iPhone Apps Surreptitiously Communicated with Unknown Servers

Long news article (alternate source) on iPhone privacy, specifically the enormous amount of data your apps are collecting without your knowledge. A lot of this happens in the middle of the night, when you're probably not otherwise using your phone:

IPhone apps I discovered tracking me by passing information to third parties ­ just while I was asleep ­ include Microsoft OneDrive, Intuit's Mint, Nike, Spotify, The Washington Post and IBM's the Weather Channel. One app, the crime-alert service Citizen, shared personally identifiable information in violation of its published privacy policy.

And your iPhone doesn't only feed data trackers while you sleep. In a single week, I encountered over 5,400 trackers, mostly in apps, not including the incessant Yelp traffic.

Posted on June 25, 2019 at 6:35 AM • 37 Comments

Comments

JeremyJune 25, 2019 7:28 AM

the crime-alert service Citizen, shared personally identifiable information in violation of its published privacy policy

Presumably it was turning itself in.

Clive RobinsonJune 25, 2019 7:50 AM

From the MSM link,

    According to privacy firm Disconnect, which helped test my iPhone, those unwanted trackers would have spewed out 1.5 gigabytes of data over the span of a month. That’s half of an entire basic wireless service plan from AT&T.

So they are "denying you the rights and privileges pertaining" to the data plan you pay for. Or in easier terms "out right theft".

It's time one of these silicon valley companies was prosecuted and say charged one USD for every data packet they sent.

It would help re-skew the balance between them and individuals making pervasive data gathering less profitable.

But the real underlying issue is "lack of control" even though you have purchased a phone you do not own it. In this score both Apple and Google are equally as bad.

For instance with your home computer you can put a firewall on it that you can use to block outbound traffic to various IP addresses. You can also put in a pre-filter to DNS requests such that certain entity names never resolve to anything other than localhost, and further packets sent to an IP address not in the local DNS cache can be blocked or flaged up to the user for approval.

Likewise if you don't like the "pre-installed" apps on a personal computer you can usually de-instal them or nuke the exe files their code is in.

Trying to get that level of control on iOS or Android is for the average user not realisticaly possible.

As some in the industry know when it came to the early days of "smart pads" Microsoft was threatened by Google if they made any MS OS locked onto a platform. Well both Google and Apple do lock out other OS's and atleast one of them incessantly "data rapes" the phones user not just every day but every few minutes.

The only solution to this problem is to kill off the DMCA and make "ownership" actually mean what it once did before the EULA nonsense back in the 1970's and earlier started.

JohnJune 25, 2019 8:10 AM

Why are people shocked that personal information is shared when you carry around a personal tracking device 24/7?

If you don't want to be tracked, buy a phone that cannot track you.

If you want the convenience of a "smart tracking device", then expect to be tracked.

Did you really think the TacoBell app was only for ordering food?

No One, etc.June 25, 2019 10:38 AM

I tried to make an RF-proof box for my phone, but, upon testing, that proved ineffective and amazingly difficult to construct.

I know such things are available, even ones that can charge a device--looks like I will be going back to an alarm clock once I figure this out.

This constant data collection under our noses is extremely disturbing. We are getting to the point of 24/7 collection with no gaps. Imagine a human being who is collected upon from the womb, through childhood, day and night, and then its whole life, and even after death.

Here's an idea: I will just turn the little fella off.

TimHJune 25, 2019 10:40 AM

I've got the Outlook app on my iphone and despite the app being off, and being told in can only use wifi, it still communicates frequently with the server without wifi service and shows banner for new emails. It's not on the push list, so can't disable push for it specifically.

Per Pirates of the Caribbean, the permissions controls from the user are only 'guidelines' for the apps to ignore as they wish.

And no app appears to be ever 'not running'. Standby mode with interrupts at best.

AlejandroJune 25, 2019 10:41 AM

My windows machines spew data back to various mother ships all the time. Thousands of attempted connections every day.

However, due to firewalls, network monitors, tracker apps, router security, etc much of the OUTBOUND data dumps can be curtailed, sometimes blocked altogether.

