Researchers craft Android app that reveals to find horrific menagerie of hidden spyware; legally barred from doing the same with iOS


#1

Originally published at: https://boingboing.net/2017/11/25/la-la-la-cant-hear-you.html


#2

https://reports.exodus-privacy.eu.org/reports/apps/

The Duck Duck Go app? What the duck! Is that by design, or because they used someone else’s library that included spyware?

I rarely install apps, so there were a lot of near misses until I got to the Wikipedia app, bang! (I was looking at it to see if it could be pointed at my site as a sister-pedia.)

ETA: Duck Duck Go was listed as one they tested and found no trackers. Phew!


#3

I…don’t understand the headline.


#4

That headline, tho.


#5

I’m not sure that this is a problem with DRM. Wouldn’t the weaker platform be the one that a third party app can be written and distributed to mine data from other applications?


#6

I think the suggestion is that it’s doing that anyways - with the DRMed item - since the same apps are available on both platforms. The problem is that YOU (or your Yale researching double) can’t get in to see what is happening.


#7

by ‘doing that’ I mean ‘mining your data’


#8

The researchers sent a teenager with a faulty flashlight to check out that funny sound in the Android basement, and found slashers.

With the Apple basement, there’s a security guard and a vault door preventing access. Probably nothing to worry about.


#9

One solution is to install an open source Android distribution, like LineageOS (to get rid of preinstalled spyware), and get apps not from Google Play, but from the F-Droid store:


There’s source code for each app in F-Droid, so they can be audited by anyone.


#10

That’s a good idea, but I want to use Android Pay and have the BlackBerry Hub and tools installed. It’s a devil’s bargain; the things I use that make the device of more use than a flip phone are precisely the things that won’t work with Lineage OS, like banking. It is an enormous pity that Cyanogen pulled the rug from under Oneplus.


#11

Nothing To See Here [optimized, every 4th frame dropped]


#12

I am reminded of an observation that while the thieves may be outside the bank vault planning to break in, its contents are probably the result of much bigger thefts.
I seem to recall that when a very large safe deposit was broken into, a remarkable number of deposit box holders did not come forward to report what they had had stolen.


#13

I run FOSS wherever I can. I am posting from an Ubuntu system. But there is so much code in software everywhere you look that it is almost impossible to be sure what it is doing. In theory OSS can be reviewed and checked but in practice I doubt it happens enough to keep spyware out.


#14

And a sign reading “Beware of the Jaguar”.


#15

…but that exemption only allows Exodus to use that tool; it doesn’t allow Exodus to make that tool…

Couldn’t they just kind of say they found it? Like in an empty subway car or something?


#16

Typically spyware uses a significant amount of code or an external library, so it can be easily noticed. I’d be more worried about purposefully introduced vulnerabilities. They are sometimes very hard to spot (like buffer overflows). Here’s one (failed) example:
https://freedom-to-tinker.com/2013/10/09/the-linux-backdoor-attempt-of-2003/

I have not tried those on LineageOS, but if the system is not rooted, I think that they should work (Google Play would have to be installed, but it works fine there). LineageOS is the continuation of CyanogenMod.


#17

Didn’t Mountain Lion have some problems too? I can never keep up with all these Apple distro versions.


#18

Can LineageOS be installed on an unrooted device? I mean, I don’t know these things, I’m just asking.


#19

I’ll attempt installation on Galaxy Note II next week. According to instructions, there’s no need to root original firmware:
https://wiki.lineageos.org/devices/t0lte/install
By default, when you install LineageOS, it’s also not rooted, so apps that refuse to work with rooted devices should work there too.


#20

Yes this is what I really mean. The vulnerability would be part of the system. The business logic of the exploit would be elsewhere, using the vulnerability as a way in.