This is getting scary. I always had the impression that Trend Micro was a reputed, well-established security company. Why they would sacrifice that brand for a quick buck is beyond me.
Edit: I don't understand how Apple didn't catch this in their review process: the exfiltration is clearly visible using a disassembler, as shown in the original forum report[1].
Unfortnately, it is them, based off of their website[1], which contains descriptions for each of these apps. The App Store link on their website has also stopped working, and the apps in question have disappeared off the store.
Surveillance is where the money is. The appetite for data is insatiable, and since nobody wants to pay for anything there aren't many other business models.
In this era of ultra cheap/free software and hardware, even formerly reputable companies are likely to find alternate revenue stream irresistible.
Apple's review process is most likely largely a PR illusion. Just look at all the stories of how inconsistently and arbitrarily they've enforced App Store policies over the last decade. That's not to say that they are not sincerely trying, I'm sure they are. Unfortunately, Apple has become even more opaque about many things (the 'security' obtained via the app review process always seemed a bit hand-wavy and superficial to me). I'm sure they'll continue to improve but the the bad guys will always be a step ahead because they must be.
No doubt the EULA/privacy policy of these apps contains the requisite clause, but nonetheless they would all be considered spyware. Ostensibly they could say that recently visited URLs are submitted for better virus scanning...
It's unfortunate that the ongoing trend of opaqueness in computers is making it easier for things like this to happen. Years ago, blinking network and HDD lights/sound would have provided at least some sign of unusual activity.
"Users do not expect sandboxed apps to get this level of access to their systems, but it is important to note that when an open file dialog is opened by a sandboxed app, if you use it to open your home directory, the app can potentially get access to lots of private information including browsing history, iMessage conversations, e-mail messages and more."
The macOS sandbox isn't like other sandboxes I've used (JVM, ECMAscript, Tcl, etc). Even if the user hasn't extended it by explicitly selecting a file, and even if the app has no entitlements, there seem to be a lot of holes in it -- and they seem to be intentional. The Mac sandbox can be one piece of a security solution, but you should never count on it to protect you from untrusted applications.
Of course, if you choose your home directory in a file picker, all bets are off.
The matter of user expectations is the main reason I wish Apple would revert the sandbox requirement for the Mac App Store. As a user, it really does seem like the sandbox should protect me from malicious code, just like Safari protects me from malicious JS, but it really doesn't. They want the MAS to seem safe, but it would be better for everyone if they made it clear you still need to trust the app.
> "Users do not expect sandboxed apps to get this level of access to their systems, but it is important to note that when an open file dialog is opened by a sandboxed app, if you use it to open your home directory, the app can potentially get access to lots of private information including browsing history, iMessage conversations, e-mail messages and more."
This access is going away in macOS Mojave, at least for the built-in system apps, for precisely this reason.
> The macOS sandbox isn't like other sandboxes I've used (JVM, ECMAscript, Tcl, etc). Even if the user hasn't extended it by explicitly selecting a file, and even if the app has no entitlements, there seem to be a lot of holes in it -- and they seem to be intentional.
> Of course, if you choose your home directory in a file picker, all bets are off.
What holes are you talking about? Keep in mind that the examples you mention and the macOS sandbox solve different problems and have different constraints. The ones you've mentioned are meant to execute untrusted code and keep it (almost) completely isolated from the rest of your system. But macOS apps must have much more access by definition.
> The matter of user expectations is the main reason I wish Apple would revert the sandbox requirement for the Mac App Store. As a user, it really does seem like the sandbox should protect me from malicious code, just like Safari protects me from malicious JS, but it really doesn't.
Just curious: how do you feel about the iOS sandbox situation?
Once interviewed for a Trend Micro position and had the feeling that they were a well-reputed transnational company, didn't know that this kind of thing could have happened. I expect them to code review so this is something that must have been accepted?
I once interviewed for AVG and they were quite adamant that their mobile apps collect all the data they can get their hands on so that they can resell aggregated statistics.
Hmmm...I remember receiving daily E-mail spam from “Trend Micro”, it was absurd and I had to block it all. I used to think it might be faked but after seeing this I’m sure the original company was responsible for all the spam trash as well.
What I don’t understand about review processes is that scummy apps and companies are really not that hard to spot. Maybe the really crafty ones are hard to see but I have to wonder how much time Apple really has to spend (sometimes just from descriptions alone) to question what an app is doing.
Meanwhile, I once got rejected because I didn’t have a damned minimize button or something.
I've always enjoyed the Apple App Store because they generally do a decent job of code review of the apps, and most folks can feel generally safe when installing applications. But...I've been reading about the apps recently that have been stealing location data and selling it to third parties. Pretty scary.
Hopefully Apple will figure this all out before long-time users who have trusted them completely, start to trust them less.
I'm a fan of the walled-garden, but sometimes the cracks in the facade worry me a little.
This is a huge lawsuit. Apple clearly states in the press and in advertising that the app store is the only way to get apps that are assured to be safe.
I can't imagine it'll take long before there are many and massive class action lawsuits over this incident. The legal bill will be massive.
I can't wait to see how many precedents get created over the total fallout from this event. Should be interesting.
Such comments are common after every "disaster". When Intel chip vulnerabilities due to aggressive caching were announced, the fixes reduced perf for those chips, and these same types of comments were made.
I can’t see Apple getting seriously nailed, since they probably had no idea this was happening.
But beyond shutting the companies responsible for selling these applications down, there should be some criminal liability for the executives. Exfiltrating users’ browser history without reasonable consent is a huge privacy violation.
“phantom legal risk” = fear of the unknown, or hope that something that seems bad will actually be punished. Of course “seems bad” often turns out to be more complicated.
> Apple clearly states in the press and in advertising that the app store is the only way to get apps that are assured to be safe.
Citation or it didn't happen. No way Apple has "assured" anyone that the app stores are 100% malware free at all times. They've said it's the safest thing out there which is a weaker claim (and still true).
Moving forward with my assertion and based on what others are saying about the Apple testing practices; I'm guessing that this was something that Apple should have caught in their testing, which if true would go towards proving culpability.
Negligence would then be the argument I'm guessing and then liability would follow.
I understand from many other situations it's arguable about whether the company could have foreseen the issue.
Typical breaches like the Dropbox breach which passwords were still hashed and therefore the request to reset the password was proactive. That's an acceptable breach to me and is bound to happen, but negligence such as Apple's or in the case of BA (British Airlines) breaking with known and valid credit card processes should result in conseuqences up to the criminal level depending on the situation.
There’s just no way failing to catch 100% of malware in the App Store review process constitutes criminal liability. The TOS you agree to explicitly absolve Apple of liability, and it’s an unreasonable expectation as well. It’s the safest system out there.
Similar behavior is so widespread (browser extensions, mobile apps, and now desktop apps) that some legislative solution is required. Otherwise, the companies and individuals doing this will be limited with a light slap on the wrist like in this case.
I would think that this kind of data collection is already illegal, at least with installs in the EU. GDPR mandates that the collected data is either directly required to render the desired service or explicit and revokable consent must be given. Clearly neither is the case here.
And now lets think a moment about the fact that Google, Facebook, Twitter, Microsoft, and thousands of smaller companies do pretty much the same thing. The only difference is that they collect it differently. Instead of offering to "clean your Mac" they offer components that developers can integrate into their websites and apps, for analytics, crash reporting, captchas, etc.
Privacy on our computers and phones is an empty promise, and we need to radically rethink the way our devices and browsers work if we want to change that. Legislation like the GDPR is one step, but we need to think about ways that make it impossible to collect all that data in the first place.
How is this not spyware, and why is this not illegal? Why aren't the makers of this software getting busted? If I would do this in a shell script on a machine of my employer I would be toast.
29 comments
[ 3.1 ms ] story [ 72.4 ms ] threadEdit: I don't understand how Apple didn't catch this in their review process: the exfiltration is clearly visible using a disassembler, as shown in the original forum report[1].
[1]: https://forums.malwarebytes.com/topic/217353-get-rid-of-open...
[1]: https://www.trendmicro.com/en_us/forHome/products/free-tools...
Edit: here's their website for the unarchive tool, seems like it is them: https://www.drcleaner.com/dr-unarchiver/
https://www.buzzfeednews.com/article/nicolenguyen/apple-remo...
In this era of ultra cheap/free software and hardware, even formerly reputable companies are likely to find alternate revenue stream irresistible.
