As a Chrome user who *doesn't* work for Microsoft (The Register seems to have implied that via my MVP status), the browser I suggest is... any of them. The observations are consistent across all the big ones in terms of the transgressions they disallow which slip by in mobile apps.
App makers, you're STILL doing security wrong
Security expert Troy Hunt has taken a look at what mobile apps collect to send home to their owners, and isn't impressed: even PayPal is still addicted to invasive habits, he says. Looking at PayPal and two Australian apps – a small sample, admittedly, but we'll get to this shortly – the prominent Microsoft security researcher …
COMMENTS
-
This post has been deleted by its author
-
Monday 27th April 2015 23:36 GMT Steven Burn
Good to see you here :o)
As an aside, Microsoft et al. aren't exactly helping with these issues either (especially given the default settings during Windows 8/10 installs as far as app access to location, profile, etc., requiring that they be manually turned off - they know as well as we do that most people are just going to take the default options instead of the custom route).
-
Monday 27th April 2015 00:22 GMT FF22
Security!=privacy
First of all, contrary to what the title says, this is not about security, but privacy. These two things are not only not interchangeable, but are - in some way - at opposite ends of the same spectrum: security almost always comes at the cost of privacy, and you can only increase one if you lower your requirements on the other. It's because of the simple fact that security depends on being able to identify the persons who are asking for access. So, you can only increase security at the cost of loosening privacy requirements, and vice versa (if privacy is a top factor, you can't really have good security).
And there actually lies the culprit. Obviously the clueless "expert" doesn't get it, but all that information is collected by the PayPal app so it's easier for them to spot fraudulent transaction requests from unauthorized devices and unauthorized users. Because stealing a user's password might be rather easy (even using basic phishing techniques), but figuring out all the other data collected by the app, like device IDs, network IDs, etc. and duplicating them, is not so much (easy). When they do not match, PayPal can flag the transaction and possibly run extra checks on it - all in order to protect the legitimate user's money.
Also, the security "expert" worrying about PayPal knowing your device IDs is rather funny. Because you know, PayPal already knows who you are and what you're doing. Why? Because you registered your credit card and holder name with them, they also have your email address, and possibly your business name and real name. They also know what you bought and where you bought it (with your PayPal account). So by also knowing your SSID they can't "invade" your privacy any more than they could already.
So, all these privacy issues brought up by this "expert" are not actually privacy issues. They're rather issues of knowledge and of credibility, and they pinpoint a basic problem with today's tech journalism. Namely: why on Earth does a technology news site pick up a story or "analysis" from somebody so clueless about privacy and security implications, and re-publish it, without all the proper commentary and corrections?
-
Monday 27th April 2015 03:28 GMT Robert Helpmann??
Re: Security!=privacy
FF22, your point about the difference between security and privacy is well taken (and well said, by the way), but I think both you and the analyst make a fundamental error in attribution: why is PayPal gathering the info they do? Yes, they might be pulling it to compare against past transactions as a fraud prevention method. Conversely, they might have some legacy code from the beta testing phase of app development. The why of it is important for a number of reasons, as it has implications for where weaknesses might be in the app itself (flaws might be left in simply because no-one is paying attention to the code) or what kind of data might be leaked in the event of a successful attack (PayPal is a prime target). While I would not expect my fellow commentards to dig through the EULAs of these apps or to contact the app publishers, it would seem the researcher had a missed opportunity there. The flaws mentioned in the other apps were certainly that: flaws.
At the very least, one take-away should be that apps should only gather and transmit the data needed to do what they are intended to do. The more bloat that is added in, the greater the chances of flaws creeping into the mix. Also, the more power the app will use, which in a mobile device can add up. The people who run the app (customers, for want of a better term) should know what info is collected, sent and retained by the app maker, and be given a reason why this is done. Finally, the owner of the device on which an app is run should be able to control access rights for the app. This last should be pinned on the OS makers. Google's offering is particularly bad in this area, but I notice that the only hint as to which manufacturer's device was looked at by the analysis seemed to be Apple.
