
Additional Mac App Store apps caught stealing and uploading browser history - tareqak
https://9to5mac.com/2018/09/09/additional-mac-app-store-apps-caught-stealing-and-uploading-browser-history/
======
applecrazy
This is getting scary. I always had the impression that Trend Micro was a
reputed, well-established security company. Why they would sacrifice that
brand for a quick buck is beyond me.

Edit: I don't understand how Apple didn't catch this in their review process:
the exfiltration is clearly visible using a disassembler, as shown in the
original forum report[1].

[1]: [https://forums.malwarebytes.com/topic/217353-get-rid-of-
open...](https://forums.malwarebytes.com/topic/217353-get-rid-of-open-any-
files-rar-support/?tab=comments#comment-1195086)

~~~
api
Surveillance is where the money is. The appetite for data is insatiable, and
since nobody wants to pay for anything there aren't many other business
models.

~~~
danieldk
Ironically, the Adware Doctor tool that was in the news a couple of days ago,
stealing browser history, was $4.99.

[https://www.buzzfeednews.com/article/nicolenguyen/apple-
remo...](https://www.buzzfeednews.com/article/nicolenguyen/apple-removes-
adware-doctor-browsing-history)

------
jakobegger
And now lets think a moment about the fact that Google, Facebook, Twitter,
Microsoft, and thousands of smaller companies do pretty much the same thing.
The only difference is that they collect it differently. Instead of offering
to "clean your Mac" they offer components that developers can integrate into
their websites and apps, for analytics, crash reporting, captchas, etc.

Privacy on our computers and phones is an empty promise, and we need to
radically rethink the way our devices and browsers work if we want to change
that. Legislation like the GDPR is one step, but we need to think about ways
that make it impossible to collect all that data in the first place.

------
ken
"Users do not expect sandboxed apps to get this level of access to their
systems, but it is important to note that when an open file dialog is opened
by a sandboxed app, if you use it to open your home directory, the app can
potentially get access to lots of private information including browsing
history, iMessage conversations, e-mail messages and more."

The macOS sandbox isn't like other sandboxes I've used (JVM, ECMAscript, Tcl,
etc). Even if the user hasn't extended it by explicitly selecting a file, and
even if the app has no entitlements, there seem to be a lot of holes in it --
and they seem to be intentional. The Mac sandbox can be one piece of a
security solution, but you should never count on it to protect you from
untrusted applications.

Of course, if you choose your home directory in a file picker, all bets are
off.

The matter of _user expectations_ is the main reason I wish Apple would revert
the sandbox requirement for the Mac App Store. As a user, it really does seem
like the sandbox should protect me from malicious code, just like Safari
protects me from malicious JS, but it really doesn't. They want the MAS to
seem safe, but it would be better for everyone if they made it clear you still
need to trust the app.

~~~
saagarjha
> "Users do not expect sandboxed apps to get this level of access to their
> systems, but it is important to note that when an open file dialog is opened
> by a sandboxed app, if you use it to open your home directory, the app can
> potentially get access to lots of private information including browsing
> history, iMessage conversations, e-mail messages and more."

This access is going away in macOS Mojave, at least for the built-in system
apps, for precisely this reason.

> The macOS sandbox isn't like other sandboxes I've used (JVM, ECMAscript,
> Tcl, etc). Even if the user hasn't extended it by explicitly selecting a
> file, and even if the app has no entitlements, there seem to be a lot of
> holes in it -- and they seem to be intentional.

> Of course, if you choose your home directory in a file picker, all bets are
> off.

What holes are you talking about? Keep in mind that the examples you mention
and the macOS sandbox solve different problems and have different constraints.
The ones you've mentioned are meant to execute untrusted code and keep it
(almost) completely isolated from the rest of your system. But macOS apps must
have much more access by definition.

> The matter of user expectations is the main reason I wish Apple would revert
> the sandbox requirement for the Mac App Store. As a user, it really does
> seem like the sandbox should protect me from malicious code, just like
> Safari protects me from malicious JS, but it really doesn't.

Just curious: how do you feel about the iOS sandbox situation?

------
makecheck
Hmmm...I remember receiving _daily_ E-mail spam from “Trend Micro”, it was
absurd and I had to block it all. I used to think it might be faked but after
seeing this I’m sure the original company was responsible for all the spam
trash as well.

What I don’t understand about review processes is that _scummy apps and
companies are really not that hard to spot_. Maybe the really crafty ones are
hard to see but I have to wonder how much time Apple really has to spend
(sometimes just from descriptions _alone_ ) to question what an app is doing.

Meanwhile, I once got rejected because I didn’t have a damned minimize button
or something.

------
misterhtmlcss
This is a huge lawsuit. Apple clearly states in the press and in advertising
that the app store is the only way to get apps that are assured to be safe.

I can't imagine it'll take long before there are many and massive class action
lawsuits over this incident. The legal bill will be massive.

I can't wait to see how many precedents get created over the total fallout
from this event. Should be interesting.

~~~
putlake
Such comments are common after every "disaster". When Intel chip
vulnerabilities due to aggressive caching were announced, the fixes reduced
perf for those chips, and these same types of comments were made.

It never happens.

~~~
jacobolus
I can’t see Apple getting seriously nailed, since they probably had no idea
this was happening.

But beyond shutting the companies responsible for selling these applications
down, there should be some criminal liability for the executives. Exfiltrating
users’ browser history without reasonable consent is a huge privacy violation.

I wonder if it falls under CFAA.

------
amarand
I've always enjoyed the Apple App Store because they generally do a decent job
of code review of the apps, and most folks can feel generally safe when
installing applications. But...I've been reading about the apps recently that
have been stealing location data and selling it to third parties. Pretty
scary.

Hopefully Apple will figure this all out before long-time users who have
trusted them completely, start to trust them less.

I'm a fan of the walled-garden, but sometimes the cracks in the facade worry
me a little.

------
userbinator
No doubt the EULA/privacy policy of these apps contains the requisite clause,
but nonetheless they would all be considered spyware. Ostensibly they could
say that recently visited URLs are submitted for better virus scanning...

It's unfortunate that the ongoing trend of opaqueness in computers is making
it easier for things like this to happen. Years ago, blinking network and HDD
lights/sound would have provided at least some sign of unusual activity.

------
forkLding
Once interviewed for a Trend Micro position and had the feeling that they were
a well-reputed transnational company, didn't know that this kind of thing
could have happened. I expect them to code review so this is something that
must have been accepted?

~~~
yread
I once interviewed for AVG and they were quite adamant that their mobile apps
collect all the data they can get their hands on so that they can resell
aggregated statistics.

------
Fnoord
How is this not spyware, and why is this not illegal? Why aren't the makers of
this software getting busted? If I would do this in a shell script on a
machine of my employer I would be toast.

------
bromuro
Apple should integrate Little Snitch with MacOS :)

------
solomatov
Similar behavior is so widespread (browser extensions, mobile apps, and now
desktop apps) that some legislative solution is required. Otherwise, the
companies and individuals doing this will be limited with a light slap on the
wrist like in this case.

~~~
colinjoy
I would think that this kind of data collection is already illegal, at least
with installs in the EU. GDPR mandates that the collected data is either
directly required to render the desired service or explicit and revokable
consent must be given. Clearly neither is the case here.

~~~
solomatov
GDPR works only in EU and I haven't heard of any companies being fined for
similar activity.

