www/proprietary malware-mobiles.html
From: Therese Godefroy
Subject: www/proprietary malware-mobiles.html
Date: Sun, 7 Oct 2018 15:12:58 -0400 (EDT)
CVSROOT: /webcvs/www
Module name: www
Changes by: Therese Godefroy <th_g> 18/10/07 15:12:58
Modified files:
proprietary : malware-mobiles.html
Log message:
Remove Google & Apple stuff; add a note w/links to malware-apple &
malware-google (RT #1325900); add missing items; restyle intro.
CVSWeb URLs:
http://web.cvs.savannah.gnu.org/viewcvs/www/proprietary/malware-mobiles.html?cvsroot=www&r1=1.58&r2=1.59
Patches:
Index: malware-mobiles.html
===================================================================
RCS file: /webcvs/www/www/proprietary/malware-mobiles.html,v
retrieving revision 1.58
retrieving revision 1.59
diff -u -b -r1.58 -r1.59
--- malware-mobiles.html 25 Jul 2018 01:45:33 -0000 1.58
+++ malware-mobiles.html 7 Oct 2018 19:12:58 -0000 1.59
@@ -1,5 +1,10 @@
<!--#include virtual="/server/header.html" -->
<!-- Parent-Version: 1.85 -->
+<!--
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Generated from propr-blurbs.rec. Please do not edit this file manually !
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-->
<title>Malware in Mobile Devices
- GNU Project - Free Software Foundation</title>
<style type="text/css" media="print,screen"><!--
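Review bot: style and documentation point on the new generated-file notice: "manually !" has a stray space before the exclamation mark, so the line should read "Please do not edit this file manually!"; and since the notice tells editors not to touch the file, it should also say how to regenerate it (the script or make target that consumes propr-blurbs.rec), otherwise the next editor has no way to act on the instruction.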
@@ -14,7 +19,7 @@
<p><a href="/proprietary/proprietary.html">Other examples of proprietary
malware</a></p>
-<div class="highlight-para">
+<div class="comment">
<p>
<em>Malware</em> means software designed to function in ways that
mistreat or harm the user. (This does not include accidental errors.)
@@ -36,14 +41,25 @@
tracking their movements, and listening to their conversations. This
is why we call them “Stalin's dream”.</p>
+<p>The malware we list here is present in every phone, or in software
+that is not made by Apple or Google (including its subsidiaries).
+Malicious functionalities in mobile software released by Apple or
+Google are listed in dedicated pages, <a
+href="/proprietary/malware-apple.html">Apple's Operating Systems are
+Malware</a> and <a href="/proprietary/malware-google.html">Google's
+Software Is Malware</a> respectively.</p>
+
+<div class="important">
<p>If you know of an example that ought to be in this page but isn't
here, please write
to <a href="mailto:address@hidden"><address@hidden></a>
to inform us. Please include the URL of a trustworthy reference or two
to present the specifics.</p>
</div>
+</div>
+<div class="column-limit"></div>
-<ul>
+<ul class="blurbs">
<li><p>The phone network
<a href="https://ssd.eff.org/en/module/problem-mobile-phones">
tracks the movements of each phone</a>.</p>
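Review bot: wording problem in the added paragraph: "software that is not made by Apple or Google (including its subsidiaries)" has two antecedents for "its"; "their subsidiaries" is what is meant. Structurally, this hunk also nests the existing `<div class="important">` inside the new `<div class="comment">` (the `</div>` added after the existing close is what makes the nesting balance), so check that the print/screen stylesheet has a rule for `.comment .important` or that the two classes do not fight over margins when nested.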
@@ -80,76 +96,91 @@
</li>
</ul>
-<p>Here are examples of malware in mobile devices. See also
-the <a href="/proprietary/malware-apple.html">the Apple malware
-page</a> for malicious functionalities specific to the Apple iThings.</p>
-
<div class="summary" style="margin-top: 1em">
<h3>Type of malware</h3>
<ul>
<li><a href="#back-doors">Back doors</a></li>
<!--<li><a href="#censorship">Censorship</a></li>-->
-<li><a href="#insecurity">Insecurity</a></li>
-<!--<li><a href="#sabotage">Sabotage</a></li>-->
-<!--<li><a href="#interference">Interference</a></li>-->
-<li><a href="#surveillance">Surveillance</a></li>
-<li><a href="#drm">Digital restrictions
- management</a> or “DRM” means functionalities designed
+ <li><a href="#drm">Digital restrictions
+ management</a> or “DRM”—functionalities designed
to restrict what users can do with the data in their computers.</li>
-<li><a href="#jails">Jails</a>—systems
+ <li><a href="#insecurity">Insecurity</a></li>
+<!--<li><a href="#interference">Interference</a></li>-->
+<!--<li><a href="#sabotage">Sabotage</a></li>-->
+ <li><a href="#surveillance">Surveillance</a></li>
+ <li><a href="#jails">Jails</a>—systems
that impose censorship on application programs.</li>
-<li><a href="#tyrants">Tyrants</a>—systems
+ <li><a href="#tyrants">Tyrants</a>—systems
that reject any operating system not “authorized” by the
manufacturer.</li>
</ul>
</div>
<h3 id="back-doors">Mobile Back Doors</h3>
+
<ul>
<li>
<p>See above for the <a href="#universal-back-door">general universal back
door</a> in essentially all mobile phones, which permits converting
them into full-time listening devices.</p>
</li>
+</ul>
- <li><p><a
href="https://www.fsf.org/blogs/community/replicant-developers-find-and-close-samsung-galaxy-backdoor">
- Samsung Galaxy devices running proprietary Android versions come with a
- back door</a> that provides remote access to the data stored on the
- device.</p>
+<ul class="blurbs">
+<!-- INSERT mobiles-back-door -->
+ <li id="M201609130">
+ <p>Xiaomi phones come with <a
+
href="https://www.thijsbroenink.com/2016/09/xiaomis-analytics-app-reverse-engineered">
+ a universal back door in the application processor, for Xiaomi's
+ use</a>.</p>
+
+ <p>This is separate from <a href="#universal-back-door-phone-modem">the
+ universal back door in the modem processor that the local phone
+ company can use</a>.</p>
+ </li>
+
+ <li id="M201511090">
+ <p>Baidu's proprietary Android library, Moplus, has a back door that <a
+
href="https://www.eff.org/deeplinks/2015/11/millions-android-devices-vulnerable-remote-hijacking-baidu-wrote-code-google-made">
+ can “upload files” as well as forcibly install
+ apps</a>.</p>
+
+ <p>It is used by 14,000 Android applications.</p>
+ </li>
+
+ <li id="M201412180">
+ <p><a
+
href="http://www.theguardian.com/technology/2014/dec/18/chinese-android-phones-coolpad-hacker-backdoor">
+ A Chinese version of Android has a universal back door</a>. Nearly
+ all models of mobile phones have a <a href="#universal-back-door">
+ universal back door in the modem chip</a>. So why did Coolpad bother
+ to introduce another? Because this one is controlled by Coolpad.</p>
+ </li>
+
+ <li id="M201403121">
+ <p id="samsung"><a
+
href="https://www.fsf.org/blogs/community/replicant-developers-find-and-close-samsung-galaxy-backdoor">
+ Samsung Galaxy devices running proprietary Android versions come with
+ a back door</a> that provides remote access to the files stored on
+ the device.</p>
</li>
+</ul>
- <li><p><a href="/proprietary/proprietary-back-doors.html#samsung">
- Samsung's back door</a> provides access to any file on the system.</p>
- </li>
- <li>
- <p>In Android,
- <a
href="http://www.computerworld.com/article/2506557/security0/google-throws--kill-switch--on-android-phones.html">
- Google has a back door to remotely delete apps.</a> (It was in a
- program called GTalkService, which seems since then to have been
- merged into Google Play.)
- </p>
-
- <p>
- Google can also
- <a
href="https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/">
- forcibly and remotely install apps</a> through Google Play.
- This is not equivalent to a universal back door, but permits various
- dirty tricks.
- </p>
-
- <p>
- Although Google's <em>exercise</em> of this power has not been
- malicious so far, the point is that nobody should have such power,
- which could also be used maliciously. You might well decide to let a
- security service remotely <em>deactivate</em> programs that it
- considers malicious. But there is no excuse for allowing it
- to <em>delete</em> the programs, and you should have the right to
- decide who (if anyone) to trust in this way.
- </p>
+<h3 id="drm">Mobile DRM</h3>
+
+<ul class="blurbs">
+<!-- INSERT mobiles-dr -->
+ <li id="M201501030">
+ <p id="netflix-app-geolocation-drm">The Netflix Android app <a
+
href="http://torrentfreak.com/netflix-cracks-down-on-vpn-and-proxy-pirates-150103/">
+ forces the use of Google DNS</a>. This is one of the methods that
+ Netflix uses to enforce the geolocation restrictions dictated by the
+ movie studios.</p>
</li>
</ul>
+
<h3 id="insecurity">Mobile Insecurity</h3>
<p>These bugs are/were not intentional, so unlike the rest of the file
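Review bot: two identifiers in this hunk need verifying against the rest of the page. The Xiaomi blurb (M201609130) links to `#universal-back-door-phone-modem`, while the other blurbs in the same list and the "See above" item link to `#universal-back-door`; only one of those anchors is likely to exist on this page, so the dead one should be fixed before the link is published. Second, the generator marker `<!-- INSERT mobiles-dr -->` does not follow the pattern of its siblings (`mobiles-back-door`, `mobiles-insec`, `mobiles-surv`); if the key in propr-blurbs.rec is `mobiles-drm`, the DRM section will be regenerated empty, so confirm the marker matches the generator's key.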
@@ -157,328 +188,604 @@
supposition that prestigious proprietary software doesn't have grave
bugs.</p>
-<ul>
-
-<li>
- <p>Siri, Alexa, and all the other voice-control systems can be
- <a
href="https://www.fastcodesign.com/90139019/a-simple-design-flaw-makes-it-astoundingly-easy-to-hack-siri-and-alexa">hijacked
by programs that play commands in ultrasound that humans can't hear</a>.
- </p>
-</li>
-
-<li>
- <p>Many Android devices <a
href="https://arstechnica.com/security/2017/04/wide-range-of-android-phones-vulnerable-to-device-hijacks-over-wi-fi/">
+<ul class="blurbs">
+<!-- INSERT mobiles-insec -->
+ <li id="M201807100">
+ <p>Siri, Alexa, and all the other voice-control systems can be <a
+
href="https://www.fastcodesign.com/90139019/a-simple-design-flaw-makes-it-astoundingly-easy-to-hack-siri-and-alexa">
+ hijacked by programs that play commands in ultrasound that humans
+ can't hear</a>.</p>
+ </li>
+
+ <li id="M201807020">
+ <p>Some Samsung phones randomly <a
+
href="https://www.theverge.com/circuitbreaker/2018/7/2/17528076/samsung-phones-text-rcs-update-messages">send
+ photos to people in the owner's contact list</a>.</p>
+ </li>
+
+ <li id="M201704050">
+ <p>Many Android devices <a
+
href="https://arstechnica.com/security/2017/04/wide-range-of-android-phones-vulnerable-to-device-hijacks-over-wi-fi/">
can be hijacked through their Wi-Fi chips</a> because of a bug in
Broadcom's non-free firmware.</p>
-</li>
-
-<li>
-<p>Samsung
-phones <a
href="https://www.bleepingcomputer.com/news/security/sms-exploitable-bug-in-samsung-galaxy-phones-can-be-used-for-ransomware-attacks/">have
-a security hole that allows an SMS message to install
-ransomware</a>.</p>
-</li>
-
-<li>
-<p>Many proprietary payment apps <a
-href="http://www.bloomberg.com/news/articles/2016-03-10/many-mobile-payments-startups-aren-t-properly-securing-user-data">
-transmit personal data in an insecure way</a>.
-However, the worse aspect of these apps is that
-<a href="/philosophy/surveillance-vs-democracy.html">payment is not
anonymous</a>.
-</p>
-</li>
+ </li>
- <li><p><a
href="http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html">
- The NSA can tap data in smart phones, including iPhones, Android, and
- BlackBerry</a>. While there is not much detail here, it seems that this
- does not operate via the universal back door that we know nearly all
- portable phones have. It may involve exploiting various bugs. There are
- <a href="#universal-back-door">
+ <li id="M201702170">
+ <p>The mobile apps for communicating <a
+
href="https://www.bleepingcomputer.com/news/security/millions-of-smart-cars-vulnerable-due-to-insecure-android-apps/">with
+ a smart but foolish car have very bad security</a>.</p>
+
+ <p>This is in addition to the fact that the car contains a cellular
+ modem that tells big brother all the time where it is. If you own
+ such a car, it would be wise to disconnect the modem so as to turn
+ off the tracking.</p>
+ </li>
+
+ <li id="M201701270">
+ <p>Samsung phones <a
+
href="https://www.bleepingcomputer.com/news/security/sms-exploitable-bug-in-samsung-galaxy-phones-can-be-used-for-ransomware-attacks/">have
+ a security hole that allows an SMS message to install
+ ransomware</a>.</p>
+ </li>
+
+ <li id="M201701130">
+ <p>WhatsApp has a feature that <a
+
href="https://techcrunch.com/2017/01/13/encrypted-messaging-platform-whatsapp-denies-backdoor-claim/">
+ has been described as a “back door”</a> because it would
+ enable governments to nullify its encryption.</p>
+
+ <p>The developers say that it wasn't intended as a back door, and that
+ may well be true. But that leaves the crucial question of whether it
+ functions as one. Because the program is nonfree, we cannot check by
+ studying it.</p>
+ </li>
+
+ <li id="M201607290">
+ <p><a
+
href="https://techcrunch.com/2016/07/29/research-shows-deleted-whatsapp-messages-arent-actually-deleted/">“Deleted”
+ WhatsApp messages are not entirely deleted</a>. They can be recovered
+ in various ways.</p>
+ </li>
+
+ <li id="M201607280">
+ <p>A half-blind security critique of a tracking app: it found that <a
+
href="http://www.consumerreports.org/mobile-security-software/glow-pregnancy-app-exposed-women-to-privacy-threats/">
+ blatant flaws allowed anyone to snoop on a user's personal data</a>.
+ The critique fails entirely to express concern that the app sends the
+ personal data to a server, where the <em>developer</em> gets it all.
+ This “service” is for suckers!</p>
+
+ <p>The server surely has a “privacy policy,” and surely
+ it is worthless since nearly all of them are.</p>
+ </li>
+
+ <li id="M201607190">
+ <p>A bug in a proprietary ASN.1 library, used
+ in cell phone towers as well as cell phones and routers, <a
+
href="http://arstechnica.com/security/2016/07/software-flaw-puts-mobile-phones-and-networks-at-risk-of-complete-takeover">allows
+ taking control of those systems</a>.</p>
+ </li>
+
+ <li id="M201603100">
+ <p>Many proprietary payment apps <a
+
href="http://www.bloomberg.com/news/articles/2016-03-10/many-mobile-payments-startups-aren-t-properly-securing-user-data">transmit
+ personal data in an insecure way</a>. However,
+ the worse aspect of these apps is that <a
+ href="/philosophy/surveillance-vs-democracy.html">payment is not
+ anonymous</a>.</p>
+ </li>
+
+ <li id="M201505294">
+ <p><a
+
href="http://phys.org/news/2015-05-app-vulnerability-threatens-millions-users.html">
+ Many smartphone apps use insecure authentication methods when storing
+ your personal data on remote servers</a>. This leaves personal
+ information like email addresses, passwords, and health information
+ vulnerable. Because many of these apps are proprietary it makes it
+ hard to impossible to know which apps are at risk.</p>
+ </li>
+
+ <li id="M201405190">
+ <p>An app to prevent “identity theft”
+ (access to personal data) by storing users' data on a special server <a
+
href="http://arstechnica.com/tech-policy/2014/05/id-theft-protector-lifelock-deletes-user-data-over-concerns-that-app-isnt-safe/">was
+ deactivated by its developer</a> which had discovered a security
+ flaw.</p>
+
+ <p>That developer seems to be conscientious about protecting personal
+ data from third parties in general, but it can't protect that data
+ from the state. Quite the contrary: confiding your data to someone
+ else's server, if not first encrypted by you with free software,
+ undermines your rights.</p>
+ </li>
+
+ <li id="M201402210">
+ <p>The <a
+
href="http://arstechnica.com/security/2014/02/crypto-weaknesses-in-whatsapp-the-kind-of-stuff-the-nsa-would-love/">insecurity
+ of WhatsApp</a> makes eavesdropping a snap.</p>
+ </li>
+
+ <li id="M201311120">
+ <p><a
+
href="https://web.archive.org/web/20180816030205/http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html">
+ The NSA can tap data in smart phones, including iPhones,
+ Android, and BlackBerry</a>. While there is not much
+ detail here, it seems that this does not operate via
+ the universal back door that we know nearly all portable
+ phones have. It may involve exploiting various bugs. There are <a
+
href="http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone">
lots of bugs in the phones' radio software</a>.</p>
</li>
</ul>
+
<h3 id="surveillance">Mobile Surveillance</h3>
-<ul>
- <li><p>The Sarahah app
- <a
href="https://theintercept.com/2017/08/27/hit-app-sarahah-quietly-uploads-your-address-book/">
+
+<ul class="blurbs">
+<!-- INSERT mobiles-surv -->
+ <li id="M201806110">
+ <p>The Spanish football streaming app <a
+
href="https://boingboing.net/2018/06/11/spanish-football-app-turns-use.html">tracks
+ the user's movements and listens through the microphone</a>.</p>
+
+ <p>This makes them act as spies for licensing enforcement.</p>
+
+ <p>I expect it implements DRM, too—that there is no way to save
+ a recording. But I can't be sure from the article.</p>
+
+ <p>If you learn to care much less about sports, you will benefit in
+ many ways. This is one more.</p>
+ </li>
+
+ <li id="M201804160">
+ <p>More than <a
+
href="https://www.theguardian.com/technology/2018/apr/16/child-apps-games-android-us-google-play-store-data-sharing-law-privacy">50%
+ of the 5,855 Android apps studied by researchers were found to snoop
+ and collect information about its users</a>. 40% of the apps were
+ found to insecurely snitch on its users. Furthermore, they could
+ detect only some methods of snooping, in these proprietary apps whose
+ source code they cannot look at. The other apps might be snooping
+ in other ways.</p>
+
+ <p>This is evidence that proprietary apps generally work against
+ their users. To protect their privacy and freedom, Android users
+ need to get rid of the proprietary software—both proprietary
+ Android by <a href="https://replicant.us">switching to Replicant</a>,
+ and the proprietary apps by getting apps from the free software
+ only <a href="https://f-droid.org/">F-Droid store</a> that <a
+ href="https://f-droid.org/wiki/page/Antifeatures"> prominently warns
+ the user if an app contains anti-features</a>.</p>
+ </li>
+
+ <li id="M201804020">
+ <p>Grindr collects information about <a
+
href="https://www.commondreams.org/news/2018/04/02/egregious-breach-privacy-popular-app-grindr-supplies-third-parties-users-hiv-status">
+ which users are HIV-positive, then provides the information to
+ companies</a>.</p>
+
+ <p>Grindr should not have so much information about its users.
+ It could be designed so that users communicate such info to each
+ other but not to the server's database.</p>
+ </li>
+
+ <li id="M201803050">
+ <p>The moviepass app and dis-service
+ spy on users even more than users expected. It <a
+
href="https://techcrunch.com/2018/03/05/moviepass-ceo-proudly-says-the-app-tracks-your-location-before-and-after-movies/">records
+ where they travel before and after going to a movie</a>.</p>
+
+ <p>Don't be tracked—pay cash!</p>
+ </li>
+
+ <li id="M201711240">
+ <p>Tracking software in popular Android apps
+ is pervasive and sometimes very clever. Some trackers can <a
+
href="https://theintercept.com/2017/11/24/staggering-variety-of-clandestine-trackers-found-in-popular-android-apps/">
+ follow a user's movements around a physical store by noticing WiFi
+ networks</a>.</p>
+ </li>
+
+ <li id="M201711230">
+ <p>AI-powered driving apps can <a
+
href="https://motherboard.vice.com/en_us/article/43nz9p/ai-powered-driving-apps-can-track-your-every-move">
+ track your every move</a>.</p>
+ </li>
+
+ <li id="M201708270">
+ <p>The Sarahah app <a
+
href="https://theintercept.com/2017/08/27/hit-app-sarahah-quietly-uploads-your-address-book/">
uploads all phone numbers and email addresses</a> in user's address
book to developer's server. Note that this article misuses the words
“<a href="/philosophy/free-sw.html">free software</a>”
referring to zero price.</p>
</li>
- <li><p>Some portable phones <a
href="http://www.prnewswire.com/news-releases/kryptowire-discovered-mobile-phone-firmware-that-transmitted-personally-identifiable-information-pii-without-user-consent-or-disclosure-300362844.html">are
- sold with spyware sending lots of data to China</a>.</p></li>
-
-<li>
- <p>Facebook's app listens all the time, <a
href="http://www.independent.co.uk/life-style/gadgets-and-tech/news/facebook-using-people-s-phones-to-listen-in-on-what-they-re-saying-claims-professor-a7057526.html">to
snoop
- on what people are listening to or watching</a>. In addition, it may
- be analyzing people's conversations to serve them with targeted
- advertisements.</p>
-</li>
-
+ <li id="M201707270">
+ <p>20 dishonest Android apps recorded <a
+
href="https://arstechnica.com/information-technology/2017/07/stealthy-google-play-apps-recorded-calls-and-stole-e-mails-and-texts">phone
+ calls and sent them and text messages and emails to snoopers</a>.</p>
+
+ <p>Google did not intend to make these apps spy; on the contrary, it
+ worked in various ways to prevent that, and deleted these apps after
+ discovering what they did. So we cannot blame Google specifically
+ for the snooping of these apps.</p>
+
+ <p>On the other hand, Google redistributes nonfree Android apps, and
+ therefore shares in the responsibility for the injustice of their being
+ nonfree. It also distributes its own nonfree apps, such as Google Play,
+ <a href="/philosophy/free-software-even-more-important.html">which
+ are malicious</a>.</p>
+
+ <p>Could Google have done a better job of preventing apps from
+ cheating? There is no systematic way for Google, or Android users,
+ to inspect executable proprietary apps to see what they do.</p>
+
+ <p>Google could demand the source code for these apps, and study
+ the source code somehow to determine whether they mistreat users in
+ various ways. If it did a good job of this, it could more or less
+ prevent such snooping, except when the app developers are clever
+ enough to outsmart the checking.</p>
+
+ <p>But since Google itself develops malicious apps, we cannot trust
+ Google to protect us. We must demand release of source code to the
+ public, so we can depend on each other.</p>
+ </li>
+
+ <li id="M201705230">
+ <p>Apps for BART <a
+
href="https://consumerist.com/2017/05/23/passengers-say-commuter-rail-app-illegally-collects-personal-user-data/">snoop
+ on users</a>.</p>
+
+ <p>With free software apps, users could <em>make sure</em> that they
+ don't snoop.</p>
+
+ <p>With proprietary apps, one can only hope that they don't.</p>
+ </li>
+
+ <li id="M201705040">
+ <p>A study found 234 Android apps that track users by <a
+
href="https://www.bleepingcomputer.com/news/security/234-android-applications-are-currently-using-ultrasonic-beacons-to-track-users/">listening
+ to ultrasound from beacons placed in stores or played by TV
+ programs</a>.</p>
+ </li>
+
+ <li id="M201704260">
+ <p>Faceapp appears to do lots of surveillance, judging by <a
+
href="https://www.washingtonpost.com/news/the-intersect/wp/2017/04/26/everything-thats-wrong-with-faceapp-the-latest-creepy-photo-app-for-your-face/">
+ how much access it demands to personal data in the device</a>.</p>
+ </li>
+
+ <li id="M201704190">
+ <p>Users are suing Bose for <a
+
href="https://www.washingtonpost.com/news/the-switch/wp/2017/04/19/bose-headphones-have-been-spying-on-their-customers-lawsuit-claims/">
+ distributing a spyware app for its headphones</a>. Specifically,
+ the app would record the names of the audio files users listen to
+ along with the headphone's unique serial number.</p>
+
+ <p>The suit accuses that this was done without the users' consent.
+ If the fine print of the app said that users gave consent for this,
+ would that make it acceptable? No way! It should be flat out <a
+ href="/philosophy/surveillance-vs-democracy.html"> illegal to design
+ the app to snoop at all</a>.</p>
+ </li>
+
+ <li id="M201704074">
+ <p>Pairs of Android apps can collude
+ to transmit users' personal data to servers. <a
+
href="https://www.theatlantic.com/technology/archive/2017/04/when-apps-collude-to-steal-your-data/522177/">A
+ study found tens of thousands of pairs that collude</a>.</p>
+ </li>
+
+ <li id="M201703300">
+ <p>Verizon <a
+
href="https://yro.slashdot.org/story/17/03/30/0112259/verizon-to-force-appflash-spyware-on-android-phones">
+ announced an opt-in proprietary search app that it will</a> pre-install
+ on some of its phones. The app will give Verizon the same information
+ about the users' searches that Google normally gets when they use
+ its search engine.</p>
+
+ <p>Currently, the app is <a
+
href="https://www.eff.org/deeplinks/2017/04/update-verizons-appflash-pre-installed-spyware-still-spyware">
+ being pre-installed on only one phone</a>, and the user must
+ explicitly opt-in before the app takes effect. However, the app
+ remains spyware—an “optional” piece of spyware is
+ still spyware.</p>
+ </li>
-<li>
- <p>A
- <a
href="https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf">
- research paper</a> that investigated the privacy and security
- of 283 Android VPN apps concluded that “in spite of the
- promises for privacy, security, and anonymity given by the
- majority of VPN apps—millions of users may be unawarely subject
- to poor security guarantees and abusive practices inflicted by
- VPN apps.”</p>
-
- <p>Following is a non-exhaustive list of proprietary VPN apps from
- the research paper that tracks and infringes the privacy of
- users:</p>
+ <li id="M201701210">
+ <p>The Meitu photo-editing app <a
+
href="https://theintercept.com/2017/01/21/popular-selfie-app-sending-user-data-to-china-researchers-say/">sends
+ user data to a Chinese company</a>.</p>
+ </li>
+
+ <li id="M201611280">
+ <p>The Uber app tracks <a
+
href="https://techcrunch.com/2016/11/28/uber-background-location-data-collection/">clients'
+ movements before and after the ride</a>.</p>
+
+ <p>This example illustrates how “getting the user's
+ consent” for surveillance is inadequate as a protection against
+ massive surveillance.</p>
+ </li>
+
+ <li id="M201611160">
+ <p>A <a
+
href="https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf">
+ research paper</a> that investigated the privacy and security of
+ 283 Android VPN apps concluded that “in spite of the promises
+ for privacy, security, and anonymity given by the majority of VPN
+ apps—millions of users may be unawarely subject to poor security
+ guarantees and abusive practices inflicted by VPN apps.”</p>
+
+ <p>Following is a non-exhaustive list, taken from the research paper,
+ of some proprietary VPN apps that track users and infringe their
+ privacy:</p>
- <dl>
+ <dl class="compact">
<dt>SurfEasy</dt>
<dd>Includes tracking libraries such as NativeX and Appflood,
meant to track users and show them targeted ads.</dd>
<dt>sFly Network Booster</dt>
<dd>Requests the <code>READ_SMS</code> and <code>SEND_SMS</code>
- permissions upon installation, meaning it has full access to
- users' text messages.</dd>
+ permissions upon installation, meaning it has full access to users'
+ text messages.</dd>
<dt>DroidVPN and TigerVPN</dt>
<dd>Requests the <code>READ_LOGS</code> permission to read logs
- for other apps and also core system logs. TigerVPN developers
- have confirmed this.</dd>
+ for other apps and also core system logs. TigerVPN developers have
+ confirmed this.</dd>
<dt>HideMyAss</dt>
- <dd>Sends traffic to LinkedIn. Also, it stores detailed logs
- and may turn them over to the UK government if
- requested.</dd>
+ <dd>Sends traffic to LinkedIn. Also, it stores detailed logs and
+ may turn them over to the UK government if requested.</dd>
<dt>VPN Services HotspotShield</dt>
<dd>Injects JavaScript code into the HTML pages returned to the
- users. The stated purpose of the JS injection is to display
- ads. Uses roughly 5 tracking libraries. Also, it redirects the
- user's traffic through valueclick.com (an advertising
- website).</dd>
+ users. The stated purpose of the JS injection is to display ads. Uses
+ roughly five tracking libraries. Also, it redirects the user's
+ traffic through valueclick.com (an advertising website).</dd>
<dt>WiFi Protector VPN</dt>
- <dd>Injects JavaScript code into HTML pages, and also uses
- roughly 5 tracking libraries. Developers of this app have
- confirmed that the non-premium version of the app does
- JavaScript injection for tracking and display ads.</dd>
+ <dd>Injects JavaScript code into HTML pages, and also uses roughly
+ five tracking libraries. Developers of this app have confirmed that
+ the non-premium version of the app does JavaScript injection for
+ tracking the user and displaying ads.</dd>
</dl>
-</li>
+ </li>
-<li>
- <p><a
href="http://www.privmetrics.org/wp-content/uploads/2015/06/wisec2015.pdf">A
study in 2015</a> found that 90% of the top-ranked gratis
- proprietary Android apps contained recognizable tracking libraries. For
- the paid proprietary apps, it was only 60%.</p>
-
- <p>The article confusingly describes gratis apps as “free”,
- but most of them are not in fact
- <a href="/philosophy/free-sw.html">free software</a>.
- It also uses the ugly word “monetize”. A good replacement
- for that word is “exploit”; nearly always that will fit
- perfectly.</p>
-</li>
-
-<li>
- <p>A study found 234 Android apps that track users by
- <a
href="https://www.bleepingcomputer.com/news/security/234-android-applications-are-currently-using-ultrasonic-beacons-to-track-users/">listening
- to ultrasound from beacons placed in stores or played by TV
programs</a>.
- </p>
-</li>
-
-<li>
- <p>Faceapp appears to do lots of surveillance, judging by
- <a
href="https://www.washingtonpost.com/news/the-intersect/wp/2017/04/26/everything-thats-wrong-with-faceapp-the-latest-creepy-photo-app-for-your-face/">
- how much access it demands to personal data in the device</a>.
- </p>
- </li>
-
-<li>
- <p>Pairs of Android apps can collude to transmit users' personal data
- to servers. <a
href="https://www.theatlantic.com/technology/archive/2017/04/when-apps-collude-to-steal-your-data/522177/">A
study found
- tens of thousands of pairs that collude.</a></p>
-</li>
-
-<li>
-<p>Google Play intentionally sends app developers <a
-href="http://gadgets.ndtv.com/apps/news/google-play-store-policy-raises-privacy-concerns-331116">
-the personal details of users that install the app</a>.</p>
-
-<p>Merely asking the “consent” of users is not enough
-to legitimize actions like this. At this point, most users have
-stopped reading the “Terms and Conditions” that spell out
-what they are “consenting” to. Google should clearly
-and honestly identify the information it collects on users, instead
-of hiding it in an obscurely worded EULA.</p>
-
-<p>However, to truly protect people's privacy, we must prevent Google
-and other companies from getting this personal information in the first
-place!</p>
-</li>
-
-<li>
- <p>Google Play (a component of Android) <a
-
href="https://www.extremetech.com/mobile/235594-yes-google-play-is-tracking-you-and-thats-just-the-tip-of-a-very-large-iceberg">
- tracks the users' movements without their permission</a>.</p>
-
- <p>Even if you disable Google Maps and location tracking, you must
- disable Google Play itself to completely stop the tracking. This is
- yet another example of nonfree software pretending to obey the user,
- when it's actually doing something else. Such a thing would be almost
- unthinkable with free software.</p>
-
-</li>
-<li>
- <p>Verizon <a
href="https://yro.slashdot.org/story/17/03/30/0112259/verizon-to-force-appflash-spyware-on-android-phones">
- announced an opt-in proprietary search app that it will</a>
- pre-install on some of its phones. The app will give Verizon the same
- information about the users' searches that Google normally gets when
- they use its search engine.</p>
-
- <p>Currently, the app is <a
href="https://www.eff.org/deeplinks/2017/04/update-verizons-appflash-pre-installed-spyware-still-spyware">
- being pre-installed on only one phone</a>, and the
- user must explicitly opt-in before the app takes effect. However, the
- app remains spyware—an “optional” piece of spyware is
- still spyware.</p>
-</li>
-<li><p>The Meitu photo-editing
-app <a
href="https://theintercept.com/2017/01/21/popular-selfie-app-sending-user-data-to-china-researchers-say/">sends
-user data to a Chinese company</a>.</p></li>
-
-<li>
-<p>A half-blind security critique of a tracking app: it found that <a
-href="http://www.consumerreports.org/mobile-security-software/glow-pregnancy-app-exposed-women-to-privacy-threats/">
-blatant flaws allowed anyone to snoop on a user's personal data</a>.
-The critique fails entirely to express concern that the app sends the
-personal data to a server, where the <em>developer</em> gets it all.
-This “service” is for suckers!</p>
-
-<p>The server surely has a “privacy policy,” and surely it
-is worthless since nearly all of them are.</p>
-</li>
-
- <li><p>Apps that include
- <a
href="http://techaeris.com/2016/01/13/symphony-advanced-media-software-tracks-your-digital-life-through-your-smartphone-mic/">
- Symphony surveillance software snoop on what radio and TV programs are
- playing nearby</a>. Also on what users post on various sites such as
- Facebook, Google+ and Twitter.</p>
- </li>
-
- <li><p>More than 73% and 47% of mobile applications, both from Android and
iOS
- respectively <a href="http://jots.pub/a/2015103001/index.php">share personal,
- behavioral and location information</a> of their users with third
parties.</p>
+ <li id="M201611150">
+ <p>Some portable phones <a
+
href="http://www.prnewswire.com/news-releases/kryptowire-discovered-mobile-phone-firmware-that-transmitted-personally-identifiable-information-pii-without-user-consent-or-disclosure-300362844.html">are
+ sold with spyware sending lots of data to China</a>.</p>
+ </li>
+
+ <li id="M201606050">
+ <p>Facebook's new Magic Photo app <a
+
href="https://www.theregister.co.uk/2015/11/10/facebook_scans_camera_for_your_friends/">
+ scans your mobile phone's photo collections for known faces</a>,
+ and suggests you to share the picture you take according to who is
+ in the frame.</p>
+
+ <p>This spyware feature seems to require online access to some
+ known-faces database, which means the pictures are likely to be
+ sent across the wire to Facebook's servers and face-recognition
+ algorithms.</p>
+
+ <p>If so, none of Facebook users' pictures are private anymore,
+ even if the user didn't “upload” them to the service.</p>
+ </li>
+
+ <li id="M201605310">
+ <p>Facebook's app listens all the time, <a
+
href="http://www.independent.co.uk/life-style/gadgets-and-tech/news/facebook-using-people-s-phones-to-listen-in-on-what-they-re-saying-claims-professor-a7057526.html">to
+ snoop on what people are listening to or watching</a>. In addition,
+ it may be analyzing people's conversations to serve them with targeted
+ advertisements.</p>
</li>
- <li><p>“Cryptic communication,” unrelated to the app's
functionality,
- was <a
href="http://news.mit.edu/2015/data-transferred-android-apps-hiding-1119">
+ <li id="M201604250">
+ <p>A pregnancy test controller application not only can <a
+
href="http://www.theverge.com/2016/4/25/11503718/first-response-pregnancy-pro-test-bluetooth-app-security">
+ spy on many sorts of data in the phone, and in server accounts,
+ it can alter them too</a>.</p>
+ </li>
+
+ <li id="M201601130">
+ <p>Apps that include <a
+
href="http://techaeris.com/2016/01/13/symphony-advanced-media-software-tracks-your-digital-life-through-your-smartphone-mic/">
+ Symphony surveillance software snoop on what radio and TV programs
+ are playing nearby</a>. Also on what users post on various sites
+ such as Facebook, Google+ and Twitter.</p>
+ </li>
+
+ <li id="M201601110">
+ <p>The natural extension of monitoring
+ people through “their” phones is <a
+
href="http://www.northwestern.edu/newscenter/stories/2016/01/fool-activity-tracker.html">
+ proprietary software to make sure they can't “fool”
+ the monitoring</a>.</p>
+ </li>
+
+ <li id="M201511190">
+ <p>“Cryptic communication,”
+ unrelated to the app's functionality, was <a
+ href="http://news.mit.edu/2015/data-transferred-android-apps-hiding-1119">
found in the 500 most popular gratis Android apps</a>.</p>
<p>The article should not have described these apps as
- “free”—they are not free software. The clear way to say
- “zero price” is “gratis.”</p>
+ “free”—they are not free software. The clear way
+ to say “zero price” is “gratis.”</p>
<p>The article takes for granted that the usual analytics tools are
legitimate, but is that valid? Software developers have no right to
- analyze what users are doing or how. “Analytics” tools that
snoop are
- just as wrong as any other snooping.</p>
+ analyze what users are doing or how. “Analytics” tools
+ that snoop are just as wrong as any other snooping.</p>
</li>
- <li><p>Many proprietary apps for mobile devices report which other
- apps the user has
- installed. <a
href="http://techcrunch.com/2014/11/26/twitter-app-graph/">Twitter
- is doing this in a way that at least is visible and
- optional</a>. Not as bad as what the others do.</p>
+ <li id="M201510300">
+ <p>More than 73% and 47% of mobile applications, from Android and iOS
+ respectively <a href="https://techscience.org/a/2015103001/">share
+ personal, behavioral and location information</a> of their users with
+ third parties.</p>
+ </li>
+
+ <li id="M201510050">
+ <p>According to Edward Snowden, <a
+ href="http://www.bbc.com/news/uk-34444233">agencies can take over
+ smartphones</a> by sending hidden text messages which enable
+ them to turn the phones on and off, listen to the microphone,
+ retrieve geo-location data from the GPS, take photographs, read
+ text messages, read call, location and web browsing history, and
+ read the contact list. This malware is designed to disguise itself
+ from investigation.</p>
+ </li>
+
+ <li id="M201508210">
+ <p>Like most “music screaming” disservices, Spotify is
+ based on proprietary malware (DRM and snooping). In August 2015 it <a
+
href="http://www.theguardian.com/technology/2015/aug/21/spotify-faces-user-backlash-over-new-privacy-policy">
+ demanded users submit to increased snooping</a>, and some are starting
+ to realize that it is nasty.</p>
+
+ <p>This article shows the <a
+
href="https://www.theregister.co.uk/2015/08/21/spotify_worse_than_the_nsa/">
+ twisted ways that they present snooping as a way to “serve”
+ users better</a>—never mind whether they want that. This is a
+ typical example of the attitude of the proprietary software industry
+ towards those they have subjugated.</p>
+
+ <p>Out, out, damned Spotify!</p>
+ </li>
+
+ <li id="M201507030">
+ <p>Samsung phones come with <a
+
href="http://arstechnica.com/gadgets/2015/07/samsung-sued-for-loading-devices-with-unremovable-crapware-in-china/">apps
+ that users can't delete</a>, and they send so much data that their
+ transmission is a substantial expense for users. Said transmission,
+ not wanted or requested by the user, clearly must constitute spying
+ of some kind.</p>
+ </li>
+
+ <li id="M201506264">
+ <p><a
+
href="http://www.privmetrics.org/wp-content/uploads/2015/06/wisec2015.pdf">A
+ study in 2015</a> found that 90% of the top-ranked gratis proprietary
+ Android apps contained recognizable tracking libraries. For the paid
+ proprietary apps, it was only 60%.</p>
+
+ <p>The article confusingly describes gratis apps as
+ “free”, but most of them are not in fact <a
+ href="/philosophy/free-sw.html">free software</a>. It also uses the
+ ugly word “monetize”. A good replacement for that word
+ is “exploit”; nearly always that will fit perfectly.</p>
+ </li>
+
+ <li id="M201505060">
+ <p>Gratis Android apps (but not <a
+ href="/philosophy/free-sw.html">free software</a>) connect to 100 <a
+
href="http://www.theguardian.com/technology/2015/may/06/free-android-apps-connect-tracking-advertising-websites">tracking
+ and advertising</a> URLs, on the average.</p>
</li>
- <li><p>Portable phones with GPS will send their GPS location on remote
- command and users cannot stop them: <a
-
href="http://www.aclu.org/government-location-tracking-cell-phones-gps-devices-and-license-plate-readers">
-
http://www.aclu.org/government-location-tracking-cell-phones-gps-devices-and-license-plate-readers</a>.
- (The US says it will eventually require all new portable phones to have
- GPS.)</p>
- </li>
-
- <li><p>Spyware in Cisco TNP IP phones: <a
- href="http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html">
-
http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html</a>.</p></li>
+ <li id="M201504060">
+ <p>Widely used <a
+
href="https://freedom-to-tinker.com/blog/kollarssmith/scan-this-or-scan-me-user-privacy-barcode-scanning-applications/">proprietary
+ QR-code scanner apps snoop on the user</a>. This is in addition to
+ the snooping done by the phone company, and perhaps by the OS in
+ the phone.</p>
- <li><p>Spyware in Android phones (and Windows? laptops): The Wall Street
- Journal (in an article blocked from us by a paywall) reports that <a
-
href="http://www.theverge.com/2013/8/1/4580718/fbi-can-remotely-activate-android-and-laptop-microphones-reports-wsj">
- the FBI can remotely activate the GPS and microphone in Android phones
- and in laptops</a>. (I suspect this means Windows laptops.) Here is <a
- href="http://cryptome.org/2013/08/fbi-hackers.htm">more info</a>.</p>
+ <p>Don't be distracted by the question of whether the app developers
+ get users to say “I agree”. That is no excuse for
+ malware.</p>
</li>
- <li><p>Some Motorola phones modify Android to <a
- href="http://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html">
- send personal data to Motorola.</a></p>
+ <li id="M201411260">
+ <p>Many proprietary apps for mobile devices
+ report which other apps the user has installed. <a
+ href="http://techcrunch.com/2014/11/26/twitter-app-graph/">Twitter
+ is doing this in a way that at least is visible and optional</a>. Not
+ as bad as what the others do.</p>
</li>
- <li><p>Some manufacturers add a <a
-
href="http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/">
- hidden general surveillance package such as Carrier IQ.</a></p>
+ <li id="M201403120">
+ <p><a href="/proprietary/proprietary-back-doors.html#samsung">
+ Samsung's back door</a> provides access to any file on the system.</p>
</li>
- <li><p>Widely used <a
-
href="https://freedom-to-tinker.com/blog/kollarssmith/scan-this-or-scan-me-user-privacy-barcode-scanning-applications/">proprietary
- QR-code scanner apps snoop on the user</a>. This is in addition to
- the snooping done by the phone company, and perhaps by the OS in the
- phone.</p>
-
- <p>Don't be distracted by the question of whether the app developers get
- users to say “I agree”. That is no excuse for malware.</p>
+ <li id="M201401151">
+ <p>The Simeji keyboard is a smartphone version of Baidu's <a
+ href="/proprietary/proprietary-surveillance.html#baidu-ime">spying <abbr
+ title="Input Method Editor">IME</abbr></a>.</p>
+ </li>
+
+ <li id="M201312270">
+ <p>The nonfree Snapchat app's principal purpose is to restrict the
+ use of data on the user's computer, but it does surveillance too: <a
+
href="http://www.theguardian.com/media/2013/dec/27/snapchat-may-be-exposed-hackers">
+ it tries to get the user's list of other people's phone
+ numbers</a>.</p>
+ </li>
+
+ <li id="M201312060">
+ <p>The Brightest Flashlight app <a
+
href="http://www.theguardian.com/technology/2013/dec/06/android-app-50m-downloads-sent-data-advertisers">
+ sends user data, including geolocation, for use by companies</a>.</p>
+
+ <p>The FTC criticized this app because it asked the user to
+ approve sending personal data to the app developer but did not ask
+ about sending it to other companies. This shows the weakness of
+ the reject-it-if-you-dislike-snooping “solution” to
+ surveillance: why should a flashlight app send any information to
+ anyone? A free software flashlight app would not.</p>
</li>
-</ul>
-<h3 id="drm">Mobile DRM</h3>
-<ul>
-
-<li id="android-apps-detect-rooting">
-<p>Google now allows Android apps to detect whether a device has been
-rooted, <a
href="http://www.androidpolice.com/2017/05/13/netflix-confirms-blocking-rootedunlocked-devices-app-still-working-now/">and
refuse to install
-if so</a>.</p>
-
-<p>Update: Google <i>intentionally</i> <a
href="https://torrentfreak.com/netflix-use-of-google-drm-means-rooted-android-devices-are-banned-170515/">
-changed Android so that apps can detect rooted devices and refuse to
-run on them</a>.</p>
-</li>
+ <li id="M201307000">
+ <p>Portable phones with GPS <a
+
href="http://www.aclu.org/government-location-tracking-cell-phones-gps-devices-and-license-plate-readers">
+ will send their GPS location on remote command, and users cannot stop
+ them</a>. (The US says it will eventually require all new portable phones
+ to have GPS.)</p>
+ </li>
- <li>
- <p>The iPhone 7 contains DRM specifically designed to <a
-
href="https://motherboard.vice.com/en_us/article/kbjm8e/iphone-7-home-button-unreplaceable-repair-software-lock">
- brick it if an “unauthorized” repair shop fixes it</a>.
- “Unauthorized” essentially means anyone besides Apple.</p>
-
- <p>The article uses the term “lock” to describe the DRM,
- but we prefer to use the term <a
- href="https://gnu.org/philosophy/words-to-avoid.html#DigitalLocks">
- digital handcuffs</a>.</p>
+ <li id="M201212100">
+ <p>FTC says most mobile apps for children don't respect privacy: <a
+
href="http://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-lacking-in-kids-mobile-appsand-its-getting-worse/">
+
http://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-lacking-in-kids-mobile-appsand-its-getting-worse/</a>.</p>
</li>
- <li><p>Android <a
href="https://developer.android.com/reference/android/drm/package-summary.html">contains
- facilities specifically to support DRM</a>.</p>
+ <li id="M201111170">
+ <p>Some manufacturers add a <a
+
href="http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/">
+ hidden general surveillance package such as Carrier IQ</a>.</p>
</li>
</ul>
+
<h3 id="jails">Mobile Jails</h3>
-<ul>
- <li><p><a
- href="https://fsf.org/campaigns/secure-boot-vs-restricted-boot/">Mobile
- devices that come with Windows 8 are tyrants</a>. <a
-
href="http://www.itworld.com/article/2832657/operating-systems/microsoft-metro-app-store-lock-down.html">Windows
- 8 on “mobile devices” is a jail.</a></p>
+
+<ul class="blurbs">
+<!-- INSERT mobiles-jail -->
+ <li id="M201210080">
+ <p><a
+
href="http://www.itworld.com/article/2832657/operating-systems/microsoft-metro-app-store-lock-down.html">
+ Windows 8 on “mobile devices” (now defunct) was a
+ jail</a>.</p>
</li>
</ul>
+
<h3 id="tyrants">Mobile Tyrants</h3>
-<ul>
- <li><p><a
href="http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html">
- Some Android phones are tyrants</a> (though someone found a way to crack
- the restriction). Fortunately, most Android devices are not tyrants.</p>
+
+<ul class="blurbs">
+<!-- INSERT mobiles-tyrant -->
+ <li id="M201110110">
+ <p><a href="https://fsf.org/campaigns/secure-boot-vs-restricted-boot/">
+ Mobile devices that come with Windows 8 are tyrants</a>.</p>
</li>
</ul>
+
+
</div><!-- for id="content", starts in the include above -->
<!--#include virtual="/server/footer.html" -->
<div id="footer">
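Review bot: the whole "Mobile DRM" section (the `<h3 id="drm">` heading and its three items, the Netflix root-detection, iPhone 7 repair lock and Android DRM facilities) is removed with no replacement anchor, so any inbound link to malware-mobiles.html#drm now lands nowhere; keep a short `<h3 id="drm">` stub pointing to where those items moved, or call out the dropped anchor in the log message. The removals also reach further than the "Google & Apple stuff" named in the log: the Verizon AppFlash, Meitu, Glow critique, Motorola, FBI/WSJ and Cisco TNP IP phone items all disappear, while the Carrier IQ, QR-scanner, Twitter app-graph and GPS items are only re-added under new `id="M…"` entries, so please confirm the six dropped items were intentionally moved to malware-google/malware-apple rather than lost in the regeneration from propr-blurbs.rec. Minor: the new Snowden item (`id="M201510050"`) and several others link over plain http where the removed text also did, so no regression, but worth an https pass in a follow-up.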
@@ -536,7 +843,7 @@
<p class="unprintable">Updated:
<!-- timestamp start -->
-$Date: 2018/07/25 01:45:33 $
+$Date: 2018/10/07 19:12:58 $
<!-- timestamp end -->
</p>
</div>