Apple 在歐盟 DMA 的法規下被強制開放 App Store 與各種限制

昨天科技圈最熱門的消息應該是 Apple 公開了在歐盟區開放 App Store 限制的計畫:「Apple announces changes to iOS, Safari, and the App Store in the European Union」,Hacker News 上的討論也很熱鬧,也提出了很多蘋果想盡辦法讓你不要換過去所設定的障礙:「Apple announces changes to iOS, Safari, and the App Store in the European Union (apple.com)」。

從文章可以看出 Apple 不斷的用 FUD 在擋,而且從文章裡面就可以看出來 Apple 極度不情願開放這塊肥肉。

除了文章的不情願態度外,Apple 也試著要建立各種機制讓 developer 無法轉移,其中目前最毒的是 Core Technology Fee 的設計,即使 app 後續會透過第三方的 app marketplace 下載,你仍然要付給 Apple 一筆很貴的費用:

Core Technology Fee — iOS apps distributed from the App Store and/or an alternative app marketplace will pay €0.50 for each first annual install per year over a 1 million threshold.

不確定現有的 DMA 是否有阻止的能力,但這個是目前已經看到的重點項目,歐盟應該會有動作...

另外看一些群組討論,Apple 很不願意放 App Store 出來,看起來這個功能是被鎖到 countryd 層級的,無法單純註冊歐盟 App Store 的帳號就能安裝。

反正先坐著等一兩個月看新聞消化...

Beeper 宣佈新的手機號碼註冊方式,另外後續應該不會再更新了

Beeper 連續兩篇更新:「iMessage and Phone Registration Are Back - Kinda」、「Beeper - Moving Forward」。

第一篇提到新的手機號碼註冊方式,需要用舊的 iPhone 手機 jailbreak (iPhone 6iPhone X):

📱 Have an old iPhone (6/6s/SE1/7/8/X) and a Mac or Linux computer (Raspberry Pi works) - you’re in luck! Follow our instructions (takes only 10-15 minutes) to jailbreak your iPhone, install a Beeper tool to generate iMessage registration code, then update to the latest Beeper Mini app and enter your code. Phone number registration will now work! Leave the iPhone plugged into power, at home, connected to wifi.

從「How To - Register Phone Number With iMessage」可以看到是用 jailbreak 的方式取得對應的 token (code) 再丟進 Beeper Mini:

第二篇則是提到貓與老鼠的競賽中不太可能贏:

As much as we want to fight for what we believe is a fantastic product that really should exist, the truth is that we can’t win a cat-and-mouse game with the largest company on earth.

然後後續會把力氣放到新的 IM 開發:

In the new year, we’re shifting focus back to our long-term goal of building the best chat app on earth.

故事差不多就到這邊...?

Beeper Mini 恢復,並且先提供免費使用

前幾天提到「蘋果出手幹掉 Beeper Mini 了」,當天就有進度了,不過到了昨天官方的說明才出來:「Beeper Mini Is Back」,Hacerk News 上對應的討論在「Beeper Mini is back (beeper.com)」這邊可以看到。

目前的 iMessage 只剩下 e-mail 的部分,電話號碼的部分目前是掛的,看起來是想辦法繼續繞:

Phone number registration is not working yet. All users must now sign in with an AppleID. Messages will be sent and received via your email address rather than phone number. We’re currently working on a fix for this.

另外值得一提的是,這幾天 iOS 有推更新,但在「About the security content of iOS 17.2 and iPadOS 17.2」與「About the security content of iOS 16.7.3 and iPadOS 16.7.3」裡面沒看到跟 iMessage 有關的說明。(當然也有可能塞進去卻沒有講...)

所以基於現在的情況,他們決定先免費提供使用 (另外一方面是行銷操作,這樣會帶來更多安裝數量):

We’ve made Beeper free to use. Things have been a bit chaotic, and we’re not comfortable subjecting paying users to this. As soon as things stabilize (we hope they will), we’ll look at turning on subscriptions again. If you want to keep supporting us, feel free to leave the subscription on 🙂.

