New iOS App Sends Users' Web Traffic Through Its Proxy Servers

← Back to Stories (view on slashdot.org)

New iOS App Sends Users' Web Traffic Through Its Proxy Servers

Posted by Soulskill on Wednesday August 29, 2012 @10:06AM from the you-can-trust-us dept.

New submitter spac writes "AllthingsD has an interesting story about how a startup called Wajam requires users of their service to download a script that sets up a proxy to handle all network requests for the purpose of providing 'Social Recommendations' within built-in apps. The privacy implications of using this profile script isn't clearly presented to users. Are we really to entrust our data to a company founded by a man who comes from the world of browser toolbars? And for social search?!" The company rushes to counter privacy concerns by pointing out that their service has "received security certifications from TRUSTe, McAfee and Norton."

27 of 83 comments (clear)

Min score:

Reason:

Sort:

Most users don't care by mr1911 · 2012-08-29 10:08 · Score: 4, Insightful

They already post all of their life details on Facebook anyway.

Those that do care wouldn't use this app in the first place.

--
This post comes with a double-your-money-back guarantee!
Any offense taken to this post is at your sole discretion.
security certification != privacy by realitycheckplease · 2012-08-29 10:11 · Score: 5, Informative

Presenting security certifications from Trust, Mcafee and Norton says nothing about how they'll use personal data. It just means that they might be less susceptible to hacking (but I personally doubt it) than companies without similar certifications.
1. Re:security certification != privacy by Tackhead · 2012-08-29 10:31 · Score: 4, Informative
  
  Presenting security certifications from Trust, Mcafee and Norton says nothing about how they'll use personal data. It just means that they might be less susceptible to hacking (but I personally doubt it) than companies without similar certifications.
  
  It means you're not reading it like a lawyer.
  "The company rushes to counter privacy concerns by pointing out that their service has "received security certifications from TRUSTe, McAfee and Norton."
  "The company's concerns are counter-privacy" and/or "they're rushing to counter your privacy" seem pretty consistent with "TRUSTe, McAfee and Norton."
  Remember, A TrustE is still a con. (Attr. to Agent 01413 of the Lumber Cartel (TINLC), and to Socks the Cat, ca. 1999 or earlier - the earliest I could find was in a .sig quote from 1999 - and scattered around the web, off and on, for at least ten years .)
Privileged app submitter by Bovius · 2012-08-29 10:14 · Score: 4, Interesting

As an iOS developer, if I submitted an app to the app store that does this, I'm certain it would be rejected for not meeting Apple's guidelines. Makes me wonder who had to be friends with who to get this greenlighted.
Who actually cares about certification branding? by Anonymous Coward · 2012-08-29 10:14 · Score: 4, Insightful

Pay TRUSTe, et all some money and they will "certify" you. As far as I can tell all it really means is you the consumer know the company paid money to get a logo for their site/app. It's not some rigorous analysis of what is done with your data or how it is secured and seems basically worthless.
Not an app, a configuration by SuperKendall · 2012-08-29 10:18 · Score: 5, Informative

Those that do care wouldn't use this app in the first place.
A point of technical accuracy; on iOS you could not sell an app that would alter the destination of traffic for all other apps.
Instead, they are using a configuration profile - it's the same mechanism that enables a company to configure iOS devices. The configuration profile can load in mandatory PIN use, or other settings for the phone - including a network proxy as we see here.
As you say, users will not really care... but even so I can't see them tricking many users into doing this.

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
1. Re:Not an app, a configuration by Nerdfest · 2012-08-29 10:30 · Score: 4, Insightful
  
  You have way more faith in users than I do. It's been shown again and again that you can make a platform as secure as you want, but if you allow a user to do something bad for them, they will do it ... even if you warn them.
2. Re:Not an app, a configuration by SuperKendall · 2012-08-29 10:37 · Score: 2
  
  I agree with you, it could be that perhaps Apple will do something to make it more difficult to install configuration profiles going forward...
  If they felt this action was improper they could issue an OS update that would just block any attempt to use those servers as a proxy.
  The real question is, what are they doing on those servers with your traffic...
  
