Apple Yanks Privacy App From the App Store
wiredmikey writes "Back in May of this year, Internet security firm Bitdefender launched 'Clueful,' an iOS App that helps identify potentially intrusive applications and show users what they do behind their back, and giving users an inside look at all the information app developers can gather about a user. Seems legit, right? Apple doesn't think so. Or at least they have an issue with something behind the App that sparked them to pull it from the App Store. After initially reviewing and approving the App that was released on May 22, Apple has had a change of heart and has just removed the App from the AppStore. It's unclear [why it was yanked], and Bitdefender told SecurityWeek that the company is under NDA as far as explanations for the removal. Interestingly, Bitdefender did share some data that they gathered based on Clueful's analysis of more than 65,000 iOS apps so far, including the fact that 41.4 percent of apps were shown to track a user's location unbeknownst to them."
Sounds like Apple wants to be on both sides of their 1984 commercial. Not only do they want to be on the side that "is different" while being on the side that hates freedom and privacy.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
Somebody doesn't like potential victims to watch back. Wonder if this is really a rotten Apple, a big teleco-ISP, or perhaps NSA.
That the ad library they embed is tracking the user location.
Of course, you understand this has nothing to do with privacy right? The app was pulled because it didn't conform to our freedom respecting terms & conditions.
That is, our freedom to collect all your data.
Hope to see it there soon.
It's unclear [why it was yanked], and Bitdefender told SecurityWeek that the company is under NDA as far as explanations for the removal.
But we're the tech community, dammit! We're going to assume the worst! Argh! Hate! Mbxpz! Grrr! Woof! Howl!
What kind of NDA do they have that keeps them from saying why it was pulled? (or do they have a "fight club" NDA prohibiting them from talking about the NDA?)
Does Apple make every iOS developer sign an NDA, or only the security researchers?
Something doesn't add up here.
including the fact that 41.4 percent of apps were shown to track a user's location unbeknownst to them.
Unless they're doing something shady with private APIs or the like, I don't see how this is possible considering an app has to ask permission to enable location tracking, and the user can both see which applications they've granted it to and which ones have used it in the last 24 hours by going to their general settings.
I think what they really mean is, "We have nothing to lose after having our app pulled, so let's burn bridges by pretending that users don't explicitly give permission for location tracking and saying that every app that tracks location is doing it behind the users' backs."
Also, what's up with both links in the summary going to the same article?
That's Clueful, he fights for the iUsers.
The problem with this sort of app is it is delivering information based on some probing and some guesses but has no idea what is being done with the information. Not knowing anything about Clueful I can only guess they are looking for API calls that would tend to indicate certain behaviors are present in an app.
The first caution therefore is that because an API call is present in an app there is nothing whatsoever to indicate when or how it is being used, if it is being used at all. Therefore we are talking about possibilities and potentialities, not facts.
Emphasis mine. There is no problem with this sort of application. This is exactly the reason the application exists, to inform you that you have no idea what is being done with the information.
Seems like you're either a shill, or completely missed the point that such applications and users of such applications have a desire to know more (than apparently 40% of the other applications aren't telling).
Does this mean the difference between Android malware and iOS malware is you know what information the Android malware is stealing?
The problem with this sort of app is it is delivering information based on some probing and some guesses but has no idea what is being done with the information. Not knowing anything about Clueful ...
Not knowing anything about Clueful, you spend 5 paragraphs criticising the developers of that application for presenting information that may not be 100% correct. You need to look up the definition of "irony" and do it fast, because I feel a new one is in the making.
Donate free food here
Even without the app, after I JB-ed my device and started running PMP (Protect My Privacy), and Firewall IP, two apps available from Cydia, it was an eye-opener.
I ran a news app. It connected to an insane amount of ad, behavioral targeting, monitoring, tracking, and other sites that had zilch to deal with news, and all to deal with obtaining what the user has. Eventually, I just allowed it to connect to its own sites and blacklisted everything else.
I fired up another app. It didn't just want contacts, it wanted in one's music collection, and connected to all kinds of sites, none relevant in any way to what it was doing.
Apple needs to revisit iOS's security model. Because Apple does a damn good job at stopping most stuff before it gets on the App Store, it has kept people safe for a while. However, iOS's security allows an app to do what it wants to except delete pictures once it gets installed on the device. The only time a user would get prompted is if the device was using the GPS or was going to use notifications. Other than that, it could slurp the contact list and use the phone as an outgoing spam machine.
It's a bit harsh to call them that!
I'm not at all unsympathetic, but that's what you get when you develop for a "curated" platform.
"In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
Just asking the obvious.
When all you have is a hammer, every problem starts to look like a thumb.
... however, does an app HAVE to ask permission in order to enable that functionality? Up front, I would imagine that an attempt to access a feature via API call that the info box would automatically pop up to grant permission, but can this be suppressed? And further, if it can be suppressed, can the user input be mimicked or a bit set to say "the user is ok with this"?
This is just my tin-foil hat I-haven't-programmed-anything-since-my-old-Amiga rant, but it seems like it could be plausible.
