iMessage BlastDoor security

Over the past three years, security researchers and real-world attackers have found iMessage remote code execution (RCE) bugs and abused them to develop exploits that allowed them to take control over an iPhone just by sending a simple text, photo, or video to someone’s device.

As reported January 28, 2021 by ZDNet: “With the release of iOS 14 last fall, Apple has added a new security system to iPhones and iPads to protect users against attacks carried out via the iMessage instant messaging client.”

“Named BlastDoor, this new iOS security feature was discovered by Samuel Groß, a security researcher with Project Zero, a Google security team tasked with finding vulnerabilities in commonly-used software.”

“Groß said the new BlastDoor service is a basic sandbox, a type of security service that executes code separately from the rest of the operating system.”

“While iOS ships with multiple sandbox mechanisms, BlastDoor is a new addition that operates only at the level of the iMessage app.”

“Its role is to take incoming messages and unpack and process their content inside a secure and isolated environment, where any malicious code hidden inside a message can’t interact or harm the underlying operating system or retrieve with user data.”

Many of Apple’s privacy labels are false

I have to say this is disappointing to read. According to a Washington Post article, Apple’s big privacy product is built on a shaky foundation: the honor system. In tiny print on the detail page of each app label, Apple says, “This information has not been verified by Apple.”

Shame on the developers for lying, and double shame on Apple for not verifying.

I checked Apple’s new privacy ‘nutrition labels.’ Many were false.

You can trust Apple … right?

You go to your iPhone’s App Store to download a game. Under a new “App Privacy” label added last month, there’s a blue check mark, signaling that the app won’t share a lick of your data. It says: “Data not collected.”

Not necessarily. I downloaded a de-stressing app called the Satisfying Slime Simulator that gets the App Store’s highest-level label for privacy. It turned out to be the wrong kind of slimy, covertly sending information — including a way to track my iPhone — to Facebook, Google and other companies. Behind the scenes, apps can be data vampires, probing our phones to help target ads or sell information about us to data firms and even governments.

Google apps will stop certain tracking to avoid the iOS “Allow Tracking” prompt

With iOS 14, Apple is requiring app developers to tell users about and have them opt-in to tracking. Google today announced that “when Apple’s policy goes into effect, it will no longer use information (such as IDFA) that falls under ATT for the handful of our iOS apps that currently use it for advertising purposes. As such, we will not show the ATT prompt on those apps, in line with Apple’s guidance.”

I don’t use Google’s apps but for those of you who do this should be a welcome change.

My 2021 Essential iOS Apps

Every year towards the end of December I evaluate the apps that I’ve been using and what I will use for the next year. I find that writing this out helps me better evaluate the apps that best fit my workflows. Once I complete my evaluation, I summarize it in a post on this blog.

Another reason for this post is that visitors are always asking me which apps I use for specific tasks. To keep from repeating myself over and over, here’s the list of apps that I use.

My setup:

  • MacBook Pro early-2015 13” (soon to be replaced with a MacBook Air M1/8GB)
  • iPhone 11
  • iPad 5th Generation (which I rarely use these days)
  • Apple Watch 44 mm Series 4

Web

Safari – Safari is my browser of choice. I use Wipr with Safari to block ads, trackers, cryptocurrency miners, and other annoyances.

Communication

Fastmail – I’ve been using Fastmail for email ever since I left Gmail over 6 years ago. I also use it for calendar and contacts.

Fastmail has an iOS app that I use.

Messages – Messages is how I communicate with family and friends.

Calendar and Tasks

Fantastical 3 – Fantastical is my calendar and task app. It integrates perfectly with my Fastmail calendar appointments and events and Apple Reminders tasks.

Due – Due is where I keep all my reminders. What I love about Due is that it repeatedly notifies me of overdue reminders until I mark them complete or reschedule them.

Reading

Reeder – Reeder is what I use for my Feedly RSS feeds. Anything that I want to read I save to Instapaper for reading later.

Twitter – Twitter is for news and the feeds for apps that I use.

Writing

Drafts 5 – I’ve been using Drafts for several years. Drafts is a launching-off point for text – use the actions to copy it, share it, or deep link into other apps and services.

1Writer – I don’t write on iOS but I do some proofreading and editing and for that I use 1Writer.

Apple Notes – Notes that I want to keep long-term go in the Notes app.

Day One Journal – I keep a lifelog in Day One.

Utilities / Productivity

Bitwarden – Gotta have a password manager.

Scanner Pro – Scanner Pro is also part of my paperless workflow. I use it to scan paper documents into PDFs with OCR that look clean and professional.

TunnelBear VPN – TunnelBear is my VPN for security on public WiFi and web browsing privacy.

PCalc – PCalc is my stock calculator replacement. I use it for its additional features and customization.

Health and Fitness

Apple Fitness – I use the Workout and Fitness apps with my Apple Watch to track my daily activities.

To keep my mind occupied during workouts I listen to podcasts in Overcast.

My 2021 Essential Mac Apps

Apple doubles down on iOS App Tracking Transparency

According to Craig Federighi, the aim of ATT is “to empower our users to decide when or if they want to allow an app to track them in a way that could be shared across other companies’ apps or websites”.

With Apple requiring developers to share privacy details needed for the new privacy labels on December 8, iOS App Tracking Transparency (ATT) has made its way into the news again thanks to the hysteria of adtech, and with particular criticism coming from Facebook-owned WhatsApp.

Apple has used a speech to European lawmakers and privacy regulators to come out jabbing at what SVP Craig Federighi described as dramatic, “outlandish” and “false” claims being made by the adtech industry over a forthcoming change to iOS that will give users the ability to decline app tracking.

It’s good to see Apple standing strong on ATT to protect the privacy of its users.

If you’re interested, here’s a link to Craig Federighi’s speech.

UPDATE: iOS 14 has Zuckerberg/Facebook running scared

I’ve been working on an article about the iOS 14 privacy feature that has Facebook and other advertisers running scared. Facebook acknowledged that Apple’s upcoming iOS 14 could lead to a more than 50% drop in its Audience Network advertising business. (Doesn’t that just break your heart?)

Today, to my disappointment, Apple is holding off on introducing the default feature until early next year to allow developers more time to make the necessary changes to their apps. I guess this makes everything I’ve written all for naught. Oh, well.

By the way, did you know that you can manually limit targeted advertising and reset your identifier? If you do this an app will still be able to access your IDFA but it makes it much harder to build a profile on you. I reset my identifier once a month.

The advertising identifier on an Apple device does not identify you personally, but it can be used by advertisers to create a profile about you. If it’s never reset, that profile increases in detail, allowing advertisers to target ads to you based on your Internet activity.

iOS and iPadOS 13.6 silently opted me into Automatic OS Updates

Michael Tsai, in a blog post today, pointed out a change in the toggle for iOS and iPadOS Automatic Updates that I was unaware of. Before 13.6, there was a single toggle to turn Automatic Updates on or off. I always have it turned off.

In 13.6 there are new toggles for Customizing Automatic Updates

Juli Clover:

You can now decide whether or not your iPhone or iPad can automatically download iOS updates when connected to WiFi, and when those updates are installed. There’s a Download iOS Updates toggle for turning on automatic downloads over WiFi and an Install iOS Updates toggle for installing software updates overnight as an iPhone charges.

As I mentioned above, I always have automatic OS updates off on all my devices. I like to wait for a few days to make sure there are no issues with the update before I install it. And yes, we all know issues do happen.

Unfortunately for me, I ran into the same problem as Jeff Johnson:

PSA: If you previously had iOS and iPadOS Automatic Updates turned off you’ll want to take a minute and review your Automatic Update setting and adjust it accordingly.

Three finger swipe to undo

I had been writing an article in Ulysses for the last couple of days and was just about done with it. Last evening while lying in bed I was reviewing it on my iPhone and I noticed something that I wanted to change. So I selected the change and deleted it. Unknowingly I had somehow selected the text of the entire article and everything I had written was gone. Ah Shit!

I couldn’t figure out a way to get what I’d written back. I checked for a Ulysses backup but to my surprise, Ulysses doesn’t back up external files and folders and the article was in a Dropbox folder. Next, I tried a Google search for a Ulysses undo action and again no luck. So at this point, everything that I’d written was gone.

This morning I was listening to an episode of Accidental Tech Podcast and Casey Liss happened to mention three-finger swipe for undo. I don’t remember in what context he mentioned it but it sure got my attention. I immediately thought I wish I had known this yesterday. It would have saved my ass.

Here’s how it works. Swipe left with three fingers on the active app to undo your last actions. To redo your last action, swipe right with three fingers. This works on iOS and iPadOS.

The Sweet Setup has a good article on text formatting gestures that you can find here.

An iPad with a mouse and trackpad?

9to5Mac is reporting that sophisticated mouse cursor support is coming to iOS 14 and that new iPad Smart Keyboard models will have a trackpad.

According to code seen by 9to5Mac, Apple is set to roll out rich system-wide support for mouse cursors with iOS 14. Apple added rudimentary compatibility with external mice in iOS 13 Accessibility settings, but iOS 14 (iPadOS 14) will make it mainstream.

The iOS 14 build also referenced two new Smart Keyboard models in development.

The changes coming to the software will bring most of the cursor features you recognize from a Mac desktop experience to iOS.

I love it and I’m looking forward to it. This seems like something that could get me closer to making an iPad my main computing device.