Adobe Flash, The Spy in Your Computer – Part 4

This is the last segment in the series. To begin with, I have a question for you…
What do you call a device that has a 1 gigahertz microprocessor, 512 megabytes of RAM, several gigabytes of solid state storage, runs programs, can be programmed, and can access the internet? Sounds a bit like a netbook, but "computer" is the answer I am looking for. Now add the ability to make phone calls on a CDMA or GSM network and you have a smart phone. The point is that your smart phone is a computer, and many smart phones have the ability to run Adobe Flash. Flash is supported on Android version 2.2, Windows Mobile, and even on the iPhone 4. This means that it isn’t only your PC you need to be concerned with; the spy is in your phone as well. The configuration options for mobile Flash are a lot simpler, and to reach them you need to go to https://settings.adobe.com/flashplayer/mobile/ on your mobile device. This is what it looks like on a Droid 2.

As you can see, there are no global settings. Looking at Local Storage and at Peer-Assisted Networking, we see that the default for local storage is the least private option and that peer-assisted networking is enabled.

Obviously, selecting “Never” for local storage provides the most privacy, but also the least functionality. Selecting “Only from sites I visit” is probably the most reasonable choice presented. Whether or not you enable the cache is really up to you. These telephony-equipped computers have a lot less space than a standard PC, but caching components may decrease data usage if you do not have an unlimited plan. I simply disable peer-assisted networking. I’m really not interested in having someone else use my bandwidth.

Unlike the highly granular configuration options that are possible with the mms.cfg file on a PC, Flash on the mobile platform offers very little choice in protecting your privacy. If you have Flash on your mobile device, I recommend you visit the settings manager periodically to make sure your choices have not been altered in an update. If you will be traveling in an area where roaming charges might apply, you might want to disable local storage entirely for Flash before you leave, but that is for cost savings, not privacy.
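
The mobile settings manager has to be re-checked by hand, but on a PC the same periodic check can be scripted against mms.cfg. The following is an added example, not code from this article or from Adobe; the key names (ThirdPartyStorage, RTMFPP2PDisable, LocalStorageLimit) are taken from Adobe's Flash Player administration guide rather than from this page, and the sample file contents are constructed.

```python
# Added example: audit a desktop mms.cfg against the choices recommended above.
# Key names come from Adobe's Flash Player administration guide, not this article.
EVERYDAY = {
    "ThirdPartyStorage": "0",  # local storage "Only from sites I visit"
    "RTMFPP2PDisable": "1",    # peer-assisted networking off
}
# Travel profile: additionally turn local storage off entirely.
TRAVEL = dict(EVERYDAY, LocalStorageLimit="1")  # 1 = no local storage

# Constructed sample: what a file might look like after an update reset it.
SAMPLE_AFTER_UPDATE = """\
# mms.cfg (constructed sample)
ThirdPartyStorage = 1
AssetCacheSize = 20
"""


def parse_mms_cfg(text):
    """Return {lowercased key: value} from 'Key = Value' lines; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue  # blank line, comment, or anything that is not a setting
        key, value = line.split("=", 1)
        # Case-insensitive key matching is a choice made by this example.
        settings[key.strip().lower()] = value.strip()
    return settings


def audit(text, baseline):
    """List (key, actual, wanted) for every baseline setting that is absent or changed."""
    current = parse_mms_cfg(text)
    findings = []
    for key, wanted in baseline.items():
        actual = current.get(key.lower(), "missing")
        if actual != wanted:
            findings.append((key, actual, wanted))
    return findings


if __name__ == "__main__":
    for key, actual, wanted in audit(SAMPLE_AFTER_UPDATE, TRAVEL):
        print(f"{key}: found {actual}, expected {wanted}")
```

Run it after each Flash update; an empty result means the file still matches the chosen profile.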

To sum up the series, Adobe Flash does enable a lot of quality video content on the web, but the price it comes with is privacy. Adobe isn’t going to tell you how, by whom, or when Flash is being used to track you, so it is up to you to take control. Perhaps you are fine with being tracked, as some people are, but you can’t make the decision if you don’t know there is a decision. I hope this series has helped you understand some of the risks associated with Flash, and some of your options for controlling your privacy.

Randy Abrams
Director of Technical Education
ESET LLC

Author ESET Research, ESET

  • Paul

    Randy, Flash isn’t really supported on iPhone 4, is it? Comex’s hack “Frash” is one way, but it’s hardly for the general population. Adobe recently updated Packager but that’s not really Flash web-content either.
    No iPhone here to test the Settings Manager link, but if it’s a Flash object that’s browser based, it’s not going to work…

  • Randy Abrams

    I don't have an iPhone either, but I can see if some of our testers might have time to play a bit. The blog comments don't allow hyperlinks currently (well, I have a workaround), but if you read www{dot}adobe{dot}com/devnet/logged_in/abansod_iphone.html it does say: "For example, you can use APIs such as RTMP, Remote Shared Objects, and AMF as well as AIR APIs like SQLite and filesystem access." Given the track record of Flash, I would assume spy-like capabilities on any device it touches.

  • Charles Jeter

    Hi guys,
    Actually I ended up doing a quick piece in SC Magazine on the Flash to iPhone stuff just a short time ago. The response was quoted:
    This is great news for developers and we're hearing from our developer community that Packager apps are already being approved for the App Store. We do want to point out that Apple's restriction on Flash content running in the browser on iOS devices remains in place.
    Apple's announcement today that it has lifted restrictions on its third-party developer guidelines has direct implications for Adobe's Packager for iPhone, a feature in the Flash Professional CS5 authoring tool.

    If the link doesn't go through, just hit 'scmagazineus.com' and look for the 'Cybercrime Corner'.

  • VPNProxies

    Note that Adobe/Macromedia Flash is FINALLY beginning to respond to issues of user control over Flash settings and privacy.

    They have a blog entry: On Improving Privacy: Managing Local Storage in Flash Player

    Should be some cause for optimism, yes?

  • VPN~Privacy

    Also FWIW, Mac OS X Tiger/10.4.x users can avail themselves of an applet called Flush Tiger to flush Flash cookies. It is a great tool. Simple and effective.

    I think there is a version for Leopard too.

    cheers!

  • Mike

    Hi,
    Thanks for the great article, Randy. I see from one of the posts Randy is no longer with ESET and no longer researching Adobe's abuse of our privacy.
    Unfortunately I believe Adobe's assault has spread to all its other products, including Acrobat Reader. Next time you have a minute, read the license agreement for Acrobat Reader. Adobe reserves the right to track your info, show you ads in Acrobat files, and share your info with advertisers without your consent.
    There is also a new abuse in Flash that requires you to visit each site to configure your privacy settings for each site, and most of them fail to disable tracking when you visit.
    This is an assault on our privacy and freedom and will lead us to an Orwellian prison in the future.
    I use one approach to be sure. I use a virtual machine dedicated to web browsing. I only browse the web from this virtual machine. About once per week I revert to a clean copy and reinstall Flash and Acrobat. It's the only way to be sure.
     

Copyright © 2014 ESET, All Rights Reserved.