The good news is that only that last part is required if you would like to try this, now that the commonly used hostnames are published.
Folks can add the full list to a system such as Pi-Hole, and if they notice any hits for the listed servers, they can then route their device traffic through a tool such as Bettercap or Burp Suite in order to discover the offending app(s) and what information they are sending.
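The checking step described in the comment above (add the published hostnames to a Pi-Hole, then look for hits), as an added example that is not part of this thread or of the research it refers to. It assumes a dnsmasq-style Pi-hole query log; the blocklist entries and the log lines are constructed placeholders, since the published list is not reproduced here. It reports, per client device, which queries matched a listed server, so you know which device to look at more closely; it also shows the edge case where a lookalike name must not match.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed stand-ins for the published tracker hostnames (not the real list).
var blockedHosts = []string{
	"telemetry.example-sdk.invalid",
	"collector.example-monetizer.invalid",
}

// Constructed dnsmasq / Pi-hole style query log lines.
const sampleLog = `Feb 10 08:00:01 dnsmasq[812]: query[A] weather.example.com from 192.168.1.20
Feb 10 08:00:02 dnsmasq[812]: query[A] api.telemetry.example-sdk.invalid from 192.168.1.20
Feb 10 08:00:03 dnsmasq[812]: query[AAAA] collector.example-monetizer.invalid from 192.168.1.31
Feb 10 08:00:04 dnsmasq[812]: reply weather.example.com is 203.0.113.5
Feb 10 08:00:05 dnsmasq[812]: query[A] nottelemetry.example-sdk.invalid from 192.168.1.20
`

// Hit records one DNS query from a client that matched a blocklist entry.
type Hit struct {
	Client string // querying device, as logged by dnsmasq
	Query  string // name that was looked up
	Rule   string // blocklist entry it matched
}

// matchRule returns the blocklist entry that covers name, either exactly or as a
// parent domain (so api.telemetry.example-sdk.invalid matches telemetry.example-sdk.invalid),
// or "" if nothing matches. A lookalike such as nottelemetry.example-sdk.invalid does not match.
func matchRule(name string, rules []string) string {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	for _, r := range rules {
		r = strings.ToLower(r)
		if name == r || strings.HasSuffix(name, "."+r) {
			return r
		}
	}
	return ""
}

// parseQuery extracts the queried name and the client address from a dnsmasq
// "query[...] NAME from CLIENT" line; ok is false for replies and other line types.
func parseQuery(line string) (name, client string, ok bool) {
	fields := strings.Fields(line)
	for i, f := range fields {
		if strings.HasPrefix(f, "query[") && i+3 < len(fields) && fields[i+2] == "from" {
			return fields[i+1], fields[i+3], true
		}
	}
	return "", "", false
}

// FindHits scans a log and returns the blocklisted queries grouped by client device.
func FindHits(log string, rules []string) map[string][]Hit {
	hits := map[string][]Hit{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		name, client, ok := parseQuery(sc.Text())
		if !ok {
			continue
		}
		if rule := matchRule(name, rules); rule != "" {
			hits[client] = append(hits[client], Hit{Client: client, Query: name, Rule: rule})
		}
	}
	return hits
}

func main() {
	hits := FindHits(sampleLog, blockedHosts)
	clients := make([]string, 0, len(hits))
	for c := range hits {
		clients = append(clients, c)
	}
	sort.Strings(clients)
	for _, c := range clients {
		for _, h := range hits[c] {
			fmt.Printf("%s queried %s (matches %s)\n", h.Client, h.Query, h.Rule)
		}
	}
}
```

Pointed at a real `/var/log/pihole.log` instead of the embedded sample, the same `FindHits` gives you the list of devices worth inspecting with a proxy, which is the step the comment goes on to describe.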
You were involved? Why am I not surprised! Thanks for doing your part my friend.
information security research. ceo @ sudo security group (https://verify.ly).
previously: founder of "Chronic Dev Team" responsible for many years of iOS jailbreaking solutions (24kPwn, absinthe, corona, greenpois0n, etc).
Not to be a smartass (otherwise I’d have used LMGTFY for the URL), but seriously there’s a ton of info simply gathered just by searching his name.
The problem I see with that is that apps could easily start proxying the requests though their own servers.
I could also imagine ways around that. For instance their proprietary SDK could generate the data and cryptographically sign it. Or they could require that app makers set up a special subdomain that points to their IP address. I guess it would only be worth the trouble if enough people care about it.
It is a genuinely tricky challenge from their perspective.
The only app I have found this happen with is Uber:
1. You can inspect HTTPS traffic by installing a trusted MITM cert on your device - no jailbreaking necessary.
2. You can inspect the libraries provided by the owners of tracking endpoints to see what they collect and transfer.
3. Decompiling app bundles is usually pretty effective, and you can download them straight from iTunes.
Then they'll just move to pinned certs in the apps?
1b. Or you can pin the public key and ignore the certificate altogether, new certificates for the same key can be obtained as necessary.
2. The maximum certificate lifetime is currently 825 days, which, unless you're on another planet, is not "yearly".
3. If you're pinning for an application (not a generic website accessible in browsers) you don't need a certificate from the Web PKI at all, you can mint your own, ignore the lifetime rules, write Emoji in the Common Name field, use a different RSA exponent, the world is your oyster.
1b. You should not reuse private keys between certificates and never for intermediate or root.
2. It's yearly or 2 years for the most common suppliers.
3. Have fun getting your certificate accepted from every device and operating system.
Anyway. I am not saying that it can't be done, I'm saying that there are a lot of challenges to doing it properly and any mistake will make the app completely broken.
You have full control in a native iOS app over which certificates you accept or reject. Which is why the author specified that the trick would work if the endpoint is just for apps.
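To make point 1b above concrete (pin the public key, not the certificate, and renew certificates on the same key as needed), here is an added Go example; it is not code from anyone in this thread. It uses only Go's standard library to mint self-signed certificates, computes the SPKI pin (base64 of SHA-256 over the SubjectPublicKeyInfo, the form used by HPKP and by common mobile pinning libraries), and shows that a renewed certificate on the same key keeps the pin while a fresh key changes it. The hostname is made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

const host = "api.weather-app.invalid" // placeholder hostname

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)) for a certificate.
// It depends only on the public key, not on validity dates, serial or issuer.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// mintCert self-signs a certificate for key, valid for `days` from notBefore.
// Because the endpoint is app-only, nothing here needs to come from the Web PKI.
func mintCert(key *ecdsa.PrivateKey, serial int64, notBefore time.Time, days int) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PinAccepts is the client-side check: accept the presented leaf certificate only
// if its SPKI pin is one of the pins baked into the app.
func PinAccepts(pinned []string, presented *x509.Certificate) bool {
	got := SPKIPin(presented)
	for _, want := range pinned {
		if want == got {
			return true
		}
	}
	return false
}

// DemoCerts builds three certificates: the original, a renewal on the same key
// issued 80 days later, and one on a brand-new key (what a key rotation looks like).
func DemoCerts() (orig, renewed, rotated *x509.Certificate, err error) {
	now := time.Now()
	key1, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if orig, err = mintCert(key1, 1, now, 90); err != nil {
		return nil, nil, nil, err
	}
	if renewed, err = mintCert(key1, 2, now.AddDate(0, 0, 80), 90); err != nil {
		return nil, nil, nil, err
	}
	key2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if rotated, err = mintCert(key2, 3, now, 90); err != nil {
		return nil, nil, nil, err
	}
	return orig, renewed, rotated, nil
}

func main() {
	orig, renewed, rotated, err := DemoCerts()
	if err != nil {
		panic(err)
	}
	pins := []string{SPKIPin(orig)} // what ships inside the app
	fmt.Println("pin:", pins[0])
	fmt.Println("renewed cert accepted:", PinAccepts(pins, renewed)) // true
	fmt.Println("rotated key accepted:", PinAccepts(pins, rotated))  // false
}
```

In a real Go client the `PinAccepts` call belongs in `tls.Config.VerifyPeerCertificate`; the rotated-key case is why a pin set normally ships with a backup pin for the next key, otherwise the rotation bricks the app, which is the failure the comment above warns about.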
The first suspicion arises when the app uses more bandwidth if you move it a lot, compared to the app on a stationary phone. I guess researchers can emulate the "moving". And they can virtualize the clock as well. So in principle they can send the app around the world in a matter of seconds and see what the app does on the network.
I’ve only done this for apps not using certificate pinning. It gets more complicated from there.
No such thing exists
The built in Apple app is fine for basic information. There are plenty of high-quality third-party apps. Weather Line (my fav) is $2. DarkSky is $4.
Instead people go for these weird free apps covered in ads with terrible UIs. The NOAA one isn’t made by the government, seems like using that name should be some kind of copyright infringement.
Of course WeatherBug on desktops was adware/malware for a very long time. Maybe it still is.
Then you get scareware stuff like the earthquake notification app. You better let us track everything you do otherwise you might die!
There are so many good apps on the store made by good developers. It’s amazing how much better your experience is if you just avoid free apps when possible.
Of course some of these apps, like the ones that you NEED to use for certain parking meters, are especially evil because there isn't any choice. If you need that service, you’re giving up your privacy.
I wish Apple would crack down on this stuff. I imagine a lot of these apps are doing things that already violate the App Store guidelines. If they don’t, they probably SHOULD.
The main reason these apps are getting caught is because they are blatantly including the SDKs of the monetization firms in their client apps, and transparently sending data directly to the servers of those firms.
But what's to stop a weather app from just doing it server-side, so it's undetectable to third parties?
For instance, a weather app must send location data to some backend, in order to fetch weather data. That backend could send the location data to these exact same monetization firms. It would be difficult for Apple to detect and block this behavior.
Personally, I could live with some advertising if that is how it was served and it was slightly relevant.
When they want to try to track me around the web to see what technical and news sites I visit and then serve me ads for dating sites then I'll just turn on my adblock again ;-)
The reason the apps use those SDKs directly is because there's a hierarchy of resellers. The app developers themselves are lazy and typically want the SDK functionality which is provided free in return for their users' data. They're not always in the business of selling data themselves, they're just ambivalent.
Then the SDK providers abstract their own involvement in any particular app while still getting data.
Which of course makes it a direct violation of GDPR. I hope a group of European citizens take some action
That app's also interesting because they also make forecast.io, which is a great example of a modern web app being competitive with an app on most fronts other than notifications.
Yes. It cannot be emphasized enough. Go pay for apps that are good.
Full disclosure, I formerly worked with the author.
But more interestingly, there are bad paid apps. Take this paid Mac app for instance: https://gizmodo.com/top-apple-mac-app-secretly-sends-your-br...
What I’d really like to know is whether anybody has any evidence whatsoever that paid apps in these same categories don’t do exactly the same things in exactly the same percentages.
The safest assumption to make is that if you give an app permission to access information from your device that the information will be shared with a nefarious actor.
From there, if you want to get benefits from uploading your information, you can make adjustments like "Oh, I know this guy, he's been making apps for a long time and seems trustworthy." or "This is a larger company and isn't likely to be bought just to strip mine their customer data. Additionally they probably have safeguards in place to keep rogue employees from running off with it."
None of those is fail-proof, but it's all about risk.
If an app is paid, there is at least the possibility you aren’t the product. But you still might be.
I'm pretty sure copyright doesn't apply here! It's possible it's a trademark infringement? (No idea if the name or acronym are trademarked though), or possibly impersonation of a government entity? Either way, it's certainly not a copyright issue to use the name.
That includes government agencies themselves:
It’s probably fine legally. They’re showing new NOAA weather data, so calling it a “NOAA weather” or “NOAA Radar” is correct, just misleading.
"NOAA weather" as the app name implies that the direct source of the _app_ is NOAA, "Weather using NOAA data" and similar wording disambiguates and avoids trademark infringement (and/or passing off ["misappropriation"/misrepresentation in USA] - which is a very weak unregistered version of Trademark which this situation nonetheless appears to fall foul of).
The app is currently listed on Apple's Mac App Store as the company's fourth-highest "Top Paid" software program, behind Final Cut Pro, Magnet and Logic Pro X. It is also the store's No. 1 paid utility.
The app currently costs $4.99, is validly signed by Apple, and its listing on the Mac App Store is accompanied by a majority of lavishly positive five-star reviews.
That case is really odd. I read the article about it. It’s really questionable how it got that high up in the App Store, and it’s from a developer who has ripped off other peoples apps and done questionable things in the past.
It wouldn’t surprise me if the developer had used shady tactics to “buy” a lot of copies of the app to push it up the rankings so that they could start to lure in real users.
More than anything it just looks like Apple was asleep at the wheel with a sketchy developer.
Privacy policies don't need to be complicated:
"TrueWeather does not collect any personal information."
I view my dedicated home IP as personal, if not all that private, information. Does minimal logging actually require storing personal information? Is there a common, or legal definition of what personal information is?
I'm all for simple policies, but I would also rather they be accurate, and I would hate to see people who are trying to do good by having a simple policy like that end up in trouble because the law doesn't quite agree.
And yes, there is a legal definition of personal information. Since I'm based in Canada, that would be as defined by PIPEDA (the Personal Information Protection and Electronic Documents Act).
!!! You're the best. Thank you! Unfortunately not US/Can, otherwise I'd immediately switch to your app just because of that (I'd buy it anyway if it was paid, just to show support).
I wish more devs would have this approach. You don't need telemetry to create good software. You don't need to monitor what the user does with your application, when and how. You don't need to log everything, or listen in on conversations with third-party APIs. You don't have to outsource testing and QA onto your users.
Sentry does a really nice job of restricting the data which is stored, for how long, and scrubbing things which might have been included by mistake. I was just setting up an on-premise server yesterday and it’s pretty easy to configure it server-wide in a privacy-preserving manner.
Edit: just realized this comes across like bikeshedding. I do applaud and like your approach to privacy and its simplicity. It wouldn't decrease the appeal of your app at all to mention that you query the Environment Canada data, which is probably a public service and will not misuse the data itself.
I wasn't trying to insinuate your policy was wrong (I actually assumed it was likely correct, a weather app doesn't generally require much in the way of server support from anything except the weather service), but that "Privacy policies don't need to be complicated" might be a bit optimistic for a lot of apps.
The basic weather warning features are free. The whole weather app costs 1,99€.
It's been sued recently by a commercial app company (which also uses their data) for providing the service for free. So normal citizens now have to pay for it (even though they already pay for the Office through their taxes, but well... that's capitalism for you). They offer a free version for people who work for fire departments etc. though.
This is the only app I've ever paid for on an app store.
It's amazing neither iOS nor Android has a location picker/Intent that can be launched by the OS to give an app a one time location. Like the ones that exist for contacts, picking photos or sharing links.
For parking meter apps I only want to give location access when I press the "find closest parking" button, never else.
While we are on the topic, app store reviews should also be much stricter on enforcing usage of standard Intents. Many apps request full contact list, camera and full file system permission when they could use Intents for all their use cases. Maybe enforcing is a bit strict but apps not following the spirit of the OS architecture and requiring more permissions than needed should be ranked lower in app store rating and search results.
It doesn't necessarily follow that because an app is free that it has a higher probability of being malicious. If anything developers will introduce malicious code into paid apps because those types of users typically have money in their iTunes account and are more interesting / have a better list of credentials to steal than 'freeloader' type users.
A bit like calendar or to do lists, aside from the very basics, everyone wants something different. And people don’t like paying in general, but all the more so if they feel their needs are not completely met.
I remember PocketCast founder explaining they started iOS dev with a weather app for Australia because none really worked for their country.
This is also evident in all the local apps in every country. DarkSky you mention isn’t even available internationally for instance. A flurry of low quality but free and mildly niche apps seems inevitable.
I just don't see the actual need to have one installed for the vast majority of people.
Systems need weather apps/information: ships/boats, planes, etc...
Your phone does not. Nor your desktop.
There was a ship that was getting delayed weather information and it sank and people died - and so it's clearly important to track weather on ships and planes and transport that will be at risk in inclement weather.
Otherwise, look out the window, or read the weather off google.
Never install a weather app...
Also, "read the weather off google" is essentially equivalent to having a very shitty weather app, with crappy UX and which requires you to always be on-line (whereas decent weather apps will cache their forecasts).
Sadly I am too naive at reading the atmosphere to determine what the weather will be like five days from now. I have to rely on people with supercomputers for that.
I like Weather Underground's approach; their app is free-with-ad but if you run a weather station and contribute to their network then you can disable the ads for free. Flightradar 24 has a similar business model.
Chrome actually acknowledges this: "Warning: Google Chrome cannot prevent extensions from recording your browsing history. To disable this extension in incognito mode, unselect this option."
Related question: why can't we restrict the domains that Chrome extensions can read data from?
I’ve seen other people complain about this for chrome. I saw people justifying it by saying that that permission is necessary if you want to interact with the page directly (hide/show content, etc.).
Doesn’t mean the extensions are to be using it, but it may be necessary. Much like GPS data for a weather app.
Although now that I think of it, I have its location locked to my home address because I didn't feel like being tracked :) It generally works well enough within ~3km or so, and I compensate the hit in accuracy by looking at the sky and drops/splashes in puddles/windows/cars (it's much harder to judge the intensity of rain by trying to spot droplets in mid-air).
I don't need the longer term forecast quite as much to have an app for it, for that I just use a bookmark to my local news weather page.
I may be wrong about safari on Mac iOS.
For example, Vimium (which I've worked on in the past) needs access to every page so it can add its key bindings, most browser functionality so it can trigger it when the appropriate key is pressed, and history, tabs, etc. so that commands for opening these work correctly. This combination gives Vimium full permission to harvest data and send it to arbitrary URLs, open tabs to random spammy URLs, and generally invade the user's privacy in any way that an extension possibly could, if it so desired.
As an alternative, it would be nice to have some kind of data source marker (user-provided to extension, user-provided to webpage, webpage data, browser data, hardcoded data) and then flow permissions around these, so you can have permissions like:
- open tabs/make requests/load images/etc. with user-provided URLs
- open tabs/make requests/load images/etc. with URLs found in/derived from webpage URLs (in the same origin)
- open tabs/make requests/load images/etc. to URLs with a hardcoded origin
- include some kind of browser information in a request to one of the above types
- include data a user has provided to a webpage in a request to one of the above types
- include webpage data in a request to one of the above types
- inject browser data into a webpage with a specific/arbitrary URL
By separating permissions for what requests extensions can make, what data can be included in requests, what webpages they can affect, and what behaviours they can trigger, it should be very easy to see what an extension is/could be doing. Sadly, this would be very technically challenging to implement, there doesn't seem to be much appetite for it, and there's a real danger of overcomplicating the permissions model so that it becomes unusable.
Just my €0.02.
The extensions can do this. E.g. a Strava extension would on install say it has access to *.strava.com (and possibly other domains).
Oh am I? Neat!
For location in particular, we see which location collection permissions the app has, as well as indirect methods like Bluetooth and Wifi. We also see the commercial integrations, like the companies named in the article.
Please feel free to send a message at any time, even if you would just like to compare notes on all this (firstname.lastname@example.org).
The initial default will be to simply offer a button called “Protect” and the app handles all the rest.
So after all this complaining over the years, they became kinda immune to my concerns, and when the Chinese handed down their blob they merrily went on with it.
Don't have to answer, I'm just curious as it seems your morals are at odds with your company's.
I don’t want any of them, ever.
I am happy to pay for apps that do not contain adverts or unnecessary tracking, but I have no way of obtaining this information on iOS. For Android, I can look at the store listing, try F-Droid, or scan with Exodus. For iOS, I'm not aware of any user tools at all. Is this information available anywhere?
Also, we will either provide a searchable app index, or freely share findings/info with parties such as Exodus (This has not been fully decided as of yet).
Any suggestions on how to fix this? I do love how pihole blocks so many trackers on all my networked devices!
See here https://pi-hole.net/2018/02/02/why-some-pages-load-slow-when...
But you’re probably right about the sites waiting for some lib to finish. I’ve only seen it happen on news sites where their video player stalls waiting for the ad to load.
Surely this is legally actionable activity, right?
Some of these developers have:
- making misleading and knowingly false statements
- profiting from these actions
- people were fooled by these statements
The tricky part might be demonstrating ‘harm’, but at least some jurisdictions have enshrined a legal right to privacy, violation of which could be grounds for legal action.
The apps aren't even using their own bandwidth. This is a disgrace that Apple is allowing this and doesn't provide a control to monitor or stop it.
If you only want to block malware, or other more serious badness, you can opt for other servers such as Quad9 or OpenDNS.
Edit: AdGuard is also (partially?) opensource - https://github.com/AdguardTeam
Systemic problems are where everybody is acting in good faith, trying to do the right thing, yet the system overall is in a state that's unacceptable. And the harder they work at their little piece, the worse the system gets.
Governments aren't at fault. They clearly are working on enacting privacy laws. OS vendors aren't at fault. They clearly are working on making sure apps behave within some defined behaviors set by the user. Walled Gardens aren't at fault, they are working on rooting out bad actors. App makers might not be at fault. They simply might be monetizing traffic using generic services that only take what the user has already agreed to. Even the services themselves can claim to be working on solutions. After all, didn't the user approve this? And aren't the rest of the food chain approving of this kind of thing? That's the thing: certification systems, whether they mean to or not, end up being a kind of blanket approval. They passed the tests, aren't they okay?
When news breaks, the public immediately wants to find a bad actor and bash them over the head, not wanting to admit or think about the fact that the entire system is at work. So controls are tightened on one bunch and the rest of them make statements (and efforts) about trying harder.
At root is probably something simple like "Don't track user's locations. Ever." I don't know. But I know the desire to simplify the story can lead to a lot of heat and noise -- and not much progress. Any certification system that says that a particular piece of code passes some kind of test can be construed that it passes all kinds of other tests -- and you can never lock up code, no matter how hard you try. This faith in certification systems is misplaced and very well may be a multi-billion-dollar fool's errand.
And then I read in the comments that it might be virtually impossible for Apple to detect malicious/privacy breaking behavior, or consumers should go pay for apps that are good. Right.
This is indeed what we (originators of this location tracking research) do.
That said, in the future, lists will be published for folks with the ability and time to operate a Pi-Hole for themselves, if preferred.
I think maybe what's being implied is that some ISPs might sell that data...
I have no idea why Apple allows this (the whole point of making Apple maps was to stop google tracking iOS users and here a service is getting everything).
(And Android - try to find an android phone where a default always on weather widget isn't preloaded on homescreen.)
> Deep Thunder combines big data and machine-learning tools from IBM Research with The Weather Company’s global forecasting model ... the tool will help companies with critical decision making. The data will be able to show how minor changes to weather, such as temperature, might affect things like consumer buying behavior, helping retailers to adjust their supply chains and shelve stock
This is a good thing for any apps who do things right.
How are these apps getting around that?
From the article:
> Almost all require access to a user’s location data to work properly, like weather and fitness apps, but share that data often as a way to generate revenue for free-to-download apps.
Never was possible on iOS.
I don't think the researchers were the ones outed
Don't you know that also this very post will be grabbed by multiple people and companies and analysed to death by their algorithms to maybe squeeze out another bit of information that they then try to link to me as a person in some way?
So if you sit there wondering "does the app X that I'm using do that?" then the answer is yes, because everybody is doing it.
I think that the business model needs to be changed starting all the way up at places like Facebook and Google. At some point these products are going to be perhaps even under our skin and if they are still 'free' and needing to resort to dirty methods to turn a profit by invading our privacy, it will just be the inevitability of the way things are now.
A point of note - finding the names of wireless routers, or cell network - requires calling private APIs, so those apps should be banned from the store on that basis alone.
I know that is not at all a guarantee that an app would be more respectful of the user's privacy, but I'd bet that it would save a chunk of guesswork.
If people DID start thinking of it as some kind of seal of quality, unscrupulous actors would simply open source their apps and leave all the garbage in. So it would become meaningless.
Why is that kind of racism necessary at all?
It has nothing to do with where people are. Developers want money. Duh.
But the App Store has gone to “basically everything is free”. The only two ways to accomplish that for most developers are in app purchases, which don’t work for every app, and ad/data sales.
As new people find new ways to monetize data that they can get their hands on, they’ll approach developers and that data will get sold.
Isn’t having no privacy laws great?
Of course people could just pay for high-quality apps. Sadly that train sailed. I feel like IAP made it worse.
The legal issue seems like a red herring. Selling an app in the American App Store makes you subject to American law.
This is the business model of the industry. Every app is loaded with this stuff. Assume hostile behaviour.
At some level, you have to trust or decide what is tolerable for you.
A solution for a few outliers doesn’t really influence the big picture.
I am very interested in what individuals/institutions support privacy at scale.
I am aware of the EFF. Who else?
>A solution for a few outliers doesn’t really influence the big picture.
There's nothing stopping anyone from buying a Purism 5. If someone doesn't care about their privacy, they don't deserve it. Freedom isn't free, and all that.
And once I give it that permission, how does the phone/OS prevent them from selling the data that I gave them permission to have?
Why would you think that? I don't need to give a weather app my location. It only needs to have one or more locations of interest to me. My weather widget pulls multiple locations for me, and has no access to my location data.
Apart from the fact that it doesn't actually exist yet.
Not to mention it's already a badly specced phone commanding top dollar being made by a small company that could easily go broke in a year.
I'm all for what they are trying to achieve and really hope they succeed, but history is full of privacy phones that have failed spectacularly.
For half the price I could get a flagship Xiaomi, flash LineageOS on it and have a completely degoogled high quality Android phone likely supported for most of the next decade.
Well, sure, I'll give you that point, but it's going to happen.
>it's already a badly specced phone commanding top dollar
The selling point isn't the specs. It's the RYF certification and kill switches. Even if they can't get the RYF, it's still a better option than anything else out there.
>being made by a small company that could easily go broke in a year
I really doubt that. They have a laptop business already. They've been doing hardware for a while. This one might ship months late, but I'm confident it will happen.
>For half the price I could get a flagship Xiaomi, flash LineageOS on it and have a completely degoogled high quality Android phone likely supported for most of the next decade.
Yep, and you still have a sealed battery, a backdoored baseband, and binary blobs. The iMX.8 is pretty sweet. It has an open source GPU. Can't say that for Mali or PowerVR. I can consider making Librem 5 my convergence device.
A fair call, but I'm of no importance to China and am betting on lineage lasting.
Time will tell. As snarky as my comment came across, I'm entirely keen for purism to win this uphill battle, but I won't be pre-ordering.
Just because an app it’s free doesn’t mean it has to be something incredibly scummy.
I think it’s a ratio thing. When it comes to good:scummy I’m guessing you’re more likely to end up on the good side of the scale by quite a bit for paid apps than free.
It’s blatantly false, but it’s out there. Just like people thinking of Google as “the Internet” because it’s the thing they see when they open their web browser. Someone recently said to me “did you know they added image search to the Internet?” because they noticed the tab in Google.
The other side of course would be the lawyers. If someone came to you and wanted to sue and you thought you had any chance in hell… would you sue the little one man operation that doesn’t have a lot of money? Or would you try and wrangle $1.07 trillion Apple into it? “They should have protected me.” Chances are Apple giving you $10,000 to go away would be far more than you could ever get out of the individual developer even with a full trial.
Chances are Apple is going to ignore you unless 'you' are big enough to induce bad PR.