[IgorBog61650384]

The only reason this was detected was very overt behavior - opening AD popups. So I guesstimate for each one of these we have 10 that go undetected. This means the whole ecosystem is broken, as there is no reason this will happen only for updates and not for new apps as well. Apple's ecosystem is somewhat better, but I can't imagine they go through every line of code in each package, so most of their review is probably done with some combination of automatic static and dynamic analysis, and these can be fooled. The problem with both platforms is that they don't provide run of the mill users the option of installing an effective firewall and security solutions.

[m463]

This happened on ios for me years ago.

I had two apps that radically changed their business model (owner?) through updates with no recourse.

I had an app called gas cubby, which let me locally - on the phone - keep track of all my vehicles. I could enter detailed information about each car such as year, make, model, vin, insurance policy, gas purchases, oil changes and the like. It would tell you gas mileage and remind you of upcoming maintenance. One day, I updated the app and all my local data was uploaded to the cloud.

Another app I updated was camscanner from tencent that basically did the same thing. Think of all the PDFs you scan going to their cloud.

[ChrisMarshallNY]

I've been writing apps for a long time. They are usually free/Tier 1 apps.

A while back, I was approached by a [NATION OBFUSCATED] developer, asking to buy up one of my older apps (they are all open-source).

I ignored the request, and reported the approach to Apple, as I'm sure that this actor has been doing the same for many other apps.

This is apparently a common method for malware-slingers. They buy established, older apps, that they assume the developer has abandoned (I hadn't abandoned it, but it's a simple app that hardly ever needs tweaking. If I stop supporting an app, I remove it from the store).

They then "update" the app, with a little "extra flavoring."

[lioeters]

> One day, I updated the app and all my local data was uploaded to the cloud

This happened to me with Chrome. It auto-updated, then automatically synced browser history, passwords, and who knows what else, to Google. They soon changed it to opt-in sync, but it was too late for me at that point; they had already hoovered up my personal data. That was when I stopped using Chrome and switched fully to Firefox.

[zo1]

Camscanner was a blatant bait and switch. When I first started using it, I paid for a license to get full functionality with no ads/watermarks/etc. Magically, years later I got reverted to the ad-supported/free version, and my license was nowhere to be found. This was at the same time they moved to "cloud features" and a subscription model. Their reviews are littered with people having the same issue and the developer copy-pasting some response that doesn't work.

[dotancohen]

I haven't had this issue with Camscanner, but I've had it with other apps. One outright disappeared from my library, as if I have never had it installed.

[vmception]

yeah this is one reason why I can't take mobile app end to end encryption, or client side only, claims seriously. a single update at any time could undermine all of that

and secondly, they or an analytics package can just read everything client side and upload it to a server anyway

doesn't matter if its whatsapp, or signal, or some protonmail client if such a thing exists

I just don't use them with that assurance in mind, I use them for other things.

[Barrin92]

>yeah this is one reason why I can't take mobile app end to end encryption, or client side only, claims seriously.

If it's a large company like Facebook that values these products like Whatsapp at billions I trust them at least on this issue. I'm pretty sure they're not going to put junk third party malware for 50k into the Whatsapp client.

This is mostly an issue for apps done by individual developers who have huge incentive to take these deals, like the barcode scanner in question.

[vmception]

They've been sideloading with React Native, allowing updates even for people without automatic updates enabled, and have abused enterprise/privileged developer keys which allows access to additional parts of the system. I just don't see how you can draw that conclusion.

I use the apps for other things, not for any assurance of privacy.

[krageon]

> I trust them

You literally mentioned a company that betrayed trust so bad a government tried to call them to account.

[Barrin92]

Are people capable of enough nuance to distinguish between issues that large tech firms are likely trustworthy on and issues that they aren't?

When they stand to make billions from breaking my trust I'm sceptical. When they stand to make a penny and ruin their entire product, then no I' not.

