Connect with us

Security

An IPhone App that Protects your Privacy for Real

Published

on

THE DATA ECONOMY has too often betrayed its customers, whether it’s Facebook sharing data you didn’t even realize it had, or invisible trackers that follow you around the webwithout your knowledge. But a new app launching in the iOS App Store today wants to help you take back some control—without making your life harder.

The Guardian Firewall app runs in the background of an iOS device, and stymies data and location trackers while compiling a list of all the times your apps attempt to deploy them. It does so without breaking functionality in your apps or making them unusable. Plus, the blow by blow list gives you much deeper insight than you would normally have into what your phone is doing behind the scenes. Guardian Firewall also takes pains to avoid becoming another cog in the data machine itself. You don’t need to make an account to run the firewall, and the app is architected to box its developers out of user data completely.

“We don’t log IPs, because that’s toxic,” says Will Strafach, a long-time iOS jailbreaker and founder of Sudo Security Group, which develops Guardian Firewall. “To us, data is a liability, not an asset. But to think that way you’ve got to think outside the box, because it means you can’t just choose the simplest solutions to engineering problems a lot of times. But if you are willing to spend the time and resources, you can find solutions where there isn’t a privacy downside.”

Block Party

The Guardian Firewall development team, which also includes noted jailbreaker Joshua Hill, currently comprises four engineers and two security researchers, and the app translates their collective knowledge about App Store services into automatic blocking for modules within apps that are known to be potentially invasive. The service costs $10 per month, or $100 per year. You pay through an in-app purchase using your AppleID, which means Guardian Firewall doesn’t manage the transaction or the data associated with it. The team doesn’t have immediate plans to expand to Android, because their expertise lies so specifically in iOS.

LILY HAY NEWMAN COVERS INFORMATION SECURITY, DIGITAL PRIVACY, AND HACKING FOR WIRED.

To start using Guardian Firewall, all you do is tap a big button on the main screen. It turns green and says “Protection is on.” From the user’s perspective, that’s it. Under the hood, the app establishes a virtual private network connection, and creates a random connection identity for it to keep track of people’s data without knowing who they are. If you turn Guardian Firewall protection off and then on again, the app establishes a new connection and new connection identity, meaning that there’s no way to connect the dots between your sessions.

LILY NEWMAN VIA GUARDIAN
LILY NEWMAN VIA GUARDIAN

The app uses its VPN connection to filter your data in the cloud, but the stream is fully encrypted. Guardian Firewall has automated machine learning mechanisms that evaluate how an app behaves and, particularly, whether it sends out data to third parties, like marketing analytics firms. The idea is to flag whenever an app tries to communicate beyond its own infrastructure. Guardian Firewall is also able to detect and block other types of potentially invasive behavior, like page hijackers that push mobile pop-ups.

Apple itself has already been working on baking similar protections directly into iOS, particularly when it comes to blocking web trackers in Safari that would otherwise fingerprint users across multiple sites. But Guardian Firewall aims to go a few steps further, and to apply across all apps.

Test Drive

I’ve been testing Guardian Firewall on and off for months, and have found it easy to leave it running in the background. The connection doesn’t seem to slow things down on my phone or eat my battery, and the list of trackers the app has blocked is constantly growing—310 location trackers, seven page hijackers, and 3,200 data trackers so far. It felt a little uncomfortable at first to have something constantly running in the background, but it was fascinating to see all the shenanigans happening on my iPhone all the time. Some beta testers have noted that they wish Guardian Firewall offered a customizable blacklisting feature, instead of only automated blocking. But I didn’t personally feel a desire to put time into customizing the app. To me the whole value is in “set it and forget it.”

“‘How can we trust you?’ is just such a valid question for users to be asking all app makers.”

WILL STRAFACH, SUDO SECURITY GROUP

Guardian Firewall has already engineered its way around at least one privacy conundrum during its limited prerelease. Someone essentially launched a denial of service attack against the service by rapidly initiating a deluge of connection requests all at once. Guardian Firewall couldn’t check what IP address or addresses the requests came from, though, because it doesn’t record IP addresses. The team could have solved the issue by altering its policy to access IP addresses during the small window when devices are establishing their connection and then delete the data. But “we determined that that would go against our values,” Strafach says.

Instead, the developers devised a workaround that uses a device check offered by Apple, but encrypts the check so Guardian Firewall itself can’t see the data that’s sent to Apple. The only thing Guardian Firewall finds out at the end of the process is whether the device is a legitimate iOS device or not.

As with any VPN, the ultimate test of Guardian Firewall’s privacy protections and approach to minimal data retention would be a subpoena that is later made public through a trial in which the service has nothing to hand over. And Strafach says that while the company will cooperate with investigators if necessary as required by law, the company has taken precautions both internally and in contracts with its infrastructure providers to ensure that it can be transparent with users about any law enforcement requests.

“Looking over their privacy policy it looks really good,” says William Budington, a senior staff technologist at the Electronic Frontier Foundation. “You’re not logging in, and there’s radical data minimization in general. If they don’t have data stored on a server then a breach or buy-out won’t actually have that much of a negative impact. But keeping an eye on the privacy policy and news about the company is a good practice in general with VPNs, because things can slowly change.”

Not Just Another VPN

Of course, many of the same questions about trust apply to Guardian Firewall as they do to other VPNs. You’re still sending all of your data to their server. But at least Guardian Firewall uses the built-in iOS VPN application programming interface instead of trying to reinvent the wheel, and the encryption scheme protecting your data similarly draws on vetted industry standards, rather than anything proprietary. Strafach also says Guardian Firewall’s goal is to be as open and transparent about its actions as possible—and agrees that people should think carefully about whether it suits their specific needs, as they should for any app.

“People should know exactly what Guardian is doing and if it’s just a concept they don’t like, or they think we’re not the right data custodians for them then so be it, that’s cool,” he says. “‘How can we trust you?’ is just such a valid question for users to be asking all app makers.”

One thing Guardian Firewall can’t currently do is identify what specific apps trigger its tracking alerts, a feature that I found myself wishing it had. If anything, though, the absence helps solidify its privacy cred. Strafach and his team hadn’t figured out how to achieve that granularity without inadvertently creating a potentially identifiable data set of all the apps on your phone. An upcoming solution still won’t directly connect warnings to specific apps, but will instead show the apps that were running at that timestamp that could have cased the alert.

“All you’ll be able to see is ‘at this time we saw this tracker and these are the apps which could be causing it,'” Strafach says. “So maybe that’s one app or maybe three, but it’s a compromise that gives more of the answer users want while it respects their privacy.”

“Clearly the biggest risk to the everyday iOS user is apps surreptitiously tracking them, which unfortunately the majority of apps do—rather massively,” says Patrick Wardle, a Mac security specialist. “Guardian generically thwarts such trackers. I love that Will and Josh, who are former jailbreakers, tackled this. I bet it wasn’t easy, but with their unique skills they are probably one of the few teams that could figure it out and make it all seamlessly work in the constrictive iOS environment.”

It’s complicated and resource-intensive to make all of these wild workarounds happen, but if Guardian Firewall can do it and be financially viable, Strafach hopes that the project will become a sort of case study that privacy pays. With so many companies in the marketplace seemingly convinced that that’s not the case, there’s a lot riding on its success.

Source: https://www.wired.com/story/guardian-firewall-ios-app/

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Security

Kaspersky raises alarm over security breaches through apps

Published

on

By

Cybersecurity firm, Kaspersky, has raised an alarm over security breaches, which emanated from apps downloads.

According to it, the target has primarily become mobile devices. Kaspersky noted that in 2019 the number of worldwide mobile phone users is expected to reach 4.68 billion of which 2.7 billion are smartphone users.

It noted that with smartphone users increasing, it makes users more vulnerable. Kaspersky said with several unsecured Wi-Fi connections, network spoofing, phishing attacks, ransomware, spyware and improper session handling – mobile devices make for the perfect easy target. In fact, according to Kaspersky mobile apps are often the cause of unintentional data leakage.

General Manager for Kaspersky in Africa, Riaan Badenhorst, said: “Apps pose a real problem for mobile users, who give them sweeping permissions, but don’t always check security. These are typically free apps found in official app stores that perform as advertised, but also send personal – and potentially corporate – data to a remote server, where it is mined by advertisers or even cybercriminals.

“Data leakage can also happen through hostile enterprise-signed mobile apps. Here, mobile malware uses distribution code native to popular mobile operating systems like iOS and Android to spread valuable data across corporate networks without raising red flags.”

In fact, according to recent reports, six Android apps that were downloaded 90 million times from the Google Play Store were found to have been loaded with the PreAMo malware, while another recent threat saw 50 malware-filled apps on the Google Play Store infect over 30 million Android devices. Surveillance malware was also loaded onto fake versions of Android apps such as Evernote, Google Play and Skype.

Kaspersky said considering that as of 2019, Android users were able to choose between 2.46 million apps, while Apple users have almost 1.96 million app options to select from, and that the average person has 60-90 apps installed on their phone, using around 30 of them each month and launching nine per day – it’s easy to see how viral apps take several social media channels by storm.

Enterprise Sales Manager at Kaspersky in Africa, Bethwel Opil, “In this age where users jump onto a bandwagon because it’s fun or trendy, the Fear of Missing Out (FOMO) can overshadow basic security habits – like being vigilant on granting app permissions.

In fact, accordingly to a previous Kaspersky study, the majority (63 per cent) of consumers do not read license agreements and 43 per cent just tick all privacy permissions when they are installing new apps on their phone. And this is exactly where the danger lies – as there is certainly ‘no harm’ in joining online challenges or installing new apps.”

