> NEHotspotHelper allows your app to participate in the process of authenticating with hotspot networks, that is, Wi-Fi networks where the user must interact with the network to gain access to the wider Internet.

> NEHotspotHelper is only useful for hotspot integration. There are both technical and business restrictions that prevent it from being used for other tasks, such as accessory integration or Wi-Fi based location. Before using NEHotspotHelper, you must first be granted a special entitlement (com.apple.developer.networking.HotspotHelper) by Apple.

Which makes sense, but then why exactly are apps like WeChat and Alipay granted this entitlement?

Then they can spy on us for our main use case

Entitlements are granted (statically, per developer certificate or maybe app ID, not sure) by Apple, permissions are (optionally) granted by users at runtime.

The only way to not have an app making use of an API gated by (only) an entitlement is to never install it.

Of course there could be permissions that are gated behind entitlements, but in this case it seems to be only an entitlement.

I personally use several different terminal/Unix emulator/SSH client apps on iOS that request the "background location" permission solely because there is no actual "background execution" API.

I always find it funny when people boast about how great certain things are in the US without ever have traveled to HK, Singapore, Tokyo, Beijing etc...

Most people dont realize just how entangled mobile life is in Asia, way more than in the US.

   1. Create app that does 1 thing
   2. Add more features to app
   3. Abuse superset of permissions
   4. Gov leans on app owner
   5. Gov abuses superset of permissions

The fact the State is wholly evil in other ways does not lessen the worry; it multiplies it.

I mean, back when the west had WAP there were articles saying NTT DoCoMo had much more advanced phone technology, sure.

But in terms of making it into the cultural consciousness - you don't see ubiquitous asia-specific mobile super-apps in cultural exports like 'Squid Game' or 'Spy X Family' (admittedly a lot of cultural exports aren't set in the present day)

What's the great certain things of all that?

VPN apps also seem to use it: https://github.com/pia-foss/mobile-ios/blob/4618b55161ec5b8b...

    1. application is using CoreLocation API and has user's authorization to access precise location. [This seems harmless – the app already gets the precise location anyway here.]

    2. application has used NEHotspotConfiguration API to configure the current Wi-Fi network. [This seems to be the scope of the article!]

    3. application has active VPN configurations installed. [This one is quite surprising to me!]

    4. application has active NEDNSSettingsManager configuration installed. [No idea what this is exactly, but it seems similar to the VPN one.]

Many phone manufacturers even automatically grant certain permissions when these apps are installed (the list is sometimes hard-coded into the system), since there are people who do not understand what is "permission", and they blame the phone manufacturer for not being able to use WeChat/Alipay.

I am not sure how it works in practice.

Yes, these are “super-apps” and Wi-Fi hotspot services are probably part of their offerings, but that’s just more reason this should be a user-grantable permission like “local network access”. If I don’t care for the hotspot feature, I don’t want the app to have that capability.

Ex: all the stuff FB has been caught doing over the years

My understanding (no first hand experience) is that WeChat and Alipay are basically required in China. If a phone doesn’t have them, it’s worthless and won’t sell.

So naturally they too can do nonsense that would get the rest of us booted to space.

That's a self-fulfilling property, with cause and effect going as much in the other direction: people who want that capability don't become Apple users. If you want openness, you don't pick Apple.

It’s very similar to political parties: I have yet to find one that I 100% align with in all things, yet I still vote.

I can see the appeal if you don't particularly care about owning a device, but it blows my mind that people become so dedicated to this way of living.

But thought provoking analogy - and thanks for that!

When you own a home, you are 100% liable and responsible. If anything breaks, it’s an unexpected demand on my time and/or an unexpected expense. When you rent, you just call the landlord and say “shit’s broke” and it’s no longer your responsibility. I don’t have the mental bandwidth these days for the unexpected demands the house places on me.

This is _exactly_ the experience I had with Android versus iPhone.

I bought the original Android Dev Phone 1. Still have it somewhere. Moved to a Galaxy Nexus, Nexus 4, couple of OnePlus phones, etc. Used the stock Android, Cyanogenmod, LineageOS, and others. Did all sorts of fun stuff.

Then my life got busier and busier and busier and I found myself sitting up late one night dicking with fixing something on my phone again and just was like nope, this is not how I need or want to be spending my time. My life has only gotten busier since. I don’t have time for suddenly finding out one day that the last update that I installed broke the microphone on my phone and I can no longer use it as a phone.

