App Rights or wrongs? A look at smartphone apps – or: why RTFM* is not just important for geeks and “computer types”

* = Read The F+*#ing (or “Fine”) Manual

Upload: philomena-hampton

Post on 29-Dec-2015


Page 1: App Rights or wrongs? A look at smartphone apps

or: why RTFM* is not just important for geeks and “computer types”

* = Read The F+*#ing (or “Fine”) Manual

Page 2: What I’ll speak about today

1. What are app rights and permissions – the good, the bad and the *OMG* !!!11

2. An overview of Rights (on Android)

3. Why you no RTFMP !?! (read the f…. permissions)

4. Can I haz Cheeseburger (→ Your Phone Contacts)? Weighing off risk vs. return.

5. Why you no RTFMT&C !?! (read the f… terms & conditions)

6. All your Base (→ Everything) Are Belong To Us (→ USA)!

7. Helppp!!

Page 3: App rights (also called: permissions) – A horrible beauty we’ve made…

• Every smartphone is a miniature computer with sensors (GPS, gyrometers, etc.). On the internet we all speak, not English, Chinese or French, but TCP/IP*. Many of the vulnerabilities of TCP on a computer apply also to smartphones, but infinitely worse are the unreasonable permissions you grant to apps.

• App rights are not evil from birth – they are limits to what apps can or cannot do → rights allow software to access either the hardware features of a phone, such as the camera, a user’s personal information (calendar, contacts) or the phone’s GPS coordinates.

• This way, information can be combined with automatic actions. THAT. IS. Beautiful…

• But if you give too many rights, it’s possible you give away too much about yourself.

• Really nasty if wrong information is cross-referenced.

* Sometimes also UDP

Page 4: Android OS – Permissions 1/2

Page 5: Android OS – Permissions 2/2

Page 6: Urgh… that’s a lot of rights

Page 7: Before you install: read your rights – do they match the use you think you’ll have for the app?

So much “FAIL” that one facepalm just isn’t enough…

Page 8: After you install an app: limit rights – you are in control

So much “FAIL” that one facepalm just isn’t enough…

Page 9: Exercise 1 – Spot the potentially dishonest app

Page 10: Does your mother know… as much about you as Facebook, Skype and Twitter do?

Page 11: Let’s zoom in

Page 12: Feeling a bit queasy? Good. ‘Cause there’s more.

Page 13: Knowing your Rights? Not enough – The example of the Spotify (→ Spytify) Terms & Conditions

From Spotify’s first try at new Terms & Conditions:

• “With your permission, we may collect information stored on your mobile device, such as contacts, photos or media files.”

• “We may also collect information about your location based on, for example, your phone's GPS location or other forms of locating mobile devices (e.g. Bluetooth). We may also collect sensor data (e.g., data about the speed of your movements, such as whether you are running, walking, or in transit).”

• “We may share information with advertising partners in order to send you promotional communications about Spotify or to show you more tailored content, including relevant advertising for products and services that may be of interest to you, and to understand how users interact with advertisements. The information we share is in a de-identified format (for example, through the use of hashing) that does not personally identify you.”

WTF?

So much “FAIL” that one facepalm just isn’t enough…

Page 14: Okay. So who else wants my data?

Page 15: The Government. It has you. Because Internet.

Page 16: The Government. It has you. Because Internet. (continued)

Page 17: Ok. Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaargh! So what do I do?

• Check those app permissions
  – If several apps are available with the same function, choose the one with fewer rights
  – If an app is free, it’s likely your data is the true price you pay
  – Read the f+*#ing permissions!

• Read the Terms & Conditions (and the Privacy Statement, if there is one)
  – Learn how the company behind the app says it will use your data
  – Keep an eye out for changes to the Terms & Conditions
  – Read the f+*#ing conditions!

• Lock down rights/permissions
  – On iOS: go to Settings > Privacy and turn off as much as you can. Yes, give up on a few comforts
  – On Android: consider “CyanogenMod” to limit app access rights

• Shame privacy violators on the social networks. It’s your internet. If you don’t say “no”, the default is “take all my data already!”

• “The Government” knows… maybe. If you let it.
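The two checks the talk asks for on pages 7 and 17 (do the requested rights match the use you expect from the app, and among apps with the same function, which asks for the fewest rights?) can be made mechanical against an app’s AndroidManifest.xml. The Python below is an added example written for this transcript, not code from the talk: the two manifests are constructed samples for hypothetical flashlight apps, and the PURPOSE_PROFILES and SENSITIVE sets are illustrative assumptions of this example, not an official Android list.

```python
"""Added example, not from the talk: compare the permissions an Android app
declares in its AndroidManifest.xml with what its stated purpose plausibly
needs, and rank candidate apps by least privilege.

Assumptions: the manifests are constructed samples; PURPOSE_PROFILES and
SENSITIVE are illustrative choices of this example, not an official list.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree's {namespace}attr form

# Constructed sample: a "flashlight" app that asks for far more than a torch needs.
GREEDY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""

# Constructed sample: a competing flashlight app that asks only for the camera
# (the torch is driven through the camera API on older Android releases).
LEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""

# Illustrative assumption: the permissions each kind of app plausibly needs.
PURPOSE_PROFILES = {
    "flashlight": {"android.permission.CAMERA"},
    "messaging": {"android.permission.INTERNET", "android.permission.READ_CONTACTS"},
}

# Permissions that expose personal data or sensors, i.e. the ones the talk
# warns about (contacts, location, microphone, camera, SMS). Illustrative subset.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.READ_CALENDAR",
}


def package_name(manifest_xml: str) -> str:
    """The package attribute on the <manifest> root."""
    return ET.fromstring(manifest_xml).get("package", "")


def declared_permissions(manifest_xml: str) -> set[str]:
    """Every android:name found on a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def excess_permissions(manifest_xml: str, purpose: str) -> tuple[list[str], list[str]]:
    """Split the permissions not explained by `purpose` into (sensitive, other)."""
    unexpected = declared_permissions(manifest_xml) - PURPOSE_PROFILES[purpose]
    return sorted(unexpected & SENSITIVE), sorted(unexpected - SENSITIVE)


def verdict(manifest_xml: str, purpose: str) -> str:
    """'suspicious' if any sensitive permission is unexplained by the purpose, else 'ok'."""
    sensitive, _ = excess_permissions(manifest_xml, purpose)
    return "suspicious" if sensitive else "ok"


def rank_by_least_privilege(manifests: list[str], purpose: str) -> list[str]:
    """Package names ordered by (sensitive excess, other excess), fewest first."""
    scored = []
    for m in manifests:
        sensitive, other = excess_permissions(m, purpose)
        scored.append((len(sensitive), len(other), package_name(m)))
    return [pkg for _, _, pkg in sorted(scored)]


if __name__ == "__main__":
    for m in (GREEDY_MANIFEST, LEAN_MANIFEST):
        sensitive, other = excess_permissions(m, "flashlight")
        print(f"{package_name(m)}: {verdict(m, 'flashlight')}")
        for p in sensitive:
            print(f"  unexplained (sensitive): {p}")
        for p in other:
            print(f"  unexplained: {p}")
    best = rank_by_least_privilege([GREEDY_MANIFEST, LEAN_MANIFEST], "flashlight")[0]
    print("prefer:", best)
```

Run against a real app, the manifest comes out of the APK (the tool you use to extract it is up to you); the point of the profile table is that the question “does this app need contacts?” is answered once per kind of app, not once per install prompt. Unexplained sensitive permissions are ranked ahead of harmless ones like INTERNET, which matches the talk’s advice that a free app wanting your contacts or location is probably charging you in data.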

Page 18: Ok. Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaargh! So what do I do? (continued)

• Use open-source apps and Encrypt! Encrypt! Encrypt!
  – This, strictly speaking, has nothing to do with app rights/permissions, but it is important to protect your privacy
  – DITCH YOUR STANDARD APPS!!!
  – Go to https://prism-break.org/en/ (plus: consider TextSecure / Signal for IM)
  – Go to https://www.eff.org/secure-messaging-scorecard

• Come back to Privacy Salon
  – Vulnerabilities in apps or protocols are discovered daily
  – App Rights, T&Cs or shareholdings (!) can change

But most importantly…

Page 19: One Last Thing

Page 20: A word about that fingerprint reader…

Page 21: A word about that fingerprint reader (continued)

Page 22: A word about that fingerprint reader (continued)

Page 23: Thank You