New iOS App Sends Users' Web Traffic Through Its Proxy Servers 83
New submitter spac writes "AllthingsD has an interesting story about how a startup called Wajam requires users of their service to download a script that sets up a proxy to handle all network requests for the purpose of providing 'Social Recommendations' within built-in apps. The privacy implications of using this profile script isn't clearly presented to users. Are we really to entrust our data to a company founded by a man who comes from the world of browser toolbars? And for social search?!"
The company rushes to counter privacy concerns by pointing out that their service has "received security certifications from TRUSTe, McAfee and Norton."
Most users don't care (Score:4, Insightful)
Those that do care wouldn't use this app in the first place.
Who actually cares about certification branding? (Score:4, Insightful)
Pay TRUSTe, et all some money and they will "certify" you. As far as I can tell all it really means is you the consumer know the company paid money to get a logo for their site/app. It's not some rigorous analysis of what is done with your data or how it is secured and seems basically worthless.
Re:Not an app, a configuration (Score:5, Insightful)
You have way more faith in users than I do. It's been shown again and again that you can make a platform as secure as you want, but if you allow a user to do something bad for them, they will do it ... even if you warn them.
Re:Who actually cares about certification branding (Score:3, Insightful)
It has been a while, but I've seen some logos that basically say "This site is certified by us... and reserve the right to hand over ever stray bit to any third party they please".
Certified, yes. Does this mean actual protection of the consumer. I'd read into it more closely.
Realistically, the only certifications I'd take seriously would be NIST controls, PCI/DSS2 or something similar that not just allows a company to stick pretty colored logos, but actually have the logos mean something other than paying some cash to a firm for a green bar on the Web browser instead of a white bar.
What would be nice is an accrediting agency that is just plain brutal in enforcement. In return for a logo (with stiff penalties for using the logo incorrectly), the firm would have to be subject to audits, confirm to data retention guidelines, have a baseline of security procedures/policies, and so on. If a firm is not keeping their end of the bargain, the logo gets pulled.
We have that with colleges and universities that if it is accredited, one is assured of a certain education level. Why not a security standard that actually means something and has teeth?
I wonder if consumers would really care though. People reading this on /. might, but Joe Sixpack might not if the service was trendy enough. In fact, I've encountered a number of people who just don't care who spies on them 24/7, provided they get their freebie.
Long-term, things might boil down to having a web of trust infrastructure tied to domain names, with people giving up/down recommendations having various reputations (that way, some bought shill can't trash the entire system with a CAPTCHA breaker and some good script-fu.) That way, if someone reliable pointed out that a site wants to install a proxy in order to use it, other people would see it and be leery, while a shill saying that something is 100% happyland is completely ignored.
Problem is that there are no immediate consequences to info being spread around to the 4 winds. I remember in the past, when MS-DOS viruses started zapping BIOSes or trying to fry older multisync monitors with bogus resolutions, that even the most brain-dead users started doing basic computer sanitation.
Re:Not an app, a configuration (Score:5, Insightful)
The real question is, what are they doing on those servers with your traffic...
Whatever they damn well want.
And if they're not doing it now, they may do so whenever they feel like it.
Re:Or it's not an App... (Score:3, Insightful)
Yes, post slamming Apple is somehow both Insightful and yet completely wrong.
And we have the hubris to slam creationists for their logical fallacies!
Re:Not an app, a configuration (Score:4, Insightful)
A point of technical accuracy; on iOS you could not sell an app that would alter the destination of traffic for all other apps.
Instead, they are using a configuration profile - it's the same mechanism that enables a company to configure iOS devices. The configuration profile can load in mandatory PIN use, or other settings for the phone - including a network proxy as we see here.
As you say, users will not really care... but even so I can't see them tricking many users into doing this.
Still, what happened to the curated garden that Apple is so proud of?
An app that helps singles find others in bars is booted from the App store for fear of stalking, but one that steals ALL your traffic is OK?
90% of IPhone users have no clue what the pop-ups and check boxes mean. Its just some techno-talk-gibberish that you have to click OK
in order to use you cool new app.
Re:It's not an app, Apple has no control over this (Score:5, Insightful)
What's your interest in defending Apple on this?
What's your interest in attacking Apple on this?
Okay, I'll point out one simple fact: This is not an App. If you go to the iTunes Store and search for Wajam, you find nothing. Nil, Zip, Nada. So it's not an App that Apple is implicitly saying is okay by hosting it in it's App Store.
If you want to "bash" Apple, what this is is a privacy attack vector. If I can get you to download something like this to your phone, I can set up the proxy so that a trip to, oh, bankofamerica.com will end up on a server of my choice. Great for spoofing and pretty dangerous.
Note that it doesn't automatically select the configuration--I have to do this myself. But that can be socially-engineered, so it's not like it's great protection. So Apple is not entirely blameless on this, I'll agree.