Domain: zdziarski.com
Stories and comments across the archive that link to zdziarski.com.
Stories · 11
-
WhatsApp Isn't Fully Deleting Its 'Deleted' Chats (theverge.com)
Facebook-owned messaging app WhatsApp retains and stores chat logs even after those messages have been deleted, according to iOS researcher Jonathan Zdziarski. The Verge reports: Examining disk images taken from the most recent version of the app, Zdziarski found that the software retains and stores a forensic trace of the chat logs even after the chats have been deleted, creating a potential treasure trove of information for anyone with physical access to the device. The same data could also be recoverable through any remote backup systems in place. In most cases, the data is marked as deleted by the app itself -- but because it has not been overwritten, it is still recoverable through forensic tools. Zdziarski attributed the problem to the SQLite library used in coding the app, which does not overwrite by default. WhatsApp was applauded by many privacy advocates for switching to default end-to-end encryption through the Signal protocol, a process that completed this April. But that system only protects data in transit, preventing carriers and other intermediaries from spying on conversations as they travel across the network. -
Private Data On iOS Devices Not So Private After All
theshowmecanuck (703852) writes with this excerpt from Reuters summarizing the upshot of a talk that Jonathan Zdziarski gave at last weekend's HOPE conference: Personal data including text messages, contact lists and photos can be extracted from iPhones through previously unpublicized techniques by Apple Inc employees, the company acknowledged this week. The same techniques to circumvent backup encryption could be used by law enforcement or others with access to the 'trusted' computers to which the devices have been connected, according to the security expert who prompted Apple's admission. Users are not notified that the services are running and cannot disable them, Zdziarski said. There is no way for iPhone users to know what computers have previously been granted trusted status via the backup process or block future connections. If you'd rather watch and listen, Zdziarski has posted a video showing how it's done. -
Researcher Finds Hidden Data-Dumping Services In iOS
Trailrunner7 writes There are a number of undocumented and hidden features and services in Apple iOS that can be used to bypass the backup encryption on iOS devices and remove large amounts of users' personal data. Several of these features began as benign services but have evolved in recent years to become powerful tools for acquiring user data.
Jonathan Zdziarski, a forensic scientist and researcher who has worked extensively with law enforcement and intelligence agencies, has spent quite a bit of time looking at the capabilities and services available in iOS for data acquisition and found that some of the services have no real reason to be on these devices and that several have the ability to bypass the iOS backup encryption. One of the services in iOS, called mobile file_relay, can be accessed remotely or through a USB connection can be used to bypass the backup encryption. If the device has not been rebooted since the last time the user entered the PIN, all of the data encrypted via data protection can be accessed, whether by an attacker or law enforcement, Zdziarski said. Update: 07/21 22:15 GMT by U L : Slides. -
Open Source Brings High-End Canon Camera Dynamic Range Closer To Nikon's
PainMeds writes "Magic Lantern is an open source 'free software add-on' that 'adds a host of new features to Canon EOS cameras that weren't included from the factory by Canon.' One of ML's newest features is a module named Dual ISO, which takes advantage of the sensor in some of Canon's high-end cameras (such as the 5D MK II and MK III) to allow the camera to capture an image in two different ISOs, greatly expanding the dynamic range of the camera, and bringing its dynamic range closer to Nikon's popular D800 and D4." -
OnStar Terms and Conditions Update Raises Privacy Concerns
PainMeds writes "An article by author Jonathan Zdziarski reveals that OnStar has recently updated their terms and conditions to allow the company to sell customer GPS coordinates, vehicle speed, and other information to third party marketers and analytics companies, where it could be used for a number of nefarious purposes. He says, 'To add insult to a slap in the face, the company insists they will continue collecting and selling this personal information even after you cancel your service, unless you specifically shut down the data connection to the vehicle after canceling. ... It sounds as though OnStar is poising part of their analytics department to be purchased by a large data warehousing company, such as a Google, or perhaps even an Apple. Do you trust such companies with unfettered access to the entire GPS history of your vehicle?" -
Web Bugs the New Norm For Businesses?
