It's kinda amazing that Facebook tried that poo poo after LinkedIn tried the same poo poo with their ESMTP proxy thing they tried to get people to install so they could automatically link emails to profiles, and got the hell smacked out of them for it
# ? Jun 11, 2024 11:00
Phone posted:
> I fail to recognise the “bad practice” here. Researchers clearly asked for consent, in case of teens they have required parental consent as well, they have had clearly worded policy, they have generously paid for participation.

did you paste this from a comment somewhere

the first bad practice was violating apple's terms with regards to who apps signed with that certificate may be given to, that made this open and shut. the second bad practice was using this to circumvent an app store ban, that made this open and shut with extreme prejudice.

on top of that there are all the arguments to be had over whether the level of disclosure was sufficient, whether the users really understood the full implications of what they were doing, whether they did due diligence as to verifying parental consent was actually obtained, whether it's appropriate to make that sort of offer to teenagers in the first place, and the ethics of turning users' phones into bugging devices to obtain data on competitors

facebook is exactly the sort of malicious actor that apple's heavy handed walled garden poo poo is meant to protect users from
haveblue posted:
> did you paste this from a comment somewhere

I’m the EULA defender
I'm p. sure that unless the app is explicitly doing cert pinning, what Facebook did allows for TLS intercept
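What "cert pinning" buys you in the situation the post above describes, as an added example that is not from any poster and not code from Facebook's app. Assuming, as the post implies, that the intercepting proxy relies on a root certificate the user has trusted, it can mint a leaf for any hostname and the system trust store will accept it; an app that pins the server's SubjectPublicKeyInfo hash (the `sha256/…` form used by HPKP and OkHttp's CertificatePinner) rejects that leaf, because the interceptor cannot reproduce the server's public key. The certificates here are constructed toy DER structures (laid out like an X.509 Certificate, but with placeholder keys and signatures) and the hostname is made up; the point is which bytes the pin is taken from.

```python
import base64
import hashlib

# --- minimal DER helpers: enough to build and walk a toy X.509 certificate ---
SEQ, INT, OID, BITS, NULL, UTF8, SET, UTC, EXPLICIT0 = (
    0x30, 0x02, 0x06, 0x03, 0x05, 0x0C, 0x31, 0x17, 0xA0)


def der(tag: int, body: bytes) -> bytes:
    """Encode one TLV with a short- or long-form DER length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_children(buf: bytes) -> list:
    """Return (tag, body) for each consecutive TLV in buf."""
    out, off = [], 0
    while off < len(buf):
        tag, ln, off = buf[off], buf[off + 1], off + 2
        if ln & 0x80:                       # long-form length
            n = ln & 0x7F
            ln = int.from_bytes(buf[off:off + n], "big")
            off += n
        out.append((tag, buf[off:off + ln]))
        off += ln
    return out


RSA_OID = bytes.fromhex("2a864886f70d010101")      # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
CN_OID = b"\x55\x04\x03"


def spki(pubkey_bytes: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }."""
    alg = der(SEQ, der(OID, RSA_OID) + der(NULL, b""))
    return der(SEQ, alg + der(BITS, b"\x00" + pubkey_bytes))


def toy_cert(serial: int, subject: bytes, pubkey_bytes: bytes, sig: bytes) -> bytes:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }.
    Structurally valid, not cryptographically valid: the signature is a placeholder."""
    sig_alg = der(SEQ, der(OID, SHA256_RSA_OID) + der(NULL, b""))
    name = der(SEQ, der(SET, der(SEQ, der(OID, CN_OID) + der(UTF8, subject))))  # CN=subject
    validity = der(SEQ, der(UTC, b"190101000000Z") + der(UTC, b"200101000000Z"))
    tbs = (der(EXPLICIT0, der(INT, b"\x02"))        # version v3
           + der(INT, bytes([serial])) + sig_alg + name + validity + name
           + spki(pubkey_bytes))
    return der(SEQ, der(SEQ, tbs) + sig_alg + der(BITS, b"\x00" + sig))


def extract_spki(cert: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo."""
    (_, cert_body), = der_children(cert)
    (_, tbs), *_ = der_children(cert_body)
    fields = der_children(tbs)
    if fields[0][0] == EXPLICIT0:           # optional [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, body = fields[5]
    return der(tag, body)


def spki_pin(cert: bytes) -> str:
    """HPKP / OkHttp style pin: base64(sha256(DER SubjectPublicKeyInfo))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(extract_spki(cert)).digest()).decode()


def cert_fingerprint(cert: bytes) -> str:
    """Hash of the whole certificate: changes on every renewal, even with the same key."""
    return hashlib.sha256(cert).hexdigest()


def connection_allowed(leaf: bytes, pins: set) -> bool:
    """What the app checks on top of normal chain validation."""
    return spki_pin(leaf) in pins


# --- constructed scenario (keys are just digests standing in for RSA public keys) ---
SERVER_KEY = hashlib.sha256(b"constructed server key").digest()
MITM_KEY = hashlib.sha256(b"constructed interceptor key").digest()
REAL = toy_cert(1, b"api.example.com", SERVER_KEY, b"\x01" * 32)
RENEWED = toy_cert(2, b"api.example.com", SERVER_KEY, b"\x02" * 32)   # same key, new cert
INTERCEPTED = toy_cert(3, b"api.example.com", MITM_KEY, b"\x03" * 32)  # issued by the user-installed root
PINS = {spki_pin(REAL)}                       # shipped in the app at build time

if __name__ == "__main__":
    for label, cert in (("real", REAL), ("renewed", RENEWED), ("intercepted", INTERCEPTED)):
        print(f"{label:12} allowed={connection_allowed(cert, PINS)} pin={spki_pin(cert)}")
```

Pin the SPKI, not the whole certificate: the renewed certificate with the same key still passes, whereas a fingerprint of the full DER would have broken the app at the first renewal. A real pinning implementation also ships a backup pin for the next key and treats a pin failure as a hard error rather than falling back to the system trust store.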
apseudonym posted:
> We also don't present an option to allow apps to rootkit your phone?

sorry for the hyperbole. my point was there's no distinction between permissions that are usually malicious and benign permissions required for basic functions. it's not as clear as it should be to a non-technical user that certain permissions should be a red flag
fisting by many posted:
> sorry for the hyperbole

if a permission is benign, why does the app even need to ask for it

if a permission is "usually malicious", apps should probably be banned from even asking for it

expecting normal users to janitor their app permissions is never going to not suck
Shifty Pony posted:
> all their internal apps are dead

does this mean they yanked all of Facebook's development certs, or that Facebook was using the same cert for all of this
are there any actually good security consulting firms?
Trabisnikof posted:
> lol at getting this design irb approval at any real research organization

The approach many researchers take here is (1) write an extremely abstract proposal & application (2) actively mislead the IRB in follow-up clarification and committee
my bitter bi rival posted:
> does this mean they yanked all of facebooks development certs or that Facebook was using the same cert for all of this

what they yanked was the "enterprise certificate", which is different from the "developer certificate". there's only these two, really

the developer cert is used to sign apps for submission to the app store. this is the cert that signs public releases of the official app, messenger, etc. this cert has not been touched as far as we know and the apps are still up on the store

the enterprise cert is used when you have to put an app on a device as part of your internal operations. you can't put an entirely unsigned app on an ios device unless you jailbreak it, there always has to be some level of credentials/trust involved. so this cert is used to e.g. give a build to your QA department that they can put on all their devices. or to make small in-house apps that don't need to go through the app store because anyone and everyone who uses them works for you to begin with. this cert was used for a bunch of those things and was also abused for this VPN research program, so when apple killed it a ton of internal facebook utilities went with it
Main Paineframe posted:
> if a permission is "usually malicious", apps should probably be banned from even asking for it

What is malicious? Most people respond "meh" at the slightest hint of inconvenience. "Malicious" seems to be publicly defined as anything more than a few clicks between a live smartphone camera video and automatic puppy dog overlays in streamed video. "Hey I need to read your location briefly to do the thing you wanted me to do just now" and "Lol I'm going to track you forever" are the same permission prompt in mobile platforms.
BIGFOOT EROTICA posted:
> are there any actually good security consulting firms?

yes
haveblue posted:
> what they yanked was the "enterprise certificate", which is different from the "developer certificate". there's only these two, really

I think the question was more did Apple suspend the certificates for Instagram Inc and WhatsApp Inc as well, or was Facebook only using Facebook Inc's enterprise certificate for all of their internal apps? I don't know if Apple allows that sort of per-subsidiary certificate structure or not, but if they do I could definitely see the reasoning behind yanking all of them.
Not knowing what action Apple took here specifically, it would make sense that entities that existed before the FB acquisition have their own Apple certs.
Phone posted:
> I fail to recognise the “bad practice” here. Researchers clearly asked for consent, in case of teens they have required parental consent as well, they have had clearly worded policy, they have generously paid for participation.

ok subjunctive but have you considered that maybe companies shouldn't make monitoring the user experience of teenagers their business
Shifty Pony posted:
> I think the question was more did Apple suspend the certificates for Instagram Inc and WhatsApp Inc as well or was Facebook only using Facebook Inc's enterprise certificate for all of their internal apps?

if you're at fbook and making a lovely little app to track when the company bus picks you up from the gentrification district to ferry you to Menlo Park, you're probably just gonna get it deployed with the normal enterprise cert flow instead of figuring out how to use some acquisition's long-expired dev account to get a new enterprise cert
Potato Salad posted:
> Not knowing what action apple took here specifically, it would make sense that entities that existed before FB acquisition have their own apple certs.

I agree, maintaining the old certs/dev accounts is the only way (that I know of) to retain the original store listings for instagram.app/whatsapp.app and the ability to deploy updates to installs of those listings
Cocoa Crispies posted:
> if you're at fbook and making a lovely little app to track when the company bus picks you up from the gentrification district to ferry you to Menlo Park you're probably just gonna get it deployed with the normal enterprise cert flow instead of figuring out how to use some acquisition's long-expired dev account to get a new enterprise cert

sure, but that article says that internal Instagram and WhatsApp betas were affected.
Shifty Pony posted:
> sure, but that article says that internal Instagram and WhatsApp betas were affected.

I'd guess that they do internal betas with the fbook enterprise cert and only have dev certs for Instagram and WhatsApp

e: that way they don't have to juggle multiple enterprise certs for fbook employees that want to beta-test all these different apps
they'd want to use the same dev cert for all their apps so the apps can access shared storage where they store the user tracking data
pseudorandom name posted:
> they'd want to use the same dev cert for all their apps so the apps can access shared storage where they store the user tracking data

why would you store tracking data on the phone instead of in the datacenter? the only thing you'd want to share on-device is a login token
Cocoa Crispies posted:
> why would you store tracking data on the phone instead of in the datacenter? the only thing you'd want to share on-device is a login token

you have to share that login token between the apps somehow, either via the Keychain or App Group containers, both of which require the apps involved to be signed with the same key
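Added example, not from any poster: both the distinction haveblue draws earlier between the enterprise (in-house) certificate and the developer/App Store certificate, and pseudorandom name's point just above that Keychain and App Group sharing need the apps signed under the same team, are visible in an app's embedded provisioning profile (`embedded.mobileprovision` inside the IPA). The script parses a constructed sample profile and reports the distribution type, expiry, Team ID and the team-scoped sharing groups. Assumptions: the sample plist, Team ID and bundle IDs are made up; the wrapper is a few placeholder bytes standing in for the CMS signature, which this code does not verify; and revocation of the signing certificate, which is what Apple did here, is not recorded in the profile at all but checked by the device, so an unexpired profile says nothing about whether the cert still works.

```python
import plistlib
import re
from datetime import datetime

# The XML plist payload of a .mobileprovision sits inside a CMS (PKCS#7) signed
# wrapper. This pulls the plist out WITHOUT verifying the CMS signature, so treat
# the result as untrusted input from the IPA you are inspecting.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.S)


def extract_plist(blob: bytes) -> dict:
    m = PLIST_RE.search(blob)
    if not m:
        raise ValueError("no plist payload in provisioning profile")
    return plistlib.loads(m.group(0))


def classify_profile(p: dict) -> str:
    """Distribution type implied by the profile's keys."""
    if p.get("ProvisionsAllDevices"):
        return "enterprise"          # in-house: installs on any device, no App Store review
    ent = p.get("Entitlements", {})
    if p.get("ProvisionedDevices"):
        return "development" if ent.get("get-task-allow") else "ad-hoc"
    return "app-store"               # neither a device list nor the all-devices flag


def is_expired(p: dict, now: datetime) -> bool:
    return p["ExpirationDate"] <= now


def team_scoped_groups(p: dict) -> dict:
    """Keychain access groups and app groups from the entitlements, checked against
    the profile's Team ID. On iOS a keychain-access-groups entry is '<TEAMID>.<name>',
    so two apps can share it only if both are signed under that Team ID."""
    team = p["TeamIdentifier"][0]
    ent = p.get("Entitlements", {})
    return {
        "team": team,
        "keychain": [g for g in ent.get("keychain-access-groups", []) if g.startswith(team + ".")],
        "app_groups": list(ent.get("com.apple.security.application-groups", [])),
    }


def can_share_keychain(a: dict, b: dict) -> bool:
    """Same team and at least one keychain access group in common."""
    ga, gb = team_scoped_groups(a), team_scoped_groups(b)
    return ga["team"] == gb["team"] and bool(set(ga["keychain"]) & set(gb["keychain"]))


# --- constructed sample: an in-house profile wrapped in placeholder CMS bytes ---
ENTERPRISE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Name</key><string>Example In-House</string>
  <key>TeamName</key><string>Example Corp</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2019-06-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.research</string>
    <key>get-task-allow</key><false/>
    <key>keychain-access-groups</key><array><string>ABCDE12345.com.example.shared</string></array>
    <key>com.apple.security.application-groups</key><array><string>group.com.example.shared</string></array>
  </dict>
</dict></plist>"""
FAKE_CMS_BLOB = (b"\x30\x82\x0b\x5c\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"  # placeholder, not real CMS
                 + ENTERPRISE_PLIST + b"\x00" * 16)

ENTERPRISE = extract_plist(FAKE_CMS_BLOB)

# second constructed profile: same team, App Store distribution, same keychain group
STORE = {k: v for k, v in ENTERPRISE.items() if k != "ProvisionsAllDevices"}
STORE["Name"] = "Example Store"
STORE["Entitlements"] = dict(ENTERPRISE["Entitlements"],
                             **{"application-identifier": "ABCDE12345.com.example.public"})

if __name__ == "__main__":
    for p in (ENTERPRISE, STORE):
        g = team_scoped_groups(p)
        print(f"{p['Name']}: {classify_profile(p)}, team {g['team']}, "
              f"expires {p['ExpirationDate']:%Y-%m-%d}, keychain groups {g['keychain']}")
    print("can share keychain:", can_share_keychain(ENTERPRISE, STORE))
```

On a Mac, `security cms -D -i embedded.mobileprovision` decodes the real file with signature verification, and its plist output can be fed to `extract_plist` unchanged; `openssl smime -inform DER -verify -noverify -in embedded.mobileprovision` does the same elsewhere.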
¯\_(ツ)_/¯ I don't use Facebook and have never made an iOS app that stores data
Phone posted:
> I fail to recognise the “bad practice” here. Researchers clearly asked for consent, in case of teens they have required parental consent as well, they have had clearly worded policy, they have generously paid for participation.

They definitely got a 13 year old to get informed parental consent in the form of them just personally clicking an "I agree" button which dispenses $20 for reasons the 13 year old doesn't fully understand.
Cocoa Crispies posted:
> I don't use facebook
Snitches get stitches.
Volmarias posted:
> They definitely got a 13 year old to get informed parental consent in the form of them just personally clicking an "I agree" button which dispenses $20 for reasons the 13 year old doesn't fully understand.

I'm not allowed to have my own cell phone so my dad forced me to use his phone number. My dad has a steam too and uses the same number. today my brother used my dads account and cheated and now my main account is VAC banned. It's true and here is proof, my father will now write too:

Hello I'm the father and what my son says is true, he did not cheat, it was his brother on my account. Please unban him valve sincerely the father

Pls unban
Zero One posted:
> I'm not allowed to have my own cell phone so my dad forced me to use his phone number. My dad has a steam too and uses the same number. today my brother used my dads account and cheated and now my main account is VAC banned. It's true and here is proof, my father will now write too:

Reported to Garry.
burn it all down

https://twitter.com/zackwhittaker/status/1090686500331814914
it is fun to watch because it isn't happening to me.
geonetix posted:
> yes

would u like to elaborate, I'm trying to find one that's actually good to consult on a v large project
https://twitter.com/zackwhittaker/status/1090690040047509505
This is like the old crapware that existed for Windows ("let us track your computer and web browsing use, show ads and get money"), just the mobile version
Celexi posted:
> This is like the old crapware that existed for Windows"let us track your computer and web browsing use, show ads and get money" just the Mobile version

lol I remember being annoyed back then that it wasn't available outside America

thank god for that lmao
tbf I already have a google spy app on my phone. It's called Android.
https://twitter.com/alexeheath/status/1090662132600000513

Facebook phone coming soon? Bargaining chip for Apple? I hate Apple as well, but gently caress this guy's narrative.
Krankenstyle posted:
> lol i remember being annoyed back then that it wasnt available outside america

lol AllAdvantage. I never met a single person who used it legit, just various ways of scamming the company:
CmdrRiker posted:
> https://twitter.com/alexeheath/status/1090662132600000513

Facebook already tried a Facebook phone.
pseudorandom name posted:
> Facebook already tried a Facebook phone.

You don't need a Facebook phone when you can train your userbase to enable developer mode and sideload an APK that all but roots an Android phone. See Fortnite.
CmdrRiker posted:
> https://twitter.com/alexeheath/status/1090662132600000513

"a policy violation"