2025 is turning out to be very meta so far.
-
@briankrebs But none of those should have access to location to begin with. Unless they've exploited bugs or tricked the user (or exploited bad OS defaults) to have location permission.
-
@dalias Yeah you're asking good questions, but afaict they are answered in the story I wrote and linked to. I realize it's long, but that's because it's also complicated.
-
@briankrebs I'm not asking this to be difficult or to blame users for installing junk apps and not locking down permissions right.
I'm trying to understand who the real culprits in leaking this data are, to know both who to target, and who is affected (like, are carriers doxxing us even if we have location properly locked down?).
-
@dalias @briankrebs You give location access to the app or site to get the weather, the embedded SDK passes the location to data brokers.
-
@BucciaBuccia @dalias From the 404 story: "The location data is staggering; in one file, I see over 10,000 distinct Android applications providing data such as GPS locations, IP addresses, user agents, and more from millions of phones"
-
@BucciaBuccia @dalias What Buccia said. Basically, the capability to harvest this information is included in mobile SDKs that app developers get paid to include in their code.
-
Honestly, this is one of the cons of how Android (and iOS) are designed. I am not sure there is a fix for this, but people become so used to clicking "ALLOW" because when installing an app the first thing you get is a bunch of pop-ups for allowing various permissions. I absolutely can see how someone would just be used to tapping allow without fully reading or understanding the implications. The typical "calculator" app requesting location data is always used as an example, right, but it's much more subtle than that. You'll get an app like a messaging service, for instance: it asks for contacts, asks for access to your camera roll, and maybe at the end it asks for "find and connect to devices on your network".
I hate Apple for this one because it's kinda misleading. Your typical person isn't going to see a red flag in that, they'll just be like "huh weird, I guess that makes sense it needs internet connection" instead of understanding what that permission entails. Now, I understand that IP address data is super easy (I mean you can collect that as long as you have access to an internet connection, right: http://icanhazip.com/) but it applies more to the GPS location data, contacts, etc. I feel like the mandatory access control systems in mobile phones are not informed consent in the slightest. Maybe they should follow what browsers have started to do, actually explaining the level of access and potential implications.
-
@puppygirlhornypost2 @briankrebs @dalias @BucciaBuccia
I think about this a lot. So many dark patterns. I'm pretty technically savvy, and I don't always answer "don't track me for targeted ads" when an app asks me. Maybe I want to see more useful ads from this app? What if I change my mind?
The same for location data. Very rarely when running apps do people have time to leisurely consider the meaning of giving consent to the OS to send personal data to "free" apps.
-
According to the FTC, Gravy and Venntel process more than 17 billion signals from about a billion devices every day.
-
Nonya Bidniss :CIAverified: replied to BrianKrebs
@briankrebs I'd like to opt out
-