Meanwhile, I like the Apple system, but must admit the lack of CONTROL as Clive notes is a big negative.

I would add I am not aware of even a decent network MONITOR for iOS to see connections and outbound destinations ...is there one?

Where is the Apple version of Wire Shark?

Any Apple wizards out there know how to monitor and control outbound data for iOS? Any way to block/filter a specific ip address or range?

Frankly, this revelation though not entirely unexpected, is very disappointing because on whole I trust the Apple system more than the others.

Tim WarnerJune 25, 2019 10:44 AM

All phones can track you, if you don't want to be tracked do not carry a phone.

parabarbarianJune 25, 2019 11:02 AM

On the bright side: As long as you phombies keep letting yourselves be tracked like livestock, I can plead privacy concerns when the company wants to issue me a "smart" phone.

PabloJune 25, 2019 11:13 AM

Apple and Google have a very tight grip on the phone industry through their OS they ruthlessly defend their patents and any competition to their OS market is curtailed or bought out.

Some people just see this as good business as they co-operate with all requests from any state and make lots of money for app developers and advertisement agencies.

Charlie ZorattoJune 25, 2019 11:14 AM

The only way that your location is not tracked through the cellular network is by separating the Simcard from the cell phone. It is a very expensive solution that the public in general can not acquire.
Regarding the crawlers there are some functions in IOS to mitigate this. In addition to recommending using VPN with OPENVPN protocol enabled.

Clive RobinsonJune 25, 2019 11:30 AM

@ John,

If you don't want to be tracked, buy a phone that cannot track you.

As long as they are on, or in use all phones land line, satellite, cordless or mobile give away your position one way or another.

Any attempts with mobile phones to turn them off or "out of range" them by putting them in a RF shielding enclosure will after a very short time show up as repeated anomalous behaviour, that software written over a decade ago would pull out from the service providers logging records as not normal behaviour.

The software also pulled out "limited groups" that is mobile phones that only talk to a very limited number of other mobiles or land line numbers of fast food suppliers etc. That is what some refer to as "cell" behaviour which generally means suspicious or potentially criminal / terrorist thus subject to further investigation.

Interestingly in London some gangs have worked this out from a limited number of high profile cases and thus have adjusted their behaviour accordingly. Likewise high end drugs gangs and presumably other "serious organized crime" groups have adjusted their behaviours.

You can also get hold of equipment (from the US) that can be software modified that alows you to set up fairly wide area mesh VoIP and data networks. With other tricks using mobile phones where you can not just change the supposadly hardwired electronic serial number, but they also alow you to get at the user interface electronically thus potentially remotely, you can do interesting things. One such is use your fake mobile from across the other side of the city or even potentially via the Internet from any where in the world.

It's a game not to disimilar to the old ECM / ECCM / ECCCM game used by the military with regards radar and missiles. At the end of the day you just have to be technologically smarter thus have an extra "Counter Measure" in your arsenal than those that wish to track you. However as with all OpSec you have to be very very methodical about the way you do such things because one slip will end up recorded in the service providers logs and could come back to haunt you in the future[1]. Few even when their actual lives genuinely do depend on it can get OpSec right 100% of the time...

I beleive it was Al Gore who originally gave voice about the dangers of unclassified information sources that when aggregated could reveal "secret information" and voiced "National Secirity" concerns. Well we now know that the likes of "fitness trackers" and "Social media" geo-tags have done exactly that. But what is true of military personnel is also true of the everyday citizen. Such publicaly available databases represent a very real threat to ordinary individual citizens privacy thus their freedoms from undue surveillance by the State and it's direct and indirect entities.

The one thing we do know is that "Criminals Evolve" that is the smarter ones learn from the mistakes of others. Likewise terrorists, when an RF sensing missile was modified and killed an individual Russian alledged was a terrorist when he was using a satellite phone. Within a very short time Osama Bin Laden stopped using his satellite phone. Likewise as the US developed similar technology to locate mobile phones from drones to bring down Hellfire missiles the terrorists developed counter measures very quickly. The simplest was to use the phone a few times then give the phone to an innocent individual who got blown up along with their families and other "collateral damage" causing very bad publicity for the operators of drones. However Osama went further and stopped using any kind of RF emitting device and had switched to using "by hand" courriers.

