PSA: Granting iPhone camera permissions allows apps to secretly take pictures and videos without you knowing

There’s been some buzz this week about a potential privacy issue with apps that you’ve granted access to your iPhone’s camera. They can take pictures and videos without you knowing. This is a privacy loophole discovered by security researcher Felix Krause.

You can read Krause’s technical paper here. Motherboard broke the story which you can read here.

Whenever you give iPhone apps permission to access your camera, the app can surreptitiously take pictures and videos of you as long as the app is in the foreground, a security researcher warned on Wednesday.

​What this means is that even if you don’t see the camera “open” in the form of an on-screen viewfinder, an app can still take photos and videos. It is unknown how many apps currently do this, but Krause created a test app as a proof-of-concept.

Again, this is not a bug or something you should be too worried about. But it’s good to be aware of how much power you’re giving apps when you grant them access to your iPhone’s cameras.

After reading this, I went into my iPhone’s Privacy settings to see what apps I’d granted access to my camera. It turns out I’ve only granted access to 3 which are apps I trust. With this information in mind, you may want to do the same. You’ll want to remove access to apps that don’t need access to your camera or that you don’t trust.

Equifax breach caused by failure to patch two-month-old bug

Negligence! If they would have patched their server(s) the day the patch was released this would have never happened.

This is inexcusable! Heads should roll. Maybe it’s time some people go to jail for this kind of sh^t.

Dan Goodin, writing for Ars Technica 9/13/2017, 8:12 PM

We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.

The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on web servers. Five days after that, the exploits showed few signs of letting up. Equifax has said the breach on its site occurred in mid-May, more than two months after the flaw came to light and a patch was available.

Up to now, Equifax has said only that criminals exploited an unspecified application vulnerability on its US site to gain access to certain files. Now, we know that the flaw was in Apache Struts and had been fixed months before the breach occurred.

Wading Through AccuWeather’s Bullshit Response

The other day a security researcher found that AccuWeather’s iOS app sends private location data without user’s permission to a Reveal Mobile a firm that monetizes user location information.

John Gruber has further investigated the story. You can read John’s post here.

John Gruber, writing on Daring Fireball

The accusation comes from Will Strafach, a respected security researcher who discovered the “actual information” by observing network traffic. He saw the AccuWeather iOS app sending his router’s name and MAC address to Reveal Mobile. This isn’t speculation. They were caught red-handed — go ahead and read Strafach’s original report.

I use the default iOS weather app so I’m sure it’s not doing the same thing. If you’re using AccuWeather delete it now.

iOS 11 has a way to quickly disable Touch ID and require a passcode

As reported, last week, by The Verge iOS 11 has a way to quickly and discreetly disable Touch ID.

According to The Verge:

Apple is adding an easy way to quickly disable Touch ID in iOS 11. A new setting, designed to automate emergency services calls, lets iPhone users tap the power button quickly five times to call 911. This doesn’t automatically dial the emergency services by default, but it brings up the option to and also temporarily disables Touch ID until you enter a passcode. Twitter users discovered the new option in the iOS 11 public beta, and The Verge has verified it works as intended.

This is a handy feature because it allows Touch ID to be disabled in circumstances where someone might be able to force a phone to be unlocked with a fingerprint. With Touch ID disabled in this way, there is no way to physically unlock an iPhone with Touch ID without the device’s passcode.

As a side note. Last week Mashable reported that according to a Virginia judge a cop can force you to unlock your phone with Touch id but not with a passcode.

As pointed out by John Gruber:

Until iOS 11 ships, it’s worth remembering that you’ve always been able to require your iPhone’s passcode to unlock it by powering it off. A freshly powered-on iPhone always requires the passcode to unlock.

TunnelBear completes industry’s first public security audit

TunnelBear has been my VPN service of choice for just over a year. I was excited to read that TunnelBear has undergone a public security audit by Germany-based penetration testing company Cure53. This gives confidence I’ve chosen the right VPN provider and that TunnelBear isn’t scraping and selling my browsing data.

