Be careful what you install an app for, c/o Flickr

Popular Mac App Store apps have been secretly gathering sensitive user dataand uploading it to servers in China and elsewhere, building vast troves of data in places that may not provide the same level of protection as we expect. This is a Very Bad Thing.

What are they doing with this data?

We don’t know what is happening with this data once it is collected. It’s conceivable that this information could be analysed alongside other collections of data to provide insights into a person’s identity, online activity, or even political beliefs. Cambridge Analytica and other dodgy behavioural modification companies taught us this.

The fact is we don’t know what is happening to the data that is being exfiltrated in this way. And in most cases we are not even aware this is taking place.

The only reason we know about this collection of data-stealing apps is because security researcher, Patrick Wardle told us. Sudo Security Group’s GuardianApp claims another set of dodgy privacy eroding iOS apps, while Malwarebytes has yet another list of bad actors.

Don’t buy Adware Doctor

Adware Doctor is just one of the apps doing this – and has a long history of attempting to subvert user privacy. The developer used fake names, created fake reviews and more in its attempt to steal your information, including browser history.

On installation, the app would scoop up your browser history, create a zip file containing the data, and attempt to upload it to rogue servers. You’ll find more information on Wardle’s website and at ThreatPost.

The problem may go deeper than just one app. Sudo Security Group’s GuardianApp claims that several apps have been used to, “Covertly collect precise location histories from tens of millions of mobile devices, using packaged code provided by data monetization firms.”  These are apps distributed on the App Store.

That means they are making money out of your data, but not telling you they are doing so — this will be in clear contravention of Apple’s privacy policy as of a recent change.

Here’s the complete list of apps that have been abusing our trust in this way. If you have one of the apps on this list installed on your Mac, I recommend you uninstall it using instructions provided later in this report.

The bad actors

As well as Adware Doctor, Sudo Security warns that the following apps have been known to be gathering data to provide to data monetization firms, making money out of you, but not telling you they are doing so.

• Classifieds 2.0 Marketplace
• Code Scanner by ScanLife
• Askfm
• GasBuddy
• MyRadar NOAA Weather Radar
• C25K 5K Trainer
• Coupon Sherpa
• com
• Mobiletag
• Movo
• My Aurora Forecast
• NOAA Weather Radar
• Perfect365
• Photobucket
• QuakeFeed
• Roadtrippers
• Scoutlook Huntin
• SnipSnap Coupon App
• Tapatalk
• The Coupons App
• Tunity
• Weather Live
• YouMail
• PayByPhone Parking (it’s an app that’s widely used in cities like London) is also listed as using location tracking code from a company called AreaMetrics, but users are not informed.

In addition to these apps, Malwarebytes warns of the following:

• RAR support,  exfiltrates browsing histories
• Dr Antivirus
• Dr. Cleaner

Should you panic?

Apple allegedly took a few weeks to act on complaints concerning Adware Doctor. However, it may be reassuring to note that some of the things the app did (such as stealing browser history) will be impossible in macOS Mojave when it ships.

In another recent move, Apple changed its privacy policy to force developers to take responsibility for any customer data they collect, which means the company is most certainly watching for nonsense like this in future – apps and developers will be banned, I suspect. Any based in nations with strong privacy protection will likely spend time in court. Apple is clearly calling time on such behaviour.

All the same, you must be very careful which apps you download, and should take time to review the privacy and system permissions you give apps installed on your iOS and macOS devices regularly. Delete apps you don’t use, and revoke permissions for those you use infrequently until you need to use them.

Another handy tip? Use Private Browsing mode wherever possible, as this leaves no data on your device for rogue apps like Adware Doctor to steal.

Finally, when installing an app ask yourself why it might need some of the data it asks for (if it is polite enough to ask). Does the app need your location data? If you don’t trust the app, don’t approve it and delete it. You’ll probably find a more trustworthy solution if you look.

What can I do to protect against this kind of stuff?

• Review permissions given to apps
• Delete apps you do not use
• Revoke permissions for apps you use very little
• Use Private Browsing mode in your browser
• Don’t allow Location Services on apps that don’t provide a clear privacy policy
• Use a very generic name for your Wi-Fi router (eg. Home WiFi)
• Go to Settings > Privacy > Advertising and turn on Limit Ad Tracking in order to make uniquely identification of your iOS device more difficult for location trackers.
• Turn off Bluetooth functionality when it is not in use.
• Install and regularly run Malwarebytes for Mac or Malwarebytes for iOS to protect against malware.
• If you download an app that you later find is abusing your trust, you can report the app to Apple: https://reportaproblem.apple.com

What else should Apple do?

Apple clearly hasn’t acted swiftly enough in the case of AdWare Doctor. It needs to expedite action in response to such security complaints. Another problem is that the rogue app was one of the most popular paid apps on the Mac App Store. With this in mind I’d urge Apple to improve its security checking policy to deeply examine any app that makes it into the top 100 list, over and above existing procedure. It seems clear that whoever was behind Adware Doctor was making a concerted effort to push it up the best-selling list, most likely to maximize the data it stole. Apple’s security teams must now examine any high-profile app for similar behaviour.

How do I delete these apps?

• On iOS, tap and hold the app icon lightly until all the app icons begin to wriggle, then tap the app to delete it. Alternatively, tap General>Storage> Select the app and then tap Delete App.
• On Mac:In most cases deleting an app only needs you to drop the application icon into the Trash and empty the trash – but some apps (particularly bad actors) make it their business to save elements of themselves all over your system. Getting rid of them is much harder than most people need – but a good guide to doing so is here.

Otherwise try this simple approach:

• When you first install an app, take a note of what it has installed and where using the free Find Any File app (instructions provided on this page). This will make it easier to track down the apps components later.
• When deleting an app, use a utility such as Uninstaller, AppCleaner, AppDeleteor CleanApp. (I’ve used AppCleaner for years and find it does an effective job getting rid of app-related cruft, so try that one I reckon).
• When you’ve used this, check the component note you made earlier and ensure all the components are evicted – but do take care not to remove essential system components.

I hope this is of some help.