[handfuloflight]

I never said the app's issues should be absolved, the security problems are obviously serious. But the author claims he did responsible disclosure and got no response, yet somehow skipped the obvious next step of contacting Apple directly. Instead he chose to publish a detailed technical writeup that essentially creates a how-to guide for exploiting these vulnerabilities.

Now because of this post, these children are arguably at greater risk than before, since anyone can follow his step-by-step instructions. If he actually cared about user safety over HN karma, he would have escalated to Apple's App Store channel rather than publishing exploitation details.

The smugness isn't the only problem, it's the irresponsible disclosure wrapped in performative outrage.

You can criticize terrible security practices without creating a ready to replay tutorial for bad actors.

[ycombinatrix]

>the author claims he did responsible disclosure and got no response

that's an easily verifiable lie. the author says the developer is not interested in fixing it just 3 comments above this one. why are you lying?

reporting this to Apple doesn't make sense either. Apple doesn't develop this app. Christian Monfiston develops this app.

[handfuloflight]

Are you really going to be pedantic now and accuse me of deception? OP said: "Developer doesn't seem keen on changing things." Which I can rightly interpret as the developer didn't respond meaningfully or at all. Knowing the nature of OP, he would have surely published the developer's responses if he did. And if he did respond, what I said is semantically valid in that OP did not receive the response he or we would expect: the developer actually doing something about these vulnerabilities.

Apple absolutely should be contacted here: they have App Store Review Guidelines that this app clearly violates. Apps in the kids category and apps intended for kids cannot include third-party advertising or analytics software and may not transmit data to third parties. This app is transmitting children's location data to third parties through unsecured APIs, which directly violates Apple's kids category guidelines.

But you're completely ignoring the main point: by publishing this detailed technical writeup instead of escalating to Apple, the author has now made these children MORE vulnerable.

[ycombinatrix]

I ain't reading all that. Free Palestine.

[Wurdan]

I think you’re somewhat overestimating the chances of getting Apple to take action with a single person’s report.

[handfuloflight]

Perhaps, but let's not pretend his claim to responsible disclosure holds up when he skipped this obvious step. That being said, because the app violates their App Store guidelines with regards to data collection related to minors, it's a channel that should have absolutely been explored.

[Wurdan]

If you want to bring Apple and app store guidelines into this, then why aren't you calling them out for allowing this app on the market in the first place? Without that failure (which they're also making 30% on, let's not forget) we wouldn't even be having this conversation.

[handfuloflight]

Exactly, that strengthens the need to contact them as their App Store reviewers clearly slipped up.