Using the iPhone is having a landlord. If it breaks, it’s just broken. Not only do I not need to feel responsible for fixing it, I couldn’t if I wanted to. It takes up no space in my head.

So the fact that Apple (1) generally doesn’t release terribly broken software; (2) supports their devices with updates for a long time; and (3) is vaguely respectful of privacy and security makes the iPhone an obvious winner for me.

Even just making sideloading _available_ is going to shift the space my phone sits in my head. It’s no longer going to be “it works or it doesn’t, if it works and you don’t like how it works that sucks nothing to do about it so you may as well forget about it”. It’s going to be a constant “this is vaguely annoying I bet I could find a replacement dialer that _does_ allow you to search your call history…”. I’ll literally pay a premium for someone to take options away from me rather than have yet another place I need to exercise my self control.

I already spend all day with needy computers fixing and improving and such. Having a dumb appliance that lets me not do that is what I _want_.

Nobody needs to be dedicated to a lack of choice/freedom for Apple's business model to work.

Being begrudgingly ok with it works just as well, just like they don’t price their products at “oh wow, that’s a steal, I’ll take one as a spare”, but rather somewhere close to “oh wow, but I guess I don’t buy this every day, and maybe with an installment plan…”

At minimum - even if you're running de-Googled Android - the baseband blob has high levels of access and you have no control over it.

I'm not saying Apple isn't worse with this, but the illusion of phone ownership spreads a lot further.

I do see the value of having autonomy over the devices I conduct my digital life on (whether owned or rented, for that matter!), but I'm not sure if the concept of physical ownership is the right model here.

How my personal data is being processed in other people's and the government's systems is just as relevant to me, and conversely, I'm fine with some opaque blobs of other people running on my hardware, as long as they're properly sandboxed (i.e. can't phone home freely or access any of my data that's none of their business), and I see the mutual benefit in them.

If you need a smartphone, you can choose between a company that has some missteps, or a demonstrably evil spy network. I know who I am choosing.

I don't really trust of those big companies, which is where GrapheneOS really shines. Open source, lots of enhanced privacy controls, but also as much of the Google ecosystem as the user wants. If you maximally distrust everyone, you can roll with pure FOSS. If you're somewhere in the middle like most people, you can pick and choose the pieces that are worth it to you (Google's Pixel Camera app is a common one for example). Graphene OS is also trivial to install now thanks to the web installer, so pretty much anybody who can load a web page, plug in a USB cable, and follow the explicit instructions to unlock the bootloader (which is stuff like, "open settings" -> "click about", etc) can do it.

I’ve done the “just buy unlocked hardware and install this or that” in the past. My phone ended up taking up way more of my time than I’m willing to let it and my life has only gotten busier since.

Needless to say that's not for me and I will probably keep sporting Androids (in my case I am happy with Samsung's top ultra offerings) since I actually use those added features, ie saving 500 bucks on proper expensive variometer for paragliding and instead hooking it up via OTG cable with basic one with good sensor but without display, for 10% of the price... needless to say relevant app isn't on play store neither. And so on.

But we certainly have choice on the market. I just wish Apple would properly focus on user security and shielding them from the worst of internet, and less on milking advertising, what I see so far didn't convince me it isn't just sophisticated marketing and not much more. You already pay premium on the device, its a proper spit in the face to be so visibly milked more and more, thats pure corporate greed.

What I mean - my wife with iphone pops up browser, I pop up mine with firefox and ublock origin. Internet is utterly useless and horrible place on her phone, while completely fine on mine (plus I get youtube ads blocking as a bonus)

Sure it’s $1.99 but we support indie developers here on HN don’t we?

It’s a set it and forget it type of deal, no more ads in Safari.

0: https://apps.apple.com/us/app/wipr/id1030595027

I would be shocked if many of these "surveillance loopholes" aren't silently mandated by government agencies around the world.

If there is an entitlement, it is as of yet unclear whether it means a consent dialog/privacy toggle or not. IIRC an entitlement only means you can ask for this sort of access, not get it automatically, but I may be wrong (I’ve never gotten far in iOS dev).

We can argue that this feature is misnamed, regular users will not understand what it is and would not be giving informed consent, and I can get behind that, but “automatic access to my private data on my device” looks like jumping to conclusions.

