The investigation into ToTok (objective-see.com)
106 points by DyslexicAtheist on Dec 25, 2019 | 36 comments



This paradigm of apps demanding access to your entire contacts list must end. I should be able to choose individual contacts to add to any given app.


I think it's high time the host OS takes responsibility for the privacy of sensitive things, such as contact lists and personal data.

One way could be to not return any identifiable information about others at all, but just a hash of each contact. (Kudos points if the host OS returns a different hash for the same contact in different apps.) If that contact is known to the app (because they've also installed it), then the app has all the information it needs to set up contact between two parties. The host OS will probably need to provide a way to render a contact list for the app.

I'd be much happier with this arrangement. This way my personal data isn't uploaded to third parties simply because an acquaintance of mine wants to install some rubbish app. Only if I install the same (rubbish) app will that third party finally get my personal info.

The host OS should also give me the power to determine what personal info is given to any app. For instance, why did WhatsApp ever need my personal phone number while creating an account? It doesn't, and as such, this should be regarded as an antitrust requirement.
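The per-app contact hashing sketched in the comment above, worked through as an added example (this is not code from the thread, from ToTok, or from any platform). It assumes the platform holds one secret shared across all its devices (so tokens from different users are comparable), derives a separate key per app ID from it, and uses HMAC-SHA256 as the hash; app IDs, names, numbers and the secret are all constructed for the example.

```python
"""Added example: the host OS hands an app opaque per-app tokens for
contacts instead of names and numbers. Two apps get different tokens for
the same person, and contact discovery still works by comparing tokens.
Every name, number, app ID and secret here is constructed, not real."""
import hashlib
import hmac
import re
from typing import Dict, List, Set

# Assumed platform-held secret: the same on every device of the platform so
# that tokens computed on different users' phones match. Apps never see it.
PLATFORM_SECRET = b"constructed-platform-secret-for-the-example"


def normalize_phone(raw: str, default_country_code: str = "1") -> str:
    """Canonicalise a number so the same person always hashes identically.
    Simplified E.164-style rule: '+' or '00' prefix means international,
    anything else gets the default country code prepended."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("00"):
        return "+" + digits[2:]
    return "+" + default_country_code + digits.lstrip("0")


def app_key(app_id: str) -> bytes:
    """Per-app key derived by the OS; the app itself never receives it,
    which is what makes tokens from different apps unlinkable."""
    return hmac.new(PLATFORM_SECRET, app_id.encode(), hashlib.sha256).digest()


def contact_token(app_id: str, phone: str) -> str:
    """Opaque token the OS returns to app_id for one contact."""
    msg = normalize_phone(phone).encode()
    return hmac.new(app_key(app_id), msg, hashlib.sha256).hexdigest()


def tokens_for_app(app_id: str, contacts: Dict[str, str]) -> Dict[str, str]:
    """Token -> display name. The OS keeps this mapping for rendering the
    app's contact list; the app only ever sees the keys."""
    return {contact_token(app_id, phone): name for name, phone in contacts.items()}


def discover_mutual(app_id: str, device_contacts: Dict[str, str],
                    registered_tokens: Set[str]) -> List[str]:
    """Contact discovery under this model: the app uploads only tokens, its
    server intersects them with tokens of registered users, and the OS maps
    the matches back to names locally. Returns the matched display names."""
    local = tokens_for_app(app_id, device_contacts)
    uploaded = set(local)                    # all the app's server receives
    matched = uploaded & registered_tokens   # server-side intersection
    return sorted(local[t] for t in matched)


# Constructed sample data: Alice's address book, in mixed formats.
ALICE_CONTACTS = {
    "Bob": "+1 415 555 0100",
    "Carol": "(415) 555-0101",
    "Dave": "+44 20 7946 0000",
}
# Bob and Dave registered with the constructed app "chat.example"; each of
# their own devices computed their token at sign-up.
CHAT_USERS = {
    contact_token("chat.example", "+14155550100"),
    contact_token("chat.example", "+442079460000"),
}

if __name__ == "__main__":
    print(discover_mutual("chat.example", ALICE_CONTACTS, CHAT_USERS))
    # Same person, different app: the tokens do not match.
    print(contact_token("chat.example", "+14155550100")
          != contact_token("game.example", "+14155550100"))
```

The caveat a defender should keep in mind: phone numbers are a small input space, so whoever holds the per-app key can still enumerate them. The scheme removes the app (and its SDKs) from that position, not the platform, and it only holds if the OS never offers apps a "token for an arbitrary number" call.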


You mean like BlackBerry 10? The Android module would return privacy data to the apps back in 2013... I guess it wasn't that important, because no one bought it.


The only actual solution to this is legal, not technical.


If only all my lawmakers weren't busy in flamewars with bots on Twitter, we could maybe get this done!


Or mass education so the public knows who to deal with and who not to. Let the evildoers starve.


At least on iOS Apple has an easy solution: just allow users to configure user groups per app! Then the user can create a WhatsApp group in contacts which may be empty or just a few entries.

But oddly enough Apple does not consider full-blown access to the contacts list as needing any kind of privacy settings.

Just as it doesn't consider per-app internet access as needing any privacy settings. I know for sure the flashlight-level app would need an 'always offline' toggle.


> At least on iOS Apple has an easy solution: just allow users to configure user groups per app!

That's such a simple and innovative solution - just allow groups in Contacts, and let apps access only the specific groups we allow.


As well as access to the whole internet. I'd like to grant access to one domain, that I can match with the company that makes the app, and that's it!


This is an underrated comment.

And it will fix all the ads/analytics/private information leaked by the app to all the other SDKs it uses.


Same with accessing all photos just to save or retrieve one photo.


I would hesitate to call it a feature. Realistically, nobody that I know would consider "analyzing my contacts to automatically suggest potential connections" an important or even productive feature. Certainly, nobody is switching to ToTok because of it. It is only a feature from the perspective of the platform holders; for a company like Facebook it is used to increase engagement (and thus ad revenue), and for ToTok it (allegedly) is used for surveillance.


The reason why WhatsApp became popular was exactly because it piggybacked on the phone contacts to build a network (using the user's phone number as account id) which made it as easy to use as SMS. The only requirement was to install the app.

Of course the same does not apply for example to LinkedIn or Facebook.


The feature is more "See which of my contacts already have this app installed" which makes it much more useful to consumers.


In Europe any app that just reads your contact list and sends it to a remote server is in violation of GDPR. Companies write in their privacy policies "you guarantee that all of your contacts have agreed that you send their personal data to us", which is completely bonkers.


I rarely give out access to my contact list anymore, but I do wonder whether there is any safe way to actually do what the original feature intended.

I'm new to a game. I'd like to play with my friends without having to individually contact every single one of them and ask them if they also play the game.


I wonder if Game Center has (had?) something that would work here.


Analyzing iOS applications is not the most trivial process, as said applications are distributed (via the iOS App Store) in an encrypted format.

I've not done much with mobile but have RE'd a bunch on the PC, and there an application which attempts to obfuscate its code in any way (e.g. classic case being a packed EXE) already warrants suspicion. At least there I always have the ability to open a file in a hex editor or even debugger for further inspection. IMHO this locked-down nature of platforms that makes it difficult for you to analyse the behaviour of the device which you ostensibly own is a huge obstacle to freedom and privacy in general. Ditto for all the other stuff like IoT which often communicates without your knowledge (and the traffic is encrypted, again ostensibly for protection on the Internet --- which it does do --- but with no way to inspect it locally).

It's true that not everyone has the skills to inspect, and that's a classic excuse for locking it down; but by making it harder to even get started and restricting that to "approved" people, there's even fewer motivated to try. The nature of Apple's platform is already disturbingly close to the situation in Stallman's classic story over 20 years ago: https://www.gnu.org/philosophy/right-to-read.en.html


Huh? That doesn't sound like you've done much RE at all. On PC, contrary to their Mac counterparts, virtually all shareware was PE-protected, from simple UPX, which was often used just to compress the executables, to more sophisticated polymorphic code with import obfuscation.

I've been out of the domain for a while but pretty much all shareware licensing was doing interesting things. It was more or less an arms race and a pretty fun one on top of that.

IoT which communicates without your knowledge is one thing, but IoT that used alternative encryption because e.g. stock Bluetooth was easily sniffable is another. You don't want anyone to be able to just sniff your health monitoring data.


Would be nicer of you to add "or we've been RE'ing different stuff" to your "doesn't sound like you've done much RE at all".


There needs to be serious scrutiny of the amount of network traffic that an app can have on iOS/Android. For applications such as WhatsApp/TikTok/Snapchat, etc., there needs to be a new controller/view for accessing private information such as the address book. This view will allow the user to see all of the contacts and select one to call; only then does the app have access to that particular contact. Simply allowing full access to the address book is reckless. The ability to screenshot should also be completely disabled. Any other ideas?

It is just a normal thing to accept access to Contacts or Photos, and all of a sudden, all of your data is being siphoned off.

The more I see this kind of stuff, the more terrified I am about the future. Data doesn't just erode away. 40 years later, it is going to bite us.


> For applications such as WhatsApp/TikTok/Snapchat, etc., there needs to be a new controller/view for accessing private information such as the address book. This view will allow the user to see all of the contacts and select one to call, only then the app has access to that particular contact.

This is what Android already does. Without any special permission, an app can ask the user to choose a contact, a photo, a freshly snapped image from the camera, or various other things, and the app gets access to what the user explicitly gives it.

That is what almost every app should do.


iOS has a similar thing for photos, but apps don’t use it. (The reason that the “give us your entire photo album” API exists is ostensibly so you can show it using your own UI. The number of apps that abuse this reason is very high, including some that absolutely should know better, as in, they’re marketed towards privacy-conscious users.)


Apps will probably just demand access to the whole contact list to continue. Apple does have a realistic chance of at least reducing this via app store guidelines, though I doubt it would succeed on Android.


The points at the end are nice but it does make me wonder if there was something more to the intelligence community's conclusions about ToTok.

It's terrifying to think just how fast some countries are moving toward full control of the internet and communication means for their citizens. From internet blackouts to intranets (just saw a BBC article on it [0]), it seems like the hot new thing for regimes is to take control of the internet because it's where people go for information.

[0] https://www.bbc.com/news/technology-50902496


Welcome to the Balkanization of the internet.

As much as internet Jedi like a free/secure internet, the forces of the Empires (governments of ru, UAE, cn, US, UK, EU, etc.) are striking back.

It is not "some" countries. It is "all" countries - they all feel the power/needs to monitor, control the internet.


I copied and pasted the contents of this into a text editor so I could read it.

The font sizes and colors in this article are all over the place.


Luckily, Reader View makes quick work of it.


I always forget that thing. Thanks


Please do the same analysis on Whatsapp/Messenger/Instagram and any google app.


ToTok is quoting this article to proclaim their innocence.

https://totok.ai/news-dec24


TL;DR: the app does nothing out of the ordinary for a messaging app, which is why it’s so nefarious. It uploads contact information and location data…but after asking the user’s permission for seemingly legitimate reasons. The danger is that it’s hard to know what they’re doing with the uploaded data.


Yes; the difference between it and, say, WhatsApp, is that we trust Facebook to do nothing particularly evil with our contact list... Or do we?


I think the difference is that evil American companies are more acceptable than evil Chinese companies.


ToTok and TikTok are two different apps. ToTok is used in the UAE where Whatsapp and others are banned.


Where is the Edward Snowden that worked on this app?



