Twitter Admits 'Harvesting' Users' Contacts

Ladybbird

Free Member
Feb 11, 2012
58
15
Caribbean/UK
Now Twitter admits 'harvesting' users' phone contacts without telling the owners as Apple announces crackdown

  • Highly private contact information is taken from smartphones and sent to remote computer
  • Users puzzled over why app retains contacts for 18 months
  • Twitter engulfed with comments from fearful users
  • Apple says it will stop apps taking data without users' consent
By Daily Mail UK




Full story here;


http://www.dailymail.co.uk/sciencet...ng-iPhone-users-address-books-permission.html
That's why I never use these "Social Sites", nothing is private these days.
 
Ladybbird

How else did they think it "Finds Friends"...

User stupidity is part of the problem, but at the same time, I can't see why Twitter would even bother saving such data for 18 months. It should be deleted immediately.

I agree and I never use those social sites, I can't believe what people are reported to have posted on them. Incredible!
 

mit74

Free Member
Jun 4, 2010
2,463
447
As technology and the data it can store improves, confidentiality is becoming a massive problem. As we all share more information online (cloud) and in smart phones the harvesting of personal data is big business and it's not just the social apps that are stealing data. It's all very well every single app and website claiming they ask for permission but how many apps don't. They also purposely don't make it clear what data they're mining. When was the last time an app or software install said 'Do you give permission for us to download all your business and family numbers and emails for our own use?'.
For starters the information stored on phones isn't necessarily 'owned' by the individual. Should I be allowed to give permission to share numbers and information of others that are on my phone? They're not my numbers.. I keep saying the government desperately need to update the data protection laws.
 

giffgore

Free Member
Jan 31, 2012
346
79
Twitter should have asked permission before taking the data and made it explicitly clear that the data would be taken and held for such a long period of time. Furthermore, Apple should have taken steps to ensure apps couldn't take this data without said permission - which is what they'll do in the next update, of course, but it should have happened sooner, before the loophole was abused to the extent a media frenzy was created.
 
mit74

Twitter should have asked permission before taking the data and made it explicitly clear that the data would be taken and held for such a long period of time. Furthermore, Apple should have taken steps to ensure apps couldn't take this data without said permission - which is what they'll do in the next update, of course, but it should have happened sooner, before the loophole was abused to the extent a media frenzy was created.

Apple have kept everything hush until now because they've profited from it. The Apple store has been around for years so why are they only making changes now? What's changed?
They're taking the high ground now because since the growth of open source competition (Android mainly) people have questioned the security of apps and what data is being mined. Users of open source software generally tend to be a little more switched on and technically minded than self absorbed trend following Apple users and are making it aware of how dangerous apps are and what they're logging.

Of course now the whole App 'scandal' is damaging Apple's precious safe, secure and virus free image they like to portray so they're forced to make changes... extreme changes... as shown in their new sandbox policies.
 
giffgore

Apple have kept everything hush until now because they've profited from it. The Apple store has been around for years so why are they only making changes now? What's changed?
They're taking the high ground now because since the growth of open source competition (Android mainly) people have questioned the security of apps and what data is being mined. Users of open source software generally tend to be a little more switched on and technically minded than self absorbed trend following Apple users and are making it aware of how dangerous apps are and what they're logging.

Of course now the whole App 'scandal' is damaging Apple's precious safe, secure and virus free image they like to portray so they're forced to make changes... extreme changes... as shown in their new sandbox policies.

Of course, because Android phones never have issues with logging data and apps getting access to what they shouldn't. Never! :rolleyes:
 

Subbynet

Free Member
Aug 1, 2005
6,000
1,101
45
Luton
Of course, because Android phones never have issues with logging data and apps getting access to what they shouldn't. Never! :rolleyes:

You're like an Apple warrior, turning up anywhere Apple needs someone to fight its battles. :)

You didn't even read the link did you? Well the link you give tells us of problems with HTC Phones, and not actually Android itself, from that page it says:

I'd like to reiterate that the only reason the data is leaking left and right is because HTC set their snooping environment up this way.

Google never claimed they vet your apps - unlike Apple, and Android does inform you in quite some detail if an application wants access - it's your fault if you grant that access.