Just remember that some Governments are looking favourably on using similar or identical drones in and around their own borders and we have good reason to believe that certain US Government entities have been using small aircraft to do similar. Because they messed up their OpSec and left the ADSB beacon on (as required by federal law) and got tracked by ordinary "hobbyist" individuals who put up on the Internet flights they thought were odd. Others then traced down registration to shell companies and so on, all because due to poor OpSec they emitted RF energy that got recorded...

There are truisms about people alowing odd things to "nag at them like an aching tooth" and others about "Pulling at loose threads till it all unravels". These days we have the likes of Palantir employing "big data" to do such searching things fully automatically. Further it's well within the bounds that this can be done in human terms appears to be "real time".

[1] Supposadly under law various records kept by the US and other Governments and their entities have to be deleted after a number of years. But as various entities have been caught out in various ways, it's safe to assume that the law is either being ignored or bypassed in some way. As there are loop holes in the public legislation and some Governments have "secret laws" it's fairly safe to assume that some "interesting" records will be kept effectively indefinitely within some Government entities. However as the majority of these records are actually "Third Party Business Records", on which there are no limits on how long these can be kept, and in many cases require little more than a secret letter to gain access to them, I can easily see how the Government could "out source" keeping of such information indefinitely. In fact there have been stories circulating that companies like Palantir Technologies that specializes in big data analytics, which was founded by amongst others Peter Thiel and is hedquatered in Silicon Valley is one such entity doing exactly that...

AlejandroJune 25, 2019 11:52 AM

There a tracker app for iOS from Disconnect called Privacy Pro that supposedly stops a lot of the outbound data for the entire phone.

But, it's $4.99...PER MONTH. Pay up front even for the "free" 7 day trial.

hmmmmmm.

Clive, as someone suggested, we all know we can throw the phone in the river.

But, for those of us who think that's a bit extreme, what's your best practical advice for iOS users?

SchomoJune 25, 2019 12:02 PM

Even if you make a handset which is semi untraceable how many people would buy it?

AJune 25, 2019 2:45 PM

To "Regarding Purism"

https://en.wikipedia.org/wiki/Purism_(company)
https://en.wikipedia.org/wiki/Librem#Librem_5_smartphone

I think the company has demonstrated its commitment to security and privacy in their delivered products, and will likely continue to do so.

As for me, I'm more concerned about privacy than strictly-Free hardware. (With respect to the individuals' views in those old forums you linked.)

I'll take GNU/Linux over Google or Apple, always. Even if it's imperfect.


lurkerJune 25, 2019 5:24 PM

@Charlie Zoratto
"separating the Simcard from the cellphone" is a very cheap and quick solution for someone who only wants a Pocket PC. The odd phonecall can still be made via VOIP on WiFi; but of course that deals you into a new game with the trackers…

Clive RobinsonJune 25, 2019 6:04 PM

@ Alejandro,

But, for those of us who think that's a bit extreme, what's your best practical advice for iOS users?

It depends on who you are protecting yourself against.

The first thing to remember is that any communications device that emmits RF potentially gives your position away.

Yes there are tricks you can do to reduce the "Find, Fix and Finish" issue, but they are mainly based on the assumption of ground level HF Direction Finding (DF or Huff-Duff). That is they are using the "Ground wave" not "line of sight" to find your direction.

At the upper end of the UHF band or bottom end of the Microwave band that mobile phones tend to be in line of sight operating or single reflection operation are assumed.

Thus if you can find yourself a suitable high gain antenna and an advantageous position you can point your signal not at the mobile phone mast but a suitably reflecting object from which it then bounces to a phone mast. This makes the mast think you are somewhere you are not, and if the gain of your antenna is suitably high then the power you radiate is actually automatically reduced. This means first of all you are putting out a lot less power, but that outside of the "main beam" or some "side lobes" your radiated power is reduced a lot lot further. Thus you could end up with a signal that is way to weak to be DF'd in any other direction.

