When apps are accused of shady behaviour, Jonathan Zdziarski is the guy who investigates. And, this week, the self-identified iOS forensics expert was quick to respond to requests for a deep dive into Whisper, the supposedly anonymous secret-sharing app that’s been taking heat lately. Guess what: Whisper’s not so anonymous.
Zdziarski just published his preliminary findings on Whisper, and they are not encouraging to anybody who’s used the app with the hope of concealing their identity. Actually, based on the back end, he found that Whisper doesn’t even seem like it’s well-intentioned. And if you’re going to listen to anybody about this sort of thing, Zdziarski is a good bet. The security researcher says that he “frequently trains many federal and state law enforcement agencies in digital forensic techniques and assists law enforcement and the military in high profile cases.” He’s also written books about iPhone hacking.
Zdziarski leads off with a startling realisation: “The Whisper app does not appear to be a social networking application with analytics; it appears to be an analytics and user acquisition application that also happens to have a social networking component.” In other words, Whisper’s not built to make it easy to share your secrets. It’s designed to keep track of you.
It gets worse. According to Zdziarski, Whisper actually logs identifying data regardless of whether or not you want it to. The iOS expert writes:
The application generates unique identifiers the first time it is run, without any initial user interaction. … These unique identifiers provide positive identification of the device that, given fingerprint and/or passcode authentication, can also serve as positive identification of an individual, eliminating any plausible deniability of the user’s identity. These user identifiers appear to exist for the life of the application, and are assigned even if the user wishes to remain anonymous while using the application.
It gets worse, again. After The Guardian reported that Whisper tracks users’ locations, sometimes even if they don’t want it to, Whisper’s editor-in-chief Neetzan Zimmerman claimed that the app “HEAVILY FUZZED [location data] to 500 meters away.” This is not true, according to Zdziarski:
In spite of Whisper’s claims that location data is “fuzzed”, “salted”, or in some way cleansed to a large radius, the application requests a level of accuracy from Apple’s CoreLocation manager of no worse than 100 meters, as shown below by the Apple constant kCLLocationAccuracyHundredMeters. Other constants available from Apple include 1km and 3km radii; however, these larger constraints were not used by the Whisper app.
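Zdziarski’s point concerns what the app asks CoreLocation for (Apple also offers kCLLocationAccuracyKilometer and kCLLocationAccuracyThreeKilometers, the 1km and 3km constants he mentions); whether a fix is then “fuzzed” before it is stored is a separate step. The following is an added illustration, not code from Zdziarski’s analysis or from Whisper, of what a genuine “fuzzed to 500 meters” would look like in practice: every fix is snapped to the centre of a 500 m grid cell before storage, so the stored value cannot distinguish positions within that cell, and a distance check bounds how far the stored point can sit from the true one. The coordinates are constructed sample values.

```python
import math

EARTH_RADIUS_M = 6_371_000.0                          # mean Earth radius in metres
M_PER_DEG_LAT = 2 * math.pi * EARTH_RADIUS_M / 360    # ~111,195 m per degree of latitude


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    d_phi = p2 - p1
    d_lam = math.radians(lon2 - lon1)
    a = math.sin(d_phi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(d_lam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def coarsen(lat, lon, cell_m=500.0):
    """Snap a fix to the centre of a cell_m x cell_m grid cell.

    Every position inside a cell maps to the same output, so the stored value
    carries no information finer than the cell size. The mapping is
    deterministic: the same place always yields the same stored point, and
    re-coarsening a stored point leaves it unchanged.
    """
    d_lat = cell_m / M_PER_DEG_LAT                      # cell height in degrees of latitude
    lat_c = (math.floor(lat / d_lat) + 0.5) * d_lat     # centre latitude of the cell
    # Cell width in degrees of longitude shrinks with latitude; derive it from the
    # cell's centre latitude so every point in one latitude band shares one grid.
    d_lon = d_lat / max(math.cos(math.radians(lat_c)), 1e-9)
    lon_c = (math.floor(lon / d_lon) + 0.5) * d_lon
    return round(lat_c, 6), round(lon_c, 6)


def max_residual_m(cell_m=500.0):
    """Upper bound on the distance between the true fix and the stored cell
    centre: half the cell diagonal."""
    return cell_m * math.sqrt(2) / 2


def residual_m(lat, lon, cell_m=500.0):
    """Actual displacement introduced by coarsening one fix, in metres."""
    c_lat, c_lon = coarsen(lat, lon, cell_m)
    return haversine_m(lat, lon, c_lat, c_lon)


if __name__ == "__main__":
    # Constructed fix (not real user data): a point in San Francisco.
    fix = (37.7749, -122.4194)
    for cell in (100.0, 500.0, 1000.0):
        stored = coarsen(*fix, cell_m=cell)
        print(f"cell {cell:6.0f} m -> stored {stored}, "
              f"moved {residual_m(*fix, cell_m=cell):6.1f} m "
              f"(bound {max_residual_m(cell):6.1f} m)")
```

The design point is that coarsening must happen before the fix is written anywhere: a 100 m fix that is stored raw and only blurred at display time still pins the user down, which is the gap between a “fuzzed” claim and the CoreLocation request Zdziarski observed. Grid snapping is deterministic, so it adds no fresh noise an analyst could average away across repeated fixes, at the cost of points near a cell edge being reported up to half a diagonal away.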
It’s worth pointing out that Whisper stores your location data as well. So even if you open the app only once while location services are enabled, the app keeps that GPS data on file and permanently associates it with your user ID. To that end, Zdziarski’s conclusion is foreboding:
Anonymous users have good reason to be concerned about their anonymity when using the Whisper application. While they may not have provided their name, the application has generated a unique identifier that can potentially be used to track them throughout the life of the application. When associated with global positioning data of 100m or smaller radius, their identities could be at risk.
In other words, if you want to remain anonymous, don’t use Whisper. [Jonathan Zdziarski]