Tag: Privacy

Multiple active exploits could affect iPhone use of Bluetooth.

Flipper Zero hacker tool could be used to trigger iPhone DDoS attack using Bluetooth signals by AirPods, HomeKit accessories, etc. These signals usually trigger popup on iPhone allowing to connect to headphones or perform other actions. Crafting these signals in a specific way could result in iOS restart.

Newly discovered BLUFFS attack could be used to impersonate devices and trigger disclosure of private information. It is not yet clear, if AirDrop is affected by this attack as it uses more than just Bluetooth to authenticate the device. However, it is still possible to hijack audio or other Bluetooth connection. Fix would require device manufacturers to modify security mechanisms of Bluetooth stack.

References:

• Flipper Zero can still crash iPhones running the latest version of iOS 17
• Bluetooth security flaws allow connections to be hijacked; AirDrop unlikely to be affected [U]

Safari now suffers from new exploit allowing malicious website to render arbitrary webpage and extract information out of it.

As of now, there is a workaround requiring access to developer menu on macOS.

Paste the following command in Terminal: defaults write com.apple.Safari IncludeInternalDebugMenu 1

Open Safari and select "Debug" from the menu bar, select "WebKit Internal Features" then Scroll down and click "Swap Processes on Cross-Site Window Open"

AppleInsider

It is expected that this vulnerability will be fixed by Apple in upcoming software updates.

Disclosure: iLeakage

References:

• iLeakage attack resurrects Spectre with password and website data extraction
• iLeakage flaw could force iPhones and Macs to divulge passwords and more

Apple releases next major release of macOS – Sonoma.

macOS Sonoma brings all‑new capabilities that elevate your productivity and creativity. Discover even more ways to personalize your Mac with stunning screensavers and widgets that you can add to your desktop. Elevate your presence on video calls with a new way to present your work that keeps you a part of the presentation. Safari profiles and web apps help you organize your browsing in all-new ways. Game Mode boosts your gaming performance. Sonoma also brings big updates to Messages, Keyboard, and Accessibility. And when you upgrade, you get the latest security and privacy protections available for Mac.

Screen Savers

• Stunning screen savers of locations from around the world seamlessly become your desktop wallpaper when you log-in
• Shuffle settings for rotating through screensavers by theme including Landscape, Cityscape, Underwater, and Earth

Widgets

• Widgets can be placed anywhere on the desktop and adapt to the color of your wallpaper while working in apps
• iPhone widgets can be added to your Mac when your iPhone is nearby or on the same Wi-Fi network
• Interactive widgets let you take actions directly from the widget such as running a shortcut, pausing media, and more

Video Conferencing

• Presenter Overlay keeps you front and center while sharing your screen in FaceTime or third-party video conferencing apps (Mac with Apple silicon)
• Reactions layer 3D effects like hearts, balloons, confetti, and more around you in video calls and can be triggered with gestures (Mac with Apple silicon, Continuity Camera with iPhone 12 and later)

Safari and Passwords

• Profiles keep your browsing separate for topics like work and personal, separating your history, cookies, extensions, Tab Groups, and favorites
• Web apps let you use any website like an app, complete with an icon in the Dock for faster access and a simplified toolbar for easier browsing
• Enhanced Private Browsing locks your private browsing windows when you're not using them, blocks known trackers from loading, and removes tracking that identifies you from URLs
• Password and passkey sharing allows you to easily share accounts with trusted contacts

Messages

• Live Stickers sync from iOS and iPadOS to macOS, giving you access to the Live Stickers you create on your iPhone and iPad
• Search filters for people, keywords, and content types like photos or links help you more easily find what you are looking for
• Swipe to reply inline on any iMessage bubble

Gaming

Game Mode gives games the highest priority on the CPU and GPU, delivering more consistent frame rates and lower latency to wireless controllers and AirPods (Mac with Apple silicon)

Keyboard

• Improved autocorrect accuracy makes typing even easier by leveraging a more powerful transformer-based language model
• Inline predictive text shows single- and multi-word predictions that you can add by pressing the Space bar
• Improved Dictation experience supports using your voice and keyboard together to enter and edit text

