
Security Bits – 1 June 2019


  • Andrew Orr at TMO got a bit of a sneak peek at Cloudflare’s soon-to-be released Warp VPN (Editorial by Bart: support for a split tunnel is a nice touch) — www.macobserver.com/…
  • Security researchers have found that there are still nearly a million devices out there on the internet vulnerable to the BlueKeep RDP vulnerability Microsoft recently patched in older versions of Windows (including XP & Server 2003) — nakedsecurity.sophos.com/…
  • Apple wrote a letter to GCHQ responding to their proposal for a Ghost Key to bypass end-to-end encryption in messaging services, and Google, Microsoft, & WhatsApp co-signed the letter. The original proposal was made last November in a Lawfare article

Security Medium 1 — Mobile App Tracking in the Spotlight

An article from the Washington Post has shone a fresh spotlight on something we’ve known about, and talked about, for a long time — many mobile apps sell your data to data aggregators and advertisers. This tracking is not news, but it sure got a lot of attention this week, with some in the media reacting as if the Washington Post had made some kind of earth-shattering discovery.

The core problem is real — if you follow the money it is in fact inevitable. Free apps from for-profit companies must be making their money by selling your attention and/or your information. As a society we seem to want everything for no financial cost, and the only way that works is if we pay in some other way, so of course that’s what’s happening.

I quibble with the article’s definition of trackers though. Not everything that sends information across the internet is in any way nefarious or creepy! There is a world of difference between an app sending data to a software-as-a-service QA tool to monitor how their UI and UX are performing, and a company selling your personal information to 3rd parties for re-sale! The article conflates these two things to imply Microsoft’s OneDrive is the same as apps that sell your location data and browsing history for profit.

A lot of people are also blaming Apple for this, but IMO that’s unreasonable. The majority of our apps are windows into the cloud, so apps making network connections are not only not rare, they’re the absolute norm! Apple could not possibly block all network access, nor could it realistically break TLS/SSL to look into the data and block certain types of data flowing. For a start, that would be a massive invasion of privacy, and secondly, the same data can be exactly what users want to send, or totally creepy. When a cycle tracking app sends regular GPS position updates to the cloud that’s the app doing what I want it to do, but that would look no different to an app being really creepy!

What Apple can do is insist in their rules that developers have to have accurate privacy statements, and respond when developers break that rule. And, Apple do that.

An argument I would make is that Apple could do a little more by enforcing a rule that every app that sells data to aggregators or advertisers must have a badge in the app store that makes it clear that the app is paid for by tracking. Then users could more easily make a more informed choice.

If you value your privacy, know that free stuff from for-profit companies comes at a cost, and make your app choices accordingly! I choose to buy apps from developers I trust, and to steer clear of free stuff. Maybe you might want to start thinking that way too? Or maybe you’re happy to pay with your data and/or attention? Either way is fine, just make sure it’s a conscious choice!

One final note — I strongly advise against following the ‘advice’ some news sites are peddling to disable iOS’s Background App Refresh feature. That feature exists for a really important reason: it massively improves your phone’s battery life by managing how all apps talk to the internet. Disabling it makes as much sense as disabling wifi and cellular data in response to this!


Security Medium 2 — Apple’s Privacy Preserving Ad Click Attribution Proposal

Apple have announced Privacy Preserving Ad Click Attribution, a new protocol which they’re working towards developing into a standard through the W3C Web Platform Incubator Community Group (WICG). The aim of this protocol is to facilitate a privacy-respecting mechanism for tracking online ad effectiveness.

Apple have made a lot of moves in their browsers to stop ad networks tracking users across the internet. These privacy-protecting features are a massive boost for users, but they are hurting the advertising industry quite badly. As well as hampering the ad and data aggregation companies’ ability to track all of us as we surf the web, these protections also impede ad buyers’ and sellers’ ability to measure the effectiveness of ad campaigns. For online advertising to be an effective way to monetise financially free content it has to be possible to measure the value produced by a given ad buy, and right now, browser privacy protections are making that very difficult, if not impossible.

This new technology would allow ad buyers and sellers to continue to measure the conversion rates for their ads (what percentage of the people who clicked on an ad actually bought something), but without compromising our privacy. Basically, if I bought ads I’d know how many conversions I got, but not who the individual people were.

If we assume the ad industry is being genuine when it says it needs privacy-invading tracking because that’s the only way to measure ad effectiveness and make the financially-free internet possible, then they should welcome this with open arms. This really is a win-win for everyone. It remains to be seen just how the ad industry will react, and for this to really make a big difference, other browser vendors would need to adopt the standard too.
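To make that distinction concrete, here is a small Python model of the idea. This is an added example, not code from the original post and not Apple’s actual proposal: the browser is the only party that ever links the click to the later purchase, and the report it eventually sends carries a small campaign ID and conversion value but no user identifier. The 6-bit caps on the IDs, the 24–48 hour reporting delay, the site names and the simulated population are all assumptions chosen for this example.

```python
import random
from collections import Counter

# Assumptions for this model (not details taken from the post): IDs are
# capped at 6 bits so neither site can smuggle a per-user identifier into
# the report, and reports go out after a random 24-48 hour delay so they
# cannot be matched back to a click by timing alone.
CAMPAIGN_ID_BITS = 6
CONVERSION_BITS = 6
REPORT_DELAY_HOURS = (24, 48)


def _mask(value, bits):
    """Keep only the low `bits` bits of an integer."""
    return value & ((1 << bits) - 1)


class Browser:
    """One user's browser: the only place where the click and the later
    purchase are ever linked. The user identity never leaves this object."""

    def __init__(self, user_id, rng=None):
        self.user_id = user_id            # known here, never reported
        self.rng = rng or random.Random()
        self.pending_clicks = {}          # (source, destination) -> campaign_id

    def click_ad(self, source, destination, campaign_id):
        """Record that this user clicked an ad on `source` that leads to
        `destination`; the campaign ID is truncated on the way in."""
        self.pending_clicks[(source, destination)] = _mask(campaign_id, CAMPAIGN_ID_BITS)

    def convert(self, destination, conversion_value):
        """The destination site signals a purchase. Produce at most one
        attribution report per stored click, containing no user data."""
        reports = []
        for (source, dest) in list(self.pending_clicks):
            if dest != destination:
                continue
            campaign_id = self.pending_clicks.pop((source, dest))  # one report per click
            reports.append({
                "source": source,
                "destination": dest,
                "campaign_id": campaign_id,
                "conversion_value": _mask(conversion_value, CONVERSION_BITS),
                "send_after_hours": self.rng.uniform(*REPORT_DELAY_HOURS),
            })
        return reports


def aggregate(reports):
    """What the ad buyer sees: conversion counts per campaign, nothing else."""
    return Counter((r["source"], r["destination"], r["campaign_id"]) for r in reports)


def conversion_rate(clicks, conversions):
    """Percentage of clicks that led to a purchase."""
    return 0.0 if clicks == 0 else 100.0 * conversions / clicks


def leaks_identity(reports, user_ids):
    """Defensive check: does any report carry a known user identifier?"""
    return any(uid in str(r) for r in reports for uid in user_ids)


def simulate(n_users=1000, click_rate=0.10, buy_rate=0.25, seed=42):
    """Constructed population: every user sees campaign 5 on news.example,
    a fraction click through to shop.example, and a fraction of those buy."""
    rng = random.Random(seed)
    users = [Browser(f"user-{i}", rng) for i in range(n_users)]
    clicks, reports = 0, []
    for b in users:
        if rng.random() < click_rate:
            clicks += 1
            b.click_ad("news.example", "shop.example", campaign_id=5)
            if rng.random() < buy_rate:
                reports.extend(b.convert("shop.example", conversion_value=7))
    totals = aggregate(reports)
    conversions = totals[("news.example", "shop.example", 5)]
    return {
        "clicks": clicks,
        "conversions": conversions,
        "rate_percent": conversion_rate(clicks, conversions),
        "identity_leaked": leaks_identity(reports, {b.user_id for b in users}),
    }


if __name__ == "__main__":
    print(simulate())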


Security Medium 3 — The US Casts a Cloud of Doubt over Huawei Phone Users

As part of the Trump administration’s on-going antagonism with China the US government has banned US companies from selling hardware or software to Huawei. Initially the ban was total and immediate, but the US government has backed off a little, allowing security updates until at least the 19th of October. It’s not clear what happens then.

In theory this whole Huawei ban is about ensuring security, but it seems the end result might be massive insecurity for all western Huawei phone users. If Huawei can’t get Android security updates, then all Huawei phones have just become un-securable, and hence, impossible to use safely.

For now, Huawei phone users know they can stay patched and stay secure until October. Maybe things will get onto a firmer footing by then. Either way, if you have a Huawei phone, you need to watch how this story develops, because you may be forced to bin your phone in a few months!


Notable Security Updates

Notable News

  • Beware Nokelock smart padlocks: security researchers have found massive security vulnerabilities in these products, despite some of them being Amazon’s Choice — nakedsecurity.sophos.com/…
  • A security researcher has demonstrated a phishing technique that can be used to trick users into bypassing Gatekeeper and running a malicious app. The attack starts by tricking a user into opening a malicious ZIP file, so the standard advice not to open files from un-trusted sources applies. Apple have not fixed the underlying problems yet. — 9to5mac.com/…
  • Security researchers have found that over a quarter of iPhones can be accessed with one of the 20 most popular PINs (Editorial by Bart: If you use a PIN, make sure it is not on the list. I’d suggest going further though, and using a true alphanumeric password. With Touch ID and Face ID massively reducing how often you need your passcode, that’s now a very practical option) — www.cultofmac.com/…
  • 🇺🇸 Facebook have not had a good two weeks in the Delaware Chancery Court where they are defending a share-holder lawsuit over the Cambridge Analytica scandal:
  • The Intercept is reporting that Facebook offers cell carriers around the world extra data pulled from users’ phones by their mobile apps (Facebook, WhatsApp & Instagram) — theintercept.com/…
  • Google recalls Titan Bluetooth keys after finding security flaw — nakedsecurity.sophos.com/…
  • Following FTC complaint, Google rolls out new policies around kids’ apps on Google Play — techcrunch.com/…
  • A new academic study has found that while advertisers pay about 2½ times as much for a behaviourally targeted (creepy) ad as compared to a regular ad, behaviourally targeted ads are only 4% more effective (Editorial by Bart: if this study is backed up by further research then the argument that we need creepy tracking to fund the free internet falls apart) — www.wsj.com/…

Suggested Reading

Palate Cleansers

Note: When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
