
Apple OHTTP Relay - Exposes User Data Through Third-Party Endpoints

Summary by CyberPings Editorial · AI-assisted · Reviewed by Rohit Rana

Basically, Apple routes your caller ID data through many unknown companies without telling you.

Quick Summary

Apple's OHTTP relay for Live Caller ID Lookup routes user data through 14 third-party endpoints across six countries. This lack of transparency affects all iPhones running iOS 18+, raising serious privacy concerns. Users deserve to know how their data is being handled.

What Changed

Apple's new Oblivious HTTP (OHTTP) relay for Live Caller ID Lookup in iOS 18+ has sparked significant privacy concerns. The system routes user data through 14 third-party endpoints located in six different countries. This setup raises questions about data transparency and user consent, as Apple has not disclosed this information to its users.

How This Affects Your Data

The OHTTP relay connects devices to various third-party services, including an anonymous Delaware LLC sharing data with OpenAI, a Russian endpoint operated by Yandex, and a Swiss company whose privacy policy is vague about its data handling practices. This means that sensitive user data, such as caller ID information, may be exposed to entities without the users' knowledge or consent.

Who's Responsible

Apple is at the center of this controversy, as it has implemented this system without adequately informing its users. The networkserviceproxy daemon on iPhones executes numerous background tasks that facilitate these connections, which appear inconsistent with the stated function of the service. Users expect privacy and security, yet this infrastructure raises serious red flags.

How to Protect Your Privacy

  • Review Your Settings: Check if the Live Caller ID Lookup feature is enabled on your device and consider disabling it if privacy is a concern.
  • Stay Informed: Keep up with updates from Apple regarding privacy policies and any changes to the OHTTP system.
  • Use Alternative Services: Consider using third-party caller ID services that prioritize user privacy and transparency.
  • Advocate for Transparency: Encourage Apple to provide clearer information about data handling practices and to improve user consent mechanisms.

Technical Details

The endpoints identified include:

  1. Taiwan Mobile Co., Ltd.
  2. StopScam LLC
  3. Yandex
  4. Truecaller
  5. Google APIs

These endpoints have been confirmed through various technical methods, including sysdiagnose captures from production iPhones. This shared infrastructure means that all devices using the Live Caller ID Lookup feature are potentially affected.

Conclusion

Apple's OHTTP relay system for Live Caller ID Lookup has raised serious privacy concerns due to the involvement of multiple third-party endpoints. Users are left in the dark about how their data is being handled and shared. Immediate action is required to ensure user privacy and transparency in data handling practices.

🔒 Pro insight: This incident highlights the need for stricter regulations on data transparency and user consent in tech ecosystems.

Original article from Full Disclosure
