If you don’t understand it, don’t trust it. A security researcher (Melissa Elliot, Veracode) takes apart the often piss-poor privacy and security of online services and “Cloud”-hosted applications. Then she goes into a case example of a mobile app (advertised to and used by the Occupy movement) that violated every single promise of privacy and security it made.
It’s not clear if the company that made the app was actively malicious or merely incompetent, of course. And a more tech-savvy protestor base would probably not have used it quite so blindly. But still. When some organization tells you their software is great, ignore their word and look under the hood, if you can.
(If you can’t, that’s why there’s open source.)
“In the rush to play with new online services – which, admittedly, are often awesome – it’s easy to forget that anyone with fifteen dollars in their pocket can rent a server to store your personal data in whatever haphazard way they want. It was only a few weeks ago that several high-profile sites such as LinkedIn were caught not properly storing passwords, making it far too easy on the hackers who stole them to crack them. If major websites can’t get password storage right, you can bet that most websites can’t.[…]
If most websites can’t get password storage right, you can also bet they can’t get storage of the actual content you are trusting them with right, either.
[…] this app hit it big with the Occupy protest movement, who read online or heard from their friends that it was an anonymous short-range messaging system.
Now, the first problem is that it is not obvious to everyone that this works by sending your current GPS location to a server somewhere out there on the internet, which is where the messages and their locations are stored. Many smartphone users don’t realize that it’s doing this – as I had several different people express astonishment and anger to me that the app in question was uploading their GPS co-ordinates to the internet and storing them. They wouldn’t have trusted it if they knew that.[…]
It gets worse. The promotional materials for this app claim that its key feature is being able to set the visible distance on your message down very low, to keep it – and this is a quote from their website – “inside your occupy camp” for sensitive activities such as “whistleblowing.” It seems perfectly reasonable for the end-user to expect that no-one outside the range they designate on their message could see it.
Guess again! It only took me a few minutes to write a fake client app which pretended to be in New York, enabling me to see short-range messages posted in Central Park from the comfort of my home a few states away. The app does not warn you that it has no way to validate that the client’s claimed geolocation is real, yet it assumes that it must be. It also has the disable-HTTPS-verification antifeature that is so common in mobile apps these days, making it easy to intercept users to spy on them.
The more I dug in, the worse it got. It claims in the FAQ that your mobile phone or tablet can be banned from posting if you post something offensive – yet they claim you are anonymous. Connect the dots: they can connect specific posts to specific devices. There is nothing anonymous about that whatsoever. The end result is that people with a genuine need for anonymity and privacy protections are trusting in an app that breaks every promise.”
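A toy model of the two design problems described in the quote above, added here as an example and not taken from the app or the talk: a range filter computed from client-reported coordinates, and a ban list that requires linking posts to devices. The `ToyServer` class, the `device_id` field and the sample coordinates are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2)
         * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

@dataclass
class Message:
    text: str
    lat: float
    lon: float
    radius_m: float
    device_id: str  # kept so a device can be banned, which makes posts linkable

class ToyServer:
    """Hypothetical model of the service described in the quote."""
    def __init__(self):
        self.messages, self.banned = [], set()

    def post(self, device_id, text, lat, lon, radius_m):
        if device_id in self.banned:
            return False
        self.messages.append(Message(text, lat, lon, radius_m, device_id))
        return True

    def nearby(self, claimed_lat, claimed_lon):
        # The only input is what the client reports; nothing binds the
        # request to a physical place, so the radius is a display filter.
        return [m.text for m in self.messages
                if haversine_m(claimed_lat, claimed_lon, m.lat, m.lon) <= m.radius_m]

    def posts_by_device(self, device_id):
        # Whatever data supports banning also supports attribution.
        return [m.text for m in self.messages if m.device_id == device_id]

# Constructed sample data: a point in Central Park and a 200 m radius.
PARK = (40.7829, -73.9654)
server = ToyServer()
server.post("device-A", "meet at the fountain", *PARK, 200)
server.post("device-A", "bring the banner", *PARK, 200)
```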