The difference is Apple do check and approve apps, yet people still find them doing things like this. How is that possible if Apple have checked it properly?
 
mit74

Of course, because Android phones never have issues with logging data and apps getting access to what they shouldn't. Never! :rolleyes:

I didn't say Android didn't have security issues, I said Apple have only started getting tough on App content since users/developers of other OS have brought app security to everyone's attention. It's only now Apple users are questioning their own apps, for years they've been too caught up in the Apple 'experience' to actually care about what their Apple devices and the developers have actually been exploiting.
 
giffgore

You're like an Apple warrior, turning up anywhere Apple needs someone to fight its battles. :)

You didn't even read the link did you? Well the link you give tells us of problems with HTC Phones, and not actually Android itself, from that page it says:

I'd like to reiterate that the only reason the data is leaking left and right is because HTC set their snooping environment up this way.

Google never claimed they vet your apps - unlike Apple, and Android does inform you in quite some detail if an application wants access - it's your fault if you grant that access.

The difference is Apple do check and approve apps, yet people still find them doing things like this. How is that possible if Apple have checked it properly?

I'm not an "Apple warrior", I have no idea where you got that from. I own technology from many different companies. I actually even have an HTC Android phone myself. I'm just making the point that saying "Android is perfect and iPhone users are idiots" just makes you look ignorant and pathetic.

If you read the link, you'd see that the issue was twofold: HTC was logging usage data in an unsecure fashion and access to this data was granted to any app which had merely the internet permission. There was no "data access" permission required here.

Bottom line is, HTC are a very popular Android phone maker and they have clearly made mistakes just as Apple has. All companies slip up from time to time, it's just that the media likes to attack Apple more because it's bigger and more popular.

I didn't say Android didn't have security issues, I said Apple have only started getting tough on App content since users/developers of other OS have brought app security to everyone's attention. It's only now Apple users are questioning their own apps, for years they've been too caught up in the Apple 'experience' to actually care about what their Apple devices and the developers have actually been exploiting.

Yeah, because Android has never had issues it didn't fix until a big media s**tstorm. Never! :rolleyes:
 
giffgore

Amused me no end this and various other threads on here re privacy .... if you want privacy DO NOT post ANYTHING online!

If you post online using various social media sites - this one included - then accept the consequences !!

That's not what this thread is about though. Apps uploaded user data without the users knowing, it's not that the users let the app upload data then complained.
 

Gillie

Free Member
Apr 12, 2006
13,065
1,463
North West England
That's not what this thread is about though. Apps uploaded user data without the users knowing, it's not that the users let the app upload data then complained.

No it is what it's all about .... yes perhaps twitter need their wrist slapping for keeping hold of information etc - naughty twitter!!!

Hang on though, apps, when you download them on to your phone - and also facebook/twitter etc - you are told what information they will have access to - so the decision is in your hands - either put up or shut up!
 
giffgore

No it is what it's all about .... yes perhaps twitter need their wrist slapping for keeping hold of information etc - naughty twitter!!!

Hang on though, apps, when you download them on to your phone - and also facebook/twitter etc - you are told what information they will have access to - so the decision is in your hands - either put up or shut up!

No, at no point were you told that the apps would access your phone book and upload the entirety of it to Twitter's servers, that's the issue.
 
Gillie

No, at no point were you told that the apps would access your phone book and upload the entirety of it to Twitter's servers, that's the issue.

When I accepted twitter to be used on my phone as an app, yes it said it would have access to my contacts - this I took at face value and yes it was my decision to accept the use of it - therefore giving twitter and all the others I use permission .... what's so difficult to understand about that?
 
giffgore

When I accepted twitter to be used on my phone as an app, yes it said it would have access to my contacts - this I took at face value and yes it was my decision to accept the use of it - therefore giving twitter and all the others I use permission .... what's so difficult to understand about that?

I assume you have an Android phone then, but this is not the case on iOS devices, which is why it's mostly Apple taking the heat.
 
Subbynet

I'm not an "Apple warrior", I have no idea where you got that from. I own technology from many different companies. I actually even have an HTC Android phone myself. I'm just making the point that saying "Android is perfect and iPhone users are idiots" just makes you look ignorant and pathetic.

Who ever said that? This is exactly what I mean by being an Apple Warrior. What they said about Apple and their procedures wasn't wrong, but you decided to retaliate by picking holes in Android, rather than discussing the problem - Apple's Vetting Procedures.