However, it is dangerous when users just grant these apps limitless permissions into their contacts, photos, private messages, and more. “Doing so allows the app makers possible, and even legal, access to what should remain confidential data. When this sensitive data is hacked or misused, a viral app can turn a source into a loophole which hackers can exploit to spread malicious viruses or ransomware,” Badenhorst added.

Kaspersky advised that online users should be mindful and be more careful when it comes to the Internet and their app habits including: only download apps from trusted sources. Read the reviews and ratings of the apps as well; select apps you wish to install on your devices wisely; read the license agreement carefully; pay attention to the list of permissions your apps are requesting. Only give apps permissions they absolutely insist on, and forgo any programme that asks for more than necessary; avoid simply clicking “next” during an app installation; for an additional security layer, be sure to have a security solution installed on your device.

“While the app market shows no signs of slowing down, it is changing. Consumers download the apps they love on their devices which in turn gives them access to content that is relevant and useful. The future of apps will be in real-world attribution, influenced by local content and this type of tailored in-app experience will lead consumers to share their data more willing in a trusted, premium app environment in exchange for more personalised experiences. But until then, proceed with caution,” Opil said.

Source: https://guardian.ng/business-services/business/kaspersky-raises-alarm-over-security-breaches-through-apps/

Continue Reading

Security

Google publishes Android Q Security Release Notes

Published

on

By

The public release of Android Q is officially a “few weeks away,” and Google is gearing up for the launch. “Android version Q Security Release Notes” published today detail the vulnerabilities addressed by the upcoming version of the OS.

These “Security Release Notes” were published to the 2019 Android Security Bulletins list that’s usually updated on the first Monday of every month. Appearing as the very last entry, this document is formatted in a similar manner. An “Announcements” section states how:

  • The issues described in this document are addressed as part of Android Q. This information is provided for reference and transparency.
  • We would like to acknowledge and thank the security research community for their continued contributions towards securing the Android ecosystem.

A new security patch level of 2019-09-01 is mentioned even though Android Q Beta 6 devices today are still on August 2019. Google notes how “Android Q, as released on AOSP, has a default security patch level of 2019-09-01.”

Android Q, as released on AOSP, has a default security patch level of 2019-09-01. Android devices running Android Q and with a security patch level of 2019-09-01 or later address all issues contained in these security release notes.

However, the fact that Android Q is running the September security patch should not be surprising as Google has been targeting Q3 2019 since March for a public launch.

There are 2 vulnerabilities relating to the Android runtime, 24 as part of Framework, and 2 in Library. Media framework lists 68 and System 97. All entries are classified as “Moderate” severity.

Source: https://9to5google.com/2019/08/20/android-q-security-release-notes/

Continue Reading

Security

Lightning-compatible YubiKey 5Ci could secure your iPhone logins

Published

on

By

iPhone owners with a mind toward security have a new option for protecting their online accounts. On Tuesday, security key manufacturer Yubico announced the $70 YubiKey 5Ci, which the company says is the world’s first Lightning port-compatible security key.

At launch, the 5Ci supports a variety of popular password managers, including 1Password, Dashlane, LastPass and Bitwarden. It’s also compatible with authentication services like Okta. In all those instances, you’ll be able to plug in the 5Ci into your iPhone, launch the security app of your choice and log in to an online account without ever entering a password. And if you happen to use Brave instead of Safari for web browsing, the 5Ci removes the need to first open a password manager first in the case of some online services.

The 5Ci also includes a USB-C port for when you need to log in through an Android device or computer. However, one limitation of the 5Ci is that it currently doesn’t work with the 2018 iPad Pro. We’ve reached out to Yubikey to find the exact reason for this limitation, but we suspect it has something to do with restrictions iOS 12 places on USB-C connectivity. That could change when iOS 13 comes out this fall. The Yubikey 5Ci also doesn’t work with any FIDO-compliant service or app out of the box. In a statement to The Verge, Yubico said third-party developers must add support for the 5Ci to their apps individually. A full list of compatible services is available on the company’s website.

If you’re not familiar with physical security keys, they’re currently one of the most effective ways to protect yourself against online hackers because they remove the need for passwords and one-time codes, both of which malicious individuals can easily intercept in the right circumstances. In 2018, Google said it was able to reduce successful phishing attacks on its 85,000 employees to zero thanks to a new policy of mandatory security keys.

However, at $70 the 5Ci is one of the more expensive security keys out on the market. If you’re looking for something more affordable, Yubico also offers the $45 YubiKey 5 NFC, which is similarly compatible with the iPhone. Another option is Google’s $50 Titan security key, which has the advantage of also working through Bluetooth. And while a security key will help keep you as safe as possible, most people need to start with a simple password manager, as reused passwords are the single largest culprit behind hacked accounts. Once you have a password manager, a security key like the YubiKey 5Ci is a good next step if you want to further secure your online accounts.

Source: https://www.engadget.com/2019/08/20/yubico-yubikey-5ci-iphone-lightning/

Continue Reading
Advertisement

Trending

%d bloggers like this: