Starting May 1, 2024, Apple requires developers to declare reasons if their apps use APIs that can potentially be misused to collect unique device signals. These unique signals enable abusers to derive a device identifier or fingerprint and track user activities across apps from different developers. Such APIs are referred to as required reason APIs. To prevent misuse of these APIs, Apple will reject apps that don’t describe their use of the APIs in their privacy manifest file. However, we found out that apps such as Google Chrome, Instagram, Spotify, and Threads don’t adhere to their declared reasons.
Safari Flaw Can Expose iPhone Users in the EU to Tracking
Apple has introduced a new URI scheme in iOS 17.4 to allow EU users to download and install alternative marketplace apps from websites. Once an authorized browser invokes the special URI scheme marketplace-kit, it hands off the installation request to a MarketplaceKit process that starts communicating with the marketplace back-end servers to finally install the app. As part of the installation flow, the MarketplaceKit process sends a unique client_id identifier to the marketplace back-end. Both Safari and the MarketplaceKit process allow any website to make a call to the marketplace-kit URI scheme of a particular marketplace. As a result, multiple websites can trigger the MarketplaceKit process to send the same unique identifier client_id to the same marketplace back-end. This way a malicious marketplace can track users across different websites.
Can a Tesla Stop Phishing and Social Engineering Attacks?
With Tesla’s current design, if an attacker has the email and password of a victim’s Tesla account, they can drive away with the victim’s Tesla, even if two-factor authentication is enabled. Tesla’s Product Security team has investigated this issue and determined that this is the intended behavior.
iPhone Apps Can Tell Many Things About You Through the Accelerometer
Nearly every modern smartphone is equipped with an accelerometer, which, as the name implies, is a sensor that measures acceleration. It’s most commonly used for detecting the device’s orientation. It also has many other uses, whether as a game controller in racing games, as a pedometer for counting daily steps, or to detect falls as seen in the Apple Watch. There has also been some research into novel accelerometer applications: estimating heart rate, breathing rate, or even acting as a rudimentary audio recorder using just the accelerometer. Currently, iOS allows any installed app to access accelerometer data without explicit permission from the user. Curious apps might be able to learn a lot about users through the accelerometer, without their knowledge or permission.
Exploring Tinder’s New Block Contacts Feature
Block Contacts is a new feature in Tinder that lets users avoid certain people on the app, even if they hadn’t matched. Using this feature, a user can share with Tinder the contact information of whoever they would like to block. Tinder will then use this information to prevent blocked contacts from seeing each other on the app. We verified that the app only shares the contact info of the blocked contacts, and not the entire contact list. However, users should be aware that Tinder collects the full name, email addresses, and phone numbers of every blocked contact.
Facebook and Instagram No Longer Generate Link Previews… Only In Europe
Facebook has recently stopped generating link previews in Messenger and Instagram for users in Europe to comply with Europe’s ePrivacy Directive. In our previous post we showed that Facebook’s servers were downloading data from any link sent through Messenger or Instagram, even gigabytes in size. The change is further evidence that Facebook is using this data for purposes beyond generating link previews, as this change only applies in Europe which has some of the most robust privacy laws.
Link Previews: How a Simple Feature Can Have Privacy and Security Risks
Link previews in chat apps can cause serious privacy problems if not done properly. We found several cases of apps with vulnerabilities such as: leaking IP addresses, exposing links sent in end-to-end encrypted chats, and unnecessarily downloading gigabytes of data quietly in the background.
We think link previews are a good case study of how a simple feature can have privacy and security risks. We’ll go over some of the bugs we found while investigating how this feature is implemented in the most popular chat apps on iOS and Android.
TikTok Vulnerability Enables Hackers to Show Users Fake Videos
The TikTok app uses insecure HTTP to download media content. Like all social media apps with a large userbase, TikTok relies on Content Delivery Networks (CDNs) to distribute their massive data geographically. TikTok’s CDN chooses to transfer videos and other media data over HTTP. While this improves the performance of data transfer, it puts user privacy at risk. HTTP traffic can be easily tracked, and even altered by malicious actors. This article explains how an attacker can switch videos published by TikTok users with different ones, including those from verified accounts.
Popular iPhone and iPad Apps Snooping on the Pasteboard
This article provides an investigation of some popular apps that frequently access the pasteboard without user consent. These apps range from popular games and social networking apps, to news apps of major news organizations. We found that many apps quietly read any text found in the pasteboard every time the app is opened. Text left in the pasteboard could be as simple as a shopping list, or could be something more sensitive: passwords, account numbers, etc.
Precise Location Information Leaking Through System Pasteboard
iOS and iPadOS apps have unrestricted access to the systemwide general pasteboard. A user may unwittingly expose their precise location to apps by simply copying a photo taken by the built-in Camera app to the general pasteboard. Through the GPS coordinates contained in the embedded image properties, any app used by the user after copying such a photo to the pasteboard can read the location information stored in the image properties, and accurately infer a user’s precise location. This can happen completely transparently and without user consent.