Feedback & Followups
- Apple have released iOS 17.3, which includes the new Stolen Device Protection mode, designed to thwart the recent spike in iPhone thefts by thieves who have observed or socially engineered passcodes, which lets them change iCloud passwords to disable Find My and Activation Lock and, in the process, lock people out of their data. The general advice is to enable it (Settings → Face/Touch ID & Passcode → Turn On Stolen Device Mode) — tidbits.com/… & www.cultofmac.com/…
- 🇺🇸 We now know how the SEC’s X account was hacked, and, we get a timely reminder that SMS-based 2FA is the least-good 2FA: SEC confirms X account was hacked in SIM swapping attack — www.bleepingcomputer.com/…
- Related: the SEC now have a better choice: X adds passkeys support for iOS users in the United States — www.bleepingcomputer.com/…
- 🇺🇸 US federal and state agencies continue to crack down on companies shirking their cybersecurity responsibilities:
- FTC orders Blackbaud to boost security after massive data breach — www.bleepingcomputer.com/… (cloud service provider for non-profits, many in the healthcare and education sectors)
- Citibank sued over failure to defend customers against hacks, fraud — www.bleepingcomputer.com/… (by NY State AG Letitia James)
- Related: NSA Admits Secretly Buying Your Internet Browsing Data without Warrants — thehackernews.com/… (more excellent work by Sen. Ron Wyden, triggered by the recent FTC actions against data brokers discussed in the previous Security Bits)
- Related: Just in time for tax season in the US: FTC orders Intuit to stop pushing “free” software that isn’t really free — www.bleepingcomputer.com/…
- Related Podcast Recommendation: 🎧 The Indicator from Planet Money: Why the FTC is cracking down on location data brokers — overcast.fm/…
- More details continue to emerge about the 23andMe hack, and the news does not get any better: 23andMe data breach: Hackers stole raw genotype data, health reports — www.bleepingcomputer.com/… (we also now know it was a credential stuffing attack, which went unnoticed for 5 months, which means their monitoring systems and processes were sub-standard)
Deep Dive 1 — Push Notification Abuse on iOS
To understand what ‘freepy’ (free in exchange for your privacy) services (including Facebook/Meta and TikTok) have been discovered doing, we need some context.
Apple do a lot to stop apps abusing users’ security and privacy, which is why iOS is much more secure than desktop OSes, and a big part of that is controlling when apps can run. In early versions of iOS, apps ran only while they were the single foreground app; when you switched to another app or the Home Screen, they immediately paused. This made some features impossible, so APIs have been added over the years to allow limited background code execution. This is done using app entitlements that have specific purposes, e.g. background audio, background download, and rich notifications.
In the past, less scrupulous apps were caught abusing the background audio entitlement and APIs to play silence in order to stay running and retain access to location data. This caused big battery drains, and Apple soon cracked down on this kind of API abuse.
Now, a new type of entitlement & API abuse has been discovered — apps have been caught abusing the fact that the rich notifications APIs allow apps to run briefly to react to push notifications. This is intended to allow apps to provide useful functionality as part of push notifications, like replying right from a notification, but Meta and others have been caught using push notifications to trigger their apps to push the user’s current location to their servers.
It seems likely Apple will update the app review process to detect this dark pattern, but in the meantime, the only fix is to turn off notifications for apps you don’t trust.
Links
Deep Dive 2 — 🇪🇺 What Apple’s EU Digital Markets Act Changes Mean from a Security & Privacy POV
In March the EU’s ‘Digital Markets Act’ will go into effect, which means so-called gatekeepers will need to make changes to better facilitate competition. Apple has been designated a gatekeeper in a number of areas, including Safari on iOS, iOS itself, and the iOS App Store. We’ve known this would require Apple to do something by March, but we had no idea what they would do. Now, thanks to a very long press release, we do!
Much of the detail and discussion focuses on changes to the various contracts and fees for developers, and while that’s important, it’s outside the scope of this segment (Bart dives into detail in Let’s Talk Apple 125). What I want to focus on here is the user-facing security and privacy implications.
First and foremost, all the changes we’ll be discussing will apply in the EU only. And secondly, all of this could easily change if the EU Commission do not consider Apple’s plans sufficient to meet the law’s requirements. Similar to how Apple makes developers do all the work before deciding whether or not they will allow the app, the Commission will not begin their review of Apple’s changes until the law goes into effect.
Apple have been forced to create over 600 new APIs without any kind of pre-approval from the Commission. Should the Commission find issue with some or all of Apple’s approach, the first step is engagement with the Commission; only if that proves unfruitful would things move to the courts. My expectation is that the Commission will negotiate at least some tweaks over the coming year.