If you read the link, you'd see that the issue was twofold: HTC was logging usage data in an unsecure fashion and access to this data was granted to any app which had merely the internet permission. There was no "data access" permission required here.

I did read the link.

The rights were only granted because HTC have set it this way. That was the problem. It says as much in the article. Not all HTC phones are affected, and no other Android phones are ever.

I have no idea why they've done something so stupid, but they have.

Bottom line is, HTC are a very popular Android phone maker and they have clearly made mistakes just as Apple has. All companies slip up from time to time, it's just that the media likes to attack Apple more because it's bigger and more popular.

Ahhhhh bless Apple. :rolleyes::p Honestly, this is a real problem that people should be aware of and Apple should be addressing. Dismissing it as an "Apple Attack" has become a cliché, it's used every time anyone says anything about them.

It doesn't dismiss the problems with HTC's phones, but at the same time, your argument has now shifted from Android to HTC.

Yeah, because Android has never had issues it didn't fix until a big media s**tstorm. Never! :rolleyes:

See - you're doing it again, choosing anything for an attack... If you want to hear of a huge bug, imagine being stupid enough to put the antenna on the outside of the case, so that if you hold it wrong, your call might drop. Imagine something as silly as that... :rolleyes:
 
giffgore

Who ever said that? This is exactly what I mean by being an Apple Warrior. What they said about Apple and their procedures wasn't wrong, but you decided to retaliate by picking holes in Android, rather than discussing the problem - Apple's Vetting Procedures.

That's because the post I was originally replying to mentioned Android as if it was perfect, I wasn't the one who brought it up, I merely responded in kind to the other poster.

I did read the link.

The rights were only granted because HTC have set it this way. That was the problem. It says as much in the article. Not all HTC phones are affected, and no other Android phones are ever.

I have no idea why they've done something so stupid, but they have.

Yes, and the HTC phones in question run Android, the permission system of which is clearly easily bypassable if you get a dodgy app into the phone. That said, Charlie Miller recently demonstrated similar issues in iOS, so to be clear, I'm not saying either is perfect.

Ahhhhh bless Apple. :rolleyes::p Honestly, this is a real problem that people should be aware of and Apple should be addressing. Dismissing it as an "Apple Attack" has become a cliché, it's used every time anyone says anything about them.

It doesn't dismiss the problems with HTC's phones, but at the same time, your argument has now shifted from Android to HTC.

I have nothing against either company, I use both of their products and I think they're both really rather good. While it's true that it's a real problem Apple need to fix, it's also important to note that Apple aren't the only ones with such issues.

HTC are one of the most popular Android phone makers. Most customers buy Android phones which have versions of Android modified by the manufacturers, so it's still a valid point.

See - you're doing it again, choosing anything for an attack... If you want to hear of a huge bug, imagine being stupid enough to put the antenna on the outside of the case, so that if you hold it wrong, your call might drop. Imagine something as silly as that... :rolleyes:

Again, this was in response to someone else who mentioned Android first, so I responded to their claims of Android's superiority in this respect. If I really wanted to go for it, I'd bring up all the Android malware Google had to release a special update to remove from people's phones.

Oh, and about antenna issues... But again, only Apple gets stick for it.
 
Subbynet

That's because the post I was originally replying to mentioned Android as if it was perfect, I wasn't the one who brought it up, I merely responded in kind to the other poster.

You felt it was, I didn't... Which kind of proves my point.

Yes, and the HTC phones in question run Android, the permission system of which is clearly easily bypassable if you get a dodgy app into the phone. That said, Charlie Miller recently demonstrated similar issues in iOS, so to be clear, I'm not saying either is perfect.

They run a custom Android ROM, just like everyone else does. The permission system of Android is not at fault, the fault lies with HTC, and the modifications they made to Android. It is not by-passable normally, as HTC introduced this issue, not Google.

I have nothing against either company, I use both of their products and I think they're both really rather good. While it's true that it's a real problem Apple need to fix, it's also important to note that Apple aren't the only ones with such issues.

HTC are one of the most popular Android phone makers. Most customers buy Android phones which have versions of Android modified by the manufacturers, so it's still a valid point.

It's a valid point sure, and worthy of discussion elsewhere - but not a valid response to the point made by mit74. It just side-tracked the issue being debated, and tried to focus on others' problems.

Again, this was in response to someone else who mentioned Android first, so I responded to their claims of Android's superiority in this respect.

