Difference between revisions of "Native App Privacy"

From MgmtWiki
Jump to: navigation, search
(Solutions)
(References)
 
(20 intermediate revisions by the same user not shown)
Line 5: Line 5:
  
 
* The first of the [[Laws of Security]] tell us that when an attacker gets to run their code on your computer, it is not longer just your computer any longer.
 
* The first of the [[Laws of Security]] tell us that when an attacker gets to run their code on your computer, it is not longer just your computer any longer.
* There are two parts to [[Privacy]] (the right to be let alone) that are should be subject to [[User Consent]] on a portable computer device, like a smart phone:
+
* There are two parts to [[Privacy]] (the right to be let alone) that are should be subject to [[User Consent]] on a portable computer device, like a [[Smart Phone]]:
** Attention, or just how annoying do we want a device in our immediate possession to be?
+
** [[User Private Information]] that we would like to be able to share only with permission. This is the [[Information Sharing]] that is regulated by the [[GDPR]] and the [[California Consumer Privacy Act of 2018]].
** [[User Private Information]] that we would like to be able to share only with permission.
+
** Attention, or just how annoying do we want a device in our immediate possession to be? (The regulation of user notifications is less clear.)
 
* Android App list of [[Data Category|Data Categories]] that require [[User Consent]]. https://support.google.com/googleplay/answer/6270602?hl=en
 
* Android App list of [[Data Category|Data Categories]] that require [[User Consent]]. https://support.google.com/googleplay/answer/6270602?hl=en
 
* Apple iPhone App Requesting Permission: https://developer.apple.com/design/human-interface-guidelines/ios/app-architecture/requesting-permission/
 
* Apple iPhone App Requesting Permission: https://developer.apple.com/design/human-interface-guidelines/ios/app-architecture/requesting-permission/
 
* Apple iPhone app Requesting Authorization to use System Features: https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy
 
* Apple iPhone app Requesting Authorization to use System Features: https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy
 
* Apple CKContainer manages all attempts to access user data on the device or in iCloud. https://developer.apple.com/documentation/cloudkit/ckcontainer
 
* Apple CKContainer manages all attempts to access user data on the device or in iCloud. https://developer.apple.com/documentation/cloudkit/ckcontainer
* Windows (UWP) settings are on all Windows 10 computer, but do not seem to be shown anywhere on the web.  Just navigate start -> settings -> privacy -> app settings.
+
* Windows (UWP) settings are on all Windows 10 computers, but do not seem to be shown anywhere on their documentation.  Just navigate start -> settings -> privacy -> app settings.
  
 
==Problems==
 
==Problems==
 +
*Each company that creates a set of privacy settings does so independently without any coordination or common language.
 +
*Each company puts a majority of their settings under the settings tab, but then there are other setting that occur in other locations.
 +
*Each company also supplies an "Identity Server" that provide, Apple ID, Google ID and Microsoft ID that have a rich history of providing other services, especially email.
 +
*Each of those ID offerings are slightly different and are responsible for the [[Data Sharing]] part of privacy.
  
 
==Solutions==
 
==Solutions==
 +
In spite of all the problems, the actual results are quite good as the following table shows. If a [[User]] is familiar with one service, they are likely to understand the other, at least until the Identity Server function comes into play. This table could serve as the starting point for a taxonomy of common definitions of the areas where consumer privacy could be controlled.
 +
 +
Note that [https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/ SMS is easy to hijack] and should not be used for security purposes.
 +
 
{| border="1" padding="2""
 
{| border="1" padding="2""
 
|-
 
|-
Line 30: Line 38:
 
|Bluetooth
 
|Bluetooth
 
|
 
|
|
+
|Radios
Radios
 
 
|-
 
|-
 
|always
 
|always
Line 106: Line 113:
 
yes??
 
yes??
 
|
 
|
Notification
+
[[Notification]]
 
|-
 
|-
 
|
 
|
Line 173: Line 180:
 
File D/L
 
File D/L
 
|-
 
|-
| colspan="2" |
+
|non-persist
non-persist
+
|
 
|
 
|
 
|-
 
|-
|
+
|DNT
DNT
 
 
|
 
|
 
|
 
|
Line 185: Line 191:
  
 
==References==
 
==References==
===Other References===
+
#[[Native App Security]]
 +
#[[Native App]]
 +
# [https://www.apple.com/privacy/docs/Building_a_Trusted_Ecosystem_for_Millions_of_Apps.pdf Apple building a trusted ecosystem for millions of apps].
 +
 
 +
[[Category:Privacy]]

Latest revision as of 12:59, 19 August 2021

Full Title and Meme

An application that is installed on a user's computing device can be given access to some parts of user Privacy.

Context

Problems

  • Each company that creates a set of privacy settings does so independently without any coordination or common language.
  • Each company puts a majority of their settings under the settings tab, but then there are other setting that occur in other locations.
  • Each company also supplies an "Identity Server" that provide, Apple ID, Google ID and Microsoft ID that have a rich history of providing other services, especially email.
  • Each of those ID offerings are slightly different and are responsible for the Data Sharing part of privacy.

Solutions

In spite of all the problems, the actual results are quite good as the following table shows. If a User is familiar with one service, they are likely to understand the other, at least until the Identity Server function comes into play. This table could serve as the starting point for a taxonomy of common definitions of the areas where consumer privacy could be controlled.

Note that SMS is easy to hijack and should not be used for security purposes.

iPhone Android Windows
yes??

yes??

Accnt Info
Bluetooth Radios
always always Background
Calendar Calendar Calendar
Camera Camera Camera
Contacts Contacts Contacts
 ??  ?? Email
Health yes??
Health+
Home
File access
Location Location Location

Mic

Mic

Mic

Motion

Body

Music

Phone

Call History

yes??

yes??

Notification

Photos

Purchases

Purchases

Purchases

Reminders

Siri

SMS

Messaging

Speech

Storage

Tasks

TV

Other Devs

Diagnostics

safari

chrome

File D/L

non-persist
DNT

File access

References

  1. Native App Security
  2. Native App
  3. Apple building a trusted ecosystem for millions of apps.