Archive for Privacy

Popular iPhone Apps Secretly Record Your Screen for Analytics Purposes….. With No Way To Detect That It Is Happening

Posted in Commentary on February 7, 2019 by itnerd

A rather scary report from TechCrunch details that popular iPhone apps may be secretly recording your screen for analytics purposes. As in, they capture detailed data like taps, swipes, and even screen recordings without your knowledge. These apps use an API (application programming interface) called Glassbox to do this and details on what they do can be found here. Apps that are known to do this include:

  • Abercrombie & Fitch
  • Hotels.com
  • Air Canada
  • Hollister
  • Expedia
  • Singapore Airlines

So if you have any of those apps on your phone, I’d be wondering if they should stay on your phone. That’s because in the case of the Air Canada app, it doesn’t properly mask data that’s recorded. Which means it is exposing information like passport numbers and credit card information. Which makes this a good time to point out that Air Canada was recently pwned by hackers with their app being the source of the pwnage of passport data among other types of data. So clearly the fact that a company could record your screen secretly has huge ramifications.

What makes this worse is that all of the apps have a privacy policy, but not one makes it clear that they’re recording a user’s screen. Not only that, iOS doesn’t alert you that this is going on with a dialog box that states an app wants control of the screen. Which means if this had not hit the news, nobody would ever know this was going on. But now that this is out there, you can expect a lot of people to start asking questions. And that will likely include Apple as I am going to go out on a limb and say that they’re going to look at what Glassbox does and come up with countermeasures to it. In the meantime, these guys aren’t the only ones doing this:

Glassbox is one of many session replay services on the market. Appsee actively markets its “user recording” technology that lets developers “see your app through your user’s eyes,” while UXCam says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events.” Most went under the radar until Mixpanel sparked anger for mistakenly harvesting passwords after masking safeguards failed.

It’s not an industry that’s likely to go away any time soon — companies rely on this kind of session replay data to understand why things break, which can be costly in high-revenue situations.

Thus, consider yourself warned. And hopefully someone comes up with a way to identify apps that use this tech so that I can punt them off my phone forever.

UPDATE: Here’s a video that shows what the Air Canada app records:

2.2 billion Unique Account Details Dumped On Torrent Sites Which Makes The Biggest Breach EVER Even Bigger

Posted in Commentary on February 1, 2019 by itnerd

Remember when that massive breach happened a little while ago where 773 million records were exposed? Though it later turned out that this breach was out there for a while, it was still huge. It just got bigger as Wired is reporting that even more records are now out there. 2.2 Billion unique records to be precise:

“This is the biggest collection of breaches we’ve ever seen,” says Chris Rouland, a cybersecurity researcher and founder of the IoT security firm Phosphorus.io, who pulled Collections #1–5 in recent days from torrented files.

Much of the stolen information stems from prior breaches of Yahoo, LinkedIn, and Dropbox. But it has just now surfaced with these massive dumps. That’s very very scary. And you need to ensure that you’re not part of that. There are two places that you need to go to ensure that you’re safe:

Happy Friday!

Australia Passes A New Encryption Law That Qualifies As The Worst Idea Ever

Posted in Commentary on December 7, 2018 by itnerd

Australia has passed a new encryption law which the folks down under claim is essential for national security and an important part of law enforcement efforts in fighting terrorism. Essentially, the legislation allows for law enforcement and select government agencies to ask for three different levels of assistance from technology companies in accessing encrypted messages. CNET details those three levels:

  • Technical assistance request: A notice to provide “voluntary assistance” to law enforcement for “safeguarding of national security and the enforcement of the law.”
  • Technical assistance notice: A notice requiring tech companies to offer decryption “they are already capable of providing that is reasonable, proportionate, practicable and technically feasible” where the company already has the “existing means” to decrypt communications (e.g. where messages aren’t end-to-end encrypted).
  • Technical capability notice: A notice issued by the attorney general, requiring tech companies to “build a new capability” to decrypt communications for law enforcement. The bill stipulates this can’t include capabilities that “remove electronic protection, such as encryption.”

This is the dumbest idea ever on a number of levels. First, it sets a dangerous precedent that other countries might be stupid enough to follow. Second, there is almost zero chance that an Apple or Google will willingly go along with this. Finally, you have to trust Australia can keep secrets as what they want is a backdoor. The problem with that is that no government in the history of the universe can keep a secret and you can bet that whatever backdoor access they want will either fall into the wrong hands or get used for something that it was never intended for. That of course is bad.

Australia seriously needs to rethink this because they’re really out to lunch here.

Smartphone Users Might Want To Take Note Of These Legal Related News Items

Posted in Commentary on October 1, 2018 by itnerd

There’s a pair of legal related news items that relate to smartphone users that piqued my interest, and it should pique your interest as well. Let’s start with one aimed at Apple iPhone X users. In what may be a first, the FBI has “forced” a suspect to unlock his iPhone X using Face ID:

Agents in Columbus, Ohio entered the home of 28-year-old Grant Michalski, who was suspected of child abuse, according to court documents spotted by Forbes. With a search warrant in hand, they forced him to put his face on front of the device to unlock it. They were then able to freely search for his photos, chats and any other potential evidence. The FBI started investigating Michalski after discovering his ad on Craigslist titled “taboo.” Later, they discovered emails in which he discussed incest and sex with minors with another defendant, William Weekly.

Once you get past the creep factor, let’s just consider this. This really isn’t any different than cops “forcing” (I put the quotes in as the FBI got a warrant to do this) someone to unlock their phone via a fingerprint. Thus one could argue that there is nothing new here. But it is worth noting if you have Apple’s coolest phone in your possession when the cops pay you a visit.

The next piece of legal news comes from New Zealand where travelers who refuse to hand over their phone or laptop passwords to Customs officials can now be slapped with a $5000 fine:

The Customs and Excise Act 2018 — which comes into effect today — sets guidelines around how Customs can carry out “digital strip-searches.” Previously, Customs could stop anyone at the border and demand to see their electronic devices. However, the law did not specify that people had to also provide a password. The updated law makes clear that travelers must provide access — whether that be a password, pin-code or fingerprint — but officials would need to have a reasonable suspicion of wrongdoing. “It is a file-by-file [search] on your phone. We’re not going into ‘the cloud.’ We’ll examine your phone while it’s on flight mode,” Customs spokesperson Terry Brown said. If people refused to comply, they could be fined up to $5000 and their device would be seized and forensically searched. Mr Brown said the law struck the “delicate balance” between a person’s right to privacy and Customs’ law enforcement responsibilities. “I personally have an e-device and it maintains all my records — banking data, et cetera, et cetera — so we understand the importance and significance of it.”

Now I’ve written about New Zealand before on a similar topic. Thus this doesn’t shock me. And realistically customs in any country can demand to poke around your suitcase, frisk you or whatever as long as they have reasonable grounds….. Assuming of course you’re going to someplace where that applies. If you’re going to some repressive backwater where due process doesn’t exist then it sucks to be you. But I digress. Assuming that due process is being followed, then this isn’t a big deal as they searched roughly 540 electronic devices at New Zealand airports in 2017. You have to imagine that there are millions of travellers that go to that country which makes that number a drop in the bucket. However, if New Zealand uses this to go “hog wild” to search anything and everything they can get their hands on, that’s a problem. Hopefully someone is keeping an eye on this to see what happens next.

If You Get Your Email Via Oath, They May Be Trolling The Contents Of Your Email To Sell To Advertisers

Posted in Commentary on August 29, 2018 by itnerd

There’s a story (assuming that you can get past the paywall) in the Wall Street Journal that Oath scanned millions of Yahoo/AOL mailboxes for things like receipts, invoices, loan agreements and such which they can then use for customer profiling purposes. Of course then those profiles get sold to advertisers so that Oath can make money. And Oath isn’t apologizing for this. Doug Sharp, VP, Data, Measurement & Insights at Oath had this to say:

Email is an expensive system, I think it’s reasonable and ethical to expect the ‘value exchange,’ if you’ve got this mail service and there is advertising going on.

