Tuesday, February 12, 2019

What Happens on Your iPhone Stays on Your iPhone... Sort Of

With the recent discovery of a few apps in the Apple Store that were sending your data out to remote servers, Apple has become more than a little concerned about the privacy of its users. For years Apple has made a point of letting users know they support privacy and have been pretty staunch defenders of that. They have refused to yield to the FBI's demands to unlock phones, and other powers that be have tried to force them to build in backdoors so that access can be easily gained even if the user forbade it. Every step of that journey, Apple has fought for the user and I appreciate that. I have a suspicion that Thomas Jefferson would have felt the same way.
However, in the last month or two there have been some things that have come to light about Apple-approved apps that are stealing your data and habits and then sending them along to servers without your knowledge or permission.
The latest news comes from an investigation by one of my favorite sites, TechCrunch. Now personally I don’t mind if people know what I’m doing as long as I give them permission first. What really frosts me though is when they just start monitoring me like the kid that used to sit behind me in Psychology 101 and copy my test answers without my permission. That is the point where I get seriously ticked off.
So I was pretty happy when TechCrunch investigated and reported that major companies, like Expedia, Hollister and Hotels.com, were using a third-party analytics tool to record every tap and swipe inside their apps. TechCrunch also discovered that none of the apps tested asked the user for permission, and none of the companies said in their privacy policies that they were recording a user’s app activity. AND while the right thing to do would at least be to encrypt the data they were stealing, some things like passport numbers and credit card numbers were leaking. Heck, no big deal, it’s ONLY your passport and your credit cards.
Apple was not happy about this. In fact, they expressly forbid this type of behavior. In order to collect user data, Apple requires that a user be notified and agree with the collection practices. Apple then sent an email to the companies stating:
“Your app uses analytics software to collect and send user or device data to a third party without the user’s consent. Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity,” Apple said in the email.
So the good news is that this situation appears to be on the path to being rectified. Of course, the bad news is that it had to be rectified in the first place.
I’d like to thank TechCrunch for their research and reporting on this.  By bringing the system into the world of Apple and its users, they directly impacted getting this situation fixed.
I’d also like to issue a big “Mahalo” to Patrick Wardle. He is the Chief Research Officer and Founder at Digita Security. Patrick is one of the security professionals who discovered that the app Adware Doctor was stealing users’ browser history and sending it to a hidden server in China. This discovery in September 2018 helped trigger this entire examination of app security in the Apple App Store. He deserves a lot of kudos. It goes to show that one man with a mission can impact the security of millions, and I for one am grateful.
