
iPhone Apps Surreptitiously Communicated with Unknown Servers - hsnewman
https://www.schneier.com/blog/archives/2019/06/iphone_apps_sur.html
======
Anechoic
Previous discussion:
[https://news.ycombinator.com/item?id=20031443](https://news.ycombinator.com/item?id=20031443)

------
newscracker
Not directly related to the apps mentioned in this article, but one key
permission that iOS lacks that Android has is the network access permission.
There are many apps that I just don't want accessing the network or the
Internet at all. I want them to run as local pieces of software with whatever
other permissions I choose to grant them.

Even in our connected world, there is no reason to provide blanket network
access to every app on the device.

~~~
nomel
Doesn’t the “Off” setting for wireless data do this for iOS? With the other
two options being “WLAN” and “WLAN & Cellular”, what’s the alternative network
route?

~~~
dymk
You can't turn off network access for specific apps on iOS.

~~~
nomel
I don’t understand. For each app I have the above mentioned setting. What’s
the network access method that’s outside of WLAN and cellular?

~~~
elygre
On my iPhone, the setting is “mobile data”, i.e. you can stop it from using
cellular data (normally payable), but you can not stop it from using WiFi
(presumably free).

~~~
nomel
I’m using 12.3.1, maybe this is a new feature?

~~~
newscracker
Where in Settings do you see a way to disable WiFi access to each app
separately? Please provide the full navigation path. It's always been Cellular
data that one could turn on or off for each app.

~~~
nomel
In the wireless settings for each individual app.

Sure, open settings, scroll to the app you’re interested in, click it to
access its individual settings (location, notifications, background refresh,
etc), click “Wireless Data”, then select “Off”.

------
mrgreenfur
Are there any firewall style apps to block this type of behavior? Something
like uBlock or uMatrix but for apps. I'm not inclined to trust any apps and
would prefer explicit control over what they do.

Also, it's a bit strange to me that we didn't/don't seem to have this
explosion of data leakage for desktop apps despite them having unique ids just
like on mobile (idfa/google ad id).

~~~
Despegar
You can use Will Strafach's new app Guardian that blocks trackers in apps. I
think Apple is going to purge them from iOS apps over time, they've already
started with kids apps.

[https://guardianapp.com/](https://guardianapp.com/)

~~~
reaperducer
_I think Apple is going to purge them from iOS apps over time, they've
already started with kids apps._

To be clear, Apple isn't purging apps that protect kids in favor of its own
apps.

It's my understanding that Apple is purging apps that take over the phone
entirely (including the ability to remotely control the camera and microphone)
by misusing enterprise certificates. There are plenty of kid protection apps
out there that play by the rules and will continue to work.

~~~
Clent
I believe the parent was referring to a change in Apple's guidelines that was
making the rounds a couple of weeks ago, “Apps intended for kids may not
include third-party advertising or analytics”

This was previously discussed here
[https://news.ycombinator.com/item?id=20108096](https://news.ycombinator.com/item?id=20108096)

------
dep_b
The funny thing is that Safari works really great blocking all this kind of
stuff on websites. So I want what Safari does, in all of my apps _unless I
opt-in_.

------
awinter-py
running software is inherently unsafe -- beyond legit security threats where
an app is getting information you haven't granted it, their use of sensitive
information you _have_ permitted needs to be more carefully audited

of course they're sometimes violating their privacy policy -- no real history
of punishment / legal consequences here except (1) at the highest size scale
(FB / G), and even they get away with minor fines in the US. And (2) sometimes
terms get read by courts in other matters, i.e. zappos.

Plus product probably doesn't know the policy at some small companies; lawyers
don't get involved enough.

the solution here is much stronger OS-level permissions models that can track
the provenance of sensitive information. very big difference between my
location getting uploaded as part of a 'search nearby' (i.e. a click) vs in
the background. sensitive information should audit every read and should be
required to dump communication messages to an audit DB visible to the user.

this is an area where open source can lead because it's easier for us to
_both_ run a policy checker / privacy linter and prove that it's running.

~~~
swiley
I would argue that a far better solution is community maintained software like
what’s used on many open source OSes. Occasionally these end up with backdoors
inserted by large governments but it’s nowhere near as bad as what happens
with smartphone apps.

~~~
Fnoord
Open source and smartphone apps are not mutually exclusive. I guess you mean
you want open source smartphone apps instead of closed source / proprietary
smartphone apps.

