Biz & IT

We finally started taking screen time seriously in 2018

At the beginning of this year, I was using my iPhone to browse new titles on Amazon when I saw the cover of “How to Break Up With Your Phone” by Catherine Price. I downloaded it on Kindle because I genuinely wanted to reduce my smartphone use, but also because I thought it would be hilarious to read a book about breaking up with your smartphone on my smartphone (stupid, I know). Within a couple of chapters, however, I was motivated enough to download Moment, a screen time tracking app recommended by Price, and re-purchase the book in print.

Early in “How to Break Up With Your Phone,” Price invites her readers to take the Smartphone Compulsion Test, developed by David Greenfield, a psychiatry professor at the University of Connecticut who also founded the Center for Internet and Technology Addiction. The test has 15 questions, but I knew I was in trouble after answering the first five. Humbled by my very high score, which I am too embarrassed to disclose, I decided it was time to get serious about curtailing my smartphone usage.

Of the chapters in Price’s book, the one called “Putting the Dope in Dopamine” resonated with me the most. She writes that “phones and most apps are deliberately designed without ‘stopping cues’ to alert us when we’ve had enough—which is why it’s so easy to accidentally binge. On a certain level, we know that what we’re doing is making us feel gross. But instead of stopping, our brains decide the solution is to seek out more dopamine. We check our phones again. And again. And again.”

Gross was exactly how I felt. I bought my first iPhone in 2011 (and owned an iPod Touch before that). It was the first thing I looked at in the morning and the last thing I saw at night. I would claim it was because I wanted to check work stuff, but really I was on autopilot. Thinking about what I could have accomplished over the past eight years if I hadn’t been constantly attached to my smartphone made me feel queasy. I also wondered what it had done to my brain’s feedback loop. Just as sugar changes your palate, making you crave more and more sweets to feel sated, I was worried that the incremental doses of immediate gratification my phone doled out would diminish my ability to feel genuine joy and pleasure.

Price’s book was published in February, at the beginning of a year when it feels like tech companies finally started to treat excessive screen time as a liability (or at least do more than pay lip service to it). In addition to the introduction of Screen Time in iOS 12 and Android’s digital wellbeing tools, Facebook, Instagram and YouTube all launched new features that allow users to track time spent on their sites and apps.

Early this year, influential activist investors who hold Apple shares also called for the company to focus on how their devices impact kids. In a letter to Apple, hedge fund Jana Partners and California State Teachers’ Retirement System (CalSTRS) wrote “social media sites and applications for which the iPhone and iPad are a primary gateway are usually designed to be as addictive and time-consuming as possible, as many of their original creators have publicly acknowledged,” adding that “it is both unrealistic and a poor long-term business strategy to ask parents to fight this battle alone.”

The growing mound of research

Then in November, researchers at Penn State released an important new study that linked social media usage by adolescents to depression. Led by psychologist Melissa Hunt, the experimental study monitored 143 students with iPhones from the university for three weeks. The undergraduates were divided into two groups: one was instructed to limit their time on social media, including Facebook, Snapchat and Instagram, to just 10 minutes each app per day (their usage was confirmed by checking their phone’s iOS battery use screens). The other group continued using social media apps as they usually did. At the beginning of the study, a baseline was established with standard tests for depression, anxiety, social support and other issues, and each group continued to be assessed throughout the experiment.

The findings, published in the Journal of Social and Clinical Psychology, were striking. The researchers wrote that “the limited use group showed significant reductions in loneliness and depression over three weeks compared to the control group.”

Even the control group benefitted, despite not being given limits on their social media use. “Both groups showed significant decreases in anxiety and fear of missing out over baselines, suggesting a benefit of increased self-monitoring,” the study said. “Our findings strongly suggest that limiting social media use to approximately 30 minutes a day may lead to significant improvement in well-being.”

Other academic studies published this year added to the growing roster of evidence that smartphones and mobile apps can significantly harm your mental and physical wellbeing.

A group of researchers from Princeton, Dartmouth, the University of Texas at Austin, and Stanford published a study in the Journal of Experimental Social Psychology that found using smartphones to take photos and videos of an experience actually reduces the ability to form memories of it. Others warned against keeping smartphones in your bedroom or even on your desk while you work. Optical chemistry researchers at the University of Toledo found that blue light from digital devices can cause molecular changes in your retina, potentially speeding macular degeneration.

So over the past 12 months, I’ve certainly had plenty of motivation to reduce my screen time. In fact, every time I checked the news on my phone, there seemed to be yet another headline about the perils of smartphone use. I began using Moment to track my total screen time and how it was divided between apps. I took two of Moment’s in-app courses, “Phone Bootcamp” and “Bored and Brilliant.” I also used the app to set a daily time limit, turned on “tiny reminders,” or push notifications that tell you how much time you’ve spent on your phone so far throughout the day, and enabled the “Force Me Off When I’m Over” feature, which basically annoys you off your phone when you go over your daily allotment.

At first I managed to cut my screen time in half. I had thought some of the benefits, like a better attention span mentioned in Price’s book, were too good to be true. But I found my concentration really did improve significantly after just a week of limiting my smartphone use. I read more long-form articles, caught up on some TV shows, and finished knitting a sweater for my toddler. Most importantly, the nagging feeling I had at the end of each day about frittering all my time away diminished, and so I lived happily after, snug in the knowledge that I’m not squandering my life on memes, clickbait and makeup tutorials.

Just kidding.

Holding my iPod Touch in 2010, a year before I bought my first smartphone and back when I still had an attention span.

After a few weeks, my screen time started creeping up again. First I turned off Moment’s “Force Me Off” feature, because my apartment doesn’t have a landline and I needed to be able to check texts from my husband. I kept the tiny reminders, but those became easier and easier to ignore. But even as I mindlessly scrolled through Instagram or Reddit, I felt the existentialist dread of knowing that I was misusing the best years of my life. With all that at stake, why is limiting screen time so hard?

I wish I knew how to quit you, small device

I decided to talk to the CEO of Moment, Tim Kendall, for some insight. Founded in 2014 by UI designer and iOS developer Kevin Holesh, Moment recently launched an Android version, too. It’s one of the best known of a genre that includes Forest, Freedom, Space, Off the Grid, AntiSocial and App Detox, all dedicated to reducing screen time (or at least encouraging more mindful smartphone use).

Kendall told me that I’m not alone. Moment has 7 million users and “over the last four years, you can see that average usage goes up every year,” he says. By looking at overall data, Moment’s team can tell that its tools and courses do help people reduce their screen time, but that often it starts creeping up again. Combating that with new features is one of the company’s main goals for next year.

“We’re spending a lot of time investing in R&D to figure out how to help people who fall into that category. They did Phone Bootcamp, saw nice results, saw benefits, but they just weren’t able to figure out how to do it sustainably,” says Kendall. Moment already releases new courses regularly (recent topics have included sleep, attention span, and family time) and recently began offering them on a subscription basis.

“It’s habit formation and sustained behavior change that is really hard,” says Kendall, who previously held positions as president at Pinterest and Facebook’s director of monetization. But he’s optimistic. “It’s tractable. People can do it. I think the rewards are really significant. We aren’t stopping with the courses. We are exploring a lot of different ways to help people.”

As Jana Partners and CalSTRS noted in their letter, a particularly important issue is the impact of excessive smartphone use on the first generation of teenagers and young adults to have constant access to the devices. Kendall notes that suicide rates among teenagers have increased dramatically over the past two decades. Though research hasn’t explicitly linked time spent online to suicide, the link between screen time and depression has been noted many times already, as in the Penn State study.

But there is hope. Kendall says that the Moment Coach feature, which delivers short, daily exercises to reduce smartphone use, seems to be particularly effective among millennials, the generation most stereotypically associated with being pathologically attached to their phones. “It seems that 20- and 30-somethings have an easier time internalizing the coach and therefore reducing their usage than 40- and 50-somethings,” he says.

Kendall stresses that Moment does not see smartphone use as an all-or-nothing proposition. Instead, he believes that people should replace brain junk food, like social media apps, with things like online language courses or meditation apps. “I really do think the phone used deliberately is one of the most wonderful things you have,” he says.

Researchers have found that taking smartphone photos and videos during an experience may decrease your ability to form memories of it. (Steved_np3/Getty Images)

I’ve tried to limit most of my smartphone usage to apps like Kindle, but the best solution has been to find offline alternatives to keep myself distracted. For example, I’ve been teaching myself new knitting and crochet techniques, because I can’t do either while holding my phone (though I do listen to podcasts and audiobooks). It also gives me a tactile way to measure the time I spend off my phone because the hours I cut off my screen time correlate to the number of rows I complete on a project. To limit my usage to specific apps, I rely on iOS Screen Time. It’s really easy to just tap “Ignore Limit,” however, so I also continue to depend on several of Moment’s features.

While several third-party screen time tracking app developers have recently found themselves under more scrutiny by Apple, Kendall says the launch of Screen Time hasn’t significantly impacted Moment’s business or sign ups. The launch of their Android version also opens up a significant new market (Android also enables Moment to add new features that aren’t possible on iOS, including only allowing access to certain apps during set times).

The short-term impact of iOS Screen Time has “been neutral, but I think in the long-term it’s really going to help,” Kendall says. “I think in the long-term it’s going to help with awareness. If I were to use a diet metaphor, I think Apple has built a terrific calorie counter and scale, but unfortunately they have not given people nutritional guidelines or a regimen. If you talk to any behavioral economist, notwithstanding all that’s been said about the quantified self, numbers don’t really motivate people.”

Guilting also doesn’t work, at least not for the long-term, so Moment tries to take “a compassionate voice,” he adds. “That’s part of our brand and company and ethos. We don’t think we’ll be very helpful if people feel judged when we use our product. They need to feel cared for and supported, and know that the goal is not perfection, it’s gradual change.”

Many smartphone users are probably in my situation: alarmed by their screen time stats, unhappy about the time they waste, but also finding it hard to quit their devices. We don’t just use our smartphones to distract ourselves or get a quick dopamine rush with social media likes. We use it to manage our workload, keep in touch with friends, plan our days, read books, look up recipes, and find fun places to go. I’ve often thought about buying a Yondr bag or asking my husband to hide my phone from me, but I know that ultimately won’t help.

As cheesy as it sounds, the impetus for change must come from within. No amount of academic research, screen time apps, or analytics can make up for that.

One thing I tell myself is that unless developers find more ways to force us to change our behavior or another major paradigm shift occurs in mobile communications, my relationship with my smartphone will move in cycles. Sometimes I’ll be happy with my usage, then I’ll lapse, then I’ll take another Moment course or try another screen time app, and hopefully get back on track. In 2018, however, the conversation around screen time finally gained some desperately needed urgency (and in the meantime, I’ve actually completed some knitting projects instead of just thumbing my way through #knittersofinstagram).

Google closes data loophole amid privacy fears over abortion ruling

Google is closing a loophole that has allowed thousands of companies to monitor and sell sensitive personal data from Android smartphones, an effort welcomed by privacy campaigners in the wake of the US Supreme Court’s decision to end women’s constitutional right to abortion.

It also took a further step on Friday to limit the risk that smartphone data could be used to police new abortion restrictions, announcing it would automatically delete the location history on phones that have been close to a sensitive medical location such as an abortion clinic.

The Silicon Valley company’s moves come amid growing fears that mobile apps will be weaponized by US states to police new abortion restrictions in the country.

Companies have previously harvested and sold information on the open market including lists of Android users using apps related to period tracking, pregnancy and family planning, such as Planned Parenthood Direct.

Over the past week, privacy researchers and advocates have called for women to delete period-tracking apps from their phones to avoid being tracked or penalised for considering abortions.

The US tech giant announced last March that it would restrict the feature, which allows developers to see which other apps are installed and deleted on individuals’ phones. That change was meant to be implemented last summer, but the company failed to meet that deadline citing the pandemic among other reasons.

The new deadline of July 12 will hit just weeks after the overturning of Roe vs Wade, a ruling that has thrown a spotlight on how smartphone apps could be used for surveillance by US states with new anti-abortion laws.

“It’s long overdue. Data brokers have been banned from using the data under Google’s terms for a long time, but Google didn’t build safeguards into the app approvals process to catch this behavior. They just ignored it,” said Zach Edwards, an independent cyber security researcher who has been investigating the loophole since 2020.

“So now anyone with a credit card can purchase this data online,” he added.

Google said: “In March 2021, we announced that we planned to restrict access to this permission, so that only utility apps, such as device search, antivirus, and file manager apps, can see what other apps are installed on a phone.”

It added: “Collecting app inventory data to sell it or share it for analytics or ads monetisation purposes has never been allowed on Google Play.”

Despite widespread usage by app developers, users remain unaware of this feature in Android software: a Google-designed programming interface, or API, known as “Query All Packages.” It allows apps, or snippets of third-party code inside them, to query the inventory of all other apps on a person’s phone. Google itself has referred to this type of data as high-risk and “sensitive,” and it has been discovered being sold on to third parties.

Researchers have found that app inventories “can be used to precisely deduce end users interests and personal traits,” including gender, race and marital status, among other things.

Edwards has found that one data marketplace, Narrative.io, was openly selling data obtained by intermediaries in this way, including smartphones using Planned Parenthood, and various period tracking apps.

Narrative said it removed pregnancy tracking and menstruation app data from its platform in May, in response to the leaked draft outlining the Supreme Court’s forthcoming decision.

Another research company, Pixalate, discovered that consumer apps, like a simple weather app, were running bits of code that exploited the same Android feature and were harvesting data for a Panamanian company with ties to US defense contractors.

Google said it “never sells user data, and Google Play strictly prohibits the sale of user data by developers. When we discover violations we take action,” adding it had sanctioned multiple companies believed to be selling user data.

Google said it would restrict the Query All Packages feature to only those who require it from July 12. App developers will be required to fill out a declaration explaining why they need access, and notify Google of this before the deadline so it can be vetted.

“Deceptive and undeclared uses of these permissions may result in a suspension of your app and/or termination of your developer account,” the company warned.

Additional reporting by Richard Waters.

© 2022 The Financial Times Ltd. All rights reserved. Not to be redistributed, copied, or modified in any way.

Billing fraud apps can disable Android Wi-Fi and intercept text messages

Android malware developers are stepping up their billing fraud game with apps that disable Wi-Fi connections, surreptitiously subscribe users to pricey wireless services, and intercept text messages, all in a bid to collect hefty fees from unsuspecting users, Microsoft said on Friday.

This threat class has been a fact of life on the Android platform for years, as exemplified by a family of malware known as Joker, which has infected millions of phones since 2016. Despite awareness of the problem, little attention has been paid to the techniques that such “toll fraud” malware uses. Enter Microsoft, which has published a technical deep dive on the issue.

The billing mechanism abused in this type of fraud is WAP, short for wireless application protocol, which provides a means of accessing information over a mobile network. Mobile phone users can subscribe to such services by visiting a service provider’s web page while their devices are connected to cellular service, then clicking a button. In some cases, the carrier will respond by texting a one-time password (OTP) to the phone and requiring the user to send it back in order to verify the subscription request. The process looks like this:

[Image: the WAP subscription process. Credit: Microsoft]

The goal of the malicious apps is to subscribe infected phones to these WAP services automatically, without the notice or consent of the owner. Microsoft said that malicious Android apps its researchers have analyzed achieve this goal by following these steps:

  1. Disable the Wi-Fi connection or wait for the user to switch to a mobile network
  2. Silently navigate to the subscription page
  3. Auto-click the subscription button
  4. Intercept the OTP (if applicable)
  5. Send the OTP to the service provider (if applicable)
  6. Cancel the SMS notifications (if applicable)

Malware developers have various ways to force a phone to use a cellular connection even when it’s connected to Wi-Fi. On devices running Android 9 or earlier, the developers can invoke the setWifiEnabled method of the WifiManager class. For versions 10 and above, developers can use the requestNetwork function of the ConnectivityManager class. Eventually, phones will load data exclusively over the cellular network, as demonstrated in this image:

[Image: a phone loading data exclusively over the cellular network. Credit: Microsoft]

Once a phone uses the cellular network for data transmission, the malicious app surreptitiously opens a browser in the background, navigates to the WAP subscription page, and clicks a subscribe button. Confirming the subscription can be tricky because confirmation prompts can come by SMS, HTTP, or USSD protocols. Microsoft lays out specific methods that malware developers can use to bypass each type of confirmation. The Microsoft post then goes on to explain how the malware suppresses periodic messages that the subscription service may send the user to remind them of their subscription.

“By subscribing users to premium services, this malware can lead to victims receiving significant mobile bill charges,” Microsoft researchers wrote. “Affected devices also have increased risk because this threat manages to evade detection and can achieve a high number of installations before a single variant gets removed.”

Google actively bars apps from its Play market when it detects signs of fraud or malice, or when it receives reports of malicious apps from third parties. While Google often doesn’t remove malicious apps until after they have infected millions of users, apps downloaded from Play are generally regarded as more trustworthy than apps from third-party markets.
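For reviewers triaging an app, the following added example (not code from Microsoft's write-up or from either article on this page) audits a decoded AndroidManifest.xml, such as one produced by apktool, for the Query All Packages permission discussed in the Google article above and for the pairing of network-switching and OTP-reading capabilities behind the steps listed here. The permission names are standard Android identifiers mapped to the described behaviours as an assumption of this example; the sample manifests and package names are constructed.

```python
"""Triage a decoded AndroidManifest.xml for the capabilities discussed above."""
# Manifests come from untrusted APKs: in production prefer the third-party
# defusedxml package; the standard library is used here to stay self-contained.
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping (the article names APIs and behaviours, not permissions):
#   setWifiEnabled -> CHANGE_WIFI_STATE, requestNetwork -> CHANGE_NETWORK_STATE
NETWORK_SWITCH = {P + "CHANGE_WIFI_STATE", P + "CHANGE_NETWORK_STATE"}
SMS_READ = {P + "RECEIVE_SMS", P + "READ_SMS"}  # OTP delivered by SMS
NOTIF_LISTENER = P + "BIND_NOTIFICATION_LISTENER_SERVICE"  # read or cancel notifications
APP_INVENTORY = P + "QUERY_ALL_PACKAGES"

# Constructed manifest for a hypothetical weather app.
SAMPLE_SUSPECT = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".NotifyService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>
"""

# Constructed manifest for a hypothetical Wi-Fi toggle widget.
SAMPLE_BENIGN = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wifitoggle">
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
</manifest>
"""


def audit_manifest(xml_text):
    """Return which of the discussed capabilities the manifest requests."""
    root = ET.fromstring(xml_text)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        requested.update(el.get(ANDROID + "name") for el in root.iter(tag))
    # A notification listener is declared on a <service>, not as a uses-permission.
    listeners = [svc.get(ANDROID + "name") for svc in root.iter("service")
                 if svc.get(ANDROID + "permission") == NOTIF_LISTENER]
    can_switch = sorted(requested & NETWORK_SWITCH)
    can_read_otp = sorted(requested & SMS_READ) + listeners
    return {
        "package": root.get("package"),
        "app_inventory": APP_INVENTORY in requested,
        "network_switch": can_switch,
        "otp_access": can_read_otp,
        # Each capability is common on its own; the pairing is the triage signal.
        "toll_fraud_pattern": bool(can_switch and can_read_otp),
    }


if __name__ == "__main__":
    for manifest in (SAMPLE_SUSPECT, SAMPLE_BENIGN):
        print(audit_manifest(manifest))
```

A positive result only ranks an app for closer review; it does not show that the app subscribes anyone to anything.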

Microsoft Exchange servers worldwide hit by stealthy new backdoor

Researchers have identified stealthy new malware that threat actors have been using for the past 15 months to backdoor Microsoft Exchange servers after they have been hacked.

Dubbed SessionManager, the malicious software poses as a legitimate module for Internet Information Services (IIS), the web server installed by default on Exchange servers. Organizations often deploy IIS modules to streamline specific processes on their web infrastructure. Researchers from security firm Kaspersky have identified 34 servers belonging to 24 organizations that have been infected with SessionManager since March 2021. As of earlier this month, Kaspersky said, 20 organizations remained infected.

Stealth, persistence, power

Malicious IIS modules offer an ideal means to deploy powerful, persistent, and stealthy backdoors. Once installed, they will respond to specifically crafted HTTP requests sent by the operator instructing the server to collect emails, add further malicious access, or use the compromised servers for clandestine purposes. To the untrained eye, the HTTP requests look unremarkable, even though they give the operator complete control over the machine.

“Such malicious modules usually expect seemingly legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators’ hidden instructions if any, then transparently pass the request to the server for it to be processed just like any other request,” Kaspersky researcher Pierre Delcher wrote. “As a result, such modules are not easily spotted by usual monitoring practices: they do not necessarily initiate suspicious communications to external servers, receive commands through HTTP requests to a server that is specifically exposed to such processes, and their files are often placed in overlooked locations that contain a lot of other legitimate files.”

Once SessionManager is deployed, operators use it to profile the infected environment further, gather passwords stored in memory, and install additional tools, including a PowerSploit-based reflective loader, Mimikatz SSP, ProcDump, and a legitimate Avast memory dump tool. Kaspersky obtained multiple SessionManager variants that date back to at least March 2021. The samples show a steady evolution that has added more features with each new version. The most recent version of the malicious module includes the following:

| Command name (SM_SESSION cookie value) | Command parameters (additional cookies) | Associated capability |
|---|---|---|
| GETFILE | FILEPATH: path of file to be read. FILEPOS1: offset at which to start reading, from file start. FILEPOS2: maximum number of bytes to read. | Read the content of a file on the compromised server and send it to the operator as an HTTP binary file named cool.rar. |
| PUTFILE | FILEPATH: path of file to be written. FILEPOS1: offset at which to start writing. FILEPOS2: offset reference. FILEMODE: requested file access type. | Write arbitrary content to a file on the compromised server. The data to be written in the specified file is passed within the HTTP request body. |
| DELETEFILE | FILEPATH: path of file to be deleted. | Delete a file on the compromised server. |
| FILESIZE | FILEPATH: path of file to be measured. | Get the size (in bytes) of the specified file. |
| CMD | None. | Run an arbitrary process on the compromised server. The process to run and its arguments are specified in the HTTP request body using the format: `<executable path>\t<arguments>`. The standard output and error data from process execution are sent back as plain text to the operator in the HTTP response body. |
| PING | None. | Check for SessionManager deployment. The “Wokring OK” (sic.) message will be sent to the operator in the HTTP response body. |
| S5CONNECT | S5HOST: hostname to connect to (exclusive with S5IP). S5PORT: offset at which to start writing. S5IP: IP address to connect to if no hostname is given (exclusive with S5HOST). S5TIMEOUT: maximum delay in seconds to allow for connection. | Connect from compromised host to a specified network endpoint, using a created TCP socket. The integer identifier of the created and connected socket will be returned as the value of the S5ID cookie variable in the HTTP response, and the status of the connection will be reported in the HTTP response body. |
| S5WRITE | S5ID: identifier of the socket to write to, as returned by S5CONNECT. | Write data to the specified connected socket. The data to be written in the specified socket is passed within the HTTP request body. |
| S5READ | S5ID: identifier of the socket to read from, as returned by S5CONNECT. | Read data from the specified connected socket. The read data is sent back within the HTTP response body. |
| S5CLOSE | S5ID: identifier of the socket to close, as returned by S5CONNECT. | Terminate an existing socket connection. The status of the operation is returned as a message within the HTTP response body. |
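Because the commands listed above travel in cookies, they can be hunted in web server logs. The following is an added example, not code from Kaspersky's report or the original article: it scans IIS W3C logs for requests whose SM_SESSION cookie carries one of the listed command names. It assumes the optional cs(Cookie) field has been enabled in IIS logging (it is not in the default field set); the sample log lines, paths and addresses are constructed.

```python
"""Scan IIS W3C logs for the SessionManager cookie commands listed above."""
from urllib.parse import unquote

# Command names (SM_SESSION values) and parameter cookies, taken from the table.
COMMANDS = {"GETFILE", "PUTFILE", "DELETEFILE", "FILESIZE", "CMD", "PING",
            "S5CONNECT", "S5WRITE", "S5READ", "S5CLOSE"}
PARAM_COOKIES = {"FILEPATH", "FILEPOS1", "FILEPOS2", "FILEMODE",
                 "S5HOST", "S5PORT", "S5IP", "S5TIMEOUT", "S5ID"}

# Constructed sample: paths, addresses and values are invented for the example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip cs(Cookie) sc-status
2022-06-30 10:01:02 GET /index.html 203.0.113.7 SM_SESSION=PING 200
2022-06-30 10:01:09 POST /index.html 203.0.113.7 SM_SESSION=GETFILE;+FILEPATH=C:/temp/example.txt;+FILEPOS1=0;+FILEPOS2=4096 200
2022-06-30 10:02:00 GET /app/ 198.51.100.20 lang=en;+SM_SESSION=8f3a1c 200
2022-06-30 10:02:30 GET /app/ 198.51.100.21 - 200
"""


def parse_cookies(raw):
    """Turn an IIS cs(Cookie) value into {NAME: value}; IIS logs spaces as '+'."""
    cookies = {}
    if raw == "-":  # IIS writes '-' for an empty field
        return cookies
    for part in raw.replace("+", " ").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            # Upper-casing names is an assumption of this example: matching
            # case-insensitively only widens the net.
            cookies[name.strip().upper()] = unquote(value.strip())
    return cookies


def scan(lines):
    """Return (findings, unchecked): matches, and entries with no cookie data."""
    fields, findings, unchecked = [], [], 0
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the field layout can change mid-file
            continue
        if not line or line.startswith("#"):
            continue
        if "cs(Cookie)" not in fields:
            unchecked += 1  # cookie logging was off: this entry is a blind spot
            continue
        row = dict(zip(fields, line.split(" ")))
        cookies = parse_cookies(row.get("cs(Cookie)", "-"))
        command = cookies.get("SM_SESSION", "").upper()
        # Match on the cookie value, so an unrelated SM_SESSION cookie is ignored.
        if command in COMMANDS:
            findings.append({
                "when": f'{row.get("date", "?")} {row.get("time", "?")}',
                "client": row.get("c-ip", "?"),
                "uri": row.get("cs-uri-stem", "?"),
                "command": command,
                "params": {k: v for k, v in cookies.items() if k in PARAM_COOKIES},
            })
    return findings, unchecked


if __name__ == "__main__":
    hits, blind = scan(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(hit)
    print(f"{blind} entries could not be checked (no cs(Cookie) field)")
```

The table describes the most recent version of the module, so earlier variants may not match, and request bodies are not logged, so a hit is a lead for investigation rather than a full record of what was done.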

Remember ProxyLogon?

SessionManager gets installed after threat actors have exploited vulnerabilities known as ProxyLogon within Microsoft Exchange servers. Kaspersky has found it infecting NGOs, governments, militaries, and industrial organizations in Africa, South America, Asia, and Europe.

Kaspersky said it has medium-to-high confidence that a previously identified threat actor that researchers call Gelsemium has been deploying SessionManager. Security firm ESET published a deep dive on the group (PDF) last year. Kaspersky’s attribution is based on the overlap of code used by the two groups and victims targeted.

Disinfecting servers that have been hit by SessionManager or similar malicious IIS modules is a complicated process. Kaspersky’s post contains indicators that organizations can use to determine if they’ve been infected and steps they should take in the event they’ve been infected.
