
U.S. Navy bans TikTok from government-issued mobile devices

386 points | swat535 | 6 years ago | reuters.com

161 comments

[+] 40four|6 years ago|reply
After reading this post a couple weeks ago (https://news.ycombinator.com/item?id=21725139), banning the app sounds like a good idea. I’m no expert on security, but the situation regarding Tik Tok’s practices sounds really bad.
[+] angry_octet|6 years ago|reply
Doesn't matter, they have it on their personal phone.

App security is so bad that you pretty much need to virtualize the phone and feed it fake sensor data. The whole idea of unrestricted network access is stupid.

[+] SpicyLemonZest|6 years ago|reply
> App security is so bad that you pretty much need to virtualize the phone and feed it fake sensor data.

Yeah, this is really bizarre to me. I was trying to check on volume levels through walls in my apartment, so I wanted to find some random decibel measuring app and lock it down so I don't have to worry too much about trusting it. But somehow Apple's permission model, which provides a whole pile of privilege switches including mobile data, has no way to completely revoke Internet privileges for an app.

[+] thaumasiotes|6 years ago|reply
> The whole idea of unrestricted network access is stupid.

I've been coming around to a similar idea. I'd like a setup something like this for my desktop:

1. Some devices representing network connections. One or more are "real"; others may be VPNs.

2. Per-application settings governing which network devices, if any, the application may use. Default to none.

For example, the common way to use a VPN is like this:

1. Start your machine. You're connected to the internet, but not yet to the VPN. All of your running software is already using the internet over the unprotected connection.

2. Start the VPN. It will magically do something such that applications wanting to use "the internet" find it instead of the connection they used to find (the one the VPN itself is still using). All of your running software is now using the VPN. Did you want something to use the other connection? Too bad.

I'm sick of the idea that Windows perceives an internet connection somehow, hides it from me, and automatically makes it available to everything that asks for "the internet". But I don't actually know how to do this. Someone is working really, really hard to make sure I don't affect who uses what device.

[+] apk-d|6 years ago|reply
Installing a firewall app and checking the connection log on my Android phone really spooked me. There's a ton of traffic in the background that shouldn't be there. It's absolutely crazy that Android doesn't have a first party firewall or the ability to disable internet access permission per app, but that would impact Google's ad revenue, so of course we can't have that.
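An added example, not code from this thread or from any of the commenters: thaumasiotes sketches a model in which network connections are named devices, each application has a list of devices it may use, and the default is none; apk-d describes reviewing a firewall app's connection log. The script below combines the two by checking a connection log against such a per-application device policy and reporting every connection made over a device the app is not permitted to use. The log format, application names, addresses and device names are all constructed for illustration.

```python
"""Per-application network-device policy check over a constructed connection log.

Added example: models a per-app device allow-list with "default to none" and
audits a connection log against it. Log format, app names, addresses and
device names are constructed, not taken from any real firewall product.
"""
import re
from dataclasses import dataclass

# Constructed log lines in the shape "<timestamp> <app> -> <dst_ip>:<port> via <device>".
SAMPLE_LOG = """\
2019-12-21T09:00:01 decibel-meter -> 203.0.113.5:443 via wlan0
2019-12-21T09:00:02 mail-client -> 198.51.100.10:993 via vpn0
2019-12-21T09:00:03 mail-client -> 198.51.100.10:993 via wlan0
2019-12-21T09:00:04 browser -> 203.0.113.7:443 via vpn0
2019-12-21T09:00:05 decibel-meter -> 203.0.113.5:443 via vpn0
2019-12-21T09:00:06 updater -> 192.0.2.20:80 via eth0
"""

# Per-application policy: app -> set of devices it may use. Any app absent
# from the map gets the empty set, i.e. "default to none".
POLICY = {
    "mail-client": {"vpn0"},
    "browser": {"vpn0", "wlan0"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<app>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) via (?P<dev>\S+)$"
)


@dataclass(frozen=True)
class Connection:
    ts: str
    app: str
    dst: str
    port: int
    dev: str


def parse_log(text):
    """Parse the constructed log format into Connection records, skipping malformed lines."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        conns.append(Connection(m["ts"], m["app"], m["dst"], int(m["port"]), m["dev"]))
    return conns


def allowed_devices(policy, app):
    """Devices an app may use; an app not mentioned in the policy gets none."""
    return policy.get(app, frozenset())


def is_permitted(policy, conn):
    return conn.dev in allowed_devices(policy, conn.app)


def audit(policy, text):
    """Split a log into (permitted, violations); a violation is a connection an
    app made over a device the policy does not grant it."""
    permitted, violations = [], []
    for c in parse_log(text):
        (permitted if is_permitted(policy, c) else violations).append(c)
    return permitted, violations


def summarize(violations):
    """Count violations per app, to surface apps generating unexpected background traffic."""
    counts = {}
    for c in violations:
        counts[c.app] = counts.get(c.app, 0) + 1
    return counts


if __name__ == "__main__":
    ok, bad = audit(POLICY, SAMPLE_LOG)
    for c in bad:
        allowed = sorted(allowed_devices(POLICY, c.app)) or "none"
        print(f"VIOLATION {c.ts} {c.app} used {c.dev} -> {c.dst}:{c.port} (allowed: {allowed})")
    print(summarize(bad))
```

With the constructed log, the two mail-client and browser connections over vpn0 pass, while the decibel-meter (not in the policy at all), the mail-client's connection over wlan0, and the updater are flagged. Note kardos's point later in the thread: a device allow-list bounds which path packets leave by, not what an app puts in them, so it complements rather than replaces reviewing what the app actually sends.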
[+] kjaftaedi|6 years ago|reply
A simple approach is to just ban personal phones while at work.

You can forward your number to a work phone while you're on duty, you don't need to carry a personal device with you.

[+] ComodoHacker|6 years ago|reply
Good luck figuring out a sane UI for that for average mobile user.
[+] Spooky23|6 years ago|reply
No way. Restricted access to networks is a step back to the Bell System days. Once you open the door, it won’t close.

This is a legal and compliance issue. If you made the marketplace share liability for fraudulent apps, and had meaningful law around the ownership of electronic data, this problem would go poof.

In the US, a piece of paper in a locked drawer requires a warrant to access. Electronic data requires as little as an administrative subpoena.

[+] kardos|6 years ago|reply
How would restricted network access help? If you permit a dodgy app to talk to only one remote endpoint, it can exfiltrate whatever it wants.
[+] ThomPete|6 years ago|reply
but government issued phones have access to things personal phones don't.
[+] kccqzy|6 years ago|reply
I'm surprised there's even a blacklist of apps for work phones. Shouldn't there be a whitelist instead?
[+] Diesel555|6 years ago|reply
That is how it actually works. There is an approved app App Store. You have to go through a whole process to get it approved (I've tried). What the article really means to say is that it's been removed from among the approved apps.
[+] Operyl|6 years ago|reply
Since I’ve seen this asked elsewhere:

There is a legitimate usage for these kinds of apps on some devices. Armed services recruiters tend to use various social media apps to communicate with people they are trying to recruit.

[+] falcolas|6 years ago|reply
Someone likely did a risk/benefit analysis and the analysis didn’t come out in favor of the benefits. It’s probably that simple.
[+] Cougher|6 years ago|reply
Yup, because it's easier to get around the parents' influence when they want to sell kids a line of BS.
[+] kp98|6 years ago|reply
I suppose the message that is sent here is: 'if you want to recruit you'll have to do it on Snapchat, YouTube, Instagram, Twitter, or Facebook instead of the one Chinese based app'

Is that not fair?

[+] NullPrefix|6 years ago|reply
Security researchers have a legitimate use of computer viruses. Behavioural analysis or whatever else.

Does your grandma have the same legitimate use case?

[+] bretpiatt|6 years ago|reply
Totally different risk assessment level on a threat actor gaining location information of a recruiter (or all recruiters) vs. location of special forces service members.

The recruiter should get a waiver, a use case like that isn't a good reason to default to allowing.

[+] webninja|6 years ago|reply
They can just use Facebook’s Lasso app instead
[+] DyslexicAtheist|6 years ago|reply
With recruiters, do you mean actual recruitment agencies[1] or in the sense of the Chinese IC recruiting foreign agents?

[1] I don't see job-recruiting being a reason to allow this app. IMO any device that is used by a public servant paid with tax-$$ should be limited to what it runs and I'd be surprised if they don't have a very strict BYOD policy for this reason. Never mind TikTok they shouldn't be running any social media apps on their phones. There are other problems with this use such as what data ends up being leaked to social media companies (regardless of where they are).

[+] aritmo|6 years ago|reply
I have watched hundreds of TikTok videos. The adults featured on the videos are less than 5%.
[+] m0zg|6 years ago|reply
It's absurd that _any_ non-sanctioned software was ever allowed on US Navy phones, let alone apps developed by a major adversary known for pervasive metadata collection. WTF kind of total and utter incompetence is this? Sounds to me like a major house cleaning is needed.
[+] noobermin|6 years ago|reply
How many gov-issued phones have TikTok? Instagram? If they want to make posts on official accounts shouldn't they do it in a more secure way anyway?
[+] stjohnswarts|6 years ago|reply
This is the right thing to do, but they need to do a lot more.
[+] theklub|6 years ago|reply
It took that long? Seems like they should have all apps banned and then approve the handful they want
[+] cm2187|6 years ago|reply
What sort of vetting does Microsoft do on drivers written by manufacturers that ship with Windows?
[+] wyldfire|6 years ago|reply
Traditionally they have done testing for WHQL certification. It may make sense for them to do analysis or reversing in order to raise the bar. Or maybe change the design of the NT kernel to isolate device drivers better.
[+] rolltiide|6 years ago|reply
and then a Chinese company buys an American app that already has all the data
[+] kristianc|6 years ago|reply
They already have Grindr (for now)
[+] thrower123|6 years ago|reply
By now, I'd be relatively certain that all but the absolute blackest sites are mapped comprehensively with publicly available app data.
[+] GhettoMaestro|6 years ago|reply
US Congress has the authority to block such acquisitions.
[+] nvr219|6 years ago|reply
Why was it ever allowed on these devices in the first place?
[+] Trias11|6 years ago|reply
Why's "ban" needed?

Government should have full control over government issued devices and only whitelisted modifications should be allowed.

If it's not this way - someone at government should be held accountable for jeopardizing the security of the nation.

[+] CivBase|6 years ago|reply
I'm guessing those phones are to ensure their owners have a dedicated communication channel and a platform to run non-critical tech necessary for their job.

Apps for non-sensitive emails, schedules, maps, org directories, etc.

If the government is putting sensitive military data on an Android or iOS phone, you should be concerned. A whitelist would not be a sufficient safeguard.

[+] scottlawson|6 years ago|reply
> A Navy spokesman said Naval and Marine personnel who use government issued smart devices are generally allowed to use popular commercial apps, including common social media apps, but from time to time specific programs that present security threats are banned. He would not give examples of apps that are allowed or those considered unsafe.
[+] account73466|6 years ago|reply
I guess that it is phrased that way in order to signal other non-government organizations that they should have a look and probably ban it as well.
[+] kova12|6 years ago|reply
Because employees feel that they deserve to use Facebook and such on their government issued devices, and if you deny them their God given right, you are a racist, sexist, and otherwise despicable person
[+] ralfd|6 years ago|reply
> A Navy spokesman said Naval and Marine personnel who use government issued smart devices are generally allowed to use popular commercial apps, including common social media apps, but from time to time specific programs that present security threats are banned.

Should the Navy whitelist Ebay and Amazon? What about the Walmart app? If Target has one should they then apply to get whitelisted? What about navy personnel in other countries with their apps? What about popular app/game xyz? There are a million apps.

If all that has to be whitelisted the bureaucratic overhead would be either really cumbersome or the value of an issued device so small, that people would buy and use their own devices anyways.

[+] dwmcqueen|6 years ago|reply
I first read this as banning Twitter from all government devices and thought it was an early Christmas present for America.
[+] diminish|6 years ago|reply
Now the world will see Google & Facebook & Apple as security threats.
[+] freeflight|6 years ago|reply
Don't forget MS. Took German privacy regulators until recently, more than 3 years after the release of Windows 10, to notice that the thing is phoning encrypted data home even after disabling as much of that stuff as possible.

Their final conclusion is that using Windows 10, in a data privacy-compliant way, is only possible with a "rest risk" [0]. Too bad that by now Windows 10 is not just in wide use among businesses, but also the de facto government OS, most of these installations running default settings.

Same deal with Intel's ME: The German Federal Office for Information Security, a bit like the IT department for the government, rated Intel ME's risk as high in early 2018 [1]. Yet no actual consequences besides that release, government systems still running Windows 10 on Intel platforms.

So while a lot of the threats are known and acknowledged, nobody seems to really act on these findings.

[0] https://www.heise.de/newsticker/meldung/Datenschutzkonferenz...

[1] https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2018/...

[+] stjohnswarts|6 years ago|reply
That sounds like win-win to me because they kinda are, especially if you work somewhere that deals in highly secure data.