Siri privacy and a major years-long iOS weakness exposed

Sept 10 hardware event confirmed, iOS 13.1 hits developer channels

“This store is very ‘Miami’ to me – its special trees, the light and the new roof. It is also quintessentially Apple, marrying the outdoor lifestyle with a sense of freedom and creativity that is intrinsic to the way we work.” - Jony Ive on Apple’s new Aventura store


Improving Siri’s privacy - Apple

This week Apple announced a series of changes to Siri that directly address the furore created by an exposé in The Guardian in late July. In quick summary: contractors working for Apple were reviewing recordings created when Siri was activated, often with confidential details being heard. But interestingly, the whistleblower also said that the transmitted recordings “are accompanied by user data showing location, contact details, and app data.”

So, this week Apple announced three major changes and summarised them in a blog post and a more detailed FAQ.

First, Apple will no longer by default keep audio recordings. But it will, by default, keep transcripts. Secondly, users can opt in to help Siri by transmitting audio recordings, and can choose to opt out at any time. And thirdly, when opted in, only Apple employees will have access to recordings and they will delete recordings that have been created by inadvertent triggers.

So it’s not possible to opt out of transcripts being created, and it’s still not clear how much data about location, device and app is being transmitted to Apple.

‘Monitoring implants’ have been inserted into iPhones for years - Google

Google’s ‘Project Zero’ has posted a “very deep dive” into a series of exploits that they found in the wild. The exploits allowed thousands of iPhones a week to be hacked, and were only patched by Apple in February (the same time as the well-publicised FaceTime bug).

At the time Apple wrote that the impact was that “An application may be able to gain elevated privileges”, but in reality users were compromised by simply visiting a website with no interaction required. This impacted even the most up-to-date devices.

Once an implant was installed on the device, the user’s location could have been uploaded; their device’s keychain, containing all their passwords, was uploaded, as were their chat histories on popular apps including WhatsApp, Telegram and iMessage, their address book, and their Gmail database.

Once the device restarted, the implant was removed, until the user inadvertently visited that same website again.

So far, no official word from Apple—apart from the original security notes.

Apple pushes out iOS 13.1 to developers—before 13.0 even goes live

Twitter was dumbfounded, but based on the narrative leading up to this it seemed obvious that Apple would at some point be forced to make a decision about what would be in, and what would be out, of the first release of iOS 13. The primary driver, if hordes of developers are to be believed, is that the overall quality of iOS and iPadOS 13 was concerningly poor for this point in the beta cycle.

So what’s popped (back) up in iOS 13.1? Shortcuts Animations are back, as is Share ETA, and HEVC has seen some improvements to encoding alpha channels. 9to5 has a good rundown.

It’s fair to assume at this point that WWDC was an occasion for Apple to show us the entire iOS 13 roadmap, not just the .0 release.

There’s more…

On Twitter: @neilcybart outlines the official trailers for Apple TV+ shows, including the latest trailer for show ‘Dickinson’