- Terms of Service:
    - Are purposely made lengthy and kept vague in order to confuse the customer and lose their attention.
    - By accepting Google's TOS you allow it to collect and store data on your device. The agreement gives specific examples of how it will store data on your computer, but it does not say what data it is going to collect:
        - "We may collect and store information (including personal information) locally on your device using mechanisms such as browser web storage (including HTML 5) and application data caches."
    - University of Chicago law professor Omri Ben-Shahar, who specializes in contract law and has written a book on the uselessness of TOS agreements, printed out the Apple Terms of Service agreement to read it and to see how long it would be. He found several typos, and even in 8-point font it came out to a 30-foot-long document, which he hung off the campus roof.
    - So the real question is: how can you protect yourself from harmful TOS agreements?
        - Website: ToS;DR ("Terms of Service; Didn't Read"), which publishes the same ratings as the extension below
        - Add the Chrome browser extension "Terms of Service; Didn't Read" (also available for other browsers)
            - Rates each service's terms of service in classes (grades A through E)
            - Also lists the most important rated points of the TOS
            - Warns you the first time you visit a website with a bad rating
- The issue with terms of service agreements is that they don't only pertain to websites but also to apps:
    - Apps often have hidden background activity that can be malicious and harmful.
        - Facebook:
            - Project Atlas:
                - A "Facebook Research" app that hid its association with Facebook, calling itself a "Social Media Research App".
                - Targeted people between the ages of 13 and 35 and paid them $20 a month plus referral bonuses.
                - It sidestepped the App Store by using Apple's enterprise certificate program, which lets large companies build apps and distribute them ONLY inside the company. It had to, because the app violated Apple's App Store policy.
                - Users installed a VPN profile that routed their traffic through Facebook, which let Facebook see their web browsing activity, which apps were on their phone and how they used them, and even (via a root certificate users were asked to install) decrypt their encrypted traffic. Facebook went so far as to ask users to screenshot and submit their Amazon order history. Facebook used all this data to track competitors, assess trends, and plan its product roadmap.
                    - Be sure to define what a VPN does, as most users don't know: a VPN sends all of the device's traffic through the VPN operator's servers, so whoever runs the VPN can see every connection the device makes.
                - Abused Apple's system for distributing employee-only apps to sidestep the App Store via the enterprise certificate. Apple was furious and revoked Facebook's certificate, which also broke Facebook's own internal, employee-only iOS apps for about two days.
            - Patents:
                - Detecting faulty pixel positions in the camera sensor, lens scratches, dust on the lens, and other camera artifacts. It looks at the image itself to build a unique "signature" or fingerprint of each camera from its physical characteristics.
                    - Any photo you take could potentially be used to identify you, even if you don't show your face, strip the metadata, and include no identifying objects.
                - Listening to your environment by turning on the microphone to detect what show you're watching and tailor ads based on that.
                - Turning on your front-facing camera to deduce your reactions to what you see in your Facebook feed.
                    - Although Facebook says it doesn't intend to use some of the patents it files, they still paint a clear picture of where the company believes it is headed.
 
- Google:
    - Google is a major culprit of using your data for its own benefit. It's actually terrifying how much information it has on you.
    - Screenwise Meter:
        - Very similar to Facebook's Research app.
        - Has been rebranded under the "Google Opinion Rewards" program.
            - Targets 18 and up (or 13 and up if part of a family group)
            - Rewards users for installing tracking software, and even offers a specialized router with custom software to help Google understand how you use its services and the internet
            - Paid people via gift certificates
            - Originally targeted 13 and up
            - Also abused Apple's system for distributing employee-only apps to sidestep the App Store via the enterprise certificate
            - https://support.google.com/audiencemeasurement/answer/7574391?hl=en
        - However, Google is upfront about its association with the app and doesn't try to conceal its part. It also gives users a "guest mode" option for when they don't want traffic monitored.
    - Location Services:
        - Will show you, down to the date and time, where you traveled and any pictures you took during that trip
        - Google account > Data and personalization > Location History
        - Memorizes past behavior and predicts future behavior, such as your commute to work
        - The same data feeds Google's predictions of future traffic patterns (expected travel times)
    - Voice Recordings:
        - Google states it only records and saves audio when you trigger it with "Hey Google" or another hotword. However, the activity page lists every recording your phone has sent to Google, so check it yourself.
        - Google account > Data and personalization > Web & App Activity > Manage activity > filter by "Voice and audio recordings"
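To see what "memorizes past behavior and predicts future behavior" means in practice, here is an added example (not Google's code and not from this page) that reads a Google Takeout Location History export and, from nothing but timestamps and coordinates, infers where you sleep, where you work, and how far you travel each day. It assumes the export's JSON layout (a `locations` array whose entries carry `latitudeE7`/`longitudeE7` and either `timestampMs` or an ISO `timestamp`); the embedded week of data is constructed, and times are treated as UTC for simplicity.

```python
"""Read a Google Takeout Location History export and show what it reveals.

Added example, not Google's code.  Assumes Takeout's JSON layout: a
"locations" array whose entries carry latitudeE7/longitudeE7 (degrees * 1e7)
and either "timestampMs" (legacy export) or an ISO-8601 "timestamp".
Times are treated as UTC for simplicity.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt


def _build_sample() -> str:
    """Constructed week: nights at 'home', weekdays at 'work', weekends at a park."""
    home, work, park = (41.8781, -87.6298), (41.8827, -87.6233), (41.9200, -87.6300)
    monday = datetime(2020, 3, 9, tzinfo=timezone.utc)
    locs = []
    for day in range(7):
        for hour in range(0, 24, 2):
            ts = monday + timedelta(days=day, hours=hour)
            if hour < 7 or hour >= 19:
                lat, lon = home
            elif ts.weekday() < 5:
                lat, lon = work
            else:
                lat, lon = park
            locs.append({"timestampMs": str(int(ts.timestamp() * 1000)),
                         "latitudeE7": int(round(lat * 1e7)),
                         "longitudeE7": int(round(lon * 1e7)), "accuracy": 20})
    return json.dumps({"locations": locs})


SAMPLE_TAKEOUT = _build_sample()


def parse_takeout(raw: str) -> list:
    """Return a time-sorted list of (datetime, lat, lon)."""
    points = []
    for rec in json.loads(raw).get("locations", []):
        if "timestampMs" in rec:
            ts = datetime.fromtimestamp(int(rec["timestampMs"]) / 1000, tz=timezone.utc)
        else:
            ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        points.append((ts, rec["latitudeE7"] / 1e7, rec["longitudeE7"] / 1e7))
    points.sort()
    return points


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def daily_distance(points) -> dict:
    """Kilometres moved per calendar date (each hop is credited to the later point's date)."""
    out = defaultdict(float)
    for (t0, la0, lo0), (t1, la1, lo1) in zip(points, points[1:]):
        out[t1.date()] += haversine_km(la0, lo0, la1, lo1)
    return dict(out)


def _cell(lat, lon):
    """Snap to a ~100 m grid so repeated visits to one place count together."""
    return (round(lat, 3), round(lon, 3))


def infer_home_and_work(points):
    """Home = where the phone usually is at night; work = usual weekday daytime place."""
    night, weekday_day = Counter(), Counter()
    for ts, lat, lon in points:
        if ts.hour < 6:
            night[_cell(lat, lon)] += 1
        elif 10 <= ts.hour < 16 and ts.weekday() < 5:
            weekday_day[_cell(lat, lon)] += 1
    home = night.most_common(1)[0][0] if night else None
    work = weekday_day.most_common(1)[0][0] if weekday_day else None
    return home, work


def places_by_day(points) -> dict:
    """Distinct places visited on each date, in order: the 'timeline' view."""
    out = defaultdict(list)
    for ts, lat, lon in points:
        cell = _cell(lat, lon)
        if not out[ts.date()] or out[ts.date()][-1] != cell:
            out[ts.date()].append(cell)
    return dict(out)


if __name__ == "__main__":
    pts = parse_takeout(SAMPLE_TAKEOUT)
    print("home, work:", infer_home_and_work(pts))
    for day, km in sorted(daily_distance(pts).items()):
        print(day, day.strftime("%a"), f"{km:5.1f} km", places_by_day(pts)[day])
```

Point it at your own `Location History.json` (or `Records.json`) from Takeout and the same three functions answer, for any date, where you were and when. That is exactly what the account page exposes, and what an attacker with your Google credentials would get too.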
    
- Even if you somehow manage to avoid Google altogether, apps will send their data to Google Analytics. One example:
    - My Calendar - Period Tracker: sends Google granular info such as mood and intercourse entries (as specific as whether it was protected or unprotected)
    - https://www.imore.com/these-apps-are-stealing-your-most-private-data-and-it-should-be-crime
- Some apps pass information to a third party for analysis. An example:
    - Dot Fertility Tracker: sends Flurry Analytics information about which contraceptive methods are used, whether the user was recently pregnant, and other details, even if the age is set to under 18.
    - There are several companies out there designed to process huge amounts of data (big data), which we'll actually discuss further in another episode.
    - https://www.imore.com/these-apps-are-stealing-your-most-private-data-and-it-should-be-crime
    
- Easy-to-develop apps littered with malicious content:
    - 3rd-party weather apps:
        - One of the easiest kinds of app to develop, often just pulling data from one of a few weather sites.
        - An easy excuse to access your location and sell that data to third parties.
        - AccuWeather was caught in 2017 sending user location data to a third-party location-data firm even when users had location services turned off (it used the Wi-Fi router's identifiers instead).
    - Other examples:
        - Flashlights
        - Cameras/scanners
        - Wallpaper apps
        - More than half of fraudulent apps are games or utilities
- Be wary: almost every app you download will ask to be granted permissions it doesn't need and shouldn't have.
    
- One of the largest culprits of requiring far too many permissions and deliberately masking its collection activities is TikTok.
    - A user reverse engineered the TikTok app by running a man-in-the-middle attack on its traffic and discovered several scary things:
    - "TikTok is a data collection service that is thinly-veiled as a social network"
    - This app collects more data than Facebook (and Facebook combines data from several different apps to build one large profile on you; we'll actually talk more about this in a later episode as well)
        - Collects:
            - Phone hardware (CPU type and count, hardware IDs, screen dimensions, memory usage, disk space, etc.)
            - Other apps installed (including deleted ones)
            - Everything network related (public IP, local IP, router MAC, your MAC, Wi-Fi access point name)
            - GPS pings
            - Clipboard data
        - Sets up a local proxy server on your device for "transcoding media", but with zero authentication
        - Android: downloads a remote zip, unzips it, and executes the contents as a binary
        - Logging is all remotely configurable and heavily obfuscated, with protections in place to prevent you from reversing or debugging it
        - Can't use the app if you block communication to its analytics host at the DNS level
        - Leaked users' email address, secondary email for password reset, name and birthday in its HTTP REST API
    - TikTok capturing data from your clipboard
    - India has already banned TikTok. The US and Australia are currently debating whether to follow suit.
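The findings about My Calendar, Dot Fertility Tracker and TikTok above all came from watching what an app sends over the wire. Here is an added example (my own, not the researcher's tooling and not from the page) of the triage step that follows a man-in-the-middle capture: given request and response bodies exported from an intercepting proxy such as mitmproxy, it decodes JSON and form bodies, classifies every field by name and by value shape (device IDs, MAC addresses, e-mail addresses, location, clipboard contents, installed apps, analytics events), and marks known third-party analytics hosts. The capture entries, hosts and values are constructed; the analytics domains listed are real, and `t`/`ec`/`ea`/`el` are the real Google Analytics Measurement Protocol parameter names.

```python
"""Triage a proxy capture for sensitive data and tracker traffic.

Added example; not the researcher's tooling or anything from the page.  Input
is a list of request/response entries as exported from an intercepting proxy
(e.g. mitmproxy) after installing its CA on a test device.  Bodies are decoded
(JSON or form-encoded), every leaf field is classified, and known third-party
analytics hosts are marked.  The capture below is constructed.
"""
import json
import re
from urllib.parse import parse_qs, urlparse

# Real third-party analytics/ad domains (suffix match).
TRACKER_SUFFIXES = ("google-analytics.com", "app-measurement.com", "flurry.com", "doubleclick.net")

# What a field with this name usually carries.  t/ec/ea/el are real Google
# Analytics Measurement Protocol parameters; the other names are common choices.
KEY_HINTS = {
    "imei": "device_id", "android_id": "device_id", "idfa": "device_id", "gaid": "device_id",
    "mac": "network", "router_mac": "network", "bssid": "network", "ssid": "network",
    "lat": "location", "lon": "location", "lng": "location", "latitude": "location", "longitude": "location",
    "clipboard": "clipboard", "installed_apps": "installed_apps",
    "email": "email", "backup_email": "email", "birthday": "personal", "name": "personal",
    "t": "analytics_event", "ec": "analytics_event", "ea": "analytics_event", "el": "analytics_event",
}
# Value shapes that give an identifier away even under a meaningless key.
VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "network": re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$"),  # MAC address
    "device_id": re.compile(r"^\d{15}$"),                             # IMEI-shaped
}

# Constructed capture: an analytics batch, a GA hit, a profile API call, a CDN fetch.
SAMPLE_CAPTURE = [
    {"method": "POST", "url": "https://log.analytics.example/v1/batch",
     "request_body": json.dumps({
         "device": {"imei": "490154203237518", "android_id": "9774d56d682e549c",
                    "mac": "02:00:00:11:22:33", "router_mac": "a4:2b:8c:00:11:22", "ssid": "HomeWiFi"},
         "location": {"lat": 41.8781, "lon": -87.6298},
         "clipboard": "my bank password is hunter2",
         "installed_apps": ["com.bank.app", "com.dating.app"]}),
     "response_body": "{}"},
    {"method": "POST", "url": "https://www.google-analytics.com/collect",
     "request_body": "v=1&t=event&ec=period&ea=intercourse&el=unprotected&cd1=mood%3Dsad&cid=555",
     "response_body": ""},
    {"method": "GET", "url": "https://api.social.example/v1/user/12345/profile", "request_body": "",
     "response_body": json.dumps({"nickname": "alice", "email": "alice@example.com",
                                  "backup_email": "alice2@example.com", "birthday": "1999-04-05"})},
    {"method": "GET", "url": "https://cdn.social.example/video/abc.mp4", "request_body": "", "response_body": ""},
]


def flatten(obj, prefix=""):
    """Yield (path, leaf_value) for nested JSON-like data."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, f"{prefix}.{k}" if prefix else str(k))
    elif isinstance(obj, list):
        for v in obj:
            yield from flatten(v, prefix + "[]")
    else:
        yield prefix, obj


def decode_body(body: str):
    """JSON first, then form-encoding; anything else is treated as opaque."""
    if not body:
        return {}
    try:
        return json.loads(body)
    except ValueError:
        if "=" in body and " " not in body:
            return {k: v[0] if len(v) == 1 else v for k, v in parse_qs(body).items()}
        return {}


def classify(path: str, value) -> str:
    """Category of one field: by its name first, then by the shape of its value."""
    key = path.split(".")[-1].replace("[]", "")
    if key in KEY_HINTS:
        return KEY_HINTS[key]
    if isinstance(value, str):
        for cat, pat in VALUE_PATTERNS.items():
            if pat.match(value):
                return cat
    return ""


def is_tracker(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in TRACKER_SUFFIXES)


def triage(capture) -> list:
    """One finding per request/response that carries sensitive data or talks to a tracker."""
    findings = []
    for entry in capture:
        host = urlparse(entry["url"]).hostname or ""
        for direction in ("request", "response"):
            cats = {classify(p, v) for p, v in flatten(decode_body(entry.get(direction + "_body", "")))}
            cats.discard("")
            if cats or (direction == "request" and is_tracker(host)):
                findings.append({"host": host, "direction": direction,
                                 "tracker": is_tracker(host), "categories": cats})
    return findings


def report(capture) -> str:
    lines = []
    for f in triage(capture):
        tag = "TRACKER " if f["tracker"] else ""
        lines.append(f"{tag}{f['host']} ({f['direction']}): {', '.join(sorted(f['categories'])) or 'analytics hit'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CAPTURE))
```

A response finding (the profile endpoint returning e-mail addresses and a birthday) is the kind of API leak described in the last TikTok bullet; a request finding with `clipboard` or `installed_apps` is the kind of collection described in the earlier ones. Hosts that appear only with `tracker` set are candidates for a DNS-level block, which is also how you find out whether the app refuses to run without them.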
    
- How do these apps work?
    - It all lies in the trackers/cookies and permissions. But how?
    - Trackers are embedded to find out as much information about you as possible. This data can be sold to third parties or used for the developer's own gain.
    - Permissions are granted at install or first use. On current iOS and on Android 6.0 and later, the system prompts you separately for each dangerous permission (contacts, SMS, location, microphone, etc.); on older Android versions you accepted the whole list at install time with one tap.
    - While you're being shown a full-page advertisement, background activity occurs, such as playing hidden videos behind the ad that paid to be seen. These drain the battery.
    - Receiving ads every time you hang up a call or lock your screen? Some apps start a hidden timer at installation, regardless of their function. They work normally until the timer runs out, then remove their icon, run continuously in the background, and deliver incessant pop-ups.
    - Continually opening web pages and clicking links without any user interaction.
    - Can install spyware and SMS trojans that sign you up for premium text services. They get past the stores' static analysis (the review that gets an app approved for the App Store or Play Store) because the malicious payload isn't hard-coded into the submitted app; it's fetched after installation.
- Ways to protect yourself:
    - Almost every app and browser extension you download will ask to be granted permissions it doesn't need and shouldn't have.
    - Do your research! Look the app up on Exodus Privacy: https://exodus-privacy.eu.org/en/
        - It checks Android apps, but if the same app is also built for iPhone it more than likely embeds the same trackers and asks for similar permissions.
    - Use the website rather than the app.
    - Download an ad blocker (such as AdGuard): it blocks ads inside apps and on the web, along with personal tracking, which helps secure your personal data, and it shows you where your data is being "leaked" to.
    - Access Dots: an Android app that shows colored dots in the corner of the screen whenever an app or website is using your camera or microphone. The same indicator is built into iOS 14.
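An added example (not Exodus Privacy's code and not from the page) of the kind of check Exodus performs and that the "how do these apps work" list describes: given an app's decoded AndroidManifest.xml (for instance from `apktool d app.apk`) and the class names found in its DEX files, it lists the dangerous permissions requested, compares them with what the app's stated purpose plausibly needs, matches tracker SDKs by class-name prefix, and flags the permission combinations behind premium-SMS trojans and background pop-up adware. The permission names, the manifest namespace and the tracker package prefixes are real; the "expected per app type" table is an illustrative heuristic, and the sample manifest and class list are constructed.

```python
"""Static audit of an Android app: permissions, tracker SDKs and abuse patterns.

Added example; not Exodus Privacy's code or anything from the page.  Input is
the app's decoded AndroidManifest.xml (e.g. from `apktool d app.apk`) and the
class names found in its DEX files.  The sample manifest and class list are
constructed; the EXPECTED table is an illustrative heuristic.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"  # real manifest namespace

# Subset of Android's dangerous (runtime-prompted) permissions, real names.
DANGEROUS = {
    "android.permission.READ_CONTACTS", "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.READ_PHONE_STATE", "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE", "android.permission.READ_EXTERNAL_STORAGE",
}
# What an app of each kind plausibly needs (heuristic, not an Android rule).
EXPECTED = {
    "flashlight": {"android.permission.CAMERA"},  # the flash LED is a camera feature
    "weather": {"android.permission.INTERNET", "android.permission.ACCESS_COARSE_LOCATION"},
    "wallpaper": {"android.permission.INTERNET", "android.permission.SET_WALLPAPER"},
}
# Tracker SDK class-name prefixes (real packages), matched Exodus-style.
TRACKER_SIGNATURES = {
    "Google Analytics": "com.google.android.gms.analytics",
    "Firebase Analytics": "com.google.firebase.analytics",
    "Google AdMob": "com.google.android.gms.ads",
    "Flurry": "com.flurry.android",
    "Facebook App Events": "com.facebook.appevents",
}
# Permission combinations behind the abuse patterns described above.
PATTERNS = [
    ({"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"},
     "premium-SMS trojan pattern: can sign you up and intercept the confirmation texts"),
    ({"android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.SYSTEM_ALERT_WINDOW"},
     "pop-up adware pattern: auto-starts at boot and draws over other apps"),
]

# Constructed: a 'flashlight' app asking for far more than a flashlight needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.brightflash">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Bright Flash">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""
SAMPLE_CLASSES = [
    "com.example.brightflash.MainActivity", "com.example.brightflash.BootReceiver",
    "com.flurry.android.FlurryAgent", "com.google.android.gms.ads.AdView",
    "com.google.android.gms.ads.InterstitialAd",
]


def parse_manifest(xml_text: str) -> dict:
    """Package name, requested permissions, and whether a launcher icon is declared."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    has_launcher = any(c.get(ANDROID_NS + "name") == "android.intent.category.LAUNCHER"
                       for c in root.iter("category"))
    return {"package": root.get("package"), "permissions": perms, "has_launcher": has_launcher}


def find_trackers(class_names) -> set:
    """Tracker SDKs present, by class-name prefix."""
    return {name for cls in class_names for name, prefix in TRACKER_SIGNATURES.items()
            if cls.startswith(prefix + ".")}


def audit(xml_text: str, class_names, app_type: str) -> dict:
    m = parse_manifest(xml_text)
    perms = m["permissions"]
    expected = EXPECTED.get(app_type, set())
    result = {
        "package": m["package"],
        "dangerous": sorted(perms & DANGEROUS),
        "unexpected": sorted(p for p in perms & DANGEROUS if p not in expected),
        "patterns": [why for combo, why in PATTERNS if combo <= perms],
        "trackers": sorted(find_trackers(class_names)),
    }
    if not m["has_launcher"]:
        result["patterns"].append("no launcher icon: app is meant to stay hidden")
    result["verdict"] = ("do not install" if result["patterns"] or (result["unexpected"] and result["trackers"])
                         else "review")
    return result


if __name__ == "__main__":
    r = audit(SAMPLE_MANIFEST, SAMPLE_CLASSES, "flashlight")
    for k, v in r.items():
        print(f"{k}: {v}")
```

Two limits worth knowing: a manifest only shows what an app *may* ask for, so pair this with a runtime look at the device's permission settings; and code fetched after installation (the zip-and-execute trick) never appears in the DEX you scan, which is exactly why the stores' static review misses it.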
    
- Key Takeaways:
    - Remember: if an app is free, there is a reason for it. Free is never free. Apps need to generate revenue.
    - Bounty hunters use analytics and location-data companies to locate people.
        - Real-time location tracking
        - ISPs/carriers selling your data vs. app developers selling your data
        - As little as $4.95 per phone lookup