Apple is Tracking Your Every Move, Here's All You Need to Know

 

Tech giant Apple projects itself as a privacy-focused firm, but according to the latest research, the company might be contradicting its own practices when it comes to collecting App Store data. 

According to a Twitter thread published by iOS developer and security researcher Tommy Mysk, Apple tracks customers' activity via the 'Directory Services Identifier', or DSID, which is linked to the customer’s iCloud account and can be used to collect private data like name, email address, and contacts. 

What’s more worrying is that the revelations reported in the thread state that even if customers switch off device analytics in the Settings menu, the company deploys this dsId to other apps too. 

“Apple’s analytics data include an ID called “dsId”. We were able to verify that “dsId” is the “Directory Services Identifier”, an ID that uniquely identifies an iCloud account. Meaning, Apple’s analytics can personally identify you,” Mysk tweeted. 

However, the tech giant’s Device Analytics & Privacy document says that none of the user information collected is linked to that individual, suggesting that as a user, you would appear anonymous.

“None of the collected information identifies you personally. Personal data is either not logged at all, is subject to privacy preserving techniques such as differential privacy, or is removed from any reports before they’re sent to Apple. You can review this information on your iOS device by going to Settings > Privacy & Security > Analytics & Improvements and tapping Analytics Data,” the document reads.

Even though Apple continues to prattle that it is a privacy-oriented firm that values customers’ privacy and focuses on giving them more control over what data they share with advertisers and app designers, it can still employ the DSID for its own benefit, whatever that may be. 

Earlier this month, Gizmodo reported that a lawsuit was filed against Apple, with the plaintiff stating that Apple illegally siphons user data even when the firm's own privacy settings promise not to. The lawsuit was filed based on Mysk’s research; however, the researcher was unable to analyze the data in iOS 16 due to its encryption.

A Constant Battle Between Apple and Zero-Day Security Vulnerabilities

 


Recently, there has been a noticeable increase in the number of attackers targeting Apple, especially by using zero-day exploits. One of the main reasons hackers like zero-day exploits so much is that they might just become the most valuable asset in a hacker's portfolio. As of 2022, Apple has discovered seven zero-day vulnerabilities in its products and has followed up on these discoveries with relevant updates to address these issues. Even so, it seems as though there will not be an end to this classic cat-and-mouse game anytime soon.

During 2021, more than double the number of zero-days were recorded compared to 2020. This is the highest level since tracking began in 2014, with the number of zero-days increasing every year since then, a trend demonstrated by the repository maintained by Project Zero. 

As described by the MIT Technology Review, the increase in hacking over the past few years has been attributed to the rapid proliferation of hacking tools globally and the willingness of powerful state and non-state groups to invest handsomely in discovering and infiltrating these operating systems. Threat actors actively search for vulnerabilities and then sell the information about those vulnerabilities to the highest bidder.

Apple has repeatedly been compromised by these attackers. Apple, one of the four most dominant IT companies in the world, began 2022 with two zero-day bugs in its operating systems and a WebKit flaw that could have left users' browsing data vulnerable, after recovering from 12 recorded exploits and remediations in 2021. 

The company released 23 security patches less than one month after it discovered these issues. A new flaw was also discovered that attackers could use to compromise a user's device if certain malicious websites were loaded on it, leading to an infection of the device.

Keeping this in mind, if we fast forward to August 17 of this year, we learn Apple has discovered two new vulnerabilities in its operating system: CVE-2022-32893 and CVE-2022-32894. The first vulnerability is a remote code execution (RCE) vulnerability in Apple's Safari Web browser kit, which is used by all browsers that are iOS-enabled and macOS-enabled. The second vulnerability, another RCE vulnerability, gives attackers complete access to the user's software and hardware without any limitations. 

In the past couple of weeks, two major vulnerabilities have been found that affect a wide variety of Apple devices, especially the iPhone 6 and later models, the iPad Pro, iPad Air 2 onwards, iPad 5th generation and newer models, iPad mini 4 and newer versions, iPod touch (7th generation), and macOS Monterey. The officials updated the security systems to create a protected environment against “actively exploited” vulnerabilities.

The research team at Digital Shadows prepared a report which stated that zero-day exploits sell for up to $10 million, making them the most expensive commodity in a rather wide array of cybercrime. The report further added that the market for these exploits is bound to expand and provoke more cyber threats.