FilterHN

Loupe – A iOS app that raises awareness about what native apps can see

209 points

by Cider9986

19 hours ago

| past

| 13 comments

| github.com

| HN

▲

regecks

5 hours ago

[-]

Damn. The "iPhone last setup or erased on ..." is really nasty. What can a user really do about that? I feel like this should be fudged somehow by the OS.

▲

Gigachad

4 hours ago

[-]

Seems like in general the iPhone was not designed to avoid fingerprinting from installed apps. Only protection would be avoid installing apps and use the web browser when possible.

▲

camkego

1 hour ago

[-]

This. This is why everyone who wants to fingerprint and collect tons of data on end users pushes them hard on installing an app. The amount of valuable data is 10x what’s available in the browser

▲

microtonal

13 minutes ago

[-]

And it is not just the fingerprinting, it is also that a good number of people will install an ad/tracker blocker in their browser, but almost nobody knows or cares about the multiple trackers that most apps have.

To make it worse, Apple's naming undermines consciousness about this issue, since they have an option to block cross-app/site tracking (which IIRC blocks access to the advertising identifier), but called it "Allow Apps to Request to Track". A lot of people seem to hold the belief that disabling this option blocks all in-app trackers. It just blocks one way to correlate, but as this app shows, there are other ways to correlate (as well as correlating server-side using IP addresses, etc.).

On this topic, I somehow missed that Apple added a generic URL filtering API to macOS/iOS 26, which extends Safari filtering to the whole OS (well, as long as apps are using Apple's APIs). It's not perfect, but a nice addition to DNS-based blocking:

https://adguard.com/en/blog/apple-url-filter-system-wide-fil...

The author of Wipr added support to Wipr 2 as an extra in-app purchase:

https://kaylees.site/wipr2-whats-new.html#filtr

Aside from technical methods to address this, all this in-app tracking must be a violation of the GDPR, no? I can't imagine this all falls under legitimate interest.

▲

saturn8601

2 hours ago

[-]

Cut your selection of apps and find/build privacy respecting alternatives for the remainder. Im trying to do this. Music is now locally hosted, Youtube is sorta kinda coming along. I've been working on reversing some of my more basic iOS apps to extract the data/endpoints they use and write my own apps. Fable really helped with this and Opus just does not cut the mustard. I hope it comes back. :/

▲

p-e-w

4 hours ago

[-]

The intended “protection” is the ToS, which requires apps to disclose what they are tracking and whether they perform cross-premise tracking.

▲

paytonjjones

3 hours ago

[-]

Often it's not the app itself doing tracking or cross-premise tracking, but data is passed to installed third party SDKs that do.

▲

Barbing

3 hours ago

[-]

Ah, that’s funny. Too bad those privacy nutrition labels are only honor system.

They give that one completely up to businesses, then, to devs. They also thought they should let an app maker prohibit screen recording, which might promote development since it protects revenue of e.g. subtitling apps as one example. But end result is you even end up with a black screen when recording the iPhone Mirroring app from a Mac.

Apple owes us a better balance here. iCloud Private Relay for all apps (why only Safari?! and Mail and HTTP) as a start, and plugging some of the privacy holes Loupe exposes. They don’t want us abusing free trials I suppose.

▲

cute_boi

3 hours ago

[-]

These days many things don't work on browser. Even reddit is very difficult as we get constant nagging.

▲

Gigachad

2 hours ago

[-]

That’s usually a warning the service is malware that wants you to install an app for deeper tracking.

▲

potatoproduct

3 hours ago

[-]

old.reddit.com

▲

brador

1 hour ago

[-]

For now but you know they’re coming for that ass.

▲

dylan604

1 hour ago

[-]

Maybe I'm being really thick, but why is this information that the OS would make available to apps?

▲

UqWBcuFx6NV4r

28 minutes ago

[-]

Maybe it’s derived

▲

LoganDark

2 minutes ago

[-]

It's probably the app checking the last modified timestamp on some filesystem location that's only touched during setup.

