New iOS App Sends Users' Web Traffic Through Its Proxy Servers
New submitter spac writes "AllthingsD has an interesting story about how a startup called Wajam requires users of their service to download a script that sets up a proxy to handle all network requests for the purpose of providing 'Social Recommendations' within built-in apps. The privacy implications of using this profile script aren't clearly presented to users. Are we really to entrust our data to a company founded by a man who comes from the world of browser toolbars? And for social search?!"
The company rushes to counter privacy concerns by pointing out that their service has "received security certifications from TRUSTe, McAfee and Norton."
Most users don't care (Score:4, Insightful)
Those that do care wouldn't use this app in the first place.
Not an app, a configuration (Score:5, Informative)
Those that do care wouldn't use this app in the first place.
A point of technical accuracy; on iOS you could not sell an app that would alter the destination of traffic for all other apps.
Instead, they are using a configuration profile - it's the same mechanism that enables a company to configure iOS devices. The configuration profile can load in mandatory PIN use, or other settings for the phone - including a network proxy as we see here.
As you say, users will not really care... but even so I can't see them tricking many users into doing this.
Re:Not an app, a configuration (Score:5, Insightful)
You have way more faith in users than I do. It's been shown again and again that you can make a platform as secure as you want, but if you allow a user to do something bad for them, they will do it ... even if you warn them.
Re: (Score:2)
I agree with you, it could be that perhaps Apple will do something to make it more difficult to install configuration profiles going forward...
If they felt this action was improper they could issue an OS update that would just block any attempt to use those servers as a proxy.
The real question is, what are they doing on those servers with your traffic...
Re:Not an app, a configuration (Score:5, Insightful)
The real question is, what are they doing on those servers with your traffic...
Whatever they damn well want.
And if they're not doing it now, they may do so whenever they feel like it.
Re: (Score:3, Funny)
Why not? Those users were tricked into buying iPhones in the first place, so there's a pretty good likelihood that they're gullible.
Re: (Score:1)
Why not? Those users were tricked into buying iPhones in the first place, so there's a pretty good likelihood that they're gullible.
Those users are probably the same people who think cloud computing has to do with the weather (from the adjacent slashdot article). XD
Re:Not an app, a configuration (Score:4, Insightful)
A point of technical accuracy; on iOS you could not sell an app that would alter the destination of traffic for all other apps.
Instead, they are using a configuration profile - it's the same mechanism that enables a company to configure iOS devices. The configuration profile can load in mandatory PIN use, or other settings for the phone - including a network proxy as we see here.
As you say, users will not really care... but even so I can't see them tricking many users into doing this.
Still, what happened to the curated garden that Apple is so proud of?
An app that helps singles find others in bars is booted from the App store for fear of stalking, but one that steals ALL your traffic is OK?
90% of iPhone users have no clue what the pop-ups and check boxes mean. It's just some techno-talk-gibberish that you have to click OK in order to use your cool new app.
Re: (Score:3, Informative)
A point of technical accuracy; on iOS you could not sell an app that would alter the destination of traffic for all other apps.
Instead, they are using a configuration profile - it's the same mechanism that enables a company to configure iOS devices. The configuration profile can load in mandatory PIN use, or other settings for the phone - including a network proxy as we see here.
As you say, users will not really care... but even so I can't see them tricking many users into doing this.
Still, what happened to the curated garden that Apple is so proud of?
An app that helps singles find others in bars is booted from the App store for fear of stalking, but one that steals ALL your traffic is OK?
90% of iPhone users have no clue what the pop-ups and check boxes mean. It's just some techno-talk-gibberish that you have to click OK in order to use your cool new app.
Did you even read TFA? This is /. so I guess not.
Ignoring that Apple are dicktards when it comes to consistent enforcement of their own App Store policies, the Wajam app doesn't even touch your traffic. Users are encouraged to download and install a separate Configuration Profile that tells the iDevice to use a proxy server at Wajam's DC for internet traffic. Carrier Settings/Configuration Profiles are not new... for a number of years web sites like http://www.unlockit.co.nz/ [unlockit.co.nz] have enabled users to define th
Re:Not an app, a configuration (Score:5, Interesting)
You make a huge distinction for very little difference.
Regardless of HOW they get the user to use a proxy server, they are still systematically socially engineering them to do so.
That they use methods that were designed for corporate phones and apply them to public subscribers is simply more evidence of misbehavior.
That you accepted my gift of a wall clock does not excuse the presence of my listening device embedded therein, even if the fine print in the clock's user manual mentioned it.
"Security certifications" != honest (Score:1)
Yes, there are "security certifications", but they are more of a nature that the website itself isn't doing overt Web attacks.
Completely different from foisting a proxy setup onto unsuspecting users in order to add a layer of ads and tracking.
Re: (Score:1)
"Security certifications", a.k.a., "none but ourselves will sell your data" :)
security certification != privacy (Score:5, Informative)
But mcafee said... (Score:2, Funny)
Re:security certification != privacy (Score:5, Informative)
It means you're not reading it like a lawyer.
"The company rushes to counter privacy concerns by pointing out that their service has "received security certifications from TRUSTe, McAfee and Norton."
"The company's concerns are counter-privacy" and/or "they're rushing to counter your privacy" seem pretty consistent with "TRUSTe, McAfee and Norton."
Remember, A TrustE is still a con [google.com]. (Attr. to Agent 01413 of the Lumber Cartel [wikipedia.org] (TINLC), and to Socks the Cat, ca. 1999 or earlier - the earliest I could find was in a .sig quote from 1999 - and scattered around the web, off and on, for at least ten years [geek.com] .)
VERY relevant XKCD... (Score:4, Funny)
Three words: "Clinically Studied Ingredient" [xkcd.com]
Privileged app submitter (Score:4, Interesting)
As an iOS developer, if I submitted an app to the app store that does this, I'm certain it would be rejected for not meeting Apple's guidelines. Makes me wonder who had to be friends with who to get this greenlighted.
It's not an app, Apple has no control over this (Score:5, Informative)
Makes me wonder who had to be friends with who to get this greenlighted.
There was no need to be friends with anyone. I put in a longer post about this elsewhere, but it's not an app that does this but a configuration file that tells the phone to use their server as a proxy.
It's quite easy to build your own iPhone configuration files, anyone can download the iPhone Configuration Utility [apple.com] (They even have a Windows [apple.com] version) to build one. The trick is getting people to install the configuration...
But between building a config and applying to a device, Apple is never involved.
A configuration profile was also a way you could enable tethering at first when AT&T blocked it initially, though Apple/AT&T did fix that eventually...
Re: (Score:1)
So in response to your title: you're saying that Apple's walled garden doesn't protect its users from this sort of behavior?
Are typical Apple users aware that they need to be cautious of this kind of behavior?
If the walled garden doesn't protect them, and according to you, *can't* protect them, what's the point of the walled garden at all?
--Jeremy
Re: (Score:2)
You know that with those profiles, you can password protect them so that to remove it, you would need to provide a password. Good for an IT dept that doesn't want users messing with the device configs, but if a 3rd party like this one password protected the profile, you'd never get it off without a full factory reset.
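The two comments above describe what a configuration profile can do: push a proxy onto the device, and lock its own removal behind a passcode. The following audit script is an added example (not from the article, the poster, or Wajam) that parses an unsigned .mobileconfig plist and reports exactly those two things; payload and key names follow Apple's Configuration Profile Reference, the sample profile is constructed with a placeholder host, and signed (CMS-wrapped) profiles are assumed to have been unwrapped first.

```python
"""Audit an iOS configuration profile (.mobileconfig) for proxy payloads
and removal locks. Added example; assumes an unsigned (bare plist) profile.
Signed profiles are CMS-wrapped and must be unwrapped (e.g. with
`openssl smime -verify -noverify -inform der`) before parsing."""
import plistlib

# Payload types that can redirect traffic (assumption: a reviewer's short
# list, not an exhaustive one).
PROXY_PAYLOADS = {
    "com.apple.proxy.http.global": "global HTTP proxy (all apps)",
    "com.apple.wifi.managed": "Wi-Fi network with per-network proxy",
}


def audit_profile(profile_bytes):
    """Return a list of findings (strings) for a .mobileconfig plist."""
    if not profile_bytes.lstrip().startswith((b"<?xml", b"bplist")):
        raise ValueError("not a bare plist; unwrap a signed profile first")
    root = plistlib.loads(profile_bytes)
    findings = []
    for payload in root.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in PROXY_PAYLOADS:
            continue
        # A Wi-Fi payload only matters if it actually sets a proxy.
        if ptype == "com.apple.wifi.managed" and payload.get("ProxyType", "None") == "None":
            continue
        target = payload.get("ProxyServer") or payload.get("ProxyPACURL") or "?"
        port = payload.get("ProxyServerPort")
        where = f"{target}:{port}" if port else target
        findings.append(f"{PROXY_PAYLOADS[ptype]} -> {where}")
    # A removal passcode (or removal disallowed) means the user cannot delete
    # the profile without it; the device must be wiped to get rid of it.
    if root.get("HasRemovalPasscode") or root.get("PayloadRemovalDisallowed"):
        findings.append("profile removal is locked (passcode or disallowed)")
    return findings


# Constructed sample resembling a proxy-pushing profile; host is a placeholder.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.proxy.profile",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadVersion": 1,
    "PayloadDisplayName": "Social Recommendations",
    "HasRemovalPasscode": True,
    "PayloadContent": [{
        "PayloadType": "com.apple.proxy.http.global",
        "PayloadIdentifier": "example.proxy.profile.http",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadVersion": 1,
        "ProxyType": "Manual",
        "ProxyServer": "proxy.example.invalid",
        "ProxyServerPort": 8080,
    }],
})

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE):
        print(finding)
```

Run it against any profile a site asks you to "install" before tapping through the prompt; a global proxy or a removal lock in a profile from a consumer web service is the red flag the thread is discussing.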
Re: (Score:1)
I put in a longer post about this elsewhere,
I'd say everywhere, not just elsewhere. And you've been splitting hairs and picking nits in all of them.
What's your interest in defending Apple on this?
Re:It's not an app, Apple has no control over this (Score:5, Insightful)
What's your interest in defending Apple on this?
What's your interest in attacking Apple on this?
Okay, I'll point out one simple fact: This is not an App. If you go to the iTunes Store and search for Wajam, you find nothing. Nil, Zip, Nada. So it's not an App that Apple is implicitly saying is okay by hosting it in its App Store.
If you want to "bash" Apple, what this is is a privacy attack vector. If I can get you to download something like this to your phone, I can set up the proxy so that a trip to, oh, bankofamerica.com will end up on a server of my choice. Great for spoofing and pretty dangerous.
Note that it doesn't automatically select the configuration--I have to do this myself. But that can be socially-engineered, so it's not like it's great protection. So Apple is not entirely blameless on this, I'll agree.
How am I "defending Apple"? (Score:2)
What's your interest in defending Apple on this?
My interest is in people getting technical facts right.
The fact is that Apple has no control over people making and distributing these profiles. That is simple fact; there is no App involved, another fact.
In FACT I even stated that I thought Apple at some point might have to put some additional controls around installing profiles so naive users cannot do so easily. That's not defending Apple, that's saying they have an issue they may want to address if rogue
Who actually cares about certification branding? (Score:4, Insightful)
Pay TRUSTe, et al. some money and they will "certify" you. As far as I can tell all it really means is you the consumer know the company paid money to get a logo for their site/app. It's not some rigorous analysis of what is done with your data or how it is secured and seems basically worthless.
Re: (Score:3, Insightful)
It has been a while, but I've seen some logos that basically say "This site is certified by us... and reserve the right to hand over every stray bit to any third party they please".
Certified, yes. Does this mean actual protection of the consumer? I'd read into it more closely.
Realistically, the only certifications I'd take seriously would be NIST controls, PCI/DSS2 or something similar that not just allows a company to stick pretty colored logos, but actually have the logos mean something other than paying
Re: (Score:2, Informative)
I know hating Apple is fashionable on Slashdot, but at least try staying in context so you don't look stupi
Or it's not an App... (Score:5, Informative)
After all, it was downloaded from Apple's walled garden.
Actually no.
It's amazing how just about every single poster is assuming this was an app.
In fact you could not even build an app like this that would come from the App Store. Not only would Apple not allow it, but technically no app can affect the network traffic of another app unless you jailbreak the phone.
This is simply a configuration profile that users download directly from the company and install themselves. Read my other posts giving more detail.
Are you against people being able to install custom configuration profiles? I have used one myself to route traffic from my phone to a debugging HTTP proxy, very handy...
Re: (Score:3, Insightful)
Yes, a post slamming Apple is somehow both Insightful and yet completely wrong.
And we have the hubris to slam creationists for their logical fallacies!
Re: (Score:3)
It's amazing how just about every single poster is assuming this was an app.
Yes, such an amazing assumption given that that was specified in the title of the Slashdot story. Reading TFA, I can see it's wrong, but it's not an unreasonable assumption.
Are you against people being able to install custom configuration profiles? I have used one myself to route traffic from my phone to a debugging HTTP proxy, very handy...
Me? Of course not. Then again, I'm not against people being able to install whatever apps they choose on their phone either. This does seem to run counter to Apple's philosophy of "we own the phone, we just let you use it". I'll be interested to see how Apple reacts. I'm pretty sure they won't want a third party messing with the data
Re: (Score:2)
And your proxy settings, are they on the internet too?
Re: (Score:2)
And there's no possible way Apple could ever limit or restrict what data it allowed you to enter as proxy settings. Nooooo, it's all "on the internet" and outside Apple's control.
Re: (Score:2)
Now who's not reading the article? It intercepts all web traffic, not just browser traffic. That includes app-related network traffic, such as Google Maps, which TFA even pictured in a screenshot.
"This is exactly what Wajam is trying to do on iOS — first for Safari and Google Maps, later for Apple’s own maps in iOS 6 and all sorts of other third-party apps"
Re: (Score:1)
Yes, such an amazing assumption given that that was specified in the title of the Slashdot story.
Ok, I'll grant that the title was very misleading, but even so you should RTFA before going off on rants about anyone...
Otherwise you end up with a very big NEVERMIND [youtube.com] moment.
Re: (Score:1)
Actually, yes. The whole point of a walled garden is that I, the user, shouldn't have to install "custom configuration profiles". If such behavior is at all warranted, it should be accessible
Re: (Score:1)
If such behavior is at all warranted, it should be accessible automagically and appropriately.
Well that's exactly why such profiles exist. You can go into Settings and manually enter proxy details; the configuration files exist exactly so that such a thing can happen "automagically".
Put another way, if it's not okay for an App Store app to do it, then why should it be doable another way?
I agree with this, from the standpoint that the person installing the profile may well have no concept of what it means to
Re: (Score:1)
Um, that's pretty much the opposite of "automagically".
Well, the answer is obvious. If an ent
P.S. (Score:1)
Sorry about blowing the tags in the last post. Hope you can parse it OK.
Re: (Score:2)
I have used one myself to route traffic from my phone to a debugging HTTP proxy, very handy...
A lot of extra work, though -- you can go in and edit your wireless connection and add a proxy manually. Why screw around with a configuration profile?
Re: (Score:3, Funny)
It isn't an app. Apparently the submitter and the editor both failed to actually RTFA.
What, and you did?
Phukin' fanboi...
lolz
Re: (Score:2)
If it's available on iOS, it's an iOS app.
By that logic, every website is an iOS app (since it's available on iOS). Except, of course, that it isn't.
The summary is wrong (Score:5, Informative)
The summary is wrong.
There is no app on iOS, and in fact no way to do this on iOS through an app. The 'script' is for fully fledged desktops. On iOS they have instructions for how to set up Wajam as your proxy.
This is pretty basic stuff. iOS slandering at its best.
Re: (Score:3)
I gotta admit, I was wondering how a script could change your proxy on iOS when, in theory, the only "script" you can run is JavaScript.
The neat question, of course, is did Apple vet what they're doing in any way before allowing them on their store. Or is this one of those cases where Apple looks out for the safety and security of their users until something goes wrong and then it's, "Hey, we're not responsible for third-parties."
Re: (Score:2)
I don't know about you - but what is restricting use of that to iPhones?
Did this company really just open up a huge free proxy server on the 'net for everyone to use? If they're in the US, it's basically a free proxy server to all those US services that everyone whines about... if not, it's a free proxy server that lets you "hide" your IP...
Depending on the proxy, it might be worthwhile to shove your torrent traffic through there?
Of course,
McAfee/Norton/Trust-e != Security (Score:1)
Well, since we're already on the Security != Privacy train, I just thought I'd call attention to the pachyderm in the room.
Isn't the bandwidth going to be expensive? (Score:5, Funny)
Wouldn't it be terrible if someone published the details of the proxy connections, and it started getting hammered by thousands of slashdotters?
FTFY (Score:3)
The company rushed to point out that security certifications from TRUSTe, McAfee and Norton are worthless in this situation.
Re: (Score:2)
Err, no, not "does that" at all.
Opera Mini is basically server-side browser, rendering pages at their side and sending them preprocessed to the phone - to save teeny-tiny CPUs some cycles and teeny-tiny dataplans some kilobytes. AFAIK, you can't even install any of Opera proxies for use in other applications.
Wajam, OTOH, does "When you search, Wajam shows you what your friends have shared." - and they need all your web traffic from all your apps for them to plug their added items (and their ads) in web pages
trust (Score:2)
Why, you trust your data to random apps developed by random people, and suddenly this one poked your eye because the guy made browser bars? Now at least you know he's getting the data, not with some other crap which just uses it, leaks it, etc. Also, if you know what this app does, and you don't agree with it, instead of not using it, you start complaining about it. Yeah, nice
I'd never use s
Re: (Score:2)
Coming "from the world of browser toolbars" is somewhat of an understatement in this case.
We are talking about a founder of CDT (latterly Zango Canada), who paid affiliates to bulk-install spyware on unwitting Windows users' machines, using tactics up to and including browser security hole exploits. Hats don't come much blacker.