Fifty watts per channel, baby cakes.
But immediately gets modded to the max. See "rotten apple" above.
When all you have is a hammer, every problem starts to look like a thumb.
Ignorance is no excuse for sloppy programming. If you're an App Developer, it's your responsibility to make a solid and secure app.
If you cannot make your app solid and secure (i.e. by eliminating random location checks) then the users deserve to know of your incompetence.
This signature is false.
The first caution therefore is that because an API call is present in an app there is nothing whatsoever to indicate when or how it is being used, if it is being used at all. Therefore we are talking about possibilities and potentialities, not facts.
Indeed. That is why this app is a good thing. If there are API calls in there that don't have any apparent relation to the app's purported function, then the developer had better be prepared to explain exactly why that call is in there, and what it is doing with the information. If they aren't doing anything with it, then they'd still better have an extremely good reason for pulling it, not "well, we might need it for future planned features". If they need the info in the future, then they adjust their permissions requests with the user's consent before pulling the info.
Transparency, it's not just for Saran Wrap anymore. (was going to say 'windows', but the irony in that statement just almost knocked me over...)
"I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
It doesn't matter. Perhaps this tool doesn't go far enough. DTrace provides you direct insight into what's going on, and you have access to enough syscalls to actually figure out what's being done with information, too. I'd love a full DTrace on my iPhone and an app that's set up to periodically watch apps to see if they're doing anything weird. I audit software like this on my Linux and Windows systems ALL the time. I've even made basic binary instrumentation tools to automatically instrument binary libraries (imports/exports) to get more application-specific information. It's amazing to see what some applications do with your information. Unless we require software vendors to disclose every I/O action that a piece of software can possibly make (and what the purpose of such an action is) truthfully, which will never be a requirement, we need tools like this. The certainty is a non-factor. It simply shows you that an application accesses something.
For instance, if my instant messaging program is accessing my recent internet history from Internet Explorer or Chrome, I'm going to get really, REALLY skeptical that it has any business whatsoever looking at that. It doesn't matter if there's a legitimate reason for it.
Access to contacts actually requires explicit authorisation too now. In the next software release anyway.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Has anyone considered that Apple might be pulling a Siri here and acquiring it?
Not entirely. iAds can get your location without permission because it has a completely separate pre-approved entry under System Services to do it. So if the app uses iAds, it will appear to get your location without asking for it (even though only iAds has access to it).
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
all over again?
There's probably more than one write-up in Slashdot, but I couldn't find the one I was looking for
“He’s not deformed, he’s just drunk!”
Apple don't typically allow you to snoop on what other applications are doing. Applications are supposed to be sandboxed to prevent this. I would assume that there's a far more mundane reason for banning this application - that it was doing things it wasn't supposed to be doing.
Bogtha Bogtha Bogtha
"The fact that 41.4 percent of apps were shown to track a user's location unbeknownst to them."
...because iOS always asks on the first location look-up and it always shows the arrow/gps icon in the upper right. Also, you can shut off GPS app-by-app or for all in the prefs. If apps are somehow going around Apple's only way to access the GPS, they wouldn't be approved; this is impossible. Obviously, if BitDefender's app can tell that easily, Apple's screening process would detect a private API GPS call, and flag the app. A few falling through the cracks is one thing, but 41.1% is some type of sensationalism or scare-mongering (i.e. a lie). The only possibility of any truth is that "bad" apps send-out the wifi base station name or IP address and get a general location from that. They're not accessing the GPS without permission.
Gee and I thought I was the only person this paranoid. I've been using instrumentation of my systems since my Amigas.
"[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
Your completely unable to copy and paste? Guess the *tards are out in force tonight.
"[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
Your completely unable to copy and paste? Guess the *tards are out in force tonight.
*you're.
Ah, irony. Not just a method of getting creases out of clothes.
...to Cydia where sympathy for Apple's banhammer is found in the dictionary between shit and syphilis.
Chewbacon
The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
The only plausible explanation I see is that they were either hired by or are in negotiations with Apple. There is no other way Apple could force an NDA on them. The reason for pulling the app is probably the same as for pulling the original Siri app. Makes perfect sense for Apple to hire these people to help them screen apps, considering that they've both proven to be better at it than Apple themselves and that they're motivated.
I find this kind of application of the verb "to support" as wrong outside of charity as I find the use of the term "to steal" when applied to copying. I'm not supporting anyone or anything by buying a product, I am paying money IN EXCHANGE for something I want.
Regarding your last remark, don't all companies do that? Can you name a single IT company that is truly transparent about the ways in which the data that they collect about you is used? If not, then what would you suggest as an alternative? And if your alternative is to simply disconnect from the system, can't you see that such a retarded martyr mentality is giving you even less freedom than the average Joe's mentality?
Fair enough.
But I like to think of it as two farmers selling peaches off their trucks along the road. One occasionally gives his dog a hard kick in the ribs for no good reason, while the other one occasionally reaches down and scratches his dog behind the ear and says, "good dog".
It's easy for me to decide which one gets my business.
You are welcome on my lawn.