Will Strafach is best known for being an early and frequent jailbreaker of Apple’s iOS operating system for iPhones and iPads. But Strafach has always aimed for the white-hat side of the hacking ethical divide. He’s in favor of people having more control of what apps they use–and receiving better disclosure about where information on their phones winds up.
Many privacy organizations have raised red flags about unwanted, if not quite illegal, leakage of location information, online behavior, and other personal details from smartphone apps. A New York Times report in December focused on location data being shared with third-party organizations and tied to specific users; in February, a Wall Street Journal investigation reported that app makers were sharing events as intimate as ovulation cycles and weight with Facebook. But no matter how alarmed you are by such scenarios, there hasn’t been much you could do. Mobile operating systems don’t let you monitor your network connection and block specific bits of data from leaving your phone.
That led Strafach and his colleagues at Sudo Security Group to take practical action. “We are aware of almost every active tracker that is in the App Store,” he says. Building on years of research, Sudo is putting the finishing touches on an iPhone app called Guardian Mobile Firewall, a product that combines a virtual private network (VPN) connection with a sophisticated custom firewall managed by Sudo.
It looks like Guardian will be the first commercial entry into a fresh category of apps and services that look not just for malicious behavior, but also for what analysis shows could be data about you leaving your phone without your explicit permission. It will identify and variably block all kinds of leakage, based on Sudo’s unique analysis of App Store apps.
Sudo is taking preorders for the app in the Apple Store and plans a full launch no later than June. It will debut on iOS, and required some lengthy conversations with Apple’s app reviewers as Sudo laid out precisely what part of its filtering happens in the app (none of it) and what happens at its cloud-based firewall (everything). The price will be in the range of a high-end, unlimited VPN—about $8 or $9 a month. Sudo plans an expanded beta program in April, followed by a production release that will be automatically delivered to preorder customers.
Trackers in your apps
Some app developers do make an affirmative effort, in statements and actions, to avoid including any tracking elements that aren’t necessary and fully disclosed, such as Marco Arment’s Overcast podcast app. Arment even blocks images that provide tracking data in podcast show notes.
On the flip side, other apps intentionally and underhandedly track your location and other private details—and when discovered by mobile OS makers or researchers, tend to get knocked out of app stores, often permanently. Adware Doctor was dumped by Apple after noted iOS security guru Patrick Wardle found it engaged in a variety of undisclosed and guideline-breaking data extraction. Embarrassingly, Facebook pulled its own security app, Onavo, from Apple’s App Store (but not Google Play) after Apple required it to obtain affirmative consent for tracking. (Facebook re-released it quietly by violating Apple’s terms for distributing apps to company employees and contractors and was found out.)
But for the most part, the app world doesn’t neatly divide into “good apps” and “bad apps.” Many app developers rely on third-party monetization to fund their work or make a profit. That requires them to include software code from companies that target advertising based on tracking information the app provides. The app developers get a cut of revenue. (Some apps loaded with these trackers may also be engaged in other unsavory practices.) Without fully understanding the implications, developers often include other third-party modules for analytics, social media integration, crash-report generation, and other tasks that leak information about a user.
Apple and Google generally frown on apps passing location and other data to third parties. Apps are also not supposed to pull location information—especially a continuously updated position—unless it’s germane to the app’s features. However, we don’t know much about how the app stores enforce such policies, except in instances when researchers have found egregious examples and either reported them to smartphone OS makers or gone public.
Apple only began in May 2018 to crack down on violators of an App Store policy that reads, “Data collected from apps may not be used or shared with third parties for purposes unrelated to improving the user experience or software/hardware performance connected to the app’s functionality.” We don’t know how many developers Apple targeted, and whether it has continued in this effort. (Apple didn’t reply to a request for comment.)
Windows and Mac users can install firewalls and anti-malware software that, in addition to handling more nefarious stuff, also block apps and traffic known to siphon user data off for unwanted purposes. Browser plug-ins such as Ghostery, 1Blocker, and many others can use rules to halt tracking of all sorts.
Smartphone users don’t have it that easy. Android and iOS don’t allow the installation of a firewall as such, and more recent releases of both operating systems limit apps that monitor network traffic. Guardian Mobile Firewall takes a path that’s been used before—often for parental control and monitoring—of passing data through a remote server using a virtual private network (VPN) connection. In May 2017, I wrote about apps that used this technique for privacy protection, looking at approaches from two academic groups that hoped to turn their ideas into commercial projects. Both remain works in progress and available only on Android.
Guardian’s approach typically involves blocking apps that send extremely precise, frequently updated GPS-based location information. The way it does this is quite straightforward. After installing the app, you follow a single-step setup procedure that installs a VPN profile. That allows it to provide an encrypted connection between your device and a VPN server at a data center. This protects data in transit—even via an insecure coffee shop or convention-center network, as well as over your wireless carrier.
Guardian layers on that foundation by examining queries made by apps across the connection, although it doesn’t peer into secure connections and doesn’t examine private information in unencrypted ones. For services it knows about, it blocks those that pass private information to third parties, while passing (but noting in its log) “good actors.”
Blocked connections result in push notifications, so you’ll see if an app you just installed or are using is sending out data. In the production release, you should be able to whitelist URLs, too, in case Guardian is disrupting something an app needs to function, or something you otherwise want to allow. (Sudo hasn’t fully decided how expansive features will be in the first production release as it learns about scaling on its custom firewall as it adds beta testers.)
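The block, note, and whitelist behavior described above can be sketched as a small egress policy. This is an added example, not Sudo's code: it assumes decisions are made on destination hostname alone, that the whitelist holds hostnames, and it uses constructed `.example` hostnames and a constructed push tag.

```python
from dataclasses import dataclass, field

# Constructed rules; the .example hostnames are placeholders, not real endpoints.
RULES = {
    "adnetwork.example": ("block", "passes location to an ad-targeting third party"),
    "metrics.sdk.example": ("note", "analytics to assist app developers"),
}

@dataclass
class EgressPolicy:
    rules: dict
    allowlist: set = field(default_factory=set)  # hostnames the user chose to allow
    log: list = field(default_factory=list)      # events surfaced as notifications

    def match(self, host):
        """Return (rule_host, action, reason); a parent-domain rule covers subdomains."""
        labels = host.split(".")
        for i in range(len(labels) - 1):         # never match on the bare TLD
            candidate = ".".join(labels[i:])
            if candidate in self.rules:
                return (candidate, *self.rules[candidate])
        return (None, "allow", "no rule")

    def decide(self, host, push_tag):
        """Decide from the destination hostname only; payloads are never inspected."""
        host = host.lower().rstrip(".")
        rule_host, action, reason = self.match(host)
        if action == "block" and {host, rule_host} & self.allowlist:
            action, reason = "allow", "user allowlist"
        if action in ("block", "note"):
            # Event carries only an anonymous push tag: no account, app name or client IP.
            self.log.append({"tag": push_tag, "host": rule_host,
                             "action": action, "reason": reason})
        return action

def demo():
    fw = EgressPolicy(RULES)
    tag = "anon-tag-1"  # constructed opaque tag
    hosts = ("cdn7.geo.adnetwork.example", "metrics.sdk.example", "api.weather.example")
    out = [fw.decide(h, tag) for h in hosts]
    fw.allowlist.add("adnetwork.example")        # user whitelists the blocked service
    out.append(fw.decide("cdn7.geo.adnetwork.example", tag))
    return out, fw.log
```
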
To test the system, I installed a couple of apps widely criticized for their use of trackers, and which remain available on the App Store. One immediately caused about 20 alerts, some from repeated use of the same network connection, likely due to the app recognizing it couldn’t pass the data. Other alerts were more benign, noting that a library called Adjust and another called Flurry were detected, but used to collect analytics data to “assist app developers.”
Though Guardian Mobile Firewall will be a commercial product, it’s driven by Sudo’s interest in research. Strafach published a report in August 2017 about the use by the AccuWeather app of background location tracking in iOS to ship information off to an ad-targeting firm. (AccuWeather quickly updated the app.)
In September 2018, Sudo published a more extensive report that identified a number of apps also monetizing location data, and the associated third-party networks to which they were sending user location details.
Strafach said Sudo has developed software that allows it to perform bulk analysis of App Store apps, and then identify the code in apps that generates network connections. Sudo can then determine how an app passes information and to what end. Network trackers try to evade detection by obfuscating and updating URLs, but Sudo’s ongoing analysis defeats those attempts.
As part of this research, Sudo won’t examine traffic from its subscribers. It will rely entirely on its bulk analysis and devices under its control, and use that to update its firewall rules. “We track apps, not people,” he says. The company hoped to open up its large-scale beta test by December 2018, but kept finding unwanted tracking and logging elements in VPN server software, such as logging IP addresses for connections. Revising that server code and making it resilient and scalable pushed the release date back.
The Guardian app uses a number of techniques to keep users and their behavior unknown even to Sudo. “We’re not looking at user traffic; we’re not even retaining it,” says Strafach. When the system blocks or reports a network connection, the app relies on an anonymous tag from a user’s app that lets it send a push notification, rather than requiring a user-based account login.
Also because of that approach, Guardian avoids even identifying which app is making the calls to internet resources. Strafach says even trying to bundle together queries would reduce privacy, so in this initial version, Guardian doesn’t even try. In a future release, the app might let users opt into a feature that could ID apps. “We’ve done everything we can to make sure we can’t tell that it’s their device,” he says. Users should be able to figure out which apps are problematic, since notifications will appear when they’re installed or used, Strafach notes.
By storing and associating as little information as possible, the company minimizes the risk that it could suffer a security breach or even be subject to government orders to turn over data. (Strafach warns that journalists, activists, and others looking for strict anonymity shouldn’t rely on Guardian, which is focused on data privacy, and should use the Tor browser instead.)
Sudo’s interest in reducing tracking extends to its website. It’s opted not to use Google Analytics or other tracking software, and doesn’t run ads. Subscription fees from Guardian will have to cover all expenses, and will fund research as well. “We can be successful just by getting hard currency for a useful service and useful products we can provide,” says Strafach. This can make even reporting bugs difficult. Strafach says, “We have to rely on what information they send us and are willing to send us,” because the app doesn’t include crash reporting.
Some issues remain to shake out. At launch, the software and service combo is intended for a single iPhone. Because it doesn’t require you to create an account, Sudo has to figure out an ideal way to register multiple devices without affecting anonymity. And because it’s a VPN service, it also has to deal with bandwidth bills, as it both receives and sends user data. That cost could add up if people stream a lot of video, which Sudo can’t currently shunt around the VPN without performing more network handling on the iPhone itself.
And because Apple hasn’t approved an app like Guardian before, Strafach says it took some time to make sure the company was comfortable with how the app and its firewall fit together, ensuring that Guardian crosses all the t’s in how it describes, in its store listing and operation, how it monitors and blocks.
Guardian Mobile Firewall might be the first commercial service focused on blocking smartphone tracking, but it won’t be the last. People’s sense of privacy remains more fragile now following disclosures by Facebook and many other firms than at any previous point in the history of the internet, and their trust in promises about how their data will be used is at a low ebb. There may be no better time to launch an app that taps into widespread consumer paranoia that, increasingly, feels entirely justified.