Is that what "local network access" means? I thought that was for controlling network connections to LAN ips and/or to send multicast packets (eg. mdns).

It is different from continuously getting a list of all SSIDs within your Wi-Fi range, even those you never connected to. This is what allows shady apps infer location (this, and massive databases of SSID matched to coordinates).

What you described is also a feature of WireGuard iOS, and it needed no permission.

But according to this [1] post (by an Apple employee?), having an enabled VPN profile seems to indeed be opting the app in to receiving the current SSID without the location permission, at least for some time and since iOS 14.

[1] https://developer.apple.com/forums/thread/679038

Either way, being able to get a list of networks user connected to is unrelated to the feature under discussion.

Other things are just available to any developer but have to have a user prompt, for example saving to the photo library.

From looking at https://developer.apple.com/documentation/bundleresources/en... I would say there are many more entitlements than consent screens, the phrasing suggests there is no 1:1 mapping between them and is not clear on whether they reliably come with consent screens (I suspect not).

It is very unfortunate that there is little clarity on that in the docs, and that entitlements are not exposed anywhere in the GUI. Sure, they are too technical, but they could at least be shown in some advanced info pane. I am seriously considering if I can dejail an old iPhone and perhaps inspect some big name apps for what they have been entitled to.

And Apple does generally prompt for location permissions, as does Google on Android.

It’s a great time of year to donate to the EFF.

Edit: I can only find services marketed towards the nonprofit, not for the donor. A service that aggregated and automated all the nonprofits I want to regularly donate small amounts to would be great. I think it would be important to not require the nonprofits direct involvement in order to allow me to donate as diversely as I want.

Database of approved nonprofits, can set up arbitrary amounts as recurring payments, and automatic matching if you do the donations through their site.

It’s not quite “I got $500 this month to give back, scatter it amongst my chosen charities” but you could definitely use a service like that to set up baseline donations.

I don’t do scheduled donations; prefer to spool it up and make a splash when employer offers 2:1 match. Don’t think I’ve seen that in all of ‘23, though, so settling for 1:1 now.

I just did my end of year matching gift donating through the portal at work.

I guess I left out Ukraine, which needs fixing. But did get FSF, EFF, the regional food bank, and a niche human rights org.

Let me tell you, causing my employer donate to the EFF in particular is always one of the high points of my year. Even better when there’s 2:1 matching, which they seem to not offer this year (I dig deep in my own pocket when they do have that because, hey, 2:1!). It’s hilarious and oh so satisfying.

Dunno if these apps do that or not, but I can easily imagine that using them is a Hobson's Choice even in OSS utopia: take the horse offered (app with tracking) or don't have a horse.

You can sit there and stew over the gall of those people to do it, but if you piss them off enough, it will happen.

To the extent that you can't (network effects or legal obligations or whatever) you still won't be able to if the code of those apps is made available under any license of your choice.

I think it's more like a child buying a teams jersey so that he can play on the team, but he can still get kicked off the team if he doesnt follow the rules. You can't argue "but I paid for the uniform with your logo, you must let me play 1st base!"

Sure the child still owns the uniform, and maybe he can get some use out of it or sell it off for spares (parts) to other people, but him paying doesn't make him own the team.

I mean, we just allowed Car Manufactures to pump as much contact data and location data as they can off your phones and sell it to whomever they'd like risk free and legally.

We have laws against physical trespassing, but when it comes to 'data' trespassing on applications that you install or come with your phone we're still in the wild west.

Is there any evidence that car manufacturers are harvesting data from drivers' phones and selling it without consent?

I think.

Legal advice about what is and isn't legal under GDPR (and equivalents) varies a lot.

What makes this any different? It really seems more like an oversight than a conscious decision, similarly to how (I believe) both iOS and Android have retroactively had to bucket some of the Bluetooth LE permissions into "location", since that's what you can effectively do with them.

This is an interesting worldview to have in 2023.

And assuming for a second this is indeed an intentional backdoor in plain sight of the world: What’s in it for Apple?

Hanlon’s razor still cuts in 2023, at least for me.

Perceived is doing a lot of lifting there. The public largely cannot audit Apple's ACTUAL security.

I think it should ask the user's permission.

