Sunday, 12 August 2018

Top Crab reminder

Just a reminder that over at Crab Juice, my reviews blog, I recently picked my favourites of the year (for the 12th time!).
Click the link to see what my favourite movie, video game, podcast and others are.

Monday, 6 August 2018

Follow the Apps

Most people take mobile apps for granted and never stop to consider the implications of using them. Well, there are implications, and privacy is one of them: when you use an app, you are - effectively - giving up on your ability to know what this app is doing on your behalf.
One very common thing for apps to do is to share your information with various players who make their money by collecting and harvesting our information. I’m talking Google, I’m talking Facebook, but I’m also talking about thousands of other companies most people have never heard of who make billions by selling our data. And, almost exclusively, they do so behind our backs (because we wouldn’t let them do it if we were aware of what was really going on).

There are ways for one to check on one’s apps.
One free and all-conquering tool is Wireshark. You set it up on a computer in your network and it will show you everything going in and out; you can then examine it to see, in detail, what goes in and out of your phone when you use certain apps. The problem, however, is that for the layman it can be pretty hard to separate the relevant from the irrelevant. Or, for that matter, it could be pretty hard to set Wireshark up in the first place.
Another way to check what’s going on in your internet connection is to use the deep packet inspection facilities available on some routers and switching equipment, particularly the more professional ones. For the purpose of the current discussion, I will assume this is either unavailable or is too technically demanding.
The easier, accessible-to-all way to see what apps are doing is to use a proxy app on your mobile device. When it’s running, all outgoing network traffic will go through that proxy app, and if it is designed for that purpose then it will allow you to peek into that outgoing traffic: where it is going, how much of it is going, and what is going (as in, the actual contents). With regards to the contents, things get harder to assess given most apps use encryption (a much-welcome positive!), but the metadata at one's disposal is usually sufficient to make some educated assessments. For example, you can tell if an app of yours is uploading your photos to an online server.
My proxy app of choice for iOS is called Charles Proxy. I can attest that aside from having a lovely name and a lovely icon, it delivers when it comes to overseeing one’s apps.
Regardless of tool, the first thing you will see when examining traffic going in and out of an iOS device is just how often your phone calls home to Apple (and I assume the situation is very similar with Android phones calling Google home). It’s all encrypted, so you can’t tell what it is, exactly, but it does look like Apple keeps track of opened and closed apps (probably for the purpose of assessing app popularity and such). The problem is, it’s all done behind closed doors so one cannot really tell what’s going on; regardless, we should all be aware of the fact our phones report a lot of stuff about us to the powers that be, every time we use them: you are not alone; someone is watching behind your back.
For now I will note that, given I ran my tests below on iOS, I have ignored mentioning whether apps call on an Apple service. It comes down to the fact that if you are using an Apple phone, you cannot hide from Apple. The same applies to Google and Android phones; Apple and Google’s surveillance is only limited by how far they are willing to go. In Apple’s case, it claims to be quite pro privacy (e.g., it offers navigation facilities using Apple Maps that don’t record where you are) yet it lacks in transparency. Google’s case is vastly different, with the company making its money out of its users’ data, causing it to often cross what’s acceptable (examples include tracking users’ location using cell tower data even when the user disables location services; there’s plenty more). I will put it this way, there are very good reasons why I happily pay Apple the inflated prices it charges for its devices.

Once you do start looking into apps’ behaviour, you’d be able to detect a pattern. Apps tend to come in one of the following flavours:
1. Apps that work just fine without calling any external party or any user tracking.
2. Apps that call home to Google.
3. Apps that call home to Facebook.
4. Apps that call home to a slew of other trackers, advertisers, and data harvesters.
I will note the above order of app escalation is not random. That is to say, apps that call Facebook seem to invariably call Google, too. Similarly, apps that call on “other” trackers will not leave Google or Facebook behind.
It’s worth mentioning there are legitimate reasons for apps to call on the external resources of companies such as Google and Amazon. For example, Signal, one of the most secure and private messaging apps out there, uses Amazon’s services. Similarly, there are apps that use Google’s storage facilities. However, part of the Google “contract”, if you will, says that they provide services in return for tracking. Similarly, Amazon Web Services is the engine that runs a lot of our internets, but Amazon is also a retail company running pretty sophisticated operations in the tracking and data harvesting department.
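To make the proxy/capture approach and the four flavours concrete, here is an added example (my own illustration, not code from the post, from Charles Proxy or from any of the apps named): a small script that takes the kind of metadata a proxy or a Wireshark capture still exposes when payloads are encrypted (which app, which destination host, how many bytes went out) and sorts each app into one of the four flavours. The log format, the sample hosts, the per-app first-party domains and the domain tables are all assumptions made for the example; the tracker table in particular is a handful of names from the post, not a maintained blocklist. Note that seeing the destination host does not require breaking the encryption, and that is deliberate: many apps refuse to talk through an intercepting proxy at all (certificate pinning), so a method that works from metadata alone covers more apps.

```python
"""Sort apps into the post's four 'flavours' from connection metadata.

Added example, not the post's or any vendor's code. It works on a
constructed, tab-separated log (app, destination host, bytes sent per
connection). Domain tables and sample hosts are assumptions for
illustration only.
"""
from collections import defaultdict

# Constructed sample log. A host of "-" records that the app was exercised
# but opened no connection at all.
SAMPLE_LOG = """\
Halide\t-\t0
VLC\t-\t0
Darkroom\tapi.darkroom.example\t1820
Darkroom\tc.heapanalytics.com\t640
Darkroom\tsdk.hockeyapp.net\t310
Darkroom\tp51-content.icloud.com\t52000
Enlight\tapi.enlight.example\t900
Enlight\twww.googleapis.com\t2300
Enlight\tgraph.facebook.com\t1700
Enlight\tapi.appsflyer.com\t880
PlayerXtreme\twww.googleapis.com\t1200
PlayerXtreme\tgraph.facebook.com\t800
PlayerXtreme\tmetrics.unknown-vendor.example\t400
"""

# Assumed first-party domains per app (placeholders, not real hosts).
FIRST_PARTY = {"Darkroom": "darkroom.example", "Enlight": "enlight.example"}

# Suffix tables (assumptions). Platform traffic is ignored, as the post does.
CATEGORIES = {
    "platform": ("apple.com", "icloud.com"),
    "google": ("google.com", "googleapis.com", "gstatic.com", "doubleclick.net"),
    "facebook": ("facebook.com", "fbcdn.net"),
    "tracker": ("heapanalytics.com", "hockeyapp.net", "crashlytics.com",
                "appsflyer.com", "apptentive.com"),
}
NOT_EXTERNAL = {"platform", "first-party"}


def _under(host, domain):
    """True when host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def categorise(host, first_party=""):
    """Map one destination host to a category; None for 'no connection'."""
    host = host.lower().rstrip(".")
    if host in ("", "-"):
        return None
    if first_party and _under(host, first_party):
        return "first-party"
    for cat, suffixes in CATEGORIES.items():
        if any(_under(host, s) for s in suffixes):
            return cat
    return "unknown"  # worth a manual look, but not assumed to be a tracker


def parse_log(text):
    """Parse 'app<TAB>host<TAB>bytes' lines into (app, host, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        app, host, nbytes = line.split("\t")
        rows.append((app.strip(), host.strip(), int(nbytes)))
    return rows


def flavour(categories):
    """The post's 1-4 scale, judged only on categories we can attribute."""
    if "tracker" in categories:
        return 4
    if "facebook" in categories:
        return 3
    if "google" in categories:
        return 2
    return 1


def profile(text, first_party):
    """Per app: flavour, categories seen, external bytes, hosts to review."""
    per_app = defaultdict(lambda: {"bytes": defaultdict(int), "hosts": defaultdict(set)})
    for app, host, nbytes in parse_log(text):
        entry = per_app[app]  # register the app even if it never connects
        cat = categorise(host, first_party.get(app, ""))
        if cat is None:
            continue
        entry["bytes"][cat] += nbytes
        entry["hosts"][cat].add(host)
    report = {}
    for app, entry in per_app.items():
        cats = set(entry["bytes"])
        report[app] = {
            "flavour": flavour(cats),
            "categories": sorted(cats),
            # bytes that left for anyone other than the developer or Apple
            "external_bytes": sum(b for c, b in entry["bytes"].items() if c not in NOT_EXTERNAL),
            "review": sorted(entry["hosts"]["unknown"]),
        }
    return report


def escalation_exceptions(report):
    """Apps that break the ordering the post describes: flavour 3 should
    also call Google, flavour 4 should also call Google and Facebook."""
    out = []
    for app, r in report.items():
        cats = set(r["categories"])
        if r["flavour"] == 3 and "google" not in cats:
            out.append(app)
        elif r["flavour"] == 4 and not {"google", "facebook"} <= cats:
            out.append(app)
    return sorted(out)


if __name__ == "__main__":
    rep = profile(SAMPLE_LOG, FIRST_PARTY)
    for app, r in sorted(rep.items()):
        print(f"{app:12} flavour {r['flavour']}  out={r['external_bytes']:6}B  "
              f"{', '.join(r['categories']) or 'no connections'}  review={r['review']}")
    print("breaks the escalation pattern:", escalation_exceptions(rep))
```

The "review" list is where the unattributed hosts land; the script deliberately does not count those as trackers, because a host you cannot name may equally be a CDN or the developer's own backend. Running the sample shows why checking the escalation pattern on your own data is useful: the constructed Darkroom rows (modelled on the post's own findings) reach flavour 4 via analytics alone, without Google or Facebook, so the pattern is a tendency rather than a rule.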

To demonstrate my point regarding apps and the tracking they come bundled with, I will point out real life examples for apps that behave differently to one another when it comes to respecting their users’ privacy. Obviously, there are a lot of apps to go through (in the millions!), but for now I will stick with three popular use cases of mine.

Camera apps:
Halide: Doesn’t call anyone.
Camera+ for iPad: Doesn’t call anyone (but do note there is a newer iteration of that app).

Photo editing apps:
Darkroom: Calls the dev’s home, a couple of analytics tools (Heap Analytics, HockeyApp), Apple’s iCloud (probably because that’s where my photos are stored).
Affinity: Calls the dev’s home and Amazon’s AWS.
Enlight: Calls Google, Facebook, and numerous others. Guess that's one app that quickly gets deleted off my phone.

Video playback apps:
VLC: As can be expected (?) from an app of such noble origins, VLC doesn’t call anyone.
Infuse: Doesn’t call anyone, but I will note I am using the old Pro version 4.
PlayerXtreme: Despite me paying for the premium app (there is also a free version), the app calls Google, Facebook, and numerous other trackers. It’s hard to tell what it is, exactly, that is shared; however, since I am not sure I would like to share what videos I watch with such entities, I’d rather stick with the likes of VLC.

PDF annotation apps: (I will add I grouped here several apps offering significantly different, yet overlapping, functionality)
GoodReader: As per its own statements, GoodReader does not share your information.
Notability: While this app offers superior annotation facilities (e.g., OCR, Apple Pencil support), it does call home to Google.
GoodNotes: Very similar to Notability in form and function (though it had OCR years earlier), GoodNotes calls home to both Google and Facebook.
LiquidText: This otherwise incredible app for studying texts is also quite productive in the tracking department. It calls home to liquidtext.net looking for something called ad-pack.zip (does the name tell us all we need to know here?). It also calls Facebook and various analytics/trackers like Apptentive, Crashlytics, and AppsFlyer.

I will add I find the above findings odd. In the case of Halide I actually communicated with the devs, who told me their apps don’t send anything, but then again my device clearly shows some [yet little] mobile data use by the app. It could have been a one off or a bug.
In the case of Camera+, I distinctly remember the iPhone version calling home with each use. Perhaps the iPad version is different, or maybe they changed their approach.
I guess my point is, if you see an app sending your information away then you know it does it; if you don’t, that does not preclude the app from sending information away at some later point in time. That said, I highly recommend Halide as my favourite camera app on the iPhone, and I think it is clear the developer has all the right intentions.

You might have noticed I did not include games in this survey. Which is rather odd, given games are known to be some of the worst offenders when it comes to tracking users. Especially the free ones, some of which are pretty blatant platforms for not much more than tracking their users.
My answer there is rather simple: Sure, there are plenty of ethical games out there that do not track their users. Regardless, given that the bulk of games do not need the internet to run (I will add: given the better games do not need the internet to run), the easiest way of dealing with their user tracking is to simply go offline when playing them.
Sometimes, the crude “old style” solution is the best solution.

Yet another solution for bypassing the tracking imposed on users by apps is to use a good old browser instead. That is, instead of using an app to perform an action (say, buying an item on eBay), go to the eBay website and perform the exact same action.
The reason for choosing the browser over the app is simple: on a browser, you can take control over who can track you or not by using ad blockers and numerous other tools that are widely available out there. On a desktop browser you can install add-ons such as uBlock Origin (ad blocker), Ghostery and Privacy Badger (tracker blockers that utilise different approaches to the blocking).
On iOS Safari, on the other hand, you can utilise ad blockers such as Firefox Focus, AdBlock, or one of the flavours available from Disconnect. The Firefox iOS browser itself comes with ad blocking built in, to various degrees, but it is not on by default. Then there is my favourite iOS browser, Brave, which comes with idiot proof tracker blocking built in and even offers script blocking for the more advanced user. Indeed, Brave has become my go to recommendation whenever the layman asks me for the easiest way to avoid tracking; it is, literally, idiot proof.
Sure, nothing here can completely solve the tracking problem, but this approach lets us, users, take some initiative.

If there is a way for me to summarise this post, it will be by stating that, the way things currently are, there is no way for a user to know whether certain apps come with user tracking without (a) paying for them first, and (b) testing them yourself while, at the same time, letting the harvesters harvest by virtue of your testing. Given the above examples, it is clear I would have never bought certain apps given the availability of others that do the same (more or less) but come without that extra burden of user tracking.
With the caveat of never knowing for sure before you actually bought the app, I will add there are certain indicators that can help. Some apps “smell” right while others don’t. Take VLC as an example: it’s open source, it’s a free download and has been for eternity, and therefore I wasn’t surprised to learn it doesn’t try to track me.
In contrast, all the apps that make a living through advertising are clearly prime suspects, if only because of the fact those same advertising companies whose contents they show are also (usually) data trackers/harvesters. Clearly, this makes paid apps less likely to use trackers than free apps (with the notable exception of the ideologically driven apps, of the likes of VLC and Signal). It’s probably worth noting that trackers do not stop tracking even after you pay the extra fee to remove the ads, as is often an option.
Bottom line, probably the most effective way of assessing whether an app will exploit you for your data’s worth or not - other than paying and testing the app for yourself - is to try and figure out how, exactly, the app developer is planning to finance their operation. In most cases, we users can tell that in advance; sure, it takes time and effort to do this research, but on the other hand it is always worthwhile to ensure you’re installing quality stuff on your devices in the first place. For the same reasons you don’t pick garbage from the street to put in your house, don’t do it with any odd garbage you find at your nearest App or Play Store.
One last thing: If you do stumble upon an ethical developer that does the right thing, do support them! Give them some of your money, because they deserve it. And try to point to your friends and colleagues the virtues of those developers. The biggest problem a developer faces is obscurity, and if we can help the good guys with that then we are actively improving the world we live in.