Highly inaccurate marketing for iOS

GrapheneOS

@treenutz68 The forum UI shows we changed the title and that we edited the post. We marked it as such in the post now too.

DeletedUser87

DeletedUser26 Apple has done a lot of work hardening the Messages app over the years.

Excuse me? You mean adding Memoji, stickers, location sharing, Digital Touch, message effects, Apple Pay Cash, contact info sharing, contact posters, 3rd party apps, iMessage for Business and all the other crap is hardening?! iMessage is bordering WeChat with unnecessary bloat that can and will be exploited.

DeletedUser26

DeletedUser87 Was referring to Blastdoor. They have a page about it and Google Project Zero did a blog post about it. BTW Signal has equivalents for a lot of those features. I don’t think that makes it an insecure app.

DeletedUser87

DeletedUser26 "A lot of these features", really? Memoji - nope. Stickers - (just an image, can't place it on messages, no custom stickers either), location sharing - yes, Digital Touch - nope, message effects - nope, Apple Pay Cash - yes (although nobody I know uses that - I have Molly and it's not even in the app), contact info sharing - yes, contact posters - nope, 3rd party apps - nope, iMessage for Business - nope, check in - nope, shared with you - nope. I don't know what version of Signal you are using, but I don't have "a lot" of these features, especially not the fancy ones that are the petri dish for potential bugs.

DeletedUser26

DeletedUser87 I should have said “some” I suppose. Main point is they have been hardening it. I don’t know what’s to even disagree with, it’s just factually true. Read their documentation:

https://support.apple.com/guide/security/blastdoor-for-messages-and-ids-secd3c881cee/web

DeletedUser87

DeletedUser26 that's marketing nonsense. It was introduced in iOS 14 and the exploits I mentioned all occured after that. So that "BlastDoor" is useless. That's not hardening, it's damage control. Apple admitted that iTunes was bloated and split it up, they need to do the same with iMessage to achieve any improvement.

DeletedUser26

DeletedUser87 It’s not hardening? Sorry they should’ve removed Memoji, that would’ve stopped Pegasus in their tracks lol

DeletedUser87

DeletedUser26 it would've stopped Pegasus to not loop GIFs like they did. Probably can exploit Memoji in a similar way.

DeletedUser26

DeletedUser87 https://googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14.html?m=1

Back in 2021 Google Project Zero analyzed the hardening that Apple had done in the Messages app. It’s an interesting read and in the end they congratulate Apple on the work they’ve done:

Overall, these changes are probably very close to the best that could’ve been done given the need for backwards compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole. It’s great to see Apple putting aside the resources for these kinds of large refactorings to improve end users’ security.

And that was all the way back in 2021. I’d love to see an updated post by the Project Zero team to see what other work has been done. If you think this work is truly useless then you’re disagreeing with security researchers on this. Sandboxing and hardening work can never fully eliminate exploits, but it’s important not to hyper focus on counting exploits and more on the architectural improvements they are making.

Furthermore, these changes also highlight the value of offensive security work: not just single bugs were fixed, but instead structural improvements were made based on insights gained from exploit development work.

Chromium gets exploits, but it’s the most secure major browser by a country mile. You’re right that all the features they have are potential attack surface, I personally use a lot of them and I know many others do as well so I’d prefer to keep them. I’d prefer Apple focused more on this type of low level sandboxing and other improvements than removing features that I use.

[deleted]

DeletedUser26

DeletedUser26 ou can absolutely opt out of it, it’s called the Find My Network and there’s a toggle in the settings.

I imagine this would also disable the remote wipe capability.

DeletedUser26

[deleted] No, it’s a separate setting. You don’t have to disable Find My to disable the Find My Network.

[deleted]

DeletedUser26
You can disable Find My Network for a device like Airpods, not an iPhone.

DeletedUser26

[deleted] https://www.macworld.com/article/347243/how-to-opt-out-of-the-find-my-network.html

You can. The setting is there to disable it for your iPhone.

[deleted]

DeletedUser26
Thanks, I've learnt something.

« Previous Page