AirPods

• Adaptive Audio delivers a new listening mode that dynamically blends Active Noise Cancellation and Transparency to tailor the noise control experience based on the conditions of your environment (AirPods Pro (2nd generation) with the latest firmware)
• Personalized Volume adjusts the volume of your media in response to your environment and listening preferences over time (AirPods Pro (2nd generation) with the latest firmware)
• Conversation Awareness lowers your media volume and enhances the voices of the people in front of the user, all while reducing background noise (AirPods Pro (2nd generation) with the latest firmware)
• Press to mute and unmute your microphone by pressing the AirPods stem or the Digital Crown on AirPods Max when on a call (AirPods (3rd generation), AirPods Pro (1st and 2nd generation), or AirPods Max with the latest firmware)
• Improved AirPods automatic switching now detects Mac up to 2X faster (AirPods (2nd and 3rd generation), AirPods Pro (1st and 2nd generation), AirPods Max with the latest firmware)

Privacy

• Sensitive Content Warnings can be enabled to help prevent users from unexpectedly viewing sensitive images in Messages
• Expanded Communication Safety protections for children now detect videos containing nudity in addition to photos shared through Messages and the system Photos picker
• Improved sharing permissions let you choose which photos to share and add calendar events without providing access to your entire photo library or calendar

Accessibility

• Live Speech lets you type what you want to say and reads it aloud in FaceTime calls or in-person conversations
• Personal Voice helps users at risk of speech loss create a voice that sounds like them in a private and secure way using on-device machine learning
• Made for iPhone compatible hearing devices can be paired and used with Mac (MacBook Pro (2021), Mac Studio (2022), and Mac computers with M2 chip)

This release also includes other features and improvements:

• One-Time verification code AutoFill from Mail helps you quickly sign into sites in Safari, without leaving the browser
• Inline PDFs and document scans in Notes are presented full-width making them easy to view
• Grocery Lists in Reminders automatically group related items into sections as you add them
• Visual Look Up for recipes helps you find similar dishes from photo
• Visual Look Up in video helps you learn about objects that appear in paused video frames
• Pets in the People album in Photos surfaces individual pets just like friends or family members
• Option to say "Siri" in addition to "Hey Siri" for a more natural way to activate Siri (Mac with Apple silicon, AirPods Pro (2nd generation))
• High performance mode in Screen Sharing supports color workflows and improves responsiveness while remotely accessing a Mac (Mac with Apple silicon)
• Item sharing in Find My allows you to share an AirTag with up to five other people
• Activity History in Home displays a recent history of events for door locks, garage doors, security systems, and contact sensors
• Battery health management updated on 13-inch MacBook Air with M2 chip to better optimize long term battery health

Some features may not be available for all regions or on all Apple devices.

macOS Sonoma also includes several important security fixes.

Apple Newsroom: macOS Sonoma is available today

Release notes: macOS Sonoma 14 Release Notes

References:

• Apple Releases macOS Sonoma With New Widget Features, Safari Updates, Screen Sharing Improvements and More
• macOS Sonoma: The MacStories Review
• macOS Sonoma Optimizes Latest 13-Inch MacBook Air's Battery Health
• Apple releases macOS Sonoma with interactive desktop widgets, Game Mode, new wallpapers, much more
• macOS 14 Sonoma
• macOS Sonoma includes these 61 security fixes
• macOS Sonoma Features You Should Check Out First
• Apple Explains How Game Mode Works in macOS Sonoma

Apple will now require developers to declare use of specific APIs with app's privacy manifest.

Starting in fall 2023, when you upload a new app or app update to App Store Connect that uses an API (including from third-party SDKs) that requires a reason, you’ll receive a notice if you haven’t provided an approved reason in your app’s privacy manifest. And starting in spring 2024, in order to upload your new app or app update to App Store Connect, you’ll be required to include an approved reason in the app’s privacy manifest which accurately reflects how your app uses the API.

Apple Developer

Apple Developer:

• List of APIs that require declared reasons now available
• Describing data use in privacy manifests
• Describing use of required reason API

Apple released an advertisement and white-paper highlighting importance of privacy for health and fitness data.

https://www.youtube.com/watch?v=4-7jSoINyq4

Apple: Health Privacy Overview (PDF)

One of the updates coming to upcoming release is availability of iCloud Advanced Data Protection for all users worldwide.

Reference: iOS 16.3 brings iCloud Advanced Data Protection feature to all users worldwide

Following recent RC Apple now releases iOS/iPadOS 16.2, macOS 13.1 Ventura, watchOS 9.2 and tvOS 16.2. Xcode 14.2 is also released.

HomePodOS received corresponding update (which is required for Home updates and Matter support).

Apple also releases security bug fixes for previous OS releases - iOS 15 and macOS 11 Big Sur and macOS 12 Monterey.

This update brings several important updates:

• iCloud Advanced Data Protection;
• Support for Rapid Security Responses;
• Freeform application;
• Apple Music Sing;
• New Apple Watch workout modes;
• Apple Home reliability improvements;
• iPadOS external display support.