The problem in question here, that rogue developers sell out their product to third parties, is not an issue that Facebook, Google etc have. They have every incentive to keep their software secure.

[krageon]

A betrayal of trust will not "ruin their entire product", we've already seen that it won't (no matter the scale). Believing a small betrayal to be worse than a big one is your right, but that doesn't mean it isn't naive.

[vmception]

Your whole premise is based on a very arbitrarily low value of collecting your plain text data? From a company that is a machine built for monetizing this specific thing? And that they wont because their users care about trust too much, users of Facebook products but specifically whatsapp? And you think the rest of us arent compartmentalizing our issues with that company enough?

this is.... I’m speechless, I ran out of words for this absurdity

[MrPatan]

I get what you're saying, but it's funny because what the dodgy small players do with the data is actually sell it to facebook. You're just cutting out the middleman here.

[phone8675309]

>If it's a large company like Facebook that values these products like Whatsapp at billions I trust them at least on this issue. I'm pretty sure they're not going to put junk third party malware for 50k into the Whatsapp client.

Zuck: They "trust me"

Zuck: Dumb fucks.

[kobalsky]

That's a one dimensional way to think.

You may not be able to trust facebook with your privacy, but you can trust them not to install a malware that swipes your bitcoins.

That being said, I despise the current state of affairs with cellphones. I don't like needing to trust any corp. I'm jumping to a Linux native phone when my current device dies.

[phone8675309]

>you can trust them not to install a malware that swipes your bitcoins

Sure, they might not take malware that swipes my crypto, but I wouldn't put it past them to take malware that uses my resources to mine for crypto. What is the downside for them?

[chordalkeyboard]

School tried to make me use camscanner, glad I took the extra effort to do something else. Thanks for the anecdote.

[karmahunting]

Try OpenScan, open source document scanner app...

Source: I am a user

[dotancohen]

Thank you. Unfortunately, it seems that OpenScan does not have the feature to straighten out photographed documents. Cammscanner has its own camera app, which has features specific to photographing documents.

[dotancohen]

I absolutely love Camscanner, and I have been for over a year on the old version because I refuse to update to the new version which requires network permissions. I exactly suspected this is why it needs those permissions.

To what did you switch? Camscanner is otherwise an excellent app, especially for combining multiple images and straightening them out.

[radq]

Not OP, but I switched to using Microsoft Office Lens.

[dotancohen]

Thank you! This one seems to have the features of Camscanner that I use: straightening documents and combining multiple images into a single PDF.

[chordalkeyboard]

I just continue to use the brother scanner in the other room. I don’t recommend brother, they updated the software and somehow took away features.

[dotancohen]

Unfortunately the HP scanner doesn't fit into my meeting bag!

[curiousgal]

Adobe Scan is a solid option as well.

[dotancohen]

Adobe has lost my trust years ago, and I see that viewpoint vilified often enough to never use Adobe software again. The only Adobe product that I still use is Magento, and only that on client sites. I would love to find a non-Adobe alternative.

[djrogers]

> This happened on ios for me years ago.

Neither of the 2 scenarios you describe are even remotely what's happened here. Not sure how you got from 'malicious ad popups' to 'app added cloud feature'.

[flyinghamster]

I gave Slacker Radio the big heave-ho when they decided they wanted to help themselves to my contact list. They did that just before I was about to pony up for a paid subscription. Bullet dodged.

[WA]

You probably overestimate Apple here. I'm pretty sure you can do a lot of fuckery with WebView, JavaScript and an innocent-looking API and feature flags in JS that gets swapped for bad behavior remotely after the review process is complete.

[ignoramous]

> The problem with both platforms is that they don't provide run of the mill users the option of installing an effective firewall and security solutions.

Google does allow no-root firewalls on the PlayStore which rely on VPN APIs. Here are some open source ones: https://www.reddit.com/r/androidapps/comments/jhtvn4/a_list_...