New iOS App Sends Users' Web Traffic Through Its Proxy Servers
New submitter spac writes "AllthingsD has an interesting story about how a startup called Wajam requires users of their service to download a script that sets up a proxy to handle all network requests for the purpose of providing 'Social Recommendations' within built-in apps. The privacy implications of using this profile script aren't clearly presented to users. Are we really to entrust our data to a company founded by a man who comes from the world of browser toolbars? And for social search?!"
The company rushes to counter privacy concerns by pointing out that their service has "received security certifications from TRUSTe, McAfee and Norton."
They already post all of their life details on Facebook anyway.
Those that do care wouldn't use this app in the first place.
This post comes with a double-your-money-back guarantee!
Any offense taken to this post is at your sole discretion.
Yes, there are "security certifications", but they are more of a nature that the website itself isn't doing overt Web attacks.
Completely different from foisting a proxy setup onto unsuspecting users in order to add a layer of ads and tracking.
Presenting security certifications from TRUSTe, McAfee and Norton says nothing about how they'll use personal data. It just means that they might be less susceptible to hacking (but I personally doubt it) than companies without similar certifications.
As an iOS developer, if I submitted an app to the app store that does this, I'm certain it would be rejected for not meeting Apple's guidelines. Makes me wonder who had to be friends with who to get this greenlighted.
Pay TRUSTe, et al. some money and they will "certify" you. As far as I can tell all it really means is you the consumer know the company paid money to get a logo for their site/app. It's not some rigorous analysis of what is done with your data or how it is secured and seems basically worthless.
After all, it was downloaded from Apple's walled garden. Isn't the entire raison d'etre for that that Apple's intense scrutiny of all apps presented means that users don't have to think when they're installing software? They can just assume it's all safe, and rely on Apple's checking to keep them secure. That's what Apple fans tell me anyway, when they relate how superior iTunes is to Google's service.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
Those that do care wouldn't use this app in the first place.
A point of technical accuracy; on iOS you could not sell an app that would alter the destination of traffic for all other apps.
Instead, they are using a configuration profile - it's the same mechanism that enables a company to configure iOS devices. The configuration profile can load in mandatory PIN use, or other settings for the phone - including a network proxy as we see here.
As you say, users will not really care... but even so I can't see them tricking many users into doing this.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
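Added example, not part of the thread and not Wajam's actual profile: a small Python audit that parses a configuration profile before it is installed and lists any proxy-related settings in its payloads. It assumes an unsigned XML `.mobileconfig`; the embedded sample, its SSID and its proxy host are constructed placeholders, and the function names are hypothetical.

```python
import plistlib

# Constructed sample profile (not Wajam's): one passcode payload and one
# Wi-Fi payload that sets a manual proxy. SSID and host are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Example Social Search</string>
  <key>PayloadContent</key><array>
    <dict><key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>forcePIN</key><true/></dict>
    <dict><key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>ExampleNet</string>
      <key>ProxyType</key><string>Manual</string>
      <key>ProxyServer</key><string>proxy.example.invalid</string>
      <key>ProxyServerPort</key><integer>8080</integer></dict>
  </array>
</dict></plist>"""


def _walk(node, path=""):
    """Yield (key_path, value) for every leaf in nested dicts and lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, node


def find_proxy_settings(profile_bytes):
    """Return [(payload_type, key_path, value)] for proxy-related keys."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "?")
        for key_path, value in _walk(payload):
            # Match on the leaf key name so nested proxy dicts are caught too.
            leaf = key_path.rsplit("/", 1)[-1].lower()
            if "proxy" in leaf and value not in ("", "None", None):
                findings.append((ptype, key_path, value))
    return findings


if __name__ == "__main__":
    for finding in find_proxy_settings(SAMPLE_PROFILE):
        print(finding)
```

A signed profile is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can read it.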
How is this an iOS app? It's also available as an extension for Chrome, Firefox and IE.
The summary is wrong.
There is no app on iOS, and in fact no way to do this on iOS through an app. The 'script' is for fully fledged desktops. On iOS they have instructions for how to set up Wajam as your proxy.
This is pretty basic stuff. iOS slandering at its best.
Well, since we're already on the Security != Privacy train, I just thought I'd call attention to the pachyderm in the room.
...My grandma's computer was fine while she had scareware and a few rootkits installed. So I told her to stop her whining.
Makes me wonder who had to be friends with who to get this greenlighted.
There was no need to be friends with anyone. I put in a longer post about this elsewhere, but it's not an app that does this but a configuration file that tells the phone to use their server as a proxy.
It's quite easy to build your own iPhone configuration files, anyone can download the iPhone Configuration Utility (They even have a Windows version) to build one. The trick is getting people to install the configuration...
But between building a config and applying to a device, Apple is never involved.
A configuration profile was also a way you could enable tethering at first when AT&T blocked it initially, though Apple/AT&T did fix that eventually...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Wouldn't it be terrible if someone published the details of the proxy connections, and it started getting hammered by thousands of slashdotters?
After all, it was downloaded from Apple's walled garden.
Actually no.
It's amazing how just about every single poster is assuming this was an app.
In fact you could not even build an app like this that would come from the App Store. Not only would Apple not allow it, but technically no app can affect the network traffic of another app unless you jailbreak the phone.
This is simply a configuration profile that users download directly from the company and install themselves. Read my other posts giving more detail.
Are you against people being able to install custom configuration profiles? I have used one myself to route traffic from my phone to a debugging HTTP proxy, very handy...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Three words: "Clinically Studied Ingredient"
"There is more worth loving than we have strength to love." - Brian Jay Stanley
It has been a while, but I've seen some logos that basically say "This site is certified by us... and reserve the right to hand over every stray bit to any third party they please".
Certified, yes. Does this mean actual protection of the consumer? I'd read into it more closely.
Realistically, the only certifications I'd take seriously would be NIST controls, PCI/DSS2 or something similar that not just allows a company to stick pretty colored logos, but actually have the logos mean something other than paying some cash to a firm for a green bar on the Web browser instead of a white bar.
What would be nice is an accrediting agency that is just plain brutal in enforcement. In return for a logo (with stiff penalties for using the logo incorrectly), the firm would have to be subject to audits, conform to data retention guidelines, have a baseline of security procedures/policies, and so on. If a firm is not keeping their end of the bargain, the logo gets pulled.
We have that with colleges and universities that if it is accredited, one is assured of a certain education level. Why not a security standard that actually means something and has teeth?
I wonder if consumers would really care though. People reading this on /. might, but Joe Sixpack might not if the service was trendy enough. In fact, I've encountered a number of people who just don't care who spies on them 24/7, provided they get their freebie.
Long-term, things might boil down to having a web of trust infrastructure tied to domain names, with people giving up/down recommendations having various reputations (that way, some bought shill can't trash the entire system with a CAPTCHA breaker and some good script-fu.) That way, if someone reliable pointed out that a site wants to install a proxy in order to use it, other people would see it and be leery, while a shill saying that something is 100% happyland is completely ignored.
Problem is that there are no immediate consequences to info being spread around to the 4 winds. I remember in the past, when MS-DOS viruses started zapping BIOSes or trying to fry older multisync monitors with bogus resolutions, that even the most brain-dead users started doing basic computer sanitation.
It isn't an app.
Apparently the submitter and the editor both failed to actually RTFA.
So what happens to their proxy site when all Slashdotters decide to use it all at once for all their iPhone web traffic from now until forever? Sure, they say it's based on Amazon's web services, but what happens when they can't afford to pay Amazon for the bill when 1,000,000 iPhone users indiscriminately use it for all their http communications...
These ideas work well if they are implemented at a small scale or at a network level where all users are physically or at least network-level co-located, but they don't scale arbitrarily well. Amazon won't foot the bill for their bandwidth, and who generates the revenue then? It's a nice idea, but the implementation requires too big of an internet footprint as a service. You don't want all the traffic, just relevant traffic -- plenty of online video games, for example use http / https to connect to their services, and now you redirect these. Want to watch a youtube video? How does that work through this proxy? How about facetime?
If only there was a way for them to embed their proxy filter into the iPhone OS itself they'd have something that would work without this mega hack. Did it say if and how they work around https searches on Google?
It isn't an app. Apparently the submitter and the editor both failed to actually RTFA.
What, and you did?
Phukin' fanboi...
lolz
An enigma, wrapped in a riddle, shrouded in bacon and cheese
The company rushed to point out that security certifications from TRUSTe, McAfee and Norton are worthless in this situation.
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
After the Real Networks unethical privacy violation, TRUSTe clarified that the TRUSTe certification only extends to actions taken directly by the website the TRUSTe seal is provided on. Even if an application authored by the same company maintaining the website and available for download from the website does not follow the privacy statement, the actions of the application are only *indirectly* related to the website and are not covered.
Based on the TRUSTe clarification, the Wajam proxy service is technically different than the website and not actually covered by TRUSTe certification. Hence, Wajam is just using the TRUSTe seal to mislead customers.
I have those same certifications. It doesn't mean anything other than him having paid a few dollars.
Mind you, they do actually test some things, but after bitching about false positives the test results were ignored and I was certified.
The Opera Mini Browser does that - send all mobile user web traffic through their proxy servers. By doing that, they can reduce by a large factor the amount of data sent over the wire to/from the phone, hence reducing significantly (up to 80%) the amount of data used by the phone for web browsing. Nokia's mobile phone browser does that also. This results in lower costs for users by reducing the probability that they will exceed their data plan caps.
FWIW, I do performance engineering for the mobile browser division of one of those two companies. We do a lot to protect user information including data compression, encryption, etc. In fact, most of the data returning to the phone are simply paint instructions (compressed and encrypted) so that even if someone were to intercept the in-bound traffic, it would not mean much to them.
This is not an App. It is a "profile", and has more in common with a .reg file for Windows than it does an Application. An important distinction, because there is no approval process for profiles. (Imagine as a corporation having to have your configuration profiles approved? Obviously unacceptable.) You can read more about profiles here - http://developer.apple.com/library/ios/#featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html
CEASE THE LIES APPLE HATERS. THE TRUTH SHALL FREE YOU.
P.S. The Linux desktop experience has been downhill for the last 4 years. (And I have been using Linux since kernel 1.2.13.)
What's your interest in defending Apple on this?
My interest is in people getting technical facts right.
The fact is that Apple has no control over people making and distributing these profiles. That is simple fact; there is no App involved, another fact.
In FACT I even stated that I thought Apple at some point might have to put some additional controls around installing profiles so naive users cannot do so easily. That's not defending Apple, that's saying they have an issue they may want to address if rogue profiles become a problem.
Nothing however will stop novice users from going into settings and manually entering a proxy, which you can also do. That is such a basic requirement of networking you cannot remove it as an option from smartphones.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Sorry about blowing the tags in the last post. Hope you can parse it OK.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
"Are we really to entrust our data to a company founded by a man who comes from the world of browser toolbars?"
:)
Why, you trust your data to random apps developed by random people, and suddenly this one poked your eye because the guy made browser bars? Now at least you know he's getting the data, not with some other crap which just uses it, leaks it, etc. Also, if you know what this app does, and you don't agree with it, instead of not using it, you start complaining about it. Yeah, nice
I'd never use such an app, or any other app that I know wants any data I don't want to share. But then I just don't use it, and move along, geez.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Martin-Luc Archambault is the same person who owned companies that did outright browser hijacking inserting search results into major search engine search pages via DOM modification.
Their business model was turning a blind eye to shady folks doing drive-by installation of their 'toolbar' via malware and viruses. Just google 'CDT Inc.' and 'blazefind'. They made millions before selling the company...
Truly, these folks are completely without scruples continuing to try to exploit systems with these types of underhanded techniques.