Slashdot Mirror

← Back to Stories (view on slashdot.org)

New iOS App Sends Users' Web Traffic Through Its Proxy Servers

Posted by Soulskill on from the you-can-trust-us dept.

New submitter spac writes "AllthingsD has an interesting story about how a startup called Wajam requires users of their service to download a script that sets up a proxy to handle all network requests for the purpose of providing 'Social Recommendations' within built-in apps. The privacy implications of using this profile script isn't clearly presented to users. Are we really to entrust our data to a company founded by a man who comes from the world of browser toolbars? And for social search?!" The company rushes to counter privacy concerns by pointing out that their service has "received security certifications from TRUSTe, McAfee and Norton."

18 of 83 comments (clear)

  1. Most users don't care by mr1911 · · Score: 4, Insightful

    They already post all of their life details on Facebook anyway.

    Those that do care wouldn't use this app in the first place.

    --
    This post comes with a double-your-money-back guarantee!
    Any offense taken to this post is at your sole discretion.
  2. security certification != privacy by realitycheckplease · · Score: 5, Informative

    Presenting security certifications from Trust, Mcafee and Norton says nothing about how they'll use personal data. It just means that they might be less susceptible to hacking (but I personally doubt it) than companies without similar certifications.

    1. Re:security certification != privacy by Tackhead · · Score: 4, Informative

      Presenting security certifications from Trust, Mcafee and Norton says nothing about how they'll use personal data. It just means that they might be less susceptible to hacking (but I personally doubt it) than companies without similar certifications.

      It means you're not reading it like a lawyer.

      "The company rushes to counter privacy concerns by pointing out that their service has "received security certifications from TRUSTe, McAfee and Norton."

      "The company's concerns are counter-privacy" and/or "they're rushing to counter your privacy" seem pretty consistent with "TRUSTe, McAfee and Norton."

      Remember, A TrustE is still a con. (Attr. to Agent 01413 of the Lumber Cartel (TINLC), and to Socks the Cat, ca. 1999 or earlier - the earliest I could find was in a .sig quote from 1999 - and scattered around the web, off and on, for at least ten years .)

  3. Privileged app submitter by Bovius · · Score: 4, Interesting

    As an iOS developer, if I submitted an app to the app store that does this, I'm certain it would be rejected for not meeting Apple's guidelines. Makes me wonder who had to be friends with who to get this greenlighted.

  4. Who actually cares about certification branding? by Anonymous Coward · · Score: 4, Insightful

    Pay TRUSTe, et all some money and they will "certify" you. As far as I can tell all it really means is you the consumer know the company paid money to get a logo for their site/app. It's not some rigorous analysis of what is done with your data or how it is secured and seems basically worthless.

  5. Not an app, a configuration by SuperKendall · · Score: 5, Informative

    Those that do care wouldn't use this app in the first place.

    A point of technical accuracy; on iOS you could not sell an app that would alter the destination of traffic for all other apps.

    Instead, they are using a configuration profile - it's the same mechanism that enables a company to configure iOS devices. The configuration profile can load in mandatory PIN use, or other settings for the phone - including a network proxy as we see here.

    As you say, users will not really care... but even so I can't see them tricking many users into doing this.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Not an app, a configuration by Nerdfest · · Score: 4, Insightful

      You have way more faith in users than I do. It's been shown again and again that you can make a platform as secure as you want, but if you allow a user to do something bad for them, they will do it ... even if you warn them.

    2. Re:Not an app, a configuration by mwvdlee · · Score: 4, Insightful

      The real question is, what are they doing on those servers with your traffic...

      Whatever they damn well want.
      And if they're not doing it now, they may do so whenever they feel like it.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    3. Re:Not an app, a configuration by PopeRatzo · · Score: 3, Funny

      As you say, users will not really care... but even so I can't see them tricking many users into doing this.

      Why not? Those users were tricked into buying iPhones in the first place, so there's a pretty good likelihood that they're gullible.

      --
      You are welcome on my lawn.
    4. Re:Not an app, a configuration by icebike · · Score: 4, Insightful

      A point of technical accuracy; on iOS you could not sell an app that would alter the destination of traffic for all other apps.

      Instead, they are using a configuration profile - it's the same mechanism that enables a company to configure iOS devices. The configuration profile can load in mandatory PIN use, or other settings for the phone - including a network proxy as we see here.

      As you say, users will not really care... but even so I can't see them tricking many users into doing this.

      Still, what happened to the curated garden that Apple is so proud of?

      An app that helps singles find others in bars is booted from the App store for fear of stalking, but one that steals ALL your traffic is OK?

      90% of IPhone users have no clue what the pop-ups and check boxes mean. Its just some techno-talk-gibberish that you have to click OK
      in order to use you cool new app.

      --
      Sig Battery depleted. Reverting to safe mode.
    5. Re:Not an app, a configuration by icebike · · Score: 4, Interesting

      You make a huge distinction for very little difference.