Apple Newsroom: Apple launches Freeform: a powerful new app designed for creative collaboration

References:

• iOS 16.2 rolling out today with Apple Music Sing, Freeform app, much more
• Apple Releases New HomePod 16.2 Software
• Apple Releases iOS 16.2 and iPadOS 16.2 With Freeform, Apple Music Sing, Advanced Data Protection and More
• Apple Releases watchOS 9.2 With Outdoor Workout Improvements, Crash Detection Optimizations, Noise App Tweaks and More
• Apple Releases tvOS 16.2 with Apple Music Sing, TV App Tweaks and More
• iPadOS 16.2 and Stage Manager for External Displays: Work in Progress, But Worth the Wait
• Apple Releases macOS Ventura 13.1 With Freeform, Advanced Data Protection, Find My Improvements and More
• Freeform Leverages the Freedom and Flexibility of a Blank Canvas
• Apple's Advanced Data Protection feature is here - what you need to know
• iPadOS 16.2 brings these improvements for Stage Manager, plus AirTag tracking alerts
• Hands on with Apple's Freeform collaborative brainstorming app
• watchOS 9.2 now available for Apple Watch; here’s everything new
• iOS 16.2 patches over a dozen security vulnerabilities, iOS 15.7.2 also available with fixes
• Apple Music launches collection of playlists with songs perfect for ‘Sing’ karaoke feature
• iOS 16.2 and iPadOS 16.2
• macOS 13.1
• iOS 16.2 and iPadOS 16.2 Fix Over 30 Security Vulnerabilities
• Xcode 14.2 released with support for iOS 16.2, macOS Ventura 13.1
• Xcode 14.2 Release
• Apple Watch Ultra gains battery improvement with watchOS 9.2 and Multisport workouts
• New Apple Music Sing Playlists Now Available in iOS 16.2
• 9to5Mac Daily: December 13, 2022 – Everything new in iOS 16.2, macOS 13.1, and more
• iOS 16.2 Features: Everything New in iOS 16.2

In an interview to Joanna Stern, Craig Federighi confirms that Apple stopped development of previously announced CSAM detection features.

In this interview Craig Federighi discussed new privacy and security features added by Apple to iCloud and their effect on law enforcement ability to extract data from iCloud.

One of the nixed features is Photos CSAM detection which was criticized by many privacy-focused groups and organizations.

https://www.youtube.com/watch?v=M4ZOkWaDxfw

The Wall Street Journal: Apple Plans New Encryption System to Ward Off Hackers and Protect iCloud Data (Apple News+)

References:

• Apple confirms that it has stopped plans to roll out CSAM detection system
• Apple Abandons Plans to Detect Known CSAM Stored in iCloud Photos
• Apple Has Stopped Development of System to Identify Child Sexual-Abuse Material
• Joanna Stern Interviews Craig Federighi Regarding New iCloud Security Features
• Apple's Craig Federighi Discusses Expanded iCloud End-to-End Encryption

Felix Krause published a tool to review how in-app browsers are hijacking user's actions in the web. Tools follows report made by the same developer.

TikTok's browser even captures every key stroke (including passwords) and reports those back to app owner.

Tool provides report on injected JavaScript code that could intercept user's data.

Tool: InAppBrowser

References:

• In-app browsers like those in Facebook and Instagram are a big privacy risk, developer shows
• Developer creates tool that shows injected JavaScript commands through an in-app browser
• TikTok's In-App Browser Reportedly Capable of Monitoring Anything You Type

Apple made an announcement on ability to increase device safety by sacrificing some of the capabilities:

• Most of attachments in Messages are blocked;
• Certain Web technologies are disabled (JavaScript JIT compilation, for example);
• Some of Apple services (such as FaceTime) are blocked unless user explicitly communicated with the initiator previously;
• Wired connection to computer is disabled when device is locked;
• MDM and configuration profiles could not be installed.

Lockdown mode will be in active development, new restrictions and safeguards might be added soon.

Lockdown mode will be available for iOS 16, iPadOS 16 and macOS 13 Ventura.

It is expected that this mode will be used by small number of people who are potentially in risk of targeted cyberattacks, however, feature itself will be available to all users within settings later this year. As of now beta 3 is shipped with Lockdown mode settings available.

Apple Newsroom: Apple expands industry-leading commitment to protect users from highly targeted mercenary spyware

References:

• Apple Announces New Lockdown Mode on iOS 16 With 'Extreme' Level of Security
• Apple Announces Lockdown Mode to Counter Digital Threats and Details $10 Million Cybersecurity Grant
• Lockdown Mode