
Took a quick look, and this appears to be enabled if [NSLocale.currentLocale.countryCode isEqualToString:@"CN"]:

  char ____ZN7Backend6Google12SSBUtilities24shouldConsultWithTencentEv_block_invoke_2(void * _block) {
      rax = [NSLocale currentLocale];
      rax = [rax retain];
      r14 = [[rax countryCode] retain];
      [rax release];
      rbx = [r14 isEqualToString:@"CN"] != 0x0 ? 0x1 : 0x0;
      [r14 release];
      rax = rbx;
      return rax;
  }

Update: the code for Tencent Safe Browsing seems to be very similar to that which talks to Google, down to it being under a "Google" namespace, the API endpoints being named the same, and performing hashing which seems to match the "Update API" here: https://developers.google.com/safe-browsing/v4/update-api. I think this is just "whatever Google could see before, Tencent can see now, if you're in China". I'm no expert, so I have no idea if that's k-anonymous or whatever if Tencent/Google decide they want to track you, but in either case it's just shifting who's getting your hashes.

> if [NSLocale.currentLocale.countryCode isEqualToString:@"CN"]:

So even for US and EU based users the data is sent to Tencent just because they enabled Chinese language support? Who programmed that?

iOS has separate region and language settings. Quick look at Apple docs suggests that this is the former.

No, it's the latter.

In NSLocale, "region" is a subtype of language, as in a regional dialect, not an independent dimension.



Nope, [[NSLocale currentLocale] countryCode] returns Region country code from settings. The same code is also used for language region, so you can end up with something like zh_US.

I wonder if there are similar oversights with the US locale, seeing as a lot of developers prefer English interfaces to the somewhat craptastic localizations.

CN is the country code, not the language code. zh-CN is Simplified Chinese localized to mainland China. If you want Simplified Chinese try something like zh-HK or zh-SG.

But there is valid criticism to be had that Apple should be signposting more visibly the differences between its settings for CN and outside CN.

Your data is sent to Google otherwise.

...which is what I strongly prefer (rule of law and all that). Of course, as others have said, on-device processing would be the best.

Not just EU and US based users, but also Hong Kong and Taiwan based users.

Hong Kong, Macao and Taiwan all have their own ISO 3166 codes and users there are unlikely to accidentally set the region to CN, since the difference between simplified and traditional characters is quite obvious.

This sounds like the more dangerous story here. What the heck?

Google is blocked in China, so naturally they'd need a Chinese alternative. With everything going on it's easy to fearmonger, but people need to chill out a bit. Locale is probably one of the least intrusive ways to determine location; using GPS would probably cause an even further problem if people realise that there's a backdoor to avoid location permission.

Any company that markets/releases in China and relies on some Google service (maps/safe search/safety net/Google sign in/firebase/etc) needs to find an alternative, not because everyone is on the Chinese payroll but more often than not these services are business critical.

Wouldn't the locale be set to CN for phones which are in non-China countries too?

Language and Locale are separate preferences. You can mix and match however you want on iOS.

Oh I see. That is where I got confused then.
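The region-versus-language distinction debated above, as an added example that is not part of any comment in the thread: it splits a locale identifier into language, script and region and applies the same exact-match comparison against "CN" that the decompiled block performs. It assumes identifiers of the form language[_Script][_REGION] (for example en_CN) and that countryCode is the region component; `split_locale` and `should_consult_with_tencent` are hypothetical names modelling the check, not Apple's code.

```python
import re

# language[-_Script][-_REGION][@keywords]; variants are not handled here.
_LOCALE_RE = re.compile(
    r"^(?P<language>[A-Za-z]{2,3})"
    r"(?:[-_](?P<script>[A-Za-z]{4}))?"
    r"(?:[-_](?P<region>[A-Za-z]{2}|[0-9]{3}))?"
    r"(?:@.*)?$"
)


def split_locale(identifier):
    """Return (language, script, region); script and region may be None."""
    m = _LOCALE_RE.match(identifier)
    if m is None:
        raise ValueError("unsupported locale identifier: %r" % identifier)
    language = m["language"].lower()
    script = m["script"].title() if m["script"] else None
    region = m["region"].upper() if m["region"] else None
    return language, script, region


def should_consult_with_tencent(identifier):
    """Model of the decompiled check: only the region is compared to "CN"."""
    return split_locale(identifier)[2] == "CN"


if __name__ == "__main__":
    # Constructed sample identifiers covering the cases raised in the thread.
    for ident in ("zh_CN", "en_CN", "zh_US", "zh-Hans-US", "zh-Hant-TW", "zh_HK"):
        print("%-12s %-22s %s" % (ident, split_locale(ident),
                                  should_consult_with_tencent(ident)))
```

An English-language device with its region set to China (en_CN) satisfies the comparison, while a Chinese-language device with a US region (zh_US, zh-Hans-US) does not.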

What kind of code am I looking at? It seems pretty cool. Is this some automatically 'reverse compiled' assembly?

In any case, I'd love to know how you generated this. Would be very cool to get something similar out of an executable.

It's "decompilation" of a block invoke for Backend::Google::SSBUtilities::shouldConsultWithTencent() taken by opening /System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/SafariSafeBrowsing in Hopper Disassembler.


> ____ZN7Backend6Google12SSBUtilities24shouldConsultWithTencentEv_block_invoke_2

I'm glad I don't use Objective-C... That's some Java level function naming there.

Edit: may have spoken too soon, appears to be possibly reverse engineered / decompiled?

  bash$ c++filt <<< ____ZN7Backend6Google12SSBUtilities24shouldConsultWithTencentEv_block_invoke_2
  invocation function for block in Backend::Google::SSBUtilities::shouldConsultWithTencent()

Edit: what are downvotes for? That is the standard way to decipher C++ mangling, using built-in (binutils) tools.

You’re looking at the method name after the compiler got done mangling type information into it for the linker. The human-readable name that (what appears to be an anonymous block) likely appears within the source code appears to be “shouldConsultWithTencent” in a namespace (class?) “Backend::Google::SSBUtilities”.

The other line noise encodes return and argument types via the process of Name Mangling: https://en.wikipedia.org/wiki/Name_mangling

This is a block invoke for a mangled C++ function. You'd know it as a lambda inside of Backend::Google::SSBUtilities::shouldConsultWithTencent().

It appears to be the symbol in the binary. C++ also does similar things. It's called mangling. https://itanium-cxx-abi.github.io/cxx-abi/abi.html#mangling

It's also the reason you sometimes need to extern "C" or otherwise mark symbols being exported via a C ABI in C++ so that they don't get mangled.
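The mangling scheme discussed in the comments above, as an added example that is not part of any comment in the thread: a small Python parser for the subset of the Itanium C++ ABI encoding this symbol uses (a nested name made of length-prefixed components) plus the `_block_invoke` suffix clang gives a block's invoke function. The names `parse_nested_name` and `describe` are hypothetical, and parameter encodings other than `v` (void) are reported undecoded.

```python
import re

# A block's invoke function is named <enclosing symbol>_block_invoke[_N].
_BLOCK_RE = re.compile(r"^(?P<func>.+?)_block_invoke(?:_(?P<index>\d+))?$")


def parse_nested_name(mangled):
    """Parse _ZN<len><id>...E<params> into (components, param_encoding)."""
    if not mangled.startswith("_ZN"):
        raise ValueError("not an Itanium nested name: %r" % mangled)
    pos = 3
    # Optional CV-qualifiers of a member function: r, V (volatile), K (const).
    while pos < len(mangled) and mangled[pos] in "rVK":
        pos += 1
    parts = []
    while pos < len(mangled) and mangled[pos] != "E":
        m = re.match(r"\d+", mangled[pos:])
        if m is None:
            raise ValueError("unsupported component at offset %d" % pos)
        length = int(m.group())
        start = pos + m.end()
        ident = mangled[start:start + length]
        if len(ident) != length:
            raise ValueError("truncated identifier at offset %d" % start)
        parts.append(ident)
        pos = start + length
    if pos >= len(mangled):
        raise ValueError("missing terminating 'E'")
    return parts, mangled[pos + 1:]


def describe(symbol):
    """Render a symbol the way the c++filt output quoted in the thread does."""
    m = _BLOCK_RE.match(symbol)
    func = m["func"] if m else symbol
    start = func.find("_ZN")  # skip the extra leading underscores
    if start < 0:
        raise ValueError("no nested C++ name in %r" % symbol)
    parts, params = parse_nested_name(func[start:])
    args = "()" if params == "v" else "(<encoded: %s>)" % params
    text = "::".join(parts) + args
    return "invocation function for block in " + text if m else text


if __name__ == "__main__":
    # Symbol as quoted in the thread.
    print(describe("____ZN7Backend6Google12SSBUtilities"
                   "24shouldConsultWithTencentEv_block_invoke_2"))
```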
