Hacker News new | past | comments | ask | show | jobs | submit login

I wrote a little MobileSubstrate (Jailbroken iPhone) shim to intercept the most common API used to access this data, block its use, and alert the user when it's happening.


It should be available in the BigBoss repository as "Address Book Privacy" sometime tomorrow.

My tweak catches and displays the use of address book data as it happens, and based on my observations I think the Hipster version of address book theft is a lot less egregious than the Path one. Hipster accesses your address book only when you ask it to "Find Friends" - "Contacts" is selected by default. While this certainly shouldn't be the case, it's nowhere near as bad as Path, which sends all your contacts without asking every time you log in (along with again if you select "Find Friends").

ABAddressBookCopyArrayOfAllPeople is implemented as a direct branch to ABCCopyArrayOfAllPeople. Right after that are the ABAddressBookGetPersonWithRecordID and ABAddressBookGetPersonCountShowingLinks functions and they will be wiped out by the closure generated by MSHookFunction. The proper function to hook is ABCCopyArrayOfAllPeopleInSourceWithSortOrdering. See my similar package for an example: https://github.com/rpetrich/ContactPrivacy

Kudos to beating me to a release.

This version is substantially better than mine - in addition to the correct hook mentioned in the parent comment, ryanpetrich's code uses a private CoreFoundation API rather than UIAlert which is both safe to access from non-main threads and blocking, making the tweak both simpler (no dispatch or blocks) and allowing it to pop up a "yes/no" dialog.

I've updated the README in my GitHub repo to point here and I'm considering ContactPrivacy a better replacement for AddressBookPrivacy at this time.

Here's to hoping Apple does something like this in a future release of iOS.

I think the Hipster version of address book theft is a lot less egregious than the Path one.

At least Path did it over https. There's no excuse for sending private information over http.

Random observation from reading the source: your tweak is going to cause issues (possibly crashes) if the application is accessing the address book on a non-main thread. You should dispatch_async() that alert over to the main thread.

It actually just causes CoreAnimation fence issues and messy animations as far as I can tell, but you're entirely right. Fixing in my next commit (which also fixes some other brokenness). Even had a note in the TODO about it.

This is the first time I've used MobileSubstrate and Logos, so I'm having a lot of fun :)

update: fixed.

Since you seem to be enjoying the experience, feel free to join #theos on irc.saurik.com, it's all we discuss!

You may only be seeing CoreAnimation fencing issues, but the fact is, you're accessing main-thread-only classes from a background thread, and it has the potential to corrupt data structures which can lead to crashes and other bad behavior.

Glad to see you fixed it though.

This is an awesome little tweak. I'm really glad to see more competent people using Theos and Logos to implement useful things!

I've got one minor nit to pick, and that's that you're using Logos, but only for its %ctor directive! Not that that's a bad thing, it gets more language coverage!

You could possibly extend this to hook those parts of those apps individually or on a case-by-case basis, and present a different/better UI for them in particular.

Great to hear you like the tweak. Theos and Logos made the whole process a lot easier, so thank you!

I plan to use Logos to add a delegate class for the UIAlert such that I can pop up an "allow/deny" dialog, to start, and then to move on to a more full-featured preference system. I'm just thinking about how to block the thread requesting the address book information while I wait for the user to dismiss the alert.

I've been poking around at various Logos + Theos projects on GitHub and I'm impressed at what a little Perl magic can do - I'm definitely excited to dive deeper as I add features.

Cool. Too bad about the jailbreak requirement :).

Hipster doesn't leak as much information, but it is almost just as persistent. You can uncheck the "Contacts" button when you enter that preference, but only after the app sends your data. Also, if you come back to the screen, it reverts to checked. They are really filter buttons, and not stateful, apparently.

But yes, it doesn't happen every time.

"Too bad about the jailbreak requirement :)" :(

Jailbreaking means so many different things to different people. I know it causes issues with Apple-sanctioned updates, but sometimes those issues are just plain worth it.

All the stability issues, all the battery life issues, and all of the downsides apart from a more complicated update process are first and foremost effectively made-up. There's no solid data to back those things.

Jailbreaking has time and time again patched vulnerabilities that Apple didn't (in a timely manner), and proven that it is a valuable part of the ecosystem.

I only meant that it wouldn't improve the lives of the vast majority of iPhone users. No complaints about jailbreaking from me! :)

Nice work! However, you seemed to have forgotten to add theos as a submodule. Without it, people cannot build this on their own if they chose to do so..

Good point, although most of the tweaks I've seen on GitHub seem to omit theos and assume the user can find and install it.

I'm not a tremendous fan of submodules but this is a good use case for one; I'll add theos as a submodule and push a commit in a second.

Edit: Done, but users have to manually download ldid (presumably due to licensing issues) anyway.

Thank you for the feedback and advice!

Users have to manually download ldid only because I aspire to keep Theos a binary-free distribution: it's totally cross-platform where you have GNU make and bash (and, for Logos, perl).

I guess it is a matter of personal preference, but I see it as "why not?", especially because the THEOS environment variable is respected.

This is huge. Thanks bri3d.

Applications are open for YC Winter 2021

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact