In the latest issue of Mac Format magazine, Adam Banks writes a guide on how to stay safe online. This is a PDF version, and the guide is on page 66.
Using a Mac makes you safer than average when going online. That’s partly because of Apple’s efforts to secure the operating system; partly because the Mac App Store gives you somewhere to get most of your third-party software safely. It’s also partly because bad actors – in the security industry sense, not the Hollyoaks sense – tend to be less interested in targeting macOS. But that doesn’t mean either you or your Mac can’t get fooled. Know your way around the common risks and basic protections to keep yourself out of harm’s way.
This is part of Andrew’s News+ series, where he shares a magazine every Friday to help people discover good content in Apple News+.
AdGuard is a content blocker for iOS that lets people block trackers and ads in Safari. Its AdGuard Pro app eventually got pulled from the App Store because of new VPN rules. AdGuard 3 brings some of those Pro features to the regular app, and some of them are locked behind a premium subscription. But Pro users can get a free 6-month license key. AdGuard 3 fixes a key issue with Safari. Safari’s maximum limit for content blockers is 50,000 rules. AdGuard now works around this by combining five blocks into one, each separately enabled in Settings and each with 50,000 rules. It also supports DNS-over-TLS and DNS-over-HTTPS. You can read more in the blog post. App Store: Free (Offers In-App Purchases)
Owen Williams writes how Apple wants to “kill advertising” with its newest privacy feature in iOS 13 called Sign In with Apple.
Apple is likely to win consumers over, who think these things sound evil and strange, but without these practices [of using customers’ email addresses] many of our favorite businesses and services simply couldn’t exist or practically reach customers.
I disagree. Apple is trying to kill tracking, not advertising. In Safari, Apple is adding a feature called Privacy Preserving Ad Click Attribution to reduce targeted ads, which only accounts for a small 4% in revenue anyway.
Apple is deprecating SHA-1, an old cryptographic hash function, in iOS 13 and macOS Catalina. This is good news since we now have the more secure SHA-2 and SHA-3.
A study called “SensorID: Sensor Calibration Fingerprinting for Smartphones” examined sensor fingerprinting techniques against smartphones. It found that Micro Electro Mechanical Systems (MEMS) are inaccurate in small ways that make them unique. But Apple thwarted this technique in iOS 12.2 by following the researchers’ suggestions: adding random noise to the analog-to-digital converter output and removing default access to motion sensors in Safari.
We demonstrate that our approach is very likely to produce globally unique fingerprints for iOS devices, with an estimated 67 bits of entropy in the fingerprint for iPhone 6S devices. In addition, we find that the accelerometer of Google Pixel 2 and Pixel 3 devices can also be fingerprinted by our approach.
Charlotte Henry and Andrew Orr join host Kelly Guimont to discuss ad blocking in Safari and the latest report of plaintext password storage.
Google will launch tools limiting the use of tracking cookies on Chrome; however, it would not be as wide-ranging a restriction as on Safari.
Intelligent Tracking Prevention 2.2 is an update that changes the duration of certain cookies created under certain conditions.
In the future, I hope Apple puts restrictions on the kind of app tracking developers use. We already have Safari’s Intelligent Tracking Prevention. I’d like to see that for the App Store.
SDKs present a solution to Apple’s pesky tracking restriction for advertisers. They can connect who you are between apps, provided the developer of each app uses the same SDK and the advertiser is able to use signals to figure out who you are. If we look at the top 200 apps on the iOS App Store, it’s interesting to see how broad the reach of most SDKs actually is.
Andrew Orr and Charlotte Henry join host Kelly Guimont to discuss the latest in Safari security, and a proposed UK law addressing online harm.
Click tracking, a.k.a. hyperlink auditing, is an HTML standard that can be used to track clicks on web sites. Previous versions of Safari used to let you disable this, but Safari 12.1 changes that.
Despite several months’ notice from me, Apple shipped Safari 12.1 last week to the public with no way to disable hyperlink auditing. I hope to raise awareness about this issue, with the ultimate goal of getting hyperlink auditing disabled by default in Safari. Apple claims that Safari is supposed to protect your privacy and prevent cross-site tracking, but hyperlink auditing is a wide open door to cross-site tracking that still exists.
Zubair Khan put together a list of popular web browsers and tested them to figure out which was the most private and secure.
To decide which browser is the best for privacy and security, we will evaluate them using two criteria: Available security features [and] embedded Privacy Tools. Each browser will be rated out of five and will be ranked accordingly.
The browsers he tested: Chrome, Internet Explorer (Not Edge?), Safari, Firefox, Chromium, Opera, and Tor browser.
If you’ve updated to iOS 12.2 and/or macOS 14.4, you’ve probably seen a ‘Not Secure’ message in the Safari address bar. OSXDaily explains.
By seeing the ‘Not Secure’ Safari message on an iPhone, iPad, or Mac you are simply being informed by Safari that the website or webpage being visited is using HTTP rather than HTTPS, or perhaps that HTTPS is misconfigured at some technical level.
Ironically, as the article points out, OSXDaily is itself not secure.
If a website uses HTTPS, Safari will display a green padlock next to the domain in the address bar. But in some cases it could still be insecure.
In analysis of the web’s top 10,000 HTTPS sites—as ranked by Amazon-owned analytics company Alexa—the researchers found that 5.5 percent had potentially exploitable TLS vulnerabilities. These flaws were caused by a combination of issues in how sites implemented TLS encryption schemes and failures to patch known bugs (of which there are many) in TLS and its predecessor Secure Sockets Layer. But the worst thing about these flaws is they are subtle enough that the green padlock will still appear.
Apple plans to remove the Do Not Track setting from iOS and macOS because it doesn’t actually do anything. Websites only have to voluntarily obey it, which means that the majority don’t. But a stronger DNT could be coming.
In January 2017 the European Commission announced an initiative to update the ePrivacy Regulation, a proposal that would revisit a 15-year-old directive dealing with privacy protections and how users consent to being tracked by cookies.
Progressive web apps differ from native apps in that they are web-based, offer local storage, and give you push notifications. They also sidestep the App Store, which is famously family friendly. But you can now get a YouPorn web app for your iPhone. Just go to www.youporn.com/app, tap the share button, and tap Add to Home Screen.
Once installed, users will be able to launch the app right from their smartphone or tablet home screen and enjoy all YouPorn’s unique features including industry-leading content filtering tools and “For You Weekly” (NSFW) custom-tailored playlists, with native-app speed and a full-screen experience.
A flaw in macOS Mojave can expose your Safari browsing history. Developer Jeff Johnson discovered this on February 8.
Dave Hamilton and Andrew Orr discuss iOS apps recording your screen and bid farewell to Safari’s Do Not Track option, with host Kelly Guimont.
In the next update of iOS and macOS Apple will remove the Do Not Track option from Safari. This is okay.
Removed support for the expired Do Not Track standard to prevent potential use as a fingerprinting variable.
Before I see a headline from Forbes titled “iOS 12.2 Has a Nasty Surprise” let me say that removing Do Not Track is good. It never did anything anyway because obeying it was completely voluntary. Which of course means that every website ignored it. And now it can be used to fingerprint your browser. Good riddance.