
Apps sending users’ data to Facebook without their consent - trigger
https://www.irishtimes.com/business/media-and-marketing/apps-sending-users-data-to-facebook-without-their-consent-1.3744617
======
dang
[https://news.ycombinator.com/item?id=18788658](https://news.ycombinator.com/item?id=18788658)

------
thisacctforreal
According to the 35c3 talk[0] by the authors, both SkyScanner and The Weather
Channel updated their apps to stop the tracking after the authors told them it
was happening.

[0]
[https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_...](https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_android/)

------
JumpCrisscross
When do we expect the first GDPR challenges to land on Facebook?

The law was clearly designed to deal with them. They continue to violate its
principles. GDPR delivered tremendous collateral damage to raise these gates.
But where is the pay-off? Is there preliminary footwork deploying? Or is
Europe distracted by Italy _et al_?

~~~
tjoff
Facebook tries to offload the responsibility to developers. This is shady at
best and I hope the law catches up.

But there is also the problem of developers that just don't care. Or,
developers that think they care but can't even be bothered to research what a
library they include in an application actually does. This is something
that the death of Facebook will not solve.

GDPR has already been paid off, every day for every user both in the online
and offline world is a victory, and examples of it were shown in the talk as
well. How GDPR pushed developers to discover this issue and demand solutions
for their own apps. How Facebook improved the ability for developers to be
privacy conscious etc. (hardly by choice, but even they didn't think they
could get away with less)

------
Despegar
Apple needs to ban these SDKs from being included in apps. No one reads the
privacy policies and they leak data to another party that the user doesn't
have a relationship with.

Provide first party services, intermediate between apps and ad networks and/or
white list a handful of companies to provide these services that are audited
and have separate contractual relationships with Apple.

I think a good idea would be to stipulate to Facebook, Google, and every
purveyor of "analytics" SDKs that they need to serve iOS app developers and
their users from EU subsidiaries that are subject to GDPR.

~~~
hedora
The article doesn’t mention Apple. Do these apps also do this on iOS?

~~~
judge2020
Apple has a policy that apps (and their SDKs) must comply with IDFA, so if a
user doesn't want to be tracked across the apps they use they can go to
settings -> privacy -> advertising to turn off the tracking.

~~~
Rjevski
Doesn’t solve the issue of device fingerprinting. There are a lot of data
points that can be used to create a near-unique fingerprint of a device.

------
samstave
Simple question: We have firewall capability on every computer.

I am surprised that we don't have a FW on a phone - or an app that can be
installed which I can force all traffic from the phone to pass through, with
source-app and destination IP/App/Service - and choose to block the traffic we
would like.

Are the devices capable of this?

~~~
Gigamo
Check out NetGuard:
[https://f-droid.org/en/packages/eu.faircode.netguard/](https://f-droid.org/en/packages/eu.faircode.netguard/)

~~~
amoshi
Too bad it works by creating a local VPN - I'm already using "Block This!" to
block ads on my device which also works via a VPN, so you can't use both at
the same time.

~~~
thisacctforreal
I wonder if it's possible to create an app that creates a local VPN that
routes through the other VPNs.

------
warent
So let's see here. There are apps that people download which, in a way,
replicate themselves by enticing other people to download them often using
some form of psychological engineering. These apps then compromise the
person's data by streaming it to a server.

The word "app" is frequently used, but these sound more like computer viruses
with a friendly UI, no?

~~~
CamperBob2
_The word "app" is frequently used, but these sound more like computer viruses
with a friendly UI, no?_

I think that's a pretty profound way to look at it, but under a broader rubric
-- perhaps "User-friendly malware" would be a better euphemism. It's also an
ideal way to describe things like Windows Update.

It's easy to imagine some of history's most notorious virus authors going
straight, working for Facebook and Microsoft. More money, more respect, and
the retirement plan beats going to prison.

~~~
zozbot123
The established name for this sort of "phishing" malware is "Trojan horse
malware"
[https://en.wikipedia.org/wiki/Trojan_horse_(computing)](https://en.wikipedia.org/wiki/Trojan_horse_\(computing\))
\- a malicious computer program which is designed to appear non-suspicious and
mislead users wrt. its malicious activity. The irony is that the complex
"app-specific privileges and permissions" system featured on mobile OSs was
_specifically_ intended to prevent mobile "apps" being used as dangerous
trojan-horses, as was - to a lesser extent - the model of centralized "app
store" repositories. It's not working very well.

In this case, we're specifically dealing with spyware - a common sort of
malware where the malicious activity is invading the user's privacy.

------
philliphaydon
Can add Agoda to that list.

I find it insane how I can visit Agoda in a private tab. Search for hotels.
Visit 2 of the hotels. Then switch to Facebook and almost immediately get
adverts for exactly those 2 hotels...

