SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 155: iOS 13 Feature Focus

Posted on September 19, 2019

On this week’s Checklist, we’ll take a look at a disturbing story about period tracking apps that may interest iOS users, talk about the security and privacy implications of Apple’s new video game subscription service, and update you on Facebook’s latest attempts to gather user location data. This week’s Checklist is all about iOS 13:

  • Cycle Tracker in iOS 13
  • Apple Arcade: a safer way to game
  • Facebook: the relentless pursuit of location

Cycle Tracker in iOS 13

iOS 13 is here—and for women concerned about their privacy, that’s a very good thing.

Last week, a story broke which described how many popular period tracking apps were sharing the personal health data of millions of women with (who else) Facebook.

This data included things like monthly timings, mood and symptoms, and even details regarding women’s contraceptive use and sex lives.

So how did this happen?

It turns out that the culprit was Facebook’s software development kit, or SDK, which is used by app developers to build iOS and Android apps. The Facebook SDK enables basic functionality for things like logins and photo uploads, but it also lets developers collect and share information. In this case, the information being shared was sensitive health data.

The apps in question responded to the disclosure by removing the Facebook SDK from their apps immediately, and Facebook issued a public statement reiterating its default position: It’s up to app developers to abide by Facebook’s stated terms prohibiting the sharing of personal information.

Of course, the question on everyone’s mind is whether or not this sharing of personal data was intentional or accidental. While it’s impossible to say for certain, the issue warrants a closer look.

First of all, it’s entirely possible that the apps were accidentally sharing data with Facebook—but that the data was still being transmitted and then stored on Facebook’s servers. That might sound counterintuitive—after all, how can something be stored by Facebook if it’s being sent by an app accidentally? How would there be any place to receive it on Facebook’s end?

But the thing to bear in mind is that the NoSQL databases used by web 2.0 companies are very good at storing unstructured data—for example, user data that was never intended to be shared.

So it’s possible, from a technical point of view, for the developers of a period tracker app to have unwittingly started sharing user data, and for Facebook to have stored such information in its vast data centers—but for nothing to have ever happened with that data.

The other possibility, of course, is that Facebook was using all of that data to build marketing profiles of the women in question. Considering that the company’s raison d’être is to sell ads, it’s not exactly inconceivable. 

All of which brings us back to iOS 13 and its native period tracking app, Cycle Tracker

Apple seems to be making digital privacy into one of its core offerings, if things like Sign in with Apple are any indication. As such, their new period tracking app will come as welcome news to women who want to take care of their health, but who are wary of other apps oversharing their information with third parties.

Apple Arcade: a safer way to game

Also out this week is Apple Arcade, a new video game subscription service from Apple. For $4.99 a month, subscribers will have access to dozens of games and unlimited cross-platform gameplay.

Sounds fun—but there’s a serious upside in terms of privacy and security as well.

That’s because Apple will have complete control over which games get into Arcade—and already has some seriously stringent standards in place that game developers will have to adhere to. 

For one thing, there won’t be any of the sort of surveillance tracking or even in-game advertising—things which pose such a threat to privacy on other platforms. In addition to this, there are no in-app purchases allowed on the service. All of this means that the mechanisms for violating users’ privacy—and the incentives for game developers to do so—just aren’t there in Apple Arcade.

Beyond that, the exclusivity of Arcade means it’s extremely unlikely that subscribers will have to deal with the issue of counterfeit games that Google Play users have seen. But why is this a security issue? Because illegitimate clones of popular games aren’t always about making a quick buck off the hard work of another game developer—they can also be malware delivery vectors. With Apple Arcade, this shouldn’t be an issue.

There’s also the simple fact that all of this is taking place in the Apple ecosystem, which means a safer experience in terms of protecting login and email data, safeguarding payment information, and curbing predatory behavior aimed at young users. Smaller gaming services just can’t offer the same level of security.

Apple Arcade offers a one-month free trial, after which the normal monthly subscription price kicks in. You can read more about the service on Apple’s site. 

Facebook: The relentless pursuit of location

Finally, we take a look back at last week’s Checklist and follow up on a privacy story about Facebook (yes, another one).

As you’ll remember, Facebook went on the defensive after it came out that iOS 13 would be providing users with pop-up notifications about apps trying to access their location data in the background. It was immediately clear that iOS users would soon be hearing a lot more about the Facebook app and what it was up to, and so the social media giant released a public statement.

Facebook’s stance was that they needed location data because they were just plain “better with location”, and that they were only trying to offer users a better, and safer, app experience. Make of that what you will, but toward the end of their statement—after reassuring users that they were, of course, in complete control of their own data—there was an interesting caveat: “We may still understand your location using things like check-ins, events and information about your internet connection.”

Turns out there’s a little more to the story than that.

Early adopters of iOS 13 have been reporting notifications about Facebook wanting to use Bluetooth data as well.

And as security researcher Sam Nato noted, this sets the alarm bells ringing precisely because Bluetooth data can be used by apps to track your location.

That’s because Bluetooth technology is meant to set up connections between devices, and as such, one part of its basic functionality is to automatically detect other nearby devices. So if your phone has given Facebook permission to access its Bluetooth data, and it comes within range of someone else’s device that is sharing both Bluetooth and location data with Facebook, then that person’s device could detect your device via Bluetooth and then report the connection back to Facebook…along with its own location. With those data points together, even if Facebook didn’t have access your location data per se, it could still infer your location based on your device’s Bluetooth connection to another device whose location they did have access to.

So what would they do with this information? Well, say, for example, that you’re in a car dealership. If Facebook infers your location there, they may deduce that you’re in the market for a new car—and you may suddenly find yourself seeing more Toyota ads in your feed.

Clever, yes, but a little bit diabolical as well. We’re put in mind of something Steve Jobs said about privacy years ago:

“Privacy means people know what they’re signing up for, in plain English and repeatedly. I believe people are smart and some people want to share more data than other people do. Ask them. Ask them every time. Make them tell you to stop asking them if they get tired of your asking them. Let them know precisely what you’re going to do with their data.”

It seems that iOS 13 is living up to Jobs’ vision, as it introduces a number of privacy and security enhancements—and not a moment too soon, it would seem.

Do you have a security or privacy question about iOS 13 (or anything else)? Drop us a line at checklist@securemac.com. We’re always happy to answer emails either privately or as a segment on a future Checklist.

Join our mailing list for the latest security news and deals