SecureMac, Inc.

Checklist 230: Waiting for Various Labels

May 14, 2021

This week on The Checklist: Google Play privacy nutrition labels, AirTag and child safety issues, and the very first AirTag “hack”!

Checklist 230: Waiting for Various Labels

This week on The Checklist, we’ll discuss:

Privacy in Google Play

When Apple introduced its “privacy nutrition labels”, they were hailed as a big win for users. The labels are self-reported summaries of app developers’ privacy practices. They can be found on any app’s page in the App Store. Privacy labels let people see how their personal data is being collected and shared, and how it’s being used to track them.

Google is now taking a page out of Apple’s playbook. Starting in 2022, the company will be adding privacy labels to Google Play, the app marketplace for Android users. Google will require developers to self-report their privacy practices just like Apple does. This information will be made available to users in the “safety” section for each app on Google Play. The Google privacy labels will include information about how an app collects, shares, and secures user data. The company says that it will take action against developers who violate Google Play policies or who inaccurately report their privacy practices.

That sounds good … but some observers are still skeptical. A piece in Business Insider points out that unlike Apple, Google is, at its core, a company that collects and monetizes user data. The author worries about the fact that privacy information will be lumped in with security information, which could make it hard for people to actually use Google’s privacy labels. As he remarks: 

It’s almost as if the goal is to put so much information into the safety section that a user won’t be able to tell what really matters, which is how much of their data and activity is being collected in the name of monetizing their personal information.

Only time will tell if Google Play privacy labels are as user-friendly as their Apple counterparts. If they are, that’s great news for Android users. But if not … well, a label that no one reads (or understands) is pretty much the same as no label at all.

AirTag and child safety

AirTag is Apple’s new device tracker. It works on the Find My network and can be used to locate everything from lost luggage to misplaced car keys. 

We talked about AirTag on a previous Checklist — and addressed some of the privacy concerns around the new device. But now that AirTag has been out for a couple of weeks, some safety worries have emerged as well.

Retailers in Australia have pulled AirTag from their shelves over concerns that its “button battery” could be removed and swallowed by children. So far, Australian chains Officeworks, JB Hi-Fi, and Big W have all stopped selling AirTag.

Doctors say that small batteries like the ones used in AirTag are much more than just choking hazards. If a button battery gets caught in the throat, the liquid there can create a circuit — causing serious damage to the lining of the esophagus, and almost certainly requiring surgical intervention. Australia is particularly sensitive to these dangers after a number of well-publicized deaths of children who swallowed small batteries.

While a product redesign is not expected, Apple is reportedly updating AirTag’s packaging to include warnings that will conform to Australia’s upcoming (2022) product safety regulations.

Hacking AirTag

It was bound to happen … a security researcher has hacked an AirTag, effectively “jailbreaking” the little tracking device.

The researcher, who goes by the handle “stacksmashing”, managed to dump an AirTag’s firmware and reprogram its microcontroller. This allowed him to change the NFC URL that shows up in AirTag alerts, replacing it with a custom message.

Interesting, yes … but is this a security issue?

Probably not. For one thing, Stacksmashing says that it took him hours to produce an altered AirTag — and that he destroyed a couple of AirTags in the process. And while it’s conceivable that someone could modify an AirTag and use it to redirect a person to a malicious website, that’s probably not a scenario most people are likely to encounter.

Meanwhile, a different group of researchers has found a way to subvert the Find My network used by AirTag. They discovered that it’s possible to get the network to upload arbitrary data to Apple devices — simply by sending out said data as “Find My-style broadcasts”.

In other words, if you wanted to, you could build a specialized device to broadcast encrypted data that would get picked up by nearby Apple devices. You wouldn’t even have to connect your device to the Internet for this to work. Because of the way Find My is designed, your data would just be automatically uploaded to nearby devices — and there would be no way for Apple to monitor the data or stop it from being uploaded.

It doesn’t sound like much … and from the point of view of personal security, it probably isn’t! But the researchers who discovered the phenomenon say that it could have a very specific use case: to “exfiltrate data from … airgapped systems or Faraday-caged rooms”. Such precautions are normally found in high-security environments, which means that anyone trying to use the Find My network in this way would probably be doing it for purposes of espionage.

But as for the rest of us — folks who don’t work in top-secret labs or at alphabet agencies — there’s probably not much of a security risk from AirTag hacking.

To learn more about digital security and privacy while you’re waiting for the next Checklist, check out our show archives. And as always, if you have a question that you’d like to have answered on the podcast, write to us and let us know.

Get the latest security news and deals