[handfuloflight]

Valid security issues buried under unnecessary smugness and basic 'techniques' like demonstrating the unzip command. The condescending tone undermines what could have been constructive disclosure. This reads like a high schooler dunking on a first grader, I'm just glad we all learned from the technical prowess of extracting an archive. The underlying problems with exposed API keys and unrestricted database access are serious, but your arrogant presentation does a disservice to responsible disclosure.

[rockemsockem]

I read it as an incredulous and increasingly pissed off person absolutely dunking on a smug person's attitude and success who has done so in a fashion they find completely unacceptable.

[ycombinatrix]

this app leaks the private data of hundreds of children, but GP's "smugness" is the problem? give me a break.

are you Christian Monfiston? that would explain a lot.

[ryandrake]

Both sides can be wrong. This isn't the first HN article investigating security issues where the researcher has this exact smug, exasperated, "oh, how can the dev be so stupid" attitude. I can say that in business communication, this kind of insufferable smugness never helps, even if the subject person really is stupid/incompetent.

[handfuloflight]

I never said the app's issues should be absolved, the security problems are obviously serious. But the author claims he did responsible disclosure and got no response, yet somehow skipped the obvious next step of contacting Apple directly. Instead he chose to publish a detailed technical writeup that essentially creates a how-to guide for exploiting these vulnerabilities.

Now because of this post, these children are arguably at greater risk than before, since anyone can follow his step-by-step instructions. If he actually cared about user safety over HN karma, he would have escalated to Apple's App Store channel rather than publishing exploitation details.

The smugness isn't the only problem, it's the irresponsible disclosure wrapped in performative outrage.

You can criticize terrible security practices without creating a ready to replay tutorial for bad actors.

[ycombinatrix]

>the author claims he did responsible disclosure and got no response

that's an easily verifiable lie. the author says the developer is not interested in fixing it just 3 comments above this one. why are you lying?

reporting this to Apple doesn't make sense either. Apple doesn't develop this app. Christian Monfiston develops this app.

[handfuloflight]

Are you really going to be pedantic now and accuse me of deception? OP said: "Developer doesn't seem keen on changing things." Which I can rightly interpret as the developer didn't respond meaningfully or at all. Knowing the nature of OP, he would have surely published the developer's responses if he did. And if he did respond, what I said is semantically valid in that OP did not receive the response he or we would expect: the developer actually doing something about these vulnerabilities.

Apple absolutely should be contacted here: they have App Store Review Guidelines that this app clearly violates. Apps in the kids category and apps intended for kids cannot include third-party advertising or analytics software and may not transmit data to third parties. This app is transmitting children's location data to third parties through unsecured APIs, which directly violates Apple's kids category guidelines.

But you're completely ignoring the main point: by publishing this detailed technical writeup instead of escalating to Apple, the author has now made these children MORE vulnerable.

[ycombinatrix]

I ain't reading all that. Free Palestine.

[Wurdan]

I think you’re somewhat overestimating the chances of getting Apple to take action with a single person’s report.

[handfuloflight]

Perhaps, but let's not pretend his claim to responsible disclosure holds up when he skipped this obvious step. That being said, because the app violates their App Store guidelines with regards to data collection related to minors, it's a channel that should have absolutely been explored.

[Wurdan]

If you want to bring Apple and app store guidelines into this, then why aren't you calling them out for allowing this app on the market in the first place? Without that failure (which they're also making 30% on, let's not forget) we wouldn't even be having this conversation.

[handfuloflight]

Exactly, that strengthens the need to contact them as their App Store reviewers clearly slipped up.