3rd-party Browser Engines and Browser Ballots
We have had 3rd-party browsers on iOS for years, but they have all been skins over WebKit, the HTML/CSS/JavaScript engine that powers Safari. This gives Apple control over the security and performance of all iOS browsers.
Browsers in the EU App Store will be permitted to use their own browser engine, though it will be confined within a newly developed browser sandbox so Apple can still protect user data and other apps from abuses and vulnerabilities. The biggest risks for users are security and privacy leaks within and between web pages inside the browser, and performance hits, probably manifesting as battery drain.
Realistically, there are likely to be few takers because it’s a lot of work to maintain two different mobile browsers with different brains for iOS. Unless and until Apple open this entitlement up to the whole world, I doubt we’ll see many if any 3rd-party engines.
What all EU users will see is a ‘Browser Ballot’ letting them pick their preferred default browser from a randomly ordered list of the most popular ones in their country the first time they launch Safari. This is basically the same as what Microsoft were ordered to do with IE in Europe back when IE was found to be a monopoly by the Commission.
Choice is great, and many 3rd-party browsers are more privacy-forward than even Safari, but not all, so the user’s choice will affect their privacy.
Portable App Store Data Reports
One of the DMA’s rules requires gatekeepers that operate a store in which they also sell their own products to provide additional information to others in the marketplace. This is partly addressed by a worldwide change that gives all developers access to new reports, but it also gives EU users new data in their exportable data privacy report detailing their interaction with the App Store, and it can be shared with 3rd-party app stores.
Third-Party Payment Processors
European apps will have the option of using payment processors other than Apple, regardless of whether they are distributed via Apple’s app store or a third-party App Store. The APIs Apple have built to facilitate this will show users a message telling them they are leaving the walled garden, making it clear that if anything goes wrong, Apple can’t help.
Apple make it easy to do things like family sharing and parental controls, they do a very good job protecting your privacy from developers, and in my experience are good at dealing with disputes, simply refunding the money and undoing the purchase each time I’ve asked. 3rd-party processors can’t support the family features, and they may or may not do a good job protecting your privacy or dealing with disputes.
3rd-party payment processors don’t help users; it’s only developers who want them, because they would like to save on processing fees. Because Apple will only be charging EU developers 3% credit card processing fees, only extremely large developers with existing in-house payment processing infrastructure are likely to find it economically advantageous to use external payment processing, and they should be big enough to have robust processes in place. 🤞
There is no Sideloading!
Yes, there will be places to get apps outside the App Store, but users will not be able to bypass Apple’s security to run arbitrary apps from anywhere. No iOS app executable files to download and just run!
All apps will need to be ‘notarised’ by Apple. This is an automated and human security review to fight malware and detect apps that attempt to bypass iOS security features, including App Tracking Transparency and app sandboxes, so there are no new technical capabilities for apps.
By law, notarisation cannot contain any content review — under the DMA, app content moderation is 100% the responsibility of the App Store operator. So, adult content, gambling, etc. can get in via 3rd-party stores, but things that are currently technically impossible, like an Audio Hijack clone for iOS, can’t.
An interesting point is that when an app is submitted for notarisation, its metadata must also be submitted. Apple then verify it, add some screenshots, and include that in the final digitally signed app bundle, so notarised apps will contain their own description and other metadata, and iOS will be able to show it regardless of which App Store the app was obtained from.
3rd-Party App Stores
Developers who meet some criteria will be able to apply for a special entitlement to create an App Store app that can install other apps, in other words, 3rd-party app stores will be apps in the iOS App Store.
All apps in these stores will be notarised, and the OS will show the app’s notarised metadata before users confirm the install.
Final Thoughts
This is very far from any kind of wild west security dystopia. Apple have put a lot of work into protecting users from malicious apps, regardless of their source; the hundreds of new APIs they’ve developed make that very clear.
While we can argue about the motivation (user or profit protection, probably both IMO), it’s equally clear that Apple have opted for a minimalist approach to compliance — as many as possible of Apple’s restrictions remain in place. So, the risk to users is minimised. What is likely to curtail the risks even more is that Apple appear to have made the terms economically unattractive to most developers, and they have made these new rules entirely optional, allowing developers to choose to continue under the current arrangements, even in Europe. So, realistically, I doubt many apps will be deployed under these new arrangements.
Over time, other governments could well require Apple give their developers the same terms, in which case adoption might pick up, but at least for now, I’m not expecting any dramatic changes.
