iOS apps should be inside a network sandbox

Background

With my recent publications, most importantly "Trusting SDKs", it became clear that hijacked or malicious iOS apps pose major security and privacy risks for users, and allow attackers to reach a large number of users through a single point of failure.

Most of the time, the consequences of those attacks are about data:

  • Usernames and passwords
  • Location data
  • Facial data
  • Advertising data
  • Address book entries
  • Payment information (e.g. credit cards)
  • Other personal information

Notice how sandboxes in software are designed to keep data inside the box (in the form of a filesystem), but for some reason they stop short when it comes to network requests.

If an attacker manages to hijack an iOS app, the first thing they would do is send the collected data to a server under their control.

Idea

Initially just tweeting my shower thoughts, and reaching 300 likes & 50 RTs, this idea grew more and more:

App Transport Security

At WWDC 2016 Apple announced ATS, an iOS 9 feature to enforce the use of HTTPS across all iOS apps. It was said to become mandatory by the end of 2016, however the deadline was moved to an undefined date. The idea makes perfect sense: all the infrastructure and tools around HTTPS encryption that people already have in their web browsers to verify the security of websites don't work on the iOS platform. If you use your banking or dating app, how can you as a user be sure the company didn't mess things up? It's not like it happened before.

Web vs iOS

On the web, browsers started marking HTTP websites as "Not Secure", HSTS is built into browsers to force HTTPS for certain hosts, people use HTTPSEverywhere to enforce HTTPS connections across more hosts, and people use uBlock to block tracking and ad widgets that slow down websites.

On iOS, you install and use an app, and hope that the app developer uses proper encryption, securely stores your personal information, and doesn't use any sketchy SDKs that you wouldn't trust yourself. If you don't agree with something (e.g. an analytics SDK), there is nothing you can do about it.

Proposal

Step 1:

Finish the ATS plans. It's been 2 years now, enough time for app developers to update their apps. Allow developers to file for an exception, and mark them accordingly on the App Store page with a badge of shame (similar to how Chrome marks all non-HTTPS websites nowadays).

Step 2:

Introduce the concept of network sandboxes. Each app should define a list of hostnames they are allowed to access.

Imagine a ride-sharing app having access to

  • my-ride-sharing-app.com
  • stripe.com
  • google-analytics.com
  • maps.google.com

This list serves multiple purposes:

  • The app can only access those hosts. Meaning if an SDK is malicious or your app got hijacked in some way, it can't access the scary internet and leak the user's data.
  • The app review team will see the list as they approve the app. At the same time, they can see a diff of the hosts between app releases.
  • The user should have a way to see that list as part of the App Store page.
  • In the future we could even put the user in control by distinguishing between primary hosts (e.g. twitter.com) that are needed to have the app running, and secondary hosts (e.g. random-analytics-service.com). This however would come with many implications when it comes to the revenue models of the majority of mobile apps.

As always, exceptions should be possible, third-party browsers should exist, and some apps might have to support so many hosts that they can't follow those rules. And that's okay, those apps will be marked as "Can access any host" as a little warning in the App Store.
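Since the network sandbox is only a proposal, the following is an added example (not code from the post or from Apple) sketching what enforcement and review could look like: whole-label host matching for the ride-sharing allowlist above, plus the release-to-release diff the review team would see. The "*." subdomain form and the "*" any-host entry are my assumptions, not part of the proposal.

```python
"""Added example (not from the post): a host allowlist check and a
release-to-release diff for the proposed network sandbox.

Assumptions: the allowlist is a plain list of hostnames as in the post;
an entry prefixed with "*." also covers subdomains; the literal entry
"*" is the "Can access any host" exception."""
from urllib.parse import urlsplit

# Constructed allowlist for the ride-sharing app from the post.
RIDE_SHARING_HOSTS = [
    "my-ride-sharing-app.com",
    "stripe.com",
    "google-analytics.com",
    "maps.google.com",
]

ANY_HOST = "*"


def _normalize(host):
    # Lower-case and strip a trailing dot; IDN handling is left out here.
    return host.lower().rstrip(".")


def host_allowed(url, allowlist):
    """Return True if the URL's host is covered by the allowlist.

    Matching is on whole DNS labels, never on substrings: "evil-stripe.com"
    does not match "stripe.com", and "stripe.com.attacker.example" does not
    either. A bare entry covers only that exact host; "*.stripe.com" covers
    stripe.com and every host below it.
    """
    if ANY_HOST in allowlist:
        return True
    host = urlsplit(url).hostname
    if not host:
        return False  # no host component (e.g. data: URLs): not on the list
    host = _normalize(host)
    for entry in allowlist:
        entry = _normalize(entry)
        if entry.startswith("*."):
            suffix = entry[1:]  # e.g. ".stripe.com", keeps the label boundary
            if host == entry[2:] or host.endswith(suffix):
                return True
        elif host == entry:
            return True
    return False


def diff_hosts(previous, current):
    """Hosts added and removed between two app releases, for the reviewer."""
    prev = {_normalize(h) for h in previous}
    cur = {_normalize(h) for h in current}
    return {"added": sorted(cur - prev), "removed": sorted(prev - cur)}


def review_verdict(previous, current):
    """Label a release the way the post suggests the App Store would."""
    if ANY_HOST in current:
        return "Can access any host"
    changes = diff_hosts(previous, current)
    if changes["added"]:
        return "new hosts need review: " + ", ".join(changes["added"])
    return "no new hosts"
```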

While the above doesn't solve all the problems, it is a good first step in the right direction. We'll run into problems, and we'll solve them. It's a necessary change for the mobile ecosystem, catching up with where we already are with web browsers nowadays.

Tags: privacy, security

Going nomad


Update: Check out the One Year Nomad post from 2018

Background

I moved to San Francisco in summer 2015 to join Twitter. I lived in a furnished apartment for my first year, which I really enjoyed, as I didn't have to buy all the essentials myself after moving across the globe into a new country.

After my 1 year lease, I decided to do what "grown-ups" are supposed to do: get your own apartment, buy furniture, decorate the place, and make it your home. After living in my little studio for about 1.5 years, I noticed a few things:

  • In 2017 I only spent about 200 nights in my apartment, causing me to still pay about 5 months worth of San Francisco rent without actually living there (the average monthly lease for a studio apartment is about $3,000 + utilities, resulting in about $15,000 of my after tax money being lost)
  • While I enjoy having my own space, I never invested enough time and effort into making it nice: until the day I moved out after 18 months, I still didn't have enough closets for all my things and had my clothes piled up in some corner
  • I didn't like being bound to one location in the city. In particular, in the common case of getting acquired by another company (#justSFthings), your commute changes, and you can't just move around
  • I didn't like the fact that I was always surrounded by the same places, and things became routine. Same subway station, same spots you walk by every day, same views, same commute, etc. After a month it gets boring and I need a change.


The idea

Ever since I first started reading @levelsio's blog in 2014, about living out of just a backpack and traveling across the world while working on his own startups, I was fascinated by the idea. However, I always assumed it doesn't work if you have a full-time job at a large company like Twitter or Google.

2014 was also the time I met @orta, who told me about his first year in New York City, where he lived in a different neighborhood in a random Airbnb each month. This allowed him to see what NYC has to offer, and which area he liked the most. I loved the idea, and kind of knew I wanted to do this at some point in life.

Only in October 2017 did I realize that combining those two things might actually just work.

Making the move

After living in San Francisco for 2.5 years, I wanted a change. With my lease ending in October, I decided to reduce my life to just

  • 1 suitcase
  • 1 carry-on luggage
  • 1 backpack

and lived in an Airbnb in San Francisco until the winter holidays, for which I went back home to Austria. I got really lucky with my SF Airbnb, as I got it from Zeus Living, a company that rents out apartments for people like me: rent a place per month, all utilities included, and enough space with a desk to get work done.

For the last 6 months I've lived the nomad life, with just the things listed above. So far I've stayed in 6 different neighborhoods in NYC, 2 areas in SF, and spent time with my family in Austria for New Year's. While I plan flights ahead of time due to costs, I don't book places longer than a month ahead, something that took some time getting used to.

Spending time in a single city

While being a different city each month might sound like a dream to many people, I learned it comes with many downsides:

  • It's hard to build up a social circle of close friends
  • It's hard to really get to know a city, and make use of all the things it has to offer
  • It's hard to learn more about the culture
  • Cities change with the seasons; a summer is usually quite different from a winter
  • It's stressful changing cities too often

Last year I spoke at conferences in 9 cities. I knew I wanted to fly less in 2018.

In January 2018, we started the new fastlane.ci project, which requires us to work more closely with other Google teams that are partially based in New York. I used that opportunity to "move" to NYC. So while I move to a different Airbnb every week, I do so within the same city. I grew up in a village with a population of less than 2,000, without a single traffic light. Living in New York has been an amazing experience, with almost as many people living here as in the whole country of Austria.

For now, this seems like the perfect balance for me personally: not getting bored by the day-to-day routine (e.g. the same commute) by moving to a new Airbnb every week, but also being able to hang out with the same friends, and get to know the whole city. Long term, I'll switch to a monthly cycle for even less overhead.

Frequently asked questions

How do you handle physical mail?

Online orders: I'm lucky that I can use the Google office to order from Amazon, and pick up the packages at the end of the work day. It's offered in most major cities, and even allows me to order something for a specific location. For example: when I flew to Amsterdam I ordered an umbrella to the office, ready for me to pick up.

Letters: I use the VirtualPostMail service. They scan your letters and send them to you via email. If you need the original, you can tell them to forward it to your current address (or office in my case).

Money

My first thought was: Staying in Airbnbs must be more expensive than having my own place! For multiple reasons:

  • Short term leases have to charge more to account for the vacant nights
  • Airbnbs are furnished, and include some basic services and utilities
  • Airbnb charges a pretty hefty fee for each booking

Circling back to the fact that I'm not at home for about 5 months each year, I realized that I don't pay my (SF/NYC) rent when:

  • I speak at a conference, and the organizers cover the hotel costs
  • I go on vacation
  • I go back home
  • I crash on a friend's couch / extra bed
  • Google plans a team-offsite in a different location and covers the accommodation
  • I take a red eye flight (a flight that leaves at about midnight, and lands in the morning)

Every night I don't need to pay for my own place, I save about $100 of after-tax money (NYC/SF).

Do you keep any physical memories?

You can either ask your parents nicely to keep your things, or you can rent storage somewhere to keep it. I decided to bring my things back home to Austria, by just having an extra bag with me the first time I flew back.

How did you get rid of so much stuff?

I don't care about physical things. If I were to lose all my devices, or all my clothes today, I'd buy new ones (probably the same ones). So getting rid of things was rather easy, and I personally never understood why it's difficult, unless there are certain memories attached.

All I did was ask: do I really need this? If the answer wasn't an immediate yes, it's a no. If I wanted to keep the "memory", I made sure to take a picture before giving it away.

I created a spreadsheet with all the things I was giving away, and shared it with my friends on Facebook, from furniture, to kitchen stuff, to light bulbs, and I got "rid" of everything, as 2 of my friends had just moved to a new place and needed almost everything. The remaining things I donated, or threw away if they weren't usable any more.

I went from

It is tricky though to buy new stuff, since I need to get rid of something else for every single new item I buy. While my suitcases still have some space left, the 22kg weight limit of most airlines is what I have to be careful about.

How do you keep things organized?

Those travel cubes have been pretty useful. I got a lot of them, for shirts, socks, underwear, electronics, etc., and can recommend them to anyone traveling.

Did you buy any travel gear for this?

Yes, there are some really cool things out there that made my life easier:

Is that "Minimalism Life"?

I've read a bit about this topic, including a great blog post of my friend about owning 200 things. I love the concept of owning just the things you really need, and forgetting the rest.

I also watched the "Minimalism" documentary on Netflix, which covers some of the concepts. Personally I don't want to count things, or reduce life in areas I don't want to. For example, I still carry around a rather high number of shoes with me, just because I like having the right shoes for the right occasion.

I'd argue the goal is to live a normal day-to-day life, when going to work or hanging out with friends, while still being very flexible.

Security concerns

That's something I've been thinking more about recently: breaking into an Airbnb is probably super easy, just stay in a place, copy the key and then steal from the next person, with the next person probably blaming the host or cleaning staff. Unfortunately it's not common for Airbnbs to have a safe.

  • I generally don't own anything of real value, besides my MacBook
  • I don't leave anything valuable in my Airbnb but put it in the Google office instead
  • All of my documents are stored online
  • Hourly backups on different continents, using hard drives and custom cloud backup solutions, all end-to-end encrypted, in a total of 5 different locations
  • Even if I were to lose 100% of my things including all my devices, I have a clear recovery path where I can recover my complete online identity, documents and everything else within less than 24 hours. For security reasons I can't share more about this specific topic, but I can recommend everyone to draw a map of the dependencies between the services/software/hardware you use, and how you can recover them step by step.

What else is nice about not having a fixed lease?

  • If you stay at a place for just a week, you'll never have to clean the apartment
  • You learn how other people live day to day, e.g. how they set up their rooms, and get a good idea of what you enjoy
  • You learn more about yourself, like what things are important to you when it comes to having a living space
  • When you own a home, you have to deal with maintenance, repairs and other things quite often. When renting in an apartment building, at least some things are taken care of by the owners. If you stay in an Airbnb, there is literally nothing you have to worry about: if something doesn't work, you notify the host and that's it.

I wrote this post in Taipei, Taiwan, where I work remotely from the Taipei Google office for 2 weeks before heading to San Francisco.

Being able to escape the cold winter feels amazing 😎


Tags: digital, nomad

How I use Twitter

Background

For most people, using the official Twitter client works fine. It's optimized to show you new content you might be interested in, makes it easy to follow new users, and shows the content that might be most relevant to you first. If you have an engineering mindset, chances are you want to be in control of what you see in your timeline.

I use Twitter to stay up to date with certain people. I want to hear about new projects or new content they published, new blog posts, their thoughts, etc. I'm not interested in hearing political opinions, sports scores, etc., which I already have Facebook for. If I follow someone, I'll read every single tweet from them. For the last 5 years, I didn't miss a tweet in my timeline, so I have to be very careful about who to follow, and what content to see. So I set out to customize Twitter to achieve that goal, and to only see about 50-75 tweets per day.

Solution

I've been using Tweetbot for the last few years; the technique described below might also work with other third-party Twitter clients.

Muted Keywords

A very basic list of words: as soon as a tweet contains one of them, it is hidden. Examples include:

  • headphone jack
  • drake
  • podcast
  • president

Muted users

I stopped using this feature, now that I use secret lists to follow people (see below) and disabled RTs. Muting users for a given time period or forever is useful in a few situations:

  • Some users in your timeline might promote a product, so you can mute that product
  • If a user is at a conference/event you're not interested in, you can mute them for a few days

Muted Regexes

A very powerful feature of Tweetbot is defining a regex to hide tweets. I use it to hide annoying jokes like

  • remember \w+
  • german word for \w+
  • \w+ is the new \w+

or to hide tweets from people who think we're interested in their airplane delays or #sports

  • (virgin|Virgin|@United|delta|Delta|JetBlue|jetblue)
  • twitter.com/i/moments
  • For every #sports #event there are also custom-made mute filters (truncated): (?#World Cup)(?i)((?# Terms)(Brazil\s*2014|FIFA|World\s*Cup|Soccer|F(oo|u)tbal)|(?# Chants)(go a l |[^\w](ole\s*){2,})|(?# Teams)(#(B....

Hide all mentions

This very much changed my whole timeline (for the better). Turns out, I follow people for their announcements, what they work on, what they're doing, what they're thinking about, etc. I actually don't want to see 2 people communicating publicly using @ mentions, unless it's a topic I'm interested in. So I started hiding all tweets that start with an @ symbol using a simple Tweetbot regex

  • ^@

If I want to see the responses to a tweet, I swipe to the left side and see all replies.
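To make the mute rules above concrete, here is an added example (my own code, not part of the post or of Tweetbot) that runs the muted keywords, the muted regexes and the ^@ rule over a few constructed tweets and reports which rule hid each one. It assumes keyword mutes are case-insensitive substring matches and regex mutes are searched anywhere in the tweet; Tweetbot's exact matching semantics may differ.

```python
"""Added example (not part of the post): the mute rules from this post
applied to a few constructed tweets, so you can see which ones survive.

Assumption: keyword mutes are case-insensitive substring matches, regex
mutes are searched anywhere in the tweet, and a reply is any tweet that
starts with "@". Tweetbot's exact matching rules may differ."""
import re

MUTED_KEYWORDS = ["headphone jack", "drake", "podcast", "president"]

# The regexes from the post (only the dot in the Moments URL is escaped);
# the "^@" rule is what hides all mentions/replies.
MUTED_REGEXES = [
    r"remember \w+",
    r"german word for \w+",
    r"\w+ is the new \w+",
    r"(virgin|Virgin|@United|delta|Delta|JetBlue|jetblue)",
    r"twitter\.com/i/moments",
    r"^@",
]

_COMPILED = [re.compile(p) for p in MUTED_REGEXES]


def mute_reason(tweet):
    """Return the keyword or pattern that hides the tweet, or None."""
    lowered = tweet.lower()
    for kw in MUTED_KEYWORDS:
        if kw in lowered:
            return "keyword: " + kw
    for pattern in _COMPILED:
        # re.search, so a pattern without ^ matches anywhere in the tweet
        if pattern.search(tweet):
            return "regex: " + pattern.pattern
    return None


def filter_timeline(tweets):
    """Split a timeline into (tweet, None) shown and (tweet, reason) hidden."""
    shown, hidden = [], []
    for tweet in tweets:
        reason = mute_reason(tweet)
        (hidden if reason else shown).append((tweet, reason))
    return shown, hidden


# Constructed sample timeline, not real tweets.
SAMPLE_TIMELINE = [
    "Just published fastlane 2.x, release notes on GitHub",
    "@orta yes, see you there!",
    "remember when phones had a headphone jack?",
    "Sitting on the tarmac at JFK, thanks Delta",
    "the german word for umbrella is Regenschirm",
    "Regex is the new black",
]
```

The regexes are case-sensitive as written, so "German word for" with a capital G would slip through; prefixing a pattern with (?i), as the post's World Cup filter does, makes it case-insensitive.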

Muted Clients

Muting certain clients has been amazing, very easy to set up and cleans up your timeline a lot. Some of the clients I mute:

  • Buffer (to avoid "content marketing"; so many companies make the mistake of tweeting the same posts every week or so using Buffer)
  • IFTTT (lots of people use that to auto-post non-original content)
  • Spotify
  • Foursquare (I follow friends on Swarm already, no need to see it twice)
  • Facebook

Secret Lists

One issue I had was balancing the number of tweets in my timeline with being polite and following friends. To avoid the whole "Why are you not following me?" conversation, I now use a private list to follow only about 300 people. I open sourced the script I used to migrate all the people I used to follow over to a private list.

Disable RTs

This has been a great change: as described above, I follow people for what they do, what they think of, and what they're working on. Some people have the habit of RTing content that might be interesting, but not relevant to why I want to stay subscribed to their tweets. On Tweetbot, you can.

Muting hashtags

I thank everyone for using hashtags for certain events, making it easy to hide them from my timeline :)

Disadvantages of this approach

Some of the newer Twitter features don't have an API, and therefore can't be offered by Tweetbot. This includes Polls, Moments and group DMs. Since I don't want to miss group DMs, I set up email notifications for Twitter DMs, and a Gmail filter to auto-archive the emails that are not from group DMs.

Summary

I've spent quite some time optimizing this workflow, and it's very specific, and probably not useful for most people. I try to minimize my time on social media; I only browse my Twitter feed when I have a few minutes to kill on the go. This means I work through my timeline only on my iPhone, and reply to mentions and DMs only on my Mac. I don't want to come across as uninterested: I do follow people on Facebook, I do read news and stay up to date. Twitter is a place for very specific content for me, and I want to keep using it as that.

Tags: twitter

iOS Privacy: Track website activities, steal user data & credentials and add your own ads to any website in your iOS app

Background

Most iOS apps need to show external web content at some point. Apple provided multiple ways for a developer to do so, the official ones are:

Launch a URL in Safari

This uses the app switcher to move your own app into the background. This way, the user has their own browser (Safari), with their session and content blockers, browser plugins (e.g. 1Password), etc. As launching Safari puts your app into the background, many app developers are worried the user doesn't come back to them.

Check out the first video to see how this looks in action ➡️

Use in-app SFSafariViewController

Many third party iOS apps use this approach (e.g. Tweetbot).

It allows an app developer to use the built-in Safari with all its features, without making the user leave your application: all of Safari's features, but from within your app.

Check out the second video to see how this looks in action ➡️

Current state with larger social network apps

Many larger iOS apps re-implemented their own in-app web browser. While this was necessary many years ago, nowadays it's not only no longer required, it actually adds a major risk for the end user.

Those custom in-app browsers usually use their own UI elements:

  • Custom address bar
  • Custom SSL indicator
  • Custom share button
  • Custom reload button

Problems with custom in-app browsers

If an app renders its own WKWebView, it not only causes inconvenience for the user, it actually puts them at serious risk.

Convenience

User session

The user's login session isn't available, meaning if you get a link to e.g. an Amazon product, you now have to log in and enter your 2-factor authentication code to purchase a product.

Browser extensions

If the user has browser extensions (like password managers), they won't have access to them in a custom in-app browser.

Deep linking

Deep linking itself has multiple open issues on the iOS platform. A custom in-app browser adds an extra layer that doesn't work well with deep linking. Instead of opening the Amazon app when tapping on an Amazon link in "Social Media App X", it opens the product in a plain web view, with no login session, and no way to open the product in the app.

Content blockers

If the user has content blockers installed, they're not being used by custom in-app browsers.

Bookmarks

There is no way for the user to store the current URL in their bookmarks.

Share a website

Apps use this opportunity to force their users to use whatever "social features" they think are useful to them. Usually that means locking the user into their ecosystem, and not allowing people to share the content on the platform of their choice. There should be an explicit App Store rule against this.

Security & Privacy

Using a custom in-app browser allows the app developer to inject ANY JavaScript code into the website the user visits. This means any content, any data and any input that is shown or stored on the website is accessible to the app.

Analytics

This is basically the main reason why in-app browsers are still a thing: it allows the app maintainer to inject additional analytics code without telling the user. This way, the app's developer can track the following:

  • How long does the user visit the linked website?
  • How fast does the user scroll?
  • Which links does the user open, and how long do they stay on each of them?
  • Combined with watch.user, the app can record you while you browse third party websites, or even use the iPhone X face sensor to parse your face
  • Every single tap, swipe or any other gesture
  • Device movements, GPS location (if granted) and any other granted iOS sensor, while the app is still in the foreground.

User credentials

Any app with an in-app browser can easily steal the user's email address, passwords and two-factor authentication codes. They can do that by injecting JavaScript code that bridges the data over to the app, or directly to a remote host. This is simple; it's basically code like this:

// Runs inside the page shown in the web view, so it sees the form fields
var email = document.getElementById("email").value;
var password = document.getElementById("password").value;

That's all that's needed: just inject the code above into every website, run it on every user's key stroke, and you'll get a nice list of email addresses and passwords.

To run JavaScript in your own web view, you can just use

// webView is the app's WKWebView instance showing the third-party site
NSString *script = @"document.getElementById('password').value";
[webView evaluateJavaScript:script completionHandler:^(id result, NSError *error) { ... }];

User data

Once the user is logged in, you also get access to the full HTML DOM + JavaScript data & events, which means you have full access to whatever the user sees. This includes things like your emails, your Amazon order history, your friend list, or whatever other data/website you access from an in-app web view.

HTTPS

Usually the web browser has a standardised way of indicating the SSL certificate next to the browser's URL. In the case of custom in-app browsers, the SSL logo is added by the app's author, meaning you trust the app's maintainer to only show the logo if it's actually a valid SSL certificate.

Ads

Custom in-app browsers allow all app developers to inject their own ad system into any website thatā€™s shown as part of their app. But not only that, they can replace the ads identifier of ads that are already shown on the website, so that the revenue goes directly to them, instead of the website owner.

And more

These are just some of the things that immediately come to mind every time I use an in-app browser; there are probably a lot more evil things a company or SDK could be doing.

How can we solve this?

  • Reject apps that don't use SFSafariViewController or launch Safari directly to show third-party website content
  • There should be exceptions, e.g. if a web view is used to show parts of the UI, or dynamic content, but it should be illegal to use web views to show a linked or third-party website

I also filed a radar for this issue.

Similar projects I've worked on

I published more posts on how to access the camera, the user's location data, their Mac screen and their iCloud password; check out krausefx.com/privacy for more.

Tags: security, privacy, sdks