      Regardless of HOW they get the user to use a proxy server, they still systematically socially engineering them to do so.

      That they use methods that were designed for corporate phones and apply them to public subscribers is simply more evidence of misbehavior.

      That you accepted my gift of a wall clock does not excuse the presence of my listening device embedded therein, even if the fine print in the
      clock's user manual mentioned it.

      --
      Sig Battery depleted. Reverting to safe mode.
  6. The summary is wrong by digitallife · · Score: 5, Informative

    The summary is wrong.
    There is no app on ios, and in fact no way to do this on ios through an app. The 'script' is for fully fledged desktops. On ios they have instructions for how to setup wajam as your proxy.
    This is pretty basic stuff. iOS slandering at its best.

  7. It's not an app, Apple has no control over this by SuperKendall · · Score: 5, Informative

    Makes me wonder who had to be friends with who to get this greenlighted.

    There was no need to be friends with anyone. I put in a longer post about this elsewhere, but it's not an app that does this but a configuration file that tells the phone to use their server as a proxy.

    It's quite easy to build your own iPhone configuration files, anyone can download the iPhone Configuration Utility (They even have a Windows version) to build one. The trick is getting people to install the configuration...

    But between building a config and applying to a device, Apple is never involved.

    A configuration profile was also a way you could enable tethering at first when AT&T blocked it initially, though Apple/AT&T did fix that eventually...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:It's not an app, Apple has no control over this by R3d+M3rcury · · Score: 5, Insightful

      What's your interest in defending Apple on this?

      What's your interest in attacking Apple on this?

      Okay, I'll point out one simple fact: This is not an App. If you go to the iTunes Store and search for Wajam, you find nothing. Nil, Zip, Nada. So it's not an App that Apple is implicitly saying is okay by hosting it in it's App Store.

      If you want to "bash" Apple, what this is is a privacy attack vector. If I can get you to download something like this to your phone, I can set up the proxy so that a trip to, oh, bankofamerica.com will end up on a server of my choice. Great for spoofing and pretty dangerous.

      Note that it doesn't automatically select the configuration--I have to do this myself. But that can be socially-engineered, so it's not like it's great protection. So Apple is not entirely blameless on this, I'll agree.

  8. Isn't the bandwidth going to be expensive? by Gordonjcp · · Score: 4, Funny

    Wouldn't it be terrible if someone published the details of the proxy connections, and it started getting hammered by thousands of slashdotters?

  9. Or it's not an App... by SuperKendall · · Score: 5, Informative

    After all, it was downloaded from Apple's walled garden.

    Actually no.

    It's amazing how just about every single poster is assuming this was an app.

    In fact you could not even build an app like this that would come from the App Store. Not only would Apple not allow it, but technically no app can affect the network traffic of another app unless you jailbreak the phone.

    This is simply a configuration profile that users download directly from the company and install themselves. Read my other posts giving more detail.

    Are you against people being able to install custom configuration profiles? I have used one myself to route traffic from my phone to a debugging HTTP proxy, very handy...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  10. VERY relevant XKCD... by SuperKendall · · Score: 4, Funny

    Three words: "Clinically Studied Ingredient"

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  11. Re:Who actually cares about certification branding by Anonymous Coward · · Score: 3, Insightful

    It has been a while, but I've seen some logos that basically say "This site is certified by us... and reserve the right to hand over ever stray bit to any third party they please".

    Certified, yes. Does this mean actual protection of the consumer. I'd read into it more closely.

    Realistically, the only certifications I'd take seriously would be NIST controls, PCI/DSS2 or something similar that not just allows a company to stick pretty colored logos, but actually have the logos mean something other than paying some cash to a firm for a green bar on the Web browser instead of a white bar.

    What would be nice is an accrediting agency that is just plain brutal in enforcement. In return for a logo (with stiff penalties for using the logo incorrectly), the firm would have to be subject to audits, confirm to data retention guidelines, have a baseline of security procedures/policies, and so on. If a firm is not keeping their end of the bargain, the logo gets pulled.

    We have that with colleges and universities that if it is accredited, one is assured of a certain education level. Why not a security standard that actually means something and has teeth?

    I wonder if consumers would really care though. People reading this on /. might, but Joe Sixpack might not if the service was trendy enough. In fact, I've encountered a number of people who just don't care who spies on them 24/7, provided they get their freebie.

    Long-term, things might boil down to having a web of trust infrastructure tied to domain names, with people giving up/down recommendations having various reputations (that way, some bought shill can't trash the entire system with a CAPTCHA breaker and some good script-fu.) That way, if someone reliable pointed out that a site wants to install a proxy in order to use it, other people would see it and be leery, while a shill saying that something is 100% happyland is completely ignored.

    Problem is that there are no immediate consequences to info being spread around to the 4 winds. I remember in the past, when MS-DOS viruses started zapping BIOSes or trying to fry older multisync monitors with bogus resolutions, that even the most brain-dead users started doing basic computer sanitation.