Prevention-centric cybersecurity

Industry Updates

The Hidden Cost of Free Apps: What’s Really at Stake?

What is the price when an app is free?

We see this all the time: an application is free to use and promises there is no catch, but is it really free?

The long and short of it is that most commonly, no, the app is not free. There may be some that are absolutely free with no strings attached, but that is not the common reality. Why is this dangerous? Many reasons, but most importantly, if the app is “free” there has to be some way the company is getting paid on the back end to keep the app running (again, some apps are truly free and done as a labor of love, but those are nowhere near as frequently updated because they are self-funded).

I am posting this for good reason, and it should come as no surprise that the topic of conversation is Facebook. That’s right, Zuck, you are again in the crosshairs for doing something shady, and you really hoped this one would not come to light, as it is extremely egregious.

Would it shock anyone to find out that Meta conducted one of the largest Man in the Middle (now called “Adversary in the Middle” for some stupid reason) attacks against its own user base? I didn’t think it would shock anyone. The reason they did it was purely selfish: they didn’t have enough telemetry on users of Snapchat. Snapchat was 100% end-to-end encrypted, so they could not obtain behavioral data from it, and they needed that data to remain relevant and tailor their program to keep people addicted to using it.

Meta sat down and built a way to intercept all the data before it was sent over the network. The program was named Onavo, and they went so far as to pay teenagers to run it on their devices and allow Meta to gather user data. Here is where it gets, as the kids say, “shady AF”: this was so successful that they expanded it to services they didn’t control, YouTube and Amazon, via what they internally called “SSL bump”. This was deployed against Snapchat in 2016, YouTube in 2017/2018 and Amazon in 2018.

How can you get all this data on the client when it’s encrypted? I am so glad you asked! They created a “kit” which installs a root certificate on devices running the targeted apps (Amazon’s mobile app, Snapchat, YouTube mobile). Because the device now trusts that root, the app’s traffic can be terminated at a server presenting a fake certificate signed by it and tailor-made to impersonate the legitimate certificate; the app accepts the fake one, and the data can be decrypted. The goal of this was to harm competitors by finding out what customers were interacting with and how Meta could develop apps to integrate with Snapchat.
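To make the mechanism concrete, here is an added Go example (not code from the post, and not Meta’s tooling). It builds a throwaway PKI: a genuine root issues a certificate for a constructed hostname, a second, locally installed root stands in for the “kit” and issues a forged certificate for the same hostname, and the checks show that the forgery fails against the device’s original trust store, succeeds once the extra root is trusted, and is still caught by a public-key pin. The CA names and the host `app.example` are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue mints a certificate for cn (valid for the dns names) signed by parent; a nil parent means a self-signed root.
func issue(cn string, dns []string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // constructed random serial number
	tmpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil { // self-signed root: the certificate vouches for itself
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trustedBy reports whether leaf chains to one of roots and is valid for host, the check a TLS client performs.
func trustedBy(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo: a pinning client hard-codes the real server's value.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// Build returns the genuine and forged certificates for host plus the untouched and tampered trust stores.
func Build(host string) (realLeaf, forgedLeaf *x509.Certificate, clean, tampered *x509.CertPool) {
	realCA, realKey := issue("Genuine Root CA (constructed)", nil, true, nil, nil)
	kitCA, kitKey := issue("Locally Installed Root (constructed)", nil, true, nil, nil)
	realLeaf, _ = issue(host, []string{host}, false, realCA, realKey)
	forgedLeaf, _ = issue(host, []string{host}, false, kitCA, kitKey)
	clean, tampered = x509.NewCertPool(), x509.NewCertPool()
	clean.AddCert(realCA); tampered.AddCert(realCA); tampered.AddCert(kitCA)
	return
}
```

The pin comparison is the defender’s takeaway: a client that checks `spkiPin` against the value it expects still rejects the forged certificate even when the device’s trust store has been tampered with, and auditing a device for user-installed roots catches the kit itself.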

The ironic thing is that Zuckerberg has been called to Washington many times to discuss security and data privacy, something he obviously does not care about (at least not yours; I am sure he cares quite a bit about his own). We have a free program which makes you the product, and the CEO of said company advising on policy around data protection while they are openly violating wiretap acts (and formerly selling all data to Cambridge Analytica)… I cannot think of a better story for Hollywood to turn into a movie, and it’s already been written for them.

Long and short, when a program is free, the actual product is you: your usage, your personal data, your interests. All of that is worth large amounts of money to the right data brokers. Please be careful with what you provide to these products, because you never know what their intentions are with everything you hand over.
