Feedback & Followups
- 🇺🇸 We’ve known, unofficially, for some time that the US government uses commercial data brokers to bypass the 4th Amendment and get geolocation data on US citizens, but now it’s on the record: FBI started buying Americans’ location data again, Kash Patel confirms — arstechnica.com/…
- Note that VPNs do not provide any protection from this (sorry to whoever I saw suggesting on the NosillaCast Slack that this proved their VPN was a good investment)
- This data is coming from data brokers, who in turn aggregate it from many sources, including:
- Ad networks
- Apps that monetise with ads
- Apps that monetise by selling data to data brokers
- Web stores that double-dip: they sell you products (probably unrealistically cheap) and make up the difference by selling your data too
- Devices that double-dip: surprisingly cheap hardware whose makers make up the difference by selling your data (unrealistically cheap smart TVs are among the biggest offenders)
- Pirated software and software designed for pirating content — they didn’t sell you the software or content, so they make their money by selling your data and/or enrolling your devices into anonymous proxy services sold on the dark web
- Some good protections to limit your exposure (you’ll never get it down to zero):
- Avoid apps and services that monetise with ads or have no clear revenue stream, especially:
- Weather apps (they must have location access)
- Email apps and services (the crown jewels, remember, which is why I choose to pay for Office 365 + Exchange Online, why Allison uses iCloud+, and why I recommend people consider the Proton suite)
- Search engines (this is why I highly recommend Kagi)
- AI chatbots (this is why I highly recommend Lumo and the Microsoft Copilots)
- Related: if you’ve been on the fence about a paid search engine, this news might finally push you over the edge; even the actual titles in the search results now contain hallucinations: Google Search is now using AI to replace headlines — www.theverge.com/… 🤬
- We have some resolution on the botnet Allison asked about some time ago (KimWolf), which had been highlighted by Brian Krebs and introduced us to the concept of residential proxy services and the risks they pose: International joint action disrupts world’s largest DDoS botnets — www.bleepingcomputer.com/… & krebsonsecurity.com/… (🇺🇸 🇩🇪 🇨🇦 United States, Germany & Canada)
- I like to describe email as the crown jewels because access to your inbox allows attackers to reset just about any online password, and to learn enough about you to phish you really convincingly, but remember it’s also the crown jewels for organisations, and while big companies make big headlines when their mail infrastructure gets abused, it can happen to even the smallest mom-and-pop venture: 🇺🇸 Nordstrom’s email system abused to send crypto scams to customers — www.bleepingcomputer.com/… (with a St. Patrick’s Day theme)
Deep Dive — Advanced Flow, Google’s Side-Loading Compromise for Android
Google has been struggling for many years to find the right balance between open and safe when it comes to side-loading apps onto Android. They’ve now settled on a very reasonable compromise (in my opinion at least).
TL;DR — Android apps not digitally signed by a verified developer will not install without enabling the new ‘Advanced Flow’ installation process. This requires clicking past very blunt warnings about the danger of scams, followed by a 24-hour cooling-off period before side-loading of apps from unverified developers can be enabled, either for a week or permanently.
The issue here is not really about the distribution of the apps, but about verifiable authorship. To submit apps to the Google Play Store you need to prove your identity these days, so unless attackers steal a developer’s signing key, Google can in theory report the authors of any malicious app published on the Play Store to the authorities.
Google has expanded this identity verification option in a way similar to what Apple does for Mac developers: any developer who distributes their app via a third-party store, or via no store at all, can register, have a code signing key tied to their verified identity, and digitally sign their apps. Users will be able to side-load apps signed this way without needing to jump through any of these new hoops.
Where the new rules kick in is when apps are not digitally signed by a verified developer. Those apps can never be in the Play Store, so they must be side-loaded somehow, and for them Google is now adding a new ‘Advanced Flow’ for installation.
When a user tries to side-load an unverified app they will be presented with a warning screen about the dangers of scams and the risks of installing apps from unverified developers, with an option to continue. If they choose to continue, a 24-hour cooling-off period starts, after which they will finally be able to enable the installation of unverified apps, either permanently or for a limited time. Once they agree to that, they need to reboot, and can then install the app.
