Tag Archives: Apple


Apple’s Yosemite Update Exposes User’s Privacy Settings: How to Fix

Sometimes first-round launches of software reveal vulnerabilities not taken into account during the development process. If you have a Mac and have upgraded to OS X Yosemite, you might be at risk of your IP address being exposed. As Data Privacy Day nears on January 28th, many of you are looking for a way to secure your information and protect yourselves, and education about cyber crimes and your options is at the forefront of this cyber war.

While the Yosemite bug does not yet have an official fix from Apple developers, we uncovered an alternative workaround for the Yosemite vulnerability, and we’ve brought it to you for peace of mind.

The Yosemite vulnerability is caused by a new Spotlight bug that targets the user’s privacy settings, reportedly through a backdoor in Apple Mail specifically designed for spammers, advertisers and phishers. As you know, Spotlight was the search mechanism introduced into Apple’s software, starting with the iPad 2 Retina Display and the applicable Mac product at the time. Using it allows the user to search for anything on the device, its software, its settings or online, depending on the search topic.

However, Spotlight was discovered to do more than search for useful items on the device; it also sends out the user’s privacy settings and the currently installed operating system, and divulges the user’s browsing activity. Under the new Spotlight update, the user has the option to check a box that will block third-party content; however, the bug keeps the connection open even after the user has checked that option.

Without fixing the issue, advertisers and spammers who use the “tracking pixel” technique to communicate email addresses and system information to their servers will have access to the user’s private information in settings.
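The “tracking pixel” mechanism mentioned above works because a mail client fetches a remote image, and the request carries a per-recipient identifier back to the sender’s server. The usual mitigation is to refuse to load remote images (or to strip them before rendering). The following is an added example, not code from the original post or from Apple: a small Python filter that parses an HTML mail body, flags images that look like tracking pixels (remote, tiny, hidden, or carrying a tracking token in the URL), and rewrites remote image sources so the client cannot fetch them. The sample message and all hostnames in it are constructed for the example.

```python
"""Detect and neutralise remote 'tracking pixel' images in an HTML email body.

Added example (not part of the original post). SAMPLE_MAIL and its
hostnames are constructed purely for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


class ImgCollector(HTMLParser):
    """Collect every <img> tag's attributes, in document order."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})

    # <img .../> written as a self-closing tag goes through here
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def _is_tiny(value):
    """True for width/height values of 0 or 1 (px), typical for a pixel beacon."""
    v = value.strip().lower().replace("px", "")
    return v.isdigit() and int(v) <= 1


def _style_hides(style):
    """True when inline CSS makes the image invisible to the reader."""
    s = style.replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s or "opacity:0" in s


def is_tracking_pixel(attrs):
    """Heuristic: a remote image that is tiny or hidden, or whose URL carries
    a per-recipient token (query string or a long opaque file name)."""
    src = attrs.get("src", "")
    parsed = urlparse(src)
    if parsed.scheme not in ("http", "https"):
        return False  # cid:/data: images are embedded and cannot phone home
    if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
        return True
    if _style_hides(attrs.get("style", "")):
        return True
    if parse_qs(parsed.query):  # e.g. ?uid=...&camp=...
        return True
    token = parsed.path.rsplit("/", 1)[-1].split(".")[0]
    return len(token) >= 24 and any(c.isdigit() for c in token)


def find_tracking_pixels(html):
    """Return the src of every image that looks like a tracking pixel."""
    collector = ImgCollector()
    collector.feed(html)
    return [img["src"] for img in collector.images if is_tracking_pixel(img)]


# Matches the src= attribute of an <img> tag that points at a remote URL.
_REMOTE_IMG = re.compile(r'(<img\b[^>]*?\bsrc\s*=\s*["\']?)(https?://)', re.IGNORECASE)


def neutralise_remote_images(html):
    """Prefix every remote <img src> with an unfetchable scheme so the mail
    client renders nothing and sends no request; embedded cid: images are kept."""
    return _REMOTE_IMG.sub(r"\1blocked:\2", html)


# Constructed sample message: one embedded logo, two beacons, one ordinary banner.
SAMPLE_MAIL = """<html><body>
<p>Hello,</p>
<img src="cid:logo.png" width="120" height="40" alt="logo">
<img src="https://track.example.invalid/o/4f2c9a1d7e8b5c3a9d0f1e2b3c4d5e6f.gif" width="1" height="1">
<img src="https://ads.example.invalid/pixel.gif?uid=abc123&amp;camp=spring" style="display:none">
<img src="https://images.example.invalid/banner.jpg" width="600" height="100">
</body></html>"""

if __name__ == "__main__":
    for src in find_tracking_pixels(SAMPLE_MAIL):
        print("tracking pixel:", src)
    print(neutralise_remote_images(SAMPLE_MAIL))
```

On the constructed sample the filter flags the two beacons and leaves the embedded logo and the visible banner alone; the neutralised output can be handed to a renderer that treats unknown URL schemes as unloadable. The heuristics are deliberately conservative; a real filter would combine this with a policy of not loading any remote content by default.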

Who does this affect?

The bug does not compromise every Apple user; only a specific niche of Apple users. If you have an Apple product such as an iPad, a Mac or an iPod, and you take advantage of the Spotlight feature to search for items on your device, and you also use Apple Mail products, then you are at risk of having your confidential information exposed to third-party advertisers. There is no security check on the server or the device to prevent unsolicited emails or advertisements from these sources.

Here’s how to fix the bug.

Apple Mail users can bypass the bug by removing “Mail” and all its services from their Spotlight search. By opening “System Preferences” and then “Spotlight”, you can eliminate Mail services from the search function by un-checking the “Mail and Messages” checkbox.

If you’d rather avoid the issue entirely, you can migrate to other apps including Dropbox Mailbox, Google Sparrow or Mindscene Mail Pilot.

These are the only two current ways to protect yourself from the Apple vulnerability. Currently, you cannot use Apple Mail and Spotlight together without being affected by this bug.

Privacy Class Action Started Against 18 Tech Companies While Congress Wants to Chat with Apple

In the fight for online freedom and the right to privacy there are three main ways in which action can be taken. The first is for each individual to protect their online identity by using the right privacy software and applying common sense to their online activities. The second is to protest (like the Internet Blackout Day in January) and the third is to use the law. It is this third option which is being used this week by a group of 13 individuals in Texas, who have filed a class action, and by two congressmen who have sent Apple a letter asking Timothy Cook, Apple’s chief executive, to make representatives available to brief an Energy and Commerce subcommittee.

The class action is being brought against 18 tech companies including Facebook, Twitter, Foursquare, Yelp and the makers of the popular game Angry Birds for stealing contacts from Android and iOS powered smartphones without the owner’s permission or knowledge. The lawsuit is in response to a story which broke in February when a blogger noticed that the social networking service Path uploaded a phone’s entire address book to its servers. This resulted in Path issuing an apology, deleting its entire collection of user-uploaded contact information from its servers and issuing a new version of its app. But it soon turned out that other social networking apps did exactly the same thing, hence the lawsuit.

The plaintiffs’ complaint is that the contacts in a mobile phone, which include physical and e-mail addresses, job titles and birthdays as well as phone numbers, are some of the most personal data that owners carry on their wireless mobile devices. And they claim that the defendants have made, distributed and sold apps that, once installed on a wireless mobile device, surreptitiously harvest, upload and illegally steal the owner’s address book data without the owner’s knowledge or consent.

The complaint then goes on to quote from the New York Times: “The address book in smartphones — where some of the user’s most personal data is carried — is free for app developers to take at will, often without the phone owner’s knowledge… Companies that make many of the most popular smartphone apps for Apple and Android devices — Twitter, Foursquare and Instagram among them — routinely gather the information in personal address books on the phone and in some cases store it on their own computers… While Apple says it prohibits and rejects any app that collects or transmits users’ personal data without their permission, that has not stopped some of the most popular applications for the iPhone, iPad and iPod — like Yelp, Gowalla, Hipster and Foodspotting — from taking users’ contacts and transmitting it without their knowledge.”

“We’re making some fairly serious allegations against the big boys,” the plaintiffs’ attorney, Jeff Edwards, told the Austin American-Statesman. “We’re saying, ‘Hey, you took something that didn’t belong to you, and you’re making a profit off it.’”

Congress, it seems, is also interested in how apps can get hold of a user’s data. This week Representative Henry A. Waxman, a California Democrat, and Representative G.K. Butterfield, Democrat of North Carolina, sent a letter to Apple’s CEO Timothy Cook asking for further clarification on how applications for the iPhone, iPad and iPod Touch are allowed to access photos without a user’s knowledge. In fact this is the second letter the pair have sent to Apple. Having received Apple’s reply to their first letter, Waxman and Butterfield wrote back to Apple saying that Apple’s reply did “not answer a number of the questions raised about the company’s efforts to protect the privacy and security of its mobile device users.”

Rather than asking for another reply from Apple, this time the two ranking members of the Subcommittee on Commerce, Manufacturing, and Trade are asking Apple to make available representatives to brief staff on the committee.

Twitter Stealing Smartphone Contacts

In another blunder by a top social networking site, Twitter has confirmed that its iPhone app copies the entire address book from a user’s smartphone and stores the data on its servers, for up to 18 months, without the user’s permission. As with many privacy breaches, the “need” to take private, confidential data comes wrapped in innocence and convenience. In the case of Twitter it is the “Find Friends” feature. This feature, which uploads names, phone numbers and email addresses, is used to identify possible friends who also use Twitter. Twitter’s blatant privacy blunder has two parts. First, the app should notify the user that it will now upload the entire contents of the user’s address book to Twitter’s servers. This is something that isn’t made clear by the app, but it might be written somewhere in tiny print in Twitter’s privacy policy. Secondly, the data should never, never be stored. Even if I do want Twitter to snoop around my address book to automatically find my friends, and even if I might let them upload my data to their servers to do this, I will never give my permission for this upload to remain on their servers for 18 months. This upload should be temporary and deleted as soon as the Find Friends search is complete.

What about other social networking sites?

The first time this problem was seen was not with Twitter but with Path, a social media service which provides a “simple way to keep a journal, or ‘Path’, of your life on the go.” Developer Arun Thampi was looking into the way the Path protocol worked when he noticed that his entire iPhone address book (including full names, emails and phone numbers) was being sent to Path. He blogged about his discovery, and this in turn caused Path’s CEO, David Morin, to issue an apology: “We made a mistake. Over the last couple of days users brought to light an issue concerning how we handle your personal information on Path, specifically the transmission and storage of your phone contacts.” Path then issued a statement that it had deleted the entire collection of user-uploaded contact information from its servers.

This then caused privacy experts to start looking at other social networking sites including Facebook, Foursquare, Instagram, Foodspotting and Yelp. It turns out that they all send data from your smartphone’s internal address book to their servers. Several do so without first asking permission. Instagram and Foursquare now ask for permission, but only since the issues found at Path.

Apple and Congress

Apple runs a very tight ship when it comes to its App Store, with apps taking days (even weeks) to be approved before being published. According to Apple’s guidelines: “Apps that read or write data outside its designated container area will be rejected” and “Apps cannot transmit data about a user without obtaining the user’s prior permission.” Unless you are Twitter, Facebook or Path, that is! This slip-up by Apple has led two US congressmen to write to Tim Cook, the CEO of Apple, asking why the company allows the practice on the iPhone. In the letter they ask whether “this incident raises questions about whether Apple’s iOS app developer policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts.”

Back to Twitter

Path issued new versions of their app (for iPhone and Android), as have Instagram and Foursquare. It seems that Twitter will do the same:

“We want to be clear and transparent in our communications with users. Along those lines, in our next app updates, which are coming soon, we are updating the language associated with Find Friends – to be more explicit,” Twitter spokeswoman Carolyn Penner told the BBC.