Tor Project: Fake Tor App Has Been In Apple's App Store For Months

← Back to Stories (view on slashdot.org)

Tor Project: Fake Tor App Has Been In Apple's App Store For Months

Posted by Unknown on Thursday March 20, 2014 @08:34AM from the well-he-paid-his-developer-fees-so-... dept.

itwbennett (1594911) writes "For the past several months Tor developers have unsuccessfully been trying to convince Apple to remove from its iOS App Store what they believe to be a fake and potentially malicious Tor Browser application. According to subsequent messages on the bug tracker, a complaint was filed with Apple on Dec. 26 with Apple reportedly responding on Jan. 3 saying it would give a chance to the app's developer to defend it. More than two months later, the Tor Browser app created by a developer named Ronen is available still in the App Store. The issue came into the public spotlight Wednesday when people involved in the Tor Project took to Twitter to make their concerns heard. Apple did not respond to IDG News Service's request for comment."

78 comments

Min score:

Reason:

Sort:

strange priorities ... unless they already knew by Anonymous Coward · 2014-03-20 08:43 · Score: 5, Insightful

Apple can burn a book in seconds for showing a little bit of flesh, yet an application may be getting their users tortured in dictatorships and it takes them months to fix.
I think we know who's been working for the NSA and then denying involvement; don't we.
1. Re:strange priorities ... unless they already knew by Anonymous Coward · 2014-03-20 08:52 · Score: 4, Informative
  
  Please put an NSFW warning. Some of us browse /. on the clock.
2. Re:strange priorities ... unless they already knew by John.Banister · 2014-03-20 08:56 · Score: 5, Informative
  
  In a similar example when Apple pulled the 500px Photo App "the company was informed of the removal just a few moments before it was pulled from the store," certainly not given months to defend it. In an effort to help Apple with their priorities, here's a link to the 50+ Best Apps for Watching Porn on iPhone.
3. Re:strange priorities ... unless they already knew by alen · 2014-03-20 09:02 · Score: 0
  
  too bad for tor there aren't any copyrights or patents behind it
  why should apple remove it?
4. Re:strange priorities ... unless they already knew by ArcadeMan · 2014-03-20 09:07 · Score: 3, Insightful
  
  "It's a disturbing example of the excesses of American prudishness."
  
  Please put an NSFW warning. Some of us browse /. on the clock.
  Indeed.
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
5. Re:strange priorities ... unless they already knew by ArcadeMan · 2014-03-20 09:59 · Score: 5, Insightful
  
  Typical American knee-jerk reaction. Showing a nude body is wrong but showing someone getting shot in the head is normal.
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
6. Re:strange priorities ... unless they already knew by Impy+the+Impiuos+Imp · 2014-03-20 10:01 · Score: 1, Offtopic
  
  Please put an NSFW warning. Some of us browse /. on the clock.
  Thank you. "NSFW" is brilliant -- anything to lead me at work to porn faster.
  
  --
  (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
7. Re:strange priorities ... unless they already knew by lgw · 2014-03-20 10:43 · Score: 5, Insightful
  
  Clearly the TOR team is going about this wrong! Stop telling Apple "this app causes your customers to be tortured to death" - Apple cares not. Instead tell Apple "please pull this app, my kid used it to watch porn". Gone in 60 seconds.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
8. Re:strange priorities ... unless they already knew by Anonymous Coward · 2014-03-20 15:36 · Score: 2
  
  In other words, it's only NSFW if you're American.
9. Re:strange priorities ... unless they already knew by Smauler · 2014-03-20 20:08 · Score: 1, Funny
  
  OP clearly said next to the link "showing a little bit of flesh". What did you think that meant?
10. Re:strange priorities ... unless they already knew by coofercat · 2014-03-21 01:03 · Score: 1
  
  All those boobs - they're not for children you know ;-)
11. Re:strange priorities ... unless they already knew by Anonymous Coward · 2014-03-23 04:07 · Score: 0
  