Links
- Apple’s full press release — www.apple.com/…
- A good overview: Apple Details How It Plans to Comply with the EU’s Digital Markets Act — www.macstories.net/…
- Apple’s new App Store rules apply to these 27 countries — appleinsider.com/…
- Browsers like Chrome and Firefox can abandon WebKit in EU with iOS 17.4 — appleinsider.com/…
- Apple is enhancing reports about what it knows about EU users in iOS 17.4 — appleinsider.com/…
- Phil Schiller warns third-party app stores are a risk to iPhone users — appleinsider.com/…
❗ Action Alerts
- Apple Updates Everything – New 0 Day in WebKit — isc.sans.edu/…
- Google Chrome browser patches 1st zero-day of 2024 — www.intego.com/… (the other major Chromium-based browsers like Edge & Brave have been patched too, remember to quit and re-start these browsers to let them patch themselves)
- New Linux glibc flaw lets attackers get root on major distros — www.bleepingcomputer.com/… (local privilege escalation, so attackers need to be able to run code locally, so a much bigger deal for cloud providers than home users, but still important for us all to patch promptly)
- If you’re running your own Mastodon server, patch it ASAP: Mastodon vulnerability allows attackers to take over accounts — www.bleepingcomputer.com/… (why I chose a SaaS approach to hosting my own server at social.bartificer.ie, my server got patched for me by my provider Masto.host)
Worthy Warnings
- 🇺🇸 FBI: Tech support scams now use couriers to collect victims’ money — www.bleepingcomputer.com/…
- A timely reminder of why it’s important to stay patched: 🇺🇸 CISA warns of patched iPhone kernel bug now exploited in attacks — www.bleepingcomputer.com/… (U.S. Cybersecurity and Infrastructure Security Agency, and the bug under active exploitation was patched in December 2022)
- Watch out for “I can’t believe he is gone” Facebook phishing posts — www.bleepingcomputer.com/…
- Trello API abused to link email addresses to 15 million accounts — www.bleepingcomputer.com/… (The big danger is automated, credible, targeted phishing attacks, so if you use Trello, be extra suspicious)
Notable News
- 🇬🇧 The very controversial Investigatory Powers Act raises its head again. This time a proposed provision would allow the UK government to block OS & software vendors from patching, or even disclosing, bugs they are using for surveillance/espionage worldwide. Apple are currently complaining the loudest, but they’re not alone — arstechnica.com/…
- 🇺🇸 🇨🇳 FBI disrupts Chinese botnet by wiping malware from infected routers — www.bleepingcomputer.com/… (this story is notable because the FBI, with court permission, effectively hacked routers owned by private businesses to remove the foreign hackers and then make unauthorised changes to add a ‘fix’ of their own creation that is not supported by the vendor — seems like a good thing IMO, but governments hacking privately owned devices for the good of the internet is a big deal, and it should probably be getting more public debate than it is)
- 🧯Europcar denies data breach of 50 million users, says data is fake — www.bleepingcomputer.com/… (Europcar are saying the fake data was probably AI-generated, general consensus is that the data is indeed fake, but many, including Troy Hunt from Have I Been Pwned disagree that it was AI Generated, but you can easily see how it’s just a matter of time until something like that does happen!)
- A timely reminder not to plug in USB thumb drives you find lying around or are given by strangers: 🇮🇹 Italian Businesses Hit by Weaponized USBs Spreading Cryptojacking Malware — thehackernews.com/…
- An important reminder that modern cars are as much computers as cars, so their cybersecurity matters: Pwn2Own Automotive: $1.3M for 49 zero-days, Tesla hacked twice — www.bleepingcomputer.com/… (This is a good news story; the fact that Pwn2Own Automotive exists at all is great progress, and all vendors have been responsibly notified and have 90 days to patch before any details are published)
- Ransomware payments drop to record low as victims refuse to pay — www.bleepingcomputer.com/… (we just might be nearing the end of the ransomware epidemic — cybercrime is economically motivated, so if the money dries up, so will the attacks)
Top Tips
- How To Avoid AI Voice Impersonation and Similar Scams — tidbits.com/…
- Eight Secure Ways to Share Sensitive Information over the Internet — tidbits.com/…
Interesting Insights
- A good insight into how collections of breach data like the MOAB (‘Mother of all Breaches’) 12TB data set recently added to Have I Been Pwned come into being: The Data Breach “Personal Stash” Ecosystem — www.troyhunt.com/…
- Good insights into how so many malicious software ads have been making their way into Google search results recently: Using Google Search to Find Software Can Be Risky — krebsonsecurity.com/…
- The Mac and iPhone malware of 2023—and what to expect in 2024 — www.intego.com/…
Palate Cleansers
- From Bart:
- 🎧 Unexplainable: The math problem that could break the internet — overcast.fm/… (no, not Quantum Computing, something much more fundamental)
- 🎧 A very interesting new collection of episodes has kicked off: Freakonomics Radio: The Curious Mr. Feynman — overcast.fm/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.

| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |