by blinkingled 3868 days ago
>The data they collected was list of installed apps, serial numbers, and some sort of AppleID numeric identifier. In particular, they did not (could not) collect email addresses.

[Edited for unnecessary stuff]

Oh, the article you linked has Apple's response, which is quoted verbatim below - it references user email addresses. Specifically.

“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses..”

> Please stop confusing private methods with elevated permissions. You CAN call private methods without elevated permissions, as my code above demonstrates.

What I wrote was you are not going to be able to call an Android API via private invocation and succeed if the API requires a specific permission and your app hasn't declared it.

All of this only goes to prove that Apple's security in iOS is not extraordinary as you claim - it is fallible like every other platform, with the exception of fingerprints, which are currently believed to be secure - but that's now the case with Android as well - in M they are using ARM TrustZone with no app access.

1 comments

Maybe there's a private API on iOS that leaks the user's email addresses without the proper permissions. Maybe there's one on Android too. Neither OS has a runtime that will prevent malicious apps from exploiting such an API.

> What I wrote was you are not going to be able to call an Android API via private invocation and succeed if the API requires a specific permission and your app hasn't declared it

Just like on iOS, with the difference that it happens at call time and not installation time.

> All of this only goes to prove that Apple's security in iOS is not extraordinary as you claim

It shows the exact opposite! Notice how ridiculously weak these results are. On one of the most high-profile targets today, an app may (unconfirmed) be able to determine the user's email address and send it to a server. On a trojan app that the user deliberately installed, and then deliberately granted access to Twitter, it can post a tweet without the user's confirmation, if the user has not updated the OS. Fetch the smelling salts!

Meanwhile, millions of Android phones are part of botnets, like NotCompatible.C, at one point reaching 1.5% of mobile devices in the USA. A Chrome 0-day came out last week, allowing full control remotely of fully-patched Android phones. These aren't research papers showing theoretical attacks, this is real life.

Yes, iOS has extraordinary security, and its competition only makes it look better.

A Safari zero day was just sold to governments (Nov 2nd). But yeah continue to assert otherwise if that makes you feel better. I am sure you have some explanation for that and all the previous jailbreaks for iOS and how they show iOS security being extraordinary! Android phones with botnets? Yeah you can believe that so hard it will make it a fact soon!

/jeez why do I bother with Apple fanboys?