@josephcox is out with another barnburner of a story, this time about more than 1,000 iOS and Android apps that surreptitiously harvest users' location data. I'm assuming this works only when people enable location tracking, although I'm guessing IPs are still exposed. Someone please correct me if I'm wrong.
https://www.404media.co/candy-crush-tinder-myfitnesspal-see-the-thousands-of-apps-hijacked-to-spy-on-your-location/
=> More information about this toot | More toots from dangoodin@infosec.exchange
@dangoodin @josephcox #paywall
=> More information about this toot | More toots from adingbatponder@fosstodon.org
@adingbatponder
What’s your point?
@dangoodin @josephcox
=> More information about this toot | More toots from stepheneb@ruby.social
@dangoodin @josephcox Re the “only” part, I think I’ve seen allegations of “local network” access, with the ability to read WiFi names, being cross-correlated for location purposes. Haven’t dug in. (Edit: was wrong; see thread.)
=> More information about this toot | More toots from adamshostack@infosec.exchange
@adamshostack @josephcox
You mean an app can read the names of SSIDs? That would be crazy. What possible legitimate reason would there be for this? I'd assume iOS and Android would do this, figure out the location and, if location sharing is turned on, provide it to the app.
=> More information about this toot | More toots from dangoodin@infosec.exchange
@dangoodin @josephcox First, sorry, I was out of date.
https://apple.stackexchange.com/questions/411798/does-ios-hide-your-wifi-ssid-information-from-your-apps
https://support.netanalyzer.techet.net/article/155-why-does-the-app-need-the-location-permission-to-access-ssid-bssid
Second, because "why is that sensitive" :ablobcateyeroll:
=> More information about this toot | More toots from adamshostack@infosec.exchange
@adamshostack @dangoodin @josephcox Duo Security does this too, with “wifi fingerprinting,” but only for the purpose of noting when that particular location changes. That way you don’t need to know the geolocation of the user to decide on access; you just get alerted if it’s a different environment than usual in case you want to do step-up authentication.
=> More information about this toot | More toots from wendynather@infosec.exchange
@wendynather @adamshostack @josephcox
It seems crazy that the OSes allow apps to see nearby access points. Like I said before, I don't see any legitimate reason why apps would need this. The Duo app can simply require users turn on location sharing if they want that feature, no?
=> More information about this toot | More toots from dangoodin@infosec.exchange
@dangoodin @wendynather @adamshostack @josephcox Well, there's this rather useful Android app called Wifi Analyzer. It seems like it needs "location" permission in order to do WiFi scanning. Many apps doing Bluetooth stuff also need location permission to work. Maybe it would make more sense to have low-level WiFi and Bluetooth access as separate permissions.
=> More information about this toot | More toots from mansr@society.oftrolls.com
@dangoodin @wendynather @adamshostack @josephcox It can also create a rather annoying antipattern when setting up IoT devices. Some have apps which read the SSID the phone is connected to, to ensure it matches the one the IoT device is connected to.
I’m sure it cuts down on support calls for them, but it can be very annoying when you’re deliberately trying to put them on different networks.
=> More information about this toot | More toots from alexhaydock@infosec.exchange
@dangoodin @adamshostack @josephcox Sharing geolocation is not the same as allowing the app to see what SSIDs are around you. It’s intended to be a privacy measure for people who don’t want to share their physical location. And reading SSIDs is pretty useless for deriving physical location, unless you want to see how many people are close to the “FBI_Surveillance_Van.” 😉
=> More information about this toot | More toots from wendynather@infosec.exchange
@wendynather
Naively ... does the SSID polling also return MAC addresses "under the hood"? (If so, correlatable with efforts like WiGLE (crowdsourced wardriving mapping), etc)
@dangoodin @adamshostack @josephcox
=> More information about this toot | More toots from tychotithonus@infosec.exchange
@dangoodin @adamshostack @josephcox There are good reasons for knowing the SSIDs in some edge cases. For example, @davx5app does this so it will not try to connect to DAV servers when I am not on my home network. You have to give it explicit permission, of course.
=> More information about this toot | More toots from afx@infosec.exchange
@afx @adamshostack @josephcox @davx5app
Interesting. What, exactly, has to ask for permission? Is it the OS or the app that's asking?
=> More information about this toot | More toots from dangoodin@infosec.exchange
@dangoodin @adamshostack @josephcox @davx5app The app needs to be given access in the OS. And only when you use the feature to restrict sync to a specific SSID.
=> More information about this toot | More toots from afx@infosec.exchange
@afx @dangoodin @adamshostack @josephcox Regarding DAVx⁵, there's more information at https://www.davx5.com/faq/wifi-ssid-restriction-location-permission
=> More information about this toot | More toots from davx5app@fosstodon.org
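Two posts above describe the same platform behaviour from different angles: an app that only syncs on the user's home network (the DAVx⁵ posts) and an app that fingerprints the Wi-Fi environment to notice when it changes (the Duo post). The Kotlin below is an added illustration, not DAVx5's or Duo's code and not from the thread; it shows why such an app must hold ACCESS_FINE_LOCATION on Android (the OS redacts the SSID to "<unknown ssid>" otherwise) and how an environment fingerprint can be stored as a hash rather than as raw network names. The function names `currentSsidOrNull`, `syncAllowedHere` and `environmentFingerprint`, and the allow-list passed in, are assumptions for this example.

```kotlin
import android.Manifest
import android.content.Context
import android.content.pm.PackageManager
import android.net.wifi.WifiManager
import androidx.core.content.ContextCompat
import java.security.MessageDigest

// Hypothetical helper (not DAVx5's code). Returns the SSID the phone is joined to,
// or null when the platform withholds it.
fun currentSsidOrNull(context: Context): String? {
    // Since Android 8.1 (strictly from Android 10) the OS reports "<unknown ssid>"
    // unless the app holds ACCESS_FINE_LOCATION at runtime AND the device's
    // location services are switched on. Check the permission before reading.
    val granted = ContextCompat.checkSelfPermission(
        context, Manifest.permission.ACCESS_FINE_LOCATION
    ) == PackageManager.PERMISSION_GRANTED
    if (!granted) return null

    val wifi = context.applicationContext
        .getSystemService(Context.WIFI_SERVICE) as WifiManager
    @Suppress("DEPRECATION") // getConnectionInfo() is deprecated on API 31+ but still returns the SSID
    val raw = wifi.connectionInfo?.ssid ?: return null
    if (raw == "<unknown ssid>") return null   // redacted by the OS, or not connected
    return raw.removeSurrounding("\"")         // Android wraps UTF-8 SSIDs in quotes
}

// "Only sync on my home network": allowedSsids is the user's allow-list (assumed input).
// An unknown network fails closed, so a missing permission means no sync, not an
// accidental sync over an untrusted network.
fun syncAllowedHere(context: Context, allowedSsids: Set<String>): Boolean {
    if (allowedSsids.isEmpty()) return true                // no restriction configured
    val ssid = currentSsidOrNull(context) ?: return false
    return ssid in allowedSsids
}

// Environment fingerprint in the spirit of the Duo post: hash the sorted set of
// visible network names with a per-install salt, so the app can tell "same place
// as last time" apart from "different place" without storing the names themselves
// or deriving a geolocation. ssids would come from WifiManager.scanResults (which
// also needs the location permission); here it is just a parameter.
fun environmentFingerprint(ssids: Collection<String>, installSalt: ByteArray): String {
    val digest = MessageDigest.getInstance("SHA-256")
    digest.update(installSalt)
    for (name in ssids.toSortedSet()) {
        digest.update(name.toByteArray(Charsets.UTF_8))
        digest.update(0)                                   // separator between names
    }
    return digest.digest().joinToString("") { "%02x".format(it) }
}

// Step-up decision: compare against the fingerprint stored from the last check-in.
fun environmentChanged(stored: String?, current: String): Boolean =
    stored != null && stored != current
```

The permission itself is requested from an Activity with `ActivityCompat.requestPermissions(...)` when the user enables the SSID-restriction feature, which matches the "only when you use the feature" behaviour described above. Two caveats a practitioner would want: the fingerprint is only as stable as the set of visible networks, so a neighbour rebooting a router will flip it and the comparison should trigger step-up authentication rather than a hard block; and on Android 13 and later the separate NEARBY_WIFI_DEVICES runtime permission exists for Wi-Fi scanning, which is the split between low-level Wi-Fi access and location that one poster above asks for, though reading the connected SSID still goes through the location permission.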
@dangoodin @josephcox No, they only have the IP address; this isn’t based on location tracking.
=> More information about this toot | More toots from jinx@ioc.exchange
@dangoodin @josephcox Is this like PatternZ?
https://www.404media.co/inside-global-phone-spy-tool-patternz-nuviad-real-time-bidding/
=> More information about this toot | More toots from tasket@infosec.exchange