U.S. Senator Marco Rubio raises concerns with Apple after inadequate response to collection and storage of American user data on server in China

U.S. Senator Marco Rubio (R-FL) today raised concerns with Apple CEO Tim Cook after recent reports revealed that the Adware Doctor application, sold through the Mac App Store, was collecting, storing and sending user information to a server in the People’s Republic of China. While Apple was aware of the practice, the company took weeks to inform consumers and pull the app from its platform. In the letter, Rubio requests answers about Apple’s practices and seeks assurances that security protocols are in place to avoid a recurrence.

The full text of the letter, dated September 19, 2018, is below:

Dear Mr. Cook:

I write to express my concern with regard to recent reports that the Adware Doctor application (“app”), sold through the Mac App Store, was covertly collecting browser histories from users, storing the data in a locked file, and periodically sending this user information to a server based in the People’s Republic of China. Heightening concerns, moreover, were reports that Apple had been informed of Adware Doctor’s actions for at least several weeks but did not pull the Adware Doctor app until these actions were made public. For a company that prides itself on prioritizing user privacy and security, this delayed response is extremely disconcerting. It is also troubling that Apple researchers failed to uncover Adware Doctor’s covert collection and “storage” process. Over the last decade, Apple’s Mac App Store has seen more than 170 billion downloads, and your users have trusted your company to protect them from unsolicited intrusions.

I have serious concerns about China’s malevolent economic behavior involving the theft of U.S. intellectual property, which costs the United States hundreds of billions of dollars annually. However, the threat of American user data being kept on a server in China is equally alarming.

While I am aware of Apple’s efforts to protect against these intrusions by keeping apps compartmentalized from each other in “sandboxes,” it is evident that Adware Doctor managed to circumvent your implemented guidelines and protections. While I understand the difficulty in managing the security threats posed by millions of apps, in this case security researchers contacted you in mid-August about the Adware Doctor issue, yet actions to address the issue did not materialize until reports were made public on September 7, 2018. This significant lapse exposes a range of problems, not least of which are internal coordination issues and possibly a blatant disregard for significant user security concerns that were brought to your attention.

I therefore ask that you answer the following questions to address my concerns.

1) Why were the claims involving Adware Doctor’s use of user data not immediately investigated? Was this an oversight issue or were the claims of the researchers simply disregarded?

2) What steps will Apple management take to respond in a more prompt and efficient manner to researcher concerns that are brought to your attention?

3) What steps will Apple take to audit application updates in a more expeditious manner?

4) What steps will Apple take to ensure that applications using Apple’s Mac App Store have appropriate security protocols in place to prevent foreign actors from gaining access to user data?

When users access the Mac App Store, they do so under the belief and reasonable expectation that the application options presented to them have been thoroughly vetted and approved by Apple. This incident with Adware Doctor has brought this trust into question. Therefore, I respectfully request that you provide the public with answers to the questions posed in this letter in order to provide needed transparency and accountability into how this incident occurred.

Sincerely,

Marco Rubio
U.S. Senator

Source: www.rubio.senate.gov

MacDailyNews Note: On September 10, 2018, Trend Micro stated in a blog post, “reports that Trend Micro is ‘stealing user data’ and sending them to an unidentified server in China are absolutely false… The browser history data was uploaded to a U.S.-based server hosted by AWS and managed/controlled by Trend Micro.”

SEE ALSO:
Trend Micro apologizes, removes browser history data collection feature from its macOS products – September 11, 2018
More apps in Apple’s Mac App Store caught stealing and uploading browser history – September 10, 2018
More malicious apps that steal user data found in Apple’s Mac App Store – September 7, 2018
No. 1 paid utility in Mac App Store, Adware Doctor, steals browser history and sends it to servers in China – September 7, 2018

5 Comments

  1. “For a company that prides itself on prioritizing user privacy and security, this delayed response is extremely disconcerting. It is also troubling that Apple researchers failed to uncover Adware Doctor’s covert collection and “storage” process.”

    Lapses like this are a serious concern for users. Rubio’s four bullet points are excellent and we shall see if Apple issues a response.

    Sadly, we know Apple is sloppy and not bulletproof. They must do better …

  2. I agree with Senator Rubio’s concerns. People do indeed expect the apps available on the Apple App Store are safe because Apple tells us that it vets them, etc. However, there are countless apps which are not safe and Apple hides behind this fact by saying they allow the user to make their own choices about what information they share with others. However, the average user cannot fully understand what they are agreeing to when they give an app permission to access various data. I’m far from an average user and I cannot know what each app is doing. I don’t have time to read or the legal background to understand their lengthy privacy agreements. Apple needs to corral all of these independent developers and put a stop to this. I should not have to worry about my privacy if I’m using Apple’s devices and apps from their App Stores! Apps should not be allowed to ask me to agree to things that violate any privacy standard of Apple’s. They should all be the same! Any data they might need to gather in order to function should be anonymized and stored and utilized only according to Apple’s policies. How can the user be expected to police what hundreds of thousands of developers are really doing with our data? We should have to worry about it.