Like seriously. I had the argument before;

Architect: we're going to fingerprint users. Me: are you going to disclose that? Architect: Of course not. Me: It's their device. You should ask. Architect: That defeats the point. Me: You either don't understand property rights, or clearly have issues with the concept of consent.

The entire IT space has been decades of building while eliding the fact these experiences are fundamentally being driven on someone else's hardware.

But that's just the world we live in I suppose.

Maybe not relevant in this particular case, but again, was more intended in the sense of a BOLO.

Does Apple do any analysis of entitlement usage and withdraw them when abused? A similar thing I remember is the Facebook VPN "scandal" where I think Apple withdrew the Facebook enterprise signing certificate?

Lately I've witnessed a number of apps asking for Local Network permission ("Foo would like to find and connect to devices on your local network") when they have no business doing so in any possible way that I can think of.

This was improved in recent iOS, but I never count on Google updating their SDKs to take advantage of iOS features on any sort of schedule. Even when they do, it will require third party apps to individually update as well.

So only the big apps can spy on you? The poster is Chinese so he cares about those 2, but how about facebook and google?

Well as long as it is just Apple that is deciding who can track me without my permission then that's okay I totally trust my corporate overlords for the wise and great Apple is incorruptible and without fault.

I understand it’s not ubiquitous.

1) It's poorly implemented. Unlike other permissions, there's no way to explicitly trigger the prompt. It just pops up at Apple's discretion. There's no way to give it a "soft landing" for cases where it's necessary for core app features. And there's no way to check if the permission has been granted or not.

2) More importantly: Apple's own apps don't trigger this warning, which makes the playing field unfair. AirPlay etc. work seamlessly, whereas any competitor's tech doesn't. And as a developer, since you can't tell if this permission has been granted or not, you're left with a poor user experience.

I'm particularly fed up of (2). If Apple is going to introduce restrictions, they need to apply to their own apps as well. AirPlay and AirDrop need to each ask for Bluetooth and local network access. The Photos app needs to trigger the "Select photos, Allow All, Deny" prompt on launch. The Camera app shouldn't be able to write to the photo library without triggering the same prompt too.

That gives them an incentive to design the user experience around these restrictions well, and maybe be more creative with how to solve for this too rather than confusing dialogs.

Currently they have a disincentive to design this stuff well. Any iOS developer that's had to work with these APIs knows that they are designed absolutely awfully with arbitrary and unexpected limitations.

But this raises a related point about how frustrating Apple's APIs are here: When an app is granted the "Write to photo library" permission by the user, it can only write. It can't read back what it's written, ever. You might expect that writing to the library might return a token that can be used to read that photo back. Nope.

Android, for all its faults, does a much better job here. The OS keeps track of the app that wrote the photo -- and that app can read that photo indefinitely, unless another app edits that photo (and thus becomes the owner). A much better design.

On iOS, to read back photos from the library, you have to ask for the "All photos" read permission, which few people will grant you. "Why does my camera want to read all the photos on my device?! Deny!".

And just like that, you can't compete with the built-in camera which shows thumbnails of recently taken photos and allows you to swipe through them.

Apple has no incentive to fix this either, because their own apps bypass this permission system.

Edit: AirPlay does not require this permission.

I take this popup to mean that they want to fingerprint and locate my home network or backdoor it somehow. I ALWAYS deny this access unless the app specifically requires it, and that is rare.

WiFi based geolocationing should be a well known privacy threat by now. The popup should really communicate that better and provide tighter controls.

If anything, I usually see this for apps that want to do playback via Chromecast/Miracast. The well-behaved apps wait until the user interacts with Chromecast output, the iffier ones ask on first launch.

So far there doesn't seem to be any traction by Google to migrate to this.

Iirc Android has always asked for location to enable Bluetooth, I wonder if there are similar apis there?

Like most here, I don’t have Wechat or Alipay installed. But I’m interested in e.g. Instagram, Facebook, Whatsapp, Twitter, Tiktok, Snapchat, Chrome, Firefox, Photoshop, Lightroom, etc.

I shouldn’t have to download and install the app just to see what kind of behaviors it is going to attempt.

The app stores know this information and it would be trivially easy to present it in the details of the app prior to down loading.

Beyond what Apple already does? https://imgur.com/a/ouEqiGG

I don't know anything about the ways Apple developers interface with the app store to submit or update or index their apps ... is it through xcode ?

