Ancestors

Toot

Written by Mysk🇨🇦🇩🇪 on 2025-01-22 at 21:41

The Passwords app now categorizes the network requests to download the icons as "websites visited in app" and this way the number of requests sent isn't included in the main count in the #privacy report.

This new categorization makes the requests less visible to privacy-conscious users, as the app won't show spikes of 130+ requests as we demonstrated before in iOS 18 and iOS 18.2. However, the app is clearly making those requests directly, as shown in the network traffic.

#privacy #Apple #iOS

(4 media attachments)

=> More information about this toot | More toots from mysk@mastodon.social
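The post above says the icon fetches are visible as direct requests in the network traffic. The following is an added example, not code from the original thread or from Apple, showing how a defender can count icon requests in a proxy capture and flag the ones sent over plain HTTP. The log format, hostnames and the set of icon paths are constructed assumptions for the example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample of intercepting-proxy log lines (not real captured
# traffic): timestamp, method, full URL, HTTP status. Hostnames are
# placeholders under the reserved .example TLD.
SAMPLE_LOG = """\
2025-01-22T21:40:03Z GET http://bank.example/favicon.ico 200
2025-01-22T21:40:03Z GET https://shop.example/favicon.ico 200
2025-01-22T21:40:04Z GET http://mail.example/apple-touch-icon.png 404
2025-01-22T21:40:04Z GET https://api.example/v1/sync 200
2025-01-22T21:40:05Z GET http://bank.example/favicon.ico 304
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Assumed set of well-known icon paths a client fetches to render site icons.
ICON_PATHS = (
    "/favicon.ico",
    "/apple-touch-icon.png",
    "/apple-touch-icon-precomposed.png",
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = urlparse(m["url"])
    return {
        "ts": m["ts"],
        "method": m["method"],
        "scheme": u.scheme.lower(),
        "host": u.hostname,
        "path": u.path,
        "status": int(m["status"]),
    }


def is_icon_request(rec):
    """True when the request path is one of the assumed icon locations."""
    return rec["path"].lower() in ICON_PATHS


def summarize_icon_requests(log_text):
    """Count icon fetches, split them by scheme, and list hosts reached over plain HTTP."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    icons = [r for r in records if is_icon_request(r)]
    return {
        "total_requests": len(records),
        "icon_requests": len(icons),
        "icon_by_scheme": dict(Counter(r["scheme"] for r in icons)),
        # Hosts whose icons were requested without TLS: these fetches reveal
        # which sites the user has credentials for to anyone on the path.
        "plaintext_hosts": sorted({r["host"] for r in icons if r["scheme"] == "http"}),
    }


if __name__ == "__main__":
    summary = summarize_icon_requests(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The point of splitting by scheme is that an icon request, even over HTTPS, still discloses the destination host to the network via DNS and SNI, while a plaintext one also exposes the full request and lets the response be tampered with; the summary makes both counts visible regardless of how an app's own privacy report categorizes them.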

Descendants

Written by Mysk🇨🇦🇩🇪 on 2025-01-22 at 21:41

We realized this behavior first on a device running #iOS 18.3. Surprisingly, devices running iOS 18.1.1 and 18.2.1 also showed the new behavior.

iOS still doesn't provide an option to disable downloading the icons, which is the best way to tackle this issue.

#Apple

=> More information about this toot | More toots from mysk@mastodon.social

Written by Entropy on 2025-01-22 at 23:40

@mysk Every password manager I have ever used has had the option to disable remote loading of favicons. Is there some security implication to having the option enabled?

=> More information about this toot | More toots from ententropy@mastodon.social

Written by Mysk🇨🇦🇩🇪 on 2025-01-22 at 23:56

@ententropy This depends on how the app does it:

https://youtu.be/1vr2e6YeNuc?feature=shared

=> More information about this toot | More toots from mysk@mastodon.social

Written by Entropy on 2025-01-23 at 00:12

@mysk Thank you for the response. It is pretty insane that a password manager by one of the biggest tech companies got shipped without HTTPS for any kind of connections to the internet. Hasn't Apple mandated 3rd party apps on their App Store use HTTPS-only for some time now?

=> More information about this toot | More toots from ententropy@mastodon.social

Written by Mysk🇨🇦🇩🇪 on 2025-01-23 at 07:38

@ententropy Yes, but I think you can still declare domains that the app can communicate with over HTTP in the project's manifest.

=> More information about this toot | More toots from mysk@mastodon.social
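The reply above refers to the per-domain declarations a third-party app can put in its Info.plist to be allowed plain HTTP despite App Transport Security. The following is an added example, not code from the thread or from Apple, that audits such declarations: it embeds two constructed Info.plist fragments (one with an insecure-HTTP exception for a placeholder domain, one with ATS left at its HTTPS-only defaults) and reports every ATS weakening it finds. The bundle identifiers and the domain icons.example are constructed placeholders; the ATS keys themselves are the documented ones.

```python
import plistlib

# Constructed Info.plist fragment (not from any real app): an App Transport
# Security exception that permits plain HTTP to one domain and its subdomains.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>example.passwords.weak</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>icons.example</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed hardened counterpart: no NSAppTransportSecurity dictionary at
# all, so ATS defaults apply and every connection must use TLS.
STRICT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>example.passwords.strict</string>
</dict>
</plist>
"""

# Global ATS switches that widen what the app may reach without TLS.
GLOBAL_FLAGS = (
    "NSAllowsArbitraryLoads",
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsLocalNetworking",
)


def ats_findings(plist_bytes):
    """Return a list of human-readable findings describing each ATS weakening."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    for flag in GLOBAL_FLAGS:
        if ats.get(flag):
            findings.append(f"{flag}=true")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        scope = f"{domain} and subdomains" if rules.get("NSIncludesSubdomains") else domain
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{scope}: NSExceptionAllowsInsecureHTTPLoads=true (plain HTTP permitted)")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{scope}: NSExceptionRequiresForwardSecrecy=false")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{scope}: NSExceptionMinimumTLSVersion={tls}")
    return findings


def is_https_only(plist_bytes):
    """True when the plist contains no ATS weakening at all."""
    return not ats_findings(plist_bytes)


if __name__ == "__main__":
    for name, data in (("weak", WEAK_PLIST), ("strict", STRICT_PLIST)):
        print(f"{name}: {ats_findings(data) or 'no ATS exceptions'}")
```

Running the audit over a real app's Info.plist is the same call with the file's bytes; the useful reading is that an empty findings list means ATS is doing its job, while any per-domain entry names exactly which hosts the app is allowed to contact in the clear.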

Written by Abimelech B. 🐧🇩🇪| wörk ™️ on 2025-01-23 at 09:48

@ententropy @mysk

Let's be a #nerd and use #pass from https://www.passwordstore.org/ (the standard unix password manager) on a #selfhosted #git instance (or on #github #gitlab #codeberg …) - one and only connection is to the git repo!

#privacy #datenschutz #PasswordManager

=> More information about this toot | More toots from abimelechbeutelbilch@fulda.social
