Archive for January 11, 2019

Friday, January 11, 2019

Strangers Watching Ring Security Cameras

Sam Biddle:

But for some who’ve welcomed in Amazon’s Ring security cameras, there have been more than just algorithms watching through the lens, according to sources alarmed by Ring’s dismal privacy practices.

[…]

Despite its mission to keep people and their property secure, the company’s treatment of customer video feeds has been anything but, people familiar with the company’s practices told The Intercept. Beginning in 2016, according to one source, Ring provided its Ukraine-based research and development team virtually unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world. This would amount to an enormous list of highly sensitive files that could be easily browsed and viewed. Downloading and sharing these customer video files would have required little more than a click.

[…]

At the same time, the source said, Ring unnecessarily provided executives and engineers in the U.S. with highly privileged access to the company’s technical support video portal, allowing unfiltered, round-the-clock live feeds from some customer cameras, regardless of whether they needed access to this extremely sensitive data to do their jobs.

See also: Nick Heer, MacRumors.

Previously: Nest Cam Waking in the Night.

Hacking With Private APIs on iPad

Guilherme Rambo:

The best development environment to work with private APIs is still Xcode on the Mac, but there’s a lot that can be done on iOS, especially the iPad. Of the three options shown in this article, it is hard to name a favorite because each one has advantages and disadvantages, but the one I’ve been using the most, especially because of its flexibility and integration with Shortcuts, is JSBox.

iOS Games Found Talking to Golduck Malware C&C Servers

Sergiu Gatlan:

Even though Apple has always been especially proud of its App Store app review process, it seems that some apps which are not exactly malicious but do exhibit risky behavior escape its review team’s scrutiny occasionally.

This is the case of over a dozen iOS applications found in Apple’s App Store which were observed while transferring data to command-and-control servers known to have been used by the Android Golduck Loader.

Jennifer Valentino-DeVries and Natasha Singer:

The Weather Channel app deceptively collected, shared and profited from the location information of millions of American consumers, the city attorney of Los Angeles said in a lawsuit filed on Thursday.

[…]

The government said the Weather Company, the business behind the app, unfairly manipulated users into turning on location tracking by implying that the information would be used only to localize weather reports. Yet the company, which is owned by IBM, also used the data for unrelated commercial purposes, like targeted marketing and analysis for hedge funds, according to the lawsuit.

Via Andrew Pontious:

It should also get them kicked out of the App Store, if Apple is committed to evenhandedness and fairness.

Previously: How to Game the App Store.

App Discovery, Downloading, and Purchasing

Ben Bajarin:

In collaboration with a few indie app developers, we ran a study looking to see how consumers discover, decide on which app to download, and some underlying economics around the app ecosystem. This study had respondents from the US and key parts of Europe. In total, 908 consumers participated in this study.

Reviews and price are very important. Most customers did not feel tricked into paying for IAPs or subscriptions. More than 40% of iOS customers had only three or fewer paid apps.