Apple's review process is most likely largely a PR illusion. Just look at all the stories of how inconsistently and arbitrarily they've enforced App Store policies over the last decade. That's not to say that they are not sincerely trying, I'm sure they are. Unfortunately, Apple has become even more opaque about many things (the 'security' obtained via the app review process always seemed a bit hand-wavy and superficial to me). I'm sure they'll continue to improve but the the bad guys will always be a step ahead because they must be.
It's unfortunate that the ongoing trend of opaqueness in computers is making it easier for things like this to happen. Years ago, blinking network and HDD lights/sound would have provided at least some sign of unusual activity.
The macOS sandbox isn't like other sandboxes I've used (JVM, ECMAscript, Tcl, etc). Even if the user hasn't extended it by explicitly selecting a file, and even if the app has no entitlements, there seem to be a lot of holes in it -- and they seem to be intentional. The Mac sandbox can be one piece of a security solution, but you should never count on it to protect you from untrusted applications.
Of course, if you choose your home directory in a file picker, all bets are off.
The matter of user expectations is the main reason I wish Apple would revert the sandbox requirement for the Mac App Store. As a user, it really does seem like the sandbox should protect me from malicious code, just like Safari protects me from malicious JS, but it really doesn't. They want the MAS to seem safe, but it would be better for everyone if they made it clear you still need to trust the app.
This access is going away in macOS Mojave, at least for the built-in system apps, for precisely this reason.
> The macOS sandbox isn't like other sandboxes I've used (JVM, ECMAscript, Tcl, etc). Even if the user hasn't extended it by explicitly selecting a file, and even if the app has no entitlements, there seem to be a lot of holes in it -- and they seem to be intentional.
> Of course, if you choose your home directory in a file picker, all bets are off.
What holes are you talking about? Keep in mind that the examples you mention and the macOS sandbox solve different problems and have different constraints. The ones you've mentioned are meant to execute untrusted code and keep it (almost) completely isolated from the rest of your system. But macOS apps must have much more access by definition.
> The matter of user expectations is the main reason I wish Apple would revert the sandbox requirement for the Mac App Store. As a user, it really does seem like the sandbox should protect me from malicious code, just like Safari protects me from malicious JS, but it really doesn't.
Just curious: how do you feel about the iOS sandbox situation?
What I don’t understand about review processes is that scummy apps and companies are really not that hard to spot. Maybe the really crafty ones are hard to see but I have to wonder how much time Apple really has to spend (sometimes just from descriptions alone) to question what an app is doing.
Meanwhile, I once got rejected because I didn’t have a damned minimize button or something.
Hopefully Apple will figure this all out before long-time users who have trusted them completely, start to trust them less.
I'm a fan of the walled-garden, but sometimes the cracks in the facade worry me a little.
I can't imagine it'll take long before there are many and massive class action lawsuits over this incident. The legal bill will be massive.
I can't wait to see how many precedents get created over the total fallout from this event. Should be interesting.
It never happens.
But beyond shutting the companies responsible for selling these applications down, there should be some criminal liability for the executives. Exfiltrating users’ browser history without reasonable consent is a huge privacy violation.
I wonder if it falls under CFAA.
Citation or it didn't happen. No way Apple has "assured" anyone that the app stores are 100% malware free at all times. They've said it's the safest thing out there which is a weaker claim (and still true).
Moving forward with my assertion and based on what others are saying about the Apple testing practices; I'm guessing that this was something that Apple should have caught in their testing, which if true would go towards proving culpability.
Negligence would then be the argument I'm guessing and then liability would follow.
I understand from many other situations it's arguable about whether the company could have foreseen the issue.
Typical breaches like the Dropbox breach which passwords were still hashed and therefore the request to reset the password was proactive. That's an acceptable breach to me and is bound to happen, but negligence such as Apple's or in the case of BA (British Airlines) breaking with known and valid credit card processes should result in conseuqences up to the criminal level depending on the situation.
BA link: “So, about that BA hack …” https://medium.com/the-automator/so-about-that-ba-hack-a82e5...
Privacy on our computers and phones is an empty promise, and we need to radically rethink the way our devices and browsers work if we want to change that. Legislation like the GDPR is one step, but we need to think about ways that make it impossible to collect all that data in the first place.