For commercial app makers this is simply not a problem, so the only people affected are:
- Cybercriminals (the intended audience)
- Small volunteer-run open-source projects (collateral damage)
- Developers who fundamentally object to sharing any identifying information with large corporations, perhaps especially American ones, and hence refuse to verify their identity (collateral damage, sort of, depending on your own views and beliefs)
Even with this change, Android remains a lot more open than iOS, with the resulting trade-offs between freedom and security. The open source community feared some kind of armageddon, and while some in that community are still cranky, this is nowhere near as catastrophic as many feared it would be.
Links to News Coverage
- Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams — thehackernews.com/…
- Android to add 24-hour cooldown when sideloading apps from unverified devs — cyberinsider.com/…
- Google adds ‘Advanced Flow’ for safe APK sideloading on Android — www.bleepingcomputer.com/…
❗ Action Alerts
- Important and noteworthy updates for Apple users: Apple pushes first Background Security Improvements update to fix WebKit flaw — www.bleepingcomputer.com/…
- In theory these should happen automatically and in the background (hence the name!), but there are at least some caveats:
- These updates are identified by a lower-case letter in parentheses appended to the version number, e.g. iOS 26.3.1 (a)
- This feature is new, so we’ve not had much first-hand experience with it yet, and there is definitely some confusion
- It should be enabled by default, but check that background security updates are configured to install automatically in the Settings app on each of your devices
- The background updates are only available on the very latest point release, but if you are even one point release behind you will not be offered two updates; instead you get a single update that contains both the latest regular point update and the background update
- Context: a nice explanation of some of the back-history behind this new type of patch — tidbits.com/…
- Apple users should be sure to patch all their devices, especially any running older OS versions, because a new attack chain affecting not-quite-current versions of iOS has been discovered in use by hostile governments — cyberinsider.com/… (named DarkSword)
- Apple officially recommends that all users patch ASAP — cyberinsider.com/…
- Note that these kinds of exploits are very difficult on iOS and need substantial resources; in this case it required chaining six different vulnerabilities together!
- The cat is now fully out of the bag, with the full source code leaked on GitHub, so the barrier to entry is gone — www.macobserver.com/…
- ⚠️ Ubiquiti router owners: Max severity Ubiquiti UniFi flaw may allow account takeover — www.bleepingcomputer.com/… (patch ASAP!)
Worthy Warnings
- ⚠️ Anime fans: Crunchyroll is investigating what appears to be a major breach that could even include at least some payment data, but there are no details yet, so if you use this very popular streaming service, monitor how this evolves — www.bleepingcomputer.com/…
Notable News
- 🇺🇸 The US is banning all future consumer routers not made in the USA (in the name of national security) — cyberinsider.com/…
- “Under the new rules, all newly developed consumer-grade routers produced outside the US are ineligible for FCC equipment authorization, effectively barring them from entering the US market. However, the restriction applies only to new models. Devices already authorized can continue to be sold and used, and consumers are not required to replace existing routers.”
- Firefox is adding a free tier to its browser-specific VPN, starting in 4 countries for now, with plans to roll out more widely later — blog.mozilla.org/…
- 🇺🇸 🇬🇧 🇫🇷 🇩🇪 US, UK, France & Germany initially
- “The VPN will offer over 50 gigabytes of data per month for free.”
- “[The VPN] only protects web traffic viewed through the Firefox browser.”
Excellent Explainers
- 🎧 We often use the abbreviations CVSS and CVE in these notes; this podcast explains what they are and where they fit in the whole vulnerability ecosystem: Compiler: Keeping Track Of Vulnerabilities With CVEs — overcast.fm/…
Interesting Insights
- Apple’s hardware design is even more secure than I realised — there is not just a Secure Enclave for protecting private keys in hardware, there are also secure exclaves for adding hardware security to parts of the display, making it possible for the MacBook Neo to have a software camera light that is close to as secure as a hardware light (and the same tech has been protecting the indicators on our iPhones for ages!) — daringfireball.net/…
- What’s New in Apple’s Platform Security Guide — tidbits.com/… (nothing earth-shattering, but an interesting read)
Palate Cleansers
- From Bart: 🎧 A touching listener-reported story about a family member who finally opted for a cochlear implant after 35 years of deafness so he could hear his grandkids sing — Twenty Thousand Hertz: He was deaf for 35 years + Listener Stories kickoff — overcast.fm/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
| 🎦 | A link to video content. |
