SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 106: Breaking Down Breakdowns in the Mac App Store

Posted on September 13, 2018

This week, we’re taking a bit of a different approach to our show. Instead of presenting you with a list of topics and running down several separate stories, this week we’re focusing in on one major story that’s developed over the last week or two: breaches within Apple’s walled garden, the App Store. If you’ve heard disturbing stories about apps stealing your data and sending it off to China, or rumors about a major tech company (Trend Micro) fumbling the ball and mishandling user data, chances are good you’ve got plenty of questions about what’s going on. And if you’re just hearing about these things for the first time, we’re here to bring you up to speed.

So, on this week’s Checklist, we’re taking a deep dive into what’s been going on here. What happened? Who is responsible?  What will  be the consequences? Those are the questions we’ll be exploring as we search for answers in this week’s discussion.

Breaches Within the Walled Garden

This entire saga began with a simple app called Adware Doctor. Topping the “Paid Apps” chart on the App Store in the utility category, Adware Doctor claimed to be a simple but helpful tool: a fast and easy way to identify adware threats on your Mac, including browser extensions, and to remove them painlessly. According to researcher Patrick Wardle, however, it did more than just that. Adware Doctor also made a list of all the software you had installed, all the current processes running, and most chilling of all, a copy of your browser history.

In some cases, this data was being collected by Adware Doctor and transmitted off your machine to a remote server in China. As we know, China does not have nearly the same level of restrictions or rules in place regarding the storage and handling of sensitive user data — so once it reaches a server overseas, what happens to it is anybody’s guess. Of course, Apple has rules in place to prevent something like this from happening. However, the developers of Adware Doctor used an exploit to get around them and gather the data anyway. Once this news became public, it didn’t take long before Apple de-listed the software from the App Store altogether.

If that was where the story stopped, it’s likely we’d only be talking about this story as one part of a broader, more general discussion. Instead, the removal of Adware Doctor kicked off a chain reaction that led to the discovery of similar, though “less bad,” behavior on the part of another developer. When something like the Adware Doctor incident occurs, it’s not entirely surprising given that the developer is small-time and not a major company. When it is a major company that turns out to be gathering user info without giving information that’s necessarily easy to find, though, well — that gets more people to sit up and pay attention. So, if you heard the name “Trend Micro” getting thrown around in headlines lately, here’s why.

Not long after the initial Adware Doctor reports, information came out suggesting that several Trend Micro products did something similar by collecting 24 hours’ worth of a user’s browsing history across all browsers, plus recent search times and a complete list of the user’s software. Using an “open file” dialog box, the apps could gain access to a user’s home folder and thus all the relevant data. The affected products included:

  • Dr Cleaner (and Pro version)
  • Dr Antivirus
  • Dr Unarchiver
  • Dr Battery
  • Duplicate Finder

At first, many believed it was an impostor and not Trend Micro itself; however, it quickly became clear that the security giant was responsible for these products. Not long after, Apple pulled at least two of the apps from the store and suspended the developer’s account.

According to Trend Micro, there was no malicious purpose behind these actions, and they point out that they never allowed the data to leave US shores. Furthermore, the company stated, this collection action was clearly spelled out in the End User License Agreement (EULA) everyone had to agree to during installation. And as we all know, everyone takes all the time they need to read every EULA they see… right? The appearance (and disappearance) of these apps is troubling because Apple claims to create a “walled garden” of safety within the App Store, yet these snuck in — so how do we know they got them all? That’s a tough question to answer, but we’ll get to concerns about Apple’s reputation shortly. First, some more details, as Trend Micro undertook an “investigation” of their own, posting daily updates to the company blog.

No sooner after the company’s initial announcement, they shared an apology with the community and reassured all users that their data had never left US shores and that they never experienced a breach. They then stated that their developers had removed the “feature” from all the affected apps and deleted all the logs they already had stored. Trend Micro then stated that, to their chagrin, it appeared the data collection utility was a part of a common code base they developed — thus, the “feature” ended up in non-security apps, like Dr Battery, when it should not have.

Now, this on its own isn’t necessarily a bad thing. Many developers re-use code by developing a common base of code, because it saves time and allows for easy troubleshooting. In this case, the code was written for a special purpose with legitimate reasoning — but the execution leaves something to be desired regarding being transparent and open about what’s going on in the software. More than that, Trend Micro should’ve been much more familiar with their own code base.

As shady as collecting your browser history may sound — and in the case of Adware Doctor, it certainly was — it was for a good reason on Trend Micro’s part. In fact, it makes sense from an anti-adware perspective, as it can allow the company to see where a user may have encountered the adware originally. It could also enable the company to research and even uncover new types of adware. However, their informational procedures here were really lacking; collecting something as sensitive as a user’s browsing history should come with a big alert, not something buried in the EULA.

Speaking of the EULA, its inclusion of the collection utility was probably what let it get onto the App Store. Adware Doctor’s developers are probably done for good on the App Store in their current iteration (hopefully) because their actions were less legitimate and far more egregious. That all being said, Trend Micro’s EULA probably contains a very generic user data collection clause — so it’s unlikely that even if users had read it through they would know precisely to what they had agreed. Asking users up front should’ve been the way to go; if they say no, the company loses comparatively little, and one would assume their products would still function as intended. If they say yes, the user has granted truly explicit permission, and Trend Micro could have pointed to a clear message instead of a vague EULA.

What about Apple’s role in all this? We should know by now that the company’s review process isn’t ironclad. The review process focuses on ensuring that the app functions and runs, and not necessarily so much with security outside of the basics. There’s plenty of room for improvement in the app review process from that perspective, but Apple could be doing more for solving problems after the app goes live, too. Apple’s process for communicating with the security community is not good, with no direct line to report security issues, and a catch-all email address for the App Store that means many messages can end up buried. We’re noticing a trend where Apple waits until a story breaks into the news before rushing to fix these problems. With a more direct line, these issues could be fixed much faster.

So, what about EULAs? We’ve joked for years, and plenty on this show, about how no one reads them due to the length, heavy legalese, and the desire to just get a program installed. Is there any way that we can approach EULAs to make them more accessible so that users will understand what they’re agreeing to when they install software? Unfortunately, this is not really what most companies want to do; while some provide synopses and guides to their EULAs, most are simply trying to protect themselves, and thus the legal need will always exist. The better solution is to include the information in the EULA but to also put explanations within the software itself. If Trend Micro had merely explained why they needed the data to users, chances are many would continue to allow collection to occur.

That concludes our look into this topic for today. As Trend Micro continues to do damage control and speculations swirl about what this means for the App Store in general, remember to be extra vigilant about the types of things you install on your Mac. Remember that if something sounds too good to be true, it probably is. Strenuously question why you really need five different apps that claim to “speed up” your Mac or that say they’ll find improvements to make to your machine.

Not only can you often do many of the same things within macOS already or with an all-in-one tool, but you often don’t even need the services these apps peddle. The easiest way to avoid having your information swept up in a shady manner such, as we discussed in today’s discussion, is to avoid these apps altogether. Your Mac may not be an impenetrable fortress, but there is still a whole lot of snake oil out there trying to convince users to download unnecessary software.

With that, we’ll put this one in the books. Want to go back and check out some of the other stories and topics we discussed in recent weeks and months? The Checklist Archives have everything you need to do just that, from complete episode audio to full show notes so that you can take your own deep dives into the subjects of your choice.

Join our mailing list for the latest security news and deals