Here - let me show you the only place it said Android in this thread before you replied.

They're taking the high ground now because since the growth of open source competition (Android mainly) people have questioned the security of apps and what data is being mined.

It doesn't say Android is superior at all. It says since Android provided competition to the iPhone, people have started questioning the security of app and data. That's it... Where did you get the rest from?

If I really wanted to go for it, I'd bring up all the Android malware Google had to release a special update to remove from people's phones.

Go on then, prove your Apple fanboi credentials by doing so. :rolleyes: Just remember, you're replying to a thread condemning Apple's issues with exactly the same thing, but actually even worse - as they do vet apps on the App Store. (Remember Google doesn't/didn't)

Oh, and about antenna issues... But again, only Apple gets stick for it.

You see... You're funny.. Just proved Apple's phones are no better than HTC's.
 
Subbynet

Here - for a laugh check this out.. iPhone gas stoves :D



http://www.edibleapple.com/2012/02/27/chinese-police-seize-apple-iphone-branded-gas-stoves/
 
giffgore

You felt it was, I didn't... Which kind of proves my point.

I'll get to this in a minute.

They run a custom Android ROM, just like everyone else does. The permission system of Android is not at fault, the fault lies with HTC, and the modifications they made to Android. It is not by-passable normally, as HTC introduced this issue, not Google.

HTC put an app on Android which offered user data to any app with the internet permission. It stands to reason that someone with more malicious intent could also do so. Again, all systems have issues of this nature because nothing is 100% secure.

It's a valid point sure, and worthy of discussion elsewhere - but not a valid response to the point made by mit74. It just side-tracked the issue being debated, and tried to focus on others' problems.

Feel free to take the text messaging bug as an example instead then - that came straight from AOSP.

Here - let me show you the only place it said Android in this thread before you replied.

They're taking the high ground now because since the growth of open source competition (Android mainly) people have questioned the security of apps and what data is being mined.

It doesn't say Android is superior at all. It says since Android provided competition to the iPhone, people have started questioning the security of app and data. That's it... Where did you get the rest from?

The whole post suggests that people who own iPhones don't think about technical implications whereas Android users are more tech savvy and wouldn't have this kind of thing happen to them. This is blatantly false - many technically illiterate people own both types of phone and the permissions system of Android can be hacked.

Go on then, prove your Apple fanboi credentials by doing so. :rolleyes: Just remember, you're replying to a thread condemning Apple's issues with exactly the same thing, but actually even worse - as they do vet apps on the App Store. (Remember Google doesn't/didn't)

You're not a scarecrow are you? Because you sure seem fond of making strawman arguments :rolleyes:

You see... You're funny.. Just proved Apple's phones are no better than HTC's.

See, strawman. I never said that Apple phones were better than HTCs, in fact I specifically stated that I use both and they're both good :rolleyes:
 
Subbynet

Which actions are these? My actions of buying HTC phones and running Linux on my PC? :rolleyes:

The actions of constantly diverting the conversation away from Apple. Like I said, the original point raised was a valid one, but one on which you never made any comment. Instead, you tried to point out problems with Android. Why you can't keep on topic and debate Apple without dragging everyone and their dog into the conversation I don't really know.
 
giffgore

The actions of constantly diverting the conversation away from Apple. Like I said, the original point raised was a valid one, but one on which you never made any comment. Instead, you tried to point out problems with Android. Why you can't keep on topic and debate Apple without dragging everyone and their dog into the conversation I don't really know.

Again, strawman. I did comment on the issue and in fact acknowledged it's something Apple need to fix several times, see here:

I assume you have an Android phone then, but this is not the case on iOS devices, which is why it's mostly Apple taking the heat.

That said, Charlie Miller recently demonstrated similar issues in iOS, so to be clear, I'm not saying either is perfect.

While it's true that it's a real problem Apple need to fix

And my very first post in this thread...

Twitter should have asked permission before taking the data and made it explicitly clear that the data would be taken and held for such a long period of time. Furthermore, Apple should have taken steps to ensure apps couldn't take this data without said permission - which is what they'll do in the next update, of course, but it should have happened sooner, before the loophole was abused to the extent a media frenzy was created.
 
Subbynet

Again, strawman. I did comment on the issue and in fact acknowledged it's something Apple need to fix several times, see here:

This is getting silly.. But here..