I wonder if there is some function in that toolchain that actually does what I am proposing ...

When permission is requested and you've forgotten to declare that your app asks for it, the permission will be immediately denied without prompting the user.

I think that best describes it? Not sure but I agree the title as-is doesn't really ring true after reading the article.

The key question is whether Apple will play a curator role in trying to reign in the ecosystem. They have in the past (eg Uber was doing shady shit and there was a game of chicken to get them to stop). Of course Alipay and WeChat may be harder especially how Apple China is such a huge market for Apple and critical to their success now. It’ll be interesting to see how Apple adjusts to this over the next few years.

Open platforms also have this problem and also operate on pinky promises (perhaps even worse) so I’m not sure the point you’re trying to make unless it’s that “well if this problem isn’t solved I’d rather have an open platform”. The problem with that argument is that there are many issues and this is only one failure case which may be addressed in the future whereas open platforms have this one and many more that are unadressed.

For what it's worth spyware/malware consistently seems to target Android more than iOS [1]. To be fair Android has more units, but that's just one axis - iOS users should be more valuable to exploit because they're usually in a different socioeconomic bracket. Another data point is that Android developers get paid anywhere from $2k to $20k to add malware to their Google Play store app [2] - I can't find any articles similar for iOS so would be interesting to compare the marketplaces if anyone knows it for iOS.

[1] https://nordvpn.com/blog/ios-vs-android-security/

[2] https://www.bleepingcomputer.com/news/security/cybercriminal...

deep links, they go deeper than you think.

ibeacons provide very precise indoor location, think of all the behavioral data a store app can collect.

apple is not really your friend.

seriously, apple should let you

- know what is running

- know what network traffic happens

- control these thigns

- run your own programs

I would love an ios firewall program or non-neutered little snitch

That said, this maybe shows an incompatibility between Apple’s privacy strategy and “super-apps” like WeChat and AliPay. When a company shoves all functionality into one app, that app suddenly has all the entitlements, and it’s harder to tell when and how any sensitive data is being used.

The West generally doesn’t develop apps this way. For example, Comcast has a separate “WiFi Hotspots” app. Although LOL, they posted 2 days ago that its functionality is being combined into the main Xfinity app. Maybe the West is catching up.

I nope out and if the functionality of the app is trashed, so goes the app....

Google Maps constantly hounding me to turn on precision location services, asking me if I am navigating for a friend and to allow access to my contacts... Wow, no.

Precise location may be from Apple's SSID database or from a GPS system.

Non-precise location may help with getting more appropriate search results but won't help you with turn-by-turn navigation.

Where do you revoke this entitlement on iOS? Settings → Privacy & Security → Local Network? Or is this something else?

Users are asked for permissions and those permissions can be revoked. This entitlement doesn’t correspond with its own unique permission, either it works without permission from the user or it might be bundled into Local Network or Location Permissions.

https://www.theverge.com/2023/7/26/23808796/elon-musks-x-eve...

Increasingly clear that Apple is in charge of what happens on your devices not the users themselves.

If you’re a software developer, you must understand that the user cannot actually understand what any code is doing. Even if you’re using open source, it’s an illusion to think you know what it’s doing. Heck, even the developer doesn’t know what it’s doing a lot of the time (how long does it take to figure out what’s happening with a tricky bug?).

So yes, Apple’s policies do mediate what a developer can do on behalf of the user. That’s how it works.

The history of smartphones is control being tightened further and further over time. With the phones you had, apps could track your location lots of different ways, and over time those data leaks are being bricked shut. Everything is moving in the direction from "Apps can do whatever they feel like" to "Apple controls what apps can do" to "The user controls what apps can do".

This specific leak seems like it's stuck in the "Apple controls what apps can do" stage, so hopefully this post will help get it moving again.

They are checking the environment for stuff that might have known locations, which is different. You can do the same with bluetooth/BLE.

The user must be in control of whether their location is disclosed to an app.

Not anymore you can't. Sometime before 2020 apple, and also google, started treating BLE scanning as an operation needing location permissions. (I had to deal with this transition while submitting an iOS app that connected to a BLE device which actually had a GPS module in it)

As of now, I still have to turn on location on my android phone to connect to some BLE devices.

How? By searching it in https://wigle.net.

That ended the debate quite swiftly.