Slashdot: News for Nerds

New iOS App Sends Users' Web Traffic Through Its Proxy Servers

Soulskill posted about 2 years ago | from the you-can-trust-us dept.

New submitter spac writes "AllthingsD has an interesting story about how a startup called Wajam requires users of their service to download a script that sets up a proxy to handle all network requests for the purpose of providing 'Social Recommendations' within built-in apps. The privacy implications of using this profile script aren't clearly presented to users. Are we really to entrust our data to a company founded by a man who comes from the world of browser toolbars? And for social search?!" The company rushes to counter privacy concerns by pointing out that their service has "received security certifications from TRUSTe, McAfee and Norton."

83 comments

Most users don't care (4, Insightful)

mr1911 (1942298) | about 2 years ago | (#41172727)

They already post all of their life details on Facebook anyway.

Those that do care wouldn't use this app in the first place.

Not an app, a configuration (5, Informative)

SuperKendall (25149) | about 2 years ago | (#41172819)

Those that do care wouldn't use this app in the first place.

A point of technical accuracy; on iOS you could not sell an app that would alter the destination of traffic for all other apps.

Instead, they are using a configuration profile - it's the same mechanism that enables a company to configure iOS devices. The configuration profile can load in mandatory PIN use, or other settings for the phone - including a network proxy as we see here.

As you say, users will not really care... but even so I can't see them tricking many users into doing this.

Re:Not an app, a configuration (4, Insightful)

Nerdfest (867930) | about 2 years ago | (#41172969)

You have way more faith in users than I do. It's been shown again and again that you can make a platform as secure as you want, but if you allow a user to do something bad for them, they will do it ... even if you warn them.

Re:Not an app, a configuration (2)

SuperKendall (25149) | about 2 years ago | (#41173043)

I agree with you, it could be that perhaps Apple will do something to make it more difficult to install configuration profiles going forward...

If they felt this action was improper they could issue an OS update that would just block any attempt to use those servers as a proxy.

The real question is, what are they doing on those servers with your traffic...

Re:Not an app, a configuration (4, Insightful)

mwvdlee (775178) | about 2 years ago | (#41173091)

The real question is, what are they doing on those servers with your traffic...

Whatever they damn well want.
And if they're not doing it now, they may do so whenever they feel like it.

Re:Not an app, a configuration (0)

Anonymous Coward | about 2 years ago | (#41177523)

The real question is, what are they doing on those servers with your traffic...

Sitting in the middle and sniffing for credit card numbers?

Re:Not an app, a configuration (1)

cyp43r (945301) | about 2 years ago | (#41184349)

A platform that is secure as you want = not allowing users to do something bad for them.

Re:Not an app, a configuration (3, Funny)

PopeRatzo (965947) | about 2 years ago | (#41173131)

As you say, users will not really care... but even so I can't see them tricking many users into doing this.

Why not? Those users were tricked into buying iPhones in the first place, so there's a pretty good likelihood that they're gullible.

Re:Not an app, a configuration (1)

Anonymous Coward | about 2 years ago | (#41173491)

Why not? Those users were tricked into buying iPhones in the first place, so there's a pretty good likelihood that they're gullible.

Those users are probably the same people who think cloud computing has to do with the weather (from the adjacent slashdot article). XD

Re:Not an app, a configuration (-1, Troll)

AK Marc (707885) | about 2 years ago | (#41174543)

"tricked" by features nobody else had at a competitive price? I know, you are the only one who knows what everyone else really wants. And if they don't want what you want, it's because everyone else on the planet is insane, not that you are wrong.

Re:Not an app, a configuration (0)

Anonymous Coward | about 2 years ago | (#41173447)

I've cleaned up the aftermath of many Dancing Bunnies security "holes". One would be surprised at the gymnastics a user will go through just so they can open up an e-card or browse pr0n using a "viewer".

Even worse, there is a halo effect on iOS, where users can believe that the device is hack-proof. So, someone doing a profile like this would be something few users expect.

Re:Not an app, a configuration (4, Insightful)

icebike (68054) | about 2 years ago | (#41173501)

A point of technical accuracy; on iOS you could not sell an app that would alter the destination of traffic for all other apps.

Instead, they are using a configuration profile - it's the same mechanism that enables a company to configure iOS devices. The configuration profile can load in mandatory PIN use, or other settings for the phone - including a network proxy as we see here.

As you say, users will not really care... but even so I can't see them tricking many users into doing this.

Still, what happened to the curated garden that Apple is so proud of?

An app that helps singles find others in bars is booted from the App store for fear of stalking, but one that steals ALL your traffic is OK?

90% of iPhone users have no clue what the pop-ups and check boxes mean. It's just some techno-talk-gibberish that you have to click OK in order to use your cool new app.

Re:Not an app, a configuration (2, Informative)

scdeimos (632778) | about 2 years ago | (#41173989)

A point of technical accuracy; on iOS you could not sell an app that would alter the destination of traffic for all other apps.

Instead, they are using a configuration profile - it's the same mechanism that enables a company to configure iOS devices. The configuration profile can load in mandatory PIN use, or other settings for the phone - including a network proxy as we see here.

As you say, users will not really care... but even so I can't see them tricking many users into doing this.

Still, what happened to the curated garden that Apple is so proud of?

An app that helps singles find others in bars is booted from the App store for fear of stalking, but one that steals ALL your traffic is OK?

90% of iPhone users have no clue what the pop-ups and check boxes mean. It's just some techno-talk-gibberish that you have to click OK in order to use your cool new app.

Did you even read TFA? This is /. so I guess not.

Ignoring that Apple are dicktards when it comes to consistent enforcement of their own App Store policies, the Wajam app doesn't even touch your traffic. Users are encouraged to download and install a separate Configuration Profile that tells the iDevice to use a proxy server at Wajam's DC for internet traffic. Carrier Settings/Configuration Profiles are not new... for a number of years web sites like http://www.unlockit.co.nz/ [unlockit.co.nz] have enabled users to define their own APN configurations so they can do things like disable 2G/3G data access to prevent carriers from generating massive bills.

Re:Not an app, a configuration (4, Interesting)

icebike (68054) | about 2 years ago | (#41174099)

You make a huge distinction for very little difference.

Regardless of HOW they get the user to use a proxy server, they are still systematically socially engineering them to do so.

That they use methods that were designed for corporate phones and apply them to public subscribers is simply more evidence of misbehavior.

That you accepted my gift of a wall clock does not excuse the presence of my listening device embedded therein, even if the fine print in the clock's user manual mentioned it.

Re:Not an app, a configuration (0)

Anonymous Coward | about 2 years ago | (#41175573)

It is more like you are giving a nice clock with a flyer that asks me to walk to your shop and receive a listening device from you for free, the flyer then says that I should install the listening device under the lamp shade.

Re:Not an app, a configuration (0)

Anonymous Coward | about 2 years ago | (#41175775)

No, it's not.

Re:Most users don't care (0)

Anonymous Coward | about 2 years ago | (#41173391)

Well if you don't mind their use of web-bugs, search history, browser history, bookmarks, lists of your apps and plugins, your MAC address, your drive SN, your CPU SN, debug info (includes logs of every app run and when), and third party cookies, just keep looking there's no-doubt more. They likely consider reading their privacy policy to make you a user, which they consider consent.

Don't even visit their website.

"Security certifications" != honest (1)

Anonymous Coward | about 2 years ago | (#41172747)

Yes, there are "security certifications", but they are more of a nature that the website itself isn't doing overt Web attacks.

Completely different from foisting a proxy setup onto unsuspecting users in order to add a layer of ads and tracking.

Re:"Security certifications" != honest (1)

Anonymous Coward | about 2 years ago | (#41172773)

"Security certifications", a.k.a., "none but ourselves will sell your data" :)

Re:"Security certifications" != honest (1)

AK Marc (707885) | about 2 years ago | (#41174555)

What's certified? The app could be certified, but not the proxy that's side-loaded and not technically part of the app itself.

security certification != privacy (5, Informative)

realitycheckplease (2487810) | about 2 years ago | (#41172765)

Presenting security certifications from TRUSTe, McAfee and Norton says nothing about how they'll use personal data. It just means that they might be less susceptible to hacking (but I personally doubt it) than companies without similar certifications.

But McAfee said... (1, Funny)

gatfirls (1315141) | about 2 years ago | (#41172935)

...My grandma's computer was fine while she had scareware and a few rootkits installed. So I told her to stop her whining.

Re:security certification != privacy (4, Informative)

Tackhead (54550) | about 2 years ago | (#41172987)

Presenting security certifications from TRUSTe, McAfee and Norton says nothing about how they'll use personal data. It just means that they might be less susceptible to hacking (but I personally doubt it) than companies without similar certifications.

It means you're not reading it like a lawyer.

"The company rushes to counter privacy concerns by pointing out that their service has "received security certifications from TRUSTe, McAfee and Norton."

"The company's concerns are counter-privacy" and/or "they're rushing to counter your privacy" seem pretty consistent with "TRUSTe, McAfee and Norton."

Remember, A TrustE is still a con [google.com] . (Attr. to Agent 01413 of the Lumber Cartel [wikipedia.org] (TINLC), and to Socks the Cat, ca. 1999 or earlier - the earliest I could find was in a .sig quote from 1999 - and scattered around the web, off and on, for at least ten years [geek.com] .)

Re:security certification != privacy (0)

Anonymous Coward | about 2 years ago | (#41173397)

This "security" claim is evidence (proof) of intent to deceive. I only regret how seldom this kind of abuse leads to a DDoS firestorm and massive doxing effort against the offender.

Privileged app submitter (4, Interesting)

Bovius (1243040) | about 2 years ago | (#41172795)

As an iOS developer, if I submitted an app to the app store that does this, I'm certain it would be rejected for not meeting Apple's guidelines. Makes me wonder who had to be friends with who to get this greenlighted.

It's not an app, Apple has no control over this (5, Informative)

SuperKendall (25149) | about 2 years ago | (#41172949)

Makes me wonder who had to be friends with who to get this greenlighted.

There was no need to be friends with anyone. I put in a longer post about this elsewhere, but it's not an app that does this but a configuration file that tells the phone to use their server as a proxy.

It's quite easy to build your own iPhone configuration files, anyone can download the iPhone Configuration Utility [apple.com] (They even have a Windows [apple.com] version) to build one. The trick is getting people to install the configuration...

But between building a config and applying to a device, Apple is never involved.

A configuration profile was also a way you could enable tethering at first when AT&T blocked it initially, though Apple/AT&T did fix that eventually...

Re:It's not an app, Apple has no control over this (1)

scot4875 (542869) | about 2 years ago | (#41173575)

So in response to your title: you're saying that Apple's walled garden doesn't protect its users from this sort of behavior?

Are typical Apple users aware that they need to be cautious of this kind of behavior?

If the walled garden doesn't protect them, and according to you, *can't* protect them, what's the point of the walled garden at all?

--Jeremy

Re:It's not an app, Apple has no control over this (0)

Anonymous Coward | about 2 years ago | (#41174061)

If the walled garden doesn't protect them, and according to you, *can't* protect them, what's the point of the walled garden at all?

Revenue for Apple. The Carrier Settings/Configuration Profiles are for the convenience of telco carriers (lock in) and enterprise users (easy deployment), for which Apple would have far fewer sales without their support.

Re:It's not an app, Apple has no control over this (1)

CimmerianX (2478270) | about 2 years ago | (#41180681)

You know that with those profiles, you can password protect them so to remove it, you would need to provide a password. Good for an IT dept that doesn't want users messing with the device configs, but if a 3rd party like this one password protected the profile, you'd never get it off without a full factory reset.

Re:It's not an app, Apple has no control over this (1)

Anonymous Coward | about 2 years ago | (#41174357)

I put in a longer post about this elsewhere,

I'd say everywhere, not just elsewhere. And you've been splitting hairs and picking nits in all of them.

What's your interest in defending Apple on this?

Re:It's not an app, Apple has no control over this (5, Insightful)

R3d M3rcury (871886) | about 2 years ago | (#41174799)

What's your interest in defending Apple on this?

What's your interest in attacking Apple on this?

Okay, I'll point out one simple fact: This is not an App. If you go to the iTunes Store and search for Wajam, you find nothing. Nil, Zip, Nada. So it's not an App that Apple is implicitly saying is okay by hosting it in its App Store.

If you want to "bash" Apple, what this is is a privacy attack vector. If I can get you to download something like this to your phone, I can set up the proxy so that a trip to, oh, bankofamerica.com will end up on a server of my choice. Great for spoofing and pretty dangerous.

Note that it doesn't automatically select the configuration--I have to do this myself. But that can be socially-engineered, so it's not like it's great protection. So Apple is not entirely blameless on this, I'll agree.

How am I "defending Apple"? (2)

SuperKendall (25149) | about 2 years ago | (#41174921)

What's your interest in defending Apple on this?

My interest is in people getting technical facts right.

The fact is that Apple has no control over people making and distributing these profiles. That is simple fact; there is no App involved, another fact.

In FACT I even stated that I thought Apple at some point might have to put some additional controls around installing profiles so naive users cannot do so easily. That's not defending Apple, that's saying they have an issue they may want to address if rogue profiles become a problem.

Nothing however will stop novice users from going into settings and manually entering a proxy, which you can also do. That is such a basic requirement of networking you cannot remove it as an option from smartphones.

Re:It's not an app, Apple has no control over this (1)

squiggleslash (241428) | about 2 years ago | (#41176665)

Being curious, I decided to RTFA to find out the actual truth. The GP is telling the truth, and you're not.

This is:

1. Not an app. Apple is not involved in any way whatsoever. They have not, to the best of my knowledge, approved anything from this company, not even a different related or unrelated app, and even if they had it wouldn't mean anything - see on.

2. Despite the hysterical write up, the "proxying" is for a legitimate reason. The concept is that the proxies insert additional information thus customizing, to a certain extent, the apps already on the phone (such as Safari, Maps, etc) with additional features. These are potentially useful enhancements that someone might want. For details of what, I suggest you RTFA.

3. While proxies can be abused for violating user's privacy, there's no evidence they are in this case - it's merely the technology choice that seems to have prompted the attack. This is a little like saying "OMG! Google has produced an Android app that can listen to you at any time and send what you've said to Google's HQ!!!" because... uh, Voice Dialer uses the microphone.

I'm not a fan of Apple as my comment history shows. This article does not show *any* malpractice or dereliction of responsibility *whatsoever* by Apple. The write-up is tabloidesque hysteria. And you can stalk the GP as much as you want, the GP is telling the truth.

Re:Privileged app submitter (0, Offtopic)

fustakrakich (1673220) | about 2 years ago | (#41173007)

Makes me wonder who had to be friends with who to get this greenlighted.

They had a seance. All communications are carried out through a crystal ball (iBall) via the ethernet. They get higher bandwidth that way.

Who actually cares about certification branding? (4, Insightful)

Anonymous Coward | about 2 years ago | (#41172799)

Pay TRUSTe, et al. some money and they will "certify" you. As far as I can tell all it really means is you the consumer know the company paid money to get a logo for their site/app. It's not some rigorous analysis of what is done with your data or how it is secured and seems basically worthless.

Re:Who actually cares about certification branding (3, Insightful)

Anonymous Coward | about 2 years ago | (#41173049)

It has been a while, but I've seen some logos that basically say "This site is certified by us... and reserve the right to hand over every stray bit to any third party they please".

Certified, yes. Does this mean actual protection of the consumer? I'd read into it more closely.

Realistically, the only certifications I'd take seriously would be NIST controls, PCI/DSS2 or something similar that not just allows a company to stick pretty colored logos, but actually have the logos mean something other than paying some cash to a firm for a green bar on the Web browser instead of a white bar.

What would be nice is an accrediting agency that is just plain brutal in enforcement. In return for a logo (with stiff penalties for using the logo incorrectly), the firm would have to be subject to audits, conform to data retention guidelines, have a baseline of security procedures/policies, and so on. If a firm is not keeping their end of the bargain, the logo gets pulled.

We have that with colleges and universities that if it is accredited, one is assured of a certain education level. Why not a security standard that actually means something and has teeth?

I wonder if consumers would really care though. People reading this on /. might, but Joe Sixpack might not if the service was trendy enough. In fact, I've encountered a number of people who just don't care who spies on them 24/7, provided they get their freebie.

Long-term, things might boil down to having a web of trust infrastructure tied to domain names, with people giving up/down recommendations having various reputations (that way, some bought shill can't trash the entire system with a CAPTCHA breaker and some good script-fu.) That way, if someone reliable pointed out that a site wants to install a proxy in order to use it, other people would see it and be leery, while a shill saying that something is 100% happyland is completely ignored.

Problem is that there are no immediate consequences to info being spread around to the 4 winds. I remember in the past, when MS-DOS viruses started zapping BIOSes or trying to fry older multisync monitors with bogus resolutions, that even the most brain-dead users started doing basic computer sanitation.

TFA must be wrong (0, Troll)

LordLucless (582312) | about 2 years ago | (#41172815)

After all, it was downloaded from Apple's walled garden. Isn't the entire raison d'etre for that that Apple's intense scrutiny of all apps presented means that users don't have to think when they're installing software? They can just assume it's all safe, and rely on Apple's checking to keep them secure. That's what Apple fans tell me anyway, when they relate how superior iTunes is to Google's service.

Re:TFA must be wrong (0)

Mahldcat (1129757) | about 2 years ago | (#41172931)

Reminds me of the instructor who taught a class on "how to write malware"...virulently anti microsoft, and intentionally had his students do their lab assignments in the school's Windows lab, citing "They have anti virus so they should be 100% safe." Net impact is he made the IT department's S-List, the MS lab was knocked offline for about 3-4 days due to about 20-30 viruses running rampant, dire warnings were placed saying this class better use the sandboxed lab, and the dude eventually was invited to leave...

Re:TFA must be wrong (2, Informative)

Anonymous Coward | about 2 years ago | (#41172947)

After all, it was downloaded from Apple's walled garden. Isn't the entire raison d'etre for that that Apple's intense scrutiny of all apps presented means that users don't have to think when they're installing software? They can just assume it's all safe, and rely on Apple's checking to keep them secure. That's what Apple fans tell me anyway, when they relate how superior iTunes is to Google's service.

I know hating Apple is fashionable on Slashdot, but at least try staying in context so you don't look stupid to outsiders.

The app is not the problem, there is absolutely nothing wrong with it (though it may still get banned Just Because Apple doesn't like this kind of stuff). The problem is that users of the app are being instructed by the site to manually change their proxy settings. No scripts are being downloaded here, they're using a proxy to overlay content in Safari and the app to overlay content in an augmented version of Maps.

The summary misses the point completely, but this is common on Slashdot given how biased this site really is.

Or it's not an App... (5, Informative)

SuperKendall (25149) | about 2 years ago | (#41172997)

After all, it was downloaded from Apple's walled garden.

Actually no.

It's amazing how just about every single poster is assuming this was an app.

In fact you could not even build an app like this that would come from the App Store. Not only would Apple not allow it, but technically no app can affect the network traffic of another app unless you jailbreak the phone.

This is simply a configuration profile that users download directly from the company and install themselves. Read my other posts giving more detail.

Are you against people being able to install custom configuration profiles? I have used one myself to route traffic from my phone to a debugging HTTP proxy, very handy...

Re:Or it's not an App... (2, Insightful)

Sez Zero (586611) | about 2 years ago | (#41173103)

My Kingdom for some mod points!

Yes, post slamming Apple is somehow both Insightful and yet completely wrong.

And we have the hubris to slam creationists for their logical fallacies!

Re:Or it's not an App... (2)

LordLucless (582312) | about 2 years ago | (#41173113)

It's amazing how just about every single poster is assuming this was an app.

Yes, such an amazing assumption given that that was specified in the title of the Slashdot story. Reading TFA, I can see it's wrong, but it's not an unreasonable assumption.

Are you against people being able to install custom configuration profiles? I have used one myself to route traffic from my phone to a debugging HTTP proxy, very handy...

Me? Of course not. Then again, I'm not against people being able to install whatever apps they choose on their phone either. This does seem to run counter to Apple's philosophy of "we own the phone, we just let you use it". I'll be interested to see how Apple reacts. I'm pretty sure they won't want a third party messing with the data for their built-in apps, but some popular apps seem to use the same mechanism.

Re:Or it's not an App... (0)

Anonymous Coward | about 2 years ago | (#41173321)

Me? Of course not. Then again, I'm not against people being able to install whatever apps they choose on their phone either. This does seem to run counter to Apple's philosophy of "we own the phone, we just let you use it". I'll be interested to see how Apple reacts. I'm pretty sure they won't want a third party messing with the data for their built-in apps, but some popular apps seem to use the same mechanism.

Even after having your idiocy clearly pointed out you still refuse to read the article! That's incredible!

Apple does not police the Internet; the proxy that you set up on your phone is on the Internet; they have no way to react to that, no matter how much you stretch your imaginary "we own the phone, we just let you use it" straw man argument!

Re:Or it's not an App... (1)

LordLucless (582312) | about 2 years ago | (#41173411)

And your proxy settings, are they on the internet too?

Re:Or it's not an App... (0)

Anonymous Coward | about 2 years ago | (#41173521)

And your proxy settings, are they on the internet too?

No, but neither is the browser, so I fail to see the relevance of this question.

Don't you think you are stretching your straw man fallacy too thin at this point?

Re:Or it's not an App... (1)

LordLucless (582312) | about 2 years ago | (#41173555)

And there's no possible way Apple could ever limit or restrict what data it allowed you to enter as proxy settings. Nooooo, it's all "on the internet" and outside Apple's control.

Re:Or it's not an App... (0)

Anonymous Coward | about 2 years ago | (#41173927)

And there's no possible way Apple could ever limit or restrict what data it allowed you to enter as proxy settings. Nooooo, it's all "on the internet" and outside Apple's control.

As I said before, Apple is not in the business of policing the Internet; the content displayed on your browser is not part of the iOS experience, much less an iOS app.

We've completed a full circle at this point.

Re:Or it's not an App... (1)

LordLucless (582312) | about 2 years ago | (#41175421)

Now who's not reading the article? It intercepts all web traffic, not just browser traffic. That includes app-related network traffic, such as Google Maps, which TFA even pictured in a screenshot.

"This is exactly what Wajam is trying to do on iOS — first for Safari and Google Maps, later for Apple’s own maps in iOS 6 and all sorts of other third-party apps"

Re:Or it's not an App... (1)

SuperKendall (25149) | about 2 years ago | (#41173377)

Yes, such an amazing assumption given that that was specified in the title of the Slashdot story.

Ok, I'll grant that the title was very misleading, but even so you should RTFA before going off on rants about anyone...

Otherwise you end up with a very big NEVERMIND [youtube.com] moment.

Re:Or it's not an App... (0)

Anonymous Coward | about 2 years ago | (#41173617)

"Reading TFA, I can see it's wrong, but not it's not an unreasonable assumption."
IMHO, if one hasn't RTFA, then one has no business posting one's opinion on the matter in the forum.

Re:Or it's not an App... (1)

10101001 10101001 (732688) | about 2 years ago | (#41173643)

This is simply a configuration profile that users download directly from the company and install themselves. Read my other posts giving more detail.

Are you against people being able to install custom configuration profiles? I have used one myself to route traffic from my phone to a debugging HTTP proxy, very handy...

Actually, yes. The whole point of a walled garden is that I, the user, shouldn't have to install "custom configuration profiles". If such behavior is at all warranted, it should be accessible automagically and appropriately. Put another way, if it's not okay for an App Store app to do it--presumably on the basis that it's somehow unsafe or unwanted by the user--then why should it be doable another way? I mean, your whole "route traffic from my phone to a debugging HTTP proxy" sounds inside the scope of development which, you know, developers should reasonably want access to but that translates into a non-common-user experience and hence isn't reasonably in the scope of the average user--and for which if such things were actually needed, they should be administered by Apple as the caregiver of the walled garden. Compare this to a future version of Windows Defender reverting hosts file changes and the outcry against such things precisely because the PC is the antithesis of a walled garden, even though Windows computers are otherwise used by the common user.

Re:Or it's not an App... (1)

SuperKendall (25149) | about 2 years ago | (#41174955)

If such behavior is at all warranted, it should be accessible automagically and appropriately.

Well that's exactly why such profiles exist. You can go into Settings and manually enter proxy details; the configuration files exist exactly so that such a thing can happen "automagically".

Put another way, if it's not okay for an App Store app to do it-then why should it be doable another way.

I agree with this, from the standpoint that the person installing the profile may well have no concept of what it means to have ALL traffic from the phone go through that server, just as it would be unexpected to have an application do this too.

But the solution, what is the solution? You cannot remove this setting from the settings panel as it's too widespread a need. You could make profiles harder to install but then enterprises cannot properly configure user devices.

The only thing I can think of is to flag a big warning around "this profile will re-direct all your internet traffic (including porn) to XXX domain, is that OK?" on installation of a profile that contains a proxy setting. That would not really disrupt enterprise use and in fact would be good for users to remind them their company is now seeing all their traffic.

Direct administration by Apple is not practical though, as I stated there is still a workaround through manually setting which you can also socially engineer a user into doing.
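The install-time warning proposed in the comment above, together with the removal-password concern raised earlier in the thread, can be sketched as a check over an unsigned profile. This is an added example, not code from any poster, Wajam or Apple: the payload type and key names (`com.apple.proxy.http.global`, `ProxyServer`, `ProxyServerPort`, `ProxyPACURL`, `com.apple.profileRemovalPassword`) are taken from Apple's configuration profile format rather than from this thread, the function names are hypothetical, and the sample profile is constructed.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Payload type name from Apple's configuration profile format (not from the thread).
REMOVAL_PASSWORD_TYPE = "com.apple.profileRemovalPassword"


def find_proxies(node):
    """Yield every proxy target set anywhere inside one payload.

    Nested dicts and lists are walked so the proxy keys are found
    wherever a payload type places them.
    """
    if isinstance(node, dict):
        if node.get("ProxyServer"):
            host = str(node["ProxyServer"])
            port = node.get("ProxyServerPort")
            yield f"{host}:{port}" if port else host
        if node.get("ProxyPACURL"):
            yield "PAC file " + str(node["ProxyPACURL"])
        for value in node.values():
            yield from find_proxies(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_proxies(item)


def audit_profile(raw):
    """Return (kind, payload_type, detail) findings for an unsigned profile.

    Assumption: the profile is a plain XML or binary plist. A signed
    profile is wrapped in a signature container and must be unwrapped
    before it can be read here, so it is rejected with ValueError.
    """
    try:
        profile = plistlib.loads(raw)
    except (plistlib.InvalidFileException, ExpatError) as exc:
        raise ValueError("not a plain plist (signed or damaged profile?)") from exc
    if not isinstance(profile, dict):
        raise ValueError("top-level object is not a dictionary")

    payloads = profile.get("PayloadContent")
    if not isinstance(payloads, list):
        payloads = []  # e.g. encrypted payload content, nothing readable here

    findings = []
    for payload in payloads:
        if not isinstance(payload, dict):
            continue
        payload_type = str(payload.get("PayloadType", "unknown"))
        if payload_type == REMOVAL_PASSWORD_TYPE:
            findings.append(("removal-password", payload_type,
                             "removal password payload present"))
        for target in find_proxies(payload):
            findings.append(("proxy", payload_type, target))
    return findings


def install_warnings(findings):
    """Turn findings into the kind of plain-language prompt the comment proposes."""
    lines = []
    for kind, payload_type, detail in findings:
        if kind == "proxy":
            lines.append("This profile sends this device's web traffic "
                         f"through {detail} ({payload_type}).")
        elif kind == "removal-password":
            lines.append("Removing this profile requires a password "
                         "chosen by whoever built it.")
    return lines


# Constructed sample profile; host, identifiers and password are placeholders.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "invalid.example.sample-profile",
    "PayloadUUID": "00000000-0000-0000-0000-000000000000",
    "PayloadDisplayName": "Constructed sample",
    "PayloadContent": [
        {"PayloadType": "com.apple.proxy.http.global", "PayloadVersion": 1,
         "ProxyType": "Manual", "ProxyServer": "proxy.example.invalid",
         "ProxyServerPort": 8080},
        {"PayloadType": REMOVAL_PASSWORD_TYPE, "PayloadVersion": 1,
         "RemovalPassword": "placeholder"},
    ],
})

if __name__ == "__main__":
    for line in install_warnings(audit_profile(SAMPLE_PROFILE)):
        print(line)
```
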

Re:Or it's not an App... (1)

10101001 10101001 (732688) | about 2 years ago | (#41183567)

Well that's exactly why such profiles exist. You can go into Settings and manually enter proxy details; the configuration files exist exactly so that such a thing can happen "automagically".

Um, that's pretty much the opposite of "automagically".

But the solution, what is the solution? You cannot remove this setting from the settings panel as it's too widespread a need. You could make profiles harder to install but then enterprises cannot properly configure user devices.

Well, the answer is obvious. If an enterprise needs such functionality for a set of phones, it effectively wants to administrate over the phones above and beyond what Apple offers. That leaves two options: Apple can sell phones to enterprises where they can do an at-install profile load that allows traffic redirects or Apple can have enterprises pay them to store such profiles on their servers and automagically load it up for phones bought/associated with an enterprise.

The only thing I can think of is to flag a big warning around "this profile will re-direct all your internet traffic (including porn) to XXX domain, is that OK?" on installation of a profile that contains a proxy setting. That would not really disrupt enterprise use and in fact would be good for users to remind them their company is now seeing all their traffic.

And that's no real solution. Honestly, at one level I'm surprised Apple allows web traffic redirecting precisely because it may be possible to use it as part of a spoofing attack to allow a "malicious" user to gain "unauthorized" access on their phone. I mean, I presume Apple uses things like signing keys and goes out of its way to do checks as many places as it can, but I'd imagine Apple would try to hamper (and it'd only be an inconvenience really) anything that could even potentially be used to get out of their walled garden.

Direct administration by Apple is not practical though, as I stated there is still a workaround through manually setting which you can also socially engineer a user into doing.

Which is only true because Apple included the feature and has yet to remove it.

P.S. (1)

SuperKendall (25149) | about 2 years ago | (#41174981)

Sorry about blowing the tags in the last post. Hope you can parse it OK.

Re:Or it's not an App... (1)

tgd (2822) | about 2 years ago | (#41176989)

I have used one myself to route traffic from my phone to a debugging HTTP proxy, very handy...

A lot of extra work, though -- you can go in and edit your wireless connection and add a proxy manually. Why screw around with a configuration profile?

Re:TFA must be wrong (0)

Anonymous Coward | about 2 years ago | (#41173031)

Way to fail at reading comprehension.
This isn't an app. If you are stupid enough to use this service, you have to follow directions on a web page to re-configure your phone so that all traffic goes through their servers.

But don't let a little thing like the truth stop your rant.

apple will soon ban this app (-1, Troll)

Joe_Dragon (2206452) | about 2 years ago | (#41172827)

apple will soon ban this app

Re:apple will soon ban this app (0)

Anonymous Coward | about 2 years ago | (#41173079)

It isn't an app.
Apparently the submitter and the editor both failed to actually RTFA.

Re:apple will soon ban this app (2, Funny)

CanHasDIY (1672858) | about 2 years ago | (#41173173)

It isn't an app. Apparently the submitter and the editor both failed to actually RTFA.

What, and you did?

Phukin' fanboi...

lolz

Huh? (0)

Anonymous Coward | about 2 years ago | (#41172889)

How is this an iOS app? It's also available as an extension for Chrome, Firefox and IE.

Re:Huh? (0)

viperidaenz (2515578) | about 2 years ago | (#41173263)

If it's available on iOS, it's an iOS app. Being available on another platform doesn't change that.

Re:Huh? (1)

DrVxD (184537) | about 2 years ago | (#41183311)

If it's available on iOS, it's an iOS app.

By that logic, every website is an iOS app (since it's available on iOS). Except, of course, that it isn't.

Re:Huh? (1)

viperidaenz (2515578) | about 2 years ago | (#41184941)

No, because a website is not an "app". It's a website. The "app" in that sense is the browser. The iOS browser could probably be called an iOS app.

The summary is wrong (5, Informative)

digitallife (805599) | about 2 years ago | (#41172895)

The summary is wrong.
There is no app on iOS, and in fact no way to do this on iOS through an app. The 'script' is for fully fledged desktops. On iOS they have instructions for how to set up Wajam as your proxy.
This is pretty basic stuff. iOS slandering at its best.

Re:The summary is wrong (2)

R3d M3rcury (871886) | about 2 years ago | (#41173151)

I gotta admit, I was wondering how a script could change your proxy on iOS when, in theory, the only "script" you can run is JavaScript.

The neat question, of course, is did Apple vet what they're doing in any way before allowing them on their store. Or is this one of those cases where Apple looks out for the safety and security of their users until something goes wrong and then it's, "Hey, we're not responsible for third-parties."

Re:The summary is wrong (0, Interesting)

Anonymous Coward | about 2 years ago | (#41173869)

What do you expect? /. is all about trashing iOS these days.

Android is SWARMING in malware but you don't see those stories on /.

It's sad to see Slashdot lose its credibility so fast. /. has become an Android fan site and has ZERO credibility. Thank hacks like Timothy and Soulskill for that.

Android malware families nearly quadruple from 2011 to 2012

http://www.zdnet.com/blog/security/android-malware-families-nearly-quadruple-from-2011-to-2012/12171 [zdnet.com]

Summary: F-Secure has found that between Q1 2011 and Q1 2012, the number of Android malware families has increased from 10 to 37, and the number of malicious Android APKs has increased from 139 to 3,069.

Almost Every Android Device Compromised With "Some Kind Of Malware"

http://www.forbes.com/sites/adriankingsleyhughes/2012/07/27/bt-almost-every-android-device-compromised-with-some-kind-of-malware/ [forbes.com]

Summary: British Telecom says that one third of Android apps are compromised with some form of active or dormant malware, and that almost every Android device is infected.

"We analyzed more than 1,000 Android applications and found a third compromised with some form of active or dormant malware," said Jill Knesek, head of the global security practice at BT and former cybersecurity expert for the FBI. But if you think that is bad, it gets worse, reports EETimes.

"Almost every device is compromised with some kind of malware, although often it's not clear if that code is active or what it is doing," she said in a panel discussion at the NetEvents Americas conference.

Re:The summary is wrong (1)

motd2k (1675286) | about 2 years ago | (#41175947)

Wrong. This IS an app - the app quits and opens the connection profile in Mobile Safari when the user taps a button in the app to 'Enable'.

Re:The summary is wrong (0)

Anonymous Coward | about 2 years ago | (#41178775)

Then you should have no problem linking us to the app. Please do.
What's that? You can't actually find the app? There's not a single thing related to the word 'wajam' in the iOS app store? The Wajam website makes absolutely no mention of any iOS functionality or app? Weird! It's almost like... There is no app!

Furthermore, connection profiles have clear and dangerous-sounding warnings pop up before installation, and can be uninstalled with a couple clicks. They have actually been in use by various websites for a while now, and very few people are historically willing to install them because of the warnings. Nonetheless I wouldn't at all be surprised if Apple makes it more difficult to install them in the future.

Re:The summary is wrong (1)

tlhIngan (30335) | about 2 years ago | (#41178525)

On ios they have instructions for how to setup wajam as your proxy.

I don't know about you - but what is restricting use of that to iPhones?

Did this company really just open up a huge free proxy server on the 'net for everyone to use? If they're in the US, it's basically a free proxy server to all those US services that everyone whines about... if not, it's a free proxy server that lets you "hide" your IP...

Depending on the proxy, it might be worthwhile to shove your torrent traffic through there?

Of course, the other thing is - you still have to install configuration profiles through iTunes? If you're not using it, you have to manually enter the settings? Hrm...

McAfee/Norton/Trust-e != Security (1)

EmagGeek (574360) | about 2 years ago | (#41172897)

Well, since we're already on the Security != Privacy train, I just thought I'd call attention to the pachyderm in the room.

Isn't the bandwidth going to be expensive? (4, Funny)

Gordonjcp (186804) | about 2 years ago | (#41172951)

Wouldn't it be terrible if someone published the details of the proxy connections, and it started getting hammered by thousands of slashdotters?

Re:Isn't the bandwidth going to be expensive? (0)

Anonymous Coward | about 2 years ago | (#41177989)

Wouldn't it be terrible if someone published the details of the proxy connections, and it started getting hammered by thousands of slashdotters?

It would probably be worse if some people used this proxy to commit copyright infringement and donate to known terrorist organizations.

And their proxy is slashdotted in 3, 2, 1... (0)

Anonymous Coward | about 2 years ago | (#41173081)

So what happens to their proxy site when all Slashdotters decide to use it all at once for all their iPhone web traffic from now until forever? Sure, they say it's based on Amazon's web services, but what happens when they can't afford to pay Amazon for the bill when 1,000,000 iPhone users indiscriminately use it for all their http communications...

These ideas work well if they are implemented at a small scale or at a network level where all users are physically or at least network-level co-located, but they don't scale arbitrarily well. Amazon won't foot the bill for their bandwidth, and who generates the revenue then? It's a nice idea, but the implementation requires too big of an internet footprint as a service. You don't want all the traffic, just relevant traffic -- plenty of online video games, for example use http / https to connect to their services, and now you redirect these. Want to watch a youtube video? How does that work through this proxy? How about facetime?

If only there was a way for them to embed their proxy filter into the iPhone OS itself they'd have something that would work without this mega hack. Did it say if and how they work around https searches on Google?

FTFY (2)

peacefinder (469349) | about 2 years ago | (#41173203)

The company rushed to point out that security certifications from TRUSTe, McAfee and Norton are worthless in this situation.

TRUSTe is just a bad joke the EFF played on us (0)

Anonymous Coward | about 2 years ago | (#41173601)

After the Real Networks unethical privacy violation, TRUSTe clarified that the TRUSTe certification only extends to actions taken directly by the website the TRUSTe seal is provided on. Even if an application authored by the same company maintaining the website and available for download from the website does not follow the privacy statement, the actions of the application are only *indirectly* related to the website and are not covered.

Based on the TRUSTe clarification, the Wajam proxy service is technically different than the website and not actually covered by TRUSTe certification. Hence, Wajam is just using the TRUSTe seal to mislead customers.

Bogus certifications (0)

Anonymous Coward | about 2 years ago | (#41173623)

I have those same certifications. It doesn't mean anything other than him having paid a few dollars.

Mind you, they do actually test some things, but after bitching about false positives the test results were ignored and I was certified.

Look at the Opera Mini Browser (0)

Anonymous Coward | about 2 years ago | (#41174295)

The Opera Mini Browser does that - send all mobile user web traffic through their proxy servers. By doing that, they can reduce by a large factor the amount of data sent over the wire to/from the phone, hence reducing significantly (up to 80%) the amount of data used by the phone for web browsing. Nokia's mobile phone browser does that also. This results in lower costs for users by reducing the probability that they will exceed their data plan caps.

FWIW, I do performance engineering for the mobile browser division of one of those two companies. We do a lot to protect user information including data compression, encryption, etc. In fact, most of the data returning to the phone are simply paint instructions (compressed and encrypted) so that even if someone were to intercept the in-bound traffic, it would not mean much to them.

Re:Look at the Opera Mini Browser (1)

anonymov (1768712) | about 2 years ago | (#41175999)

Err, no, not "does that" at all.

Opera Mini is basically a server-side browser, rendering pages at their side and sending them preprocessed to the phone - to save teeny-tiny CPUs some cycles and teeny-tiny dataplans some kilobytes. AFAIK, you can't even install any of Opera proxies for use in other applications.

Wajam, OTOH, does "When you search, Wajam shows you what your friends have shared." - and they need all your webtraffic from all your apps for them to plug their added items (and their ads) in web pages.

Oh look, more lies from the Apple haters. (0)

Anonymous Coward | about 2 years ago | (#41174687)

This is not an App. It is a "profile", and has more in common with a .reg file for windows than it does an Application. An important distinction, because there is no approval process for profiles. (Imagine as a corporation having to have your configuration profiles approved? Obviously unacceptable.) You can read more about profiles here - http://developer.apple.com/library/ios/#featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html

CEASE THE LIES APPLE HATERS. THE TRUTH SHALL FREE YOU.

P.S. The Linux desktop experience has been downhill for the last 4 years. (And I have been using Linux since kernel 1.2.13.)
 

trust (1)

l3v1 (787564) | about 2 years ago | (#41175679)

"Are we really to entrust our data to a company founded by a man who comes from the world of browser toolbars?"

Why, you trust your data to random apps developed by random people, and suddenly this one poked your eye because the guy made browser bars? Now at least you know he's getting the data, not with some other crap which just uses it, leaks it, etc. Also, if you know what this app does, and you don't agree with it, instead of not using it, you start complaining about it. Yeah, nice :)

I'd never use such an app, or any other app that I know wants any data I don't want to share. But then I just don't use it, and move along, geez.

Re:trust (1)

Bob Ince (79199) | about 2 years ago | (#41176009)

Coming "from the world of browser toolbars" is somewhat of an understatement in this case.

We are talking about a founder of CDT (latterly Zango Canada), who paid affiliates to bulk-install spyware on unwitting Windows users' machines, using tactics up to and including browser security hole exploits. Hats don't come much blacker.

browser hijack specialists (0)

Anonymous Coward | about 2 years ago | (#41180551)

Martin-Luc Archambault is the same person who owned companies that did outright browser hijacking, inserting search results into major search engine search pages via DOM modification.

Their business model was turning a blind eye to shady folks doing drive-by installation of their 'toolbar' via malware and viruses. Just google 'CDT Inc.' and 'blazefind'. They made millions before selling the company...

Truly, these folks are completely without scruples continuing to try to exploit systems with these types of underhanded techniques.
