iOS 14 with paranoid eyes. How Apple protects the privacy of users in the new version of iOS


For the first time in a long while, a new version of iOS has been released on its own, independently of a new iPhone generation. This year's release caught many developers by surprise: they did not expect the Gold Master to arrive so quickly, with the official release following literally the next day. In this article we look at what Apple's engineers have done to protect users' privacy, as well as at what was announced in the early betas but did not make it into the final build.

Approximate Location

Let's start with perhaps the most interesting change: applications that always want to know your location can now be reined in a little without losing functionality. iOS 14 lets you grant an application access to an approximate location instead of the exact one. How approximate? At WWDC 2020 the figure given was an area of about ten square miles, which corresponds to a circle with a radius of about three kilometers.



Why is this important? The vast majority of application developers (especially of free applications) like to profile users in order to sell that information for a small sum. The profile readily includes the user's exact location if the user has agreed to grant location access (and access is usually granted even to applications such as Microsoft OneDrive, not to mention weather forecast or ticketing applications). This creates a peculiar situation: on the one hand, iOS, including previous versions, limits how often background processes can poll the location sensors; on the other hand, the user can install many applications, and most of them will embed several “spy” SDKs from the same vendors (from Facebook to companies whose names are not on the public's radar). As a result, the continuous polling of location sensors by many applications that share the same SDK yields a fairly clear and quite detailed picture of the user's movements.

In its marketing materials Apple says that this accuracy is enough for local news or weather applications. From my point of view it is more than enough: the approximate location could be coarsened even further without hurting the accuracy of the weather forecast or local news.

By the way, from the point of view of the “spy” SDKs themselves, approximate location is only a little better than a complete ban on access to geolocation data: Facebook & Co are perfectly capable of working out a user's approximate location from the IP address alone.



Restricted Access to the Media Library

With the new version of iOS, the user can restrict applications' access to the media library. Previous versions of iOS gave apps access to media files on an all-or-nothing basis; now the user can give an app access to the entire library (for example, for Dropbox or OneDrive, which must sync all photos to the cloud) or only to individual photos. Access to individual photos is useful if all you want to do is send a specific photo to a chat, create an avatar or edit a photo in a new free editor with a smattering of artificial intelligence.

The first to suffer will be the well-known enthusiasts of profiling users across the entire array of available data: the owners of applications such as Facebook, Instagram and the like. Ordinary users will benefit, gaining an extra tool for controlling possible leak channels for private photos and videos.

However, I wouldn’t get too excited about it: back at the beginning of the year, Apple introduced the practice of scanning photos that are uploaded to iCloud. To be fair, Microsoft, Google, Verizon, Twitter, Facebook and Yahoo scan photos uploaded to their clouds for compromising content in the same way.

Fixed clipboard privacy problem

The main page devoted to the new version of iOS says not a word about the clipboard privacy problem observed in previous versions of the system. As a reminder, this is the problem reported early in the year by security researchers Talal Haj Bakry and Tommy Mysk. Their study identified 53 iOS apps, including TikTok, that constantly monitor clipboard content for no apparent reason.

Another interesting point is that nearby devices (about three meters away) signed in to the same Apple ID may share a universal clipboard, even if one of these devices is a macOS computer.

The clipboard may receive data such as one-time passwords for two-factor authentication, links, addresses, search queries, and many other things that a user is not willing to share with the owners of TikTok, LinkedIn and similar apps.

Apple has not acknowledged the problem: under the iOS philosophy, a shared clipboard should be available to all apps on the system without any additional permissions. In iOS 14, however, changes have been made along the lines recommended by security experts. The system now displays a small banner whenever an application reads the clipboard contents.

So many banners popping up at the top of the screen will irritate users, but they cannot be disabled: iOS has no dedicated permission for clipboard access. The number of banners can be reduced either by the user giving up suspicious applications that constantly read the clipboard, or by application developers adopting the new API introduced in iOS 14. The new API allows an application to learn the type of text data the clipboard contains without accessing the content. In particular, applications that scan the clipboard for links to websites will be able to find out whether the clipboard contains a URL or not. Thus, the number of triggers (and, accordingly, notification banners) will gradually decrease as developers update their applications.
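The pattern described above, sketched in Swift as an added example (not code from Apple or from the original article): ask the system whether the clipboard probably holds a web link using iOS 14's UIPasteboard.detectPatterns(for:completionHandler:), and read the actual content only on an explicit user action. The ClipboardLinkChecker class and its method names are hypothetical.

```swift
import UIKit

/// Hypothetical helper for an app that offers to open a link the user copied.
final class ClipboardLinkChecker {
    private let pasteboard: UIPasteboard

    init(pasteboard: UIPasteboard = .general) {
        self.pasteboard = pasteboard
    }

    /// Asks the system whether the clipboard probably holds a web URL.
    /// The system inspects the content on the app's behalf and returns only
    /// the set of matching pattern types, never the text itself.
    func clipboardProbablyHasLink(_ completion: @escaping (Bool) -> Void) {
        // Metadata-only checks: skip detection for images, an empty clipboard, etc.
        guard pasteboard.hasStrings || pasteboard.hasURLs else {
            completion(false)
            return
        }
        pasteboard.detectPatterns(for: [.probableWebURL]) { result in
            let found: Bool
            switch result {
            case .success(let patterns):
                found = patterns.contains(.probableWebURL)
            case .failure:
                found = false // treat a detection error as "nothing to offer"
            }
            // Hop to the main queue so the caller can update UI safely.
            DispatchQueue.main.async { completion(found) }
        }
    }

    /// Reads the clipboard content. Call this only from an explicit user
    /// action (for example a "Paste link" button): this is the access that
    /// iOS 14 announces with the banner.
    func readCopiedLink() -> URL? {
        if let url = pasteboard.url { return url }
        guard let text = pasteboard.string?
                .trimmingCharacters(in: .whitespacesAndNewlines),
              let url = URL(string: text),
              let scheme = url.scheme?.lowercased(),
              scheme == "http" || scheme == "https" else {
            return nil
        }
        return url
    }
}
```

An app built this way can show its "open copied link" prompt based on clipboardProbablyHasLink alone, so the banner appears only when the user actually chooses to paste.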

The appearance of the new mechanism is understandable: it is the company’s reaction to what has already happened. Apple can only be praised here: on the one hand, there is a reaction; on the other, in its favorite manner, the company does not let users bury their heads in the sand, and it gives the tools and the motivation to fix the problem directly to those who created it, the application developers.

Microphone and Camera Indicators

Users of the iOS 14 betas noticed the indicator dots that appear at the top of the screen when the camera or microphone is in use. An orange indicator shows that the microphone is on, and a green indicator shows that the camera is on. This works for all applications except Siri, which constantly listens for its wake word.

Such an indication is quite in line with the current trend. In all relatively recent MacBook laptops, the microphone is physically disconnected when the lid is closed, and manufacturers of smart devices (for example, Google Nest Hub Max or the new Facebook Portal) build in physical switches that cut power to the camera and microphones. Unlike the pop-up clipboard access banners, the colored dots will not annoy users. The ideal solution would be a colored LED, which, unfortunately, Apple is not so fond of.

More Active Promotion of Sign in with Apple

“Sign in with Apple” is another attempt to create a unified authorization service similar to the solutions from Google, Facebook or Microsoft. Unlike those, Apple's implementation has both advantages (a unique email address is created for each site or application you sign in to, and it is simply blocked when you delete the account) and disadvantages (tight coupling to the Apple ecosystem). In iOS 14, Apple once again reminds you that “Sign in with Apple” can be used instead of a login and password, and makes that transition easier for application developers to implement. The company points to a higher level of security and privacy compared with using the same email address and the same password.

The new system also has one more pitfall. As part of its fight with Epic Games, Apple decided to block users of the company's games from signing in through “Sign in with Apple”.

However, the next day the ban was suspended.

For users it all looks pretty weird. Not only can you properly use the “Sign in with Apple” authorization service only within the Apple ecosystem (switch your phone to Android and you register all over again), but you also risk losing the ability to sign in to a site or application? I don't know, I don't know…

By the way, some competitors are doing no better. For example, Facebook is known for its extremely free treatment of user data. And to make this more convenient, the company is doing everything it can to push users under the roof of the Facebook ID. For example, all users of Oculus virtual reality headsets will have to use Facebook authorization starting in October.

Local Contact Autofill

When filling out standard fields in applications (name, address, and email), iOS 14 users will no longer have to “share” a contact. Now it is enough to enter a contact's name from the address book, and the system will automatically fill in the remaining fields. The autofill works locally, on the device itself.

Voice Input Recognition

Speech recognition for dictation with the standard keyboard is now performed locally, on the device itself. Don’t rush to rejoice: although you can dictate text in almost a dozen languages, Russian is not on the list. By the way, in iOS 13 the offline dictation mode was supported on all devices (but only for English), while the new “on-device recognition” mode, which supports several languages, requires an iPhone Xs or a newer device.

APFS-encrypted media support

The Files app, which appeared in iOS 11, has new functionality: now external drives using APFS encryption are supported on iOS devices. To access the encrypted drive, all you have to do is enter a password. The new feature will be more useful for users of iPad models equipped with a USB Type-C port.

Changes in the Safari Browser

The innovations described above apply to all applications running on the system. However, there are a few things that will affect users of Safari, the built-in iOS browser.

Privacy Report

In Safari, you can now see exactly how websites track user behavior. It’s a really interesting tool. You can view information both for a single website and for each specific tracker that tries to build your profile by tracking the pages you open. This kind of analysis was previously available only in third-party ad blockers, and even then not on every platform.

This innovation is a welcome one: it will allow users to better understand the scale of surveillance.

Checking for Insecure Passwords

Safari, like many other browsers, allows you to save and synchronize passwords for online resources. Unlike other browsers, which use separate databases to store passwords, Safari relies on the system’s secure data store, the Keychain. This is where passwords are stored. The cloud keychain (iCloud Keychain) is responsible for synchronizing passwords.

Safari’s new feature essentially replicates the analysis of passwords stored in Google accounts. In Google’s implementation, passwords are checked for strength and uniqueness. Based on the results, the system reports both specific compromised accounts and problems with passwords that are too simple or duplicated. Google even reveals the list of leaks on which the analysis is based.

Just like Google, Apple will check the user's saved passwords against lists of leaks. As far as can be understood from the description of the new function, the comparison is performed without transmitting the passwords themselves, solely by their hashes.

Personal Data in App Store

The next two iOS 14 features have been announced, but in reality they will appear later, if at all. By the end of the year a new section should appear on each application's page in the App Store, where the user can see what data protection technologies are used in the application. More precisely, the user will be able to find out what information the application collects, whether that is location data, access to contacts or the use of a unique advertising identifier. The feature is so raw that at the time of writing its interface is not even fully translated into Russian.

Developers are expected to publish their own privacy policy, including an explanation of what personal information they collect and use to track user activity in other applications and on websites. Thus, this feature differs from automatic scanning of an application for specific permission requests. Presumably, the new functionality will appear in one of the iOS 14 updates by the end of the year.

Tracking Management and Transparency in Apps

While we can say of the previous innovation that it will be implemented, there is no such clarity about the next one. This is the management of tracking performed through embedded advertising SDKs, for example the SDK from Facebook.

Apple’s history of fighting Facebook and similar trackers goes back to iOS 11 and Intelligent Tracking Prevention. This mechanism limited the lifetime of third-party cookies to 24 hours and removed all cookies for sites that the user had not opened for 30 days. A year later, Safari gained pop-up windows warning users that facebook.com is about to set a cookie when they click the Like button. With the release of iOS 13.4, third-party cookies in Safari are blocked by default, which prevents the tracking method known as login fingerprinting without interfering with sites that use the OAuth 2.0 mechanism for login. What could be worse, it would seem, and how else could Apple annoy Facebook?

It turned out that it could. But this “could” is more technical than political. This is a mechanism that was announced but not included in the final build of iOS 14 and postponed until better times. It would not only warn the user that a particular application is tracking their activity, but would also require the application's developers to ask permission in advance. The list of applications that the user has allowed to track them could be viewed and changed in Settings.

This is what the setting looks like.

And this is what a tracking request should look like.

From a technical point of view, it is probably a request for permission to access the device's unique advertising identifier (Identifier for Advertisers, or IDFA). It was assumed that in iOS 14 the user could either disable IDFA altogether or, failing that, control which applications are allowed to access this ID. However, even beyond IDFA, iOS 14 would require applications to request permission for any kind of user tracking or profiling. And while Facebook would not need to do this in its own application (it has enough other mechanisms), third-party developers using the Facebook Audience Network SDK would be fully subject to the new rules. Not only would they be forced to ask permission to track the user; many users would be surprised to learn that they are being tracked at all. And once a second dozen applications had asked for permission to track, the user might simply turn off the advertising ID.

Facebook would prefer that users not think about such things. Jason Aten of inc.com thinks Facebook’s real problem isn’t the immediate loss of revenue that may result if people refuse to be tracked. The real problem, Jason believes, is that Apple has made it clear that it intends to lift the veil on the extent to which companies like Facebook collect and monetize everything we do online. “The super-profitable business model of Facebook becomes very shaky when people start to understand what kind of information a company collects and how it monetizes that information. As a result, that’s what bothers Facebook in iOS 14 – the new version of the system gives us an idea of what exactly is going on with the user’s personal data and gives them the opportunity to refuse”.

The reaction of Facebook followed immediately:

The introduction of iOS 14 will affect the ability of advertisers to fine-tune targeting and profile campaigns on the Audience Network and all other advertising networks. As a result, you can expect to see fewer opportunities to effectively monetize the Audience Network. Ultimately, despite all our efforts, Apple’s updates can make the Audience Network so inefficient on iOS 14 that there is no point in offering it on iOS 14.

At the end of its statement, Facebook mildly rebuked Apple, pointing to the need to consult with major players before infringing on their income.

Other advertisers joined Facebook, fearing that if users are asked, they may well refuse (literally, “a high risk of user rejection”). The ad industry's argument proved compelling: Apple postponed the innovation, and now, according to official information, application tracking management will not become a requirement for software updates until early 2021.

Conclusion

As always, a noticeable share of the user protection mechanisms added to iOS are either Apple’s response to circumstances that have come to light or its own implementation of competitors’ counterparts. However, iOS 14 still brings new and interesting things in terms of privacy. It’s a pity that the most significant innovations, those limiting the ability of applications to track the user through advertising SDKs, did not make it into the official release: progress in this direction, if there is any at all, will be seen no sooner than next year.

 