  Typical American knee-jerk reaction. Showing a nude body is wrong but showing someone getting shot in the head is normal.
  So which ebook you can buy in the iBoook store has a cover where someone gets shot in the head? Unlike the many with nude bodies (but no nipples)?
12. Re:strange priorities ... unless they already knew by Anonymous Coward · 2014-03-26 01:53 · Score: 0
  
  In a similar example when Apple pulled the 500px Photo App "the company was informed of the removal just a few moments before it was pulled from the store," certainly not given months to defend it.
  And they were back in the store a short time later after upping the age requirement.
13. Re:strange priorities ... unless they already knew by ahabswhale · 2014-03-27 15:25 · Score: 1
  
  FYI: watching videos or viewing images of people shot in the head would also be considered NSFW in the US.
  
  --
  Are agnostics skeptical of unicorns too?
TOR on Apple? by Anonymous Coward · 2014-03-20 08:44 · Score: 5, Funny

If you're trying to use TOR on an Apple device, you're doing it wrong.
1. Re:TOR on Apple? by asmkm22 · 2014-03-20 09:15 · Score: 3, Funny
  
  "Take a TOR of our lovely walled garden!"
2. Re:TOR on Apple? by Anonymous Coward · 2014-03-20 10:08 · Score: 0
  
  It's apples and onions.
3. Re:TOR on Apple? by GumphMaster · 2014-03-20 10:38 · Score: 2
  
  Mmmm, chutney
  
  --
  Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
Re: I don't see a problem.. by Anonymous Coward · 2014-03-20 08:45 · Score: 0, Interesting

I've been using a tor app In the app store and it works is it the same one, what's this one called. If it is I agree I don't see a problem.
Typical Apple idiocy by bazmail · 2014-03-20 08:46 · Score: 5, Interesting

They took about 30 seconds to take down that breast feeding app (a BREAST!!!), but something so utterly evil like an app that promises anonymity and delivers spyware gets to live on for months? Sounds like Apple may have received a National Security letter about this fake Tor app (i.e. leave it alone!) and are playing dumb.
1. Re:Typical Apple idiocy by uCallHimDrJ0NES · 2014-03-20 09:50 · Score: 3, Funny
  
  CORRECT!!!
  
  --
  Cloudiot: A person who does not see offsite storage as a way to lose control over access to his or her own data.
profit before security. by bloodhawk · 2014-03-20 08:49 · Score: 2, Insightful

nothing new here, Apple have always put profits before security
1. Re:profit before security. by Anonymous Coward · 2014-03-20 09:18 · Score: 0, Troll
  
  Yep. That's why they get all the viruses.
2. Re:profit before security. by Anonymous Coward · 2014-03-20 14:16 · Score: 0, Troll
  
  the fact you think security of an OS and virus infection rate is related is a sad indictment of your security knowledge. Virus's/malware target user stupidity and the highest volume targets. This is why you see the infection rates of Android and OS.X significantly climbing over the last year or two as their popularity increases while at the same time the infection rate has decreased on windows.
slashtards by Anonymous Coward · 2014-03-20 08:49 · Score: 0, Offtopic

Oh that evil apple, refusing to take some guys app down because a random company says so.
1. Re:slashtards by bazmail · 2014-03-20 09:09 · Score: 2
  
  3/10. Your troll skills need work.
2. Re: slashtards by Anonymous Coward · 2014-03-20 13:26 · Score: 0
  
  I'm not sure why this is so objectionable and modded down. It's pretty much the truth. I know people love conspiracy theories and such, and they may actually be true, but we don't know. As is stands, this really is just some random company asking Apple to take down an app because they don't like it. It's nothing more and nothing less.
Would have liked to see more information by SuperKendall · 2014-03-20 08:50 · Score: 3, Insightful

