Hacker News new | ask | show | jobs
by raw_anon_1111 199 days ago
> They can "fingerprint" devices more easily. They have access to all kinds of subsystems, like Bluetooth, NFC, gestures (at low level), etc. Many require the user to give permission, but the first thing the app does, is ask for permission

Bluetooth

https://developer.mozilla.org/en-US/docs/Web/API/Web_Bluetoo...

Accelerometer

https://developer.mozilla.org/en-US/docs/Web/API/Acceleromet...

So it’s a great conspiracy that apps have permission to do things after you explicitly give it permission?

No one is claiming that the app review process helps protect your privacy. The challenge is find something a native app can do surreptitiously to track you more than a website without you giving it permission bypassing OS safeguards.

And on iOS an app can’t access your NFC chip without you giving it permission.
1 comments
ChrisMarshallNY 199 days ago
Not just the NFC chip. Almost every I/O system requires explicit permission.

That’s where a “social engineering” approach can be helpful. The permission request can be quite bland, to a non-technical person.

And yes, a native app with the program counter can definitely do stuff a Web site can’t. Run machine code, for instance.

We would hope the app sandbox is good enough to catch it.

link
raw_anon_1111 199 days ago
Which permission is bland on iOS?

“Running machine code” is not a security vulnerability. If your browser isn’t secure all sorts of exploits can happen from a web browser. That’s how a lot of the early iOS jailbreaks worked.

link
ChrisMarshallNY 199 days ago
I think we’re probably not getting anywhere here.

No problem, but we can each do our own thing.

If you are in the US, have a great Thanksgiving holiday. I sincerely hope it’s a warm, loving event.

link
raw_anon_1111 199 days ago
It was a very simple request - show an example?

Everyone commenting here is being hand wavy

link
ChrisMarshallNY 199 days ago
I stated an example. It was not enough.

I used to write machine code, but I don’t, anymore. I am quite aware of how powerful it is, so I have to assume that the very smart people at Apple -who deal with current-day machine code- have a handle on dealing with it.

I guarantee that hackers do.

link
raw_anon_1111 199 days ago
You didn’t state one example where it bypassed the sandbox. All apps on iOS are compiled to assembly. If writing in assembly magically bypasses a well designed OS’s security model, we are in trouble
link