back to article App makers, you're STILL doing security wrong

Security expert Troy Hunt has taken a look at what mobile apps collect to send home to their owners, and isn't impressed: even PayPal is still addicted to invasive habits, he says. Looking at PayPal and two Australian apps – a small sample, admittedly, but we'll get to this shortly – the prominent Microsoft security researcher …

  1. This post has been deleted by its author

    1. troyhunt

      As a Chrome user who *doesn't* work for Microsoft (The Register seems to have implied that via my MVP status), the browser I suggest is... any of them. The observations are consistent across all the big ones in terms of the transgressions they disallow which slip by in mobile apps.

      1. Steven Burn

        Good to see you here :o)

        As an aside, Microsoft et al aren't exactly helping with these issues either (especially given default settings during Windows 8/10 installs as far as app access to location, profile etc etc, requiring they be manually turned off - they know as well as we do most are just going to do the default options instead of the custom route)

      2. Mark 85 Silver badge

        My apologies, Troy. There was this: " the prominent Microsoft security researcher concludes " and another line (edited out?) that implied you worked from them. I've withdrawn my smarmy post. I would have done it earlier but I just checked a bit ago.

    2. This post has been deleted by a moderator

  2. FF22


    First of all, contrary what the title says, this is not about security, but privacy. These two things are not only not interchangeable, but are - in some way - at the opposite ends of the same spectrum: security always almost comes at the cost of privacy, and you can only increase one if you lower your requirements on the other. It's because of the simple fact that security depends on being able to identify the persons who are asking for access. So, you can only increase security at the cost of loosening privacy requirements, and vice versa (if privacy is a top factor, you can't really have good security).

    And there lies actually a culprit. Obviously the clueless "expert" doesn't get it, but all that information are collected by the PayPal app so it's easier for them to spot fraudulent transaction request from unauthorized devices and unauthorized users. Because stealing a user's password might be rather easy (even using basic phishing techniques), but figuring out all the other data collected by the app, like device IDs, network IDs, etc. and duplicating them, are not so much (easy). When they do not match, PayPal can flag the transaction and run possibly extra checks on it - all in order to protect the legitimate user's money.

    Also, the security "expert" worrying about PayPal knowing your device IDs is rather funny. Because you know, PayPal already knows who you are and what you're doing. Why? Because you registered your credit card and holder name with them, they also have your email address, and possibly your business name and real name. They also know what you bought and where you bough it (with your PayPal account). So by knowing also you SSID they can't "invade" your privacy any more, than they could already.

    So, all these privacy issues brought up by this "expert" are not actually privacy issues. They're rather issues of knowledge and of credibility, and they pinpoint a basic problem with today's tech journalism. Namely, that why on Earth does a technology news site pick up a story or "analysis" from somebody so clueless about privacy and security implications, and does re-publish it, without all the proper commentary and corrections?

    1. Robert Helpmann??

      Re: Security!=privacy

      FF22, your point about the difference between security and privacy is well taken (and well said, by the way), but I think both you and the analyst both make a fundamental error in attribution: why is PayPal gathering the info they do? Yes, they might be pulling it to compare against past transactions as a fraud prevention method. Conversely, they might have some legacy code from the beta testing phase of app development. The why of it is important for a number of reasons as it has implications for where weaknesses might be in the app itself (flaws might be left in simply because no-one is paying attention to the code) or what kind of data might be leaked in the event of a successful attack (PayPal is a prime target). While I would not expect my fellow commentards to dig through EULA of these apps or to contact the app publishers, it would seem the researcher had an missed opportunity there. The flaws mentioned in the other apps were certainly that: flaws.

      At the very least, one take-away should be that apps should only gather and transmit the data needed to do what they are intended to do. The more bloat that is added in, the greater the chances of flaws creeping into the mix. Also the more power the app will use, which in a mobile device can add up. The people who run the app (customers, for want of a better term) should know what info is collected, sent and retained by the app maker and have a reason of why this is done. Finally, the owner of the device on which an app is run should be able to control access rights for the app. This last should be pinned on the OS makers. Google's offering is particularly bad in this area, but I notice that the only hint as to what manufacturer's device was looked at by the analysis seemed to be Apple.