The article was pretty slim (even the links to discussion within) on detail as to just WHAT they consider to be adware/spyware about the app...
I would hope that some random person could not an app pulled because of it simply having ads.
The spyware thing is way more a concern - so in what aspect is it spyware? Is it sending back everything you browse to some third party? The problem is that even in that case, I don't know it should necessarily be pulled - that could just be metrics the app developer is collecting. It's shady but not necessarily a reason to pull the app. All of the comments I could see related to being "spyware" were about ads knowing location, but that's not uncommon for ads, and a user can simply deny location services when the are running the app (as I do for any browser I run).
Also of course, there's the claim that the app is a "fake" which would imply it does not actually browse using TOR. It doesn't seem that way from the reviews - those could be faked of course but it seems like you would ALSO see reviews noting it does not work at all. It's not like people do not LOVE to read one-star reviews for an app when they are unhappy for any reason....

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
1. Re:Would have liked to see more information by Anonymous Coward · 2014-03-20 09:03 · Score: 2, Insightful
  
  It was last updated on Nov. 6 and only one of the three customer reviews so far includes a complaint about how ads are being displayed, with the reviewer noting that the app is very good at what it does otherwise.
  vs.
  
  Tor Browser in the Apple App Store is fake. It's full of adware and spyware. Two users have called to complain. We should have it removed.
  I think the root cause of the complaint is the Tor Project afraid that this app will tarnish their [adjective] name. You are right that neither the story nor the Tor panic page have anything even mildly resembling evidence of wrongdoing with the app in question.
  As often as I am disgusted by Apple, there needs to be some actual evidence of wrongdoing to justify removing an app. None has been presented, so I cannot side with the Torers until they manage to provide some.
2. Re:Would have liked to see more information by Anonymous Coward · 2014-03-20 09:17 · Score: 0
  
  Is it sending back everything you browse to some third party? The problem is that even in that case, I don't know it should necessarily be pulled - that could just be metrics the app developer is collecting.
  This is a TOR app. The aim is that, if you are a Russian citizen and want to find out how much of Gazprom Vlad owns without the FSB coming and finding you, you can do that. If the app sends back a message to it's developer showing what you looked at then that is a serious security breach.
3. Re:Would have liked to see more information by SuperKendall · 2014-03-20 09:25 · Score: 1, Interesting
  
  If the app sends back a message to it's developer showing what you looked at then that is a serious security breach.
  That's a reason not to trust the app for the intended use, but not a good reason to pull the app from the store. Apple's job is not to make sure that the app operates 100% as described, but that it falls within the guidelines for being on the store and lives up to the app description. The app says it "helps" you with security but that's as far as it goes, and would be true for anyone monitoring just the HTTP URL's accessed by the app (if it's really using TOR).
  The thing is we have no-one saying it is in fact reporting back anything to anyone - all I can find is complaints ads make use of location! Location which the app user has to approve the app getting access to.
  If you are a Russian citizen using this app because of a real need for anonymity, you would not approve it accessing location...
  
  --
  "There is more worth loving than we have strength to love." - Brian Jay Stanley
4. Re:Would have liked to see more information by Anonymous Coward · 2014-03-20 10:03 · Score: 0
  
  Also if Apple approved the app than the adds are coming from Apple's ad system and the user tracking is being done by Apple not the app developer.
  That is a significantly different class of risk than "whoever the developer is, can get location data about the app's users", if for no other reason than If Apple wanted to compromise your iPhone, they could do it much more subtly, and reliably than snooping the add data from one app they didn't write, or have any way to get you to download. So using an app with ads on your iPhone likely exposes you to no additional risk over using the iPhone in general
Plan B will probably work by Anonymous Coward · 2014-03-20 08:53 · Score: 0

Bad publicity always helps.
NSA says to keep it in there. by Anonymous Coward · 2014-03-20 08:54 · Score: 0

See title.
1. Re:NSA says to keep it in there. by PPH · 2014-03-20 10:43 · Score: 1
  
  Browser app created by a developer named Ronen
  Ronin?
  Didn't anyone see the movie and understand the plot?
  
