Free Republic

iPhone protected you from Facebook call scraping. Android, not so much.
iMore | March 25, 2018 | Renee Ritchie

Posted on 03/25/2018 8:05:21 PM PDT by Swordmaker

Facebook scraped call, SMS data for years from Android phones. iPhones never allowed this.

When you think there's something lurking in the dark, you turn on the lights. And, now that Facebook's data harvesting, hoarding, and exploitation is being lit up by the internet version of the Bat Signal, more and more problems are being discovered. Most recently: That Facebook was scraping call and SMS logs of Android phone users.

And yes, this is what happens when neither your operating system nor your app cares about your privacy.

From ArsTechnica:

"This past week, a New Zealand man was looking through the data Facebook had collected from him in an archive he had pulled down from the social networking site. While scanning the information Facebook had stored about his contacts, Dylan McKay discovered something distressing: Facebook also had about two years worth of phone call metadata from his Android phone, including names, phone numbers, and the length of each call made or received."

Others reported finding the same, and Ars was able to independently verify the data collection.

"If you granted permission to read contacts during Facebook's installation on Android a few versions ago—specifically before Android 4.1 (Jelly Bean)—that permission also granted Facebook access to call and message logs by default. The permission structure was changed in the Android API in version 16. But Android applications could bypass this change if they were written to earlier versions of the API, so Facebook API could continue to gain access to call and SMS data by specifying an earlier Android SDK version. Google deprecated version 4.0 of the Android API in October 2017—the point at which the latest call metadata in Facebook user's data was found. Apple iOS has never allowed silent access to call data."

People began looking into the records because of the #DeleteFacebook movement, which followed the revelation that the Facebook data of 50 million users was abused by political data firm Cambridge Analytica.

It's unclear whether Facebook's tool to delete contact information would also delete the call and SMS logs. It's also unclear why this was happening, whether Facebook was intentionally scraping the information for exploitation, or whether it was an unforeseen side-effect of the contact sharing implementation. What is clear, though, is that repeated problems like this form a pattern and a pattern of problems makes negligence indistinguishable from malice.

More recent versions of Android should prevent this kind of data collection.

The salient point is, of course, that iOS never allowed it. This type of abuse was simply never possible if you used an iPhone. Apple built it that way on purpose and it protected its users from privacy violations like this before they ever happened.

Google and Facebook's business models allow them to give you a lot of great, convenient services for free. Apple's business model allows them to give you great privacy protections by default.

If you're concerned about any of this, consider how much, if at all, and in what way you want to continue using Facebook or Android. Everything is a tradeoff. Everything has advantages and disadvantages. But for many, the cost of free-as-in-your-data is becoming too high a price to pay.


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: android; applepinglist; facebook; iphone; iphones; security; smsdata
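
An added example, not part of the article or of the Ars Technica report: a manifest check for the condition the Ars passage describes, an app that requests contacts access while targeting an API level below 16. It assumes the manifest has already been decoded to text XML and relies on Android's documented rule that READ_CONTACTS / WRITE_CONTACTS imply the matching call-log permission when the target SDK is 15 or lower; the function name, sample manifests and package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
CALL_LOG_SPLIT_API = 16   # Android 4.1: call-log permissions became separate
PREVIEW_SDK = 10000       # level Android assigns to unreleased (codename) SDKs

# Contacts permission -> call-log permission it implied before API 16.
IMPLIED_BEFORE_SPLIT = {
    "android.permission.READ_CONTACTS": "android.permission.READ_CALL_LOG",
    "android.permission.WRITE_CONTACTS": "android.permission.WRITE_CALL_LOG",
}


def _sdk_level(raw, default):
    """Parse an SDK attribute; codenames (preview builds) count as newest."""
    if raw is None:
        return default
    raw = raw.strip()
    return int(raw) if raw.isdigit() else PREVIEW_SDK


def audit_manifest(xml_text):
    """Report call-log access an app holds, explicitly or by implication."""
    root = ET.fromstring(xml_text)
    if root.tag != "manifest":
        raise ValueError("not an AndroidManifest.xml document")

    sdk = root.find("uses-sdk")
    attrs = sdk.attrib if sdk is not None else {}
    # Android defaults: minSdkVersion -> 1, targetSdkVersion -> minSdkVersion.
    min_sdk = _sdk_level(attrs.get(ANDROID_NS + "minSdkVersion"), 1)
    target_sdk = _sdk_level(attrs.get(ANDROID_NS + "targetSdkVersion"), min_sdk)

    declared = sorted({
        el.get(ANDROID_NS + "name")
        for el in root.findall("uses-permission")
        if el.get(ANDROID_NS + "name")
    })

    implicit = []
    if target_sdk < CALL_LOG_SPLIT_API:
        # Legacy target: the platform adds the call-log permission silently.
        implicit = sorted(
            implied for contacts, implied in IMPLIED_BEFORE_SPLIT.items()
            if contacts in declared and implied not in declared
        )
    explicit = [p for p in declared if p in IMPLIED_BEFORE_SPLIT.values()]

    return {
        "package": root.get("package"),
        "min_sdk": min_sdk,
        "target_sdk": target_sdk,
        "implicit_call_log": implicit,   # never shown in the manifest
        "explicit_call_log": explicit,   # requested by name
    }


def _manifest(package, uses_sdk, permissions):
    """Build a constructed sample manifest (test data, not a real app)."""
    perms = "".join(
        f'<uses-permission android:name="android.permission.{p}"/>'
        for p in permissions
    )
    return (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        f'package="{package}">{uses_sdk}{perms}</manifest>'
    )


LEGACY = _manifest(
    "com.example.legacy",
    '<uses-sdk android:minSdkVersion="9" android:targetSdkVersion="15"/>',
    ["READ_CONTACTS", "INTERNET"],
)
NO_TARGET = _manifest(
    "com.example.notarget",
    '<uses-sdk android:minSdkVersion="14"/>',
    ["WRITE_CONTACTS"],
)
MODERN = _manifest(
    "com.example.modern",
    '<uses-sdk android:minSdkVersion="16" android:targetSdkVersion="26"/>',
    ["READ_CONTACTS", "READ_CALL_LOG"],
)

if __name__ == "__main__":
    for sample in (LEGACY, NO_TARGET, MODERN):
        print(audit_manifest(sample))
```
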
To: JoeRed

When I want to post on FR I carve notes on birchbark and give a local boy corn meal and grain alcohol to carry them to the FR server in Fresno.


21 posted on 03/25/2018 11:05:32 PM PDT by Alter Kaker (Gravitation is a theory, not a fact. It should be approached with an open mind...)

To: Alter Kaker

I send smoke signals and use can to string can communication.


22 posted on 03/25/2018 11:09:17 PM PDT by Trillian

To: Swordmaker
Of course Apple is not known to be exactly perfect in protecting their customers' data either.

Google circumvented Apple's Safari privacy settings in 2011 and is now to pay compensation

There is no privacy on the internet. The illusion of privacy, much like the illusion of security, is just that - an illusion.

Apple turned off the use of tracking cookies in their browser by default but then failed to lock that setting down from third party access which allowed Google to change it to their preferred setting - i.e. wide open.

Trust no one. Android. Apple. Facebook. Google. Your data is very important to them. Your data privacy - not so much.
23 posted on 03/25/2018 11:11:54 PM PDT by Garth Tater (What's mine is mine.)

To: Swordmaker

A better solution for Fakebook scraping phone calls and texts: don’t install Fakebook.


24 posted on 03/26/2018 1:07:06 AM PDT by markomalley (Nothing emboldens the wicked so greatly as the lack of courage on the part of the good -- Leo XIII)

To: Inyo-Mono

Bttt


25 posted on 03/26/2018 1:14:29 AM PDT by thinden

To: Alter Kaker

“I grow my own food, sew my own clothes, forge my own transistors and never ever connect to the internet.”

Phhht, big deal. I made my own PC out of rocks and tree branches.


26 posted on 03/26/2018 4:59:17 AM PDT by LouieFisk

To: Garth Tater

“There is no privacy on the internet. The illusion of privacy, much like the illusion of security, is just that - an illusion.”

Even if you don’t interact with any site, your device still does anyway:
https://aruljohn.com


27 posted on 03/26/2018 5:06:21 AM PDT by LouieFisk

To: Swordmaker

Yet another reason I won’t ever get an Android device (as much as I’d like to). A years old OS, without regular updates, is simply unacceptable.

I can understand why people would not want an Apple device, believe me. But until anyone can convince me Android devices are just as secure, I’ll unfortunately have to keep buying Apple. (I can’t use a simple flip phone; it’s impossible to work professionally.)


28 posted on 03/26/2018 5:13:09 AM PDT by FourtySeven (47)

To: Swordmaker

Hacking is Illegal! So who is going to Jail and When?


29 posted on 03/26/2018 5:30:38 AM PDT by saywhatagain

To: Swordmaker

Babyface suckerburg should be in jail.


30 posted on 03/26/2018 5:39:46 AM PDT by I want the USA back (It's Ok To Be White. White Lives Matter. White Guilt is Socially Constructed)

Google is tracking you:
https://www.youtube.com/watch?v=S0G6mUyIgyg


31 posted on 03/26/2018 8:15:56 AM PDT by Rio (I was deplorable when deplorable wasn't cool.)

To: Garth Tater
"Safari blocked tracking cookies by default, but Google overrode the settings to track users both on desktop computers and iPhones."

There is no privacy on the internet. The illusion of privacy, much like the illusion of security, is just that - an illusion.

Do you seriously think that Apple left that vulnerability from 2011 open for seven years, all the way to today? When it was discovered in 2012, Apple closed it again and then did lock it down. Users have always had the option to not accept any cookies should they choose not to, or to use a completely private Window for any browsing they chose to do.

This article is about the LAWSUIT filed by the New York Attorney General's office for the invasion of privacy of New York citizens. There are OTHER suits from other Attorneys General. Google had to pay other settlements already including one at the Federal Level to the FTC last year for this evil act (remember their motto "Do Not do Evil").

The point is that Apple corrected its error which YOU imply is still there today. Apple is far more trustworthy about its customers' privacy than other companies. They treat their customers AS customers to be respected, not as a product to be sold to the highest bidder. Apple takes the privacy of its customers seriously.

32 posted on 03/26/2018 10:51:14 AM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)

To: saywhatagain
Hacking is Illegal! So who is going to Jail and When?

Some have gone to jail. . . but the problem is that corporations are a tad hard to imprison. I prefer the corporate version of drawing and quartering: huge fines. $17 million isn't even a slap on the wrist for Google.

The EU may have the correct idea. . . their fines for some misdeeds by corporations can be as high as the previous year's entire profits. Samsung was faced with such a fine five or so years ago for mis-using FRAND patents against Apple, refusing to license Standards Essential Patents (SEP) which they owned and had registered as part of the cellular phone STANDARD, and which they had agreed to license to ALL cellular phone manufacturers under Fair, Reasonable, And Non-Discriminatory terms, so that they too could also license the SEPs owned by other such manufacturers.

Instead, Samsung had been attempting what is called a Patent Hold-Up, demanding far higher than FRAND licensing rates from Apple AND demanding a cross licensing from Apple's iPhone non-SEP intellectual patents to gain access to the SEPs Samsung owned. The proposed fine was over the equivalent of $18 billion. They settled for several Billion Euros, IIRC. . . and licensed their SEPs to Apple at FRAND rates.

33 posted on 03/26/2018 11:13:03 AM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)

To: Swordmaker
"Do you seriously think that Apple left that vulnerability from 2011 open for seven years, all the way to today?"

Of course not. I read the article. Did you seriously think that Android left the vulnerability described in the article that you posted open all the way until today?

I'm pretty sure that my point was pretty much exactly what I said - namely:

Apple is not known to be exactly perfect in protecting their customers' data either.

I may not be an expert on all things Apple like you Swordmaker, but I do try to be clear on the few things that I do know.

"The point is that Apple corrected its error which YOU imply is still there today."

What part of my post did you take as an implication that Apple had not corrected their error? I really just don't see that in there.

"They treat their customers AS customers to be respected, not as a product to be sold to the highest bidder."

Yes they do! Unlike the way they treat the workers putting their products together in Asian hell holes - just another commodity rented from the lowest bidder LOL
34 posted on 03/26/2018 11:58:24 AM PDT by Garth Tater (What's mine is mine.)

To: All

Facebook claims they have Android users’ permissions to collect all these data...

http://www.freerepublic.com/focus/chat/3642634/posts?page=1


35 posted on 03/26/2018 1:52:51 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)

To: Garth Tater
What part of my post did you take as an implication that Apple had not corrected their error? I really just don't see that in there.

Why, then, did you feel it necessary to go back seven years to find a closed, minor glitch to claim that Apple was not being proactive in protecting its customers' privacy? It's pretty clear you did that deliberately and you obviously wanted readers to infer that situation held true until today, or you would have mentioned it was closed quickly, and not negligently ignored after it was found out.

Did you seriously think that Android left the vulnerability described in the article that you posted open all the way until today?

Actually, the fact is, that it IS still open today, as both Facebook AND Google are making money off this vulnerability feature. And today Facebook claimed that Android users have actually given them permission to mine that data when they installed the Facebook App. In addition, Android devices which are not updated to the newest and latest version of Android as they should be if and when Google does eliminate the default open setting, with Google relying on the carriers to distribute THEIR versions of Android to their customers, or hoping that Android users might go and get security updates for some of the versions of Android, will remain vulnerable. So, yes, I do believe that it is still there.

I've seen you make so many unfounded assumptions about Apple's security, based on ZERO factual data, and yet you continue to argue, no matter what factual data is brought to bear. . . along with snide insults. . . including your unfounded and false claims that Apple lies about its levels of security and that Apple does not allow its 256 bit AES encryption to be audited.

Unlike the way they treat the workers putting their products together in Asian hell holes - just another commodity rented from the lowest bidder LOL

More of your abysmal ignorance. Tell me Garth, why do you think that Chinese workers on assembly lines in the SAME factory queue up by the thousands to apply to work on Apple's assembly lines? Is it because they want to sign up for poor treatment? More poor wages?

No, Garth, it's because Apple's contracts with the assembly companies and other companies in Apple's supply chain require the workers on product lines receive better pay than workers on other products and also get better treatment. Apple puts its own employee monitors in those plants to assure those contract requirements are adhered to.

Apple has actually CANCELLED contracts when those provisions are ignored, including an over $2 billion contract for a contractor found not adhering to working conditions and taken that contract to a higher bidder who would adhere to the working condition provisions. These are facts, Garth.

As a result of Apple's contract policies, the wages of ALL such assembly workers in China have been pressured to rise to greater rates.

The more than 700 other manufacturers who use the exact SAME contract assembler that Apple uses, Foxconn, do nothing of the kind that Apple has done to improve their working conditions, instead satisfying themselves by joining organizations that merely give lip service to worker conditions, such as China Labor Watch, a New York based Non-profit, which has been caught falsifying videos—using old video from another non-related company's worker dormitories—and mis-translating worker interviews to make its accusations against Apple. China Labor Watch was one of the sponsors of Mike Daisey's "The Agony and Ecstasy of Steve Jobs," a supposed exposé of Apple's Chinese labor misdeeds, which had to be pulled from NPR for egregious falsehoods, false evidence, mis-translated worker interviews, and outright lies.

Before you even try to raise the "Apple worker suicide issues" at Foxconn, you better do some basic research. It never happened. The 18 assembly workers, from a work force that ranged from 750,000 to 1.2 million during that period, who did actually commit suicide during an eighteen month period at Foxconn in 2010-2011, were variously workers on assembly lines making Microsoft X-boxes, Nokia cellular phones, Sony Playstations, and HP computers.

Not a single suicide was a worker on an Apple assembly line. . . and outside investigators discovered that not a single one of the suicide victims did so due to working conditions, instead each was found to have killed themselves for the same reasons that people around the world kill themselves.

Another supposed "suicide" incident that China Labor Watch tried to attribute to Apple was a threat by supposedly 250 workers to jump en masse from a factory roof over "labor issues." That incident actually involved only around 125 workers who were demonstrating on the plant's roof about having been transferred from assembling Sony Playstation, where they had had ample overtime opportunities, to another assembly line where they'd be assembling HP computer cases which had NO overtime opportunities. Some of the demonstration's leaders SAID they'd jump if they weren't given the overtime the group demanded. The plant involved was nowhere near any plant assembling Apple products. As always though, including "Apple assembler Foxconn" in the headline, even if Apple was not even mentioned in the body of the story gets more clicks which means more advertising revenue. That also did not stop CLW from conflating the workers to Apple employees, as well, because THAT brings in more donations from the Apple haters who will, like you, swallow anything anti-Apple.

Here are more than 50 of the ~700 manufacturing customers who have their assemblies done through Foxconn:


36 posted on 03/26/2018 3:41:34 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)

To: Swordmaker
Me: "What part of my post did you take as an implication that Apple had not corrected their error? I really just don't see that in there."

You: "Why, then, did you feel it necessary to go back seven years to find a closed, minor glitch to claim that Apple was not being proactive in protecting its customers' privacy?"

My goodness Swordmaker, did I hit an exposed nerve there? I was simply pointing out the fact that Apple is not known to be exactly perfect in protecting their customers' data either. I was just trying to round out and present a more complete picture of the situation. I think it's important that people understand that when they use the internet they are being used in return.

You: "It's pretty clear you did that deliberately and you obviously wanted readers to infer that situation held true until today, or you would have mentioned it was closed quickly, and not negligently ignored after it was found out."

Yes, it is pretty clear that I posted that deliberately. As I said above, I think it is important that people get the full picture and not just the Apple-lovers side of the story. As to being obvious about what I wanted readers to infer, it is obvious that I hold FReepers' reading and comprehension abilities in higher esteem than you do. Go back and read what I posted here and here. I don't see how either of those posts merited this resulting diatribe from you.

_____________________________________


And why would you post this?

You: "Actually, the fact is, that it IS still open today, as both Facebook AND Google are making money off this vulnerability feature."

So, are you saying that third parties are still able to access users' call logs on today's Android without the users' permissions, Swordfish? That's a new one on me, autist. Can you provide me with a link that backs up your claim?

You: "In addition, Android devices which are not updated to the newest and latest version of Android as they should be if and when Google does eliminate the default open setting, with Google relying on the carriers to distribute THEIR versions of Android to their customers, or hoping that Android users might go and get security updates for some of the versions of Android, will remain vulnerable. So, yes, I do believe that it is still there. "

The first part of that statement is false, "Android devices which are not updated to the newest and latest version of Android as they should be if and when Google does eliminate the default open setting". Google/Android has already closed the hole that allowed third parties to change a user's default setting - read the article, dude. You do understand what "and" means, don't you? Because you do seem to have misused it there.

The second part of your statement does reflect a difference in Apple's and Android's view of how computer security should be handled. Apple thinks that they should push out security and all other updates and Android (following the mantra that it is your computer and you should be in control of it) relies on the user to update their phone as they see fit. There are many open source tools available that make this as easy as a single click - but that update always has to come in as the user's choice and not the choice of some corporate entity.

It might have something to do with Android being a free, open source program and no one in that community is into forcing anything upon anyone else. Different philosophies. We all know which side of the track you come down on on that one.

______________________________________


Me: "Unlike the way they treat the workers putting their products together in Asian hell holes - just another commodity rented from the lowest bidder LOL"

You: "More of your abysmal ignorance. Tell me Garth, why do you think that Chinese workers on assembly lines in the SAME factory queue up by the thousands to apply to work on Apple's assembly lines? Is it because they want to sign up for poor treatment? More poor wages?"

Damn dude, there you go with your nasty name calling again. I really am beginning to think that you are incapable of discussing in a civil manner anything having to do with Apple with anybody that disagrees with you.

As to your point that the workers are not being abused because they are lining up to apply for the jobs... well, you really should read up a bit on labor/ownership struggles through the years. In a free society -- yep a line of wanna-be employees waiting outside does mean something (it's a good job that workers are willing to take at the offered wage,) but in an un-free society (you do know that China is a communist, totalitarian state, right?) the line of employees outside begging for a job does not mean the same thing. It could mean nothing more than they would like to feed their families for another day.

________________________________________________________


A final note Swordmaker.

When you said, "I've seen you make so many unfounded assumptions about Apple's security, based on ZERO factual data, and yet you continue to argue, no matter what factual data is brought to bear. . . along with snide insults. . . including your unfounded and false claims that Apple lies about its levels of security and that Apple does not allow its 256 bit AES encryption to be audited."

you were bringing over a discussion from another thread.

A thread that is still open - AND I would like to point out, a thread that you abandoned after being unable to refute any of the corrections I made to your MANY factual errors.

You do remember your failure to address (let alone refute) my statement that the encryption theory behind AES256 is meaningless if Apple implemented it wrongly in their code, right?

It is accepted knowledge in the field of modern encryption methods that the secrecy of properly implemented encryption algorithms has nothing to do with the security of the encrypted data - only the secrecy of the algorithm's inputs does. So tell me, autist... why does Apple refuse to publish their implementation?

If you want to discuss this matter further - take it back to the thread that YOU ABANDONED IN SHAME.

37 posted on 03/26/2018 6:55:10 PM PDT by Garth Tater (What's mine is mine.)

To: Garth Tater
As to your point that the workers are not being abused because they are lining up to apply for the jobs... well, you really should read up a bit on labor/ownership struggles through the years. In a free society -- yep a line of wanna-be employees waiting outside does mean something (it's a good job that workers are willing to take at the offered wage,) but in an un-free society (you do know that China is a communist, totalitarian state, right?) the line of employees outside begging for a job does not mean the same thing. It could mean nothing more than they would like to feed their families for another day.

Saying someone is ignorant is not an insult, it’s a statement of fact, especially when it’s self-admittedly true.

I’m ignorant about many things I have yet to study because I have yet to get around to them. It doesn’t bother me to be told I’m ignorant about something I know little about. You said you know very little about Apple, which became more and more evident the more you posted, and I told you ignorance is curable by learning something about it. I even TOLD YOU to read Apple’s White Papers on their security, but you did not bother to do so, but dove right in trying to tell ME why it couldn’t work, despite the evidence that it has been working for years, when you kept showing me you did not have a clue HOW it worked.

You spouted generalities about hacking and how easy hacking an iOS device with a Secure Enclave would be, ignoring (ignorant again) that hackers have been TRYING to crack into the Secure Enclave for years and not succeeding. You could not concede that just perhaps I did know more than you did about this particular subject, especially in encryption. You REALLY demonstrated it with your challenges to the math of very large keys and the time even a powerful computer would take to brute force crack them. You pop-up with articles from years ago from hackers who make claims that were not repeatable, and continue the same argument when I show you the claim was not supported by peer testing.

You ignore facts. . . responding in generalities and believe false claims, not to mention that’s the birth of ignorance. You trivialize anything I post to you, just as you’re doing here, which is a form of ad hominem attack.

You now want me to go back and engage you in that other thread. In a word no. It’s a waste of my time. You are the only one there. YOU are a waste of my time to bother.

I’m responding here where you are invading another thread to smear Apple with a trivial, non sequitur myth about Apple and Chinese workers when in fact, as I’m pointing out, while you singled out Apple for your slur, there are really more than 700 consumer electronic manufacturers who contract with the same assembler, but Apple is the ONLY one of those contractors who puts working conditions, worker pay, and prohibitions on child labor in ALL of their contracts for their entire supply chain AND ENFORCES IT WITH ON SITE MONITORS AND WITH DRACONIAN ECONOMIC PENALTIES AND FOLLOWS THROUGH WITH ACTIONS FOR VIOLATIONS. . . including contract cancellations for violators! I also pointed out that you singled out Apple but ignored the other companies who are far worse, yet YOU want to blame the one company who is trying to proactively do something about it.

For example, in child labor, Apple specifies in their contracts that if an underage worker is found employed at any of the companies working on Apple products, that employer is required to fund a full ride scholarship college or university education, including room and board, through age 26 or graduation in the field of the child’s choice. . . Regardless of how that child came to be employed there. That’s a huge disincentive for hiring underage workers.

I’ve read far more than you on the history of what happened with Apple in China, and we are NOT talking about your strawman history of "labor/ownership" anywhere else in the world, Garth. We are just discussing the non sequitur topic YOU BROUGHT UP that had NOTHING TO DO WITH THE PRIMARY TOPIC AT HAND WHICH YOU APPARENTLY INTENDED TO INDUCE A FLAME WAR. . . I’ve posted the authoritative articles on FR on that subject over the past fifteen years or so, and commented on them with links to expert analysis, Garth, a subject you seem to only know the propaganda line about!

You don’t bother to seem to comprehend what I wrote, Garth, before you started thinking of your response. These are workers who ALREADY have employment in the same factory applying to move OVER to the Apple assembly lines.

And, no, Garth, China is no longer a communistic command Totalitarian State. They learned thirty years ago that didn’t work. It is a totalitarian state combining many features of socialism, with a growing Capitalistic Economy. I believe I told you I’m an Economist, so don’t try to tell me my line of specialized knowledge.

You’ve an arrogant attitude when you post in Apple threads that you are going to educate us Apple rubes who don’t know anything when it really is YOU who is spouting the false mythology about Apple and using ad hominem insulting names such as "Swordfish" and snide commentary. You admit you don’t know anything about Apple but then proceed to spout ex cathedra colored, ignorant screeds about generalized crap that doesn’t apply and make assertions that are false, such as Apple will not allow its 256 bit AES encryption to be audited when it is certified by NIST. As I stated, you are IGNORANT. You don’t know, but you post claims as if you do know.

So, are you saying that third parties are still able to access users' call logs on today's Android without the users' permissions, Swordfish? That's a new one on me, autist. Can you provide me with a link that backs up your claim?

Garth, in case you did not notice it, this article is about CURRENTLY AVAILABLE ANDROID DEVICES and their users finding their phone data on Facebook. They are NOT talking about Android in the past. The companies involved are dancing around making excuses that users could have turned off such permissions when they installed Facebook, but many Android users are reporting they are NOT finding that capability available to them. Perhaps it’s the carriers’ version of Android that’s the problem? I don’t know. I’m ignorant in this area. . . So might you be.

Google/Android has already closed the hole that allowed third parties to change a user's default setting - read the article, dude. You do understand what "and" means, don't you? Because you do seem to have misused it there.

You’ve made the assertion that Google has blocked Facebook’s egregious behavior on Android. . . you show US the link where they’ve gotten it out to all Android devices capable of connection to Facebook, Garth.

It’s also not all about changing the user’s settings, Garth, it’s about what the default settings are in the first place and is it an "opt in" or "opt out" default? Again, I don’t know. I’m ignorant in this area.

The second part of your statement does reflect a difference in Apple's and Android's view of how computer security should be handled. Apple thinks that they should push out security and all other updates and Android (following the mantra that it is your computer and you should be in control of it) relies on the user to update their phone as they see fit.

Again, you show ignorance of Apple’s model with your "push out" mischaracterization of Apple’s approach to security. Users are free to accept or not accept updates. . . But they ARE available to iOS users either through their computers or over-the-air on demand. Apple does not install anything unbidden on users’ devices without their permission, not even the infamous free U2 album. It was just available for free download, but it was NOT pushed on to anyone’s devices, contrary to claims and lawsuits making that specious claim.

So fine, you don’t like what you think you know about Apple’s security model, a model that has kept malware off of what has now grown to 1.3 Billion active devices for almost eleven years. But Android’s model has allowed millions of malware to be written for it. For example, just a month ago, on February 14, 2018, over 60 million Android users’ phones were hit with a bitcoin mining malware.

I’m certain you’ll do your Googling in an attempt to find some iOS malware to post on this thread and you’ll find some. . . But 99% of the small amount that you’ll find there is in the wild is for jailbroken devices, and most of that is in China. You certainly won’t find a mass infection of iPhones afflicted in any significant numbers like you do with Android’s insecurity model.

You do remember your failure to address (let alone refute) my statement that the encryption theory behind AES256 is meaningless if Apple implemented it wrongly in their code, right?

It is accepted knowledge in the field of modern encryption methods that the secrecy of properly implemented encryption algorithms has nothing to do with the security of the encrypted data - only the secrecy of the algorithm's inputs does. So tell me, autist... why does Apple refuse to publish their implementation?

If you want to discuss this matter further - take it back to the thread that YOU ABANDONED IN SHAME.

There you go with the snide, superior attitude again.

I "abandoned nothing in shame," asshat. I answered your ignorant assertion, I not only addressed your assertions, but I completely refuted them with authoritative facts from quotations from qualified source materials—FACTS that hoist you on your own ignorant and uninformed petard, Garth.

Yes, that "asshat" is an insult, Garth, but you’re earning it and some more for your false assertions, in spades!

Oh, yes, that’s the part where YOU CLAIMED Apple’s 256 bit AES encryption implementation was not audited by anyone to assure it even worked correctly and that Apple refused to let anyone see it (now where did you get those lies from, Garth?). Do you recall I TOLD YOU TO READ APPLE’S SECURITY WHITE PAPERS? If you had, you wouldn’t be so damned ignorant and spouting such uninformed TWADDLE as that false crap!

Exactly what part of "Apple’s encryption algorithms are audited AND Certified by the National Institute of Standards and Technology to Federal Information Processing Standard (FIPS) 140—Security Level 2"—which I TOLD YOU—did you fail to grasp?

Was it the certification process which requires an audit of both the hardware and software algorithms? Perhaps you just didn’t read it?

The National Institute of Standards and Technology (NIST) issued the FIPS 140 Publication Series to coordinate the requirements and standards for cryptography modules that include both hardware and software components. Protection of a cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the information protected by the module. This standard specifies the security requirements that will be satisfied by a cryptographic module. The standard provides four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments. The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include cryptographic module specification; cryptographic module ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks.[3]

Federal agencies and departments can validate that the module in use is covered by an existing FIPS 140-1 or FIPS 140-2 certificate that specifies the exact module name, hardware, software, firmware, and/or applet version numbers. The cryptographic modules are produced by the private sector or open source communities for use by the U.S. government and other regulated industries (such as financial and health-care institutions) that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information. A commercial cryptographic module is also commonly referred to as a hardware security module (HSM).

FIPS 140—Security Level 1
Security Level 1 provides the lowest level of security. Basic security requirements are specified for a cryptographic module (e.g., at least one Approved algorithm or Approved security function shall be used). No specific physical security mechanisms are required in a Security Level 1 cryptographic module beyond the basic requirement for production-grade components. An example of a Security Level 1 cryptographic module is a personal computer (PC) encryption board.

FIPS 140—Security Level 2
Security Level 2 improves upon the physical security mechanisms of a Security Level 1 cryptographic module by requiring features that show evidence of tampering, including tamper-evident coatings or seals that must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module, or pick-resistant locks on covers or doors to protect against unauthorized physical access. (Apple’s implementation meets this level by having the Secure Enclave Processor sealed and no plaintext keys are stored at all on the device.—Swordmaker)

Of course, to get this certification, idiot, Apple’s Encryption implementation must be submitted for examination which you claim was NOT DONE, a lie. . . but then I’m getting to expect that level of assertive myth from you.

Here is the statement I posted to you on the thread you claim I "abandoned," cited from Apple’s latest 78-page iOS Security White Paper published January 2018:

Cryptographic validation (FIPS 140-2)
The cryptographic modules in iOS have been repeatedly validated for compliance with U.S. Federal Information Processing Standards (FIPS) 140-2 Level 2 following each release since iOS 6. As with each major release, Apple submits the modules to CMVP for re-validation when the iOS operating system is released.

The Cryptographic Module Validation Program (CMVP) is a joint American and Canadian security accreditation program for cryptographic modules. The program is available to any vendors who seek to have their products certified for use by the U.S. Government and regulated industries (such as financial and health-care institutions) that collect, store, transfer, share and disseminate "sensitive, but not classified" information. All of the tests under the CMVP are handled by third-party laboratories that are accredited as Cryptographic Module Testing Laboratories by the National Voluntary Laboratory Accreditation Program (NVLAP). Product certifications under the CMVP are performed in accordance with the requirements of FIPS 140-2.

The CMVP was established by the U.S. National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) of the Government of Canada in July 1995.

The Cryptographic Algorithm Validation Program (CAVP), which provides guidelines for validation testing for FIPS approved and NIST recommended cryptographic algorithms and components of algorithms, is a prerequisite for CMVP.[1]

This program validates the integrity of cryptographic operations for Apple apps and third-party apps that properly utilize iOS cryptographic services and approved algorithms.

Common Criteria Certification (ISO 15408)
Since the release of iOS 9, Apple has achieved iOS certifications for each major iOS release under the Common Criteria Certification program for the following:

iOS 11 includes additional certifications for the following:

Apple plans to do so with each successive major release of iOS. Apple has taken an active role within the International Technical Community (ITC) in developing currently unavailable Collaborative Protection Profiles (cPPs) focused on evaluating key mobile security technology. Apple continues to evaluate and pursue certifications against new and updated versions of the cPPs available today.

Commercial Solutions for Classified (CSfC)
Where applicable, Apple has also submitted the iOS platform and various services for inclusion in the Commercial Solutions for Classified (CSfC) Program Components List. As Apple platforms and services undergo Common Criteria Certifications, they will be submitted for inclusion under CSfC Program Components List as well.

To view the most recently listed components, go to:

https://www.nsa.gov/resources/everyone/csfc/components-list/

Security configuration guides
Apple has collaborated with governments worldwide to develop guides that give instructions and recommendations for maintaining a more secure environment, also known as device hardening for high-risk environments. These guides provide defined and vetted information about how to configure and utilize built-in features in iOS for enhanced protection.

Apple iOS encryption is now certified even higher, idiot, as it’s been chosen as a mobile device suitable for use by the U.S. government for TOP SECRET level and above access, and for the U.S. Military. In addition, the British Military have authorized the iPhone for use in the field as well . . . due to its encryption ability. You don’t get that level of authorization without submitting your algorithms for certification.

May I suggest you go back to your information source and tell HIM he’s an ignorant, uninformed dolt spreading anti-Apple mythology and recommend HE cure his ignorance before infecting more people with his Apple Derangement Syndrome.

38 posted on 03/27/2018 2:37:30 AM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)

To: Swordmaker
I see I did hit a nerve there Swordmaker. You are the protective one when it comes to someone pointing out Apple's shortcomings, aren't you?

Well, let's just start right out with the errors you've made this time, shall we?

When you said that I "spouted generalities about hacking and how easy hacking an iOS device with a Secure Enclave would be, ignoring (ignorant again) that hackers have been TRYING to crack into the Secure Enclave for years and not succeeding." you quite simply lied.

I never said hacking an iOS device with a Secure Enclave would be easy, in fact what I said was just the opposite.

I said, it "sucks to be Apple when backers with deep pockets have apparently decided to put the money necessary into the hands of very smart and greedy people (meaning the hackers that are being backed by govt XYZ spook agencies.) It doesn't take "Swiss cheese security," all it takes is one security hole and smart people with an unlimited budget that are willing (as in greedy enough to do the dirty work) to exploit it."

Govt agencies with unlimited budgets are paying many of the smartest people in the world to break through Apple's security - and you falsely claim that I said it would be easy.

Nice way to start off your post, Swordmaker, with a lie.

Go ahead, refute me if you can. My posts are sitting there in that other thread that you decided to drag over here into this one. Quote me where I said hacking an iPhone or any Apple device with a Secure Enclave would be easy.

________________________________________________________


You followed that lie up with this falsehood: "You could not concede that just perhaps I did know more than you did about this particular subject, especially in encryption. You REALLY demonstrated it with your challenges to the math of very large keys and the time even a powerful computer would take to brute force crack them."

Another lie. I never attempted to challenge the difficulty of attacking the math behind the AES256 encryption Apple uses.

When you asked me to explain HOW the encryption could be broken when you and the world's encryption experts say it can't be done (which not all of them do) I told you that most likely it would be cracked as a result of an error in Apple's implementation of the AES256 encryption algorithm.

You do know the difference between the math behind the encryption algorithm and the actual implementation of that encryption algorithm in code, don't you? No, I don't think you do.

Come on Swordmaker, quote me one time where I said that the actual math behind the AES256 encryption algorithm was breakable.

_________________________________________


You: "I’m responding here where you are invading another thread to smear Apple with a trivial, non sequitur myth about Apple and Chinese workers when in fact, as I’m pointing out, while you singled out Apple for your slur, there are really more than 700 consumer electronic manufacturers who contract with the same assembler, but Apple is the ONLY one of those contractors who puts working conditions, worker pay, and prohibitions on child labor in ALL of their contracts for their entire supply chain AND ENFORCES IT WITH ON SITE MONITORS AND WITH DRACONIAN ECONOMIC PENALTIES AND FOLLOWS THROUGH WITH ACTIONS FOR VIOLATIONS. . . including contract cancellations for violators!"

I'm not invading your thread, my FRiend, I am simply adding some balance to your Apple love fest. This is a public forum. If you don't wish to hear my comments on the article you posted then ask the moderators to remove them.

And, as to that "trivial, non-sequitur myth" about Apple and Chinese workers - you believe what you want to believe about the treatment of workers in the totalitarian country of China, and I'll continue to believe that China's rulers are tyrants and their workers are abused and treated like disposable commodities.

You know Swordmaker, Apple moved their manufacturing to a totalitarian, communist country for a reason (worker exploitation) but that's okay, Apple makes sure they are being well treated. Trust them. Would they lie? LOLOLOL

_____________________________________________


Well, that's enough for today, Swordfish, I'd hate to hijack your Apple schmooze-fest. And please, feel free to post any direct quotes from me that prove me wrong in the cases above where I've called you out as a liar.

Have a nice day and ROCK ON, APPLE-HEAD!

39 posted on 03/27/2018 5:54:29 AM PDT by Garth Tater (What's mine is mine.)

To: Swordmaker; aMorePerfectUnion
They treat their customers AS customers to be respected, not as a product to be sold to the highest bidder.

I found that to be true, when I bought my iPhone X, about 10 days ago, at the Vintage Faire Mall. The only other Apple store I had ever been to, was in Emeryville, where I got my MacBook Pro. They treated me the same way.
I put a Globe SIM in the X, and it worked perfectly. Now, I have no monthly plan to worry about. It’s a beautiful thing. 👍😁

40 posted on 03/27/2018 9:26:45 AM PDT by Mark17 (Genesis chapter 1 verse 1. In the beginning GOD....And the rest, as they say, is HIS-story)

