SecureMac, Inc.

Checklist 251: Problems, Revisited

October 14, 2021

iOS updates and research attribution, no E2EE Safari bookmarks after all, and stalkerware company mSpy gets caught!

Checklist 251: Problems, Revisited

On this week’s show, we’ll cover:

Credit where credit is due?

Apple has updated iOS and iPadOS to iOS 15.0.2 and iPadOS 15.0.2, respectively. The security notes on Apple’s site say that the updates address a flaw in “IOMobileFrameBuffer” (a kernel extension that lets developers control the screen display). Apple reports that there was a memory corruption issue which they fixed with improved memory handling.

So how serious was the vulnerability? Pretty serious, it seems, at least according to Apple’s description of the impact. Cupertino says that the bug could have allowed a malicious app to “execute arbitrary code with kernel privileges”. They also note that they’ve received reports of active exploitation, which we typically take to mean “at least one bad actor is actually out there doing this”.

One problematic aspect of this update: Apple credits the vulnerability discovery to “an anonymous researcher”. Slight issue: the researcher wasn’t anonymous. As discussed back on Checklist 249: The Problem with Apple Security, the security researcher was Denis Tokarev, who goes by the handle “illusionofchaos”. Tokarev, as you may remember, disclosed several vulnerabilities ahead of Apple’s patches after he says the company ignored his emails and failed to fix the issues in a timely fashion. Now it seems that Apple has forgotten to credit him for his work (something which has already happened to him once before). The handling of Tokarev’s vulnerability reports appears to confirm what other security researchers have said about Apple’s security bounty program: there is some definite room for improvement!

E2EE bookmarks, we hardly knew ye…

On last week’s Checklist, we told you about an upcoming privacy feature that we thought was pretty cool: end-to-end encryption for Safari bookmarks.

Sadly, it seems that it wasn’t meant to be. Apple Insider reports that “less than two weeks after apparently introducing end-to-end encryption for bookmarks in Safari, Apple has dropped the additional protection”.

The Insider piece notes that E2EE for bookmarks was never officially announced. It simply showed up on Apple’s iCloud Security Overview page, which is what prompted media reports on the feature. In other words, it’s unclear whether Apple has decided to shift course, or whether the original “announcement” was just an error.

Stalkerware company mSpy gets caught

A report from TechCrunch says that several stalkerware companies have been caught circumventing Google’s ban on ads that promote intimate partner surveillance.

You may remember one of the companies, mSpy, from Checklist 48: All About Spyware and Checklist 244: Stalkerware and Kids’ Safety. In those episodes, we introduced you to mSpy, detailed the app’s problematic history of data leaks, and shared our concerns over its misleading advertising.

As the TechCrunch piece makes clear, things were pretty much as bad feared:

Several stalkerware apps used a variety of techniques to successfully evade Google’s ban on advertising apps for partner surveillance and were able to get Google ads approved. In one case, mSpy, a spyware app that had a major security lapse in 2018, ran Google ads that linked to an interstitial web page on an entirely separate domain from mSpy’s website, which tripped up Google from detecting that the app was also being marketed to spy on “your kids, husband or wife, grandma or grandpa.”

While it’s good that Google has pulled the ads, TechCrunch notes that the advertisers are only getting a 3-month suspension barring them from placing new ads. Not exactly a slap on the wrist, but perhaps not enough to deter future bad behavior either.

Do you have questions about security and privacy? Send us an email and ask! We may answer your question on an upcoming episode of The Checklist.

Get the latest security news and deals