Title: Iphone && privaCy
http://blog.iphone-dev.org/ "A pinch too much"
http://i-phone-home.blogspot.com/2009/07/pinchmedia-anatomy-of-spyware-vendor.html
privaCy is an opt-out tool that is meant to give the spyware producers on the iPhone a clean image. I am a bit sceptical about that.
I mean, without an opt-in there is no need for an opt-out, and I would try to avoid entering into any agreement (however it is designed) with these people.
The best course is still to delete such programs; unfortunately they have to be identified first, which costs time, and one fails through one's own laziness.
I also think the "manufacturers" cannot be trusted; some time ago they showed no real insight:
From a mailing list; I have obscured the email addresses where necessary and removed real names. Anyone who feels like it can search the archive.
Back then P!nchmedia stated that they tracked which puzzles were easy or hard to solve. Today it is clear that they transmit, among other things, location as well as gender and date of birth, partly extracted from Facebook accounts. Why is that even possible?
Why not also the data available through my Google account, which in the worst case is my complete email history since 1996 and my calendar? Or, since I once typed my Amazon password into Kindle, my bank details and purchase history? Is there an eBay interface as well? One probably still has to be grateful that Apple has not built a password manager into the web browser!
email1
Subject: Re: [iPhoneSDK] Opinions/Input: "Page Tracking" in a free app
To: iphonesdk@ericasadun.com
Date: Sun, 02 Nov 2008 18:38:34 +0100
"iXXXX" <XXXXXXXX> writes:
> On Sun, Nov 2, 2008 at 1:06 AM, DLDS iPhone
> <ipXXXXXXX> wrote:
>> Am I making too big of a deal out of this? If not, is there
>> standardized statement of best practices about this kind of
>> thing that I can show to my client?
>
> Okay. My two cents: it's UNETHICAL to do it WITHOUT INFORMING THE USER.
>
> One fact is, you're tracking him without him knowing, even if
> anonymously (bad and illegal in some jurisdictions worldwide). Another
> fact is, all iPhone plans worldwide have soft or hard data caps --
> using the Internet while the user is on WWAN is costing the user
> money, and if you don't tell him s/he's basically paying for your
> stats. May almost be acceptable if your app uses the Internet to do
> its job, it certainly isn't when the app is a standalone (say, a game)
> that only uses the Internet for tracking.
>
> So, my opinion:
>
> - Tell the user explicitly.
> - Use the status bar spinner when you're accessing the network. DO THIS.
Hi,
I was not aware that you could hide network access in AppStore apps.
So I started a packet dumper on my router and immediately discovered some
malware on my iPhone:
This is MazeFinger from ngmoco.com transferring some data, without any
notification:
18:05:26.530191 IP (tos 0x0, ttl 64, id 40270, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.95.51234 > 8.12.42.137.443: F, cksum 0x2e60 (correct), 1810:1810(0) ack 1740 win 33120 <nop,nop,timestamp 442808412 2555152348>
18:05:26.734866 IP (tos 0x0, ttl 54, id 139, offset 0, flags [DF], proto TCP (6), length 52) 8.12.42.137.443 > 192.168.1.95.51234: F, cksum 0xeab7 (correct), 1740:1740(0) ack 1810 win 50400 <nop,nop,timestamp 2555152388 442808412>
18:05:26.840607 IP (tos 0x0, ttl 64, id 40271, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.95.51234 > 8.12.42.137.443: F, cksum 0x2e34 (correct), 1810:1810(0) ack 1741 win 33120 <nop,nop,timestamp 442808415 2555152388>
Same for Sudoku from "Mighty Good Games"
18:08:07.181979 IP (tos 0x0, ttl 64, id 40288, offset 0, flags [DF], proto TCP (6), length 64) 192.168.1.95.51236 > 63-246-8-198.contegix.com.80: S, cksum 0xd355 (correct), 3776697937:3776697937(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,timestamp 442810016 0,sackOK,eol>
18:08:07.349303 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto TCP (6), length 60) 63-246-8-198.contegix.com.80 > 192.168.1.95.51236: S, cksum 0x9875 (correct), 2782360830:2782360830(0) ack 3776697938 win 5792 <mss 1452,sackOK,timestamp 1748939298 442810016,nop,wscale 7>
18:08:07.851113 IP (tos 0x0, ttl 51, id 51194, offset 0, flags [DF], proto TCP (6), length 52) 63-246-8-198.contegix.com.80 > 192.168.1.95.51236: F, cksum 0xd40b (correct), 199:199(0) ack 1729 win 77 <nop,nop,timestamp 1748939799 442810021>
18:08:08.244861 IP (tos 0x0, ttl 64, id 40301, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.95.51236 > 63-246-8-198.contegix.com.80: F, cksum 0x52f1 (correct), 1729:1729(0) ack 200 win 33120 <nop,nop,timestamp 442810027 1748939799>
What is Apples position on this? Do they have some sort of complaint
system which I could address?
Or is it better to use some of the antivirus vendors to make this kind
of unauthorized computer usage publicly known?
I think a report on heise/register/... or maybe even an official CERT
or CVE would make application vendors sensitive to these issues.
Has anyone used https://forms.us-cert.gov/report for incidents like
this?
regards
Frank
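The mail above does the analysis by eye: a packet dump on the router, then picking out which phone connections go where. The script below, an added example that is not part of the original mail or of any of the projects mentioned, automates that step. It parses lines in the verbose tcpdump format quoted above, groups packets by remote endpoint, records whether the phone initiated the connection (outbound SYN) and marks port 443 flows as not inspectable on the wire, which is the point Frank makes about the MazeFinger traffic. The sample lines are constructed for the example, modelled on the dumps quoted above; the local prefix 192.168.1. and the list of opaque ports are assumptions a reader would adjust for their own network.

```python
import re
from collections import defaultdict

# Matches the verbose tcpdump line format quoted in the mail above:
#   <time> IP (tos ..., length N) <src>.<sport> > <dst>.<dport>: <flags>, ...
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) IP \(.*?length \d+\) "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[A-Z.]+),"
)

# Constructed sample dump, modelled on the lines quoted in the mail (not a real capture).
SAMPLE = """\
18:05:20.100000 IP (tos 0x0, ttl 64, id 40260, offset 0, flags [DF], proto TCP (6), length 64) 192.168.1.95.51234 > 8.12.42.137.443: S, cksum 0x0000 (correct), 1:1(0) win 65535 <mss 1460>
18:05:20.300000 IP (tos 0x0, ttl 54, id 130, offset 0, flags [DF], proto TCP (6), length 60) 8.12.42.137.443 > 192.168.1.95.51234: S, cksum 0x0000 (correct), 1:1(0) ack 2 win 5792 <mss 1452>
18:05:26.530191 IP (tos 0x0, ttl 64, id 40270, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.95.51234 > 8.12.42.137.443: F, cksum 0x2e60 (correct), 1810:1810(0) ack 1740 win 33120
18:08:07.181979 IP (tos 0x0, ttl 64, id 40288, offset 0, flags [DF], proto TCP (6), length 64) 192.168.1.95.51236 > 63-246-8-198.contegix.com.80: S, cksum 0xd355 (correct), 3776697937:3776697937(0) win 65535
18:08:07.349303 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto TCP (6), length 60) 63-246-8-198.contegix.com.80 > 192.168.1.95.51236: S, cksum 0x9875 (correct), 2782360830:2782360830(0) ack 3776697938 win 5792
18:08:07.851113 IP (tos 0x0, ttl 51, id 51194, offset 0, flags [DF], proto TCP (6), length 52) 63-246-8-198.contegix.com.80 > 192.168.1.95.51236: F, cksum 0xd40b (correct), 199:199(0) ack 1729 win 77
"""


def split_endpoint(endpoint):
    """'8.12.42.137.443' -> ('8.12.42.137', 443); tcpdump appends the port as the last dotted component,
    so rsplit works for resolved hostnames such as '63-246-8-198.contegix.com.80' as well."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_line(line):
    """Return a packet record for one tcpdump line, or None if the line is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "time": m.group("time"),
        "src": split_endpoint(m.group("src")),
        "dst": split_endpoint(m.group("dst")),
        "flags": m.group("flags"),
    }


def summarize_flows(lines, local_prefix="192.168.1."):
    """Group packets by remote (host, port). local_prefix is an assumption: the phone's LAN."""
    flows = defaultdict(lambda: {"packets": 0, "outbound_syn": False})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src_local = pkt["src"][0].startswith(local_prefix)
        dst_local = pkt["dst"][0].startswith(local_prefix)
        if src_local:
            remote = pkt["dst"]
        elif dst_local:
            remote = pkt["src"]
        else:
            continue  # traffic not involving the phone's network
        entry = flows[remote]
        entry["packets"] += 1
        # A SYN from the local side means the phone (i.e. an app on it) opened the connection.
        if src_local and "S" in pkt["flags"]:
            entry["outbound_syn"] = True
    return dict(flows)


def report(flows, opaque_ports=(443,)):
    """One record per remote endpoint. Flows on opaque_ports (assumed: TLS on 443) carry encrypted
    payload, so the dump alone cannot show what the app transmitted."""
    out = []
    for (host, port), stats in sorted(flows.items()):
        out.append({
            "remote": host,
            "port": port,
            "packets": stats["packets"],
            "initiated_by_phone": stats["outbound_syn"],
            "payload_inspectable": port not in opaque_ports,
        })
    return out


if __name__ == "__main__":
    for rec in report(summarize_flows(SAMPLE.splitlines())):
        print(rec)
```

Feed it the output of `tcpdump -n -v` captured on the router (or any saved text dump in that format) and the report lists every remote endpoint an app on the phone opened a connection to; endpoints with `payload_inspectable` false are the ones where the dump shows that data left the device but not what it contained.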
email2
Subject: Re: [iPhoneSDK] Opinions/Input: "Page Tracking" in a free app
To: iphonesdk@ericasadun.com
Date: Sun, 02 Nov 2008 19:35:32 +0100
"JXXXX (saurik)" XXX writes:
> Umm... talk about amazing over-reaction? You have no idea why these
> programs are doing that. Once you did know, for all you know they
> aren't even doing anything wrong. For example, I do not believe, at
> least in the US (the only place I could even begin to know anything),
> that a program needs to notify you of /anything/ if it, for example,
> sends a packet to a server to determine "is this the latest version",
> doesn't store anything on the server of the fact that that happened,
> and uses that information locally to tell you "your version is out of
> date, you really should upgrade".
I do not think that I need to know why these applications are doing that.
The approach taken is the problem.
They 'hide' the accesses (no user spinning wheel notification) and
have not informed me about them.
They seem to have encrypted the data they copied from my iPhone
(judging from the port 443), so I cannot easily check what is being
transferred.
regards
Frank
email3
RXXXX <XXXXX@pinchmedia.com> writes:
> I have no idea about what MazeFinger is doing but the Sudoku game
> actually uses a package produced by my company to track which puzzle
> datasets are the easiest/hardest. The game should contain notice that
> it does so in its App Store EULA.
I agree they should inform me that some sort of usage tracking is
taking place. That they intend to use my network for their
purposes.....
They should follow the conventions and show network traffic by some
'spinning wheel' notification.
And I guess there are strict regulations with respect to EULAs. At
least it should be possible for the end user to access them or so....
I did not find any EULA with respect to sudoku. How do I access them?
> Similarly, Apple uses Omniture to
> track application usage for the apps that ship on the device (as does
> Adobe on the desktop). If you really have a huge issue with it, don't
> use an iPhone, an Android phone, or any other phone that can connect
> to the internet. Or a computer. Or a TV (the cable companies know
> your DVR habits, read the license info).
Yes, I noticed too that the privacy standards are pretty low on the
iPhone.
Quite funny advice you give otherwise. What did you intend to say?
regards
Frank
--
FrankHartmann - 2009-08-22 00:06 GMT in
FranksLogbuch
Comments:
MatthiasWientapper - 2009-08-22 13:59 GMT:
One probably still has to be grateful that Apple has not built a password manager into the web browser!
Since 3.0 Safari can remember passwords...
Hm, sounds as if the first application firewalls for the iPhone will be appearing soon. MacOS has one too, so it should not be a problem...
FrankHartmann - 2009-08-23 10:01 GMT:
Then I suppose I must say it is lucky that the thing does not do so for me. I do have an 'autofill' button, but remembering passwords does not work.
An application firewall will not really work. Many programs use the internet on my behalf and transmit data to others without my wanting it.
What I find funny are the comments of the Pinchmedia people.
Airplane mode is effective, or
if they do not want that, they should not buy an iPhone
And apart from that they collect no data that makes me identifiable
uuid. Sure.
But I think that, now that it is becoming visible that they also transmit a list of the 'cracked' programs, enough people will get nervous.