Slashdot Mirror
New iOS App Sends Users' Web Traffic Through Its Proxy Servers
New submitter spac writes "AllthingsD has an interesting story about how a startup called Wajam requires users of their service to download a script that sets up a proxy to handle all network requests for the purpose of providing 'Social Recommendations' within built-in apps. The privacy implications of using this profile script isn't clearly presented to users. Are we really to entrust our data to a company founded by a man who comes from the world of browser toolbars? And for social search?!"
The company rushes to counter privacy concerns by pointing out that their service has "received security certifications from TRUSTe, McAfee and Norton."
They already post all of their life details on Facebook anyway.
Those that do care wouldn't use this app in the first place.
This post comes with a double-your-money-back guarantee!
Any offense taken to this post is at your sole discretion.
Pay TRUSTe, et all some money and they will "certify" you. As far as I can tell all it really means is you the consumer know the company paid money to get a logo for their site/app. It's not some rigorous analysis of what is done with your data or how it is secured and seems basically worthless.
You have way more faith in users than I do. It's been shown again and again that you can make a platform as secure as you want, but if you allow a user to do something bad for them, they will do it ... even if you warn them.
The real question is, what are they doing on those servers with your traffic...
Whatever they damn well want.
And if they're not doing it now, they may do so whenever they feel like it.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
A point of technical accuracy; on iOS you could not sell an app that would alter the destination of traffic for all other apps.
Instead, they are using a configuration profile - it's the same mechanism that enables a company to configure iOS devices. The configuration profile can load in mandatory PIN use, or other settings for the phone - including a network proxy as we see here.
As you say, users will not really care... but even so I can't see them tricking many users into doing this.
Still, what happened to the curated garden that Apple is so proud of?
An app that helps singles find others in bars is booted from the App store for fear of stalking, but one that steals ALL your traffic is OK?
90% of IPhone users have no clue what the pop-ups and check boxes mean. Its just some techno-talk-gibberish that you have to click OK
in order to use you cool new app.
Sig Battery depleted. Reverting to safe mode.
What's your interest in defending Apple on this?
What's your interest in attacking Apple on this?
Okay, I'll point out one simple fact: This is not an App. If you go to the iTunes Store and search for Wajam, you find nothing. Nil, Zip, Nada. So it's not an App that Apple is implicitly saying is okay by hosting it in it's App Store.
If you want to "bash" Apple, what this is is a privacy attack vector. If I can get you to download something like this to your phone, I can set up the proxy so that a trip to, oh, bankofamerica.com will end up on a server of my choice. Great for spoofing and pretty dangerous.
Note that it doesn't automatically select the configuration--I have to do this myself. But that can be socially-engineered, so it's not like it's great protection. So Apple is not entirely blameless on this, I'll agree.