Categories
Mobile Syrup

Apple CEO Tim Cook reiterates why iOS app sideloading would be bad

During his keynote speech at the IAPP Global Privacy Summit in Washington D.C., Apple CEO Tim Cook emphasized the tech giant’s focus on privacy and reiterated the company’s stance on the prospect of iOS app sideloading.

“We at Apple are proud to stand alongside all those who are working to advance privacy rights around the world. As a company, we are profoundly inspired by what technology can make possible, but we know too that technology is neither inherently good nor inherently bad. It is what we make of it. It is a mirror that reflects the ambitions of the people who use it, the people who build it, and the people who regulate it,” said Cook.

He also outlined more recent additions to iOS like App Tracking Transparency and emphasized that proposed regulations in certain regions could compromise the security of the iPhone.

“Here in Washington and elsewhere, policymakers are taking steps in the name of competition that would force Apple to let apps onto iPhone that circumvent the App Store through a process called sideloading,” said Cook.

Apple’s CEO said that sideloading would allow “data-hungry companies” to circumvent the tech giant’s privacy rules in order to track users. For example, in the U.S., the Open Markets Act could require Apple to allow sideloading on its iOS and iPadOS devices.

The act was approved by the Senate Judiciary Committee earlier this month and will enter debate in Congress shortly. In the European Union, the Digital Markets Act could force Apple to allow sideloading, though the legislation has not been finalized.

While Cook’s speech is a move to protect Apple’s financial interests in the App Store, there’s a lot of truth to his Global Privacy Summit keynote talk.

Cook’s portion of the IAPP Summit 2022 keynote starts at 14:05.

Apple’s dominance over the iPhone’s and iPad’s app ecosystem, thanks to its strict grip on the App Store, isn’t always great for developers given the roughly 30 percent cut of revenue they’re forced to hand over.

That said, as far as the end-user is concerned, there’s a strong argument that this level of control offers a better user experience in some situations.

It ensures that, for the most part, all apps available to iPhone/iPad users are legitimate and meet a certain standard, which mitigates the risk from hackers and scammers.

Google’s Messages and Phone apps send text and call info to Google

Google’s Messages and Phone apps collect and send user data to the company’s servers without user consent, potentially violating privacy laws like Europe’s GDPR.

The claim comes from Douglas Leith, a computer science professor at Trinity College Dublin. In a paper titled “What Data Do The Google Dialer and Messages Apps On Android Send to Google?” Leith outlined what data these apps send to Google.

The apps collect information about users’ communications, including a SHA256 hash of messages and their timestamp (hashing is a process of scrambling information so it can’t be returned to its original form), phone numbers, incoming and outgoing call logs, call duration, and call length.

The information is sent to Google using Google Play Services’ Clearcut logger service and through Firebase Analytics. Moreover, the data helps Google link the message sender, receiver, or the two participants in a call.

Although Google only receives a 128-bit value of the message hash, Leith says it could be possible to reverse the hash and reveal the contents of short messages.

“I’m told by colleagues that yes, in principle this is likely to be possible,” Leith told The Register in an email.

“The hash includes an hourly timestamp, so it would involve generating hashes for all combinations of timestamps and target messages and comparing these against the observed hash for a match – feasible I think for short messages given modern compute power.”
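To make the privacy point concrete, the following added example (not code from Leith's paper or from Google) shows why a truncated hash of a short message plus an hourly timestamp does not anonymise the message, and how a key that never leaves the device changes that. The input format of the hash, the sample timestamp, the device key and the candidate list are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac

TRUNCATE_BYTES = 16  # 128 bits, the size of the value the article says Google receives

# Constructed sample values, not taken from the paper.
SENT_AT = 1647871234      # 2022-03-21 14:00:34 UTC
DAY_START = 1647820800    # 2022-03-21 00:00:00 UTC


def hour_bucket(epoch_seconds: int) -> int:
    """Round a Unix timestamp down to the start of its hour."""
    return epoch_seconds - (epoch_seconds % 3600)


def encode_input(message: str, epoch_seconds: int) -> bytes:
    """ASSUMED input format: '<hour>|<message>'. The article does not give the real one."""
    return f"{hour_bucket(epoch_seconds)}|{message}".encode("utf-8")


def telemetry_hash(message: str, epoch_seconds: int) -> bytes:
    """Unkeyed SHA-256 over hour + message, truncated to 128 bits."""
    return hashlib.sha256(encode_input(message, epoch_seconds)).digest()[:TRUNCATE_BYTES]


def keyed_telemetry_hash(key: bytes, message: str, epoch_seconds: int) -> bytes:
    """Same input, but HMAC-SHA256 under a secret that stays on the device."""
    mac = hmac.new(key, encode_input(message, epoch_seconds), hashlib.sha256)
    return mac.digest()[:TRUNCATE_BYTES]


def search_space(hours, candidates) -> int:
    """Number of hashes needed to cover every (hour, message) pair."""
    return len(hours) * len(candidates)


def recover(observed: bytes, hours, candidates, hash_fn):
    """Return (message, hour) if any candidate reproduces the observed value."""
    for hour in hours:
        for message in candidates:
            if hmac.compare_digest(hash_fn(message, hour), observed):
                return message, hour
    return None


def demo():
    # Low-entropy candidate space: 4-digit codes plus a few short replies.
    candidates = [f"PIN {n:04d}" for n in range(10000)] + ["ok", "yes", "on my way"]
    # The log recipient knows roughly when the event happened: one day = 24 buckets.
    hours = [DAY_START + 3600 * h for h in range(24)]

    # Unkeyed hash: anyone holding the value can recompute every candidate.
    observed = telemetry_hash("PIN 4821", SENT_AT)
    unkeyed_result = recover(observed, hours, candidates, telemetry_hash)

    # Keyed hash: without the device secret the same enumeration finds nothing.
    device_key = b"constructed-device-only-secret"
    observed_keyed = keyed_telemetry_hash(device_key, "PIN 4821", SENT_AT)
    wrong_key_fn = lambda m, t: keyed_telemetry_hash(b"guess", m, t)
    keyed_result = recover(observed_keyed, hours, candidates, wrong_key_fn)

    return {
        "space": search_space(hours, candidates),
        "unkeyed": unkeyed_result,
        "keyed": keyed_result,
    }


if __name__ == "__main__":
    print(demo())
```

Truncating to 128 bits and rounding the timestamp do nothing for short messages, because the work is bounded by the number of plausible inputs rather than by the hash length.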

Leith’s paper also outlines that Google’s Phone and Messages apps don’t feature privacy policies to explain what data they collect, despite Google requiring third-party apps on the Play Store to include privacy policies. Moreover, users who download their data from Google Takeout won’t receive the Messages and Phone information collected by Google.

Considering the Phone and Messages apps are installed by default on millions of Android devices, it’s a massive oversight and significant invasion of privacy by Google.

Google’s response

Leith reported his findings to Google in November 2021 and outlined nine steps the company should take to rectify the problem. Google has already made (or plans to make) changes, which you can find below:

Recommendations

  1. The specific data collected by Dialer and Messages apps, and the specific purposes for which it is collected, should be clearly stated in the app privacy policies.
  2. The app privacy policy should be easily accessible to users and be viewable without having to first agree to other terms and conditions (e.g. those of Google Chrome). Viewing of the privacy policy should not be logged/tracked prior to consent to data collection.
  3. Data on user interactions with an app, e.g., app screens viewed, buttons/links clicked, actions such as sending/receiving/viewing messages and phone calls, is different in kind from app telemetry such as battery usage, memory usage, slow operation of the UI. Users should be able to opt-out of collection of their interaction data.
  4. User interaction data collected by Google should be made available to users on Google’s https://takeout.google.com/ portal (where other data associated with a user’s Google account can already be downloaded).
  5. When collecting app telemetry such as battery usage, memory usage etc., the data should only be tagged with short-lived session identifiers, not long-lived persistent device/user identifiers such as the Android ID.
  6. When collecting data, only coarse time stamps should be used, e.g., rounded to the nearest hour. The current approach of using timestamps with millisecond accuracy risks being too revealing. Better still, use histogram data rather than timestamped event data, e.g., a histogram of the network connection time when initiating a phone call seems sufficient to detect network issues.
  7. Halt the collection of the sender phone number via the CARRIER_SERVICES log source when a message is received, and halt collection of the SIM ICCID by Google Messages when a SIM is inserted. Halt collection of a hash of sent/received message text.
  8. The current spam detection/protection service transmits incoming phone numbers to Google servers. This should be replaced by a more privacy-preserving approach, e.g., one similar to that used by Google’s Safe Browsing antiphishing service, which only uploads partial hashes to Google servers.
  9. A user’s choice to opt-out of “Usage and diagnostics” data collection should be fully respected, i.e., result in a halt to all collection of app usage and telemetry data.

Google’s (planned) fixes

  1. Revising the app onboarding flow so that users are notified they’re using a Google app and are presented with a link to Google’s consumer privacy policy.
  2. Halting the collection of the sender phone number by the CARRIER_SERVICES log source, of the SIM ICCID, and of a hash of sent/received message text by Google Messages.
  3. Halting the logging of call-related events in Firebase Analytics from both Google Dialer and Messages.
  4. Shifting more telemetry data collection to use the least long-lived identifier available where possible, rather than linking it to a user’s persistent Android ID.
  5. Making it clear when caller ID and spam protection is turned on and how it can be disabled, while also looking at ways to use less information or fuzzed information for safety functions.

It’s also worth noting that Google confirmed to The Register that Leith’s paper was accurate and provided explanations for some of the data collection practices. The company said it collects message hashes to detect sequencing bugs, while phone number collection is intended to help improve the automatic recognition of one-time password (OTP) codes sent over SMS. Meanwhile, Firebase Analytics logging is used to measure whether people use the apps after downloading them.

Source: Douglas Leith Via: The Register, Android Police

A week with GrapheneOS exposed my over-reliance on Google

Last week, I wrote about installing GrapheneOS, an open-source, Android-based privacy operating system, on a Pixel 3. I shared some initial impressions, but now I’m back after using the GrapheneOS Pixel 3 as my daily driver for a week.

As I said in my initial impressions, GrapheneOS offers a low bar for entry from a technical perspective thanks to a straightforward install process (if you follow the guide on their website).

Using GrapheneOS once it’s installed, however, isn’t quite at the “it just works” level. I think that’s something important to keep in mind for anyone interested in trying out GrapheneOS. To be clear, GrapheneOS works, and works quite well (more on that below). But it’s often not a seamless experience like using an unmodified Pixel or an iPhone.

I don’t blame GrapheneOS for this — it’s entirely Google’s fault. Android, in its current form, is a hodgepodge of open-source software and proprietary Google-made software. Often, the Google software forms the backbone of the modern Android experience most people are familiar with.

GrapheneOS is an excellent way to reveal how much of the Android experience is reliant on Google because it takes Google out of the equation entirely. That’s what surprised me the most in my week using GrapheneOS — there are so many things, both big and small, obvious and not so obvious, where Android relies in part (or whole) on Google software.

Google, apps, and sandboxes

In my first impressions post, I mentioned running into an issue with my contacts not syncing. My solution was to manually export my contacts from another phone, upload them to Google Drive, then download that file on my Pixel 3 and import the contacts into the default Contacts app on GrapheneOS.

That small, but significant hurdle became something of a pattern for my week using GrapheneOS. Throughout the week, I kept stumbling across small issues. Many could be resolved by downloading an app or tweaking the way I used the phone. Others were more challenging.

There are no Google apps installed on GrapheneOS when you first boot it up. If you want Google apps, you need to install the Play Store, Play services and the Google Services Framework from an ‘Apps’ app that comes with GrapheneOS. It’s worth noting you don’t need to install these things if you don’t want to use the Play Store, and you can use other sources for apps (for example, F-Droid or Aurora, two open-source app stores). However, some apps need the Play Store and its requisite services to power things like notifications.

The beauty of GrapheneOS is it lets you run these apps with a compatibility layer that sandboxes them (i.e. isolates them from other parts of the system) and makes the Google apps run like normal Android apps with permissions and other restrictions. In other words, those who want to run Google apps can do so while maintaining some privacy (although you are still running Google apps). Plus, you can also use GrapheneOS’ built-in profiles to, for example, divide your apps between ‘Personal’ and ‘Work’ use, adding extra layers of separation between your data.

One of the more interesting consequences of this was I had to give the Play Store permission to install apps on my phone by toggling the option to let it ‘Install unknown apps.’ I also noted seemingly improved standby battery life on the Pixel 3 with GrapheneOS. There was one day where I took the phone off the charger at 100 percent at 8am and after a day of light use, it still had 80 percent left in the tank at 4pm. Using the phone still drains the battery quickly, but the standby time impressed me.

All of this worked without a hitch in my experience, and I had no problem installing and using apps from the Play Store.

Filling a G-shaped hole

With the Play Store set up, you can also download the various Google apps, although it isn’t entirely necessary unless you expect certain things from your Android experience. For example, there’s no voice assistant on GrapheneOS. Instead, I had to download the Google Assistant and Google apps from the Play Store and change a few settings (such as setting Google as the default assistant app) before I could use Assistant like I would on an unmodified phone.

Once I made it through the hurdles, Assistant worked as well as it would on any other Android phone. It’s worth noting that fans of the ‘Hey Google’ wake word can’t use it on GrapheneOS — the feature is flat-out disabled and I couldn’t see a way to enable it. But, if you care about privacy, disabling the wake word is for the best.

Other Google apps worked fine as well once I installed them. That includes Gmail, Google Photos, Drive, Keep, and Google’s Phone and Messages apps (Messages did give me some issues until I enabled some permissions for it, then it worked fine). Google Pay also appeared to be present and functional, but since I don’t use Google Pay normally I didn’t test it. On that note, banking apps might be a pain point for some (I was able to install mine, but since GrapheneOS isn’t an official Android release, it may cause problems).

Still, some of the “smart” features I’ve grown used to were still missing. For example, Google’s Phone app didn’t have Call Screen, a feature I’ve come to rely on. The keyboard also threw me for a loop — GrapheneOS includes a default keyboard that looks just like Google’s Gboard, but with worse autocorrect and missing features like swipe typing and surprisingly no emoji.

Likewise, the default camera app is functional, but it felt less intelligent than Google’s Pixel camera app.

Private OS, not so private apps

Of course, if any of these things are deal-breakers, you can work around them by installing the Google versions from the Play Store. But I found myself wondering if my privacy was actually better off for using GrapheneOS if I still frequently used Google software.

Again, you don’t have to use any of these apps or features. Gmail and Keep were the only Google apps I downloaded out of need — the others I grabbed because I wanted to test if they worked.

However, there’s a difference between getting by and flourishing — and I was just getting by with GrapheneOS. I attribute that to my over-reliance on Google apps.

Ultimately, those considering giving GrapheneOS a try need a few things to really make it work. First is a willingness to trade convenience for privacy. Like I wrote in my initial impressions, GrapheneOS works great, but I often found it lacked features I’ve come to rely on, features that make using my smartphone easier and more convenient. These are almost always tied to one Google service or another. Those who don’t care about Google’s apps or who are happy with a more basic smartphone experience will find a lot to like in GrapheneOS.

Basic troubleshooting skills are also a must to make the most out of the mobile OS. It’s not a matter of if, but when you’ll run into a problem. It could be a small hiccup like not having emojis or something more drastic like an app not working because you’re missing some integral Google software it relies on.

I never had to get technical to solve these problems, but I did have to think outside the box. The issue with my contacts is a prime example — instead of relying on Google’s broken sync software, I manually transferred my contacts through Google Drive. It wasn’t difficult, but not everyone would think to try something like that.

Overall, I really liked GrapheneOS, but it was generally incompatible with how I use my phone (and with my job, which generally revolves around writing about the latest tech features). I think I could run GrapheneOS as my daily driver and be perfectly happy in a world where my smartphone wasn’t such an integral part of both my career and my life. I’ll be keeping an eye on GrapheneOS going forward, but my SIM is going back to the Pixel 6 for now.

Lobbying group backed by Apple, Google pushes for weaker U.S. privacy laws

A lobbying group backed by tech companies including Apple, Google, Meta (Facebook), and Amazon has reportedly backed weaker privacy legislation in the U.S.

According to Axios (via 9to5Mac), tech lobbying group State Privacy and Security Coalition (SPSC) promoted an upcoming state privacy law in Utah as the model that other U.S. states should adopt. However, critics have called Utah’s legislation too weak.

Specifically, Axios reported that consumer groups said the Utah bill wasn’t clear about how much control consumers would have over whether their information was used for targeted advertising. Moreover, the groups said the bill’s enforcement mechanism is weak.

Utah lawmakers considered and passed a state privacy bill in under two weeks. The bill is currently awaiting the governor’s signature. Utah is set to become the fourth state with a privacy law, joining Colorado, Virginia, and California. 9to5 notes that California’s law is more along the lines of Europe’s GDPR.

States have begun stepping up to introduce privacy laws and regulations while the federal government’s attempts to do the same languish in Congress. However, there’s an incentive for a single, federal law over multiple state laws since it’s easier for tech companies to comply with one law instead of 50 individual laws. Moreover, one effective law is easier for people to understand.

Axios says that Iowa is considering a similar bill to Utah, and other states are also weighing their own privacy bills. Although the SPSC told Axios it’s trying to help align state privacy laws in the absence of federal law, it’s concerning that the lobbying group has chosen to promote alignment around weaker regulations.

Also concerning is Apple’s involvement, given the company’s strong messaging about its privacy commitments — commitments that may not actually help consumers that much.

Although U.S. state and federal regulation won’t apply to Canadians, it’s important to follow how the U.S. approaches privacy legislation as it could become a blueprint for other countries. On that note, Canada is in the process of updating some of its own tech legislation, including Bill C-10 and C-11. However, critics say C-11 doesn’t go far enough in curtailing tech companies’ ability to gather data on Canadians.

Source: Axios Via: 9to5Mac

I replaced Android on a Pixel 3 with an Android-based privacy OS

Some of the more privacy-conscious people out there may be tired of the lack of actually private mobile phones available on the market. There’s the iPhone, which Apple champions as private but isn’t entirely, while Android relies on Google-made software to work well. Ever tried using a pure Android Open Source Project (AOSP) build without Google’s invasive apps?

Yea, it’s not great.

There are, however, options out there. That said, it comes down to a balance of convenience versus privacy. I’ve started trying GrapheneOS, an open-source, free, Android-based mobile operating system focusing on privacy. This will likely be the first of two stories I write about GrapheneOS, focusing on the initial set-up plus some first impressions.

One of the main things that drew me to using GrapheneOS was its built-in compatibility layer that allows users to run Google Play Services, Services Framework, and the Play Store. GrapheneOS has a more in-depth explanation here, but the short version is that unlike many other privacy-focused Android builds, GrapheneOS enables users to install and run apps through the Play Store while also avoiding some of the more invasive behaviours of Google’s software. The compatibility layer effectively coerces Google’s services to run like normal apps that require permissions, preventing them from accessing data in other apps without express user consent.

Installing GrapheneOS on a Pixel 3

You probably shouldn’t do this.

Not because there’s anything wrong with the GrapheneOS installation process — in fact, as long as you follow the step-by-step guide available on the GrapheneOS website, it’s actually effortless. No, the reason you shouldn’t install GrapheneOS on the Pixel 3 is that it’s on the GrapheneOS extended support list now (you can view a complete list of supported devices here). That means Pixel 3 devices will “no longer receive full security updates” and instead get extended support releases “as a stopgap” while users transition to newer devices.

Unfortunately, I didn’t realize this until after I finished the installation. However, I decided to stick with it since the current version of GrapheneOS is based on Android 12 and I wanted to get a feel for whether I liked it before I attempted installing it on another Pixel.

Plus, although I may have written my final farewell to the Google Pixel 3, I wasn’t entirely ready to let it go.

Anyway, the installation process was relatively simple. GrapheneOS put together an excellent guide, and if you use the web-based installation tool, you can effectively do the whole thing by only clicking a few buttons and tweaking a couple settings on your phone. As someone who spent a lot of time rooting Android phones and installing ROMs back in the day, this was a breeze. If you’re not familiar with that process, then installing GrapheneOS might be more challenging. I’d rank it as more difficult than installing an Android beta on a Pixel phone through Google’s Android Beta Program website but easier than manually installing an Android Developer Preview.

All told, the process took maybe 10 minutes total, and I did it while writing some other stories.

First impressions

Once the installation was finished, setting up GrapheneOS was similar to setting up any Android phone. You turn it on, connect to Wi-Fi, etc. One issue I encountered here was that I couldn’t copy data over from another phone (GrapheneOS does let you bring data over from another phone with GrapheneOS, but this was my first time trying it).

Following set-up, GrapheneOS greets users with a basic, Pixel-like Android experience, minus all the Google apps. GrapheneOS includes the staples, like apps for phone, messages, files and the camera. These defaults get the job done, but they feel (and look) like they’re from a past era of Android. Thankfully, with Play Store access, I was able to download whatever apps I wanted to use instead, although not without issue.

So far, I’ve had no issues downloading and using my password manager app, Twitter, Infinity for Reddit, Gmail, and Discord. I’m well aware that most of these apps aren’t privacy-friendly, but I do feel better using them on GrapheneOS, knowing that the omnipresent Google Play Services is sandboxed away. I had a few issues with Google’s Messages app until I enabled some permissions for the restricted Play Services.

I also ran into issues importing my contacts from the Google account (eventually, I worked around this by exporting them from another phone to my Drive storage then downloading that file to import them back into the contacts app on GrapheneOS).

Ultimately, I haven’t encountered any real deal-breakers so far with GrapheneOS. Most of my hiccups in the first few hours came from little conveniences I’ve grown used to. For example, having my contacts sync automatically or using my security key to authenticate myself when signing into accounts (this worked inconsistently and seems like something GrapheneOS is working to improve). I’ve been able to work around these little hiccups so far, but some people may not be able to.

Suffice it to say that GrapheneOS may not need much technical know-how to install, but so far, using it like I would a regular Android phone has required thinking outside the box. Anyone looking for a straightforward experience may want to avoid GrapheneOS or other privacy-oriented Android experiences since the privacy gains often come at the expense of convenience and ease of use. I wish that weren’t the case. However, GrapheneOS has so far been one of the easiest privacy experiences I’ve tried, so maybe it won’t be much longer until people don’t need to make that sacrifice.

I’ll have more thoughts on GrapheneOS soon after spending more time with it.

RCMP inappropriately shares personal information on thousands of individuals with other federal agencies

The RCMP disclosed the personal information of thousands of foreign individuals based on incomplete information to the Department of Defence – Canadian Armed Forces (DND-CAF).

This was revealed after the National Security and Intelligence Review Agency (NSIRA) and the Office of the Privacy Commissioner (OPC) took part in a joint review examining disclosures federal institutions made under the Security of Canada Information Disclosure Act (SCIDA).

Approved in 2019, SCIDA allows 17 federal institutions to share information with each other to protect security. This includes sharing personal information.

A two-part test, known as the disclosure test, must be satisfied before any information can be shared under this act. The first part is that the institution sharing the information is satisfied that it will help the institution receiving it. The second is that personal privacy won’t be impacted “more than is reasonably necessary.”

The review examined 215 disclosures from 2020, 212 of which passed both parts of the test. The three that didn’t were all disclosures made by the RCMP.

The specifics

The first part of the test was not satisfied in two of the disclosures. Made on a proactive basis, one went to Global Affairs Canada (GAC) and the other to Immigration, Refugees and Citizenship Canada (IRCC). The review notes the RCMP failed to show they considered how each disclosure would help the recipient deliver on national security.

The information was shared “based on a mistaken belief that disclosed information fell within the recipient’s jurisdiction.” The review notes the RCMP acknowledged to the NSIRA the information they shared was not compliant under SCIDA. The RCMP said it was also in the process of updating its SCIDA policy.

In its third disclosure, the RCMP failed to meet the second part of the disclosure test.

According to the review, the RCMP received information on thousands of men, women, and children who an unknown third party detained for their alleged involvement in terrorist organizations. The information was sent by a “trusted foreign partner,” along with detailed notes indicating how the information was obtained.

The RCMP shared the initial data set with the DND – CAF because of its counter-terrorism mandate and their operations in the regions where the named individuals were detained. But the RCMP failed to share the additional detailed information on how the information was collected. It also didn’t have any record of receiving this information.

DND – CAF said the information was not integrated into its system but the information has to be held onto for “force protection and to rapidly identify threats.”

Recommendations

The review led to two recommendations relevant to this case. The first asks the RCMP to finish updating its SCIDA policy, update decision-makers on the requirements of the disclosure test, and make sure all information is appropriately documented.

The second is that the RCMP provides the remaining information to the armed forces, and DND-CAF assesses whether or not keeping the personal information they have on hand is necessary.

Source: National Security and Intelligence Review Agency/Office of the Privacy Commissioner of Canada

Privacy must continue to be considered in the Competition Act, Privacy Commissioner says

Daniel Therrien says data and privacy will play an essential role in future discussions on Canada’s competition policy.

Canada’s Privacy Commissioner made the comments in a submission to Senator Howard Wetston’s consultation on what the Competition Act will mean in a world that continues to digitize. The Act focuses on competition and anti-competitive practices in various industries across Canada.

Therrien says the relationship between privacy, competition, and consumer protection continues to grow with the digital transformation of Canada’s economy.

He says it’s not hard to imagine how organizations could engage in anti-competitive behaviour when it comes to privacy, given it’s a “non-price factor,” meaning it’s something that will alter the demand for a specific service but only to a certain extent.

“If a reduction in the number of competitors in a market is likely to lead to increased prices, the inverse can be true with respect to privacy protection as an element of product quality,” he says. There’s less incentive to enhance privacy with fewer competitors, leaving customers with limited options.

For example, if a company were to track and monetize customers’ online habits in a market with limited competition, customers would have little choice. They could accept the tracking of their information or stop using the service, a hard sell given it may not be practical, Therrien notes.

He further says there needs to be continued support for collaboration across different regulatory branches. Therrien points to the Competition and Consumer Commission of Singapore as an example. The regulatory body has stated that data protection will be an essential factor.

“I would encourage you to consider, where appropriate, amendments to the Competition Act that would enable, or strengthen, cooperation with all regulators who share responsibility for overseeing digital markets,” Therrien says in closing.

The privacy commissioner’s office also serves as a co-chair for the Global Privacy Assembly’s Digital Citizen and Consumer Working Group, which examines the intersection of privacy and competition.

Source: Office of the Privacy Commissioner of Canada

Mozilla added its VPN to the excellent Multi-Account Containers add-on for Firefox

Mozilla is making its ‘Multi-Account Containers’ add-on for Firefox more powerful by allowing users to combine containers with a virtual private network (VPN).

Multi-Account Containers, for those unfamiliar with the add-on, allows Firefox users to “contain” different online accounts into separate spaces, all within a single browser window. Containers also isolate browsing history, cookies, tracking information, and more, making them great for privacy.

For example, if you have multiple accounts for an online service like email, Multi-Account Containers would let you log in to those accounts without having to deal with annoying account switching or other issues.

Multi-Account Containers have been available as a Firefox add-on since 2017, but there are several other extensions that leverage the capability as well. I’ve used Firefox containers for a while now, but I haven’t installed that specific extension. Instead, a combo of Mozilla’s ‘Facebook Container’ add-on and the ‘Temporary Container’ add-on has worked fine for me.

The former automatically opens Facebook pages in a separate container to help prevent the company from tracking you across the web, while the latter lets me create temporary containers with the click of a button that get deleted when I’m done with them. Beyond that, I use a ‘Work’ container and a ‘Personal’ container to help keep my various work and personal accounts separate.

Anyway, the new VPN capability only adds to the already excellent capabilities of Multi-Account Containers by allowing users to set specific VPN settings for each container. For example, you could set your ‘Banking’ container to always open using a VPN located in your home country while you use a different container tab using a VPN located in the U.S. to browse the American Netflix catalogue. It’s worth noting that if you don’t use Mozilla’s VPN service, you can click the ‘Advanced Proxy Settings’ button in Multi-Account Containers to set any proxy you want.

Alongside the Multi-Account Containers and VPN crossover, Mozilla announced that its VPN ‘multi-hop’ feature, which lets users route traffic through two different servers, is now available on Android and iOS.

You can learn more about using Multi-Account Containers with VPNs here.

Source: Mozilla Via: The Verge


You should download iOS 15.3 to fix a bug that could reveal your browsing data

Apple dropped a series of updates on January 26th that fix a previously reported WebKit bug that could allow websites to see other sites you accessed on your Apple device.

If you use an iPhone or iPad, you’ll want to update to iOS or iPadOS 15.3 as soon as possible to fix the bug. There’s less of a rush for Mac users to update since they can mitigate the bug by using other web browsers — however, if you regularly use Safari on your Mac, you should download the Safari 15.3 update right away.

The bug, first reported to Apple in late November by FingerprintJS, affects web browsers that use WebKit, the open-source foundation for Apple’s Safari browser. Apple also mandates the use of WebKit on iOS and iPadOS, meaning any browser made for Apple’s mobile OS (including Chrome, Firefox, et al.) is also impacted by the bug.

A short explanation is that WebKit’s implementation of a commonly used JavaScript API for storing web data on devices allowed websites to view the names of other sites that had stored data on a given device. Typically, browsers apply the same-origin policy to prevent this. You can learn more about the bug and how it works here.

The iOS 15.3, iPadOS 15.3, and Safari 15.3 updates all include a fix for the issue. It’s good to see the fix applied, especially after FingerprintJS highlighted Apple’s lack of response earlier this month.

9to5Mac confirmed that a beta version of the update fixed the problem using a demo tool provided by FingerprintJS on its website.

If you use an Apple device, you’ll want to install the update right away. Here’s how:

  • iPhone/iPad – Open Settings > General > Software Update.
  • macOS – Click the ‘Apple’ menu in the top-left corner > System Preferences > Software Update > Update Now (You can also click ‘More info’ to view a list of available updates and specifically install the Safari update).

Source: Apple (iOS/iPadOS | Safari) Via: The Verge


Millions in recent funding make 1Password one of Canada’s most valuable tech companies

Toronto-based cyber security company 1Password has grown its net worth into the billions.

A statement from the company shows it raised $620 million USD (roughly $774 million CAD) in recent rounds of funding. This is the largest amount raised by a Canadian company.

1Password is now valued at $6.8 billion USD (roughly $8.4 billion CAD).

The company creates technology that helps businesses keep their information safe and focuses its products around human actions. It allows companies to keep track of what apps employees are downloading without permission, possibly breaching security guidelines.

“Our mission has always been to ease the tension between security and convenience, and the opportunity to deliver on this has never been bigger for 1Password,” Jeff Shiner, CEO of 1Password, said in a statement.

Investments came from a barrage of people, including celebrities and CEOs. Executives at LinkedIn, General Motors, and Snowflake Computing are also investing.

Over the past 24 months, the company’s customer base grew past 100,000, leading to the hiring of 570 employees.

The company will use the additional funds to develop security solutions that will help companies protect private data and other information. This will focus on improving the company’s existing security measures and creating better habits for employees.

“That way, we can tackle the biggest security threats facing the modern workforce and deliver on the promise of providing a safer life online for families and businesses around the world,” Shiner said.

Image credit: ShutterStock

Source: 1Password