An anonymous reader writes "What ever happened to the good old days, when underhanded email practices were only used by shady email marketing companies and spammers? Today, it seems, the mainstream corporate world has begun to employ the same tactics as spammers to track their customers' email. Jonathan Zdziarski noted in a blog entry that AT&T is using web bugs to track email sent to customers. Could this be used for nefarious purposes?" -
Apple Attempts to Patent Pre-Existing Display Software Idea
Nuclear Elephant writes "Apple appears to be taking ideas from commercial software already being sold and is attempting to patent the concepts as their own. According to Apple Insider, Apple has recently filed a patent application for a notification screen on the iPhone. The only problem with this is that Intellisync has been using this concept in their popular iPhone notification screen software for over a year now, and it doesn't take a rocket scientist to see that this is a clear rip-off. Apple recently became famous (or infamous) for stealing other people's ideas when they rolled out their Dashboard in Mac OS X, which had many similarities to a desktop widget program named the Konfabulator, which later became Yahoo widgets. The case here isn't a simple hijacking of an idea, however — Apple is applying for a patent on Intelliscreen's concept, which could be detrimental to the original manufacturer of the software, who is actively selling it for Jailbroken iPhones" -
IPhone 3G Jailbreak Released, Paves Way For Open Source Apps
PainMeds writes "iPhone Atlas is reporting that the first jailbreak for the iPhone 3G has been released, and includes the popular Cydia community installer for distributing free games and applications. Since Apple's SDK was released, web sites have criticized Apple for the restrictions placed on both what developers could write and what APIs they were allowed to use. Others have noted the SDK's incompatibility with the GPL. The Cydia installer has provided a distribution channel for both open source software and software that would otherwise be impossible to build using the restricted SDK. A few applications are already out, including MobileTerminal and NES.app, a Nintendo game console emulator. In just over a week, open development is finally here for the iPhone 3G!" -
Full Disclosure and Why Vendors Hate It
An anonymous reader writes "Well known iPhone hacker Jonathan Zdziarski gave a talk at O'Reilly's Ignite Boston 3 this week in which he called for the iPhone hacking community to embrace full disclosure and stop keeping secrets that were leading to the iPhone's demise. He has followed up with an article about full disclosure and why vendors hate it. He argues that vendor-only disclosure protects the vendors and not the consumer, and that vendors easily abuse this to downplay privacy concerns while continuing to sell insecure products. In contrast, he paints full disclosure as a capitalist means to keep the vendor accountable, and describes how public outcry can be one of the best motivating factors to get a vulnerability addressed." -
Jail-Breaking iPhones at the Apple Store
An anonymous reader writes "According to an article in Xconomy, iPhone hacker and author Jonathan Zdziarski was invited to speak at an Apple Store in Cambridge, MA last week where he talked about the history of iPhone hacking, jail-breaking, and limitations of the official SDK. From the article, "Zdziarski was one of the first software engineers to figure out how to hack the iPhone, and he's the author of a forthcoming O'Reilly Media book called iPhone Open Application Development, which gives readers explicit instructions on jail-breaking iPhones. So for Apple to give Zdziarski the podium at an Apple retail location is a little like Steve Ballmer inviting Linus Torvalds to speak at a Windows product launch." Zdziarski reports in his own blog how the open source community was on the iPhone developer scene as early as 2007, long before enterprises got there, and estimates that nearly 40% of all iPhones have been jail-broken to run the third-party community software installer. Finally, this story from Top Tech News suggests that open source software might actually create competition for Apple's "official" developers, because applications using the open source iPhone compiler are not subject to the same limitations as official Apple SDK programs are." -
Dell Laptop Burns House Down
Nuclear Elephant writes "The Consumerist is running a story about a house burned down by a Dell laptop. 'My 130-year-old former farm house was engulfed in flames, with thick dark smoke pouring out of the windows and roof... Hours later, after investigation the fire marshal investigator took me aside asked me if I had a laptop computer. Yes — I told him I had a Dell Inspiron 1200.' It was determined that the laptop, battery, or cord malfunctioned after its owner left for work, leaving the fire to spread through the entire house. All attempts to contact Dell have failed. 'I have tried to call Dell to at least notify them of my problems, but each time I have called I get transferred into an endless loop of "Joe" or "Alan" all speaking a delectable version of English I presume emanates from Bangalore. I have been outright hung up on each time I get someone who speaks a reasonable version of English, or sounds like they might be in charge of something. Promises of call backs have gone, of course, unreturned.'"