2012-07-23

Article by Melissa Elliott

When you tap your life’s details into the latest and greatest cloud-enabled mobile app, where does that information actually go?

When you post on a website that claims you’re anonymous, are you really? Hey, did you read the privacy policy for any of those services you’re using? Do they even have a privacy policy?

In the rush to play with new online services – which, admittedly, are often awesome – it’s easy to forget that anyone with fifteen dollars in their pocket can rent a server to store your personal data in whatever haphazard way they want.

It was only a few weeks ago that several high-profile sites such as LinkedIn were caught not properly storing passwords (unsalted, fast hashes in LinkedIn’s case), making it far too easy for the hackers who stole them to crack them. If major websites can’t get password storage right, you can bet that most websites can’t.
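To make “properly storing passwords” concrete, here is an added example (not code from the original article or from any of the sites it mentions) contrasting the broken scheme with a defensible one. The stored-record format, iteration count and sample password are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample password for the demonstration; not data from any real breach.
SAMPLE_PASSWORD = "correct horse battery staple"


def weak_hash(password: str) -> str:
    """The broken scheme: one fast, unsalted hash per password.

    Every user with the same password gets the same digest, and a leaked
    table of these falls to precomputed lists or GPU brute force in hours.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """A defensible scheme: a random per-user salt plus a deliberately slow KDF.

    Record format (an assumption for this example):
        pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute the KDF from the stored parameters and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {algo}")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def two_users_same_password() -> bool:
    """Return True if two users choosing the same password end up with identical
    records under the weak scheme (they do) but distinct records under the strong one."""
    weak_collision = weak_hash(SAMPLE_PASSWORD) == weak_hash(SAMPLE_PASSWORD)
    strong_distinct = strong_hash(SAMPLE_PASSWORD) != strong_hash(SAMPLE_PASSWORD)
    return weak_collision and strong_distinct


if __name__ == "__main__":
    record = strong_hash(SAMPLE_PASSWORD)
    print("weak  :", weak_hash(SAMPLE_PASSWORD))
    print("strong:", record)
    print("verify correct password:", verify(SAMPLE_PASSWORD, record))
    print("verify wrong password  :", verify("hunter2", record))
```

A site that wanted to advertise its password handling could publish exactly the parameters in that record (algorithm, iteration count, salt length) without revealing anything secret.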

I made a suggestion to websites everywhere to start advertising how they store passwords if they want to earn their customers’ trust by demonstrating that they do it correctly. The idea was a big hit with end-users but I haven’t seen any websites try it out yet.

If most websites can’t get password storage right, you can also bet they can’t get the storage of the content you entrust to them right, either. The private documents you stored with your favorite cloud service are probably not encrypted in a way that only your account can decrypt, if they’re encrypted at all.

The mobile app or website you use to access those documents may send your password and your files “in the clear” (over plain HTTP, with no encryption at all), enabling that shady-looking person on the other side of the café to snoop on you.

They may advertise that they use encrypted connections but then disable certificate verification in the mobile app so as to “not complicate the interface.” The connection is still encrypted, but the app will accept any certificate, so someone could hijack your connection with a certificate of their own and the app would never notify you of the error. I have seen all of these problems in real-world cloud apps used by thousands of people.
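The “disable verification” antifeature is a one- or two-line change in most TLS client libraries. The following added example (not code from the article or from any app it describes) shows the weak client configuration next to the correct one using Python’s standard `ssl` module, plus a small audit helper of the kind you would run against a client before shipping it. Function names are this example’s own.

```python
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The antifeature: the channel is encrypted, but the client will trust ANY
    certificate, so an attacker between the phone and the server can present
    their own certificate and read or alter everything in transit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accept unverified, self-signed, anything
    return ctx


def secure_client_context() -> ssl.SSLContext:
    """The correct default: require a certificate that chains to a trusted CA
    and that names the host we think we are talking to."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise for a client TLS context."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("secure", secure_client_context())):
        print(name, audit_client_context(ctx) or ["ok"])
```

Both contexts will happily complete a handshake with a legitimate server, which is why the problem is invisible in normal testing; it only shows when someone sits in the middle with a forged certificate.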

If you follow any tech blogs, you’ve heard all these warnings before. Over the Independence Day holiday, however, I found a different kind of privacy violation in a fun little app that sounds like a great idea.

The premise is this: your phone has a GPS in it, right? It’s a messaging app that shows your messages to other people running the same app who are physically near you. It does not have a username or password, so it’s anonymous, or so the advertising information claims.

Suggested uses are for chatting with your classmates, with other people attending the same event, or for organizing a political rally. The fact that you are physically present is all the “identification” you need to certify yourself to the other participants. In fact, this app hit it big with the Occupy protest movement, who read online or heard from their friends that it was an anonymous short-range messaging system.

Now, the first problem is that it is not obvious to everyone that this works by sending your current GPS location to a server somewhere out there on the internet, which is where the messages and their locations are stored.

Many smartphone users don’t realize that it’s doing this; several different people expressed astonishment and anger to me that the app in question was uploading their GPS co-ordinates to the internet and storing them. They wouldn’t have trusted it if they had known that.

Where is this app’s privacy policy which explains how “anonymous” you are or aren’t? As far as I can tell, it doesn’t have one. This should be a giant, blinking red alert to anyone considering submitting messages and their geolocation to a service on the internet.

What is it doing with that data? Who knows! They did not take a few minutes out of their time to explain to you, the person using their app, what they store or to whom the information is made available.

It gets worse. The promotional materials for this app claim that its key feature is being able to set the visible distance on your message down very low, to keep it – and this is a quote from their website – “inside your occupy camp” for sensitive activities such as “whistleblowing.” It seems perfectly reasonable for the end-user to expect that no one outside the range they designate on their message could see it.

Guess again! It only took me a few minutes to write a fake client app which pretended to be in New York, enabling me to see short-range messages posted in Central Park from the comfort of my home a few states away.

The service has no way to validate that a client’s claimed geolocation is real, yet it treats that claim as authoritative when deciding who can see a short-range message, and the app never warns you of this. It also has the disable-HTTPS-certificate-verification antifeature that is so common in mobile apps these days, making it easy to intercept users to spy on them.
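To show why a self-reported location cannot enforce a visibility radius, here is an added example (not Vibe’s code, and not from the original article) of a hypothetical proximity message board built the way the article describes: messages are stored on a server with the sender’s coordinates and chosen range, and a reader is shown whatever lies within range of the coordinates the reader’s client sends. The API, the coordinates and the message text are all constructed for this example.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Message:
    text: str
    lat: float
    lon: float
    radius_m: float  # sender's "visible distance"


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres on a spherical Earth (radius 6371 km)."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


class ProximityBoard:
    """Hypothetical server. The only thing it knows about a reader's position
    is the pair of numbers the client chose to send in the request."""

    def __init__(self) -> None:
        self.messages: List[Message] = []

    def post(self, text: str, lat: float, lon: float, radius_m: float) -> None:
        self.messages.append(Message(text, lat, lon, radius_m))

    def fetch(self, claimed_lat: float, claimed_lon: float) -> List[str]:
        # The radius is enforced against the CLAIMED location, nothing more.
        return [
            m.text
            for m in self.messages
            if haversine_m(claimed_lat, claimed_lon, m.lat, m.lon) <= m.radius_m
        ]


# Constructed coordinates for the demonstration.
CENTRAL_PARK = (40.7829, -73.9654)
BOSTON = (42.3601, -71.0589)


def demo() -> Tuple[List[str], List[str]]:
    """Post a 50 m message in Central Park, then read it from Boston twice:
    once honestly (real location) and once with a client that lies."""
    board = ProximityBoard()
    board.post("meet at the fountain at 6", *CENTRAL_PARK, radius_m=50)

    honest_reader = board.fetch(*BOSTON)          # ~300 km away: sees nothing
    spoofed_reader = board.fetch(*CENTRAL_PARK)   # same Boston laptop, fake GPS: sees it
    return honest_reader, spoofed_reader


if __name__ == "__main__":
    honest, spoofed = demo()
    print("honest remote reader :", honest)
    print("spoofed remote reader:", spoofed)
```

Nothing the server does with those numbers can fix this: a radius check is only as trustworthy as the coordinates it is applied to, and those come from a client the attacker controls.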

The more I dug in, the worse it got. It claims in the FAQ that your mobile phone or tablet can be banned from posting if you post something offensive – yet they claim you are anonymous. Connect the dots: they can connect specific posts to specific devices.

There is nothing anonymous about that whatsoever. The end result is that people with a genuine need for anonymity and privacy protections are trusting in an app that breaks every promise.

I won’t leave you hanging: the app is called Vibe. I dumped my notes on why it didn’t seem safe to use at protests to my personal page and went to bed. When I woke up, dozens of people had questions for me, which is what prompted this long-form post: it’s not about Vibe in particular.

It’s about how every app you use has the potential to abuse your data or be simply careless with it behind your back. When considering a new service, take a moment and check the privacy policy and the EULA.

Your privacy is worth something – both to you and to third parties who may wish to advertise to you or spy on you. Don’t give away your personal information to services that promise the moon in their marketing materials but aren’t equipped to treat your property with respect.

Cross-posted from Veracode

Copyright 2010 Respective Author at Infosec Island
