New iOS App Sends Users' Web Traffic Through Its Proxy Servers

New submitter spac writes "AllthingsD has an interesting story about how a startup called Wajam requires users of their service to download a script that sets up a proxy to handle all network requests for the purpose of providing 'Social Recommendations' within built-in apps. The privacy implications of using this profile script isn't clearly presented to users. Are we really to entrust our data to a company founded by a man who comes from the world of browser toolbars? And for social search?!" The company rushes to counter privacy concerns by pointing out that their service has "received security certifications from TRUSTe, McAfee and Norton."

security certification != privacy

[realitycheckplease]

Presenting security certifications from Trust, Mcafee and Norton says nothing about how they'll use personal data. It just means that they might be less susceptible to hacking (but I personally doubt it) than companies without similar certifications.

Not an app, a configuration

[SuperKendall]

Those that do care wouldn't use this app in the first place.

A point of technical accuracy; on iOS you could not sell an app that would alter the destination of traffic for all other apps.

Instead, they are using a configuration profile - it's the same mechanism that enables a company to configure iOS devices. The configuration profile can load in mandatory PIN use, or other settings for the phone - including a network proxy as we see here.

As you say, users will not really care... but even so I can't see them tricking many users into doing this.

The summary is wrong

[digitallife]

The summary is wrong.
There is no app on ios, and in fact no way to do this on ios through an app. The 'script' is for fully fledged desktops. On ios they have instructions for how to setup wajam as your proxy.
This is pretty basic stuff. iOS slandering at its best.

Re:TFA must be wrong

[Anonymous Coward]

After all, it was downloaded from Apple's walled garden. Isn't the entire raison d'etre for that that Apple's intense scrutiny of all apps presented means that users don't have to think when they're installing software? They can just assume it's all safe, and rely on Apple's checking to keep them secure. That's what Apple fans tell me anyway, when they relate how superior iTunes is to Google's service.

I know hating Apple is fashionable on Slashdot, but at least try staying in context so you don't look stupid to outsiders.

The app is not the problem, there is absolutely nothing wrong with it (though it may still get banned Just Because Apple doesn't like this kind of stuff). The problem is that users of the app are being instructed by the site to manually change their proxy settings. No scripts are being downloaded here, they're using a proxy to overlay content in Safari and the app to overlay content in an augmented version of Maps.

The summary misses the point completely, but this is common on Slashdot given how biased this site really is.

It's not an app, Apple has no control over this

[SuperKendall]

Makes me wonder who had to be friends with who to get this greenlighted.

There was no need to be friends with anyone. I put in a longer post about this elsewhere, but it's not an app that does this but a configuration file that tells the phone to use their server as a proxy.

It's quite easy to build your own iPhone configuration files, anyone can download the iPhone Configuration Utility [apple.com] (They even have a Windows [apple.com] version) to build one. The trick is getting people to install the configuration...

But between building a config and applying to a device, Apple is never involved.

A configuration profile was also a way you could enable tethering at first when AT&T blocked it initially, though Apple/AT&T did fix that eventually...

Re:security certification != privacy

[Tackhead]

Presenting security certifications from Trust, Mcafee and Norton says nothing about how they'll use personal data. It just means that they might be less susceptible to hacking (but I personally doubt it) than companies without similar certifications.

It means you're not reading it like a lawyer.

"The company rushes to counter privacy concerns by pointing out that their service has "received security certifications from TRUSTe, McAfee and Norton."

"The company's concerns are counter-privacy" and/or "they're rushing to counter your privacy" seem pretty consistent with "TRUSTe, McAfee and Norton."

Remember, A TrustE is still a con [google.com]. (Attr. to Agent 01413 of the Lumber Cartel [wikipedia.org] (TINLC), and to Socks the Cat, ca. 1999 or earlier - the earliest I could find was in a .sig quote from 1999 - and scattered around the web, off and on, for at least ten years [geek.com] .)

Or it's not an App...

[SuperKendall]

After all, it was downloaded from Apple's walled garden.

Actually no.

It's amazing how just about every single poster is assuming this was an app.

In fact you could not even build an app like this that would come from the App Store. Not only would Apple not allow it, but technically no app can affect the network traffic of another app unless you jailbreak the phone.

This is simply a configuration profile that users download directly from the company and install themselves. Read my other posts giving more detail.

Are you against people being able to install custom configuration profiles? I have used one myself to route traffic from my phone to a debugging HTTP proxy, very handy...

Re:Not an app, a configuration

[scdeimos]

A point of technical accuracy; on iOS you could not sell an app that would alter the destination of traffic for all other apps.

Instead, they are using a configuration profile - it's the same mechanism that enables a company to configure iOS devices. The configuration profile can load in mandatory PIN use, or other settings for the phone - including a network proxy as we see here.

As you say, users will not really care... but even so I can't see them tricking many users into doing this.

Still, what happened to the curated garden that Apple is so proud of?

An app that helps singles find others in bars is booted from the App store for fear of stalking, but one that steals ALL your traffic is OK?

90% of IPhone users have no clue what the pop-ups and check boxes mean. Its just some techno-talk-gibberish that you have to click OK in order to use you cool new app.

Did you even read TFA? This is /. so I guess not.

Ignoring that Apple are dicktards when it comes to consistent enforcement of their own App Store policies, the Wajam app doesn't even touch your traffic. Users are encouraged to download and install a separate Configuration Profile that tells the iDevice to use a proxy server at Wajam's DC for internet traffic. Carrier Settings/Configuration Profiles are not new... for a number of years web sites like http://www.unlockit.co.nz/ [unlockit.co.nz] have enabled users to define their own APN configurations so they can do things like disable 2G/3G data access to prevent carriers from generating massive bills.