  --
  "There is more worth loving than we have strength to love." - Brian Jay Stanley
3. Re:Not an app, a configuration by mwvdlee · 2012-08-29 10:40 · Score: 4, Insightful
  
  The real question is, what are they doing on those servers with your traffic...
  Whatever they damn well want.
  And if they're not doing it now, they may do so whenever they feel like it.
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
4. Re:Not an app, a configuration by PopeRatzo · 2012-08-29 10:44 · Score: 3, Funny
  
  As you say, users will not really care... but even so I can't see them tricking many users into doing this.
  Why not? Those users were tricked into buying iPhones in the first place, so there's a pretty good likelihood that they're gullible.
  
  --
  You are welcome on my lawn.
5. Re:Not an app, a configuration by icebike · 2012-08-29 11:31 · Score: 4, Insightful
  
  A point of technical accuracy; on iOS you could not sell an app that would alter the destination of traffic for all other apps.
  Instead, they are using a configuration profile - it's the same mechanism that enables a company to configure iOS devices. The configuration profile can load in mandatory PIN use, or other settings for the phone - including a network proxy as we see here.
  As you say, users will not really care... but even so I can't see them tricking many users into doing this.
  Still, what happened to the curated garden that Apple is so proud of?
  An app that helps singles find others in bars is booted from the App store for fear of stalking, but one that steals ALL your traffic is OK?
  90% of IPhone users have no clue what the pop-ups and check boxes mean. Its just some techno-talk-gibberish that you have to click OK
  in order to use you cool new app.
  
  --
  Sig Battery depleted. Reverting to safe mode.
6. Re:Not an app, a configuration by scdeimos · 2012-08-29 12:29 · Score: 2, Informative
  
  A point of technical accuracy; on iOS you could not sell an app that would alter the destination of traffic for all other apps.
  Instead, they are using a configuration profile - it's the same mechanism that enables a company to configure iOS devices. The configuration profile can load in mandatory PIN use, or other settings for the phone - including a network proxy as we see here.
  As you say, users will not really care... but even so I can't see them tricking many users into doing this.
  Still, what happened to the curated garden that Apple is so proud of?
  An app that helps singles find others in bars is booted from the App store for fear of stalking, but one that steals ALL your traffic is OK?
  90% of IPhone users have no clue what the pop-ups and check boxes mean. Its just some techno-talk-gibberish that you have to click OK in order to use you cool new app.
  Did you even read TFA? This is /. so I guess not.
  Ignoring that Apple are dicktards when it comes to consistent enforcement of their own App Store policies, the Wajam app doesn't even touch your traffic. Users are encouraged to download and install a separate Configuration Profile that tells the iDevice to use a proxy server at Wajam's DC for internet traffic. Carrier Settings/Configuration Profiles are not new... for a number of years web sites like http://www.unlockit.co.nz/ have enabled users to define their own APN configurations so they can do things like disable 2G/3G data access to prevent carriers from generating massive bills.
7. Re:Not an app, a configuration by icebike · 2012-08-29 12:42 · Score: 4, Interesting
  
  You make a huge distinction for very little difference.
  Regardless of HOW they get the user to use a proxy server, they still systematically socially engineering them to do so.
  That they use methods that were designed for corporate phones and apply them to public subscribers is simply more evidence of misbehavior.
  That you accepted my gift of a wall clock does not excuse the presence of my listening device embedded therein, even if the fine print in the
  clock's user manual mentioned it.
  