-
Monday 27th April 2015 03:36 GMT dan1980
Re: Security!=privacy
@FF22
While you certainly make some good points about this specific instance, the larger issue is that these apps are slurping up data that has no relevance to the service being offered.
In other words, the current practice is simply to grab whatever you can or want and assume that that is fine. To argue whether any specific bit of data collected by any specific application for any specific entity is problematic or not is to get bogged down in, well, specifics - to miss the forest for the trees so to speak.
The problem here is the state-of-play of the industry, which sees both security and privacy relegated rather far down the priority list.
This is what is meant by "doing [it] wrong" - the way personal information is being treated is fundamentally incompatible with the goals of security and privacy. Security must be built in from the start to really be effective; it has to guide the development, the features, the technology and the data.
Doing it right means starting from a base position of saying that security and privacy are the most important considerations and so wherever there is a quick buck to be made selling private information, that is trumped by the requirement of ensuring that private information is kept, well, private.
Doing it right means a philosophy of 'least privilege' - grant access to as few systems and as little data as possible.
So, while my SSID is less sensitive than most of the other information PayPal already has on me, they do not need it for any part of the transaction and so it shouldn't be collected.
-
Monday 27th April 2015 06:14 GMT Remy Redert
Re: Security!=privacy
It's nice to think PayPal is collecting this information for security reasons, until you realise that your browser on both PC and phone doesn't leak this info and can be made to appear however you like. I expect that a lot of use of PayPal still goes through said browser.
-
Monday 27th April 2015 08:23 GMT troyhunt
Re: Security!=privacy
Let me try and give a balanced response here and provide some examples that might clarify some misunderstandings. There are a number of issues in the post related to both security and privacy, sometimes at odds with each other and sometimes complementary. For example, it would be reasonable to say that the lack of transport layer security is a risk to both; credentials are at risk of being exposed to eavesdroppers, and without TLS you have no assurance the site you think you're talking to is legitimate. A strong TLS implementation is beneficial to both and detrimental to neither.
In terms of PayPal, of course the original article does refer to fraud protection, and it also refers to how we seem to be able to survive in the browser world without access to this device info. What I suspect you don't appreciate with regards to privacy is the difference between the data attributes we willingly provide (you've listed some good examples) versus those obtained without our knowledge. People get understandably edgy when they realise information about their private network environment is surreptitiously siphoned off; we saw the resulting outrage when Google was doing this.
Regardless of which observations you bucket into which category, the fact remains that each of these three apps behaves in ways that most users were not expecting and handles data in ways they would not normally consciously opt into. That mobile apps can do so indiscreetly compared to their browser-based equivalents is the heart of the story.
-
Monday 27th April 2015 09:39 GMT RayHerring
Re: Security!=privacy
Not only that, but take the comment I posted on your article about how to use Fiddler, where I investigated the Boost app: they were sending everything about me over HTTP - DOB, address (though not all of it; likely enough, though, especially with the mobile phone number, to make it easy to search the Telstra White Pages).
It's rather scary what mobile apps do, I for one have location services turned off these days.
-
Monday 27th April 2015 12:46 GMT Cuddles
Re: Security!=privacy
"People get understandably edgy when they realise information about their private network environment is surreptitiously siphoned off"
But not edgy enough to actually do anything about it. People are happy to whine when some sort of data slurping happens to make the popular media, but they still blindly agree to anything and everything an app wants when they install them. It's all very well to criticise app makers for bad practice, but there's simply no incentive for them to make an effort since they know virtually no-one actually cares.
-
Monday 27th April 2015 22:41 GMT Adam 1
I would argue that your GPS coordinates can be easily spoofed by anyone who can type "fake GPS" into the Play Store search window, and as such its effectiveness for fraud detection is rather limited.
You have to look at the perspective Troy would be coming from. When you witness large multinational companies accidentally letting 150 million accounts be breached, you have to recognise that step 0 for security is to not collect the private information that isn't necessary to fulfill the transaction. Or to put it another way, how much do you think the home addresses of PayPal customers would be worth to identity fraudsters?