Edit: It's not a last modified timestamp, it's a volume creation timestamp: https://github.com/mysk-research/loupe/blob/2262efd4456ecba8...

▲

matthewfcarlson

5 hours ago

[-]

Is the threat model tracking across multiple apps to correlate what you're doing? In that case, a single app wouldn't show you the fudging.

▲

ramses0

5 hours ago

[-]

```Based on a binomial/Poisson distribution and a baseline of 21 million U.S. device sales per release, a fingerprint relying on "seconds since setup" fails to uniquely identify individuals. In the high-density Early Adopter phase, you will share your exact setup second with an average of 1.01 other people (a total matching pool of ~2 people). Six months into the cycle, you will still share that second with an average of 0.68 other people.```

In the U.S., device setup time (to the second) very conservatively gets you clubbed into a single group of 100 individuals as an "advanced persistent threat" tracker. Even compressing activations to "80/20 during business hours" the math kindof maxes out at a pool of ~5 people, and assuming worst case "20x" of that still means you're still pretty darned identifiable.

If you get ~6-8 more bits of entropy (eg: Device Type + Capacity is easily 2-3 bits, and Time Zone is probably another 2-3 bits) you're cooked!

▲

cute_boi

3 hours ago

[-]

Just using IP address, device storage, device name, and similar signals, we can identify a user. It isn’t difficult to correlate these data points. Apps like Facebook also force developers to use their SDKs for even small features.

▲

Cider9986

35 minutes ago

[-]

For anyone without an iPhone or doesn't want to install the app you can see a demo here (same video different platforms):

https://odysee.com/@techlore:3/permission-not-required-the-o...

https://www.youtube.com/watch?v=_n_SpEWtqog

https://inv.nadeko.net/watch?v=_n_SpEWtqog

https://techlore.tv/w/d7dh4P7y4dVngNoL7u7s3B

▲

RedComet

5 hours ago

[-]

Volume creation date is pretty egregious. I don't see any reason that and Pasteboard changeCount should be so granular.

The "Installed Apps Probe" leak also surprised me. It is better than the current state of Android, though.

▲

xenator

4 hours ago

[-]

Pasteboard counter exists to help apps to not ask again about the same item in the buffer.

And nothing stops from using reset it every day.

▲

dylan604

1 hour ago

[-]

Allowing an app to access the pasteboard without the user explicitly pasting into the app is weird to me. Maybe the thing I have in the pasteboard is not for this app but left over from use in another app. Since there's no easy way to clear the pasteboard, this will happen often. Maybe it's because I'm not an app dev that this doesn't make sense to me????

▲

aalimov_

1 hour ago

[-]

iOS will ask for pasteboard permission every time an app wants to read the actual contents.

▲

Barbing

47 minutes ago

[-]

& we can set ask each time, always allow, never allow per app.

▲

Barbing

3 hours ago

[-]

Would you elaborate on both points?

Any way to reset it as an end user? (Not enough awareness of the issue for search engines to find much.)

▲

RedComet

2 hours ago

[-]

I think something like a per boot delta added to a (per app?) random base would preserve such functionality.

▲

coffeecoders

2 hours ago

[-]

This is excellent. Seeing this makes me appreciate how much visual awareness tools like this are needed.

I built something similar, for the web. https://neberej.github.io/exposedbydefault/

Github: https://github.com/neberej/exposedbydefault

▲

lencastre

35 minutes ago

[-]

/me wonders of the privacy label should actually mention that it reads everything and the kitchen sink!!!

▲

Forgeties79

12 minutes ago

[-]

This is neat and interesting, truly, but the classic “what now?” emerges. I guess the only answer is “throw out my iPhone”? Otherwise this kind of seems like a circuitous ad to make people get worried and download Psylo, which I see has in-app purchases. I’m not trying to come at you here, but it’s just hard not to feel suspicious online these days.

▲

Cider9986

4 minutes ago

[-]