  --
  Have gnu, will travel.
This is the internet,...... by Anonymous Coward · 2014-03-20 08:55 · Score: 0

.... That in combination with TOR, it should not be that hard to just find and kill him...... if the app is what they say it is (and have not been troubled by it since I ignore apple devices (besides laptop)).... then they should just trace him and just threaten anything they have to make the developer stop, run and cry! It is not that he has any added value (it seems)
Apple's Behind by Anonymous Coward · 2014-03-20 08:58 · Score: 1

The app store has been having an increasing share of issues in the past year.
I pulled my entire app catalog in protest over missing and misfiled reviews going on six months now.
The usual Apple message:
"We are aware of the issue but remain unable to give you a timeline on when the issue will be resolved."
Something big will have to happen to focus efforts on cleaning up the app store; the cracks in the infrastructure are there and growing.
Not fake... by Anonymous Coward · 2014-03-20 09:05 · Score: 2, Interesting

as much as "not an official release".
When you are working with something like the TOR network and you want to stay as secure and (hopefully) as safe as possible, you want everything to be officially released. If the browser bundle in the store is not official, you don't know *exactly* what is in it or if they added anything to it. That alone is scary. Especially if you know & trust the TOR project and expect the same from the app as you get from their other browser bundles.
"Fake" is definitely the wrong way to describe it ( if it actually does use TOR ), but it definitely makes a bigger impression than "unofficial".
Re:Nonsense. by Anonymous Coward · 2014-03-20 09:09 · Score: 0

How do you know that nothing nefarious is happening?
"unofficial" would be a better path to takedown by SuperKendall · 2014-03-20 09:12 · Score: 3, Insightful

"Fake" is definitely the wrong way to describe it ( if it actually does use TOR ), but it definitely makes a bigger impression than "unofficial".
From further reading on the app, it seems that even though "unofficial" does not sound as impressive, it's the better path to taking down this app. The app seems to be using a copyrighted TOR logo without permission, and also linking to the TOR site for support even though that is not owned by the developer.
If they want to pull the app they should note the copyright violations to Apple rather than the vague claims of "spyware" without proof. Apple treats copyright claims very seriously. The developer could put the app back up using a different logo and support link, but that's OK until someone can prove real harm from using the app.

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
1. Re:"unofficial" would be a better path to takedown by AmiMoJo · 2014-03-20 09:28 · Score: 4, Insightful
  
  "Tor Browser Bundle" is the name of the official secure browser/Tor app distribution. This app was using the name but was not associated with the creators of the real Tor Browser Bundle at all, and apparently contained advertising and spyware which as well as putting users at risk was damaging the reputation of the official bundle. Since it wasn't open source or audited there is no way to really know how well it worked, but the fact that it had advertising suggests that it was not particularly well designed since adverts themselves leak information about the user.
  Apple apparently doesn't treat copyright claims from non-commercial entities very seriously, as evidenced by the bug report. It took people using their personal contacts to get things moving in the end. If the people at Apple who review apps before releasing them to the app store were half way competent they would never have allowed it in the first place. They clearly didn't understand that the claims it was making could't really be true (due to the advertising at the very least) and a quick google would have revealed that the name was ripped off.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
2. Re:"unofficial" would be a better path to takedown by DaveV1.0 · 2014-03-21 00:21 · Score: 1
  
  So, what you are saying is that TOR shouldn't free and open ala FLOSS, yes?
  
  --
  There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
3. Re:"unofficial" would be a better path to takedown by david_thornley · 2014-03-21 03:28 · Score: 1
  
  In other words, it's something of a trademark issue.
  Is there an actual legal entity called "The Tor Project"? If not, is there somebody who has standing to tell Apple "That's our trademark!"?
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Ok, I'll bite by SuperKendall · 2014-03-20 09:15 · Score: 0

Why do you need a NSWF warning on a link that claims to show "ways to watch porn"?