  --
  Sig Battery depleted. Reverting to safe mode.
The summary is wrong by digitallife · 2012-08-29 10:24 · Score: 5, Informative

The summary is wrong.
There is no app on ios, and in fact no way to do this on ios through an app. The 'script' is for fully fledged desktops. On ios they have instructions for how to setup wajam as your proxy.
This is pretty basic stuff. iOS slandering at its best.
1. Re:The summary is wrong by R3d+M3rcury · 2012-08-29 10:47 · Score: 2
  
  I gotta admit, I was wondering how a script could change your proxy on iOS when, in theory, the only "script" you can run is JavaScript.
  The neat question, of course, is did Apple vet what they're doing in any way before allowing them on their store. Or is this one of those cases where Apple looks out for the safety and security of their users until something goes wrong and then it's, "Hey, we're not responsible for third-parties."
Re:TFA must be wrong by Anonymous Coward · 2012-08-29 10:28 · Score: 2, Informative

After all, it was downloaded from Apple's walled garden. Isn't the entire raison d'etre for that that Apple's intense scrutiny of all apps presented means that users don't have to think when they're installing software? They can just assume it's all safe, and rely on Apple's checking to keep them secure. That's what Apple fans tell me anyway, when they relate how superior iTunes is to Google's service.
I know hating Apple is fashionable on Slashdot, but at least try staying in context so you don't look stupid to outsiders.
The app is not the problem, there is absolutely nothing wrong with it (though it may still get banned Just Because Apple doesn't like this kind of stuff). The problem is that users of the app are being instructed by the site to manually change their proxy settings. No scripts are being downloaded here, they're using a proxy to overlay content in Safari and the app to overlay content in an augmented version of Maps.
The summary misses the point completely, but this is common on Slashdot given how biased this site really is.
It's not an app, Apple has no control over this by SuperKendall · 2012-08-29 10:29 · Score: 5, Informative

Makes me wonder who had to be friends with who to get this greenlighted.
There was no need to be friends with anyone. I put in a longer post about this elsewhere, but it's not an app that does this but a configuration file that tells the phone to use their server as a proxy.
It's quite easy to build your own iPhone configuration files, anyone can download the iPhone Configuration Utility (They even have a Windows version) to build one. The trick is getting people to install the configuration...
But between building a config and applying to a device, Apple is never involved.
A configuration profile was also a way you could enable tethering at first when AT&T blocked it initially, though Apple/AT&T did fix that eventually...

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
1. Re:It's not an app, Apple has no control over this by R3d+M3rcury · 2012-08-29 14:41 · Score: 5, Insightful
  
  What's your interest in defending Apple on this?
  What's your interest in attacking Apple on this?
  Okay, I'll point out one simple fact: This is not an App. If you go to the iTunes Store and search for Wajam, you find nothing. Nil, Zip, Nada. So it's not an App that Apple is implicitly saying is okay by hosting it in it's App Store.
  If you want to "bash" Apple, what this is is a privacy attack vector. If I can get you to download something like this to your phone, I can set up the proxy so that a trip to, oh, bankofamerica.com will end up on a server of my choice. Great for spoofing and pretty dangerous.
  Note that it doesn't automatically select the configuration--I have to do this myself. But that can be socially-engineered, so it's not like it's great protection. So Apple is not entirely blameless on this, I'll agree.
Isn't the bandwidth going to be expensive? by Gordonjcp · 2012-08-29 10:29 · Score: 4, Funny

Wouldn't it be terrible if someone published the details of the proxy connections, and it started getting hammered by thousands of slashdotters?
Or it's not an App... by SuperKendall · 2012-08-29 10:33 · Score: 5, Informative

After all, it was downloaded from Apple's walled garden.
Actually no.
It's amazing how just about every single poster is assuming this was an app.
In fact you could not even build an app like this that would come from the App Store. Not only would Apple not allow it, but technically no app can affect the network traffic of another app unless you jailbreak the phone.
This is simply a configuration profile that users download directly from the company and install themselves. Read my other posts giving more detail.
Are you against people being able to install custom configuration profiles? I have used one myself to route traffic from my phone to a debugging HTTP proxy, very handy...

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
1. Re:Or it's not an App... by Sez+Zero · 2012-08-29 10:42 · Score: 2, Insightful
  
  My Kingdom for some mod points!
  
  Yes, post slamming Apple is somehow both Insightful and yet completely wrong.
  
