uroshnor

So for a Greykey (or Cellebrite UFED) to extract data;

- the users passcode needs to be short
- if the device is A12 or later, USB restricted mode needs to be disabled previously

Basically, if you have a long passcode, these device won’t get to your data.

So it’s totally possible that the FBI can unlock one device, because it had a short passcode, and not be able to unlock another, because it does.

Peza said:

I must say I’ve noticed the little arrow appear at the top of the screen a lot these days. I was suspecting iOS sending data, glad to see it confirmed, also not glad as it makes a complete mockery of privacy and security settings in iOS, and makes Apples ‘what’s on your iPhone stays on your iPhone’ advertising campaign seem incredibly hypocritical. I’ve noticed the gps arrow on my iPhone XR and iPad Pro.

Apple has recently proved it is no different, indeed in some cases worst, then Amazon or Google or even Facebook with data collection recently. And appears to only be offering solutions once caught red handed with its hand in the cookie jar!. It really should be the polar opposite. Particularly considering all the health information the company gathers on you if you wear an Apple Watch.

Perhaps as suggested, it would be far better for Apple to be completely upfront and honest about it’s data collecting and tracking features, in plain English and not buried in cleverly worded text in a multi page end user agreement. Change it’s wording.
That way they won’t appear as the bad guys, and everyone knows where they stand. Location services are useful, just be up front with how they work.

So there's a few things in this that don't quite add up, but I'll bite.

Perhaps you could articulate how Apple is "worse" than Amazon, Google or FaceBook with respect to data collection ? That is an extraordinary claim that warrants extraordinary evidence to support it (given Amazon, Google and Facebook are 3 of the world's largest collectors of personal information, and all of them actively generate income from the personal information they collect, and two of them own two of the largest data brokerages in the world)

Second the arrows don't mean Apple has collected ANY data about location at all. Words have meaning to lets get specific - if Apple "collects" data then its sent from your device to Apple centrally, and in a form Apple can decrypt or read - ie it leaves your device in some form, and Apple itself can do something with the data. eg A lot of the "Find My" service data passes through Apple servers, but Apple can't decrypt it, as its encrypted with asymmetric keys that only exist on a users devices. So its not "collection". How "Find my" works was explained in a talk by Apple at BlackHat 2019 this year.

If a process or App running on the device does something that is requests location-related information, that does not automatically mean that Apple "collected" it. Even if data is sent to Apple, it doesn't mean Apple can read it. Saying any process triggering an arrow in the UI constitutes collection of data is wrong from both a technical and legal perspective. 

Thirdly, the way that location services work, is things like monitoring for iBeacon region entry/exit, or "awareness of what country am I in" will by definition access location information. 

Fourthly the arrow may not have anything to do with GPS, and the AppleInsider commentary is wrong in framing things that way. Apple devices use GPS, GLONASS, Baidu, Galileo and QZSS satellite systems, but they also use cell towers, Bluetooth and Wi-fi network mapping. All of that underlying location stuff has different levels of accuracy, and some of it works indoors, some of it only outdoors. Software doesn't access almost any of that directly - a developer usually has to set up a Core Location Manager instance to get called back when the device knows the location to the requested accuracy. eg Apple knowing what set of transit directions to supply in Maps, only requires a resolution to the city level - typically 10's of km, and wouldn't generally be considered a sensitive level of location, but it would totally trigger an arrow.

sflocal said:

Fortunately, Android has a far, far larger market share so these developers can simply go and mooch whatever personal data they want from Android users.  

A major reason why I use an iPhone is precisely due to Apple's privacy policies.  If those developers feel the need to base part of their business models in tracking my whereabouts - most likely without my explicit permission - then cry me a river.

That’s the thing. It doesn’t, in the markets that matter to these vendors. Android’s global share is largely propped up by its high penetration at low price points in developing countries.

in places like the US/UK/Australia iOS is often around 50% (or higher)  of installed base, due to the useful longevity of devices (even when Android sells more new devices they drop out of usage faster, and under-index in installed base).

So I get why they are worried - it will hurt them from a product standpoint.

I think Apple is doing the right thing, and not anti-competitive because it does not compete with these SW vendors.

So a few things.

This is a SERVICE from Cellbrite, not simply a matter of buying one of their forensics devices - ie you have to send them the iOS device.

They almost certainly have a boot loader exploit that allows booting to a custom SW image, that uses the device itself to brute force the passcode.

That approach is going to be rate limited by the Secure Enclave. That means that long/complex passcodes will defeat it, and its really only ~6 digits that will be impacted.

Now they can claim "any" without caveats like "only really works for standard length passcodes or shorter" or "you have to plug in our dongle within 30 minutes of the phone locking", and not technically be lying. (it really comes down to your interpretation of "any" vs "all".

MisterKit said:

I’m an Apple fan with about 10 active devices. I like the security and elegance of the Apple way, however, I think Apple is walking a tightrope here. Their 30% commission is not chump change. I don’t have numbers to quote but it is hard to imagine that the App Store is not profitable for Apple. I can imagine there are developers who would love to sell their apps on an open market. That’s pretty much how our system works.

I don’t know how this will play out. It could be that Apple would have to offer an option to run your iPhone “in the wild” and enjoy the benefits as well as the pitfalls. It’s not a pretty picture.

If I were a betting person I would not be putting my money on Apple in this case.

This already exists in 2 forms. There are several pirate App Stores that host Apps signed with Enterprise Developer Program certificates.

Malware is rampant on these, with many of them being pirated App Store Apps with malware added, and re-signed and the enterprise certs are either stolen, or being used outside the programs terms & conditions.

The other one is stores like Cydia that rely on devices being jailbroken. Cydia has arguably been the more ethical of the two options, with much less piracy , and as a consequence is not that financially viable for 5the store owners.

The situation on Android is similar - malware & IP theft & piracy on non Google Play stores is rampant.