39 comments

[ 3.4 ms ] story [ 69.3 ms ] thread
Would love this for MacOS as well.
Damn. The "iPhone last setup or erased on ..." is really nasty. What can a user really do about that? I feel like this should be fudged somehow by the OS.
It's likely to be trolled by the WPA folks, who will insist that WPAs are just as insecure as native apps, so there's no difference ...

But very cool.

Volume creation date is pretty egregious. I don't see any reason that and Pasteboard changeCount should be so granular.

The "Installed Apps Probe" leak also surprised me. It is better than the current state of Android, though.

This is why I avoid installing apps and don’t have a lot of them.
Apps like TikTok can know which username we logged in with, even if we uninstall and reinstall the app. This is egregious, as many companies like Facebook have SDKs embedded in many apps, allowing them to accurately interconnect user activity.

Apple should be ashamed that they aren't putting effort to randomize these fingerprints....

Yea, it's infuriating that most of the HN crowd thinks the apps are better then web. Apps can spy on you way more than web. It's the reason every website says "please download the app". If it was better for them to spy on you via the website they wouldn't ask you to download the app.
this is fantastic, just great really, and honestly makes one stick out so easily, reminfs me a lot of that license plate xkcd
/me wonders of the privacy label should actually mention that it reads everything and the kitchen sink!!!
This is neat and interesting, truly, but the classic “what now?” emerges. I guess the only answer is “throw out my iPhone”? Otherwise this kind of seems like a circuitous ad to make people get worried and download Psylo, which I see has in-app purchases. I’m not trying to come at you here, but it’s just hard not to feel suspicious online these days.
Why does a random app (with no special permissions given to it) get access to so much info, and why doesn't Apple tell users this (important) info? Why can't Apple make a long list of check boxes so users can dis/allow on a per-category and per-app basis?

E.g. I had no idea a random app you install (and give no permissions to) instantly has a list of every app installed on the device (e.g. can infer whether you're dating [or cheating!] from presence of tinder/bumble/hinge). That alone seems instantly monetizable by unscrupulous actors via 'is-my-partner-cheating' as a service: charge $10 to give a probable answer.

I'm in that camp of has a dating app installed but have no partner so the is-my-partner-cheating admittedly doesn't resonate with me. I've had to do some of this fingerprinting myself before for non-data-selling reasons so a lot of the system-level statistics didn't quite impress me [1], but that one was a gut-punch when I saw it pop up. It makes me wonder what apps out there have leveraged that as a signal for ads or other behavior modifications to exploit my search for a partner -- without at least having to spend a few pennies querying a data broker!

It makes sense that there's some discovery mechanism - since Google loves to use it to prefer Chrome, GMail, etc when you're in one of their apps. I wish that there were more restrictions though where you only get implicit permission to query from apps that have the same developer ID. Maybe a mutual allowlist that has to be formed, or some sort of privileged intent where you at least have to tell Apple what's going on and that gives them some contractual right to sanction you if you're using it for nefarious purposes instead.

[1] excluding the clipboard copy count, that was novel!

Privacy is a real issue! Does the iOS allow an ext dev app to read its system info? If yes, does it easily comply?
I don't understand why internet access isn't opt-in for apps. Preventing exfiltration would prevent much of this harm, and most apps don't have any need to access the internet in the first place. Why am I creating a GE account to read my blood pressure? At least I know it's taking advantage of me. But this is clearly abusive behavior
> most apps don't have any need to access the internet in the first place

Citation needed.

Looking through my phone the vast majority of third party apps I have installed obviously require internet access:

- Social media

- Travel (rideshare/airlines/hotels)

- Streaming

- Finance (credit cards/banks)

- Shopping

Not counting built-in apps like the calculator I'd estimate 80-90% of the apps I have installed require internet access.

iPhones sold in China have that in settings, you can block both WLAN(Wi-Fi) and Cellular data per app. Why that turned out to be a nightmare is a different story
>most apps don't have any need to access the internet in the first place.

It would severely depend on how you categorize "most apps" because I would say I pretty much only use apps that need the Internet, barring Calculator, Camera, and a PDF reader (only because I prefer how it zooms books vs browser. Everything else implicitly needs the Internet as that app is just a better UI to using their mobile web site, if they even offer one.

It is opt-in on iOS for Applications. Applications have to declare upfront what sites they will communicate with.

It is called app transport security. if you don't set it up your app boots in a sandbox with no network.

Settings -> Privacy Security -> App Privacy Report

Unfortunately 1 - as a _user_ you cannot opt-in or out. I wish Apple would take the next step and let us select which sites an app is not allowed to communicate with. Or ideally even globally for all apps.

Unfortunately 2 - the list of sites the app wants to communicate with is not clearly communicated upfront like before you install.

Unfortunately 3 - the list can also contain wildcard domains

Small steps - they really need to push this to the next phase IMO.

(comment deleted)
One correction to some comments here: an iOS app cannot list all apps that are installed. You can only check for specific apps/schemes (LSApplicationQueriesSchemes) by specifying apps you are looking to query for installation status or open. You cannot provide a large list of unrelated applications since Apple rejects that during app review.

Apple added these restrictions because installed app lists can be used for fingerprinting and privacy invasive profiling.

Is something similar already available for Android phones?
Today I have simply given up trying not to share my personal information. What I do instead is simply blocking all ads and don’t use apps/websites that can’t be used without ad blocking. They may have many personal details like my favorite ice cream flavor but I get zero ads so I don’t care that much (I would prefer no one having this information but I’m pragmatic in such terrible society).
I must say, I like the Mysk team, and wish them well; AI or not.

It seems a bit quixotic, but anything that goes against $_BIGCORP is tilting at windmills, anyway.

Of course, the one narrative I almost never hear, no matter who it is, is "Simply don't collect any extra data."

It's that simple. If you don't have the data, your app could be Swiss cheese, and no one can get anything dangerous.

But, in today's tech world, data is money, so every app and Web site out there, goes to any length, to hoover up as much data as possible.

I regularly get prompted to join "teams," and "leaderboards," or do "challenges," on my solitaire games.

Yeah what's worse...

I have a LG modern TV. Smart shit. I also use a Linux install on a NUC. HDMI.

For some godsdamned reason, the TV was able to initiate an IP bridge with the Linux NUC and get an IP address on my network.

Nobody typed it in the TV. And I'm unsure how it did so itself.

What I do know is that Mikrotik allows DHCP-server blocks of wildcard MAC addresses. Blocked the whole fucking 24 bits of their allocation.

AND if it does get back online, I also shitcanned its routing on the IP side based on hostname.

This would be quite the scandal if you can substantiate/document it.

People always say, "jUsT dO nOt CoNnEcT your TV to you WiFi" which is asinine.

People say that theoretically TVs can get an internet connection through HDMI, but apparently none are actually doing so.

The only solution I suggest is physically removing WiFi cards from the guts before turning on.

HDMI ethernet channel is a thing, though semi-obsolete. It's unusual for a PC graphics card to support it. Intel website suggests they don't support it: https://www.intel.com/content/www/us/en/support/articles/000...

Why is not connecting your TV to wifi asinine? Generally works fine but I suppose there are rumors that some TVs scan for open networks and connect to them automatically.

> The only solution I suggest is physically removing WiFi cards from the guts before turning on.

It's going to be very unusual to find a TV using removable PC components like wifi cards. Another option is to connect it to your network but block it from the internet

Because it doesn't prevent anyone else from connecting your TV to any other WiFi (and apparently that actually happened to someone according to their comment in another HN thread).