Translation: If you’re not paying for the service, you are the product.

Now, frequent readers may be saying “Wait…. That sounds familiar.” And it should. This was the chief reason that Canadian telco Rogers faced an epic backlash earlier this year when the terms of service changed for Rogers customers to allow Oath who serves up email for Rogers to scan the inboxes of those who used Rogers e-mail addresses. Now while this blowback was addressed in Canada (Mostly… The Privacy Commissioner of Canada is still looking into this and a further smackdown may yet be inbound), the rest of the world now has to deal with this. That’s why when this issue flared up in Canada, I offered up this option and this option in terms of email providers that don’t demand that you become the product. Thus if this whole idea of Oath reading your email bothers you, and you don’t want to be bothered with turning off the scanning on the relevant AOL or Yahoo Privacy pages, you can go elsewhere and deprive Oath of some money.

Polar Exposed Locations of Spies and Military Personnel…. Oops

Posted in Commentary on July 9, 2018 by itnerd

Polar is a company that makes fitness gear like fitness trackers, heart rate monitors and the like. They also make an app that allows you to compile the data from their gear called Polar Flow. But Polar Flow has one extra “feature” that is likely to make a lot of people nervous right now: the location data of people such as spies and military personnel was accidentally exposed to the planet. Here’s the details:

For most users who set their activity tracking records to public, posting their workouts on Polar’s so-called Explore map is a feature and not a privacy issue. But even with profiles set to private, a user’s fitness activity can reveal where a person lives.

An exposed location of anyone working at a government or military installation can quickly become a national security risk.

Well, that’s an oops moment. This is pretty similar to what happened to Strava not too long ago. And it’s not just GPS info. It’s info that could also allow someone to identify you. Which of course isn’t good. After the company was told about this, the company took the relevant functionality off line. Then they put out this statement…. Which was kind of strange to me when I first read it:

In a statement sent by Polar chief strategy officer Marco Suvilaakso, the company said it “recently learned that public location data shared by customers via the Explore feature in Flow could provide insight into potentially sensitive locations.”

The company denied a leak or a breach of its systems.

“Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case,” said the statement. “While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API.”

Well, if this isn’t a leak of some sort, I don’t know what qualifies. Thus this is a strange response from the company.

This is the bottom line that you have to keep in mind when you use these sorts of apps. They collect a ton of data on you. Thus you have to be 100% comfortable with the fact that this data could get exposed at some point and someone could learn a lot about you.

#PSA: Do You Have A Browser Extension Called Stylish Installed In Chrome Or Firefox? Uninstall It NOW!

Posted in Commentary on July 5, 2018 by itnerd

There’s a popular extension called Stylish which was once a great way to remove annoying features from websites—trending topics on Facebook, say, or that annoying bar that follows you as you scroll on Medium. To do this Stylish, the browser extension, needs access to every website you visit. But it also trolls and steals your browser history. In short, it’s spyware. And here’s what Robert Heaton has to say about it on his personal blog:

Unfortunately, since January 2017, Stylish has been augmented with bonus spyware that records every single website that I and its 2 million other users visit. Stylish sends our complete browsing activity back to its servers, together with a unique identifier. This allows its new owner, SimilarWeb, to connect all of an individual’s actions into a single profile. And for users like me who have created a Stylish account on userstyles.org, this unique identifier can easily be linked to a login cookie. This means that not only does SimilarWeb own a copy of our complete browsing histories, they also own enough other data to theoretically tie these histories to email addresses and real-world identities.

As a result, Firefox has taken steps to ban the extension from its addons site and prompt all users to disable it. Google has done the same thing. Now the data that this addon shares is anonymized, but that’s still scary.

I try not to use browser add-ons as I am always afraid of this sort of thing happening. Now it looks like my paranoia isn’t paranoia after all.