Privacy

TikTok's In-App Browser Could Be Keylogging, Privacy Analysis Warns (techcrunch.com) 16

An anonymous reader shares a report: 'Beware in-app browsers' is a good rule of thumb for any privacy conscious mobile app user -- given the potential for an app to leverage its hold on user attention to snoop on what you're looking at via browser software it also controls. But eyebrows are being raised over the behavior of TikTok's in-app browser after independent privacy research by developer Felix Krause found the social network's iOS app injecting code that could enable it to monitor all keyboard inputs and taps. Aka, keylogging.

"TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app. This can include passwords, credit card information and other sensitive user data," warns Krause in a blog post detailing the findings. "We can't know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites." [emphasis his]

After publishing a report last week -- focused on the potential for Meta's Facebook and Instagram iOS apps to track users of their in-app browsers -- Krause followed up by launching a tool, called InAppBrowser.com, that lets mobile app users get details of code that's being injected by in-app browsers by listing JavaScript commands executed by the app as it renders the page. (NB: He warns the tool does not necessarily list all JavaScript commands executed nor can it pick up tracking an app might be doing using native code -- so at best it's offering a glimpse of potentially sketchy activities.)

Android

The Upcoming Pixel Tablet Could Ship With a 64-Bit Only Version of Android 13 (xda-developers.com) 32

An anonymous reader quotes a report from XDA Developers: While Apple switched to 64-bit-only support with iOS 11 in 2017, Android still supports legacy 32-bit applications. However, Google is in the process of switching to 64-bit-only support, and last year's Android 12 was the first version of the OS to support 64-bit-only builds. While the company did not make the switch with the recently released Android 13, it is reportedly working on a 64-bit-only version of the OS for the upcoming Pixel Tablet. According to Mishaal Rahman, Google is currently testing a 64-bit-only build of Android 13 for a device codenamed 'Tangor.' For the unaware, that codename refers to the upcoming Pixel Tablet, which the company showcased during its I/O keynote earlier this year. If the Pixel Tablet launches with a 64-bit-only version of Android 13, it will be among the first Android devices to drop 32-bit support. "Dropping 32-bit support on the Pixel Tablet will likely reduce RAM usage, but the tablet won't be able to run 32-bit applications," notes the report. "But that shouldn't be a problem for most users, as all recently updated apps on the Google Play Store offer 64-bit support due to the mandate Google put in place in 2019."

IOS

iOS VPNs Have Leaked Traffic For More Than 2 Years, Researcher Claims (arstechnica.com) 45

A security researcher says that Apple's iOS devices don't fully route all network traffic through VPNs as a user might expect, a potential security issue the device maker has known about for years. From a report: Michael Horowitz, a longtime computer security blogger and researcher, puts it plainly -- if contentiously -- in a continually updated blog post. "VPNs on iOS are broken," he says. Any third-party VPN seems to work at first, giving the device a new IP address, DNS servers, and a tunnel for new traffic, Horowitz writes. But sessions and connections established before a VPN is activated do not terminate and, in Horowitz's findings with advanced router logging, can still send data outside the VPN tunnel while it's active.

In other words, you might expect a VPN client to kill existing connections before establishing a secure connection so they can be re-established inside the tunnel. But iOS VPNs can't seem to do this, Horowitz says, a finding that is backed up by a similar report from May 2020. "Data leaves the iOS device outside of the VPN tunnel," Horowitz writes. "This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6."

Advertising

Apple Finds Its Next Big Business: Showing Ads on Your iPhone (theverge.com) 120

"Apple is set to expand ads to new areas of your iPhone and iPad in search of its next big revenue driver," reports Bloomberg.

The Verge writes that Apple "could eventually bring ads to more of the apps that come pre-installed on your iPhone and other Apple devices, including Maps, Books, and Podcasts." According to a report from Bloomberg's Mark Gurman, Apple has internally tested search ads in Maps, which could display recommendations when you search for restaurants, stores, or other nearby businesses. Apple already implements a similar advertising model on the App Store, as developers can pay to have their app promoted on a search page for a particular query, like "puzzle games" or "photo editor." As noted by Gurman, ads on Maps could work in the same way, with businesses paying to appear at the top of search results when users enter certain search terms.

Gurman believes that Apple could introduce ads to its native Podcasts and Books apps as well. [Gurman describes this as "likely".] This could potentially allow publishers to place ads in areas within each app, or pay to get their content placed higher in search results. Just like Maps, Podcasts and Books are currently ad-free.... Gurman mentions the potential for advertising on Apple TV Plus, too, and says the company could opt to create a lower-priced ad-supported tier, something both Netflix and Disney Plus plan on doing by the end of this year.

Bloomberg points out that Apple is already displaying ads inside its News app — where some of the money actually goes back to news publishers. ("Apple also lets publishers advertise within their stories and keep the vast majority of that money.")

And while you can disable ad personalization — which 78% of iOS users have done — Bloomberg notes that "Another ironic detail here is that the company's advertising system uses data from its other services and your Apple account to decide which ads to serve. That doesn't feel like a privacy-first policy."

Bloomberg's conclusion? "Now the only question is whether the customers of Apple — a champion of privacy and clean interfaces — are ready to live with a lot more ads."

Facebook

Facing Privacy Concerns, Facebook Begins Testing End-to-End Encrypted Chats, Secure Backups (cnbc.com) 19

Thursday Meta published a blog post by their "product management director of Messenger Trust," who emphasized that they've begun at least testing end-to-end encryption by default for Messenger chats. But Meta also announced plans "to test a new secure storage feature for backups of your end-to-end encrypted chats on Messenger...."

"As with end-to-end encrypted chats, secure storage means that we won't have access to your messages, unless you choose to report them to us."

CNBC provides some context: The announcement comes after Facebook turned over Messenger chat histories to Nebraska police as part of an investigation into an alleged illegal abortion. Meta spokesperson Andy Stone said the feature has been in the works for a while and is not related to the Nebraska case...

The feature is rolling out on Android and iOS devices this week, but it isn't yet available on the Messenger website. The company has been discussing full-scale deployment of end-to-end encryption since 2016, but critics have said the security measure would make it much more difficult for law enforcement to catch child predators.... Meta said in the release that it is making progress toward the global rollout of default end-to-end encryption for personal messages and calls in 2023.

Other privacy enhancements announced Thursday by Meta:
  • "We plan to bring end-to-end encrypted calls to the Calls Tab on Messenger."
  • Meta announced that the deleting of messages will start syncing across your other devices "soon."
  • Messenger will continue offering the option of "Disappearing" messages, in which viewed messages in an end-to-end encrypted chat automatically then disappear after a pre-specified period of time.

And there's more, according to Meta's announcement:

"This week, we'll begin testing default end-to-end encrypted chats between some people. If you're in the test group, some of your most frequent chats may be automatically end-to-end encrypted, which means you won't have to opt in to the feature. You'll still have access to your message history, but any new messages or calls with that person will be end-to-end encrypted. You can still report messages to us if you think they violate our policies, and we'll review them and take action as necessary....

"Last year, we started a limited test of opt-in end-to-end encrypted messages and calls on Instagram, and in February we broadened the test to include adults in Ukraine and Russia. Soon, we'll expand the test even further to include people in more countries and add more features like group chats....

"We will continue to provide updates as we make progress toward the global rollout of default end-to-end encryption for personal messages and calls in 2023."

Encryption

Facebook Will Begin Testing End-To-End Encryption As Default On Messenger App (theguardian.com) 13

Facebook announced on Thursday it will begin testing end-to-end encryption as the default option for some users of its Messenger app on Android and iOS. The Guardian reports: Facebook messenger users currently have to opt in to make their messages end-to-end encrypted (E2E), a mechanism that theoretically allows only the sender and recipient of a message to access its content. Facebook spokesperson Alex Dziedzan said on Thursday that E2E encryption is a complex feature to implement and that the test is limited to a couple of hundred users for now so that the company can ensure the system is working properly. Dziedzan also said the move was "not a response to any law enforcement requests." Meta, Facebook's parent company, said it had planned to roll out the test for months. The company had previously announced plans to make E2E encryption the default in 2022 but pushed the date back to 2023. "The only way for companies like Facebook to meaningfully protect people is for them to ensure that they do not have access to user data or communications when a law enforcement agency comes knocking," Evan Greer, the director of the digital rights group Fight for the Future, said. "Expanding end-to-end encryption by default is a part of that, but companies like Facebook also need to stop collecting and retaining so much intimate information about us in the first place."

Facebook

Inside the Apple vs. Facebook Privacy Fight (wsj.com) 19

An ongoing dispute over privacy between Apple and Facebook is roiling the digital economy, leading companies to shift billions in ad spending as users continue to limit the data available to advertisers. The feud took off last year, when Apple rolled out iOS 14.5, a version of its mobile operating system that made it easier than ever for iPhone and iPad users to opt out of letting apps like Facebook track their activity on their devices. The two companies weren't always at odds. In fact, they were almost business partners. From a report: In the years before the change, Apple suggested a series of possible arrangements that would earn the iPhone maker a slice of Facebook's revenue, according to people who either participated in the meetings or were briefed about them. As one person recalled: Apple officials said they wanted to "build businesses together." One idea that was discussed: creating a subscription-based version of Facebook that would be free of ads, according to people familiar with the discussions. Because Apple collects a cut of subscription revenue for apps in its App Store, that product could have generated significant revenue for the Cupertino, Calif., giant.

The companies also haggled over whether Apple was entitled to a piece of Facebook's sales from so-called boosted posts, said people familiar with the matter. A boost allows a user to pay to increase the number of people that see a post on Facebook or Instagram. Facebook, which considers boosts ads, has always contended that boosts are a form of advertising, in part because they are often used by small businesses to reach a bigger audience, said one of the people. Apple, which doesn't take a cut of advertising from developers, argued that Facebook boosts should be considered in-app purchases, according to a person familiar with the matter. Apple's standard terms would entitle it to take a 30% share of those sales.

Facebook

Meta Injecting Code Into Websites Visited By Its Users To Track Them, Research Says (theguardian.com) 49

Meta, the owner of Facebook and Instagram, has been rewriting websites its users visit, letting the company follow them across the web after they click links in its apps, according to new research from an ex-Google engineer. The Guardian reports: The two apps have been taking advantage of the fact that users who click on links are taken to webpages in an "in-app browser," controlled by Facebook or Instagram, rather than sent to the user's web browser of choice, such as Safari or Firefox. "The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them [to] monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers," says Felix Krause, a privacy researcher who founded an app development tool acquired by Google in 2017.

Krause discovered the code injection by building a tool that could list all the extra commands added to a website by the browser. For normal browsers, and most apps, the tool detects no changes, but for Facebook and Instagram it finds up to 18 lines of code added by the app. Those lines of code appear to scan for a particular cross-platform tracking kit and, if not installed, instead call the Meta Pixel, a tracking tool that allows the company to follow a user around the web and build an accurate profile of their interests. The company does not disclose to the user that it is rewriting webpages in this way. No such code is added to the in-app browser of WhatsApp, according to Krause's research. [...] It is unclear when Facebook began injecting code to track users after clicking links.

"We intentionally developed this code to honor people's [Ask to track] choices on our platforms," a Meta spokesperson told The Guardian in a statement. "The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels."

They added: "For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill."

Security

DNSFilter Acquires iOS Firewall App Guardian (techcrunch.com) 1

DNSFilter, a Washington, D.C.-based provider of DNS-based web content filtering and threat protection, has announced it's acquiring Guardian, a privacy-protecting firewall for iOS. Financial terms of the deal were not disclosed. From a report: Guardian was founded in 2013 by Will Strafach, a security researcher and former iPhone jailbreaker who in 2017 discovered that AccuWeather was secretly sending precise location data to a third-party company without a user's permission. The company's "smart firewall" iPhone app blocks apps from sharing users' personal information with third-parties, such as IP addresses and location data, by funneling data through an encrypted virtual private network (VPN). The startup, which claims to have so far blocked more than 5 billion data trackers and 1 billion location trackers, recently joined forces with Brave to integrate its firewall and VPN functionality into its eponymous non-tracking browser.

Android

A Phone Carrier That Doesn't Track Your Browsing Or Location (wired.com) 33

An anonymous reader quotes a report from Wired: As marketers, data brokers, and tech giants endlessly expand their access to individuals' data and movements across the web, tools like VPNs or cookie blockers can feel increasingly feeble and futile. Short of going totally off the grid forever, there are few options for the average person to meaningfully resist tracking online. Even after coming up with a technical solution last year for how phone carriers could stop automatically collecting users' locations, researchers Barath Raghavan and Paul Schmitt knew it would be challenging to convince telecoms to implement the change. So they decided to be the carrier they wanted to see in the world. The result is a new company, dubbed Invisv, that offers mobile data designed to separate users from specific identifiers so the company can't access or track customers' metadata, location information, or mobile browsing. Launching in beta today for Android, the company's Pretty Good Phone Privacy or PGPP service will replace the mechanism carriers normally use to turn cell phone tower connection data into a trove of information about users' movements. And it will also offer a Relay service that disassociates a user's IP address from their web browsing.

PGPP's ability to mask your phone's identity from cell towers comes from a revelation about why cell towers collect the unique identifiers known as IMSI numbers, which can be tracked by both telecoms and other entities that deploy devices known as IMSI catchers, often called stingrays, which mimic a cell tower for surveillance purposes. Raghavan and Schmitt realized that at its core, the only reason carriers need to track IMSI numbers before allowing devices to connect to cell towers for service is so they can run billing checks and confirm that a given SIM card and device are paid up with their carrier. By acting as a carrier themselves, Invisv can implement their PGPP technology that simply generates a "yes" or "no" about whether a device should get service. On the PGPP "Mobile Pro" plan, which costs $90 per month, users get unlimited mobile data in the US and, at launch, unlimited international data in most European Union countries. Users also get 30 random IMSI number changes per month, and the changes can happen automatically (essentially one per day) or on demand whenever the customer wants them. The system is designed to be blinded so neither Invisv nor the cell towers you connect to know which IMSI is yours at any given time. There's also a "Mobile Core" plan for $40 per month that offers eight IMSI number changes per month and 9 GB of high-speed data per month.

Both of these plans also include PGPP's Relay service. Similar to Apple's iCloud Private Relay, PGPP's Relay is a method for blocking everyone, from your internet provider or carrier to the websites you visit, from knowing both who you are and what you're looking at online at the same time. Such relays send your browsing data through two way stations that allow you to browse the web like normal while shielding your information from the world. When you navigate to a website, your IP address is visible to the first relay -- in this case, Invisv -- but the information about the page you're trying to load is encrypted. Then the second relay generates and connects an alternate IP address to your request, at which point it is able to decrypt and view the website you're trying to load. The content delivery network Fastly is working with Invisv to provide this second relay. Fastly is also one of the third-party providers for iCloud Private Relay. In this way, each relay knows some of the information about your browsing; the first simply knows that you are using the web, and the second sees the sites you connect to, but not who specifically is browsing there. In addition to being included in the two PGPP data plans, customers can also purchase the Relay service on its own for $5 per month and turn it on while connected to mobile data or Wi-Fi.

The carrier is still working to bring its services to Apple's iOS. It's also worth noting that Invisv only offers mobile data; there are no voice calling services.
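The split-knowledge property of the two-hop relay described above (the first relay sees who you are but not where you are going; the second sees where you are going but not who you are) can be checked in a small simulation. This is an added example, not Invisv, PGPP or Fastly code. It assumes a pre-shared symmetric key with each relay, standing in for the key exchange a real deployment performs, uses a toy HMAC-SHA256 keystream cipher with an HMAC tag rather than a production AEAD, and all IP addresses and hostnames are constructed.

```python
"""Two-hop relay simulation: what each relay can learn about a request.

Constructed example. Keys are assumed pre-shared per relay; the cipher is a
toy HMAC-SHA256 keystream with encrypt-then-MAC, for illustration only.
"""
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from HMAC-SHA256(key, nonce||counter)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def client_build(k1: bytes, k2: bytes, dest: str, path: str) -> bytes:
    """Client wraps the destination for relay 2, then wraps that blob for relay 1."""
    inner = seal(k2, json.dumps({"dest": dest, "path": path}).encode())
    outer = seal(k1, json.dumps({"next": "relay2", "payload": inner.hex()}).encode())
    return outer


def relay1_handle(k1: bytes, client_ip: str, outer: bytes, egress_ip: str):
    """Relay 1 learns the client IP and the next hop, but only an opaque payload."""
    msg = json.loads(unseal(k1, outer))
    inner = bytes.fromhex(msg["payload"])
    view = {"client_ip": client_ip, "next_hop": msg["next"], "payload_bytes": len(inner)}
    return view, egress_ip, inner  # forwards from its own egress address


def relay1_can_read(k1: bytes, inner: bytes) -> bool:
    """Relay 1 holds only k1, so the inner layer must not open for it."""
    try:
        unseal(k1, inner)
        return True
    except ValueError:
        return False


def relay2_handle(k2: bytes, src_ip: str, inner: bytes) -> dict:
    """Relay 2 learns the destination, but its source is relay 1's egress, not the client."""
    msg = json.loads(unseal(k2, inner))
    return {"src_ip": src_ip, "dest": msg["dest"], "path": msg["path"]}


def run(dest: str = "example.com", path: str = "/page"):
    """Drive one request through both hops and return each relay's view."""
    k1, k2 = os.urandom(32), os.urandom(32)
    client_ip, relay1_egress = "203.0.113.7", "198.51.100.1"  # constructed addresses
    outer = client_build(k1, k2, dest, path)
    r1_view, egress, inner = relay1_handle(k1, client_ip, outer, relay1_egress)
    r2_view = relay2_handle(k2, egress, inner)
    return r1_view, r2_view, relay1_can_read(k1, inner)


if __name__ == "__main__":
    for name, view in zip(("relay1", "relay2", "relay1_reads_inner"), run()):
        print(name, view)
```

Neither view alone links the client address to the destination; correlating them requires the two operators to collude, which is exactly the trust assumption the two-provider split (Invisv plus Fastly) is meant to address.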

Facebook

Zuckerberg Says Meta and Apple Are In 'Very Deep, Philosophical Competition' To Build the Metaverse (theverge.com) 132

Mark Zuckerberg believes that Apple and his company are in a "very deep, philosophical competition" to build the metaverse, suggesting the two tech giants are ready to butt heads in selling hardware for augmented and virtual reality. The Verge reports: The Meta CEO told employees earlier this month that they were competing with Apple to determine "what direction the internet should go in," according to a recording of his comments during an internal all-hands meeting obtained by The Verge. He said that Meta would position itself as the more open, cheaper alternative to Apple, which is expected to announce its first AR headset as soon as later this year. "This is a competition of philosophies and ideas, where they believe that by doing everything themselves and tightly integrating that they build a better consumer experience," Zuckerberg said of the brooding rivalry. "And we believe that there is a lot to be done in specialization across different companies, and [that] will allow a much larger ecosystem to exist."

Since rebranding Facebook's company name to Meta, Zuckerberg has been pushing for the concept of interoperability for the metaverse, or what he sees as the next major chapter of computing after mobile phones. Meta recently helped stand up the Metaverse Open Standards Group with Microsoft, Epic Games, and others. The idea is to spur the creation of open protocols that will let people easily move through future immersive, 3D worlds with their virtual goods. Apple is absent from the group, which Zuckerberg called out as not surprising in his comments to employees. He explained how Apple's approach of building hardware and software it tightly controls had worked well with the iPhone, but that for the metaverse, "it's not really clear upfront whether an open or closed ecosystem is going to be better."

[...] If VR and AR do take off like Zuckerberg hopes, it seems he wants to position Meta as the Android to Apple's iOS. There is a parallel to draw already: Meta's Quest headset already allows the side loading of apps that are not approved by Meta's VR app store, similar to how Google's Android allows for sideloading. And even though it just increased the price of the Quest by $100, Meta's hardware is still mostly sold at a loss or breakeven. [...] Zuckerberg's remarks suggest that even as he tries to invent his way out of being under Apple's thumb on mobile, the two tech giants are going to be battling for years to come.

Businesses

Netflix Dodges App Store Tax With a New External Sign-Up Page on iOS (pcmag.com) 36

iPhone and iPad users looking to subscribe to Netflix via the streaming platform's iOS app are being redirected to an external website which removes the need to pay the App Store tax. From a report: As 9To5Mac reports, the redirection looks to be rolling out globally and takes advantage of a new iOS API that allows apps classed as "reader apps" to sign-up new users and manage their accounts outside of the App Store.

Reader apps, as described by Apple, provide one or more digital content types -- including magazines, newspapers, books, audio, music, or video -- as its primary function. That includes popular services such as Spotify, Zinio, Amazon Kindle, and YouTube. In the case of Netflix, new customers are diverted to a separate website at the tap of a button in the app to enter personal data, choose a payment method, and select a streaming plan. This update ensures transactions are no longer Apple's responsibility and all subscription management is therefore completed by Netflix. Once signed up, the Netflix iOS app should provide full content access.

Chrome

Chromebooks With Mobile Data To Act As Wi-Fi Hotspots (9to5google.com) 15

In an upcoming update, Chromebooks equipped with mobile data will be able to serve as a Wi-Fi hotspot for other devices, just like Android and iOS devices can today. 9to5Google reports: The work-in-progress feature has made its first appearance in ChromeOS code in the form of a new flag coming to chrome://flags. The details are quite slim at the moment, with little more than the flag description available today. That said, it's easy to imagine how a mobile hotspot would work on ChromeOS, based on how the same feature works on Android phones today.

Presumably, you would be able to choose the name and password for your Chromebook's hotspot through the Settings app in ChromeOS, where you can also toggle the hotspot on and off. If it truly follows the example of Android, there would also be an easy way to turn on your hotspot through a Quick Settings toggle.

XBox (Games)

Xbox Becomes First Game Console To Formally Support Discord Voice Chat (arstechnica.com) 20

After trying, and failing, to acquire the popular chat platform Discord for $10 billion, Microsoft has opted for the next-best thing: directly integrating Discord's voice-chat capabilities into Xbox consoles. Ars Technica reports: The news arrived on Wednesday on Xbox Blog, and it clarified that for the time being, Discord access would be exclusive to the optional "Xbox Insider" tier of early, beta, and preview console OS updates. That update is already going live in waves to Xbox Insiders today, and it adds a new tooltip to the system's "chat" sidebar: "Try Discord Voice on Xbox today!"

[...] Sadly, this week's rollout of Discord on Xbox is a bit limited. The biggest issue is that there is no formal Discord app or interface on Xbox. You will need to keep a smartphone handy to initiate a "handoff" of your Discord session. Get ready for an annoying first-time setup process. Should you have an updated Xbox on the Insider OS track, its new "Try Discord Voice" prompt will initiate an account-sync process, which requires using a mobile Discord app to take a photo of a QR code displayed by your Xbox. (You'll need to re-do this if you've done so before, due to it adding a new level of credential for voice chat.) With this in place, when you are about to join a voice channel on Discord, a new "try voice chat on console" prompt will appear. Tapping through this will then, ugh, create another handover to Microsoft's dedicated Xbox app on either iOS or Android. Yes, if you want this to work, you need to install the Xbox app on your mobile device (and Discord will suggest you do so, if you haven't yet). This facilitates the key technical aspect of forwarding all Discord audio to your Xbox hardware.

With all that in place, presto: You can now talk to any participants in the Discord voice channel you chose directly on your Xbox. Its menu interface supports either muting or changing the volume level of every other user in the voice chat channel you chose, which is appreciated as a quickly accessible option during frantic gameplay. A one-button toggle in the menu allows chatters to switch between Discord voice chat and a particular game's dedicated voice-chat channel. (This is useful when you're talking to friends while in the midst of random online matchmaking, then need to turn on in-game voice chat for a second to confirm a strategy to your current teammates before going back to discussing souffle recipes with buddies.) All greater Discord control, sadly, goes back to your smartphone...

Cellphones

Are Lock Screens About to Change? (cnet.com) 75

"The lock screen is about to change," writes CNET — both for iOS and Android devices. Apple's iOS 16 update, which launched in public beta on Monday, will bring more customization options and new widgets to the iPhone's lock screen when it arrives this fall. You'll be able to see more information quickly and apply stylistic effects to lock screen photos similar to the iPhone's Portrait Mode photography feature.... Like the Apple Watch, the new lock screen should make it easier to see crucial pieces of information without having to dig into apps or even unlock your phone.

And for Android phones: Glance, a Google-backed subsidiary of mobile ad tech company InMobi, also reiterated its plans to bring its lock screen platform to the U.S. [though the company also says there's "no definitive timeline."] And Google is reportedly planning to incorporate more bits of information into its own lock screen widget for Pixel phones.... Glance's lock screen will appear in the form of what it calls "spaces," which are essentially curated lock screens designed to fit specific themes. A fitness-oriented lock screen, for example, would show statistics such as calories burned and exercise goals alongside a music player. A news "space" would show headlines and the weather, while a music version could surface live concerts....

The TechCrunch report about Glance's US arrival sparked concerns that advertisements would be coming to the lock screen, too. Glance's business page shows examples of advertisers that have used its platform to reach potential customers on the very first screen they see when picking up their phone. Intel, Zomato and Garnier are among the listed case studies. But Rohan Choudhary, vice president and general manager of the Glance feed, told CNET the US version would be ad-free. "We are very clear that in the US, we will not have ads on the lock screen at all," he said....

The company says it plans to monetize its service through news subscriptions and commerce links from shopping platforms that are surfaced through Glance.

Glance's motto? "Transforming lock screens into smart surfaces."

Android

Google Play Hides App Permissions In Favor of Developer-Written Descriptions (arstechnica.com) 33

An anonymous reader quotes a report from Ars Technica: Google's developer deadline for the Play Store's new "Data Safety" section is next week (July 20), and we're starting to see what the future of Google Play privacy will look like. The actual Data Safety section started rolling out in April, but now that the developer deadline is approaching... Google is turning off the separate "app permissions" section? That doesn't sound like a great move for privacy at all.

The Play Store's new Data Safety section is Google's answer to a similar feature in iOS 14, which displays a list of developer-provided privacy considerations, like what data an app collects, how that data is stored, and who the data is shared with. At first blush, the Data Safety entries might seem pretty similar to the old list of app permissions. You get items like "location," and in some ways, it's better than a plain list of permissions since developers can explain how and why each bit of data is collected.

The difference is in how that data ends up in Google's system. The old list of app permissions was guaranteed to be factual because it was built by Google, automatically, by scanning the app. The Data Safety system, meanwhile, runs on the honor system. Here's Google's explanation to developers of how the new section works: "You alone are responsible for making complete and accurate declarations in your app's store listing on Google Play. Google Play reviews apps across all policy requirements; however, we cannot make determinations on behalf of the developers of how they handle user data. Only you possess all the information required to complete the Data safety form. When Google becomes aware of a discrepancy between your app behavior and your declaration, we may take appropriate action, including enforcement action."

Operating Systems

Apple's iOS 16, macOS Ventura and watchOS 9 Public Betas Are Ready To Download (engadget.com)

We're a couple of months out from Apple officially rolling out the next major versions of its various operating systems. However, you can try out iOS 16, iPadOS 16, watchOS 9, macOS Ventura and tvOS 16 right now. Apple has released a public beta, a few weeks after it offered up the first developer betas. To access them, you'll need to sign up for the Apple Beta Software Program and follow the directions.

Chrome

Google Consolidates Its Chrome and Android Password Managers (techcrunch.com)

Google today announced an update to its password manager that will finally introduce a consistent look-and-feel across the service's Chrome and Android implementations. From a report: Users will soon see a new unified user experience that will automatically group multiple passwords for the same sites or apps together, as well as a new shortcut on the Android home screen to get access to these passwords. In addition to this, Google is also now adding a new password-related feature to Chrome on iOS, which can now generate strong passwords for you (once you set Chrome as an autofill provider). Meanwhile, on Android, Google's password check can now also flag weak and re-used passwords and help you to automatically change them, while Chrome users across platforms will now see compromised password warnings.

Security

Google Warns ISPs Helped Distribute Hermit Spyware (engadget.com)

Google is warning of a sophisticated new spyware campaign that has seen malicious actors steal sensitive data from Android and iOS users in Italy and Kazakhstan. Engadget reports: On Thursday, the company's Threat Analysis Group (TAG) shared its findings on RCS Labs, a commercial spyware vendor based out of Italy. On June 16th, security researchers at Lookout linked the firm to Hermit, a spyware program believed to have been first deployed in 2019 by Italian authorities as part of an anti-corruption operation. Lookout describes RCS Labs as an NSO Group-like entity. The firm markets itself as a "lawful intercept" business and claims it only works with government agencies. However, commercial spyware vendors have come under intense scrutiny in recent years, largely thanks to governments using the Pegasus spyware to target activists and journalists.

According to Google, Hermit can infect both Android and iOS devices. In some instances, the company's researchers observed malicious actors work with their target's internet service provider to disable their data connection. They would then send the target an SMS message with a prompt to download the linked software to restore their internet connection. If that wasn't an option, the bad actors attempted to disguise the spyware as a legitimate messaging app like WhatsApp or Instagram.

What makes Hermit particularly dangerous is that it can gain additional capabilities by downloading modules from a command and control server. Some of the add-ons Lookout observed allowed the program to steal data from the target's calendar and address book apps, as well as take pictures with their phone's camera. One module even gave the spyware the capability to root an Android device. Google believes Hermit never made its way to the Play or App stores. However, the company found evidence that bad actors were able to distribute the spyware on iOS by enrolling in Apple's Developer Enterprise Program. Apple told The Verge that it has since blocked any accounts or certificates associated with the threat. Meanwhile, Google has notified affected users and rolled out an update to Google Play Protect.

Advertising

T-Mobile Has Started Selling Your App Data To Advertisers (androidpolice.com)

T-Mobile has just officially launched its new ad platform, known as T-Mobile Advertising Solutions. That innocuous name hides a rather sketchy business model -- it aggregates your mobile application usage and sells it to advertisers. Android Police reports: The specifics of the program will sound familiar to anyone who has followed the ebb and flow of browser tracking. T-Mobile uses network-level tools to track the apps that people use on their phones, and it then anonymizes and aggregates that data to lump you into various "personas," or "cohorts" as other platforms would call it. For example, if you regularly use Expensify and airline apps on your phone, T-Mobile could identify you as a business traveler for advertising purposes. This program has been in testing for the past year as "T-Mobile Marketing Solutions," according to The Verge, but it is now live with its new name.

There is some good news (but less of it for Android fans). T-Mobile does not currently collect app data on iOS users, fearing it could run afoul of Apple's privacy rules. But we Android users are fair game, apparently. However, you can opt out of T-Mobile's program using its official "Magenta Marketing Platform Choices" app. Alternatively, the Digital Advertising Alliance offers an app that lets you opt out of numerous trackers, including T-Mobile Advertising Solutions, which is listed under its old name of T-Mobile Marketing Solutions.