TunnelBear Blog, 07 August 2017

Consumers and experts alike have good reason to question the security claims of the VPN industry. Over the last few years, many less reputable VPN companies have abused users’ trust by selling their bandwidth, their browsing data, offering poor security or even embedding malware.

Being within the industry, it’s been hard to watch. We knew TunnelBear was doing the right things. We were diligent about security. We deeply respected our users’ privacy. While we can’t restore trust in the industry, we realized we could go further in demonstrating to our customers why they can, and should, have trust in TunnelBear.​

Today, we’d like to announce TunnelBear has completed the Consumer VPN industry’s first 3rd party, public security audit. Our auditor, Cure53, has published their findings on their website and we’re content with the results.

However, the recent crisis of trust in the VPN industry showed us we needed to break the silence and share Cure53’s findings publicly. Today we’re sharing a complete public audit which contains both the results from last year and the results from the current audit.

You can read the full report on Cure53’s website.

Tip – How to re-open recently closed tabs in Safari for Mac the easy way

Have you ever accidentally closed a tab in Safari and wanted to get it back? I have. This usually happens when I’m doing research and have several tabs open at the same time. Sometimes I close one thinking I’m done with it and then realize I need it again. Other times I close one by accident.

Safari’s ⌘ + Z to the rescue. From Safari on the Mac, I can simply hit ⌘ + Z and the last closed browser tab or window will reopen. If I hit the ⌘ + Z keystroke again I can open the next most recently closed browser tab or window. If I do it 20 times, the 20 most recently closed browser tabs and windows will reopen.

I can also do it this way. From any active Safari browser window on the Mac, click and hold on the “+” plus button in the Safari tab bar and then select the tab to reopen from the drop down list of recently closed tabs.

Did you hear? Google is going to stop scanning your Gmail for ad personalization

Google has announced in a blog post that later this year the content of free Consumer Gmail will not be used or scanned for any ad personalization.

G Suite’s Gmail is already not used as input for ads personalization, and Google has decided to follow suit later this year in our free consumer Gmail service. Consumer Gmail content will not be used or scanned for any ads personalization after this change. This decision brings Gmail ads in line with how we personalize ads for other Google products. Ads shown are based on users’ settings. Users can change those settings at any time, including disabling ads personalization. G Suite will continue to be ad free.

G Suite customers and free consumer Gmail users can remain confident that Google will keep privacy and security paramount as we continue to innovate. As ever, users can control the information they share with Google at myaccount.google.com.

This is good news for Privacy. Unfortunately Gmail users will still see ads in there Gmail.

Google now knows when its users go to the store and buy stuff

According to an article by the Washington Post, Google has now devised a new way to further violate user privacy. Google now knows when their users go to a brick and mortar store and buy stuff.

Elizabeth Dwoskin and Craig Timberg, Writing for the Washington Post May 23

Google has begun using billions of credit-card transaction records to prove that its online ads are prompting people to make purchases – even when they happen offline in brick-and-mortar stores, the company said Tuesday.

The advance allows Google to determine how many sales have been generated by digital ad campaigns, a goal that industry insiders have long described as “the holy grail” of online advertising. But the announcement also renewed long-standing privacy complaints about how the company uses personal information.

The new credit-card data enables the tech giant to connect these digital trails to real-world purchase records in a far more extensive way than was possible before. But in doing so, Google is yet again treading in territory that consumers may consider too intimate and potentially sensitive. Privacy advocates said few people understand that their purchases are being analyzed in this way and could feel uneasy, despite assurances from Google that it has taken steps to protect the personal information of its users.

What we have learned is that it’s extremely difficult to anonymize data,” he said. “If you care about your privacy, you definitely need to be concerned.”

You can read the full article here.

Related Posts:
Google’s Pixel Phone and other AI enabled devices are a privacy nightmare