There are some. For example, Marcel Bokhorst developed the following
applications: NetGuard, XPrivacyLua, and FairEmail [1]

[1] [https://github.com/M66B](https://github.com/M66B)

~~~
swiley
Note my phrasing, I'm aware of OSS apps.

I'm sure the development experience is less extreme on android but smartphone
development is nothing like the experience on the PC where dev tools (visual
basic/TCL/python/bash even gcc) are very lightweight and easy to work with. On
the iphone you actually have to send apple money and sometimes even fax them a
copy of your driver's license.

Yes, you can have "open source smartphone apps" (although it's much closer to
source available since the users really have no way to modify it) but you
absolutely can't have community maintained software (again, on the iphone. You
can on android in theory but the tooling really doesn't seem built for sharing
with other people.)

------
wil421
Are these just the 3rd party analytics servers used by a lot of Apps?

My UniFi dashboard always shows spikes around 3-5am. I figured it was mostly
iCloud backups.

------
3xblah
Is there a reason to keep wifi enabled on a mobile phone while one is
sleeping? There are certainly reasons against it. For one, it drains battery
when one is not using the device.

Unless I am downloading something while I sleep, I disable the interfaces on
computers while I am asleep. If I control the gateway that the mobile phone
uses, then I can disable the interface on the gateway.

~~~
heywire
Turn it off and it'll just use the mobile networks instead. Turn that off, and
now you won't get phone calls or text messages. I guess you could go and turn
off mobile data for apps too, but it's not like they won't just upload that
data once you flip wifi back on...

~~~
duhi88
This is what I do. If an app doesn't need an internet connection, it can't
access the internet.

~~~
DavideNL
> "but it's not like they won't just upload that data once you flip wifi back
> on..."

~~~
3xblah
Only if gateway is up. I can't really control a mobile phone loaded with a
corporate OS (I guess this is the point the replies are trying to make), but I
can significantly control a router loaded with an OS I edited, compiled and
installed myself. I have found that I can reliably keep a mobile phone from
getting access to the internet when it is relying on me providing the internet
access.

------
dpkonofa
Why is this titled this way? This is not inherent or specific to iPhones. The
title should really be "Apps can do whatever you let them including send your
data to unknown servers". This is the worst kind of piggyback article out
there. It's piggybacking on another, more detailed source and it's using the
term "iPhone" just to be more sensationalized.

~~~
iamnotacrook
"Why is this titled this way? This is not inherent or specific to iPhones."

My guess is that it's because that's what the article is about. Specific,
named apps (for example "DoorDash"), running on an iPhone, and sending
specific, named data ("device name, model, ad identifier and memory size") to
other companies' servers. So it's a very accurate title.

It's bizarre to complain about this with whatabout statements. It's like
reading an article about soldiers from a given country killing civilians and
saying that we already knew this, and that soldiers from other countries do it
too. So what? This story is about this _specific instance_ of it.

~~~
dpkonofa
Ok but that entire insinuation is disingenuous. The article is taking a
statement that Tim Cook made about what happens on an iPhone user's phone in
terms of Messages, FaceTime, and Apple Pay and is attempting to apply it to
the entire App Store when that's never ever been the argument Apple's making.
If anything, Apple is the only company that's tried to educate users about
their data and isn't actively seeking to make a profit off that data.

And even your "whatabout" complaint seems disingenuous. This is more like
reading an article that says that the US government is killing innocent
civilians and then someone pointing out that the civilians were actually
killed by an individual that worked for a contracting company that the US
government hired. You can't, in good faith, make the connection that the
actions of an individual somehow equate to the actions of the whole
organization just because there was some tangential relationship.

Apple doesn't do this. Full stop. Specific apps do it and they do it
regardless of the platform. This has nothing to do with Apple and the article,
source and re-post, are simply dragging Apple into it for clickbait headlines.

~~~
SomeOldThrow
What's the point of the walled garden to the end user if they don't use it to
stop behavior like this? The entire pitch was that it allowed quality control.
Without that it's just blatantly getting a cut of other people's work.

~~~
dpkonofa
The walled garden isn't some impenetrable fortress, though. It does allow
quality control and that is shown time and again and easily seen when you compare
the Apple App Store against the Google Play store, for example. All Apple is
verifying, though, is that the app is coming from who it says it's coming
from. It's these companies themselves that are selling the data to third-party
companies. Unless Apple can somehow predict and detect this reliably for every
app, the onus of responsibility should be on the companies and their
developers, not on Apple.