You can also do tricks with "passive repeaters" these are in effect two higg gain antennas connected by a shortish length of low loss cable. A signal received by one antenna will be re-radiated by the other antenna and vice-versa. One trick I've used is a high mounted high gain yagi array pointing at the mobile mast with a drop down cable that connects to an inverted omnidirectional colinear antenna at around eight feet off the ground. The effect creates a sort of local hotspot in an otherwise virtually uncovered area. It's a good way to get a distant home and garden cell coverage in rural "fringe" areas which are all to common these days. Using two high gain yagi's cross polarized on a tower block can give you using a third yagi on your phone a way of being in an entirely different cell area.

However all of those tricks won't hide your location if the GPS in your phone is not properly and permanently deactivated (with a skill knife, soldering iron or both). A similar issue exists with both WiFi and Bluetooth. As you probably know Google amongst others has a database of WiFi ID's and where they are located, so they can track you even with GPS disabled. The advent of "Store tracking by Bluetooth" likewise gives an opportunity to fix your location, and as we've seen by Apple's "find me" any mobile phone within thirty feet of you can see your Bluetooth and "rat you out" location wise through that phone... Oh and don't forget the NFC system, whilst it's range appears small, it's greater than you think when the sensor coils are mounted in a door frame or around the walls of buildings at hip hight.

So ditching the smart phone might be your only option unless you know how to get into it and where to do the required "slice-n-dice" on the PCB's. At which point much of the functionality of your "smart phone" is gone, but for some users the lack of the "local comms" and GPS is not an issue.

As for the OS and apps side, my view right or wrong is to assume they all have backdoors or spyware attributes unless they can be shown to be otherwise. Whilst Apple do alow some apps to get down low in the stack Google on the otherhand prevents any sort of low level app going into their online repository that might conceivably stop advertising...

The thing is how do you find an app on iOS "innocent" the simple answer is it at best difficult at worst near impossible. The only real way is to get down below the computing stack down to the underlying physical layer that is the GSM communications. Making sense of what you find there requires some interesting professional test equipment that you won't get much change from 50,000 USD even of you do shop around carefully. However times have changed and professional kit is not your only option these days. There are a number of Software Defined Radio systems that easily cover all the GSM bands, and importantly have hogh end A-D converters and FPGA chips on for realy quite reasonable money. It's not that difficult for those sufficiently knowledgable to find software online that can turn these SDR cards into nano/femto cell towers. You can therefore using one of the SDR cards and a high end PC get the iPhone to use the cell to communicate with.

Then it's a matter of playing the waiting game to see if unexpected data appears on the interface. The problem is that a spyware app could in some cases not send data without being triggered in some way and only then downloading the data it has accumulated.

But an app does not even have to do anything other than make a glorified rolling log file if it knows you have the Apple cloud backup enabled, it simply waits for the file to get downloaded to apple's hard drives where it can be read by not actually connecting with the phone...

Obviously there are a limited number of things you can do, but they may well not cover all the tricks a knowledgeable app writter might do.

So at the end of the day you can,

1, live with things the way they are.
2, take limited software steps to find and remove the spyware.
3, get out the craft knife and soldering iron and so brain surgery on the phone.
4, find a non smart phone that does not have GPS or GPS you can neuter, and a battery you can remove.
5, as an extension to 3, start getting creative with antennas.

But to be frank my recomendation for the majority would be 4.

There are a few other things you could do, but at the end of the day most people will muck up their OpSec and it will be game over.

JackJune 25, 2019 6:22 PM

Any talk of "privacy" in connection with the surveillance capitalism military industrial spy-complex is delusional - they got the seedmoney from In-Q-Tell precisely so they could spy on everybody, without those annoying and fun-killing warrants..

The Flower of MarxismJune 26, 2019 2:34 AM

What happens if you routinely put the phone in airplane mode, or turn off mobile data and wifi? It should at least stop the third party apps from chattering.

In general, install less apps. Every now and then, look at your home screen, thank an app for its service and uninstall it.

Though note that this of course still does not hinder tracking by the operator, government or similar entities. (See RRLP for an example.)

Clive RobinsonJune 26, 2019 6:04 AM

@ The Flower of Marxism,

Every now and then, look at your home screen, thank an app for its service and uninstall it.

Unfortunately "uninstalling" is no guarentee of a fix.

One trick to make things stick in times past used to be update a shared library. As it's shared it does not get uninstalled, so if you can hide your malware in a shared library function that gets called frequently not only does it stays, it carries on being used...

Whilst that trick should not work these days, there are plenty of orhers...

65535June 26, 2019 7:00 AM

@ Clive Robinson

'So they [Apple] are "denying you the rights and privileges pertaining" to the data plan you pay for. Or in easier terms "out right theft".'- Clive R.

Yes, it is about the size of it.

But, just think of the extra money and data AT&T is collecting with this "app-scam". It is a win-win for AT&T. It makes your blood boil.

I am hoping General Data Protection Regulation will stop this cash and data theft... assuming Apple doesn't buy them off.

I would guess that is possibly why Apple's new "Find My" Feature was introduced to deflect the possibly criminal charges of milking dry people's "metered" bandwidth by using other's people cell phones and computers bandwidth to transfer personal data. This data and bandwidth scam was going to be discovered sooner or later. But, who knows.

https://www.schneier.com/blog/archives/2019/06/how_apples_find.html

I wonder what Matthew Green will say - or not say - about this scam.

@ Nobody

"Apple has control over your device and any pretense they will honor any private keys on your device is laughable."-Nobody

That is my feeling also.

I always thought Apple was ripping-off their customers with their so called "Apple Ecosystem" and now we know it. This is a sad commentary on all "security experts" who touted Apple's customer security.

The reality is that Apple with the help of so licenses, warranties and complex "terms of service agreements" skins their customers. This whole data-bandwidth theft via "Terms of service" agreements must be stopped.

@ No One, etc.

'I tried to make an RF-proof box for my phone, but, upon testing, that proved ineffective and amazingly difficult to construct." -No One

Yes, that has been our experience also. You can just search this blog for my comments. It is indeed harder than it looks.

But, if you use a very thick metal cooking pot with not holes in it you may see it work. Also, using very think tinfoil wrapped many times around cell phones also works. I will say the only easy test is to see is cell phone rings within the home made RF container. If it rings you RF contianer doesn't work.

Other than that test it will require more complex radio detection equipment. There is always going to be some radio leakage but not enough for TLAs or Large Corporations to intelligibly use.

Other posters indicated that taking out the GSM chip probably does work on cell phones that can be opened - but on cell phones that are sealed it doesn't. Also CDMA phones are usually "carrier locked in" and with an onboard chip.

RF blocking is harder than expected. Note some carrier bit sampling can be done at a low rate of 8KHz verse hundreds of MHz So, thick metal is necessary [you can ask Clive R of the difficulty blocking lower frequencies than of extremely high frequencies and the power requirements]. I am saying that it is possible some radio signals can be emitted by the cell phone hardware without the GSM chip but a lot of intelligible RF signals will be gone.

It is a good subject to study. If any poster has a quick way of making an RF proof home make cell phone signal blocker please speak up.

Petre Peter June 26, 2019 7:30 AM

EULA seems to be a big issue. It doesn't matter if you read the terms, the company reserves the right to change them without notifying you. I don't own software, I have the permission to use it because legally software is considered a service. So modifying the software on your phone doesn't seem to be a solution; however, something like LittleSnitch would be nice for iOS.

Charlie ZorattoJune 26, 2019 11:08 AM

@Iurker
Yes, that is correct too. in the case of ios it collects the mac address and ssid in the Wi-Fi therefore the trackers assume in physical place previously identified in conjunction with the last cell, even having turned off the radio. I once saw an Italian app for android (old versions) that changed to the second most powerful cell in the list "neighbor cells" of gsm, the only one is that the cell phone consumes more battery and may suffer some micro cuts during the call in progress. In short, to achieve full anonymous functionality requires a data vpn attached to a portable external modem or a second phone that fulfills that function. the firewalls for android detect silent calls and queries of imsi catchers, but they do not block them, they only warn you even when you are transiting through a cell rouge (without active A5.1 encryption) anyway, the problem will remain SS7.