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Trademark Violation by Anonymous Coward · 2014-03-20 09:17 · Score: 2, Insightful

Tor is a trademark of the Tor Project. If the app is advertising itself as the Tor Browser, it's a clear trademark violation.
1. Re: Trademark Violation by Anonymous Coward · 2014-03-20 09:44 · Score: 0
  
  They just need to change the name...TNT--this is not Tor! I say there's more than one way to dice an onion!
2. Re: Trademark Violation by Anonymous Coward · 2014-03-20 10:00 · Score: 0
  
  DAYFT ... Dis Ain't Your Father's Tor
3. Re:Trademark Violation by Goaway · 2014-03-20 10:32 · Score: 2
  
  Wait, so we like trademark law in this thread? Because I just came from another thread where trademark law was literally Hitler, and I forgot to change.
4. Re:Trademark Violation by pipedwho · 2014-03-20 14:18 · Score: 4, Informative
  
  Trademark/Copyright/Patent law aren't all inherently viewed as bad when implemented and executed properly. However, there are numerous examples (some of which appear on Slashdot) when the holder/government have overstepped the mark. This creates a feeling that the best solution to stop the abuses is to remove the system all-together. Here are some examples of the good/bad dichotomy:
  Trademarks protecting an obvious brand-name: OK
  Trademarks protecting a vague/generalised name/design: BAD
  Patents protecting a clearly novel, non-obvious and very specific invention: OK
  Patents on broad general topics and/or obvious incremental improvements: BAD
  Copyright protecting a creator from having their clearly original work from being re-distributed commercially for a short time (14 years): OK
  Copyright on a few bars of music that appear in the middle of a song from 75 years ago that could easily have been re-created without ever being exposed to the original: BAD
5. Re:Trademark Violation by Bogtha · 2014-03-20 18:58 · Score: 1
  
  Trademark law, like copyright, is relatively sensible as it is designed to be used. Trademark law is designed to protect customers, not corporations. It's there so that when you buy a FooBar, you know you are getting a genuine FooBar and not a knock-off. However some people treat it like ownership of words and use it as a club to censor people. That's what people usually object to, not trademarks as they were intended to be used.
  
  --
  Bogtha Bogtha Bogtha
6. Re:Trademark Violation by DaveV1.0 · 2014-03-21 00:20 · Score: 1
  
  Not exactly. They could say it is "A TOR(tm) browser" and be perfectly safe.
  
  --
  There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
7. Re:Trademark Violation by david_thornley · 2014-03-21 03:32 · Score: 1
  
  Trademarks are neither copyrights or patents. From my perspective:
  Under trademark law, I can't write software and try to fool people into thinking it came from you. Under copyright law, I can't borrow your software; I have to write my own. Under patent law, I can't write my own blasted software, and that ticks me off.
  
  --
  "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Re:Nonsense. by Krojack · 2014-03-20 09:21 · Score: 4, Funny

Because it's an iPhone! Apple knows what's best and they even examined the code! Geez..
Do not question the Apple Gods.
Because Republicans by Anonymous Coward · 2014-03-20 09:25 · Score: 0

They hate freedom so they want their friends at Apple to do their part to help to destroy it. CONservative Apple is only too happy to help them with their war on us.
Never mind by SuperKendall · 2014-03-20 09:27 · Score: 0

I see now you were not responding to the link I was thinking of... it would have been good for the original message to have a NSFW link.