The only way to prevent this right now is to avoid installing apps that are doing this.

▲

Barbing

3 hours ago

[-]

Sweet, been wanting this a while. Just mentioned last month and here it is! https://news.ycombinator.com/item?id=48187972

▲

api

4 hours ago

[-]

This is why I avoid installing apps and don’t have a lot of them.

▲

iririririr

3 hours ago

[-]

...wouldn't it be better to have a pocket computer you own?

▲

dylan604

1 hour ago

[-]

It would be even better if app devs weren't pieces of shit making apps whose sole purpose is to gather all of this data to sell to other pieces of shits while skinning their app as a game or other app to trick users into thinking it's worth installing.

Fighting devs being able to make money in this manner is not dissimilar to getting made a drug dealers. As long as users want their product, they will sell the product.

▲

downrightmike

58 minutes ago

[-]

Most people don't know and we are seeing that things get slipped in at a later date

▲

throawayonthe

40 minutes ago

[-]

if you think "desktop" operating systems aren't even worse on this, you're very mistaken

▲

normie3000

2 hours ago

[-]

Phones are quite useful.

▲

lencastre

47 minutes ago

[-]

this is fantastic, just great really, and honestly makes one stick out so easily, reminfs me a lot of that license plate xkcd

▲

socalgal2

2 hours ago

[-]

Yea, it's infuriating that most of the HN crowd thinks the apps are better then web. Apps can spy on you way more than web. It's the reason every website says "please download the app". If it was better for them to spy on you via the website they wouldn't ask you to download the app.

▲

yreg

1 hour ago

[-]

There are plenty of other (better?) reasons why developers might want to push apps.

More APIs, less friction selling stuff, business presence right on the homescreen.

▲

paulirish

7 hours ago

[-]

Would love this for MacOS as well.

▲

weikju

7 hours ago

[-]

Fortunately, if you read the README (and decide to go past the “this was mostly built by AI” part,

> Loupe also builds for macOS. The Mac version is mostly complete, but a few things still need work before it's polished.

▲

heavensteeth

5 hours ago

[-]

> and decide to go past the “this was mostly built by AI” part

I got that feeling just seeing the title use "native" as a synonym of "not a website".

▲

bethekidyouwant

7 hours ago

[-]

What “apps” do you use on a mac?

▲

VertanaNinjai

6 hours ago

[-]

Probably a ton since macOS apps are literally distributed as .app bundles.

▲

winstonwinston

6 hours ago

[-]

Though there is a difference what store apps and non-store apps can do. I think is about store apps which are “sandboxed” and have to use public api to request then access information which non-store apps can access without.

▲

internet2000

6 hours ago

[-]

Google Chrome, VS Code, among others

▲

bethekidyouwant

5 hours ago

[-]

Well “they” can technically “read” anything your user can.

▲

iancarroll

5 hours ago

[-]

Apps installed via the MAS have sandboxing applied to them, so this isn't really true.

▲

winstonwinston

5 hours ago

[-]

Yes but chrome is not from MAS. I have none MAS apps installed because they are simply not available via MAS.

▲

cute_boi

3 hours ago

[-]

Apps like TikTok can know which username we logged in with, even if we uninstall and reinstall the app. This is egregious, as many companies like Facebook have SDKs embedded in many apps, allowing them to accurately interconnect user activity.

Apple should be ashamed that they aren't putting effort to randomize these fingerprints....

▲

gene91

38 minutes ago

[-]

That’s just keychain. It’s not even fingerprinting.

▲

diebeforei485

2 hours ago

[-]

This is probably Keychain, right?

▲

ChrisMarshallNY

5 hours ago

[-]

It's likely to be trolled by the WPA folks, who will insist that WPAs are just as insecure as native apps, so there's no difference ...

But very cool.

▲

njsubedi

5 hours ago

[-]

You mean PWA?

▲

ChrisMarshallNY

5 hours ago

[-]

Yes. Got my ps and ws mixed up. I was just reading about the Mt. Rushmore project (I was curious whether or not it was a WPA project -it wasn’t, officially).