Originally Posted by giffgore
I assume you have an Android phone then, but this is not the case on iOS devices, which is why it's mostly Apple taking the heat.

Was in response to Gillie's post. She was talking about Twitter, and them harvesting user data. Following on from this, the discussion turned to Apple, and the lack of control for Apps vetted by Apple.

For this you made no comment.

Originally Posted by giffgore
That said, Charlie Miller recently demonstrated similar issues in iOS, so to be clear, I'm not saying either is perfect.

Was in response to HTC's phones. You also brought up the HTC issue. Not us. You were replying to an issue you brought up yourself.

Originally Posted by giffgore
While it's true that it's a real problem Apple need to fix

Quote the whole sentence my friend.

While it's true that it's a real problem Apple need to fix, it's also important to note that Apple aren't the only ones with such issues.

Again emphasising the problem others have, instead of concentrating on this issue.

Originally Posted by giffgore
Twitter should have asked permission before taking the data and made it explicitly clear that the data would be taken and held for such a long period of time. Furthermore, Apple should have taken steps to ensure apps couldn't take this data without said permission - which is what they'll do in the next update, of course, but it should have happened sooner, before the loophole was abused to the extent a media frenzy was created.

There are two issues being confounded together. Firstly, Twitter has a problem with user data, across all devices. The second issue is Apple have a problem with user data, and the fact they're not vetting Apps properly.

You have spoken in relation to Twitter, and what Apple "should do", but you never made any comment regarding the problem with the vetting procedure. This is much more than about informing users, it's the fact dodgy Apps can make it to the iTunes store, despite each application being vetted.

Plus, I have to say, I don't care that much... Just pointing this out to you.
 
giffgore

This is getting silly.. But here..

Yes, strawman arguments are quite silly...

Was in response to Gillie's post. She was talking about Twitter, and them harvesting user data. Following on from this, the discussion turned to Apple, and the lack of control for Apps vetted by Apple.

For this you made no comment.

The conversation actually turned to you randomly deeming me an - and I quote - "Apple fanboi" like a mature adult :rolleyes:

If you'd like to know my stance on Apple vetting apps, then it's that they need to do a better job of it, and I also think they need to display the permissions each app needs access to just like Android does.

Was in response to HTC's phones. You also brought up the HTC issue. Not us. You were replying to an issue you brought up yourself.

I brought that up because someone else brought up Android. My point here was that issues with app data aren't exclusive to Apple, which is important because the mainstream media act like they are.

Quote the whole sentence my friend.

While it's true that it's a real problem Apple need to fix, it's also important to note that Apple aren't the only ones with such issues.

Again emphasising the problem others have, instead of concentrating on this issue.

See above.

There are two issues being confounded together. Firstly, Twitter has a problem with user data, across all devices. The second issue is Apple have a problem with user data, and the fact they're not vetting Apps properly.

You have spoken in relation to Twitter, and what Apple "should do", but you never made any comment regarding the problem with the vetting procedure. This is much more than about informing users, it's the fact dodgy Apps can make it to the iTunes store, despite each application being vetted.

Plus, I have to say, I don't care that much... Just pointing this out to you.

The apps in question aren't dodgy, they're respected well-known social networks. This shouldn't have been allowed to happen, but they're hardly "dodgy apps".

As I said above, Apple does, nonetheless, have an issue with vetting apps. I also acknowledged this earlier by saying that Charlie Miller proved there were similar issues inside iOS - he was in fact able to get spyware into the App Store.

You care so little that you've been continuing your blatant strawman arguments and hijacking of the entire thread for three pages now! :eek:
 
Subbynet

No, sorry, I wrote a single line reply saying you're an Apple fanboi. Nothing has changed that, I still think the same - either that or you love playing Devil's Advocate - who knows. You decided to reply and drag it out by mis-quoting yourself.

Plus, this wasn't the only thread I was basing that idea on.
 
Subbynet

The apps in question aren't dodgy, they're respected well-known social networks. This shouldn't have been allowed to happen, but they're hardly "dodgy apps".

It's a widespread problem on iTunes store.. Many dodgy apps are making it through the vetting process. I wasn't just referring to the Twitter app, this is why I'm saying Apple has a vetting problem.
 
giffgore

No, sorry, I wrote a single line reply saying you're an Apple fanboi. Nothing has changed that, I still think the same - either that or you love playing Devil's Advocate - who knows. You decided to reply and drag it out by mis-quoting yourself.

Plus, this wasn't the only thread I was basing that idea on.

Strrraaaawwwwmmmmaaaaannnnnn.

It's a widespread problem on iTunes store.. Many dodgy apps are making it through the vetting process. I wasn't just referring to the Twitter app, this is why I'm saying Apple has a vetting problem.

I agree there's a vetting problem, but can you show me evidence that dodgy apps are stealing data in the wild? I've not seen any reports of that aside from the proof of concept by Charlie Miller which I mentioned earlier.
 
Subbynet

Strrraaaawwwwmmmmaaaaannnnnn.

No strawman...I'm calling you out as an Apple Fanboi plain and simple, at the very least, a sympathiser (or a strange Devil's Advocate). The fact you don't like it is neither here nor there, and I don't really care - I've read enough from you to form this opinion.

I agree there's a vetting problem, but can you show me evidence that dodgy apps are stealing data in the wild?

How? It's impossible to prove unless you're in the loop of a company doing it. That's part of the problem with the permissions system of IOS, it leaves it open to access without informing you of what an app will really do. (Yeah yeah I know about HTC and their stupidity) Unless you believe Charlie Miller is the only man on earth to discover this vulnerability in IOS, you have to expect others were already exploiting it, as the market for iPhones and the type of customers they attract are far more profitable than Android users.

This exploit doesn't work anymore, but I bet someone knows a new one that does work. Plus, don't you find it funny that Miller was banned from the Apple Dev program for a year for telling people about this problem.

Hardly good for public perception of IOS security.
 
giffgore

No strawman...I'm calling you out as an Apple Fanboi plain and simple, at the very least, a sympathiser (or a strange Devil's Advocate). The fact you don't like it is neither here nor there, and I don't really care - I've read enough from you to form this opinion.

You're entitled to your baseless opinions I guess - it's a free country for now ;)

How? It's impossible to prove unless you're in the loop of a company doing it.

Well many were able to determine which apps were sending address book data by hooking them up to their computers and monitoring the packets going in and out, and I'm sure if a dodgy app was doing more malicious things in the wild then someone would have spotted it.

That's part of the problem with the permissions system of IOS, it leaves it open to access without informing you of what an app will really do. (Yeah yeah I know about HTC and their stupidity)

Indeed, it should be open about permissions as Android is.

Unless you believe Charlie Miller is the only man on earth to discover this vulnerability in IOS, you have to expect others were already exploiting it, as the market for iPhones and the type of customers they attract are far more profitable than Android users.

Well I've seen no evidence to support this, so I can only conclude it may or may not have happened - we simply do not know. However, ask yourself this: if some apps sending out address book data caused such a fuss, surely apps sending out large amounts of more personal data would too?

This exploit doesn't work anymore, but I bet someone knows a new one that does work. Plus, don't you find it funny that Miller was banned from the Apple Dev program for a year for telling people about this problem?

I'm sure there's more exploits kicking around, but again I've not seen any evidence of them being used in the wild.

I do think it's a stupid decision by Apple to ban him. Miller is a white hat who pointed out a flaw in their OS; if anything, Apple should pay him a bounty. Treating white hats like that is very bad for security and Apple made a bad move by doing so.

Hardly good for public perception of iOS security.

Apple seems more concerned with helping their PR in the short term by saying "This guy did a bad thing with our App Store and we banned him!" rather than thinking ahead and looking at the fact that people like him are important for developing security. Again, this is very stupid of Apple.
 

Subbynet

Free Member
Aug 1, 2005
6,000
1,101
45
Luton
Well I've seen no evidence to support this, so I can only conclude it may or may not have happened - we simply do not know. However, ask yourself this: if some apps sending out address book data caused such a fuss, surely apps sending out large amounts of more personal data would too?

The Personal Data you speak of is being sent to Public high-profile companies - by applications that are by far the most popular available, and in the case of Twitter, it's being sent without encryption (according to reports), so it's easy to see what is being uploaded, and to whom.

You can bet your bottom dollar anyone who has gone to the effort of exploiting a bug will have done enough to cover their tracks, to the point of making it difficult to trace. The chances are the app won't be a chart topper, but some simple sort of app which does just enough to convince someone to install it. You know the type - a joke database, Chat-Up lines or something really simple to make.

Plus, if they use even the simplest of encryption, it would be harder to tell what that data was. You'd have to trace the server, and find out what the server is being used for.

Also, it's not really a large amount of data. All the information in your phone, let's say, Contacts and SMS messages probably amounts to a few megabytes. On a 3G connection, that can be uploaded within minutes.
 

giffgore

Free Member
Jan 31, 2012
346
79
The Personal Data you speak of is being sent to Public high-profile companies - by applications that are by far the most popular available, and in the case of Twitter, it's being sent without encryption (according to reports), so it's easy to see what is being uploaded, and to whom.

You can bet your bottom dollar anyone who has gone to the effort of exploiting a bug will have done enough to cover their tracks, to the point of making it difficult to trace. The chances are the app won't be a chart topper, but some simple sort of app which does just enough to convince someone to install it. You know the type - a joke database, Chat-Up lines or something really simple to make.

Plus, if they use even the simplest of encryption, it would be harder to tell what that data was. You'd have to trace the server, and find out what the server is being used for.

Also, it's not really a large amount of data. All the information in your phone, let's say, Contacts and SMS messages probably amounts to a few megabytes. On a 3G connection, that can be uploaded within minutes.

A fair point, but then something that blatant - and in an app which will have simple code if it's just a joke database or something - will likely be caught out by Apple.

It's also possible to get an outgoing firewall app from Cydia which works like Little Snitch on a Mac - it tells you what connections apps are trying to make and lets you choose whether or not to allow them, and even if the data would be sent over an encrypted connection, the firewall can still tell you where the app is attempting to connect to, which port it's using, and of course, which app is doing it. And it's on the BigBoss repo, which comes with Cydia, so it's safe to assume a lot of geeks with jailbroken iPhones use it. There are, of course, equivalent apps for other smartphone platforms too.

Even if only a few networking geeks or hackers or whoever use such things, if one person finds something suspicious in an App Store app, it's still likely they'll go online and spread the word about it, even if the app is not well known. Remember, this firewall always runs in the background, it doesn't have to be especially set up for each app or anything, so it's easy to notice if an app is doing something it shouldn't.
 

Subbynet

Free Member
Aug 1, 2005
6,000
1,101
45
Luton
A fair point, but then something that blatant - and in an app which will have simple code if it's just a joke database or something - will likely be caught out by Apple.

There is nothing to say it's going to be blatant. Disguising such code is an artwork in itself. You'd have to be a fairly decent programmer to understand what the code is doing, and personally, I don't think Apple employ these sorts of people for just checking apps.

Have a read of this. http://en.wikipedia.org/wiki/Underhanded_C_Contest

It's also possible to get an outgoing firewall app from Cydia which works like Little Snitch on a Mac - it tells you what connections apps are trying to make and lets you choose whether or not to allow them, and even if the data would be sent over an encrypted connection, the firewall can still tell you where the app is attempting to connect to, which port it's using, and of course, which app is doing it. And it's on the BigBoss repo, which comes with Cydia, so it's safe to assume a lot of geeks with jailbroken iPhones use it. There are, of course, equivalent apps for other smartphone platforms too.

That would be a good addition for both iOS and Android.

The trouble is I don't think that works in the iOS Sandbox, it only works on jailbroken phones so that the Firewall App can gain access to such information. Compared to the number of iPhones in existence, there aren't really many jailbroken phones out there. Most people just don't bother.

Even if only a few networking geeks or hackers or whoever use such things, if one person finds something suspicious in an App Store app, it's still likely they'll go online and spread the word about it, even if the app is not well known. Remember, this firewall always runs in the background, it doesn't have to be especially set up for each app or anything, so it's easy to notice if an app is doing something it shouldn't.

But you've narrowed down the potential quite a lot. First, they have to have a jailbroken phone, second they have to have the firewall app installed - which isn't a given, because of battery life/memory restrictions (Plus some "security apps" on both iOS and Android are just snakeoil and people don't trust them). Then, after all that, you have to find someone that's bothered enough to tell others, and then that message has to be listened to by others, and checked/verified again so that the message spreads.

As much as I'd like to believe 1 person can do this, in reality, I think it takes quite an effort to make people listen to you - and it helps if you're already an authority on such matters.

The issue Charlie Miller found gained a lot of attention with people and the press because he was a Pwn2Own winner. Plus, if you tell Apple directly, they'd probably try to keep it secret, and quietly patch any problem before it's widespread knowledge. If they can ban Charlie Miller - they'll ban anyone.
 

giffgore

Free Member
Jan 31, 2012
346
79
There is nothing to say it's going to be blatant. Disguising such code is an artwork in itself. You'd have to be a fairly decent programmer to understand what the code is doing, and personally, I don't think Apple employ these sorts of people for just checking apps.

Have a read of this. http://en.wikipedia.org/wiki/Underhanded_C_Contest

I'm aware, but then I'm sure the people Apple hired specifically to read code are good at reading code. Remember, we only see their mistakes, there's nothing showing us all the bad apps they spot. If there's one thing you can say about Apple and employees, it's that Apple's very strict about who they hire and how they manage people.

That would be a good addition for both iOS and Android.

Here's the Android equivalent BTW - it's free :)

The trouble is I don't think that works in the iOS Sandbox, it only works on jailbroken phones so that the Firewall App can gain access to such information. Compared to the number of iPhones in existence, there aren't really many jailbroken phones out there. Most people just don't bother.

Yes, it only works on jailbroken iPhones.

But you've narrowed down the potential quite a lot. First, they have to have a jailbroken phone, second they have to have the firewall app installed - which isn't a given, because of battery life/memory restrictions (Plus some "security apps" on both iOS and Android are just snakeoil and people don't trust them). Then, after all that, you have to find someone that's bothered enough to tell others, and then that message has to be listened to by others, and checked/verified again so that the message spreads.

As much as I'd like to believe 1 person can do this, in reality, I think it takes quite an effort to make people listen to you - and it helps if you're already an authority on such matters.

The issue Charlie Miller found gained a lot of attention with people and the press because he was a Pwn2Own winner. Plus, if you tell Apple directly, they'd probably try to keep it secret, and quietly patch any problem before it's widespread knowledge. If they can ban Charlie Miller - they'll ban anyone.

I'm quite sure only one person noticed this address book thing, then they'd have gone online and said "Look at what so and so app is doing!" then others would have tested it for themselves, seen that it's true, and built up a fuss. You should be aware that information goes viral online very quickly.

I have faith that any genuinely dodgy app would be noticed by at least one person. There are millions and millions of iOS users, and even if a small percentage are looking out for this stuff, that's still enough IMO.
 

Subbynet

Free Member
Aug 1, 2005
6,000
1,101
45
Luton
I'm aware, but then I'm sure the people Apple hired specifically to read code are good at reading code. Remember, we only see their mistakes, there's nothing showing us all the bad apps they spot. If there's one thing you can say about Apple and employees, it's that Apple's very strict about who they hire and how they manage people.

We have plenty to show the bad apps they spot - because they're rejected from the App store. You can hear the reasons why from news stories. They range from poor functionality, to using external payment APIs, to poor graphics, and much more... They reject a hell of a lot of apps - and in some cases, have been accused of ripping off developers by basically stealing their app and releasing it themselves. (iAd)

Also, look at the mistakes in general, across the company and all its products. If they can review iTunes apps that well, why do so many issues persist in the proper Apple OSes and Applications?

The perks for working for Apple ain't that great compared to Microsoft, or Google, or plenty of other large companies.

Here's the Android equivalent BTW - it's free :)

Yes, I know these apps exist for Android, but the chances are not many people will install it, and so I believe it should be included in the OS. Also, this application is unavailable. Not sure why, just says so on the download page.

I'm quite sure only one person noticed this address book thing, then they'd have gone online and said "Look at what so and so app is doing!" then others would have tested it for themselves, seen that it's true, and built up a fuss. You should be aware that information goes viral online very quickly.

Well, I've been in business for over 10 years now, and I can only dream of people going on-line and telling others and a snowball effect starts off from one person. It happens, but not often, you need something that really grips the audience.

Even in advertising, you only get a 1% response rate - that's 1 person in every 100 is bothered enough to act on a targeted message, so I doubt someone mentioning it on a forum or elsewhere will have that much impact at all.

I have faith that any genuinely dodgy app would be noticed by at least one person. There are millions and millions of iOS users, and even if a small percentage are looking out for this stuff, that's still enough IMO.

Noticed, yes it will be noticed, but acted on - that's a whole different ball game.
 
