SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy-to-follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 140: To Track or Not to Track?

Posted on May 30, 2019

On this week’s Checklist by SecureMac: Apps are talking in your sleep, a case against tracking software for kids, a followup on ZombieLoad, and automatic updates and FileVault.

Is your phone talking behind your back? It might seem like an odd question, but the answer might be as surprising to you as it recently was to some security researchers. Here’s another question: how closely should you monitor your kids? Despite the popularity of child tracking apps, today we’ll be making a case for why you shouldn’t rush out to install them. Those stories plus tying up a few loose ends, including an update for you on ZombieLoad, make up our list this week as we check off:

  • Who Has Your Phone Been Talking To?
  • A Case Against Tracking Software for Kids
  • Tying Up Some Loose Ends

So — what’s your phone doing behind your back?

Who Has Your Phone Been Talking To?

We picked up this story from MacRumors, highlighting a piece published by The Washington Post. In it, Post writer Geoffrey Fowler, working alongside a business focused on digital privacy, subjected his phone to a day of data analysis, using custom-built software to collect information about what the device did on its own — that is, with tasks running in the background.

Fowler reported that the results were startling: unexpected apps used his phone’s “background refresh” feature, and often quite frequently at that. Background refresh is the type of service that allows your email app to automatically download new messages when they arrive; the app “refreshes” its data by connecting to the web and checking in with a server in the background. The data transmissions that Fowler discovered were just as surprising.

Throughout one night, servers from three separate companies — Amplitude, Appboy, and Demdex — communicated with apps on Fowler’s phone to collect information such as his phone number and email, digital fingerprints (e.g., unique identifiers to build a device profile), and more. 

Now, if your first thought is, “He must be using some crappy apps,” that’s not an unreasonable response; we’ve covered the concerns surrounding unsavory app developers here on The Checklist many times. However, the apps in play here are likely ones that you know because they come from some big-name players — Yelp, Spotify, The Weather Channel, Microsoft OneDrive, and funnily enough, even one of The Washington Post’s own apps.

“Okay,” you say, “then it’s just crappy Android phones again.” But no — Fowler is an iPhone user, and all these tests were conducted on an up-to-date iPhone. So, what does Apple have to say in response to these findings? Quoting now from the statement they supplied for the Post’s article:

For the data and services that apps create on their own, our App Store Guidelines require developers to have clearly posted privacy policies and to ask users for permission to collect data before doing so. When we learn that apps have not followed our Guidelines in these areas, we either make apps change their practice or keep those apps from being on the store.

In other words, Apple promises to shut the barn door once the horse has bolted. Some of the apps were indeed breaking policies; Citizen, for example, shared information that violated the app’s own privacy policy, though the offending portion of the app was later removed. Yelp, meanwhile, phoned home with data every five minutes. The company claims that was a bug that has since been addressed. Nonetheless, it’s clear that there were multiple offenders among apps many people would trust implicitly. 

Apple could do better, it’s true; at the same time, they face many challenges with the app store, and some developers will always look for a way to skirt around the rules or to get by on a technicality to keep on collecting data for behind-the-scenes analytical efforts. Then, of course, there’s the privacy policy: when was the last time you actually read one for an app you installed? Maybe the collection was disclosed, but for most users, that information is not easy to find.

Even if you are OK with some of these apps collecting information on you — it’s ostensibly to make the user experience better, right? — it’s not just those apps that end up with the information. DoorDash, for example, was employing nine trackers in total in its app, on top of Facebook and Google’s ad services — so those companies know when you’re placing an order for delivery, too. DoorDash is not unique in this regard.

According to MacRumors and the Post, Fowler encountered more than 5,000 trackers within apps in just one week of investigating. Disconnect, the privacy firm that supplied the tools for this undertaking, said that such a large number of trackers could likely transmit more than a gigabyte of information back to servers over the Internet in a month. Better hope you’re connected to Wi-Fi!

There’s good news, though: there are things you can do right now in lieu of any sea changes in Apple’s stance towards combating this sharing. 

First, there’s our good old friend, the VPN: using a VPN on your iOS device or your Mac will keep the servers your apps talk to from seeing your real IP address, which can prevent some forms of geolocation.

Next, if you want to turn off background refresh to stop this sharing altogether, you can do that. Be aware this may cause some apps to launch more slowly when you come back to them after some time away. Head to your Settings app, tap on General, find Background App Refresh, and then toggle it off or on as you’d like. It’s simple, quick, and an easy way to lock down your phone even further if you’re concerned about advertisers and others building profiles about your app and device usage. 

A Case Against Tracking Software for Kids

Here on The Checklist, so much of what we do and discuss centers around keeping you and your loved ones safe in an increasingly dangerous digital world. Sometimes, though, our desire for safety can lead us to engage in some unsafe behaviors. We got to thinking about this subject after the website The Conversation recently ran an article that raised serious questions and concerns about apps designed for tracking and monitoring children. The article’s author, John Michael Reynolds, is an assistant professor of philosophy at UMass Lowell, and states that he is entirely against the usage of these apps. 

Reasoning through it, Reynolds listed three reasons you shouldn’t put tracking apps on your child’s phone. One of them ties back into his role as a philosophy professor — Reynolds suggests that using such apps can harm or even break the bonds of trust between a child and their parents. That’s above our pay grade, so we’ll leave that one to you. The other two reasons, though, are more on our level.

The first of those two: these companies are tracking your kids for profit. Remember, these companies aren’t providing you with these services out of the goodness of their hearts; they’re trying to make money, and lots of it. They don’t do that by protecting your kids — they do it by selling the data generated by protecting your child. Every time you use these apps, you’re permitting these companies to collect data, including location info, which they can use for profit. If you think about it for too long, it starts to feel pretty shady — especially when you consider that the designers of these apps encourage you to use them throughout the day, providing a never-ending stream of info.

The next reason: the risk of a data leak. 

Devices can often be tracked even if you have location services turned off just by correlating IP addresses with known Wi-Fi networks and other similar information. A study done by MIT revealed that the availability of four location data points with relevant time stamps was enough info to identify people with a near-95% accuracy rate. Data about where you are, where you’ve been, and where you’re going is incredibly valuable to these companies — and maybe that’s all well and good, but what happens when a hacker breaks in and steals a database? Or worse, when a company leaves it up unsecured on the Internet for anyone to find?

In other words, there’s just too much risk there — that info can open you up to all kinds of personal privacy problems that are better left alone.

Reynolds does note that there are times when throwing caution to the wind is acceptable — such as when you suspect your child may be a threat to themselves or others, or when you’re concerned they’re engaged in unlawful activity. These circumstances are rare exceptions, however, and not the rule that you should follow. Instead — have a conversation with your kids. 

Tying Up Some Loose Ends

We’ve got a few bits and bobs lying around here — let’s tie up some loose ends and bring you some quick updates and minor questions.

First up, an update on ZombieLoad, the new side channel attack similar to Meltdown and Spectre that we discussed a few weeks ago. This is a flaw affecting numerous Intel processors and could allow the bad guys to read secret data straight out of your processor. 

Are you wondering whether your Mac will get a fix for that problem? If it’s eight years old or less, then yes — in fact, you’ve probably already got the update you need. If your Mac is older than eight years, well, congratulations on getting your money’s worth! But also, no — you probably aren’t going to get a fix. Joking aside, AppleInsider says that the reason some pre-2011 Apple computers can’t receive the relevant updates from Apple is that they use older processors for which Intel has declined to furnish firmware code.

If you’ve been running your updates, you should be fine, as all processors made since 2011 have since received the relevant fixes from device manufacturers. Most machines from before 2011 are immune to ZombieLoad itself, but similar attacks could still be possible on some Mac models because Intel won’t help. Apple’s lists contain Macs produced from 2009 to 2010; these are vintage models able to run macOS Mojave, but for those who are still using these computers, it might be time to consider an upgrade. Just because you can run this software doesn’t necessarily mean you should, as you’re increasingly at risk of vulnerabilities as the ability to patch them goes away. 

Moving on to our last bit for today’s show, we received an email from a listener named Daniel. Daniel writes:

You’ve mentioned a few times now that you recommend having automatic updates turned on, especially on Macs. I understand the general reasoning behind that and so recently changed my Mac and iOS devices to automatically install updates. 

However, I then realized that this can cause a problem when a Mac has FileVault enabled and is used as a home server for say network file access, running automation tasks, or for remote access when away from home. 

The problem here is that when the Mac auto-reboots to complete installation of the updates, the user must authenticate for FileVault before the Mac OS will fully load. So, in the worst case, someone may go away on a trip expecting they can remote into their Mac at home when they need to, only to find that their Mac rebooted after installing an update and is no longer accessible remotely. 

Granted it’s a bit of a specific scenario but thought I’d mention it and ask if you know of any solutions to this?

Great question, Daniel, thanks! While most people might not encounter an “edge case” like this one, where they use automatic updates, FileVault, and remote access, it’s still an interesting scenario to think through. The first thing to note is that in a specific scenario such as this, the usual advice might not apply; you must balance convenience for yourself with the need for security.

The best (free) solution would be to leave automatic updates on for your iOS devices and other Macs but to turn them off for your file server. While this does mean there could be a window of opportunity for an attack if a critical update comes out and you forget to run the update, you won’t run into this kind of scenario. If you have updates run on a weekly instead of a daily basis, you’re still more likely than not to end up protected from any would-be bad guys. In most cases, automatic updates are just a matter of convenience. You don’t have to worry about keeping up with things, and if something is critical, you’ll get a fix long before you’re ever a target.

Thanks for writing in, Daniel!
