How do researchers find this information? Presumably the apps are using encrypted network connections to submit your location data to surveillance backends. Is guardianapp reversing each application using jail broken devices? Using an iOS emulator to inspect the running app?
A lot of work went into rooting out these trackers, what data they sent, and what apps they were in. We used a combination of static code analysis for each, runtime analysis (e.g. Corellium), and network packet capture/analysis.
The good news is that only that last part is required if you would like to try this, now that the commonly used hostnames are published.
Folks can add the full list to a system such as Pi-Hole, and if they notice any hits for the listed servers, they can then route their device traffic through a tool such as Bettercap or Burp Suite in order to discover the offending app(s) and what information they are sending.
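One way to do the first step described above, as an added example that is not guardianapp's code: scan a Pi-hole query log for lookups of listed hostnames and group the hits by client device, so you know which device to route through an intercepting proxy. The hostnames and log lines are constructed placeholders, the function names are hypothetical, and the log layout is assumed to be dnsmasq's `query[TYPE] name from client` form.

```python
import re
from collections import defaultdict

# Placeholder hostnames (constructed); substitute the published tracker list.
TRACKER_HOSTS = {"sdk.tracker-one.example", "tracker-two.example"}

# Constructed sample lines in dnsmasq query-log style (assumed Pi-hole format).
SAMPLE_LOG = """\
Sep  9 10:15:01 dnsmasq[1234]: query[A] api.weather.example from 192.168.1.23
Sep  9 10:15:02 dnsmasq[1234]: query[A] sdk.tracker-one.example from 192.168.1.23
Sep  9 10:15:02 dnsmasq[1234]: forwarded sdk.tracker-one.example to 9.9.9.9
Sep  9 10:16:40 dnsmasq[1234]: query[AAAA] eu.ingest.tracker-two.example from 192.168.1.23
Sep  9 10:17:05 dnsmasq[1234]: query[A] nottracker-two.example from 192.168.1.40
Sep  9 10:20:11 dnsmasq[1234]: query[A] SDK.Tracker-One.example. from 192.168.1.57
"""

# Only "query[...]" lines carry the client address; forwarded/reply lines are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[A-Za-z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)


def matched_tracker(name, trackers):
    """Return the listed hostname that `name` equals or is a subdomain of.

    Matching walks whole DNS labels, so "nottracker-two.example" does not
    match "tracker-two.example" the way a plain substring test would.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in trackers:
            return candidate
    return None


def find_tracker_hits(log_text, trackers):
    """Return {client: {tracker: {count, first_seen, last_seen, names}}}."""
    hits = defaultdict(dict)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue
        tracker = matched_tracker(m["name"], trackers)
        if tracker is None:
            continue
        entry = hits[m["client"]].setdefault(
            tracker, {"count": 0, "first_seen": m["ts"], "names": set()}
        )
        entry["count"] += 1
        entry["last_seen"] = m["ts"]
        entry["names"].add(m["name"].lower().rstrip("."))
    return {client: dict(found) for client, found in hits.items()}


if __name__ == "__main__":
    for client, found in sorted(find_tracker_hits(SAMPLE_LOG, TRACKER_HOSTS).items()):
        for tracker, info in sorted(found.items()):
            print(f"{client}  {tracker}  x{info['count']}  "
                  f"{info['first_seen']} .. {info['last_seen']}  {sorted(info['names'])}")
```

A device that shows up here is the one to proxy next; the log alone identifies the device, not the app.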
I personally believe this is unlikely, because then the firms paying for this data will not be so sure that the information is legitimate, whereas collecting directly from user devices makes fraud more difficult.
Are you sure that that is actually a big problem for them? I imagine it would be quite hard to convincingly fake user data.
I could also imagine ways around that. For instance their proprietary SDK could generate the data and cryptographically sign it. Or they could require that app makers set up a special subdomain that points to their ip address. I guess it would only be worth the trouble if enough people care about it.
It is most definitely a problem. Detecting fake clicks is hard enough even when the links are pointing to ad-tracking hosts. In fact browser adblocking could be wiped out instantly if ad networks trusted websites to report their own hits.
That day probably someone will write a browser extension that does essentially what trackmenot did against search engines: make noise. That is, as soon as the user loads a page, N threads would crawl the same page in background and start random silent clicking while the user surfs normally. They could even make a memory map of the site and assign the random clicking to any of the active connections just in case on the other side someone tries to filter against the connection order (1st one is the user, from 2 on they're bots).
I mean things like "This app can use location services and access the Internet", like Android has. Why doesn't Apple disclose these sandbox limitations?
You cannot decompile apps without a jailbroken device, as they're encrypted with FairPlay. And iTunes, at least with the latest version, no longer lets you download apps.
1a. You don't have to pin the leaf. You can pin an intermediate
1b. Or you can pin the public key and ignore the certificate altogether, new certificates for the same key can be obtained as necessary.
2. The maximum certificate lifetime is currently 825 days, which, unless you're on another planet, is not "yearly".
3. If you're pinning for an application (not a generic website accessible in browsers) you don't need a certificate from the Web PKI at all, you can mint your own, ignore the lifetime rules, write Emoji in the Common Name field, use a different RSA exponent, the world is your oyster.
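Point 1b as an added example (not code from the thread): a public-key pin is the SHA-256 of the certificate's SubjectPublicKeyInfo, so a renewed certificate for the same key still matches while the whole-certificate fingerprint changes. The certificates here are constructed, unsigned DER structures with placeholder key bytes, and all helper names are hypothetical.

```python
import base64
import hashlib


def tlv(tag: int, value: bytes) -> bytes:
    """DER-encode one tag-length-value element."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value


def read_tlv(buf: bytes, off: int):
    """Return (tag, value_start, end) for the element starting at `off`."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        start, n = off + 2, first
    else:
        k = first & 0x7F
        if k == 0 or off + 2 + k > len(buf):
            raise ValueError("bad DER length")
        start = off + 2 + k
        n = int.from_bytes(buf[off + 2:start], "big")
    if start + n > len(buf):
        raise ValueError("truncated DER")
    return tag, start, start + n


def extract_spki(cert_der: bytes) -> bytes:
    """Return the complete SubjectPublicKeyInfo element of an X.509 certificate."""
    tag, start, _ = read_tlv(cert_der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, pos, tbs_end = read_tlv(cert_der, start)    # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(cert_der, pos)
        fields.append((tag, pos, end))
        pos = end
    first = 1 if fields and fields[0][0] == 0xA0 else 0   # optional [0] version
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    if len(fields) < first + 6 or fields[first + 5][0] != 0x30:
        raise ValueError("no SubjectPublicKeyInfo found")
    _, s, e = fields[first + 5]
    return cert_der[s:e]


def spki_pin(cert_der: bytes) -> str:
    """Base64 SHA-256 of the SPKI: the value an app would ship as its pin."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the whole certificate: what a leaf-certificate pin compares."""
    return hashlib.sha256(cert_der).hexdigest()


def pin_matches(cert_der: bytes, pins) -> bool:
    """Accept only if the presented key is pinned; unparsable input fails closed."""
    try:
        return spki_pin(cert_der) in pins
    except ValueError:
        return False


# --- Constructed test material: placeholder keys, all-zero signature ---
ED25519 = tlv(0x30, tlv(0x06, bytes.fromhex("2b6570")))   # OID 1.3.101.112


def make_spki(key: bytes) -> bytes:
    return tlv(0x30, ED25519 + tlv(0x03, b"\x00" + key))


def make_cert(serial: int, not_after: bytes, spki: bytes) -> bytes:
    cn = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"api.app.example"))
    name = tlv(0x30, tlv(0x31, cn))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, not_after))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + ED25519 + name + validity + name + spki)
    return tlv(0x30, tbs + ED25519 + tlv(0x03, b"\x00" + bytes(64)))


KEY_A, KEY_B = bytes(range(32)), bytes(range(32, 64))
CERT_ORIGINAL = make_cert(1, b"250101000000Z", make_spki(KEY_A))
CERT_RENEWED = make_cert(2, b"260101000000Z", make_spki(KEY_A))   # same key, new cert
CERT_OTHER_KEY = make_cert(3, b"260101000000Z", make_spki(KEY_B))
PINS = {spki_pin(CERT_ORIGINAL)}

if __name__ == "__main__":
    print("renewed cert accepted:", pin_matches(CERT_RENEWED, PINS))
    print("other key accepted:  ", pin_matches(CERT_OTHER_KEY, PINS))
```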
1a. You can't control what root/intermediate will be used by your certificate supplier one year from now.
1b. You should not reuse private keys between certificates and never for intermediate or root.
2. It's yearly or 2 years for the most common suppliers.
3. Have fun getting your certificate accepted from every device and operating system.
Anyway. I am not saying that it can't be done, I'm saying that there are a lot of challenges to doing it properly and any mistake will make the app completely broken.
> Have fun getting your certificate accepted from every device and operating system.
You have full control in a native iOS app over which certificates you accept or reject. Which is why the author specified that the trick would work if the endpoint is just for apps.
If you submit an app you have to set a flag indicating what kind of communication you’re going to use. If it’s not a secure connection using valid certificates you have to use the ‘insecure connection’ flag and that will cause extra review steps. If there’s no good reason you’ll be denied.
The first suspicion arises when the app uses more bandwidth if you move it a lot, compared to the app on a stationary phone. I guess researchers can emulate the "moving". And they can virtualize the clock as well. So in principle they can send the app around the world in a matter of seconds and see what the app does on the network.
I’ve reverse engineered SSL-encrypted iPhone app traffic before using Charles proxy and a self-generated SSL cert to decrypt the requests. From there, you can see which endpoints are receiving what data in plain English.
I’ve only done this for apps not using certificate pinning. It gets more complicated from there.
No surprise to see a number of weather apps on here. Seems to be such an incredibly scummy category.
The built in Apple app is fine for basic information. There are plenty of high-quality third-party apps. Weather Line (my fav) is $2. DarkSky is $4.
Instead people go for these weird free apps covered in ads with terrible UIs. The NOAA one isn’t made by the government, seems like using that name should be some kind of copyright infringement.
Of course WeatherBug on desktops was adware/malware for a very long time. Maybe it still is.
Then you get scareware stuff like the earthquake notification app. You better let us track everything you do otherwise you might die!
There are so many good apps on the store made by good developers. It’s amazing how much better your experience is if you just avoid free apps when possible.
Of course some of these apps, like the ones that you NEED to use for certain parking meters, are especially evil because there isn't any choice. If you need that service, you’re giving up your privacy.
I wish Apple would crack down on this stuff. I imagine a lot of these apps are doing things that already violate the App Store guidelines. If they don’t, they probably SHOULD.
I bet Apple will crack down on these location tracking SDKs, but it likely wouldn't eliminate this type of tracking.
The main reason these apps are getting caught is because they are blatantly including the SDKs of the monetization firms in their client apps, and transparently sending data directly to the servers of those firms.
But what's to stop a weather app from just doing it server-side, so it's undetectable to third parties?
For instance, a weather app must send location data to some backend, in order to fetch weather data. That backend could send the location data to these exact same monetization firms. It would be difficult for Apple to detect and block this behavior.
The firms would then have a much harder time knowing if the information is genuinely from end users, if they no longer collect directly from user devices.
Basically, the scoundrels don't trust other scoundrels. That's what's saving us from getting server-rendered first-party ads on most websites, that would make adblocking much more difficult.
Actually server side rendered ads would be a whole lot more acceptable to me compared to what we have today: less bloat, less risk of malware injection.
Personally, I could live with some advertising if that is how it was served and it was slightly relevant.
When they want to try to track me around the web to see what technical and news sites I visit and then serve me ads for dating sites then I'll just turn on my adblock again ;-)
What you're describing already happens. The only way to defeat that is with client-side mitigations like uBlock. DNS-level mitigations like Pi-Hole will stop the content from loading if the ads aren't loaded.
A lot of firms (maybe most?) which buy this data actually don't care about that much as long as you can otherwise demonstrate the data is valid. If the data is predictive over time, it's valid, and most firms will happily accept that demonstration (with the proviso that they cease working with you once the data loses predictive value).
The reason the apps use those SDKs directly is because there's a hierarchy of resellers. The app developers themselves are lazy and typically want the SDK functionality which is provided free in return for their users' data. They're not always in the business of selling data themselves, they're just ambivalent.
Then the SDK providers abstract their own involvement in any particular app while still getting data.
> Of course some of these apps, like the ones that you NEED to use for certain parking meters, are especially evil because there isn't any choice. If you need that service, you’re giving up your privacy.
Which of course makes it a direct violation of GDPR. I hope a group of European citizens take some action
Actually you don't need to give location. Parking meters have a four digit code written on them that you can use instead. Location is just for convenience.
In the US, high quality weather data and forecasts can be bookmarked as a web page/icon for your zip code, https://www.weather.gov. Works well and no data leakage.
I never understood why one needs separate apps for all this basic information. I just use homescreen bookmarks to my trusted weather/news/sports sites. Not only are they more secure and ad-free, they load faster too.
It depends on where you live. In Southern California I really didn’t care but on the east coast Dark Sky’s push notifications for imminent rain are handy.
That app's also interesting because they also make forecast.io, which is a great example of a modern web app being competitive with an app on most fronts other than notifications.
>There are so many good apps on the store made by good developers. It’s amazing how much better your experience is if you just avoid free apps when possible.
Yes. It cannot be emphasized enough. Go pay for apps that are good.
So I have to settle with an environment that doesn't value privacy or security on a hardware or software level because of some vague ideal of free choice. Okay.
No, it's not unless you're already biased. Android and iOS have the issue of ad-infested apps doing bad things with your data (and I'd even assume Android is in a worse situation), but this doesn't apply to most paid or trustworthy apps. It's not solely an iOS issue.
It also doesn't say anything about Apple's behavior regarding private data or the lengths they go to to secure iOS devices, compared to most Android manufacturers or Google.
The best free apps I've found are just business moats to point you to another money maker. As callous as I'm phrasing it, those free apps tend to be leagues better than the population of paid apps.
generally a good rule of thumb, though ive also seen a few cases of a good open source app having a bunch of scummy forks that end up being more popular on the app store (eg shuttle vs phonograph). i wonder if google promotes apps with advertising more than their ad-free counterparts? the conflict of interest is so obvious but i digress..
Generally I trust the Fdroid repository much more than I trust Google's repository. Though if Fdroid became very popular with the masses I don't think that could continue to be the case, unfortunately. It's a difficult problem to weed out the bad apps...
What I’d really like to know is whether anybody has any evidence whatsoever that paid apps in these same categories don’t do exactly the same things in exactly the same percentages.
It is a simple rule and there are definitely exceptions in both directions. (Good free apps, bad paid apps)
The safest assumption to make is that if you give an app permission to access information from your device that the information will be shared with a nefarious actor.
From there, if you want to get benefits from uploading your information, you can make adjustments like "Oh, I know this guy, he's been making apps for a long time and seems trustworthy." or "This is a larger company and isn't likely to be bought just to strip mine their customer data. Additionally they probably have safeguards in place to keep rogue employees from running off with it."
None of those is fail-proof, but it's all about risk.
The more I think about it, the more I think it is appropriate to say if an app is free, you are the product and can assume they will extract every bit of value from you that they can.
If an app is paid, there is at least the possibility you aren’t the product. But you still might be.
> The NOAA one isn’t made by the government, seems like using that name should be some kind of copyright infringement.
I'm pretty sure copyright doesn't apply here! It's possible it's a trademark infringement? (No idea if the name or acronym are trademarked though), or possibly impersonation of a government entity? Either way, it's certainly not a copyright issue to use the name.
The Lanham Act prevents anyone from registering trademarks that "Consists of or comprises the flag or coat of arms or other insignia of the United States, or of any State or municipality, or of any foreign nation, or any simulation thereof":
Usually "misleading" is what Trademarks are intended to prevent. If it's misleading (in the EU at least) then it's most likely an infringement.
"NOAA weather" as the app name implies that the direct source of the _app_ is NOAA, "Weather using NOAA data" and similar wording disambiguates and avoids trademark infringement (and/or passing off ["misappropriation"/misrepresentation in USA] - which is a very weak unregistered version of Trademark which this situation nonetheless appears to fall foul of).
Adware Doctor, the number one paid utility in the Mac App Store, is secretly logging the browser history of users, and sending it to a server in China.
The app is currently listed on Apple's Mac App Store as the company's fourth-highest "Top Paid" software programs, behind Final Cut Pro, Magnet and Logic Pro X. It is also the store's No. 1 paid utility.
The app currently costs $4.99, is validly signed by Apple, and its listing on the Mac App Store is accompanied by a majority of lavishly positive five-star reviews.
That case is really odd. I read the article about it. It’s really questionable how it got that high up in the App Store, and it’s from a developer who has ripped off other people's apps and done questionable things in the past.
It wouldn’t surprise me if the developer had used shady tactics to “buy“ a lot of copies of the app to push it up the rankings so that they could start to lure in real users.
More than anything it just looks like Apple was asleep at the wheel with a sketchy developer.
The problem is when not being complicated means they aren't truthful. Do you track crashes? Do you have any logging that tracks an IP address?
I view my dedicated home IP as personal, if not all that private, information. Does minimal logging actually require storing personal information? Is there a common, or legal definition of what personal information is?
I'm all for simple policies, but I would also rather they be accurate, and I would hate to see people who are trying to do good by having a simple policy like that end up in trouble because the law doesn't quite agree.
the app collects no data whatsoever. i have no idea what your IP address is (the app connects directly to environment canada to retrieve the raw radar data). no crash data/telemetry is collected automatically, but bug reports are welcome on the github repo. so please don't insinuate that this policy is not true.
and yes, there is a legal definition of personal information. since im based in canada, that would be as defined by PIPEDA (the Personal Information Protection and Electronic Documents Act)
> the app collects no data whatsoever. i have no idea what your IP address is (the app connects directly to environment canada to retrieve the raw radar data). no crash data/telemetry is collected automatically
!!! You're the best. Thank you! Unfortunately not US/Can, otherwise I'd immediately switch to your app just because of that (I'd buy it anyway if it was paid, just to show support).
I wish more devs would have this approach. You don't need telemetry to create good software. You don't need to monitor what the user does with your application, when and how. You don't need to log everything, or listen in on conversations with third-party APIs. You don't have to outsource testing and QA onto your users.
Crash logging is extremely useful for catching edge cases or third party failures so I wouldn’t give that up but there’s no reason why it can’t involve the user with a Firefox-style “is it okay to report this? Here’s what gets sent…” prompt and aggressive data scrubbing.
Sentry does a really nice job of restricting the data which is stored, for how long, and scrubbing things which might have been included by mistake. I was just setting up an on-premise server yesterday and it’s pretty easy to configure it server-wide in a privacy-preserving manner.
RE crash-logging Firefox-style, apps that do it this way gain a lot of respect from me, especially if they let me see the contents of the report before sending. I've even seen one or two Android apps that would handle bug reports by firing up an intent for sending e-mail, which when directed to the mail app, resulted with a new message, already filled in with all details, just waiting for you to press Send.
But you are sending personal data (ip address) to a third party by directly connecting to their service. Not sure about canadian privacy law, but eu company would need to list this third party in their policy.
edit: just realized this comes across like bikeshedding. I do applaud and like your approach to privacy and its simplicity. It wouldn't decrease the appeal of your app at all to mention that you query the environment canada data, which is probably a public service and will not misuse the data itself.
It is totally awesome that you are not doing anything creepy, but I hope you can understand that some folks are going to be more wary nowadays and that is not a bad thing IMO.
I'm not trying to insinuate your policy isn't true, but to note that a simple policy isn't always applicable, and it might be a little complicated. All the "you"'s in my original comment can be taken as the "general you", not you specifically.
I wasn't trying to insinuate your policy was wrong (I actually assumed it was likely correct, a weather app doesn't generally require much in the way of server support from anything except the weather service), but that "Privacy policies don't need to be complicated" might be a bit optimistic for a lot of apps.
This may not apply to TrueWeather in particular, but other apps could have the same policy and send the app requests to other services that do collect personal information... so, for the policy to be clear it would have to say "At time of publishing TrueWeather nor any of the services used by TrueWeather collect any personal information"... just my humble opinion on this complex topic.
The basic weather warning features are free. The whole weather app costs 1,99€.
It's been sued recently by a commercial app company (which also uses their data) for providing the service for free. So normal citizens have now to pay for it (even though they pay for the Office already through their taxes but well...that's capitalism for you). They offer a free version for people who work for fire departments etc. though.
This is the only app I've ever paid for on an app store.
> Of course some of these apps, like the ones that you NEED to use for certain parking meters, are especially evil because there isn't any choice. If you need that service, you’re giving up your privacy.
It's amazing neither iOS nor Android has a location picker/Intent that can be launched by the OS to give an app a one time location. Like the ones that exist for contacts, picking photos or sharing links[1].
For parking meter apps i only want to give location access when i press the "find closest parking" button, never else.
While we are on the topic, app store reviews should also be much stricter on enforcing usage of standard Intents. Many apps request full contact list, camera and full file system permission when they could use Intents for all their use cases. Maybe enforcing is a bit strict but apps not following the spirit of the OS architecture and requiring more permissions than needed should be ranked lower in app store rating and search results.
> It’s amazing how much better your experience is if you just avoid free apps when possible.
It doesn't necessarily follow that because an app is free that it has a higher probability of being malicious. If anything developers will introduce malicious code into paid apps because those types of users typically have money in their iTunes account and are more interesting / have a better list of credentials to steal than 'freeloader' type users.
On the flip side, the market prices for most of these tracked data are not very high. It's only lucrative to sell this data if you have a very large user base. For paid apps with smaller user bases, the incremental revenue is likely negligible.
A bit like calendar or to do lists, aside from the very basics, everyone wants something different. And people don’t like paying in general, but all the more so if they feel their needs are not completely met.
I remember PocketCast founder explaining they started iOS dev with a weather app for Australia because none really worked for their country.
This is also evident in all the local apps in every country. DarkSky you mention isn’t even available internationally for instance. A flurry of low quality but free and mildly niche apps seems inevitable.
I just think that installing a weather app in general is stupid.
I just don't see the actual need to have one installed for the vast majority of people.
Systems need weather apps/information: ships/boats, planes, etc...
Your phone does not. Nor your desktop.
There was a ship that was getting delayed weather information [0] and it sank and people died - and so it's clearly important to track weather on ships and planes and transport that will be at risk in inclement weather.
Otherwise, look out the window, or read the weather off google.
Do you live in SF? I honestly can't tell if that is purposely facetious or simply ignorant of the vast diversity of weather and weather reporting needs outside of SF..
Also, "read the weather off google" is essentially equivalent to having a very shitty weather app, with crappy UX and which requires you to always be on-line (whereas decent weather apps will cache their forecasts).
Sadly I am too naive at reading the atmosphere to determine what the weather will be like five days from now. I have to rely on people with supercomputers for that.
I like Weather Underground's approach; their app is free-with-ad but if you run a weather station and contribute to their network then you can disable the ads for free. Flightradar 24 has a similar business model.
Why does it seem like browser extensions are ignored in all of these discussions? For example, right now the Honey Chrome extension has permission to "Read and change all your data on the websites you visit". They could be doing anything with that, I'm just crossing my fingers that they find me good deals and don't abuse my data.
Chrome actually acknowledges this: "Warning: Google Chrome cannot prevent extensions from recording your browsing history. To disable this extension in incognito mode, unselect this option."
Related question: why can't we restrict the domains that Chrome extensions can read data from?
I have developed Chrome extensions. You can specify the domains that your extension runs on (via regex like syntax). However, I am not sure if Chrome surfaces this information to its users.
That’s not an issue in iOS/Safari because extensions can’t do that kind of thing.
I’ve seen other people complain about this for chrome. I saw people justifying it by saying that that permission is necessary if you want to interact with the page directly (hide/show content, etc.).
Doesn’t mean the extensions are to be using it, but it may be necessary. Much like GPS data for a weather app.
GPS data for a weather app is not necessary, because it's way too precise for its purpose. Most of the time I need to know how the weather is elsewhere, or how the weather is going to be today. How does precise (to a meter) GPS data help me there exactly?
I use a precipitation radar app that tells me with fair amount of accuracy whether/how heavily it's going to rain 15-90 minutes from now. It often does matter what part of the city you're on. Since we bike everywhere to get around, it's kind of nice to get an idea whether waiting another 10 minutes to leave avoids the heaviest part of a shower, or better just bite the bullet because it's only getting worse in the next hour.
Although now that I think of it, I have its location locked to my home address because I didn't feel like being tracked :) It generally works well enough within ~3km or so, and I compensate the hit in accuracy by looking at the sky and drops/splashes in puddles/windows/cars (it's much harder to judge the intensity of rain by trying to spot droplets in mid-air).
I don't need the longer term forecast quite as much to have an app for it, for that I just use a bookmark to my local news weather page.
Not to the meter but we get plenty of rainstorms where a half mile makes the difference between wet and dry, and Dark Sky’s push alerts are surprisingly useful.
They use radar and software to predict storm growth and trajectories. Next time you look at a radar map ask yourself the physical size represented by one pixel: in much of the United States it should be something like 150m.
My understanding was you couldn’t even have extensions on iOS, except for ad blocker style things which are explicitly limited by API to prevent blocker from knowing what it was blocking due to tracking concerns.
No, there are extensions for both macOS and iOS. For iOS the user needs to explicitly tap the extension for each page they want it to work on, while on macOS it can run on every page once it’s been approved.
Ya I think an option to ask permission per website should be there..it could be subtle like an orange icon that you need to manually click the first time to give permission to that domain
I've always thought the permissions model of Chrome/Firefox/Edge extensions is a bit upside-down: extensions need permissions to access data, perform actions in the browser, and modify/contact specific or arbitrary URLs, but there are no permissions to prevent them from being abused in combination. A data-flow permissions model would go a long way to improving privacy when using extensions.
For example, Vimium (which I've worked on in the past) needs access to every page so it can add its key bindings, most browser functionality so it can trigger it when the appropriate key is pressed, and history, tabs, etc. so that commands for opening these work correctly. This combination gives Vimium full permission to harvest data and send it to arbitrary URLs, open tabs to random spammy URLs, and generally invade the user's privacy in any way that an extension possibly could, if it so desired.
As an alternative, it would be nice to have some kind of data source marker (user-provided to extension, user-provided to webpage, webpage data, browser data, hardcoded data) and then flow permissions around these, so you can have permissions like:
- open tabs/make requests/load images/etc. with user-provided URLs
- open tabs/make requests/load images/etc. with URLs found in/derived from webpage URLs (in the same origin)
- open tabs/make requests/load images/etc. to URLs with a hardcoded origin
- include some kind of browser information in a request to one of the above types
- include data a user has provided to a webpage in a request to one of the above types
- include webpage data in a request to one of the above types
- inject browser data into a webpage with a specific/arbitrary URL
- etc.
By separating permissions for what requests extensions can make, what data can be included in requests, what webpages they can affect, and what behaviours they can trigger, it should be very easy to see what an extension is/could be doing. Sadly, this would be very technically challenging to implement, there doesn't seem to be much appetite for it, and there's a real danger of overcomplicating the permissions model so that it becomes unusable.
that's hardly practical, the point of most extensions is that they stay with you as you browse the web to enhance the functionality of websites. a coupon tracker like honey that only works on amazon.com would obviously be superseded by a coupon tracker that worked everywhere on the web. users would just keep adding permissions to access websites until the whole thing became an exercise in frustration
To be somewhat fair in this case, the TC author got an advance copy of the reporting and data in order to get some company responses included, so I suppose there is a value-add in that respect.
My company analyzes iOS and Android apps en masse, using static and dynamic analysis. We've partnered with several major universities to provide data like this about apps. If any researchers are interested in this data, please feel free to reach out.
For location in particular, we see which location collection permissions the app has, as well as indirect methods like Bluetooth and Wifi. We also see the commercial integrations, like the companies named in the article.
Ours (guardianapp) does exactly this as well, although exclusively for iOS. We are using the data we glean from the static + runtime analysis for an upcoming mobile firewall app but are open to other interesting opportunities.
Please feel free to send a message at any time, even if you would just like to compare notes on all this (hello@sudosecuritygroup.com).
From the article:
"[ASKfm] asks for access to a user’s location that “won’t be shared with anyone.” But the app sends that location data to two data firms, AreaMetrics and Huq. When reached, the app maker said it believes its location collection practices “fit industry standards, and are therefore acceptable for our users.”"
Surely this is legally actionable activity, right?
Data collection fits "Industry standards" because the industry is inherently corrupt -- Adtech requires immense user data because they chose to target users rather than content.
I wonder if some of what these developers are engaged in could legally be interpreted as fraud? Civil fraud is a thing.
Some of these developers have:
- making misleading and knowingly false statements
- profiting from these actions
- people were fooled by these statements
The tricky part might be demonstrating ‘harm’, but at least some jurisdictions have enshrined a legal right to privacy, violation of which could be grounds for legal action.
In the case of Gas Buddy (and larger, Cuebiq), I've seen two family members have their entire data plan used up on their behalf by the location services being overused. I'm guessing a bug in a recent version of their library. It might be possible to argue at least a phone bill out of them as harm.
My wife recently was at a certain chain store for books and paper accessories. She did not interact with Amazon in the store, and does not have the Amazon app installed.
And yet, just minutes later, she started receiving Amazon recommendations for exactly the kind of items you would expect at the store she had been. I told her that this is a coincidence, but other apps sending her location could actually explain it.
Hopefully someone will add the tracking domains to a pihole list. Doesn't help when you're on the go though unless you vpn to a network you own with a pihole installed.
This might be a good time to remind folks what systemic problems are.
Systemic problems are where everybody is acting in good faith, trying to do the right thing, yet the system overall is in a state that's unacceptable. And the harder they work at their little piece, the worse the system gets.
Governments aren't at fault. They clearly are working on enacting privacy laws. OS vendors aren't at fault. They clearly are working on making sure apps behave within some defined behaviors set by the user. Walled Gardens aren't at fault, they are working on rooting out bad actors. App makers might not be at fault. They simply might be monetizing traffic using generic services that only take what the user has already agreed to. Even the services themselves can claim to be working on solutions. After all, didn't the user approve this? And aren't the rest of the food chain approving of this kind of thing? That's the thing: certification systems, whether they mean to or not, end up being a kind of blanket approval. They passed the tests, aren't they okay?
When news breaks, the public immediately wants to find a bad actor and bash them over the head, not wanting to admit or think about the fact that the entire system is at work. So controls are tightened on one bunch and the rest of them make statements (and efforts) about trying harder.
At root is probably something simple like "Don't track user's locations. Ever." I don't know. But I know the desire to simplify the story can lead to a lot of heat and noise -- and not much progress. Any certification system that says that a particular piece of code passes some kind of test can be construed that it passes all kinds of other tests -- and you can never lock up code, no matter how hard you try. This faith in certification systems is misplaced and very well may be a multi-billion-dollar fool's errand.
I asked a network info app developer why it's not possible to at least track and control network connections on iOS, like Little Snitch does (or did) for MacOS. "iOS doesn't support that". Well, duh? I don't even know what to think. Knowing where the iOS device connects to will be a huge help "cracking down" on BS apps!
And then I read in the comments that it might be virtually impossible for Apple to detect malicious/privacy breaking behavior, or consumers should go pay for apps that are good. Right.
It's easy to figure out what an iOS device is connecting to: use a network extension that inspects network traffic. And given that Apple has none of the restrictions they impose on third party developers, they can essentially do what Little Snitch does on macOS.
There is no way to control the iOS firewall via extensions in iOS. Meaning, it's still not supported, and what you see as "essentially" the same misses the point. I want to block connections of specific apps. What iOS can do is reveal connections made by the network device to the outside. Duh. Set up Wireshark on some AP and get the same info.
Niche startup idea, VPN for your mobile device that can analyze and block traffic. Block entire countries, 3rd parties, etc. Give realtime feedback on their dashboard as applications are loaded. Could also be useful as a developer application profiling tool.
Facebook attempted such a thing already, and was caught exploiting it. VPN apps for the purpose of traffic control and monitoring are dangerous as they rely on some other party. I could do the same thing without ever needing a service for that. Setting up a monitored VPN gateway is no rocket science for me, I could do that, but the folks using crappy apps couldn't. And I would still need a way to map traffic to specific apps to identify unnecessary/malicious traffic. There is no other way than via the internal iOS firewall. I wonder how the team behind that report managed to do what they claim they did.
Using a clean install of the OS, removing network access for almost everything and installing a single app, and baselining background network traffic, I don't think it would be difficult or too noisy to see application specific network activity.
Do you have it as a service, or a set of OpenVPN scripts I can install? I could see a nice Grafana dashboard of my outbound traffic. Install your cert on my device, break into sessions and then further analyze traffic.
This will be a commercial service, in order to fund ongoing research efforts allowing us to quickly discover and block all possible forms of tracking, phishing, and other malicious traffic.
That said, in the future, lists will be published for folks with the ability and time to operate a Pi-Hole for themselves, if preferred.
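The baselining approach described above (clean device, one app installed, compare background traffic), combined with a published hostname list, sketched as an added example that is not part of the thread or any commenter's tooling. It assumes DNS queries are logged in the dnsmasq query-log format that Pi-hole uses; the log lines, client address and `.example` hostnames are constructed.

```python
import re
from collections import defaultdict

# dnsmasq query-log line, e.g.:
#   Dec 10 09:00:01 dnsmasq[412]: query[A] host.example from 192.168.1.50
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)

# Constructed sample logs: device 192.168.1.50 before and after installing one app.
BASELINE_LOG = """\
Dec 10 09:00:01 dnsmasq[412]: query[A] time.platform.example from 192.168.1.50
Dec 10 09:00:04 dnsmasq[412]: query[AAAA] push.platform.example from 192.168.1.50
Dec 10 09:00:09 dnsmasq[412]: query[A] updates.laptop.example from 192.168.1.77
"""
TEST_LOG = """\
Dec 10 10:00:01 dnsmasq[412]: query[A] time.platform.example from 192.168.1.50
Dec 10 10:00:03 dnsmasq[412]: query[A] api.weatherapp.example from 192.168.1.50
Dec 10 10:00:03 dnsmasq[412]: forwarded api.weatherapp.example to 9.9.9.9
Dec 10 10:00:05 dnsmasq[412]: query[A] ingest.tracker-sdk.example from 192.168.1.50
Dec 10 10:00:06 dnsmasq[412]: query[A] cdn.other.example from 192.168.1.77
"""
# Constructed stand-in for a published tracker hostname list.
BLOCKLIST = {"tracker-sdk.example"}


def queries_by_client(log_text):
    """Map each client address to the set of hostnames it queried."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:  # skips "forwarded", "reply" and other non-query lines
            seen[m["client"]].add(m["name"].lower().rstrip("."))
    return seen


def on_blocklist(name, blocklist):
    """True if the name or any parent domain of it is on the list."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def new_domains(baseline_log, test_log, client, blocklist):
    """Hostnames the client queried only after the app was installed,
    each paired with whether it matches the blocklist."""
    baseline = queries_by_client(baseline_log)[client]
    test = queries_by_client(test_log)[client]
    return [(name, on_blocklist(name, blocklist)) for name in sorted(test - baseline)]


if __name__ == "__main__":
    for name, flagged in new_domains(BASELINE_LOG, TEST_LOG, "192.168.1.50", BLOCKLIST):
        print(("TRACKER  " if flagged else "new      ") + name)
```

This only surfaces hostnames resolved through the logged resolver; seeing what an app actually sends still requires routing the device through an intercepting proxy, as mentioned earlier in the thread.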
One thing to keep in mind is that IP addresses provide a pretty good location too. Even without GPS data, they at worst know what city you are in, probably down to the house depending on the ISP.
The data has been mapped and correlated over the years along with IPs. On many ISPs, the IP is fairly static. May not be the ISPs. Fill out a web form to buy something and now that IP->location is linked, use a cell phone app that collects the SSIDs and location and IP...
I don't think it even needs to be the ISP, if you buy something from an online shop that then sells your information on, then that information has leaked.
Weather channel. Powers iOS built-in weather, and fetching actual weather data = sending exact user location every hour.
I have no idea why Apple allows this (the whole point of making Apple maps was to stop google tracking iOS users and here a service is getting everything).
(And Android - try to find an android phone where a default always on weather widget isn't preloaded on homescreen.)
> Deep Thunder combines big data and machine-learning tools from IBM Research with The Weather Company’s global forecasting model ... the tool will help companies with critical decision making. The data will be able to show how minor changes to weather, such as temperature, might affect things like consumer buying behavior, helping retailers to adjust their supply chains and shelve stock
(this was meant to be snarky. i'm just a developer with a calendar app that requests location data to humbly provide location place recommendations... no monetization, no sharing of this data, and it's essential to being able to fill out the "location" field accurately. this constant stream of negative attacks against apps not built by FAANG is destroying trust in independent apps, due to the actions of a few bad actors. ironically, this is just driving people back to a handful of monopolies who monetize user data in-house. the winner here is google (and, let's be honest, they are probably already doing something with the location data we're sending them to get the nearest place ids).)
Respectfully, one goal of doing this research was to shine a light on those who are engaging in these practices, so that users who dislike it can potentially find alternatives.
This is a good thing for any apps who do things right.
They're not getting around that, users are giving them permissions to location data.
From the article:
> Almost all require access to a user’s location data to work properly, like weather and fitness apps, but share that data often as a way to generate revenue for free-to-download apps.
Because users are authorizing the app, for a seemingly legit purpose, but they are not intentionally authorizing the bundled third party SDK that came along for the ride to exfiltrate all of the data that it can.
I don't know if it's possible anymore, but one way used to be that the app would send a list of every wifi network it could see. This can be used to calculate your position surprisingly accurately, in most places in the world.
The article says these are apps that have asked for location permission for other purposes (like homes.com, which presumably uses location services to guide you to real estate?).
Are you guys aware that major corporations i.e. T-Mobile and Sprint are selling app usage data to hedge funds? Forget the popular apps recording this, major telecommunications companies are selling it.
Well maybe apps like Facebook (=Instagram), Apple Weather, Gmaps will "only" use your data internally, but they also make most of their money from ads. So yes, all our data is always used to target ads, political campaigns and "viral" marketing campaigns at us. Where is the surprise in that? If you asked 2007 software engineering student me, I would've told you back then. That was the point in time where this work started. Nowadays everybody is doing it themselves or selling the data one way or another.
Don't you know that also this very post will be grabbed by multiple people and companies and analysed to death by their algorithms to maybe squeeze out another bit of information that they then try to link to me as a person in some way?
So if you sit there wondering "does the app X that I'm using do that?" then the answer is yes, because everybody is doing it.
I think the larger issue is to be competitive in the app market you need to be free, and to generate revenue they have to resort to shady ways, monetizing using data or manipulating user's behavior.
I think that the business model needs to be changed starting all the way up at places like Facebook and Google. At some point these products are going to be perhaps even under our skin and if they are still 'free' and needing to resort to dirty methods to turn a profit by invading our privacy, it will just be the inevitability of the way things are now.
"researchers found 24 popular iPhone apps that were collecting location data — like Bluetooth beacons to Wi-Fi network names... and cell network names."
A point of note - finding the names of wireless routers, or cell network - requires calling private APIs, so those apps should be banned from the store on that basis alone.
No, not that I’m aware of. And I think that would be meaningless to 99.8% of users. It’s not like you can filter your searches anyway.
If people DID start thinking of it as some kind of seal of quality, unscrupulous actors would simply open source their apps and leave all the garbage in. So it would become meaningless.
Further, what does it being open source help? They could publish the app source without the tracking SDKs (especially as some of them are big enough now that you have to hassle with git-lfs even if you wanted to commit it) and then build it with the tracking SDKs before submitting to the App Store.
Other people could build these apps at a build farm and publish under a trusted vendor name like Linux distributions do. You don’t trust vim.deb from anyone, but e.g. vim.org and ftp.??.debian.org/debian have at least strictly no intent to abuse you.
The lack of any real business model besides gambling on mobile apps sends the market from professional firms like Autodesk and Adobe to solo developers overseas. They have much lower accountability which makes this entirely predictable.
It has nothing to do with where people are. Developers want money. Duh.
But the App Store has gone to “basically everything is free”. The only two ways to accomplish that for most developers are in-app purchases, which don’t work for every app, and ad/data sales.
As new people find new ways to monetize data that they can get their hands on, they’ll approach developers and that data will get sold.
Isn’t having no privacy laws great?
Of course people could just pay for high-quality apps. Sadly that train sailed. I feel like IAP made it worse.
That's not racism - as fipple mentions, there are significant differences in legal accountability. And even if there weren't, pretty sure that would be considered slight xenophobia rather than racism.
The company I work for was acquired by a Chinese giant. Recently they sent us a static lib (i.e. no source available) to include in our app for “fraud detection”. We complied.
I’ve asked, but my concerns were taken as a joke, because in the past I’ve constantly been complaining about our data collection practices. I was objecting when the marketing team pushed in the AppsFlyer SDK, then the Branch.io SDK, then the Google AdMob SDK, then the MoPub SDK, then the ComScore SDK, then the Saasquatch SDK, then the Kahuna SDK. The Facebook SDK is included too, of course.
So after all this complaining over the years, they became kinda immune to my concerns, and when the Chinese handed down their blob they merrily went on with it.
I really wish there was a reliable way to just shitlist all of these affiliate/analytics/tracking/ad SDKs device-wide. Third party SDKs sending who-knows-what to who-knows-where is such a plague in the app ecosystem, and even the developers including them seem to have no idea what the implications are.
A reasonable compromise would be to have some way of determining which apps don't do this prior to installing them, such as a paid app that does not need to rely on ads and proactively declares this in the app description. Google Play clearly labels adware and I am genuinely surprised that Apple's App Store does not.
I am happy to pay for apps that do not contain adverts or unnecessary tracking, but I have no way of obtaining this information on iOS. For Android, I can look at the store listing, try F-Droid, or scan with Exodus[0]. For iOS, I'm not aware of any user tools at all. Is this information available anywhere?
Also, we will either provide a searchable app index, or freely share findings/info with parties such as Exodus (This has not been fully decided as of yet).
I've found that my pihole seems to slow down a non-trivial number of websites. It's as if the sites are waiting for a response to something before sending the next chunk of info, and so it has to wait 20-30 seconds for a timeout before the next chunk is sent.
Any suggestions on how to fix this? I do love how pihole blocks so many trackers on all my networked devices!
It's probably because the site is trying to make an HTTPS connection and your pihole server must not have explicitly closed that port. You can resolve this by either closing that port so that a RST is sent back to the client straight away when the HTTPS attempt is made OR installing an HTTPS cert and opening up that port so that pihole can serve you its page.
I’d look at your browser’s network tab to see what’s pending and check the domain using the pihole blocklist search. I’ve had some blocklists be a little too aggressive and block things that are not really trackers or anything bad.
But you’re probably right about the sites waiting for some lib to finish. I’ve only seen it happen on news sites where their video player stalls waiting for the ad to load.
Stories like this, the Uber story, and the recent one about Google tracking location even when you opt out, are why I'm looking forward to Purism 5 with PureOS and kill switches.
How does having some kill switch solve the issue of an app that needs geolocation selling the data or otherwise using it in a way other than you intended?
Having an OS and apps I can trust to not send location data solves that problem. The kill switches ensure no roving bugs, modem AT commands, and passive tower triangulation when I'm not using the radio. Pretty simple really.
That argument is so tired. Just because there's no perfect privacy, doesn't mean you can't significantly increase it. At some point you also have to trust that the chair you're sitting on will hold you and the one that isn't visibly weak has the best chance of doing that.
Only using “app you can trust” seriously limits what you can do on your device. This might be a solution for you, but it’s really not a solution to the privacy problem, it’s duct-tape on something that needs to be fixed on a larger scale.
>A solution for a few outliers doesn’t really influence the big picture.
There's nothing stopping anyone from buying a Purism 5. If someone doesn't care about their privacy, they don't deserve it. Freedom isn't free, and all that.
> it’s going to need to know where I am to provide me the forecast
Why would you think that? I don't need to give a weather app my location. It only needs to have one or more locations of interest to me. My weather widget pulls multiple locations for me, and has no access to my location data.
Not sure what kind of strawman you're building here but there's quite a big difference between giving location to a map app that will help you if you're lost, and a weather app. Having to use location data to get weather seems like the pinnacle of laziness to me, if you don't know where you are then you have bigger problems than the weather.
>There's nothing stopping anyone from buying a Purism 5
Apart from the fact that it doesn't actually exist yet.
Not to mention it's already a badly specced phone commanding top dollar being made by a small company that could easily go broke in a year.
I'm all for what they are trying to achieve and really hope they succeed, but history is full of privacy phones that have failed spectacularly.
For half the price I could get a flagship Xiaomi, flash LineageOS on it and have a completely degoogled high quality Android phone likely supported for most of the next decade.
>Apart from the fact that it doesn't actually exist yet.
Well, sure, I'll give you that point, but it's going to happen.
>it's already a badly specced phone commanding top dollar
The selling point isn't the specs. It's the RYF certification and kill switches. Even if they can't get the RYF, it's still a better option than anything else out there.
>being made by a small company that could easily go broke in a year
I really doubt that. They have a laptop business already. They've been doing hardware for a while. This one might ship months late, but I'm confident it will happen.
>For half the price I could get a flagship Xiaomi, flash LineageOS on it and have a completely degoogled high quality Android phone likely supported for most of the next decade.
Yep, and you still have a sealed battery, a backdoored baseband, and binary blobs. The iMX.8 is pretty sweet. It has open source GPU. Can't say that for mali or powervr. I can consider making Librem 5 my convergence device.
If an app is useful and not costing you any money, you have to assume it is sharing private information with a third party. There is no business plan or strategy where giving something away keeps you in business.
There are plenty of counterexamples to that. People making small games they want to give away for free, utilities that are too small to be able to charge for, free apps that have additional features behind an IAP or subscription.
Just because an app is free doesn’t mean it has to be something incredibly scummy.
#1 source of malware on the Android ecosystem was flashlight apps. I don't disagree that there are examples of apps or code that people have written and given away for free just because, my comment was more along the lines of "companies" giving away a free app.
No, it won’t. Many of the problematic apps that exist in the App Store have “paid” versions that remove ads but probably continue to do all the other scummy stuff.
I think it’s a ratio thing. When it comes to good:scummy I’m guessing you’re more likely to end up on the good side of the scale by quite a bit for paid apps than free.
Most of the code I write for the App Store is free and open source, which I can do because I am financially supported through other means. So it's not impossible to do.
Because there's no way to get apps any other way, there's no "open-source" app store for example. Therefore they hold more responsibility in what they let in.
Anecdotal evidence I’ve heard from developers is that there are a HUGE number of people who think that Apple makes all the software for the iPhone. It’s an Apple phone, you go to Apple’s App Store, so whatever you buy is Apple software.
It’s blatantly false, but it’s out there. Just like people thinking of Google as “the Internet” because it’s the thing they see when they open their web browser. Someone recently said to me “did you know they added image search to the Internet?” because they noticed the tab in Google.
The other side of course would be the lawyers. If someone came to you and wanted to sue and you thought you had any chance in hell… would you sue the little one man operation that doesn’t have a lot of money? Or would you try and wrangle $1.07 trillion Apple into it? “They should have protected me.” Chances are Apple giving you $10,000 to go away would be far more than you could ever get out of the individual developer even with a full trial.
Apple could implement iOS-wide measures to prevent unnecessary network connections or data streams from sensors. They failed to do that. "Offending applications" exploit that incompetence Apple has displayed in recent years.