Well playedJune 26, 2019 10:52 PM

@Jeremy

Presumably it was turning itself in.
Well played, Sir. Well played.

65535June 27, 2019 3:33 AM

@ Petre Peter

"EULA seems to be a big issue. It doesn't matter if you read the terms, the company reserves the right to change them without notifying you." Petre Peter

I have to agree.

They have become one-sided, abusive, ever-changing at the whims of the Corporation who wrote them, and sometimes printed in miniscule print and spread over separate but related domain or corporations. This abuse of so-called Terms of service, EULA, and licenses must be tamed or neutered. Terms of service or EULAs will probably end up in the US Supreme Court if anybody is brave enough to balance the scales of justice.

Sure, it possible the EU courts could have a hand in remedying this situation - but I have my doubts.

To all posters on the cell phone tracking issue:

I believe Clive Robinson's [June 25, 2019 6:04 PM] is the best answer for the average Jane/Joe cell phone user for security.

"4, find a non smart phone that does not have GPS or GPS you can neuter, and a battery you can remove."- Clive Robinson

All of the rest of Clive's surgery, high gain multi-antenna, and so forth suggestions are probably out of the budget or skill level of the average Jane/Joe.

Oddly, Clive Robinson contradicts his # 4 suggestion in a prior post in this thread.

"...Any attempts with mobile phones to turn them off or "out of range" them by putting them in a RF shielding enclosure will after a very short time show up as repeated anomalous behaviour... also pulled out "limited groups" that is mobile phones that only talk to a very limited number of other mobiles or land line numbers of fast food suppliers etc. That is what some refer to as "cell" behaviour which generally means suspicious or potentially criminal / terrorist thus subject to further investigation..." -Clive Robinson, June 25, 2019 11:30 AM.

I don't know how to reconcile Clive's various posts and suggestions.

Sure, maybe some 007 style NSA/CIA/DEA program could easily do such a statistical function but I would highly doubt that it would prove to be useful or un-useful.

There an thousands upon thousands of cell phone dead spots in buildings, tunnels, foot hills, mountains, and other remote terrain and so on. I would guess the entire USA is only partially covered - not fully covered by cell phone service as hole [Nebraska, Wyoming, Nevada, Alaska, various USA islands and so on]. I am sure the reader's here can check cell phone coverage maps by giggling it. Here is a small example.

"This is the most important, so listen up. The fanciest phone on the market won't get you anywhere if you can't get data or voice service. Network strength is so incredibly variable, and can change by time of day, weather and even where you are inside or outside a building. It changes, too, since carriers upgrade their networks or adjust their towers all the time..." CNET and Rootmetrics

ht tps://www.cnet[.]com/news/comparing-wireless-carrier-plans-us/

[links broken for safety]

"The two urban hubs where CNET editors test, San Francisco and New York, are especially challenging. Our cities are riddled with radio-blocking concrete and hills (S.F.), too-few towers, unexpected dead zones, and heavy congestion."- CNET

ht tps://www.cnet[.]com/news/five-things-you-didnt-know-about-data-testing-smartphones-unlocked/

Other than Clive Robinson's odd "you will be profiled as a terrorist if you remove the power to your phone - on the other hand you can remove the battery of the non-GPS cell phone" disconnect in his posting, I basically agree with him.

Yes, there are plenty of large high flying drones covering the USA boarders and you can hear their rather fast turning propellers - assuming they are not jet engine monster drones. There are plenty of Stingray type devices and so on. They surely, can pickup up almost any cell phone that is powered on.

I do wonder how many Judges, Lawyers, Clerks of Courts, Paralegals and politicians and their families are being data minded, sold-out or ruined by Apple and their data brokers. Hopefully, we will find out.

