Facebook app on Android Stealing User's Contacts

Monday, July 1, 2013

Facebook, the top-ranking free app in Google Play, has taken advantage of Android's weak platform security to collect users' phone numbers as soon as the app is installed, highlighting core differences in Apple's approach to protecting users' privacy and those of social-advertising firms like Facebook and Google.


The news of Facebook's latest "leak" was outed by Symantec after it analyzed various Android apps using its Norton Mobile Insight tool designed to "discover malicious applications, privacy risks, and potentially intrusive behavior."

Symantec didn't need to dig deep into Google Play to find pay dirt, but its researchers still noted that it "even surprised us when we reviewed the most popular applications exhibiting privacy leaks."

The firm stated, "the first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers. You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen."

Just one week ago, Facebook users found that it was possible to download private information from people who had "some connection to them," even when that data had not been intentionally shared with Facebook. That illuminated the company's efforts to secretly collect all kinds of data in its social graph to improve its advertising and friend recommendations, beyond the details intentionally shared by members.

Because the various versions of Android have no coherent security policy regarding the sharing of personal data without the user's permission, Facebook's "automatic sharing" in its Android app affects everyone, even iOS users with Android friends.

Symantec said it "reached out" to Facebook, which it said "investigated the issue and will provide a fix in their next Facebook for Android release." Facebook denied that it was collecting the data for actual use and stated that it had deleted the information from its servers.

"Unfortunately, the Facebook application is not the only application leaking private data or even the worst," Symantec noted. "We will continue to post information about risky applications to this blog in the upcoming weeks." In the meantime, the firm recommends that Android users download its tool to see which Android apps are "leaking" private information.

Apple's Walled Garden

Apple's "walled garden" approach to its mobile platform has long erected barriers for app developers, forcing them to request permission before collecting the user's location data, well before anyone anticipated that developers would broadly harvest location data. 

Last year, Apple's iOS 6 similarly began to block unauthorized access to Contacts after Path was found to be uploading users' address books without asking. One year later, 96 percent of iOS users are on the latest version and protected by the security enhancement.

[Image: Mobile OS installed base stats]

Due to fragmentation on even new Android phones, Google's platform can't be similarly secured even if it were in Google's interests to stop app developers from sharing users' private data for advertising and social recommendation purposes. 

Apple's app model on iOS has always blocked third party apps from collecting data from other apps or reading other apps' files that aren't expressly accessed by the user. The company has also worked to protect users' privacy when browsing, turning off injected cookie tracking by default in Safari.

That practice has stymied the efforts of advertising networks to build dynamic Facebook-style dossiers on individuals for ad tracking and behavioral-targeting purposes, something that bothered Google so much that it simply ignored the security settings to collect data for ads and Google+, eventually resulting in the largest fine in FTC history.

Corporations' end run around Constitutional rights

Recent leaks describing corporate cooperation with government requests for private information have highlighted how businesses that collect large amounts of data for marketing, social graph or other purposes are effectively creating huge repositories for governments to tap into, often with minimal oversight in place to prevent abuses.

Public concerns about the U.S. government's spying programs have reached a fever pitch so high that Ars recently launched an investigation into whether Apple's iMessage, an encrypted enhancement that provides far more security than plain text SMS messages, could potentially be "spied upon" by Apple itself, something the company has said it simply does not do.

"Apple has always placed a priority on protecting our customers’ personal data," the company had stated earlier, "and we don’t collect or maintain a mountain of personal details about our customers in the first place. There are certain categories of information which we do not provide to law enforcement or any other group because we choose not to retain it."

No comment was made in the article about the complete lack of messaging security on other mobile platforms where SMS messaging isn't encrypted at all, including Android and Windows Mobile.

Encryption does appear to be having an impact on government efforts to police via wiretaps, however. A report this week by David Kravets of Wired cited a document by the U.S. Administrative Office of the Courts which noted:

"Encryption was reported for 15 wiretaps in 2012 and for 7 wiretaps conducted during previous years. In four of these wiretaps, officials were unable to decipher the plain text of the messages. This is the first time that jurisdictions have reported that encryption prevented officials from obtaining the plain text of the communications since the AO began collecting encryption data in 2001."

Kravets wrote that "the encryption numbers begin to highlight the government’s stated fear, and its propaganda railing against encryption — which is a standard feature on today’s Apple computers."

He also pointed out that "97 percent of the wiretaps issued last year were for 'portable devices' such as mobile phones and pagers," and "about 87 percent of the wiretaps were issued in drug-related cases."

AppleInsider, by Daniel Eran Dilger

Warning! Russian Malware attacking routers.

According to the FBI, Russian malware called Fancy Bear has infected thousands of routers and has the potential to spread quickly. The malware can allow the perpetrators to collect information by reading people's internet activity, like email, web browsing, passwords, etc.

Netflix Scam

Scammers are once again targeting Netflix subscribers. The assault itself isn't new, but it is more sophisticated than past attempts.

[Image: Netflix subscribers are being targeted by a phishing scam]

Apple releases iOS 11 and tvOS 11 today.

Today Apple released iOS 11 and tvOS 11. It is a major release, to be followed by OS 11 for the Mac on September 25th. These updates come alongside the exciting new hardware updates: iPhone X, iPhone 8, Watch Series 3 and Apple TV 4K.

Say "Yes" scam alert

The Federal Communications Commission is warning consumers about a new scam that is hooking consumers with just one word: Yes.


Swift-based ransomware targets Mac pirated software seekers

A new ransomware for Macs has been discovered. It is "poorly coded" in the Swift programming language. It encrypts the user's files and demands payment to get them back. In the end, regardless of whether the victim pays, the files will not be decrypted.

The ransomware is found on BitTorrent sites under the name Patcher. It poses as a crack for removing the copy protection and licensing systems used with popular software like Adobe Premiere Pro and Microsoft Office 2016. It is possible that it is circulating under different names.