另外後面的這句話有帶出一些額外的訊息,提到他們有聯絡蘋果,但沒有從蘋果那邊收到任何消息,這也代表他們應該還沒收到 C&D 之類的要求:

Despite reaching out, we still have not heard anything directly from Apple.

貓與老鼠還在繼續玩...

話說隔壁棚 GoogleEpic 那邊的戰場可熱鬧了...

蘋果出手幹掉 Beeper Mini 了

前幾天在「Android 上與 Apple 生態系 iMessage 互通的 app」這篇提到的 Beeper Mini 被蘋果幹掉了:「Apple cuts off Beeper Mini’s access after launch of service that brought iMessage to Android」。

目前的 update 看起來要想辦法繞?

所以看起來蘋果的態度沒有要放,然後接下來應該會貓捉老鼠?不過蘋果的機器上面有硬體可以認證,真的把 iMessage 接上資料庫驗證的話應該就繞不過了...

iPhone 5S 又拿到安全性更新了:iOS 12.5.7 (2023/01/23)

Apple 又針對 iOS 12 釋出安全性更新了:「About the security content of iOS 12.5.7」。

Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.

Description: A type confusion issue was addressed with improved state handling.

這次的更新是 backport 去年十二月在 Safari 16.2 上修正的 CVE-2022-42856

A type confusion issue was addressed with improved state handling. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.1.2. Processing maliciously crafted web content may lead to arbitrary code execution.

所以這包跟上次一樣 (參考先前寫的 「iOS 12.5.6」這篇),也是在修正 RCE 類的漏洞,這樣對於 iPhone 5S 等於是進入第九年的支援了。

之前在網路上有看到有人在猜是因為海外有很多異議人士拿這隻手機,所以美國政府「希望」Apple 能夠針對一些高危險性的安全漏洞提供更新?

iOS 12.5.6

早上發現 iPhone 6 Plus 被自動更新到 iOS 12.5.6,查了一下發現是八月底的時候 Apple 推了一版 WebKitACECVE-2022-32893:「About the security content of iOS 12.5.6」。

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved bounds checking.

上個更新的版本 12.5.5 是 2021/09/23 出的,本來大家都以為已經沒有任何更新了,沒想到居然回過頭來發了一包,照蘋果的敘述看起來是因為這個洞被廣泛使用的關係?

iPhone 5S (目前 iOS 12 支援列表裡最早出的手機) 是 2013 下半年出的,到現在也九年了...

iOS Safari 擋 "Open in App" 的付費套件 Banish

在「New iOS App Blocks Those Annoying 'Open in App' Pop-Ups in Safari」這邊看到 John Gruber 的介紹文章「Banish: New Safari Extension to Block 'Open in App' Dickpanels」,裡面提到的 extension 在「Banish for Safari」這邊,一次性的費用,在台灣是 NT$70。

裡面的 screenshot 給了還蠻清楚的說明:

設定上面因為會牽扯到 privacy 的關係,會有點麻煩,需要開好幾個地方。

順道一提,桌面上的話可以透過 Annoyances 系列的 list 在 uBlock Origin 上擋。

Apple 在 iOS 16、iPadOS 16 與 macOS Ventura 上推出 Lockdown Mode

AppleiOS 16、iPadOS 16 與 macOS Ventura 上推出了 Lockdown Mode:「Apple expands industry-leading commitment to protect users from highly targeted mercenary spyware」。

Lockdown Mode 主要是透過降低被攻擊的面積以提昇安全性,依照 Apple 的預想,主要是針對被政府單位盯上的族群:

Apple is previewing a groundbreaking security capability that offers specialized additional protection to users who may be at risk of highly targeted cyberattacks from private companies developing state-sponsored mercenary spyware.

在 Lockdown Mode 下目前列出來的限制:

  • Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
  • Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
  • Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
  • Wired connections with a computer or accessory are blocked when iPhone is locked.
  • Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on.

列出來的這些的確都是之前 0-day 常被拿來打的東西,把攻擊面積縮小的確會有不少幫助。

這應該是業界第一個大咖跳進來做這個 (也就兩個大咖?),第一次搞未必會完美,但算是個開始,後面應該會有更多的面積被考慮進去...