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
What was the complaint by SuperKendall · 2014-03-20 09:57 · Score: 0

Apple apparently doesn't treat copyright claims from non-commercial entities very seriously, as evidenced by the bug report.
The bug report did not claim they contacted Apple about the copyright claims, only the spyware stuff. Did they contact Apple about the copyright aspect?
They clearly didn't understand that the claims it was making could't really be true (due to the advertising at the very least)
The claims he is making in the app description is only that it "helps" with security by encrypting traffic - all of which is very easily true, even with ads. What do you think ads are revealing about the user in relation to what they are browsing with TOR? There is no information potentially compromising they can reveal within the App Store framework, except for location - and location access must be approved by the user for the ad to have access to.
I honestly do not think there are a lot of apps that reviewers run for any length of time, but the automated scans are VERY effective at catching any kind of information (like a device UUID) the ads might be trying to capture that would be an issue.

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
1. Re:What was the complaint by lgw · 2014-03-20 10:53 · Score: 2
  
  In short, people use TOR to avoid being jailed, tortured, and or killed by local authorities for their web browsing habits. There have been fake TOR apps before created and pushed specifically to find undesirables. There's reason to worry about anything unofficial, and the stakes are high.
  I doubt this is an NSA effort, as they can break TOR for specific users they target. But it's very easy for an ad display to de-anonymize the user (because it's very hard to stay anonymous on the web - fingerprinting and timing attacks are both pretty easy), and it's the governments who would need that bit of help that pose the most risk to their own citizens.
  If this were a year ago, I'd suspect this was some Silk Road guy pushing an app to display his own wares when the app went there, but to judge by the news stories I've seen the FBI has been pretty effective at arresting people who displease the US government on TOR (and it seems they did kill wilileaks as a result, which I suspect was the primary goal of all that), so it's mostly about people in China/Iran/etc. who are benefitting from TOR these days.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
2. Re:What was the complaint by Anonymous Coward · 2014-03-21 04:49 · Score: 0
  
  Except ads can inside a browser instance, and cookies/IP address can associate people as long as one app has asked the user to log in or otherwise identify themselves.
  This is, of course, assuming they haven't abused a bug "accidentally" like the Storm8 gathering and transmission to their servers of phone information even though the framework doesn't allow for it.
Stupid fuckers by Anonymous Coward · 2014-03-20 10:25 · Score: 0

They're stupid fuckers for filing a bug report.
They should have had their lawyers contact Apple's Legal department and demanded they take down the bogus app. Don't be nice be an asshole, show some balls and make fucking demands.
No money for lawyers?
Welcome to the free market--bitch.
Tim Cook the faggot causes this crap. by Anonymous Coward · 2014-03-20 10:32 · Score: 0

Now that I know Apple is run by a cock-gobbler, I'll never buy another Apple product
again.
Funny how in private the CEO takes it up the ass but in public the CEO wants to
stick it up the ass of Apple customers.
They have been told yet they still wont get rid of by Anonymous Coward · 2014-03-20 10:41 · Score: 0

So is that the next thing the crooks at the NSA pull? Get their apps into the walled gardens and then tell the hosting company to keep it there no matter what?
Sound like a good reason to promote jailbreaks/rooting.
Apple by koan · 2014-03-20 10:51 · Score: 2, Insightful

So the timing for that SSL "flaw" was nice.
http://daringfireball.net/2014...
Plus now that it's come out Apple was pretty much on board with the NSA and their recent encryption weakness is anyone surprised.
http://www.theguardian.com/wor...
http://www.theguardian.com/wor...
http://www.theguardian.com/wor...
Not to mention every iPhone is a WiFi scanner + Geographical locator.

--
"If any question why we died, Tell them because our fathers lied."
File DCMA TakeDown Notice by Anonymous Coward · 2014-03-20 11:48 · Score: 1

File a takedown notice claiming copyright infringement. That should get it down immediately 'cause it would cost Apple money.
Re: I don't see a problem.. by Anonymous Coward · 2014-03-20 12:02 · Score: 1, Interesting

I've been using a tor app In the app store
If you're trying to use TOR on Apple or Microsoft OSs, you're doing it wrong.
Re: strange priorities ... unless they already kne by Anonymous Coward · 2014-03-21 13:39 · Score: 0

Go fuck yourself u nasty piece of shit!!!