Better Than You Know Yourself
Apple stakes a claim on privacy, Facebook stores app usage data without authorization, Google Chromecast hacked
Apple further brands itself as privacy oriented with CES billboard
Taking out a building-sized billboard is standard Apple procedure, but doing it outside the Consumer Electronics Show, which they traditionally don’t attend, has raised eyebrows. Even more interesting is the subject of the billboard, a claim of superior smartphone privacy through an antagonistic poke at the competition’s increasingly infamous levels of data siphoning. In stark contrast, Google’s marketing at the convention is centered around their voice assistant technology, which sends your queries to their servers and processes them for targeted advertising.
Analysis
While Apple’s claim that “what happens on your iPhone, stays on your iPhone” can be seen as technically true, in regard to sharing metadata from their own apps with other companies, the very concept of connected, third-party apps puts a mile-wide hole in the statement. For example, if a run tracking app wants to use your location, it is practically a guarantee that your location data will be uploaded and stored on the app’s servers - and likely that it will be shared with or sold to other organizations.
Still, if you are not knowledgeable in rooting Android devices, but must have a smartphone, an iPhone is currently your best privacy-oriented choice. The requirements for third-party apps to access device information are much more stringent for the developer, and notifications are upfront to the user.
Hypotheticals
With data privacy being enough of a mainstream issue for Apple to use it in marketing, is the climate warming to a fully privacy-oriented, mass-market smartphone operating system?
Some of the most popular Android apps share data with Facebook without user consent
The London-based charity, Privacy International, monitored the network traffic of 34 popular Android apps and found that roughly three in five of them transmitted data to Facebook as soon as the app was first opened, whether or not the user was logged into Facebook at the time. Using a unique ID for Google advertising, Facebook is able to determine who the users are.
Kayak, one of the most popular travel apps, sends Facebook detailed information on flight searches, with or without user permission - even if the user has opted out of Facebook cookies. Facebook says it is working on a “suite of changes” to address the issue.
Analysis
This is par for the course, as far as Android and Facebook are concerned. The blame for this tracking of app use can be placed firmly at Facebook’s feet, since it’s likely that many of the app developers didn’t know it was happening. The API call is apparently triggered by the initialization of Facebook’s Android SDK.
It is safe to operate under the assumption that everything done on a stock Android device is tracked by some entity, be it Google or a third party, and is used to build a targeted advertising profile on the user.
Hypotheticals
Why metadata matters: what could AI infer from metadata if a user opened an email sent from an address tied to an STD clinic, immediately called a general practitioner’s office, and then added an event to their calendar?
Chromecast hacked to promote PewDiePie’s YouTube channel
Two hackers, who go by the names HackerGiraffe and j3ws3r, remotely accessed Google Chromecasts around the world and forced them to promote the YouTube channel of Felix “PewDiePie” Kjellberg, the platform’s most subscribed-to personality. The hack affected devices connected to routers via Universal Plug and Play (UPnP). Both HackerGiraffe and Google claim that the best way to avoid the hack is to turn off UPnP on routers.
This is the second PewDiePie promotional hack claimed by the duo, who say they were also behind an attack that caused printers around the world to print a message to subscribe to the channel.
Analysis
The call to turn off Universal Plug and Play is expected from the hackers, but, outside of an initial “quick fix”, it is wholly inexcusable as a solution from Google. UPnP is meant for devices on a home network to discover each other and share data. Those devices should prevent unauthorized data transmission, even if they’re connected via UPnP.
Furthermore, if the reasoning behind this lack of security is to allow any phone on the network to access the Chromecast, there should be some sort of protection from hackers pretending to be a device on the network. This is the kind of security hole expected from a connected device built by a startup, not one of Google’s flagship products.
I would like to know:
If two independent hackers can remotely control a Chromecast when it is connected via UPnP, why would Google continue to offer UPnP as an option?
What information can be extracted from this device by a hacker? For example, can malware listen for everything sent to a Chromecast by phones on the network?
What other Google devices are this insecure when connected via UPnP?
Hypotheticals
The Google Home voice assistant is often connected via UPnP. I wonder if it uses shared networking source code with the Chromecast.
The Big Brother of Things is compiled by Blake Callens