Finding and contacting the owner of lost AirPods

I saw this via "Did you lose your AirPods? (alexyancey.com)"; the original article is "Did you lose your AirPods?".

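As the title says, the author's friend found a pair of AirPods. After connecting them to an iPhone, the only information available besides the serial number was the last four digits of the owner's phone number, so there was no obvious way to contact the owner.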

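The author then started working on the problem. The first assumption was that the owner is in the same state, so the area code (the first three digits) would be the same, which leaves only 1000 combinations for the middle three digits (the author wrote 999):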

I started with the assumption that the owner lived near me in the Portland metropolitan area. With that, I restricted the search to our local area code*. Sure, they could be from out of town, but hey, let's give it a shot.

Next, a public database was used to look up which phone numbers are valid and belong to mobile carriers, which cut the list down to 232:

Next, I narrowed it down by central office code (commonly called prefix) (those three digits after the area code). Most of Portland’s are assigned, but only 26% to wireless carriers. Also, 000-199 are reserved codes that aren't available for telcos. I lied earlier, sorry.

After that, since this is the Apple ecosystem, the author decided to scan the list with an iMessage Lookup API, which left 84:

It's a safe bet that the owner has an iPhone with iMessage turned on. We can use this assumption to narrow down the list further by filtering out any non-iMessage phone numbers. I ran a check using this API. (The API is probably used for shady stuff, but my intentions were pure.)

Finally, the author sent iMessages directly from a MacBook to ask, so there was no need to pay to make contact over SMS:

With the list whittled down, I avoided Twilio entirely by using a script on my MacBook to send iMessages in bulk. Now we wait.

In the end the owner really was found and the AirPods were returned.

Looking back, the two tricks used here (the public database lookup and the iMessage lookup) have a strong OSINT flavor, which is quite interesting...

It looks like Apple intends to keep collecting OCSP information...

I saw this via "Apple memory holed its broken promise for an OCSP opt-out (lapcatsoftware.com)"; the original article is "Apple memory holed its broken promise for an OCSP opt-out".

Every time an application is launched, Apple's system contacts Apple's own OCSP server to check whether the application has been revoked by Apple:

When you launch an app, macOS connects to Apple's OCSP service to check whether the app's Developer ID code signing certificate has been revoked by Apple.

Apple originally said it would improve this, but it looks like it has gone back on its word...

This is an obvious privacy problem, so my approach is to follow Apple's own official document "Use Apple products on enterprise networks" and put every ocsp-related record listed there into /etc/hosts. Currently that is:

127.0.0.1 ocsp.apple.com ocsp.digicert.cn ocsp.digicert.com ocsp.entrust.net ocsp2.apple.com

You can reboot to make sure it takes effect, then use ping ocsp.apple.com (or one of the other domains) to see whether it resolves to 127.0.0.1.
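A way to check every domain from the hosts line at once instead of pinging them one by one. This is an added example, not part of the original post; the sample hosts text and the address 192.0.2.10 are constructed, and "first entry for a name wins" is an assumption about how the resolver reads the file.

```python
import ipaddress

# Domain list copied from the hosts line in the post above.
OCSP_DOMAINS = ["ocsp.apple.com", "ocsp.digicert.cn", "ocsp.digicert.com",
                "ocsp.entrust.net", "ocsp2.apple.com"]

def parse_hosts(text):
    """Return {hostname: address}, keeping the first entry seen for each name."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # skip lines whose first field is not an IP address
        for name in fields[1:]:
            mapping.setdefault(name.lower(), addr)
    return mapping

def not_blocked(text, domains=OCSP_DOMAINS):
    """List the domains that are missing or not mapped to a loopback address."""
    mapping = parse_hosts(text)
    return [d for d in domains
            if d not in mapping or not mapping[d].is_loopback]

# Constructed sample hosts file with two mistakes in it.
SAMPLE = """\
127.0.0.1 localhost
# 127.0.0.1 ocsp.digicert.cn   (commented out, so not in effect)
127.0.0.1 ocsp.apple.com ocsp.digicert.com OCSP.entrust.net
192.0.2.10 ocsp2.apple.com
127.0.0.1 ocsp2.apple.com
"""

if __name__ == "__main__":
    print(not_blocked(SAMPLE))
```

Pass the contents of the real /etc/hosts to `not_blocked` to check a machine; an empty list means every listed domain points at loopback.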

Apple uses Live Caller ID Lookup as an example of homomorphic encryption

Last week a homomorphic encryption library was announced on the Swift blog (in practice it is more accurate to treat it as an Apple announcement): "Announcing Swift Homomorphic Encryption".

It mentions that the Live Caller ID Lookup feature uses homomorphic encryption:

One example of how we’re using this implementation in iOS 18, is the new Live Caller ID Lookup feature, which provides caller ID and spam blocking services. Live Caller ID Lookup uses homomorphic encryption to send an encrypted query to a server that can provide information about a phone number without the server knowing the specific phone number in the request.

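The traditional way to implement Live Caller ID Lookup is for the phone to send the number to the server, which then replies with the related information. The drawback is that whoever runs the server learns who is calling.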

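An earlier way to improve on this was something similar to k-anonymity: the phone sends only some of the digits to the server (for example, on receiving a call from 0912-345678, it sends only the 0912-345 part), and the server returns answers for the matching range. This keeps the server from directly learning which number called, but it also discloses more information to the phone.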

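The point of homomorphic encryption is that computation can be performed on ciphertext. The phone gives ciphertext A to the server, the server uses ciphertext A to interact with the database and ends up with ciphertext B, and the phone takes ciphertext B back and decrypts it to get the result.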
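The two approaches described above, side by side, as an added example that is not part of the original post and not code from Apple's library. It swaps in textbook Paillier (additively homomorphic) with toy-sized constructed primes; the database, slot count, label codes and all function names are assumptions made for illustration.

```python
import math
import secrets

# Toy Paillier parameters (constructed; far too small for real use).
P, Q = 65537, 2147483647
N, N2, PHI = P * Q, (P * Q) ** 2, (P - 1) * (Q - 1)
MU = pow(PHI, -1, N)
LABELS = {0: "unknown", 1: "spam", 2: "business"}
# Constructed sample database: phone number -> label code.
DB = {"0912345678": 1, "0912345999": 2, "0987000112": 1}
SLOTS = 16
TABLE = [0] * SLOTS  # plaintext server table, one packed value per slot
for num, code in DB.items():
    TABLE[int(num) % SLOTS] = int(num) * 10 + code

def prefix_lookup(number, keep=7):
    """k-anonymity style: the server learns the prefix, the client gets the bucket."""
    prefix = number[:keep]
    return prefix, {n: c for n, c in DB.items() if n.startswith(prefix)}

def encrypt(m):
    r = secrets.randbelow(N - 1) + 1
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return (1 + m * N) * pow(r, N, N2) % N2

def decrypt(c):
    return (pow(c, PHI, N2) - 1) // N * MU % N

def server_answer(enc_selectors):
    """Runs on the server: sees only ciphertexts and touches every slot."""
    acc, touched = 1, 0
    for value, c in zip(TABLE, enc_selectors):
        acc = acc * pow(c, value, N2) % N2  # homomorphically adds value * selector
        touched += 1
    return acc, touched

def private_lookup(number):
    """Client side: encrypted one-hot query (ciphertext A), decrypt the reply (B)."""
    slot = int(number) % SLOTS
    query = [encrypt(1 if i == slot else 0) for i in range(SLOTS)]
    answer, touched = server_answer(query)
    found, code = divmod(decrypt(answer), 10)
    # A different number sharing the slot must not be reported as a match.
    return (LABELS[code] if found == int(number) else "unknown"), touched

if __name__ == "__main__":
    print(prefix_lookup("0912345678"))
    print(private_lookup("0912345678"), private_lookup("0912345662"))
```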

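I'm not really sold on it, though. With the database in plaintext, is there a chance of learning more from the access pattern of ciphertext A interacting with the database? After all, it can't be a table scan, otherwise it would be too expensive given the query volume Apple would receive...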

It counts as an attempt; whether it turns out to be snake oil is something to watch later.

Apple Maps on the web opens for beta testing

Apple announced a web version of its maps service: "Apple Maps on the web launches in beta". The URL is https://beta.maps.apple.com/

With Brave I get the message "Your current browser isn't supported", but according to the Hacker News discussion "Apple Maps on the web launches in beta (apple.com)", the check appears to be only on the root path, so appending any string to the URL is enough, for example https://beta.maps.apple.com/a.

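I tried it on the Tucheng area and the data looks reasonably OK. Besides chain stores, some local businesses are also included, and it is considerably richer than the OpenStreetMap data...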

Under the EU's DMA, Apple is forced to open up the App Store and its various restrictions

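The hottest news in tech yesterday was probably Apple publishing its plan to loosen App Store restrictions in the EU: "Apple announces changes to iOS, Safari, and the App Store in the European Union". The Hacker News discussion is also lively and points out many of the obstacles Apple has set up to keep you from switching: "Apple announces changes to iOS, Safari, and the App Store in the European Union (apple.com)".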

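From the article you can see that Apple keeps using FUD to push back, and it is clear from the article itself that Apple is extremely reluctant to open up this lucrative business.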

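Besides the reluctant tone of the article, Apple is also trying to set up various mechanisms that keep developers from moving away. The nastiest one so far is the design of the Core Technology Fee: even if the app is later downloaded through a third-party app marketplace, you still have to pay Apple a very expensive fee: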

Core Technology Fee — iOS apps distributed from the App Store and/or an alternative app marketplace will pay €0.50 for each first annual install per year over a 1 million threshold.

I'm not sure whether the existing DMA has the power to stop this, but it is the key item seen so far, and the EU will probably act on it...

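Also, from some group discussions, Apple is very unwilling to let go of the App Store. It looks like this feature is locked at the countryd level, so simply registering an EU App Store account is not enough to install.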

In any case, I'll sit back for a month or two and digest the news as it comes...

The problem of inaccurate iCloud storage accounting

Making a note of this phenomenon. I saw it on Hacker News in "Cleaning up my 200GB iCloud with some JavaScript (andykong.org)"; the original article is "iCloud Cleanup".

It mentions that iCloud Photos cannot sort by size, so the author wrote some JavaScript to solve that.

The part I want to record is this one. Later in the article the author mentions that the storage accounting is very inaccurate:

So iCloud says the video is 128MB, I download it and the video is actually 48MB, and my free storage increases by ~170MB when I deleted it. Interesting!

And the author found that the older the file, the more space it takes up, by as much as seven times:

It's weird that my storage freed up more than 7x the removed files size, and weirder still that old, big videos appear to have a much larger storage footprint in iCloud than in real life.

I wonder whether this will lead to a lawsuit later?

Beeper announces a new phone number registration method, and probably won't be updating it further

Beeper published two updates in a row: "iMessage and Phone Registration Are Back - Kinda" and "Beeper - Moving Forward".

The first post describes the new phone number registration method, which requires jailbreaking an old iPhone (iPhone 6 through iPhone X):

📱 Have an old iPhone (6/6s/SE1/7/8/X) and a Mac or Linux computer (Raspberry Pi works) - you’re in luck! Follow our instructions (takes only 10-15 minutes) to jailbreak your iPhone, install a Beeper tool to generate iMessage registration code, then update to the latest Beeper Mini app and enter your code. Phone number registration will now work! Leave the iPhone plugged into power, at home, connected to wifi.

From "How To - Register Phone Number With iMessage" you can see that it uses a jailbreak to obtain the corresponding token (code), which is then entered into Beeper Mini.

The second post says that they are unlikely to win the cat-and-mouse game:

As much as we want to fight for what we believe is a fantastic product that really should exist, the truth is that we can’t win a cat-and-mouse game with the largest company on earth.

And going forward they will put their effort into developing a new IM:

In the new year, we’re shifting focus back to our long-term goal of building the best chat app on earth.

The story more or less ends here...?

Beeper Mini is back, and free to use for now

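A few days ago I wrote "Apple moves to kill Beeper Mini". There was progress that same day, but the official explanation only came out yesterday: "Beeper Mini Is Back". The corresponding Hacker News discussion is at "Beeper Mini is back (beeper.com)".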

For now only the e-mail part of iMessage works. The phone number part is currently down, and it looks like they are trying to find another way around:

Phone number registration is not working yet. All users must now sign in with an AppleID. Messages will be sent and received via your email address rather than phone number. We’re currently working on a fix for this.

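Also worth mentioning: iOS pushed updates in the last few days, but I didn't see anything related to iMessage in "About the security content of iOS 17.2 and iPadOS 17.2" or "About the security content of iOS 16.7.3 and iPadOS 16.7.3". (Of course, it is also possible that something was included without being mentioned...)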

So given the current situation, they decided to offer it for free for now (it is also a marketing move, since this will bring in more installs):

We’ve made Beeper free to use. Things have been a bit chaotic, and we’re not comfortable subjecting paying users to this. As soon as things stabilize (we hope they will), we’ll look at turning on subscriptions again. If you want to keep supporting us, feel free to leave the subscription on 🙂.

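The following sentence also carries some extra information. They say they contacted Apple but have not received anything back, which also means they probably have not received a C&D or similar demand yet: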

Despite reaching out, we still have not heard anything directly from Apple.

The cat-and-mouse game goes on...

Speaking of which, the battle next door between Google and Epic is getting quite lively...

Apple moves to kill Beeper Mini

Beeper Mini, which I mentioned a few days ago in "An app on Android that interoperates with iMessage in the Apple ecosystem", has been killed by Apple: "Apple cuts off Beeper Mini’s access after launch of service that brought iMessage to Android".

Judging from the current update, they are going to try to work around it?

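So it looks like Apple has no intention of letting this go, and next it will probably be cat and mouse? But Apple's devices have hardware that can be used for authentication; if iMessage really gets hooked up to database verification, it probably can't be worked around...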

An app on Android that interoperates with iMessage in the Apple ecosystem

Two related Hacker News items can be read together. The first is Beeper Mini, an app on Android that talks directly to iMessage in the Apple ecosystem without needing a separate Apple device as a proxy: "Show HN: Beeper Mini – iMessage Client for Android (beeper.com)".

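One thing to note up front: this is paid software ($1.99/mo). Since it is a product of reverse engineering, it is unclear whether Apple will take countermeasures, so anyone paying for it should keep that in mind: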

We currently offer a 7 day free trial, afterwards there is a $1.99 per month subscription.

The other related item is "iMessage, explained (jjtech.dev)". The original is an article from August this year, probably posted because of the Beeper Mini item; it is at "iMessage, explained".

It explains how the author handled the iMessage part when implementing pypush:

This blog post is going to be a cursory overview of the internals iMessage, as I’ve discovered during my work on pypush, an open source project that reimplements iMessage.

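The project mentions that Apple has a piece of obfuscated code here. Since it is only needed during the registration stage, the author chose to bring up an environment and execute it directly; once the corresponding data has been generated it does not need to run again, which also saves the effort of reverse engineering it: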

pypush currently uses the Unicorn CPU emulator and a custom MachO loader to load a framework from an old version of macOS, in order to call some obfuscated functions.

This is only necessary during initial registration, so theoretically you can register on one device, and then copy the config.json to another device that doesn't support the Unicorn emulator. Or you could switch out the emulator for another x86 emulator if you really wanted to.

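Another earlier piece of news is that Apple said it will support RCS: "Apple announces that RCS support is coming to iPhone next year". The current guess is that this is related to the EU repeatedly asking Apple to open up iMessage.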