由美國參議院提出的 Open App Markets Act

以為之前有寫過亞利桑那州的法律,結果沒找到... (有可能寫一寫就刪掉了)

三月初的時候亞利桑那州推動修正法案,強制夠大的 OS 必須開放其他的 App Store 以及 Payment 系統 (以當時,或是現在來看,應該只有 AppleiOSGoogleAndroid 這兩個系統):「Arizona advances bill forcing Apple and Google to allow Fortnite-style alternative payment options」,不過這個法案在同月月底的時候就被沒收了:「It’s game over for Arizona’s controversial App Store bill」。

這次則是由美國參議院 (上議院) 跨黨派的三位參議員提出來的 Open App Markets Act 也是類似的事情,只是拉到全國的層級:「Blumenthal, Blackburn & Klobuchar Introduce Bipartisan Antitrust Legislation to Promote App Store Competition」。在 Hacker News 上有討論:「Senators introduce bipartisan antitrust bill to promote app store competition (senate.gov)」。

第一關應該是要先讓參議院通過,在這個階段 Apple 與 Google 兩家應該就會有各種檯面上的遊說與檯面下的動作,另外像是 EpicSpotify 這些公司應該也會進去推一把...

居然在安全性漏洞的 PoC 上面看到拿 Bad Apple!! 當作範例

人在日本的資安專家 Hector Martin 找到了 Apple M1 的安全漏洞,可以不用透過 macOS Big Sur 提供的界面,直接透過 M1 的漏洞跨使用者權限傳輸資料,這可以用在突破 sandbox 的限制。而也如同目前的流行,他取了一個好記的名字:「M1RACLES: M1ssing Register Access Controls Leak EL0 State」,對應的 CVECVE-2021-30747

先講比較特別的點,PoC 的影片放在 YouTube 上,作者拿 Bad Apple!! 當作示範,這很明顯是個雙關的點:

這應該是當年的影繪版本,看了好懷念啊... 當年看到的時候有種「浪費才能」的感覺,但不得不說是個經典。

Hacker News 上有討論可以翻翻:「M1racles: An Apple M1 covert channel vulnerability (m1racles.com)」。

依照作者的說明,Apple A14 因為架構類似,也有類似的問題,不過作者沒有 iPhone,沒辦法實際測試:

Are other Apple CPUs affected?

Maybe, but I don't have an iPhone or a DTK to test it. Feel free to report back if you try it. The A14 has been confirmed as also affected, which is expected, as it is a close relative of the M1.

另外作者覺得這個安全漏洞在 macOS 上還好,主要是你系統都已經被打穿可以操控 s3_5_c15_c10_1 register 了,應該會有更好的方式可以用:

So you're telling me I shouldn't worry?

Yes.

What, really?

Really, nobody's going to actually find a nefarious use for this flaw in practical circumstances. Besides, there are already a million side channels you can use for cooperative cross-process communication (e.g. cache stuff), on every system. Covert channels can't leak data from uncooperative apps or systems.

Actually, that one's worth repeating: Covert channels are completely useless unless your system is already compromised.

比較明顯的問題應該是 iOS 這邊的 privacy issue,不過 iOS 上的 app store 有基本的保護機制:(不過想到作者可以故意寫成 RCE 漏洞...)

What about iOS?

iOS is affected, like all other OSes. There are unique privacy implications to this vulnerability on iOS, as it could be used to bypass some of its stricter privacy protections. For example, keyboard apps are not allowed to access the internet, for privacy reasons. A malicious keyboard app could use this vulnerability to send text that the user types to another malicious app, which could then send it to the internet.

However, since iOS apps distributed through the App Store are not allowed to build code at runtime (JIT), Apple can automatically scan them at submission time and reliably detect any attempts to exploit this vulnerability using static analysis (which they already use). We do not have further information on whether Apple is planning to deploy these checks (or whether they have already done so), but they are aware of the potential issue and it would be reasonable to expect they will. It is even possible that the existing automated analysis already rejects any attempts to use system registers directly.