After reading this post a couple weeks ago (https://news.ycombinator.com/item?id=21725139), banning the app sounds like a good idea. I’m no expert on security, but the situation regarding Tik Tok’s practices sounds really bad.
As soon as I heard about it, I knew right away that they would have some shady practices around how they handle user data. You don't grow that quickly without not having robust data protection safeguards/policies, let alone being run by a company in a jurisdiction not known for their robust data protection laws (to put it nicely).
Doesn't matter, they have it on their personal phone.
App security is so bad that you pretty much need to virtualize the phone and feed it fake sensor data. The whole idea of unrestricted network access is stupid.
> App security is so bad that you pretty much need to virtualize the phone and feed it fake sensor data.
Yeah, this is really bizarre to me. I was trying to check on volume levels through walls in my apartment, so I wanted to find some random decibel measuring app and lock it down so I don't have to worry too much about trusting it. But somehow Apple's permission model, which provides a whole pile of privilege switches including mobile data, has no way to completely revoke Internet privileges for an app.
This is one of my favorite things about Android. It's trivial to restrict access using AFWall+. You can block all access, mobile data access, WiFi access, or any combination thereof on a per app basis. Highly recommend it.
Yes very true. I've been rooting for years so don't usually think about that, but yes you have to be rooted. It's sad that for proper security you have to root your device. I'd love if they built that firewall into Android.
Anticipating a question, the best phones IMHO for rooting are the OnePlus phones and Pixel. Motorola had been good in the past but you have to get a code to unlock the bootloader (which I don't like).
There's a fantastic example in my sibling post. Rooting gains you the ability to more tightly control network access. That alone is massive for privacy and security.
Obviously you have to run code with lots of permissions, which means you could be highly compromised by a malicious app. The onus on the user is much higher to vet apps. At the end of the day you have to place some trust, even if you don't root. It's a game of balancing tradeoffs.
It's overly simplistic to say that rooting dramatically decreases security regardless of background or technical expertise.
Thanks for answering. I guess now that it's possible to install your own key to verify rooted images in many phones, the problem is somewhat attenuated. Losing verified boot is a major loss.
So yes, that was a bit overly simplistic. I rooted my phones for a number of years before carefully looking at the pros and cons and deciding it was a poor choice for a consumer mobile phone. Obviously, we need root access for our dev machines and servers. But I try to follow the principle of least privilege, and in that case, it's not clear why root would be needed for a mobile phone.
But I concede that for some use cases, it can be a trade-off.
What other security advantage of rooting can you name besides tighter control of network access? Also, note that there are a few apps that allow some degree of firewall with unrooted phones. I also suspect there's a lot of room for improvement there.
I’ve found blocking an iPhone on my WiFi AP effectively cuts it off from the net. It may have cell, but I think iOS prioritizes the WiFi connection because it’s live to the AP, even though all requests stop there.
Honest question: but what’s the threat model for wanting an OS to block this? I’ve so far only thought of leaking IP address and Bitcoin mining. But any website already easily has both capabilities (with somewhat arbitrary open sockets after the WebSockets handshake). Is the expectation that an app implementation should have less permissions than an equivalent website and so be the “safer” option?
I want to ensure that the app is just locally computing the decibel level, rather than streaming out data about what it's hearing.
I would ideally want websites to also have a "no more network access after your initial load" mode, but as you say that's fundamentally incompatible with modern web development. So I kinda just accept the loss there.
Stock Android is the same, but MIUI (Xiaomi skinned Android) does allow you to control which apps have internet access, and whether they can use mobile or wifi networks.
You can turn off WiFi and then revoke cellular data for a specific app. Not the same thing but still effective, especially if you are only going to use an app once.
> The whole idea of unrestricted network access is stupid.
I've been coming around to a similar idea. I'd like a setup something like this for my desktop:
1. Some devices representing network connections. One or more are "real"; others may be VPNs.
2. Per-application settings governing which network devices, if any, the application may use. Default to none.
For example, the common way to use a VPN is like this:
1. Start your machine. You're connected to the internet, but not yet to the VPN. All of your running software is already using the internet over the unprotected connection.
2. Start the VPN. It will magically do something such that applications wanting to use "the internet" find it instead of the connection they used to find (the one the VPN itself is still using). All of your running software is now using the VPN. Did you want something to use the other connection? Too bad.
I'm sick of the idea that Windows perceives an internet connection somehow, hides it from me, and automatically makes it available to everything that asks for "the internet". But I don't actually know how to do this. Someone is working really, really hard to make sure I don't affect who uses what device.
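One concrete way to get the "default to none, allowlist per interface" policy described above on Linux, as an added example that is not part of the thread: run each application under its own Unix user and use the iptables owner match (`-m owner --uid-owner`) so that user's outbound packets may leave only through the named interfaces, with everything else rejected. The user names `vpnapp` and `noneapp`, the interface name `tun0`, and the helper function names are assumptions for the example; the rules are printed rather than applied unless `APPLY=1` is set, since applying them needs root and iptables.

```shell
#!/bin/sh
# Added example (not from the thread): per-application network-device policy
# on Linux. Each app runs as its own Unix user; iptables' owner match ties that
# user's locally generated packets to an allowlist of outgoing interfaces.
# Dry-run by default (prints the rules); APPLY=1 executes them (needs root).

# per_app_rules <app_user> [iface ...]
# Prints one iptables command per line for the OUTPUT chain.
per_app_rules() {
  user=$1; shift
  # Loopback stays allowed so local IPC for the app keeps working.
  echo "iptables -A OUTPUT -m owner --uid-owner $user -o lo -j ACCEPT"
  # One ACCEPT per interface the app is allowed to use (none if no args).
  for dev in "$@"; do
    echo "iptables -A OUTPUT -m owner --uid-owner $user -o $dev -j ACCEPT"
  done
  # Default deny: anything else this user sends is rejected.
  echo "iptables -A OUTPUT -m owner --uid-owner $user -j REJECT"
}

# apply_rules <app_user> [iface ...]
# Executes the rules when APPLY=1, otherwise just shows them.
apply_rules() {
  if [ "${APPLY:-0}" = "1" ]; then
    per_app_rules "$@" | while IFS= read -r cmd; do $cmd; done
  else
    per_app_rules "$@"
  fi
}

# run_confined <app_user> <command...>
# Launches the program as the confined user so the owner match applies to it.
run_confined() {
  user=$1; shift
  sudo -u "$user" -- "$@"
}

# Constructed policy: the VPN-only app may use tun0 and nothing else;
# the no-network app gets loopback only.
apply_rules vpnapp tun0
apply_rules noneapp
```

The owner match only sees packets the local host generates, so this governs what the app can send out; it does not stop a listener inside the app from accepting connections that arrive on other interfaces, and an IPv6 host needs the same rules issued through ip6tables. Because the VPN's tun0 appears only once the VPN is up, an app confined to tun0 simply has no route to anything until then, which is the "default to none" behaviour the comment asks for.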
They secure and compartmentalize at the VM-level so you can setup a VM to work only over Tor or VPN, and others to work directly over your own network. You can also restrict access to hardware per VM.
Reading your comment melts my mind as a Linux user.
You can't just set your vpn connection as the default route? What's even the point if it's not the default route?
Applications (at least on Linux) have no idea what device they are using. They just request a connection to an IP and it's the kernels job to route that request correctly.
Of course Windows can (and does usually) use a VPN as an active route. The poster just doesn't know what they are talking about.
In particular this sentence is complete nonsense:
> I'm sick of the idea that Windows perceives an internet connection somehow, hides it from me, and automatically makes it available to everything that asks for "the internet". But I don't actually know how to do this. Someone is working really, really hard to make sure I don't affect who uses what device.
You've described the same system I just said I didn't want. But I'm uninformed for complaining that I want something different?
> Applications (at least on Linux) have no idea what device they are using. They just request a connection to an IP and it's the kernels job to route that request correctly.
This is a bad idea. I want to connect the application to the device I think it should use. It shouldn't be able to find anything I don't tell it about.
>> Applications (at least on Linux) have no idea what device they are using. They just request a connection to an IP and it's the kernels job to route that request correctly.
> This is a bad idea. I want to connect the application to the device I think it should use. It shouldn't be able to find anything I don't tell it about.
Telling applications about resources is literally what the operating system is for. Both Linux and Windows let you do what you want.
Installing a firewall app and checking the connection log on my Android phone really spooked me. There's a ton of traffic in the background that shouldn't be there. It's absolutely crazy that Android doesn't have a first party firewall or the ability to disable internet access permission per app, but that would impact Google's ad revenue, so of course we can't have that.
I don't know if this is a feature of Android or of the alternative ROM I'm using, but I can disable network access on a per app basis.
In my Android Pie based ROM, in Settings / Network & Internet / Data Usage / App data usage I can select any app and disable WiFi, Cellular data or both.
That is what all units in USSOCOM do. No personal cell phones, smart watches, etc. allowed in the office. Guests have lock boxes outside the main entrance to secure their phone.
About once a week security folks wander through the offices looking for phones with some type of detector. God help the person who brought their phone in.
A few years ago I worked at an oil refinery in Scotland, and the rules were the same: no personal phones on site, and if you were found with one you'd get in deep trouble.
You may have seen people doing the two minute sprint then?
That's when you check the TOTP code on your phone, put it back on the stack of phones, and race as fast as you can back to your desk to enter the code before it expires.
No way. Restricted access to networks is a step back to the Bell System days. Once you open the door, it won’t close.
This is a legal and compliance issue. If you made the marketplace share liability for fraudulent apps, and had meaningful law around the ownership of electronic data, this problem would go poof.
In the US, a piece of paper in a locked drawer requires a warrant to access. Electronic data requires as little as an administrative subpoena.
That is how it actually works. There is an approved app App Store. You have to go through a whole process to get it approved (I've tried). What the article really means to say is that it's been removed from among the approved apps.
There is a legitimate usage for these kinds of apps on some devices. Armed services recruiters tend to use various social media apps to communicate with people they are trying to recruit.
Given the intrusiveness of social media platforms, I think they would justify having hardware that’s air gapped from their military devices. That way they retain access to their audience, while maintaining security.
I suppose the message that is sent here is: 'if you want to recruit you'll have to do it on Snapchat, YouTube, Instagram, Twitter, or Facebook instead of the one Chinese based app'
I do not quite see that as a fair or valid comparison. Recruiters are trying to target 18 year olds, and the reality is a lot of these 18 year olds (outside of the tech field) prefer to use Snapchat, Facebook, etc to communicate. They’re not using these apps to communicate classified information.
Totally different risk assessment level on a threat actor gaining location information of a recruiter (or all recruiters) vs. location of special forces service members.
The recruiter should get a waiver, a use case like that isn't a good reason to default to allowing.
With recruiters, do you mean actual recruitment agencies[1] or recruiting in the sense of the Chinese IC recruiting foreign agents?
[1] I don't see job-recruiting being a reason to allow this app. IMO any device that is used by a public servant paid with tax-$$ should be limited to what it runs and I'd be surprised if they don't have a very strict BYOD policy for this reason. Never mind TikTok they shouldn't be running any social media apps on their phones. There are other problems with this use such as what data ends up being leaked to social media companies (regardless of where they are).
I think it's probably more for security reasons -- i.e. they can be passing a dot map of all the Navy personnel around the world and their traveling patterns to the Chinese government.
That level of basic location data seems almost trivial, they probably don't even need you to install anything for that. I would expect the app feeds them far more data.
It's absurd that _any_ non-sanctioned software was ever allowed on US Navy phones, let alone apps developed by a major adversary known for pervasive metadata collection. WTF kind of total and utter incompetence is this? Sounds to me like a major house cleaning is needed.
Traditionally they have done testing for WHQL certification. It may make sense for them to do analysis or reversing in order to raise the bar.
Or maybe change the design of the NT kernel to isolate device drivers better.
An American financial service that I had multiple accounts with was just bought by a Chinese organization. There was nothing obscure about the service nor was there publicly available data about my accounts.
I'd say buying Experian is the nightmare scenario but all that data has already leaked. So maybe buying a major US bank like Wells Fargo is the way to go if someone wants more detailed data about American spending habits. I'm sure it's why Google's Project Cache is extending their reach to banking in 2020.
Wouldn't surprise me if the military makes you strip naked, put your clothes in a microwave, then put them back on before getting on the plane to the black site. Each and every time.
Because it's the military so everything technical is done/designed obtusely...although your idea is more in line with typical financial/resource wastefulness so it wouldn't surprise me either!
On the way in, they leave everything from outside, and on the way out, they leave everything from the inside and take what they brought in from the outside.
I'm guessing those phones are to ensure their owners have a dedicated communication channel and a platform to run non-critical tech necessary for their job.
Apps for non-sensitive emails, schedules, maps, org directories, etc.
If the government is putting sensitive military data on an Android or iOS phone, you should be concerned. A whitelist would not be a sufficient safeguard.
I think it's more an issue that non-sensitive data can still be harvested and turned into sensitive data. So for example, troop movements are sensitive. They probably wouldn't be coordinating those over unofficial channels. And normally if, say, a soldier says "I love you" to his family, that's not really sensitive. If all of a sudden, 40% of the soldiers on a base do that though, that's leaking sensitive data.
> A Navy spokesman said Naval and Marine personnel who use government issued smart devices are generally allowed to use popular commercial apps, including common social media apps, but from time to time specific programs that present security threats are banned. He would not give examples of apps that are allowed or those considered unsafe.
Because employees feel that they deserve to use Facebook and such on their government issued devices, and if you deny them their God given right, you are a racist, sexist, and otherwise despicable person.
> Because employees feel that they deserve to use Facebook and such on their government issued devices
True, and contributes to the discussion by pointing out that morale is a tricky thing.
> if you deny them their God given right, you are a racist, sexist, and otherwise despicable person
This is _at best_ hyperbole. It has no insights, adds nothing of intellectual interest to the conversation, and falsely equates "I'm not getting what I want" with "Accusing other people of being racist and/or sexist."
That last bit is not only way off-topic for this, but it's an ugly and false smear that drags the level of conversation into the mud.
I agree strong security protocols are necessary, but our soldiers abroad should be allowed to interact with their friends and family abroad in some capacity via social media. I think your comment is a little over the top.
> A Navy spokesman said Naval and Marine personnel who use government issued smart devices are generally allowed to use popular commercial apps, including common social media apps, but from time to time specific programs that present security threats are banned.
Should the Navy whitelist eBay and Amazon? What about the Walmart app? If Target has one, should they then apply to get whitelisted? What about Navy personnel in other countries with their apps? What about popular app/game xyz? There are a million apps.
If all that has to be whitelisted, the bureaucratic overhead would be either really cumbersome or the value of an issued device so small that people would buy and use their own devices anyway.
Do they need those apps to carry out their duties? If not, that should remain on personal devices and left in a secure location while on duty. There have been too many incidents of apps like Strava publishing locations that it's just not worth missing something important.
This is a work phone and people should have an extra cell phone for personal uses, and when they're at a government job with sensitive information they should be using their work phone. People who don't work with sensitive information or interesting responsibilities can use whatever phone they want if they don't mind totally forfeiting their privacy.
But eBay? Amazon? Walmart? Popular apps and games? Sure, get those whitelisted. Or are we thinking about maximizing the value proposition of a work phone at a government job?
If you're arguing that soldiers shouldn't do business with Target or Amazon on their mobile device, blocking an app won't get the job done, agreed.
But if the argument for blocking the app has to do with untrusted native code running on a device used for military purposes, the surface area of a browser is much smaller than the surface area of a plethora of native apps.
Don't forget MS. Took German privacy regulators until recently, more than 3 years after the release of Windows 10, to notice that the thing is phoning encrypted data home even after disabling as much of that stuff as possible.
Their final conclusion is that using Windows 10, in a data privacy-compliant way, is only possible with a "rest risk" [0]. Too bad that by now Windows 10 is not just in wide use among businesses, but also the de facto government OS, most of these installations running default settings.
Same deal with Intel's ME: The German Federal Office for Information Security, a bit like the IT department for the government, rated Intel ME's risk as high early 2018 [1]. Yet no actual consequences besides that release, government systems still running Windows 10 on Intel platforms.
So while a lot of the threats are known and acknowledged, nobody seems to really act on these findings.
I'm not sure that's fair. To me GP comes over as jingoistic nationalism, but it also seems to have a substantive basis - the idea that foreign nations should be ejected at all levels from a government's internal systems?
I'd really like to ask "should other nations eject all USA companies products from their governmental systems too?" (because I'm really curious how an apparent ultra-nationalist sees that?), but you've decided we can't explore that avenue.
Sure, if things get pejorative cut it off, but conversations here tend to have a higher standard of discourse, and excluding anything that might get touchy, IMO, unnecessarily limits the topics we can [usefully!] address here.
We can't learn to understand one another if we're afraid to enter discourse on the tricky topics. Yes, there are other places, but this is special here somehow; I think we, HN, as a community can explore these ideas intelligently and maturely with perhaps a slightly lighter tiller.
A key difference between your comment here and the one 'dang is responding to is that yours is conducive to continuing such a conversation in a constructive manner and the latter is not. I find that's very important in engendering the kind of environment you're striving for. That's how I read 'dang's admonishment: it's unsubstantive and flamebait because it doesn't provide much leverage to continue a meaningful conversation and rather encourages knee-jerk, similarly unsubstantive comments (as you've noted in describing it as coming across as "jingoistic nationalism").
(I'll leave this now as continuing a meta-discussion is something these threads often need less of, and I don't have a lot to add beyond this.)
You make a good point and yes, it seems that other governments would do very well to eject U.S. products from their governments too. Both Russia and China are working on just that. China is pushing Microsoft Windows out as much as possible, even in civilian computers.
Every government is looking to angle what they can from other governments. If I were in charge of a government it would be the approach I'd take.
I understand your point, and I agree. It's impossible to audit all that software and hardware and it is not an irrational decision to completely eject an adversarial government's technology, I don't know why this guy is giving you a hard time. I certainly wouldn't blame a Chinese or Russian government policy that bans technology from the USA.
Trying to keep this place interesting to benefit the community. HN's mandate is to serve the curious. Rage has important functions, but that is not one.
I've posted countless comments explaining this from many angles. If you're interested, there's lots of opportunity to learn what this site is for and why we moderate it the way we do. Here's a recent one: https://news.ycombinator.com/item?id=21832654.
I am genuinely curious here: when one player has a free market and the other does not, how do you think that will work out? Do you believe that America can remain dominant while its companies get 85% access to the world population and Chinese companies get 100% access? I honestly don't understand this attitude. Yes, free markets are great as long as your counterparties are free market economies also, but China has been proven to be anything but.
What is incorrect about my statement? In case you don’t know or want to be reminded, the name of the ruling party in China is called ‘China Communist Party’.
Yes, I realize this, and my belief is that America needs to decouple from China and bring the total net trade between the two down by 70-80%, leaving rare earths, agriculture, and some manufacturing left in the balance of trade. When two systems are so far off of each other, there cannot be fair agreement between the two. As a result the only three options are containment, playing by communist rules, or walking away. In my mind oppression and state communism are not ethical, and so the only option is to walk away.
Capitalism is unethical. No economic system is perfect. Ironically, when the rich in the US are in financial trouble, they force government to be communist. Like in 2008 recession, companies were bailed out using taxpayers’ money. I am not denying that US has to do everything in their power to bring the deficit down, but they must stop pretending to be a free market while doing the exact opposite of a free market. Protectionism is only expected from communist countries, not countries that market themselves as free markets.
Denying apps from an adversarial country on military personnel phones is not "Sino bashing". I wouldn't see it as American bashing if the Chinese government did similar. I'd just shrug and say "that makes sense".
One-off bans make more sense; a whole unit set up to pre-approve millions of potential apps is crazy-town.
Then they use Google Chrome and hit a phishing-hole site and get their phone owned. But don't worry, they weren't allowed to install Netflix!
The problem here is open-source intelligence because TikTok is very popular among young members who spend all their free time in their bunk on their phone. Limiting the apps might help with that, but I'm highly skeptical. There's already plenty of restrictions on social media use for armed-forces members. I believe that path is the way to go - create restrictions on posting personal information.
Having some paper pusher unit pre-approving millions of potential apps sounds like a giant waste of time. It makes a lot more sense to react to bad stuff (like one-off reactions for a massively popular video sharing app with sketchy Chinese ownership) than pre-emptively ban everything, simply because it won't do much for security beyond what Apple and Google are already doing in the app store.
Explain to me how it's useful for security? Because I can guarantee you it will be a giant time-and-money waster with plenty of arbitrary rules that do nothing for security.
There's millions of apps and tons come out every year. This nation-wide 'unit' will have to be constantly 'measuring them for security'. This isn't going to accomplish much of anything.
Either have a secure phone with pre-installed apps (i.e., just a browser plus encrypted phone/messenger, military mapping tools, etc.) and let them install nothing (which means they'll just use their private phone anyway for the OPSEC fail stuff). Or let them do whatever and selectively ban the ones like TikTok which have massive surveillance potential just based on their popularity alone. This one-off, watch-for-bad-stuff-and-react approach makes far more sense to me.
You are right, there are millions of apps and nobody would be able to manually review them all.
The question then becomes, which error state is more acceptable for the organization? A system that occasionally misses malicious apps? Or a system that occasionally blocks a non-malicious app?
It doesn't matter if it's a laptop or a phone, you should only be using it for work.
Technology is much cheaper than it was 20 years ago. If you're not willing to purchase your own phone or laptop to do what you personally want to do with a device, you're likely not good at budgeting or decision making.
I'm not sure why they would evaluate any apps other than the ones they want to consider allowing people to install. It certainly does sound wasteful to evaluate something no one wants.
Yes and I'm advocating to continue taking that one-off approach instead of making some "ministry of apps" in the Navy to pre-approve every one of them.
There are various stories (the Daily Mail, Reuters, Times, please take your pick) that report that the Army is 'playing with' TikTok to see if it works in recruitment. Those same reports say it is being used by 'The Guards Division'.
The British Army doesn't have a 'Guards Division' [0]
> ... Naval and Marine personnel who use government issued smart devices are generally allowed to use popular commercial apps, including common social media apps ...
Not surprising. For several days now TikTok has left the information of 700 million of their users available via an open S3 bucket. It is online now at this very moment and includes IDFAs from Apple as well as, interestingly, although I bet American companies do this too, the MAC addresses. This is significant because my understanding is that Apple rotates / randomizes the MAC address because those can be used to, quite effectively, track individuals anywhere in the world (I would say it is better than GPS often at this point, especially indoors). Storage is cheap so maybe everyone stores them these days, or perhaps someone has found how to guess the rotation pattern (completely unproven theory that is likely wrong but the only thing I can think of).
The coverage that Skyhook claims to have for instance is extraordinary considering this is totally reliant on Wifi points and cell towers: https://www.skyhook.com/Coverage-Map
Compromised and front company are different things I want to emphasize. ProtonMail hasn’t been hacked, it is a deceptive (and smart) company. So again want to make that distinction. For instance, https://joesdatacenter.com and https://datacenterwest.com are front companies. On the other hand, Facebook is just a kind of sad company that has been compromised obviously many times but isn’t a front company and I very much believe Mark Zuckerberg established it with the best of intentions.