    2. dan1980

      Re: Security!=privacy


      While you certainly make some good points about this specific instance, the larger issue is that these apps are slurping up data that has no relevance to the service being offered.

      In other words, the current practice is simply to grab whatever you can or want and assume that that is fine. To argue whether any specific bit of data collected by any specific application for any specific entity is problematic or not is to get bogged down in, well, specifics - to miss the forest for the trees so to speak.

      The problem here is the state-of-play of the industry, which sees both security and privacy relegated rather far down the priority list.

      This is what is meant by "doing [it] wrong" - the way personal information is being treated is fundamentally incompatible with the goals of security and privacy. Security must be built in from the start to really be effective; it has to guide the development, the features, the technology and the data.

      Doing it right means starting from a base position of saying that security and privacy are the most important considerations and so wherever there is a quick buck to be made selling private information, that is trumped by the requirement of ensuring that private information is kept, well, private.

      Doing it right means a philosophy of 'least privilege' - grant access to as few systems and as little data as possible.

      So, while my SSID is less sensitive than most of the other information PayPal already has on me, they do not need it for any part of the transaction and so it shouldn't be collected.

    3. Remy Redert

      Re: Security!=privacy

      It's nice to think PayPal is collecting this information for security reasons, until you realise that your browser on both PC and phone don't leak this info and can be made to appear however you like. I expect that a lot of use of PayPal still goes through said browser.

    4. troyhunt

      Re: Security!=privacy

      Let me try and give a balanced response here and provide some examples that might clarify some misunderstandings. There are a number of issues in the post related to both security and privacy, sometimes at odds with each other and sometimes complimentary. For example, it would be reasonable to say that the lack of transport layer security is a risk to both; credentials are at risk of being exposed to eavesdroppers and without TLS, you have no assurance the site you think you're talking to is legitimate. A strong TLS implementation is beneficial to both and detrimental to neither.

      In terms of PayPal, of course the original article does refer to fraud protection and it also refers to how we seem to be able to survive in browser world without access to this device info. What I suspect you don't appreciate with regards to privacy is the difference between the data attributes we willingly provide (you've listed some good examples), versus those obtained without our knowledge. People get understandably edgy when they realise information about their private network environment is surreptitiously siphoned off, we saw the resulting outrage when Google was doing this.

      Regardless of which observations you bucket into which category, the fact remains that each of these three apps behaves in ways that most users were not expecting and handles data in ways they would not normally consciously opt into. That mobile apps can do so indiscreetly compared to their browser-based equivalents is the heart of the story.

      1. RayHerring

        Re: Security!=privacy

        Not only that, but take the comment I posted on your article about how to use Fiddler, where I investigated the Boost app, they were sending everything about me over HTTP, DOB, Address (though not all of it, likely enough, especially with the mobile phone number, easy to search Telstra whitepages).

        It's rather scary what mobile apps do, I for one have location services turned off these days.

      2. Cuddles Silver badge

        Re: Security!=privacy

        "People get understandably edgy when they realise information about their private network environment is surreptitiously siphoned off"

        But not edgy enough to actually do anything about it. People are happy to whine when some sort of data slurping happens to make the popular media, but they still blindly agree to anything and everything an app wants when they install them. It's all very well to criticise app makers for bad practice, but there's simply no incentive for them to make an effort since they know virtually no-one actually cares.

  3. Anonymous Coward
    Anonymous Coward

    I would argue that the PayPal app collects all that information as part of their fraud detection. It's to make sure one person doesn't have multiple or "stealth" PP accounts.

    1. Adam 1

      I would argue that your GPS coordinates can be easily spoofed by anyone who can type "fake GPS" into the play store search window and as such its effectiveness as a fraud detection is rather limited.

      You have to look at the perspective troy would be coming from. When you witness large multinational companies accidentally letting 150 million accounts be breached, you have to recognise that step 0 for security is to not collect the private information that isn't necessary to fulfill the transaction. Or to put it another way, how much do you think the home addresses of papal customers would be worth to identity fraudsters?

      1. Stoneshop Silver badge

        home addresses of papal customers

        That would be Piazza San Petro for a start, although I doubt they can be called "customers"

        1. Adam 1

          Bloody autocarrot

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021