Don’t send your nudes to someone who uses Nude.

Cameron Banga
3 min read · Oct 18, 2017


I spent my morning catching up with Twitter, as one normally does on a Tuesday. A certain new “personal photo protection app” featured by The Verge caught my interest: https://www.theverge.com/2017/10/17/16414822/nude-app-photo-vault-sexting.

I decided to take a very quick dive into the app here tonight, and what I found was not very encouraging.

Let’s not bury the lede here: Nude is not a great way to protect private photographs. Whether you’re on iOS 10 or 11, unique IDs tied to your phone are sent on launch and during app use to http://app-measurement.com, a tracking server that appears to be owned by Google for analytics and ad tracking. Additionally, a whole bunch of device identifiers are sent to Facebook during your use of the app, and tied to a bunch of Facebook Social Graph/ad tracking garbage.

But it gets even worse. If you’re using iOS 10, your private photos and unique device identifiers are sent over the network to Amazon Web Services without any certificate pinning (a common technique used to prevent man-in-the-middle attacks). The team behind Nude has said that they do not retain photos, but they also said that they anonymize data sent to their server, so I’m a bit skeptical.

On iOS 11, Nude does offer a local CoreML search through your photo library which appears to perform as advertised. But if you’re running an older version of iOS (or presumably on their soon-to-be-released Android app), your raw photo data is sent straight to their servers along with unique device identifier metadata, which could potentially be used to tie a device to a specific person. Here’s a quick summary of what I found tonight:

All of this was found in an hour or so, with some very basic man-in-the-middling of the app on a couple of non-jailbroken devices running iOS 10 and 11. Any potential nude photos found under iOS 10 are sent to their server, along with device tracking information. Under iOS 11, it does seem like photo analysis stays local, but a whole bunch of possibly identifiable device tracking information is sent to Facebook and Google throughout the duration of a user’s time spent in the app.

I don’t believe that the team behind Nude has any intent to steal user photos or be malicious with their app. I think they’re probably trying to provide a service that they believe some people need. Regardless, they’re still promising privacy and security, while sending your most private photos and personal tracking metadata to companies like Facebook, Google, and Amazon.

It’s great that people are trying to use technology as a way to improve problems that regular people face every day. But before we offer those companies the keys to our most personal data, we probably should take some time and make sure that their proposed solutions aren’t opening us up to considerably more significant problems in the future.

EDIT/UPDATES:

A couple of other thoughts this morning that I forgot last night:

  1. When photos are sent to the AWS server for identification, I’m guessing that EXIF data isn’t stripped from the photos. I didn’t pull a full photo to verify, so I can’t say for sure. But if EXIF data is not stripped, it’s likely that full GPS location data is included with the photo. Is a private photo really anonymous if I could tell you what room it was taken in based on precise GPS location data?
  2. I did get a chance to take a quick look, and it appears that the photos saved in Nude are not saved to an iPhone backup, which is a positive. I’ll take a deeper dive on that later, but it’s a good first impression.
  3. Given that The Verge story mentions that the team was promoting the app at TechCrunch Disrupt, it seems as if they’re looking for VC funding with the app. I don’t want to judge anyone’s intent, but this is the sort of app where I would be a bit more concerned about what happens to the data they’re collecting, the photos, and the service after VCs get on board and are determined to turn a profit.
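One way to check the EXIF concern in point 1 before a photo ever leaves the device: an added example (not Nude’s code, and not from the original post) that walks a JPEG’s APP1 Exif/TIFF block, reports whether IFD0 carries a GPS sub-IFD pointer, and strips the Exif segment entirely. The JPEG it runs on is constructed inline (SOI + Exif + EOI, no pixel data), not a real photo.

```python
import struct

GPS_IFD_POINTER = 0x8825  # IFD0 tag whose value is the offset of the GPS sub-IFD

def _tiff_has_gps(tiff: bytes) -> bool:
    # Walk IFD0 of the TIFF block inside Exif; the byte order is given by "MM"/"II".
    endian = ">" if tiff[:2] == b"MM" else "<"
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):
        entry = ifd0 + 2 + 12 * i  # each IFD entry is 12 bytes: tag, type, count, value
        if struct.unpack(endian + "H", tiff[entry:entry + 2])[0] == GPS_IFD_POINTER:
            return True
    return False

def _segments(jpeg: bytes):
    # Return ([(marker, raw_segment), ...], end) for marker segments before SOS/EOI.
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    segs, pos = [], 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xDA, 0xD9):
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # length includes itself
        segs.append((jpeg[pos + 1], jpeg[pos:pos + 2 + seg_len]))
        pos += 2 + seg_len
    return segs, pos

def _is_exif(marker: int, seg: bytes) -> bool:
    return marker == 0xE1 and seg[4:10] == b"Exif\x00\x00"

def exif_has_gps(jpeg: bytes) -> bool:
    """True if an APP1 Exif segment points at a GPS sub-IFD (location data present)."""
    segs, _ = _segments(jpeg)
    return any(_tiff_has_gps(seg[10:]) for m, seg in segs if _is_exif(m, seg))

def strip_exif(jpeg: bytes) -> bytes:
    """Drop every APP1 Exif segment; other segments and the image data are kept."""
    segs, end = _segments(jpeg)
    kept = b"".join(seg for m, seg in segs if not _is_exif(m, seg))
    return jpeg[:2] + kept + jpeg[end:]

def build_jpeg(with_gps: bool) -> bytes:
    """Constructed test input: SOI + APP1 Exif (big-endian TIFF) + EOI, no pixel data."""
    ifd0 = struct.pack(">H", 1 if with_gps else 0)
    if with_gps:  # entry: tag, type LONG(4), count 1, value = GPS IFD offset (26)
        ifd0 += struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, 26)
    ifd0 += struct.pack(">I", 0)  # no next IFD
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0
    if with_gps:  # GPS IFD at 26: one entry, GPSVersionID (tag 0), BYTE x4, 2.3.0.0 inline
        tiff += struct.pack(">HHHI", 1, 0, 1, 4) + b"\x02\x03\x00\x00" + struct.pack(">I", 0)
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"
```

On a real photo, run exif_has_gps over the file bytes before any upload step; strip_exif removes the whole Exif block rather than only the GPS tags, so orientation and camera metadata go with it.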


Cameron Banga

My name is Cameron. Feel free to google me. I like security, trying to program, and working with embedded systems. Email me at cameronbanga@gmail.com.