You can take Clive's advice, and buy a dumb phone [no GPS] and remove the battery and replace it - or use an RF bag from e-bay or an homemade RF bag. Lastly, you can just not buy a cell phone [an inexpensive alternative].

I don't think Apple is going to let any app that really secures your data on their economic eco-system. Their profits would shrink.

Regarding tinfoilJune 27, 2019 6:41 AM

@65535

I was gonna mention tinfoil, but figured you folks were trying to keep the phone usable in some way, like playing with apps that don't need a connection. I did a test awhile back with my crappy phone. I believe I needed 3 layers of tinfoil before it stopped ringing.

Sed Contra June 27, 2019 2:23 PM

My approach to phone safety - forget tinfoil Faraday etc., I just always carry my own portable stingray plus GPS jammer, so the phone never connects to anything else.

Maxwell's DaemonJune 29, 2019 12:55 AM

@65535

GCHQ, NSA and the rest of the 5Eyes already use graph databases to map out constricted/limited graphs around particular cellphone numbers as a method to potentially identify terrorist cells. People who have limited access to the towers due to geographical and other environmental factors aren't as likely to have a limited quantity of other nodes on their graph. It's a method of filtering, nothing more nor less.

If you want to see a prior version of GCHQ's graph database, it's up on GitHub last time I looked.

well....June 29, 2019 3:48 AM

@Clive Robinson:

>"Trying to get that level of control on iOS or Android is for the average user not realisticaly possible."


The "average user" you talk about would *not* be able to secure a Windows installation like that so no point in trying to compare. Apples and oranges.

But actually it is quite a lot easier on Android (I don't know about iOS) than Windows. You can install an open source firewall that does not require root. Lots of them out there. They work by setting themselves up as a VPN and hence all traffic goes through that single app - even system apps. A good trustworthy one (IMO) is NetGuard by the creator of xPrivacy and FairMail. I bought the pro version and chaining it via SOCKS to a VPN provider. That last bit is not as easy though but installing and securing Android is within reach of most "average android users" unlike with Windows (and iOS AFAIK).

AMcAJune 30, 2019 4:57 PM

The one that alarms me is WeChat. I had to sign up to do business in China - they insist on using it.

What I discovered when re-activating it (after "deleting" it from my iPhone) is that by signing up for WeChat, I was assigned a China Social Credit identification number. I'm enrolled in the China Social Credit system!

And I bet that even though I've deleted the app, it's still snooping on me. And when I travel next to China, they'll deny me boarding on trains, or whatever. Because I totally don't meet their high standards.

Bob July 1, 2019 2:16 AM

"What I discovered when re-activating it (after "deleting" it from my iPhone) is that by signing up for WeChat, I was assigned a China Social Credit identification number. I'm enrolled in the China Social Credit system!"

This is entirely plausible. Presumably this identifier should work similar to advertiser identifiers commonly seen among various mobile and desktop devices.

That is, each device has its own agnostic identifier independent of the owner. These device identifiers may not have an owner attached but once an owner is identified thru various nefarious methods they will be linked vary much like how apple identification works to link diseparate devices to an account holder.

As a foreigner you may not have a social credit in their system but your device must be submitted to the system which stays until they are able to link it to a verifiable account owner and determine his nationality.

Btw, here's an early happy fourth of July to y'all new world lads!

65535July 2, 2019 7:36 AM

@ Maxwell's Daemon

"If you want to see a prior version of GCHQ's graph database, it's up on GitHub last time I looked."

I looked and did not find it. Do you have a link?

SherlockHomieJuly 12, 2019 5:54 PM

I just created a nextdns account (no affiliation with them). It is essentially a raspberry pi hole in the cloud, with the benefits being you can point multiple devices to it even while away from the home very easily. Of course the negative is that your dns requests are going to a 3rd party (although you can turn off logging).

On my android phone connected to nextdns with basic ad tracking/malware dns block filters here is what I've seen over a few weeks:

** 48,007 total queries, of which 20,112 were blocked for a block rate of 41.89% **

Makes me wonder why I used my phone without this before. Cloudflare and Quad9 have now been displaced by nextdns on my phone.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.