will allow the app, the Commission will not begin their review of Apple’s changes until the law goes into effect.

Apple have been forced to create over 600 new APIs without any kind of pre-approval from the Commission. Should the Commission find issue with some or all of Apple’s approach, the first step is engagement with the Commission; only if that proves unfruitful would things move to the courts. My expectation is that the Commission will negotiate at least some tweaks over the coming year.

3rd-party Browser Engines and Browser Ballots

We have had 3rd-party browsers on iOS for years, but they have all been skins over WebKit, the HTML/CSS/JavaScript engine that powers Safari. This gives Apple control over the security and performance of all iOS browsers.

Browsers in the EU App Store will be permitted to use their own browser engine, though it will be confined within a newly developed browser sandbox so Apple can still protect user data and other apps from abuses and vulnerabilities. The biggest risks for users are security and privacy leaks within and between web pages within the browser, and performance hits, probably manifesting as battery drain.

Realistically, there are likely to be few takers because it’s a lot of work to maintain two different mobile browsers with different brains for iOS. Unless and until Apple open this entitlement up to the whole world, I doubt we’ll see many if any 3rd-party engines.

What all EU users will see is a ‘Browser Ballot’ letting them pick their preferred default browser from a randomly ordered list of the most popular ones in their country the first time they launch Safari. This is basically the same as what Microsoft were ordered to do in IE in Europe back when IE was found to be a monopoly by the Commission.

Choice is great, and many 3rd-party browsers are more privacy-forward than even Safari, but not all, so the user’s choice will affect their privacy.

Portable App Store Data Reports

One of the DMA’s rules requires gatekeepers that operate a store they also sell their own products in to provide additional information to others in the marketplace. This is partly addressed by a worldwide change that gives all developers access to new reports, but it also gives EU users new data in their exportable data privacy report detailing their interaction with the App Store, and it can be shared with 3rd-party app stores.

Third-Party Payment Processors

European apps will have the option of using payment processors other than Apple, regardless of whether they are distributed via Apple’s app store or a third-party App Store. The APIs Apple have built to facilitate this will show users a message telling them they are leaving the walled garden, making it clear that if anything goes wrong, Apple can’t help.

Apple make it easy to do things like family sharing and parental controls, they do a very good job protecting your privacy from developers, and in my experience are good at dealing with disputes, simply refunding the money and un-doing the purchase each time I’ve asked. 3rd party processors can’t support the family features, and they may or may not do a good job protecting your privacy or dealing with disputes.

3rd party payment processors don’t help users, it’s only developers who want them because they would like to save on processing fees. Because Apple will only be charging EU developers 3% credit card processing fees, only extremely large developers with existing in-house payment processing infrastructure are likely to find it economically advantageous to use external payment processing, and they should be big enough to have robust processes in place. 🤞

There is no Sideloading!

Yes, there will be places to get apps outside the App Store, but users will not be able to bypass Apple’s security to run arbitrary apps from anywhere. No iOS app executable files to download and just run!

All apps will need to be ‘notarised’ by Apple. This is an automated and human security review to fight malware and detect apps that attempt to bypass iOS security features, including App Tracking Transparency and app sandboxes, so there are no new technical capabilities for apps.

By law, notarisation cannot contain any content review — under the DMA app content moderation is 100% the responsibility of the App Store operator. So, adult content, gambling, etc. can get in via 3rd party stores, but things that are currently technically impossible, like an Audio Hijack clone for iOS, can’t.

An interesting point is that when an app is submitted for notarisation, its metadata must also be submitted. Apple then verify it, add some screenshots, and include that in the final digitally signed app bundle, so notarised apps will contain their own description and other metadata, and iOS will be able to show it, regardless of which App Store the app was obtained from.

3rd-Party App Stores

Developers who meet some criteria will be able to apply for a special entitlement to create an App Store app that can install other apps, in other words, 3rd-party app stores will be apps in the iOS App Store.

All apps in these stores will be notarised, and the OS will show the app’s notarised metadata before users confirm the install.

Final Thoughts

This is very far from any kind of wild west security dystopia. Apple have put a lot of work into protecting users from malicious apps, regardless of their source. The hundreds of new APIs they’ve developed make that very clear.

While we can argue about the motivation (user or profit protection, probably both IMO), it’s equally clear that Apple have opted for a minimalist approach to compliance — as many as possible of Apple’s restrictions remain in place. So, the risk to users is minimised. What is likely to curtail the risks even more is that Apple appear to have made the terms economically unattractive to most developers, and they have made these new rules entirely optional, allowing developers to choose to continue under the current arrangements, even in Europe. So, realistically, I doubt many apps will be deployed under these new arrangements.

Over time, other governments could well require Apple to give their developers the same terms, in which case adoption might pick up, but at least for now, I’m not expecting any dramatic changes.

Links

❗ Action Alerts

Worthy Warnings

Notable News

Top Tips

Interesting Insights

Palate Cleansers

Legend

When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
