In the rush to play with new online services – which, admittedly, are often awesome – it’s easy to forget that anyone with fifteen dollars in their pocket can rent a server to store your personal data in whatever haphazard way they want. It was only a few weeks ago that several high-profile sites such as LinkedIn were caught not properly storing passwords, making it far too easy on the hackers who stole them to crack them. If major websites can’t get password storage right, you can bet that most websites can’t. I made a suggestion to websites everywhere to start advertising how they store passwords if they want to earn their customers’ trust by demonstrating that they do it correctly. The idea was a big hit with end-users but I haven’t seen any websites try it out yet.
If most websites can’t get password storage right, you can also bet they can’t get storage of the actual content you are trusting them with right, either. The private documents that you stored with your favorite cloud service are probably not encrypted in a way that only your account can decrypt, if they’re encrypted at all. The mobile app or website you use to access those documents may send your password and your files “in the clear,” enabling that shady-looking person on the other side of the café to snoop on you. They may advertise that they use encrypted connections but then disable verification in the mobile app so as to “not complicate the interface.” Someone could hijack your connection and the app would never notify you of the error. I have seen all of these problems in real-world cloud apps used by thousands of people.
If you follow any tech blogs, you’ve heard all these warnings before. Over the Independence Day holiday, however, I found a different kind of privacy violation in a fun little app that sounds like a great idea. The premise is this: your phone has a GPS in it, right? It’s a messaging app which posts messages to other people running the same app who are physically near you. It does not have a username or password, so it’s anonymous, or so the advertising information claims. Suggested uses are for chatting with your classmates, with other people attending the same event, or for organizing a political rally. The fact that you are physically present is all the “identification” you need to certify yourself to the other participants. In fact, this app hit it big with the Occupy protest movement, who read online or heard from their friends that it was an anonymous short-range messaging system.
Now, the first problem is that it is not obvious to everyone that this works by sending your current GPS location to a server somewhere out there on the internet, which is where the messages and their locations are stored. Many smartphone users don’t realize that it’s doing this: I had several different people express astonishment and anger to me that the app in question was uploading their GPS co-ordinates to the internet and storing them. They wouldn’t have trusted it if they had known that.
It gets worse. The promotional materials for this app claim that its key feature is being able to set the visible distance on your message down very low, to keep it – and this is a quote from their website – “inside your occupy camp” for sensitive activities such as “whistleblowing.” It seems perfectly reasonable for the end-user to expect that no-one outside the range they designate on their message could see it.
Guess again! It only took me a few minutes to write a fake client app which pretended to be in New York, enabling me to see short-range messages posted in Central Park from the comfort of my home a few states away. The app does not warn you that it has no way to validate that the client’s claimed geolocation is real, yet it assumes that it must be. It also has the disable-HTTPS-verification antifeature that is so common in mobile apps these days, making it easy to intercept users’ connections and spy on them.
The more I dug in, the worse it got. It claims in the FAQ that your mobile phone or tablet can be banned from posting if you post something offensive – yet they claim you are anonymous. Connect the dots: they can connect specific posts to specific devices. There is nothing anonymous about that whatsoever. The end result is that people with a genuine need for anonymity and privacy protections are trusting in an app that breaks every promise.