New iOS App Sends Users' Web Traffic Through Its Proxy Servers

Posted by Soulskill
from the you-can-trust-us dept.
New submitter spac writes "AllthingsD has an interesting story about how a startup called Wajam requires users of their service to download a script that sets up a proxy to handle all network requests for the purpose of providing 'Social Recommendations' within built-in apps. The privacy implications of using this profile script aren't clearly presented to users. Are we really to entrust our data to a company founded by a man who comes from the world of browser toolbars? And for social search?!" The company rushes to counter privacy concerns by pointing out that their service has "received security certifications from TRUSTe, McAfee and Norton."
  • by mr1911 (1942298) on Wednesday August 29, 2012 @06:08PM (#41172727)
    They already post all of their life details on Facebook anyway.

    Those that do care wouldn't use this app in the first place.
    • by SuperKendall (25149) on Wednesday August 29, 2012 @06:18PM (#41172819)

      Those that do care wouldn't use this app in the first place.

      A point of technical accuracy; on iOS you could not sell an app that would alter the destination of traffic for all other apps.

      Instead, they are using a configuration profile - it's the same mechanism that enables a company to configure iOS devices. The configuration profile can load in mandatory PIN use, or other settings for the phone - including a network proxy as we see here.

      As you say, users will not really care... but even so I can't see them tricking many users into doing this.

      • by Nerdfest (867930) on Wednesday August 29, 2012 @06:30PM (#41172969)

        You have way more faith in users than I do. It's been shown again and again that you can make a platform as secure as you want, but if you allow a user to do something bad for them, they will do it ... even if you warn them.

        • I agree with you, it could be that perhaps Apple will do something to make it more difficult to install configuration profiles going forward...

          If they felt this action was improper they could issue an OS update that would just block any attempt to use those servers as a proxy.

          The real question is, what are they doing on those servers with your traffic...

        • by cyp43r (945301)
          A platform that is secure as you want = not allowing users to do something bad for them.
      • Re: (Score:3, Funny)

        by PopeRatzo (965947)

        As you say, users will not really care... but even so I can't see them tricking many users into doing this.

        Why not? Those users were tricked into buying iPhones in the first place, so there's a pretty good likelihood that they're gullible.

        • by Anonymous Coward

          Why not? Those users were tricked into buying iPhones in the first place, so there's a pretty good likelihood that they're gullible.

          Those users are probably the same people who think cloud computing has to do with the weather (from the adjacent slashdot article). XD

      • by icebike (68054) * on Wednesday August 29, 2012 @07:31PM (#41173501)

        A point of technical accuracy; on iOS you could not sell an app that would alter the destination of traffic for all other apps.

        Instead, they are using a configuration profile - it's the same mechanism that enables a company to configure iOS devices. The configuration profile can load in mandatory PIN use, or other settings for the phone - including a network proxy as we see here.

        As you say, users will not really care... but even so I can't see them tricking many users into doing this.

        Still, what happened to the curated garden that Apple is so proud of?

        An app that helps singles find others in bars is booted from the App store for fear of stalking, but one that steals ALL your traffic is OK?

        90% of iPhone users have no clue what the pop-ups and check boxes mean. It's just some techno-talk-gibberish that you have to click OK on in order to use your cool new app.

        • Re: (Score:3, Informative)

          by scdeimos (632778)

          A point of technical accuracy; on iOS you could not sell an app that would alter the destination of traffic for all other apps.

          Instead, they are using a configuration profile - it's the same mechanism that enables a company to configure iOS devices. The configuration profile can load in mandatory PIN use, or other settings for the phone - including a network proxy as we see here.

          As you say, users will not really care... but even so I can't see them tricking many users into doing this.

          Still, what happened to the curated garden that Apple is so proud of?

          An app that helps singles find others in bars is booted from the App store for fear of stalking, but one that steals ALL your traffic is OK?

          90% of iPhone users have no clue what the pop-ups and check boxes mean. It's just some techno-talk-gibberish that you have to click OK on in order to use your cool new app.

          Did you even read TFA? This is /. so I guess not.

          Ignoring that Apple are dicktards when it comes to consistent enforcement of their own App Store policies, the Wajam app doesn't even touch your traffic. Users are encouraged to download and install a separate Configuration Profile that tells the iDevice to use a proxy server at Wajam's DC for internet traffic. Carrier Settings/Configuration Profiles are not new... for a number of years web sites like http://www.unlockit.co.nz/ [unlockit.co.nz] have enabled users to define th

          • by icebike (68054) * on Wednesday August 29, 2012 @08:42PM (#41174099)

            You make a huge distinction for very little difference.

            Regardless of HOW they get the user to use a proxy server, they are still systematically socially engineering them to do so.

            That they use methods that were designed for corporate phones and apply them to public subscribers is simply more evidence of misbehavior.

            That you accepted my gift of a wall clock does not excuse the presence of my listening device embedded therein, even if the fine print in the clock's user manual mentioned it.

  • by Anonymous Coward

    Yes, there are "security certifications", but they are more of a nature that the website itself isn't doing overt Web attacks.

    Completely different from foisting a proxy setup onto unsuspecting users in order to add a layer of ads and tracking.

    • by Anonymous Coward

      "Security certifications", a.k.a., "none but ourselves will sell your data" :)

    • by AK Marc (707885)
      What's certified? The app could be certified, but not the proxy that's side-loaded and not technically part of the app itself.
  • by realitycheckplease (2487810) on Wednesday August 29, 2012 @06:11PM (#41172765)
    Presenting security certifications from TRUSTe, McAfee and Norton says nothing about how they'll use personal data. It just means that they might be less susceptible to hacking (but I personally doubt it) than companies without similar certifications.
  • by Bovius (1243040) on Wednesday August 29, 2012 @06:14PM (#41172795)

    As an iOS developer, if I submitted an app to the app store that does this, I'm certain it would be rejected for not meeting Apple's guidelines. Makes me wonder who had to be friends with who to get this greenlighted.

    • by SuperKendall (25149) on Wednesday August 29, 2012 @06:29PM (#41172949)

      Makes me wonder who had to be friends with who to get this greenlighted.

      There was no need to be friends with anyone. I put in a longer post about this elsewhere, but it's not an app that does this but a configuration file that tells the phone to use their server as a proxy.

      It's quite easy to build your own iPhone configuration files, anyone can download the iPhone Configuration Utility [apple.com] (They even have a Windows [apple.com] version) to build one. The trick is getting people to install the configuration...

      But between building a config and applying to a device, Apple is never involved.

      A configuration profile was also a way you could enable tethering at first when AT&T blocked it initially, though Apple/AT&T did fix that eventually...
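      SuperKendall's two posts above describe the mechanism: a configuration profile, built with the iPhone Configuration Utility and installed without Apple's involvement, that tells the phone to use a proxy. The Python below is an added example, not Wajam's profile or Apple's tooling: it parses a constructed .mobileconfig plist and reports each payload that routes traffic through a proxy. The payload types (com.apple.proxy.http.global, com.apple.wifi.managed) and keys (ProxyType, ProxyServer, ProxyServerPort, ProxyPACURL, SSID_STR) are Apple's documented ones; the hostnames and identifiers are placeholders.

```python
"""Audit an iOS configuration profile (.mobileconfig plist) for payloads that
route device traffic through a proxy. Added example, not Wajam's or Apple's code;
the sample profile is constructed. Keys follow Apple's Configuration Profile Reference."""
import plistlib

# Payload types whose dictionaries may carry proxy settings.
PROXY_PAYLOAD_TYPES = {"com.apple.wifi.managed", "com.apple.proxy.http.global"}

def find_proxy_payloads(profile_bytes):
    """Return one finding per payload that sets a manual or PAC-based proxy."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        proxy_type = payload.get("ProxyType", "None")  # None | Manual | Auto
        if ptype not in PROXY_PAYLOAD_TYPES or proxy_type == "None":
            continue
        if ptype == "com.apple.proxy.http.global":
            scope = "all HTTP(S) traffic on the device"
        else:
            scope = "Wi-Fi network %s" % payload.get("SSID_STR", "?")
        if proxy_type == "Auto":  # a PAC script decides the route per URL
            proxy = payload.get("ProxyPACURL", "?")
        else:  # fixed host:port for every request
            proxy = "%s:%s" % (payload.get("ProxyServer"), payload.get("ProxyServerPort"))
        findings.append({"payload": payload.get("PayloadIdentifier", "<unnamed>"),
                         "type": ptype, "scope": scope, "proxy": proxy})
    return findings

# Constructed sample: one global manual proxy, one Wi-Fi network with a PAC URL.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Social Recommendations (sample)</string>
  <key>PayloadContent</key><array>
    <dict><key>PayloadType</key><string>com.apple.proxy.http.global</string>
      <key>PayloadIdentifier</key><string>sample.proxy.global</string>
      <key>ProxyType</key><string>Manual</string>
      <key>ProxyServer</key><string>proxy.example.invalid</string>
      <key>ProxyServerPort</key><integer>8080</integer></dict>
    <dict><key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>sample.wifi.cafe</string>
      <key>SSID_STR</key><string>CafeWiFi</string>
      <key>ProxyType</key><string>Auto</string>
      <key>ProxyPACURL</key><string>http://pac.example.invalid/proxy.pac</string></dict>
  </array></dict></plist>"""

if __name__ == "__main__":
    for f in find_proxy_payloads(SAMPLE_PROFILE):
        print("%(payload)s (%(type)s): %(scope)s -> %(proxy)s" % f)
```

Run it against a downloaded profile before installing it; a global proxy payload means every HTTP(S) request from every app transits the named server.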

      • by scot4875 (542869)

        So in response to your title: you're saying that Apple's walled garden doesn't protect its users from this sort of behavior?

        Are typical Apple users aware that they need to be cautious of this kind of behavior?

        If the walled garden doesn't protect them, and according to you, *can't* protect them, what's the point of the walled garden at all?

        --Jeremy

      • by Anonymous Coward

        I put in a longer post about this elsewhere,

        I'd say everywhere, not just elsewhere. And you've been splitting hairs and picking nits in all of them.

        What's your interest in defending Apple on this?

        • by R3d M3rcury (871886) on Wednesday August 29, 2012 @10:41PM (#41174799) Journal

          What's your interest in defending Apple on this?

          What's your interest in attacking Apple on this?

          Okay, I'll point out one simple fact: This is not an App. If you go to the iTunes Store and search for Wajam, you find nothing. Nil, Zip, Nada. So it's not an App that Apple is implicitly saying is okay by hosting it in its App Store.

          If you want to "bash" Apple, what this is is a privacy attack vector. If I can get you to download something like this to your phone, I can set up the proxy so that a trip to, oh, bankofamerica.com will end up on a server of my choice. Great for spoofing and pretty dangerous.

          Note that it doesn't automatically select the configuration--I have to do this myself. But that can be socially-engineered, so it's not like it's great protection. So Apple is not entirely blameless on this, I'll agree.

        • What's your interest in defending Apple on this?

          My interest is in people getting technical facts right.

          The fact is that Apple has no control over people making and distributing these profiles. That is a simple fact; there is no App involved, another fact.

          In FACT I even stated that I thought Apple at some point might have to put some additional controls around installing profiles so naive users cannot do so easily. That's not defending Apple, that's saying they have an issue they may want to address if rogue

        • Being curious, I decided to RTFA to find out the actual truth. The GP is telling the truth, and you're not.

          This is:

          1. Not an app. Apple is not involved in any way whatsoever. They have not, to the best of my knowledge, approved anything from this company, not even a different related or unrelated app, and even if they had it wouldn't mean anything - see on.

          2. Despite the hysterical write up, the "proxying" is for a legitimate reason. The concept is that the proxies insert additional information thus

  • by Anonymous Coward on Wednesday August 29, 2012 @06:14PM (#41172799)

    Pay TRUSTe, et al. some money and they will "certify" you. As far as I can tell all it really means is you the consumer know the company paid money to get a logo for their site/app. It's not some rigorous analysis of what is done with your data or how it is secured and seems basically worthless.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      It has been a while, but I've seen some logos that basically say "This site is certified by us... and reserves the right to hand over every stray bit to any third party they please".

      Certified, yes. Does this mean actual protection of the consumer? I'd read into it more closely.

      Realistically, the only certifications I'd take seriously would be NIST controls, PCI/DSS2 or something similar that not just allows a company to stick pretty colored logos, but actually have the logos mean something other than paying

  • The summary is wrong (Score:5, Informative)

    by digitallife (805599) on Wednesday August 29, 2012 @06:24PM (#41172895)

    The summary is wrong.
    There is no app on iOS, and in fact no way to do this on iOS through an app. The 'script' is for fully fledged desktops. On iOS they have instructions for how to set up Wajam as your proxy.
    This is pretty basic stuff. iOS slandering at its best.

    • I gotta admit, I was wondering how a script could change your proxy on iOS when, in theory, the only "script" you can run is JavaScript.

      The neat question, of course, is did Apple vet what they're doing in any way before allowing them on their store. Or is this one of those cases where Apple looks out for the safety and security of their users until something goes wrong and then it's, "Hey, we're not responsible for third-parties."

    • by motd2k (1675286)
      Wrong. This IS an app - the app quits and opens the connection profile in Mobile Safari when the user taps a button in the app to 'Enable'.
    • by tlhIngan (30335)

      On iOS they have instructions for how to set up Wajam as your proxy.

      I don't know about you - but what is restricting use of that to iPhones?

      Did this company really just open up a huge free proxy server on the 'net for everyone to use? If they're in the US, it's basically a free proxy server to all those US services that everyone whines about... if not, it's a free proxy server that lets you "hide" your IP...

      Depending on the proxy, it might be worthwhile to shove your torrent traffic through there?

      Of course,

  • Well, since we're already on the Security != Privacy train, I just thought I'd call attention to the pachyderm in the room.

  • by Gordonjcp (186804) on Wednesday August 29, 2012 @06:29PM (#41172951) Homepage

    Wouldn't it be terrible if someone published the details of the proxy connections, and it started getting hammered by thousands of slashdotters?

  • by peacefinder (469349) <alan@dewitt.gmail@com> on Wednesday August 29, 2012 @06:53PM (#41173203) Journal

    The company rushed to point out that security certifications from TRUSTe, McAfee and Norton are worthless in this situation.

  • by l3v1 (787564)
    "Are we really to entrust our data to a company founded by a man who comes from the world of browser toolbars?"

    Why, you trust your data to random apps developed by random people, and suddenly this one poked your eye because the guy made browser bars? Now at least you know he's getting the data, not with some other crap which just uses it, leaks it, etc. Also, if you know what this app does, and you don't agree with it, instead of not using it, you start complaining about it. Yeah, nice :)

    I'd never use s
    • by Bob Ince (79199)

      Coming "from the world of browser toolbars" is somewhat of an understatement in this case.

      We are talking about a founder of CDT (latterly Zango Canada), who paid affiliates to bulk-install spyware on unwitting Windows users' machines, using tactics up to and including browser security hole exploits. Hats don't come much blacker.
