Toot

Written by Mysk🇨🇦🇩🇪 on 2024-11-22 at 15:12

This is an example of what the App Store app shares with #Apple when you search for an app. Everything you type in the search field is recorded as an event and associated with your Apple ID before it is sent to Apple. When I search for "Google Authenticator," events are recorded as I type character by character. The leap between rows 78 and 79 is when I picked a suggestion. The timestamp of every event is recorded, i.e. Apple can calculate my typing speed 🙃.

#Privacy #infosec #privacymatters

Descendants

Written by Mysk🇨🇦🇩🇪 on 2024-11-22 at 15:14

Data is sent to Apple in near real-time (the difference between the Event Time and the Post Time).

There is no way you can opt out of sending such app Analytics to Apple or request it be anonymous. Visit https://privacy.apple.com and request a copy of your data to learn what identifiable data Apple collects about you. ✌️

#Apple #Privacy #infosec #privacymatters

Written by David on 2024-11-22 at 15:17

@mysk Collecting data a user inputs into a form and never sends is evil, period. There is no excuse for it.

Written by JJTech on 2024-11-22 at 16:09

@freeagent @mysk I mean... "no excuse" is a little harsh, after all, this is a search box. Every modern search with autocomplete does this.

Written by JJTech on 2024-11-22 at 16:12

@freeagent @mysk for example, DuckDuckGo

Written by Mysk🇨🇦🇩🇪 on 2024-11-22 at 16:15

@jjtech @freeagent

Apple Maps does the same, but it never associates the requests with the user's ID when sending the search requests, and never records them as app analytics. I answered here:

https://mastodon.social/@mysk/113527490874201110

Written by Mysk🇨🇦🇩🇪 on 2024-11-22 at 16:13

@jjtech @freeagent Oh no, this is not the autocomplete requests you're looking at. This is the app analytics endpoint. The search query is sent to another endpoint. As you see in the screenshot, the "Post Time" of all the shown requests is the same because they were sent as a batch to the analytics endpoint.

Written by Gianmarco Gargiulo :tux: :kde: on 2024-11-23 at 18:06

@mysk @jjtech @freeagent can you show that the requests are going to an analytics endpoint?

Written by Mysk🇨🇦🇩🇪 on 2024-11-23 at 18:18

@gianmarcogg03 @jjtech @freeagent We showed this some time ago, but the data in the screenshot is obtained from Apple when you request a copy of your data.

This video shows the requests:

https://youtu.be/8JxvH80Rrcw?feature=shared

Written by Ilias 🤓 on 2024-11-22 at 23:01

@mysk but but Apple is privacy right??

Written by CyberFrog on 2024-11-23 at 13:44

@mysk@mastodon.social the worst part is that this isn't even surprising, it's standard practice, pretty much every app you download on your iPhone is also independently doing this for almost every search box you type into... most analytics SDKs have explicit examples doing exactly this, and Apple doesn't particularly care to do anything about this because it rocks the boat too much lol

Most websites record search inputs this way in their analytics too

Written by Mysk🇨🇦🇩🇪 on 2024-11-23 at 14:48

@froge This is true, but none of the other apps or platforms has erected big billboards saying "iPhone, that's privacy." Moreover, if the user isn't happy about an app's practices, they can use an alternative. For the App Store, there's no alternative.

Written by CaveDave on 2024-11-23 at 16:04

@mysk makes me wonder what legal loopholes they're using to not get fucked over for false advertising tbh

Written by noëlle :blobbee_flag_nb: on 2024-11-25 at 13:25

@mysk that's to say, it has search suggestions?

Written by Corb_The_Lesser on 2024-11-26 at 09:21

@mysk The internet, of course, isn't magic. Info in a search query must be sent to Apple before it can respond. But... the query can be sent when the user taps a send icon, not character-by-character, and Apple could throw away the info as soon as a response was sent.

Written by Mysk🇨🇦🇩🇪 on 2024-11-26 at 11:08

@Corb_The_Lesser

https://mastodon.social/@mysk/113527490874201110

Written by Mare Polaris on 2024-11-26 at 21:51

@mysk it is called auto complete. Nothing to see here, next

Written by Mysk🇨🇦🇩🇪 on 2024-11-26 at 22:02

@ph00lt0 https://mastodon.social/@mysk/113527490874201110

Written by Vysogota on 2024-11-27 at 19:35

@mysk not to mention they can make a model that guesses what you type from the timing between keystrokes... And I thought that vuln in openssh was overblown...// @Tanuki
