What'sUpp with your malware policy?

Tags: networking, apps, privacy.
By lucb1e on 2012-03-12 21:59:53 +0100

WhatsApp for Symbian is badly written malicious software as far as I can see. Moreover, their TOS and Privacy Policy look good at first sight, until you read them carefully. Also, I noticed most users still manage to miss the text saying that it's not actually free after a year.

In short: It remains active 24/7 (including a network connection, preferably by 3G) even after closing it in every possible way; it alters your phone software; and they can sell your user data if they want to. The TOS I agree with on install cannot be viewed, but if I want to sue them over using my phonebook without permission (or even telling me) I'd apparently have to pay the lawyers for them as well as my own.

Application problems


- You cannot close it. There is an "Exit" option in the menu, which like with all software seems to close it. The green indicator that the application is running disappears from the menu, and it doesn't show up in the "Running applications" menu.

- It keeps the network connection alive after it is 'closed'.

- When you force the network connection to close, it just starts it again after about 15 seconds.

- It even tries to use the mobile network rather than WiFi when possible; you'd think they would (keeping costs in mind) do it the other way around. Who said I had a flat-fee subscription?

- You can set it to ask before using WiFi, but I want it to ask before using the mobile network. It can't apparently. Maybe by global settings for all applications, but this is neither something I would like to do nor something a user would know to do.

- When opening, it doesn't need to start anything up. Proof that it never closed, just hid somehow. Not sure how, never seen an app do that. Feels to me like it goes even deeper than virus scanners go on Windows.

- I couldn't read the Terms Of Service on install, it displayed a blank space. When I try to contact support it "couldn't send the message because it is not configured." There is no setting related to messaging anywhere to be found.

Update: Turns out I need to configure an e-mail address in my phone's e-mail application to contact support through or send chat history through. Not going to do that, but I could have. (End of update, original post from here.)

- It searches my phone book without asking. Remember, there were no Terms Of Service. Even with it, they know nobody reads those, especially their main target audience: youngsters. They might have had the courtesy to, if not ask, at least inform me.

- It sends all my messages in plain text, not sure yet about other data. Yeah it sends it to the server at port 443, better known as HTTPS, but the data is in plain text. Just a port hoax to make it seem secure.

- It sends about 200 packets per minute when not chatting.

- After uninstalling, there is an icon visible in the screen (in every menu) which I do not recognise. It's in the spot where my WiFi connection icon should be, and it changes when I connect to WiFi. It seems to have no WiFi active though, but I wonder what it changed in my phone software. Rebooting doesn't get rid of the icon.

Update 2 months later: This thing permanently changed my phone's software, the icon is still there and I still have no idea what it's doing on my system. I can hardly sue them though, I'd have to pay their lawyers, as you'll read in a moment... (End of update, original post from here.)
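
The port 443 observation in the list above can be checked from a packet capture. The following is an added example, not part of the original post: it tests whether the first client payload of a connection to port 443 starts with a TLS record header or is readable text. The sample payloads are constructed, and the plaintext one is not the app's actual wire format.

```python
import struct

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # upper bound on a TLS ciphertext record

def parse_tls_record_header(payload):
    """Return (type_name, minor_version, length) if payload starts with a
    plausible TLS record header, else None."""
    if len(payload) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 4:
        return None
    if length > MAX_RECORD_LEN:
        return None
    return TLS_CONTENT_TYPES[ctype], minor, length

def printable_ratio(payload):
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not payload:
        return 0.0
    ok = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(payload)

def classify_first_payload(payload):
    """Classify the first client-to-server payload of a TCP connection."""
    header = parse_tls_record_header(payload)
    # A TLS session opens with a handshake record carrying a ClientHello (type 1).
    if header and header[0] == "handshake" and len(payload) > 5 and payload[5] == 1:
        return "tls-client-hello"
    # Older clients may wrap the hello in an SSLv2-style record (high bit set).
    if len(payload) >= 3 and payload[0] & 0x80 and payload[2] == 1:
        return "sslv2-style-client-hello"
    if header:
        return "tls-record-unexpected-start"
    if printable_ratio(payload) > 0.9:
        return "plaintext"
    return "unknown-binary"

# Constructed samples: start of a ClientHello record, and a readable chat line.
SAMPLE_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B]) + bytes(43)
SAMPLE_PLAINTEXT = b"MSG alice hello, are you there?\r\n"

if __name__ == "__main__":
    for name, data in (("tls", SAMPLE_TLS), ("text", SAMPLE_PLAINTEXT)):
        print(name, classify_first_payload(data))
```

A result of "plaintext" or "unknown-binary" on port 443 means the port number alone says nothing about whether the session is encrypted.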

Legal issues


- Their terms, which I found on their website, state that I agree to defend, indemnify and hold harmless WhatsApp, [and anyone having to do with it], from and against any and all claims, damages, obligations, losses, liabilities, costs or debt, and expenses (including but not limited to attorney's fees) arising from: [...] (iv) any claim that one of your User Status Submissions caused damage to a third party. (point 8 on whatsapp.com/legal).
So if they decide to sue me for this, I am obliged to pay them for it. If anyone claims I caused a third party damage they automatically win. And lastly, by point eleven of their TOS, I agree to fall under the Californian jurisdiction in the event of any legal dispute.

- When advertisements are introduced on the WhatsApp service, those advertisers receive your IP address and are allowed to use things like JavaScript. I wonder how much you can do with JavaScript as an advertiser, someone should try requesting the document.cookie (although that's the most obvious possibility of all of course).

- Any data I enter through WhatsApp falls immediately under American jurisdiction.

- After promising they won't share any data they collected (and they admit to collecting just about everything there is to collect), they make an exception to share everything in the case of being 'acquired by' or 'merged with' a third party. They mention that this is also applicable when they sell their company[1]. Also, they cannot guarantee how our data is used, treated or transferred in the--according to them "(hopefully) unlikely"--event of bankruptcy, insolvency, reorganization[2], receivership, or assignment for the benefit of creditors[3].

From this I understand that by point [1] they may do anything with our data when they sell up.
By point [2] they can do anything with our data when they reorganize, e.g. when they kick a couple of people out and get some new staff. Doesn't seem so unlikely to me.
And by point [3] that they cannot guarantee anything about our data when the people they get money from benefit from doing anything with the data. This last practically means that they will give your data to advertisers whenever they like to, and by point 8 of their TOS they always win when you try to sue them for it.

- Lastly, you are responsible for keeping up with any changes in the TOS and privacy statement. So if they decide to change it entirely, they don't have to notify you.

Conclusion


Needless to say, I already got rid of the app before finishing this blogpost. I don't want to be part of this, and neither should you.