A hugely popular app that’s supposed protect Apple Mac users from privacy threats is, ironically, siphoning off their browsing history and sending it to a server in China, two researchers warned Friday. They say it’s a huge privacy issue. And Apple is coming under fire for not acting.
The app in question is the Adware Doctor, which sells for $14.99 and promises to remove adware, malware and other nasty pieces of software from Apple PCs. At the time of writing, it was in the top 10 paid apps on the App Store. It also claims to be able to kill annoying pop-ups, whilst “preserving” browsing history.
Perhaps as part of that latter feature, Adware Doctor’s creator has chosen to take customers’ browsing histories and store them on his own server, located in China. Any user running both the app and a major browser (Chrome, Firefox and Safari in this case) has likely had their online activity recorded and stolen away to the Chinese server. And the app has been grabbing all users’ recent searches in the App Store App.
It may’ve been going on for almost three years too – the first version of Adware Doctor was released in December 2015. The first to uncover the suspicious activity was a security researcher going by the Twitter handle @privacyisfirst, who posted a warning in August.
Researchers Patrick Wardle and Thomas Reed, who both looked into Adware Doctor’s behavior, believe it’s a huge privacy issue.
“Browsing history is an extremely personal, and potentially very sensitive, thing. It could contain data that could be used for blackmail,” warned Reed, a researcher at Malwarebytes. “It could also contain internal company URLs for a person’s employer, which could give a potential attacker inside knowledge of the company’s internal systems.
“This is bad regardless, but it’s worse that it is being sent into a country whose government does not have a history of protecting privacy.” Reed is in the process of researching at least three other tools on Apple’s App Store that do “very similar things.”
Apple hadn’t responded to a request for comment. The creator of Adware Doctor, Yongming Zhang, didn’t respond to emails from Forbes.
Anger at Apple
Wardle said he reported the issue to Apple back in August, but the company had done nothing to stop Adware Doctor from taking browser histories. The ex-NSA analyst and co-founder at DigitaSecurity blogged about his issues with Apple on Friday.
Apple should take action, given it appeared Adware Doctor breached many of the Cupertino giant’s own policies, Wardle added. First, Adware Doctor found a way to bypass Apple’s “sandbox” technology, which is supposed to prevent one app reaching out and grabbing data from another. The siphoning off of browsing history is also likely a breach of Apple policy, Wardle said.
“How can Apple claim to care about user privacy and allow an app like this to remain in the App Store?” Wardle asked. “The story Apple sells us is that the Mac App Store is designed to explicitly thwart exactly this type of behavior. They tell us they vet all the apps and that we should trust them.
“But why in god’s name don’t they swiftly and decisively act when somebody reports a malicious app?”
He called on Apple to ban both the app and its developer from the store. And he said Apple should go further and refund every user of the app too.