
Without control of the client, it gets much harder to fight abuse.


If you've ever worked on an online service, you might realize that what you ship for the client is almost irrelevant -- it can all be reverse engineered and an unofficial client can _always_ be created. This happens for all online services, even if it's just someone's data-mining app running on a local machine. The number one rule is "never trust what comes from the client", because it's trivial to create carefully-crafted network calls to basically do whatever the API allows (and sometimes more than what was supposed to be allowed).

So, obviously 3rd party clients are thus able to perform malicious acts, but existing laws already forbid this.

My suggestion to ensure 3rd party clients are always legally permitted isn't mutually exclusive with existing laws protecting the creators of services and software. :)


You should check out Apple App Attest -- this just isn’t true any more for mobile.

https://developer.apple.com/documentation/devicecheck/valida...


I haven't read it thoroughly, but given the App Attest service runs on the OS, why can't someone just find the certificate for it hidden somewhere and use that to sign fake attests in userland? This is just an extra layer of obfuscation. It doesn't prevent someone from faking api calls with no app (or phone) involved.


Given that this only runs on certain Apple hardware, I wouldn’t be surprised if the Secure Enclave holds that certificate and can confirm at an extremely low level that it is being used only to sign a hash of the app code itself and a shared secret with the app developer.

Brilliant, in a scary way. In a way it makes data portability regulations all the more important.


From my quick reading of the docs:

It generates a public-private key pair that is stored in the secure enclave, then it sends that public key (or the hash maybe) to Apple for them to sign. The rest of the stuff is as you expect.

One could simply figure out how the request to Apple is made to get them to sign a key, and that's that. Get them to sign a key and pretend to be the app from now on.

I guess this prevents spam from someone signing thousands of keys using a specific phone's serial number, though. Assuming there's a unique public-private key for each phone Apple makes, one can't simply get them to sign keys with random serial numbers.


The way these schemes usually work is that the pairing is done at the factory. Apple switch the iPhone on for the first time as it's being made, it generates a private key that never leaves the secure chip and then presents the public key. The public key is then signed to create a certificate chain and the certs handed back to the device for storage.

So, there's no way to beat it except by extracting a private key, or by using some software exploit to confuse it into signing the wrong thing.
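
A simplified model of the chain-of-trust and challenge checks discussed in the comments above, added here as an example; it is not part of the thread and is not Apple's App Attest protocol or message format. All names (`vendorRoot`, `provisionDevice`, `signRequest`, `verifyAssertion`) are hypothetical, and an ordinary in-memory P-256 key stands in for the hardware-held key.

```javascript
// Simplified attestation model (NOT Apple's App Attest format); all names are hypothetical.
const crypto = require('crypto');
const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const spki = (pub) => pub.export({ type: 'spki', format: 'der' });

// Factory step: the vendor root signs the device's public key once.
const vendorRoot = newKey();
function provisionDevice() {
  const device = newKey(); // private half stands in for the key kept in the secure chip
  const cert = crypto.sign('sha256', spki(device.publicKey), vendorRoot.privateKey);
  return { device, cert };
}

// Device side: sign the server's challenge together with the request body.
function signRequest(privateKey, challenge, body) {
  return crypto.sign('sha256', Buffer.concat([challenge, Buffer.from(body)]), privateKey);
}

// Server side: trusts only vendorRoot.publicKey and challenges it issued itself.
const outstanding = new Set();
function issueChallenge() {
  const c = crypto.randomBytes(16);
  outstanding.add(c.toString('hex'));
  return c;
}
function verifyAssertion({ devicePub, cert, challenge, body, signature }) {
  // 1. The device key must chain to the vendor root.
  if (!crypto.verify('sha256', spki(devicePub), vendorRoot.publicKey, cert)) return 'untrusted-key';
  // 2. The challenge must be one we issued and have not consumed yet (anti-replay).
  if (!outstanding.delete(challenge.toString('hex'))) return 'stale-challenge';
  // 3. The signature must cover exactly challenge + body.
  const msg = Buffer.concat([challenge, Buffer.from(body)]);
  return crypto.verify('sha256', msg, devicePub, signature) ? 'ok' : 'bad-signature';
}

// Constructed scenarios: genuine request, replay, self-made key, altered body.
function runDemo() {
  const { device, cert } = provisionDevice();
  const body = '{"action":"post"}', c1 = issueChallenge();
  const good = { devicePub: device.publicKey, cert, challenge: c1, body,
    signature: signRequest(device.privateKey, c1, body) };
  const genuine = verifyAssertion(good), replay = verifyAssertion(good);
  const fake = newKey(), c2 = issueChallenge(); // key generated outside the factory
  const selfSigned = verifyAssertion({ devicePub: fake.publicKey, challenge: c2, body,
    cert: crypto.sign('sha256', spki(fake.publicKey), fake.privateKey),
    signature: signRequest(fake.privateKey, c2, body) });
  const c3 = issueChallenge();
  const tampered = verifyAssertion({ ...good, challenge: c3, body: '{"action":"spam"}',
    signature: signRequest(device.privateKey, c3, body) });
  return { genuine, replay, selfSigned, tampered };
}
```

The model covers only what the server can check; whether the signing key can be driven by other software on the device, the question raised in the replies that follow, is outside it.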


You don't need to extract the private key though, just use it to sign things. So if you have shell access on the phone, you can tell the SE to sign the request you want.


Only to some extent. Apple work very hard to prevent that from being possible, and it's not necessarily signing just anything the app processor sends. Usually this stuff is integrated with the bootup process.


It isn't true for iOS devices, perhaps. I refuse to run an OS that supports such nonsense. Right now a custom Android rom is sufficient. In the future I expect I'll be moving to one of the Linux distros once they have better support for mobile.


Does this still work on jailbroken phones where you can let apps modify the memory of other running apps (à la CheatEngine)?


"Never trust the client" is true, but in practice, some control over the client still helps reduce abuse if you make third party clients a lot harder (e.g. remote attestation).


Back when MechWarrior Online was still pretty new, I reversed the login app (100% .NET, very little obfuscation) which allowed me to access test servers that were testing an unreleased map. Fun times.


I agree with you, but specifically, I believe it is the user which should have this control. This prevents abuse by the service provider.


Do you also support games using client-side anti-cheat in your OS kernel?


This seems a bit unrelated but I'll chime in with my opinion.

Unfortunately for some types of games (first person shooters), a modified client can be game ruining for other players. For me, as long as it's only running while the client is running, and doesn't send private data remotely, I'm okay with it.

At least on Windows there's not much difference in terms of privacy of something running in the kernel vs userland in the same user as your important documents. It can read your entire filesystem and attach to running apps anyway without needing kernel access. So the "in your OS kernel" part is only concerning if their anti-cheat is coded poorly enough to cause a BSoD.


All wonderful. Except the anticheat doesn't work and only active moderation stops the game from being ruined.


It prevents the more amateurish cheats, which by itself reduces cheating in the community by a lot. Obviously in these kinds of games, active policing is the only way to find the most sophisticated cheaters. But the anti-cheat does help.


Well, if valid uses for clients are outlawed then the only people buying clients will be the ones trying to abuse the system. So really all the policy does is change the market.


Meta isn't some utility people can't live without. It's optional. If you're worried about abuse, then don't use it.


> Meta isn't some utility people can't live without.

This is not true for large parts of society.

There are many institutions which force you to communicate via Facebook, so not having access to it means you're locked out of parts of your real life.

This is horribly wrong by those institutions, of course, but here we are. It should be illegal, but isn't yet.


Which institutions? If it affected “a large part of society”, I would imagine that I would be aware of it.


Schools tend to be the worst offenders, clubs, companies (heard of at least one company which only honors warranty support via Facebook!).


Ask them to use something else, or get an exception by explaining that you were banned. It isn’t endemic and there are always options. After the Cambridge Analytica scandal, Facebook no longer has unbreakable mindshare. This is especially true the younger the generation.


> Ask them to use something else, or get an exception by explaining that you were banned. It isn’t endemic and there are always options

Good luck if it's a business or public org. Why change their process for what amounts to a minority of customers? It's not worth the cost. Whether these people can't do business with them despite these services being essential to everyday life... well tough luck for them I guess?

Own example: in $COUNTRY almost all banks use either their app or Viber to send 2FA. I refuse to use Viber out of principle, and also their app refuses to work on phones that don't use Google services. Should I be locked out of my banking because of me refusing to support the practices of other, unrelated services that happen to be 'popular'? Note that there is no other way to get the codes - other banks may use SMS but that is expected to be sunset next year and they will switch to the same methods.

IMHO it's disingenuous to say that there are options, when most of the time there aren't any.


It’s not as endemic as you make it out to be or there would be a public outcry.

Banking and social media are also two very different industries. One is essential while the other is mainly bread and circus with a myriad of alternatives.


> It’s not as endemic as you make it out to be or there would be a public outcry.

It's a matter of time. Even if it's not endemic in the US (which I severely doubt) it's endemic elsewhere. Don't underestimate the public's ability to put up with things, especially if they are mostly kept in the dark about the most sinister effects.

> Banking and social media are also two very different industries. One is essential while the other is mainly bread and circus with a myriad of alternatives

Both are essential. Social media is what you make of it. It can be bread and circus, yes, but it is also an invaluable tool for communication. Losing access to them can stifle your communication efforts by a lot. Why, you may ask? Because network effect is in full swing: "Phone call? Who still does that? Just use messenger like a normal person". No one's gonna bother to call you or SMS you cause 1) you're not on messenger or whatever app they use and 2) can't be bothered to contact you at your preferred non-app way, when the whole friend group has a group chat from which every single interaction and update is broadcasted to everyone. In the end, keeping you in the loop is too much work, and then you start missing out on outings etc. And even if you somehow persuaded all of your friends to use alternative methods of communication, 99.999% of the planet just can't be bothered, especially when they have friends that are reachable over 5-6 different apps, one on each friend.

Don't underestimate the network effect.


Facebook’s brand has been all but destroyed. The Quest 2 is prime evidence for that. It’s an amazing device at an amazing price that didn’t have as many adopters due to Meta’s past reputation.

Social networks are not an essential service. There are other social networks and there are other forms of communication including SMS which is standard on all phones. If you’re not willing to pay for a better service like iMessage instead of an ad supported one, that is your problem.


> It’s not as endemic as you make it out to be or there would be a public outcry.

There's no [significant] public outcry because most people use Facebook or whichever latest popular thing.


Doesn't Meta have an obligation to protect users that do want to use their product? This is like saying people should be free to pee wherever they want, if you're worried about the smell, don't walk there.


Actually, the pee analogy fits better with your argument. You’re arguing that people can siphon electricity and use Meta’s servers without paying (via ads).

As I’ve already mentioned, Meta isn’t a utility that people can’t live without like a phone. If they don’t like it, they should use something else. There are many alternatives.


Meta is worried about abuse because if 99.999999% of posts on Meta are spam, people stop using it.