  And we have the hubris to slam creationists for their logical fallacies!
2. Re:Or it's not an App... by LordLucless · 2012-08-29 10:43 · Score: 2
  
  It's amazing how just about every single poster is assuming this was an app.
  Yes, such an amazing assumption given that that was specified in the title of the Slashdot story. Reading TFA, I can see it's wrong, but not it's not an unreasonable assumption.
  
  Are you against people being able to install custom configuration profiles? I have used one myself to route traffic from my phone to a debugging HTTP proxy, very handy...
  Me? Of course not. Then again, I'm not against people being able to install whatever apps they choose on their phone either. This does seem to run counter to Apples philosophy of "we own the phone, we just let you use it". I'll be interested to see how Apple reacts. I'm pretty sure they won't want a third party messing with the data for their built-in apps, but some popular apps seem to use the same mechanism.
  
  --
  Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
VERY relevant XKCD... by SuperKendall · 2012-08-29 10:34 · Score: 4, Funny

Three words: "Clinically Studied Ingredient"

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Re:Who actually cares about certification branding by Anonymous Coward · 2012-08-29 10:38 · Score: 3, Insightful

It has been a while, but I've seen some logos that basically say "This site is certified by us... and reserve the right to hand over ever stray bit to any third party they please".
Certified, yes. Does this mean actual protection of the consumer. I'd read into it more closely.
Realistically, the only certifications I'd take seriously would be NIST controls, PCI/DSS2 or something similar that not just allows a company to stick pretty colored logos, but actually have the logos mean something other than paying some cash to a firm for a green bar on the Web browser instead of a white bar.
What would be nice is an accrediting agency that is just plain brutal in enforcement. In return for a logo (with stiff penalties for using the logo incorrectly), the firm would have to be subject to audits, confirm to data retention guidelines, have a baseline of security procedures/policies, and so on. If a firm is not keeping their end of the bargain, the logo gets pulled.
We have that with colleges and universities that if it is accredited, one is assured of a certain education level. Why not a security standard that actually means something and has teeth?
I wonder if consumers would really care though. People reading this on /. might, but Joe Sixpack might not if the service was trendy enough. In fact, I've encountered a number of people who just don't care who spies on them 24/7, provided they get their freebie.
Long-term, things might boil down to having a web of trust infrastructure tied to domain names, with people giving up/down recommendations having various reputations (that way, some bought shill can't trash the entire system with a CAPTCHA breaker and some good script-fu.) That way, if someone reliable pointed out that a site wants to install a proxy in order to use it, other people would see it and be leery, while a shill saying that something is 100% happyland is completely ignored.
Problem is that there are no immediate consequences to info being spread around to the 4 winds. I remember in the past, when MS-DOS viruses started zapping BIOSes or trying to fry older multisync monitors with bogus resolutions, that even the most brain-dead users started doing basic computer sanitation.
Re:apple will soon ban this app by CanHasDIY · 2012-08-29 10:50 · Score: 2, Funny

It isn't an app. Apparently the submitter and the editor both failed to actually RTFA.
What, and you did?

Phukin' fanboi...

lolz

--
An enigma, wrapped in a riddle, shrouded in bacon and cheese
FTFY by peacefinder · 2012-08-29 10:53 · Score: 2

The company rushed to point out that security certifications from TRUSTe, McAfee and Norton are worthless in this situation.

--
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
How am I "defending Apple"? by SuperKendall · 2012-08-29 15:14 · Score: 2

What's your interest in defending Apple on this?
My interest is in people getting technical facts right.
The fact is that Apple has no control over people making and distributing these profiles. That is simple fact; there is no App involved, another fact.
In FACT I even stated that I thought APple at some point might have to put some additional controls around installing profiles so naive users cannot do so easily. That's not defending Apple, that's saying they have an issue they may want to address if rogue profiles become a problem.
Nothing however will stop novice users from going into settings and manually entering a proxy, which you can also do. That is such a basic requirement of networking you cannot remove it as an option from smartphones.

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley