iOS apps should be inside a network sandbox
Background
With my recent publications, most importantly "Trusting SDKs", it became clear that hijacked or malicious iOS apps cause major security and privacy risks for users, and allow attackers to reach a high number of users through a single point of failure.
Most of the time, the consequences of those attacks are about data:
- Usernames and passwords
- Location data
- Facial data
- Advertising data
- Address book entries
- Payment information (e.g. credit cards)
- Other personal information
Notice how sandboxes in software are designed to keep data inside that box (in the form of a filesystem), but for some reason they stop when it comes to network requests.
If an attacker manages to hijack an iOS app, the first thing they would do is send the collected data to some server in their control.
Idea
Initially just tweeting my shower thoughts and reaching 300 likes & 50 RTs, this idea grew more and more:
Apple should require every iOS app to define a list of web hosts that should be accessible, all other web requests will fail:
- If an app gets compromised no data can leak
- It forces the use of SFSafariViewController
- Users should be able to see the host list
— Felix Krause (@KrauseFx) February 10, 2018
App Transport Security
At WWDC 2016 Apple announced ATS, an iOS 9 feature to enforce the use of HTTPs across all iOS apps. It was said to be made mandatory by end of 2016, however the deadline was moved to an undefined date. The idea makes perfect sense: All the infrastructure and tools around HTTPs encryption people already have with their web browsers to verify the security on websites, don't work on the iOS platform. If you use your banking or dating app, how can you as a user be sure the company didn't mess things up? It's not like it happened before.
Web vs iOS
On the web, browsers started marking HTTP websites as "Not Secure", HSTS is built into browsers to force HTTPs for certain hosts, people use HTTPSEverywhere to enforce HTTPs connection across more hosts and people use uBlock to block certain tracking and ad widgets that slow down websites.
On iOS, you install and use an app, and hope that the app developer uses proper encryption, securely stores your personal information, and doesn't use any sketchy SDKs that you wouldn't trust yourself. If you don't agree with something (e.g. an Analytics SDK), there is nothing you can do about it.
Proposal
Step 1:
Finish the ATS plans. It's been 2 years now, enough time for app developers to update their apps. Allow developers to file for an exception, and mark them accordingly on the App Store page with a badge of shame (similar to how Chrome marks all non HTTPs websites nowadays).
Step 2:
Introduce the concept of network sandboxes. Each app should define a list of hostnames they are allowed to access.
Imagine a ride-sharing app having access to
- my-ride-sharing-app.com
- stripe.com
- google-analytics.com
- maps.google.com
This list serves multiple purposes:
- The app can only access those hosts. Meaning if an SDK is malicious or your app got hijacked in some way, they can't access the scary internet and leak the user's data.
- The app review team will see a list as they approve the app. At the same time, they can see a diff of the hosts between app releases
- The user should have a way to see that list as part of the App Store page
- In the future we could even put the user in control by distinguishing between primary hosts (e.g. twitter.com) that are needed to have the app running, and secondary hosts (e.g. random-analytics-service.com). This however would come with many implications when it comes to revenue models of the majority of mobile apps.
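As an added illustration (not code from the original post, and not an Apple API), here is an app-side approximation of such a host list in Swift: a `URLProtocol` subclass that fails any request whose host is not declared, plus the per-release host diff mentioned above. `NetworkSandbox`, `SandboxURLProtocol` and `makeSandboxedSession` are hypothetical names; treating an entry as covering its subdomains and requiring HTTPS are assumptions.

```swift
import Foundation

// Added example: hypothetical names; hosts are the ones from the list above.
enum NetworkSandbox {
    static let allowedHosts: Set<String> = [
        "my-ride-sharing-app.com", "stripe.com",
        "google-analytics.com", "maps.google.com",
    ]

    /// Assumption: an entry also covers its subdomains (api.stripe.com matches
    /// stripe.com) and only HTTPS is allowed, in line with ATS.
    static func isAllowed(_ url: URL, hosts: Set<String> = allowedHosts) -> Bool {
        guard url.scheme?.lowercased() == "https",
              let host = url.host?.lowercased() else { return false }
        // The leading dot keeps "notstripe.com" from matching "stripe.com".
        return hosts.contains { host == $0 || host.hasSuffix("." + $0) }
    }

    /// The host diff between two releases that review (or the user) would see.
    static func diff(previous: Set<String>, current: Set<String>)
        -> (added: [String], removed: [String]) {
        return (added: current.subtracting(previous).sorted(),
                removed: previous.subtracting(current).sorted())
    }
}

final class SandboxURLProtocol: URLProtocol {
    // Claim only requests that violate the list; allowed requests fall
    // through to the system's normal loaders.
    override class func canInit(with request: URLRequest) -> Bool {
        guard let url = request.url else { return true }
        return !NetworkSandbox.isAllowed(url)
    }

    override class func canonicalRequest(for request: URLRequest) -> URLRequest {
        return request
    }

    // Fail the request before any bytes leave the device.
    override func startLoading() {
        let host = request.url?.host ?? "<no host>"
        let error = NSError(domain: "NetworkSandbox", code: 1, userInfo: [
            NSLocalizedDescriptionKey: "Host not in the app's declared list: \(host)",
        ])
        client?.urlProtocol(self, didFailWithError: error)
    }

    override func stopLoading() {}
}

/// A URLSession whose requests are checked against the declared host list.
func makeSandboxedSession() -> URLSession {
    let config = URLSessionConfiguration.default
    var classes: [AnyClass] = [SandboxURLProtocol.self]
    classes.append(contentsOf: config.protocolClasses ?? [])
    config.protocolClasses = classes
    return URLSession(configuration: config)
}
```

This only covers requests made through the session returned by `makeSandboxedSession()`; an SDK that creates its own session, opens raw sockets or loads a web view is not affected, which is why the enforcement proposed here has to live in the OS rather than in the app.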
As always, exceptions should be possible, third party browsers should exist, and some apps might have to support so many hosts that they can't follow those rules. And that's okay, those apps will be marked as "Can access any host" as a little warning in the App Store.
While the above doesn't solve all the problems, it is a good first step into the right direction. We'll run into problems, and we'll solve them. It's a necessary change for the mobile ecosystem, catching up with where we're already at with web browsers nowadays.
Tags: privacy, security
Going nomad
I got rid of all my stuff and live off only a suitcase - staying in Airbnbs to explore different areas excited to live nomad life pic.twitter.com/nWGf7AFKiZ
— Felix Krause (@KrauseFx) November 9, 2017
Update: Check out the One Year Nomad post from 2018
Background
I moved to San Francisco summer 2015 to join Twitter. I lived in a furnished apartment for my first year, which I really enjoyed, as I didn't have to buy all the essentials myself after moving across the globe into a new country.
After my 1 year lease, I decided to do what "grown-ups" are supposed to do: get their own apartment, buy furniture, decorate the place, and make it your home. After living in my little studio for about 1.5 years, I noticed a few things:
- In 2017 I only spent about 200 nights in my apartment, causing me to still pay about 5 months worth of San Francisco rent without actually living there (the average monthly lease for a studio apartment is about $3,000 + utilities, resulting in about $15,000 of my after tax money being lost)
- While I enjoy having my own space, I never invested enough time and effort into making it nice: Until the day I moved out after 18 months, I still didn't have enough closets for all my things and I had my clothes piled up in some corner
- I didn't like being bound to one location in the city. In particular, in the common case of getting acquired by another company (#justSFthings), your commute changes, and you can't just move around
- I didn't like the fact that I was always surrounded by the same places and things became routine. Same subway station, same spots you walk by every day, same views, same commute, etc. After a month it gets boring and I need a change.
The idea
Ever since I first started reading @levelsio's blog in 2014, about living out of just a backpack, and traveling across the world, while working on his own startups, I was fascinated by the idea. However I always assumed it doesn't work if you have a full-time job at a large company like Twitter or Google.
2014 was also the time I met @orta, who told me about his first year in New York City, where he lived in a different neighborhood in a random Airbnb each month. This allowed him to see what NYC has to offer, and what area he liked the most. I loved the idea, and kind of knew I want to do this at some point in life.
Only in October 2017 I realized that combining those two things might actually just work.
Making the move
After living in San Francisco for 2.5 years, I wanted a change. With my lease ending in October, I decided to reduce my life to just
- 1 suitcase
- 1 carry-on luggage
- 1 backpack
and lived in an Airbnb in San Francisco until the winter holidays, for which I went back home to Austria. I got really lucky with my SF Airbnb, as I got it from Zeus Living, a company that rents out apartments for people like me: rent a place per month, all utilities included, and enough space with a desk to get work done.
For the last 6 months I've lived the nomad life, with just the things listed above. So far I've stayed in 6 different neighborhoods in NYC, 2 areas in SF and spent time with my family in Austria for New Year's. While I plan flights ahead of time due to costs, I don't book places longer than a month ahead, something that took some time getting used to.
Spending time in a single city
While being in a different city each month might sound like a dream to many people, I learned it comes with many downsides:
- It's hard to build up a social circle of close friends
- It's hard to really get to know a city, and make use of all the things it has to offer
- It's hard to learn more about the culture
- Cities change with seasons, a summer is usually quite different than a winter
- It's stressful changing cities too often
Last year I spoke at conferences in 9 cities. I knew I wanted to fly less in 2018.
In January 2018, we started the new fastlane.ci project, which requires us to work closer with other Google teams, that are partially based in New York. I used that opportunity to "move" to NYC. So while I move to a different Airbnb every week, I do so within the same city. I grew up in a village with a population of less than 2,000, with not a single traffic light. Living in New York has been an amazing experience, with almost as many people living here, as in the whole country of Austria.
For now, this seems like the perfect balance for me personally: Not getting bored by day to day routine (e.g. same commute) by moving to a new Airbnb every week, but also being able to hang out with the same friends, and get to know the whole city. Long term, I'll switch to a monthly cycle for even less overhead.
Frequently asked questions
How do you handle physical mail?
Online orders: I'm lucky that I can use the Google office to order from Amazon, and pick them up at the end of the work day. It's offered in most major cities, and even allows me to order something for a specific location. For example: When I flew to Amsterdam I ordered an umbrella to the office, ready for me to pick up.
Letters: I use the VirtualPostMail service. They scan your letters, and send them to you via email. If you need the original, you can tell them to forward them to your current address (or office in my case).
Money
My first thought was: Staying in Airbnbs must be more expensive than having my own place! For multiple reasons:
- Short term leases have to charge more to account for the vacant nights
- Airbnbs are furnished, and include some basic services and utilities
- Airbnb charges a pretty hefty fee for each booking
Circling back to the number of days I'm not at home for about 5 months each year, I realized that I don't pay my (SF/NYC) rent when:
- I speak at a conference, and the organizers cover the hotel costs
- I go on vacation
- I go back home
- I crash on a friend's couch / extra bed
- Google plans a team-offsite in a different location and covers the accommodation
- I take a red eye flight (a flight that leaves at about midnight, and lands in the morning)
Every night I don't need to pay for my own place, I save about $100 after-tax money (NYC/SF)
Do you keep any physical memories?
You can either ask your parents nicely to keep your things, or you can rent storage somewhere to keep it. I decided to bring my things back home to Austria, by just having an extra bag with me the first time I flew back.
How did you get rid of so much stuff?
I don't care about physical things. If I were to lose all my devices, or all my clothes today, I'd buy new ones (probably the same ones). So getting rid of things was rather easy, and I personally never understood why it's difficult, unless there are certain memories attached.
All I did was: Do I really need this? If the answer wasn't an immediate yes, it's a no. If I wanted to keep the "memory", I made sure to take a picture before giving it away.
I created a spreadsheet with all the things I give away, and shared it with my friends on Facebook, from furniture, to kitchen stuff, to light bulbs, and I got "rid" of everything, as 2 of my friends just moved to a new place, and needed almost everything. The remaining things I donated or threw away if it wasn't usable any more.
I went from
It is tricky though to buy new stuff, since I need to get rid of something else, for every single new item I buy. While my suitcases still have some space left, the weight limit of 22kg of most airlines is what I have to be careful about.
How do you keep things organized?
Those travel cubes have been pretty useful, I got a lot of them, for shirts, socks, underwear, electronics, etc. and can recommend them to anyone traveling.
Did you buy any travel gear for this?
Yes, there are some really cool things out there, that made my life easier:
- Portable Bose SoundLink Revolve+
- Roost Stand (MacBook stand for ergonomic working wherever you are in combination with Bluetooth keyboard + trackpad)
- Travel cubes to keep things organized
- Travel scale (I'm into fitness, and started tracking my weight every morning)
Is that "Minimalism Life"?
I've read a bit about this topic, including a great blog post of my friend about owning 200 things. I love the concept of owning just the things you really need, and forget the rest.
I also watched the "Minimalism" documentary on Netflix, which covers some of the concepts. Personally I don't want to count things, or reduce life in areas I don't want to. For example, I still carry around a rather high number of shoes with me, just because I like having the right shoes for the right occasion.
I'd argue the goal is to live a normal day-to-day life, when going to work or hanging out with friends, while still being very flexible.
Security concerns
That's something I've been thinking more about recently: Breaking into an Airbnb is probably super easy, just stay in a place, copy the key and then steal from the next person, with the next person probably blaming the host or cleaning staff. Unfortunately it's not common for Airbnbs to have a safe.
- I generally don't own anything of real value, besides my MacBook
- I don't leave anything valuable in my Airbnb but put them in the Google office instead
- All of my documents are stored online
- Hourly backups on different continents, using hard drives and custom cloud backup solutions, all end to end encrypted, on a total of 5 different locations
- Even if I were to lose 100% of my things including all my devices, I have a clear recovery path where I can recover my complete online identity, documents and everything else within less than 24 hours. For security reasons I can't share more about this specific topic, but I can recommend everyone to draw a map of dependencies between the services/software/hardware you use, and how you can recover them step by step.
What else is nice about not having a fixed lease?
- If you stay at a place for just a week, you'll never have to clean the apartment
- You learn how other people live day to day, e.g. how they set up their rooms and get a good idea of what you enjoy
- You learn more about yourself, like what things are important to you when it comes to having a living space
- When you own a home, you have to deal with maintenance, repairs and other things quite often. When renting an apartment building, at least some things are being taken care of by the owners. If you stay in Airbnb, there is literally nothing you have to worry about, if something doesn't work, you notify the host and that's it.
I wrote this post in Taipei, Taiwan, where I work remotely from the Taipei Google office for 2 weeks before heading to San Francisco.
Being able to escape the cold winter feels amazing
Update: Check out the One Year Nomad post from 2018
Tags: digital, nomad
How I use Twitter
Background
For most people, using the official Twitter client works fine. It's optimized to show you new content you might be interested in, makes it easy to follow new users, and shows content that might be most relevant to you first. If you have an engineering mindset, chances are you want to be in control of what you see in your timeline.
I use Twitter to stay up to date with certain people. I want to hear about new projects or new content they published, new blog posts, thoughts of them, etc. I'm not interested in hearing political opinions, sport scores, etc, which I already have Facebook for. If I follow someone, I'll read every single tweet from them. For the last 5 years, I didn't miss a tweet in my timeline, so I have to be very careful about who to follow, and what content to see. So I set out to customize Twitter to achieve that goal, and to only see about 50-75 tweets per day.
Solution
I've been using Tweetbot for the last few years, the technique described below might work with other third party Twitter clients also.
Muted Keywords
Very basic list of words, that as soon as a tweet contains one of them, it will be hidden, examples include:
- headphone jack
- drake
- podcast
- president
Muted users
I stopped using this feature, now that I use secret lists to follow people (see below), and disabled RTs. Muting users for a given time period or forever is useful for a few situations:
- Some users in your timeline might promote a product, so you can mute that product
- If a user is at a conference/event you're not interested in, you can mute them for a few days
Muted Regexes
A very powerful feature of Tweetbot is to define a regex to hide tweets. I use it to hide annoying jokes like
remember \w+
german word for \w+
\w+ is the new \w+
or to hide tweets from people that think we're interested in their airplane delays or #sports
(virgin|Virgin|@United|delta|Delta|JetBlue|jetblue)
- twitter.com/i/moments
- For every #sports #event there are also custom-made mute filters (truncated):
(?#World Cup)(?i)((?# Terms)(Brazil\s*2014|FIFA|World\s*Cup|Soccer|F(oo|u)tbal)|(?# Chants)(go a l |[^\w](ole\s*){2,})|(?# Teams)(#(B....
Hide all mentions
This very much changed my whole timeline (for the better). Turns out, I follow people for their announcements, what they work on, what they're doing, what they're thinking about, etc. I actually don't want to see 2 people communicating publicly using @ mentions, unless it's a topic I'm interested in. So I started hiding all tweets that start with an @ symbol using a simple Tweetbot regex
^@
If I want to see responses to a tweet, Iād swipe to the left side, and see all replies.
Muted Clients
Muting certain clients has been amazing, very easy to set up and cleans up your timeline a lot. Some of the clients I mute:
- Buffer (to avoid "content marketing", so many companies make the mistake of tweeting the same posts every week or so using Buffer)
- IFTTT (lots of people use that to auto-post non-original content)
- Spotify
- Foursquare (I follow friends on Swarm already, no need to see it twice)
Secret Lists
One issue I had was to balance the number of tweets in my timeline, and then also being polite and following friends. To avoid the whole "Why are you not following me?" conversation, I now use a private list to follow about 300 people only. I open sourced the script I used to migrate all the people I used to follow over to a private list.
Disable RTs
This has been a great change: As described above, I follow people for what they do, what they think of, and what they're working on. Some people have the habit of RTing content that might be interesting, but not relevant to why I want to stay subscribed to their tweets. On Tweetbot, you can.
Muting hashtags
I thank everyone for using hashtags for certain events, making it easy to hide them from my timeline :)
Disadvantages of this approach
Some of the newer Twitter features don't have an API, and therefore can't be offered by Tweetbot. This includes Polls, Moments and Group DMs. Since I don't want to miss group DMs, I set up email notifications for Twitter DMs, and set up a Gmail filter to auto-archive emails that are not from group DMs.
Summary
I've spent quite some time optimizing that workflow, and it's very specific, and probably not useful for most people. I try to minimize my time on social media, I only browse my Twitter feed when I have a few minutes to kill on the go. Meaning I work through my timeline only on my iPhone, and reply to mentions and DMs only on my Mac. I don't want to come across uninterested, I do follow people on Facebook, I do read news and stay up to date. Twitter is a place for very specific content for me, and I want to keep using it as that.
Tags: twitter
iOS Privacy: Track website activities, steal user data & credentials and add your own ads to any website in your iOS app
Background
Most iOS apps need to show external web content at some point. Apple provided multiple ways for a developer to do so, the official ones are:
Launch a URL in Safari
This will use the app switcher to move your own app into the background. This way, the user has their own browser (Safari), with their session and content blocker, browser plugins (e.g. 1Password), etc. As launching Safari puts your app into the background, many app developers are worried the user doesn't come back to them.
Check out the first video to see how this looks in action
Use in-app SFSafariViewController
Many third party iOS apps use this approach (e.g. Tweetbot).
It allows an app developer to use the built-in Safari with all its features, without making the user leave your application. It features all the Safari features, but from within your application.
Check out the second video to see how this looks in action
Current state with larger social network apps
Many larger iOS apps re-implemented their own in-app web browser. While this was necessary many years ago, nowadays it's not only not required any more, it actually adds a major risk to the end-user.
Those custom in-app browsers usually use their own UI elements:
- Custom address bar
- Custom SSL indicator
- Custom share button
- Custom reload button
Problems with custom in-app browsers
If an app renders their own WKWebView, they not only cause inconvenience for the user, but they actually put them at serious risk.
Convenience
User session
The user's login session isn't available, meaning if you get a link to e.g. an Amazon product, you now have to login and enter your 2-factor authentication code to purchase a product.
Browser extensions
If the user has browser extensions (like password managers), they won't have access to them in a custom in-app browser.
Deep linking
Deep linking itself has multiple open issues on the iOS platform. By using a custom in-app browser, it adds an extra layer that doesn't work well with deep linking. Instead of opening the Amazon app when tapping on an Amazon link in "Social Media App X", it opens the product in a plain web-view, with no login session, and no way to open the product in the app.
Content blockers
If the user has content blockers installed, they're not being used by custom in-app browsers.
Bookmarks
There is no way for the user to store the current URL in their bookmarks.
Share a website
Apps use this opportunity to force their users to use whatever "social features" they think are useful to them. Usually that means locking the user into their ecosystem, and not allowing people to share the content on the platform of their choice. There should be an explicit App Store rule against this.
Security & Privacy
Using a custom in-app browser allows the app developer to inject ANY JavaScript code into the website the user visits. This means any content, any data and any input that is shown or stored on the website is accessible to the app.
Analytics
This is basically the main reason why in-app browsers are still a thing: It allows the app maintainer to inject additional analytics code, without telling the user. This way, the app's developer can track the following:
- How long does the user visit the linked website?
- How fast does the user scroll?
- Which links does the user open, and how long do they stay on each of them?
- Combined with watch.user, the app can record you while you browse third party websites, or even use the iPhone X face sensor to parse your face
- Every single tap, swipe or any other gesture
- Device movements, GPS location (if granted) and any other granted iOS sensor, while the app is still in the foreground.
User credentials
Any app with an in-app browser can easily steal the user's email address, passwords and two-factor authentication codes. They can do that by injecting JavaScript code that bridges the data over to the app, or directly to a remote host. This is simple, it's basically code like this:
email = document.getElementById("email").value
password = document.getElementById("password").value
That's all that's needed: just inject the code above to every website, run it on every user's key stroke, and you'll get a nice list of email addresses and passwords.
To run JavaScript in your own web view, you can just use
NSString *script = @"document.getElementById('password').value";
[self evaluateJavaScript:script completionHandler:^(id result, NSError *error) { ... }];
User data
Once the user is logged in, you also get access to the full HTML DOM + JavaScript data & events, which means you have full access to whatever the user sees. This includes things like your emails, your Amazon order history, your friend list, or whatever other data/website you access from an in-app web view.
HTTPs
Usually the web browser has a standardised way of indicating the SSL certificate next to the browser's URL. In the case of custom in-app browsers, the SSL logo is being added by the app's author, meaning you trust the app's maintainer to only show the logo if it's actually a valid SSL certificate.
Ads
Custom in-app browsers allow all app developers to inject their own ad system into any website that's shown as part of their app. But not only that, they can replace the ads identifier of ads that are already shown on the website, so that the revenue goes directly to them, instead of the website owner.
And more
These are just some of the things that immediately come to my mind, every time I use an in-app browser, there are probably a lot more evil things a company or SDK could be doing.
How can we solve this?
- Reject apps that don't use SFSafariViewController or launch Safari directly to show third party website content
- There should be exceptions, e.g. if a webview is used to show parts of the UI, or dynamic content, but it should be illegal to use webviews to show a linked or third party website
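What that split looks like from the app developer's side, as an added Swift example (not code from the original post): a web view that only renders the app's own content and hands every other top-level link to SFSafariViewController, so the app never gets script access to third-party pages. `FirstPartyWebViewController` and the `firstPartyHosts` value are hypothetical.

```swift
import UIKit
import WebKit
import SafariServices

final class FirstPartyWebViewController: UIViewController, WKNavigationDelegate {
    // Assumption: the only hosts whose pages count as part of the app's own UI.
    private let firstPartyHosts: Set<String> = ["my-ride-sharing-app.com"]
    private let webView = WKWebView(frame: .zero,
                                    configuration: WKWebViewConfiguration())

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.navigationDelegate = self
        webView.frame = view.bounds
        webView.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        view.addSubview(webView)
    }

    func load(_ url: URL) {
        webView.load(URLRequest(url: url))
    }

    private func isFirstParty(_ url: URL) -> Bool {
        guard url.scheme?.lowercased() == "https",
              let host = url.host?.lowercased() else { return false }
        return firstPartyHosts.contains { host == $0 || host.hasSuffix("." + $0) }
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url else {
            decisionHandler(.cancel)
            return
        }
        // A nil targetFrame means "open in a new window"; treat it like a
        // top-level navigation. Sub-frame loads stay inside the current page.
        let isTopLevel = navigationAction.targetFrame?.isMainFrame ?? true
        if !isTopLevel || isFirstParty(url) {
            decisionHandler(.allow)
            return
        }
        // Third-party page: never render it in the app-controlled web view.
        decisionHandler(.cancel)
        presentInSafari(url)
    }

    private func presentInSafari(_ url: URL) {
        // SFSafariViewController only accepts http and https URLs; anything
        // else is dropped here instead of being loaded in the web view.
        guard let scheme = url.scheme?.lowercased(),
              scheme == "http" || scheme == "https" else { return }
        present(SFSafariViewController(url: url), animated: true)
    }
}
```

The third-party page then runs inside SFSafariViewController, where the hosting app cannot call `evaluateJavaScript` on it or read its DOM.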
I also filed a radar for this issue.
Similar projects I've worked on
I published more posts on how to access the camera, the user's location data, their Mac screen and their iCloud password, check out krausefx.com/privacy for more.
Tags: security, privacy, sdks