Apple does not care :D

Hey folks, I found this video about how Apple spies on any app you open on your macOS. Sure, it’s not iPhone, but it’s the same company, so if they can do it on desktops I’m sure they can on iPhones too! So for people who say iPhone is better than Android, I really don’t agree: Android has more apps, and FOSS ones. If you search on Android for PGP apps you will find a lot, but if you search on the iPhone store you will just find one, and it’s not even FOSS or even free!

The vid: https://invidious.snopyta.org/watch?v=aS2lJNQn3NA

But what if I don’t use a custom ROM?

We say this, too. There is a simple reason for this: Long-term security updates.

For most Android devices, you only get security updates for one, two, or three years. Some manufacturers only update Android itself while never updating the firmware of the other chips in your smartphone, leaving them vulnerable. If you buy very cheap Android smartphones, you may get a vulnerable smartphone from day one without ever receiving security updates. Unfortunately, even the once-praised Android One program didn’t change this.

There are basically four options:

  1. You buy a new smartphone every other year to get continuous security support → good for smartphone manufacturers; bad for the environment and for your account balance.
  2. You buy a Google Pixel smartphone that directly gets updates from Google → good for Google; likely not the best option for someone who wants to avoid Google.
  3. You use an older Google Pixel with GrapheneOS → limits you to specific devices and supports Google.
  4. You try to find a custom ROM for your smartphone that likely doesn’t update anything aside from Android itself, leaving other chips in your smartphone vulnerable → some custom ROMs may become unsupported overnight; others originate from unknown sources.

By contrast, Apple still updates six- or seven-year-old iPhones, including the underlying firmware.

3 Likes

I agree here. I just purchased the recent iPhone SE because I dislike the rate of security and feature updates my LineageOS maintainers provide me, not to mention the frozen firmware status of my LineageOS. The manufacturer simply won’t release one once I have Lineage, and I am not about to do multiple reflashes every firmware update. It is simply too bothersome.

But to OP, I do agree as well. Apple is one huge pile of manure.

Linux phones can’t come sooner.

EDIT: Technically, the Apple business model is overpricing and gouging customers with their devices, not harvesting data and metadata for analytics. Apple does this too, but not primarily to sell to advertisers. I would like to buy a Fairphone, but it is not available in my country. If it breaks, I may not be able to source parts.

2 Likes

At least you have literally a whole app store of FOSS apps, unlike iPhone. So a little change (using ProtonMail instead of Gmail) is a good move.

Welp, I talk about the privacy point and you talk about the security point. And to be honest, just because they are secure doesn’t mean they don’t STILL collect my data. And it’s about points of view: for me, I would select privacy, and maybe you select security, so yes!
Also, if I’m right, I heard that Apple is going to roll out a cert system so that you cannot run any apps on your macOS without a blessing from Apple’s certs, which means FOSS apps on macOS are fucked! So is that the security you talk about?

1 Like

I heard about Calyx and GrapheneOS (not sure, but I heard good stuff about them). Maybe you try it?

More apps doesn’t mean the situation is better. Having 100 times more apps in the app store (just a random factor here) isn’t better if most of these apps are either useless or duplicates/clones of others.

If your smartphone contains dozens of critical security vulnerabilities that can be exploited remotely, you may not have any privacy left.

As written before: These ROMs limit you to Google Pixel smartphones.

It is, because if that app does not work or you hate it, you can just delete it and use “its clone”.

Well, the point where you already got your custom ROMs makes me think you are aware enough of critical security vulnerabilities, and if you lock yourself to just apps from F-Droid and Aurora (in some cases), you are fine and ready to go :)

I did not know that, but thanks for pointing it out.

1 Like

After watching the video on YouTube (because the linked video doesn’t load for us):

The content is at least misleading.

The trustd service has been there since macOS 10.12 Sierra. Its purpose is to check if digital certificates are still valid or revoked. Apps for macOS are digitally signed; hence they have a digital certificate (the same is true for Android apps). For this, Apple uses the Online Certificate Status Protocol (OCSP).

OCSP is an entirely legitimate protocol that you find on the “normal” internet. Firefox supports it, for example. When you go to a website that supports OCSP, your Firefox might ask the defined OCSP server if the server certificate is still valid. The problem: What happens if Firefox tries to check the validity, but the OCSP server isn’t available for unknown reasons?

For this, web servers may support OCSP stapling. OCSP stapling preloads a signed response from the OCSP server to the web server. Now, Firefox gets the signed answer directly from the web server. There is no connection between Firefox and the OCSP server. However, it can still fail if the web server doesn’t get the signed OCSP message in advance. In this case, Firefox either shows a warning message or ignores it (depending on your configuration).

In the case of Apple, macOS (the client) asks the OCSP servers of Apple. When Apple launched Big Sur, some technical issues occurred so that the client couldn’t get the OCSP response from the server.

macOS doesn’t send a hash to Apple. It sends encoded information about the digital certificate that should be checked by the OCSP server. Apple already knows the digital certificate.


Edit (2020-11-16):
For the record:

  • Apple reacted by announcing encryption for the OCSP checks and a possibility to opt out of these checks in 2021.
  • Unfortunately, many tech websites (and obviously YouTubers) shared the original story of “macOS sending application hashes on each app start to Apple,” which is still inaccurate and doesn’t cover what actually happens.
  • Some tech blogs explain the technical background of the OCSP checks.

In summary, the story again highlights the importance of checking the message that you include in a blog post, especially when you claim to be a “hacker” and “know what OCSP is.” The confused end user might now block OCSP traffic to a single Apple subdomain without knowing what they do.

Besides, contacting Apple in the first place would have been a more responsible approach instead of posting for fame. (And yes, we wrote about related problems before: https://infosec-handbook.eu/blog/discussion-security-blogs/)

2 Likes
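To make the last point concrete (the request identifies a certificate, not the app), here is an added stand-alone example that is not code from the original post, from Apple or from any OCSP library: it builds an RFC 6960 CertID from SHA-1 digests of the issuer’s name and public key plus the certificate serial number, wraps it in an unsigned OCSPRequest, and decodes it again. The issuer name and key bytes are constructed sample data, not a real certificate.

```python
import hashlib

OID_SHA1 = bytes.fromhex("2b0e03021a")  # 1.3.14.3.2.26 (id-sha1), DER value bytes

def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def cert_id(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bytes:
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }."""
    alg = der(0x30, der(0x06, OID_SHA1) + der(0x05, b""))          # sha1 with NULL params
    name_hash = der(0x04, hashlib.sha1(issuer_name_der).digest())  # digest of the issuer DN
    key_hash = der(0x04, hashlib.sha1(issuer_key_bits).digest())   # digest of issuer key bits
    # INTEGER: minimal big-endian bytes, 0x00 pad when the high bit is set (serial >= 0).
    sn = der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    return der(0x30, alg + name_hash + key_hash + sn)  # nothing about the app binary itself

def ocsp_request(cert_ids) -> bytes:
    """Unsigned v1 OCSPRequest { tbsRequest { requestList SEQUENCE OF Request { reqCert } } }."""
    return der(0x30, der(0x30, der(0x30, b"".join(der(0x30, c) for c in cert_ids))))

def tlv(buf: bytes, pos: int = 0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low bits give the number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_request(req: bytes):
    """Return [(issuer_name_hash_hex, issuer_key_hash_hex, serial)]; assumes the layout that
    ocsp_request emits (no version or requestorName fields in tbsRequest)."""
    _, items, _ = tlv(tlv(tlv(req)[1])[1])  # OCSPRequest -> tbsRequest -> requestList body
    out, pos = [], 0
    while pos < len(items):
        _, request, pos = tlv(items, pos)   # Request; its body is the CertID TLV
        _, cid, _ = tlv(request)
        _, _alg, p = tlv(cid)               # hashAlgorithm, not needed here
        _, nh, p = tlv(cid, p)
        _, kh, p = tlv(cid, p)
        _, sn, _ = tlv(cid, p)
        out.append((nh.hex(), kh.hex(), int.from_bytes(sn, "big")))
    return out

# Constructed sample issuer (not a real Apple CA): a Name with one CN RDN, and a stand-in
# for the issuer's subjectPublicKey BIT STRING content (leading 0x00 = unused bits).
ISSUER_NAME_DER = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"Example CA"))))
ISSUER_KEY_BITS = b"\x00" + bytes(range(64))
```

Inspecting `ocsp_request([...]).hex()` shows that the issuer’s name appears only as a digest and the app’s own bytes do not appear at all; a responder that already holds the issuer certificate can match the digests, which is the point made above.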

Well, as I’m not sure yet (until I search more about it) if your words are right, then it’s kinda acceptable, but if it was wrong, that means we are fucked.

Edit: hmm, https://youtu.be/gUzDbWADbfs?t=295

PeerTube link

1 Like

I’m not sure if you can share timestamps within the video link on PeerTube like on YT, but thanks :D!

You can share timestamps; I just forgot to do that. EDIT: added timestamps

1 Like

Here you mean Canary mail, right?

I mean, try searching “PGP” on iPhone and searching “PGP” on Google Play or F-Droid.

The first result on iPhone is ProtonMail (but oh, we want the PGP client), and maybe the second result is PGP Everywhere.
On Android (I did not search, but I think there are some PGP clients on F-Droid or even on Google Play) all are FOSS; on the other hand, PGP Everywhere is not. So that’s what I mean!

1 Like

I trust Apple as much as I trust Google/Android. Which is not much.

I know I read somewhere that Apple monitors the screen to look for child abuse material. I am not saying that that’s a bad thing, child abuse is terrible, but if they can do it looking for that, who’s to say what else they can or can not also monitor and log your screen for. They probably do it on OSX as well.

There is a bill going through the US Congress that is trying to use child/sex abuse to erode digital privacy by giving them the power to hold companies liable for the content if they “don’t do enough” to prevent it. Which could very easily turn into “You aren’t doing enough if you use encryption, or at least don’t have a back door built in.”

> The Senate judiciary committee voted on Thursday to advance the Earn It Act, legislation that on paper is intended to address sexual exploitation. However, privacy experts say the act would give the Department of Justice unprecedented power over the internet and potentially threaten the privacy of messages sent online.

Source: https://www.theguardian.com/technology/2020/jul/02/earn-it-act-online-privacy-surveillance

Once again, I DO NOT support child abuse, endangerment, or sex trafficking. I’m just mentioning it to point out one of the ways “they” try to pull the wool over our eyes. If Android doesn’t already do the same, it would surprise me if they didn’t have it in the works already.

EDIT: I tried finding the “iPhone screen scanning” article to post the URL, but all I found in my (brief) search were references to checking email and iCloud accounts for the material. My memory may be wrong, so if somebody here read the article I think I did, please let me know.

1 Like

Just our opinion:

We neither say Apple (or any other company) is good or bad. However, one always needs to hear both sides and, more importantly, focus on the facts.

In the case of the original story in this thread, some YouTuber just repeated a misleading story by some blogger who calls himself a "hacker."¹ Of course, the misleading story (Apple uses unique application hashes to track you) perfectly matched the mindset of Apple’s opponents. We saw some tech news websites that also repeated the story without checking what actually happens. It needed several counter statements until the tech news websites revised their original reports.

What is the problem? Some people just reshare stories that fit their mindset without checking the facts. It is all about appealing to the emotions instead of dealing with the boring facts. If you debunk their myths, people block you and call you “fanboys.” If you publish some unfavorable facts about products/services these people promote, people block you and call you “haters.”

Again: One always needs to hear both sides and, more importantly, focus on the facts.


¹ Even worse: This individual complained about news websites that checked and reported the facts instead of reporting the original misleading story to get on the anti-Apple bandwagon.

1 Like

All use the child thing to allow spying. Ugh! I hate those people, like the ones who kept saying “vote no on number one” on the right to repair because the man who repairs your car will get your real-time location and kill you or whatever. I hate those arguments because you know it’s wrong but you can’t just prove it’s wrong, like spying on bad people to stop terrorists.

> Again: One always needs to hear both sides and, more importantly, focus on the facts.

Yes, the one side that Apple is secure, right? I don’t want it, I want it to be private (at least that’s my point of view), because no matter how secure it is, your data would be leaked anyway by Apple or its partners or the unencrypted channel that Apple used to check certs, but at least if it’s private it would be your data and everything open source, so you see what happens!


Also, if you talk about me, I just shared: https://youtu.be/gUzDbWADbfs?t=295 which kinda does not support my words at first (because they said we are still not sure, but it’s likely not happening), so yeah, I think only time will tell us the truth…

1 Like