[tor-dev] Apple App Store Redux

Mike Perry mikeperry at torproject.org
Tue Dec 10 07:56:32 UTC 2013

Erinn Clark:
> * Ralf-Philipp Weinmann <ralf at coderpunks.org> [2013:11:17 10:25 +0100]: 
> > Getting TBB into the App Store would definitely help increase its visibility on
> > the OSX side. However, I am not really in favour of giving a US company a list
> > of all users having downloaded TBB plus information whether or not they are upgraded
> > to the most recent version...
> IMO this is a very persuasive reason not to put it there. 

Even more concerning is that list of users is vulnerable to other
attacks via app stores. App stores are central points of control over
the software that runs on your computer. The second an entity provides a
way to tie software delivery (especially updates) to a specific user ID,
it creates the ability to be coerced or compromised such that it can be
used to serve targeted malware to specific user IDs.

I don't think we'll have to wait long before we hear stories of this
happening through the major app stores, if it hasn't happened already.
This attack vector seems like it would be consistent with the M.O. of
the intelligence agencies and other TLAs.

Worse, while our Gitian builds may serve as enough of a deterrent to
prevent such malware from targeting Tor directly (because it would be
easier to identify and extract the malware bits with confidence), they
do not stop the adversary from infecting updates to other apps.

What this means is that as soon as a user ID is identified as a Tor
user, they can be targeted to receive malware designed to monitor their
Tor usage through an update to *any* app that they already have
installed. This also applies to people who are interesting, but who
have never installed Tor directly from the app store at all.

Despite this (or perhaps because of that last property), I could be
convinced that it is acceptable to provide TBB through the app store to
raise awareness of the software, but have the app description warn users
that if they need strong anonymity and privacy, they should not use the
app store version, and instead use a more private and safe way to
obtain a copy.

Something tells me this will make it even harder to get approval by
Apple, though. :/

> > I think I still have access to both. Let me pull the latest version of both
> > agreements (iPhone and OSX developer) and attach them to #6540.
> Thank you!
> > Have you spoken to Mozilla how they have obtained their code signing cert?
> I believe this is on Mike's TODO list since he talks to Mozilla people fairly
> frequently, but it may not be a high priority for him. Mike, let me know if you
> would prefer for me to take this on?

I will try to remember to ask the next time I'm there, but it probably
is better if you could handle most of the investigation into Mac and
Windows code signing support independently.

Mike Perry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20131209/ce185969/attachment-0001.sig>

More information about the tor-dev mailing list